CNIL vs Free: €42M — why a 24/7 SOC is vital to meet NIS 2 Art. 23
After the €42M fine against Free/Free Mobile, slow detection proves costly. Under NIS 2 Art. 23, detecting and notifying within 24 hours is now an operational obligation in Luxembourg.
In January 2026, the CNIL fined Free Mobile (€27M) and Free (€15M) a total of €42M after a breach affecting 24 million contracts. The inability to detect fast is costly in fines and reputation. Under NIS 2, detecting, qualifying, and notifying within 24 hours is an operational imperative, notably in Luxembourg (ILR).
What happened
On January 13, 2026, the CNIL sanctioned Free Mobile and Free for security shortcomings (GDPR Art. 32) after an October 2024 intrusion exposing data linked to 24 million subscriber contracts, including IBANs. The CNIL cited insufficient VPN authentication for remote work and “ineffective” detection of anomalous behavior. It also reproached incomplete data subject information (GDPR Art. 34) and excessive retention (Art. 5-1-e). Sources: CNIL, 14/01/2026, EN version, and coverage by The Register.
Applicable legal framework
- GDPR, Article 32: appropriate security via technical and organizational measures (authentication, monitoring, detection). Text: Eur-Lex – GDPR Art. 32. Free/Free Mobile were sanctioned on this basis: CNIL.
- GDPR, Article 34: inform data subjects in case of a high-risk breach. Eur-Lex – GDPR Art. 34.
- NIS 2, Article 23: early warning within 24 h, notification within 72 h, and a final report within 1 month. ILR guidance (SERIMA): ILR — In case of incident, FAQ: ILR — NIS 2 FAQ, EU reference: Directive (EU) 2022/2555, Art. 23. See more on NIS 2 obligations.
What regulators expect
- Rapid detection and qualification of significant incidents (sensors, correlation, monitoring).
- Ability to issue a 24 h early warning with minimum elements (nature, presumed cause, scope, initial impacts).
- Data protection by default, continuous logging and monitoring.
The solution: a managed SIEM/SOC built for 24 h notification
Goal: move from “best effort” security to an industrial-grade capability for timed detection and notification. A 24/7 managed SOC structures these capabilities.
How it works
- Centralized collection (SIEM): VPN, IAM, endpoints/servers, firewalls, proxies, critical SaaS, cloud. Authentication events, privilege escalations, abnormal transfers, off-perimeter access.
- Correlation and detection: rules and models for access compromise (weak/failed MFA, mass attempts, anomalous sessions), exfiltration (volume spikes, unapproved destinations), lateral movement.
- 24/7 monitoring (SOC): triage, threat intelligence enrichment, qualification as a “significant incident” (NIS 2 sectoral criteria and impacts).
- Alert orchestration: playbooks for the 24 h early warning (NIS 2 minimum content), the 72 h update, and the 1‑month report (root causes, remediation).
- Retention and forensics: timestamped, tamper‑evident logs to investigate and evidence due diligence (GDPR Art. 5/32).
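As an added example (not Luxgap's or this page's own code), the "VPN/MFA compromise" use case from the list above written as a minimal SIEM-style detection over constructed log lines, with the NIS 2 Art. 23 clock started from the detection timestamp; the key=value log format, the 5-failures-in-5-minutes threshold and the 30-day approximation of the one-month final report are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample VPN/MFA events (assumed key=value format, not a real product's log).
SAMPLE_LOG = """\
2026-01-10T02:01:00Z vpn user=j.doe src=203.0.113.7 mfa=fail
2026-01-10T02:01:05Z vpn user=j.doe src=203.0.113.7 mfa=fail
2026-01-10T02:01:11Z vpn user=j.doe src=203.0.113.7 mfa=fail
2026-01-10T02:01:20Z vpn user=j.doe src=203.0.113.7 mfa=fail
2026-01-10T02:01:31Z vpn user=j.doe src=203.0.113.7 mfa=fail
2026-01-10T02:02:00Z vpn user=j.doe src=203.0.113.7 mfa=ok
2026-01-10T09:15:00Z vpn user=a.smith src=198.51.100.4 mfa=ok
"""

def parse(line):
    """Turn one log line into a dict with a timezone-aware UTC timestamp."""
    ts, _source, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def detect_mfa_compromise(log, threshold=5, window=timedelta(minutes=5)):
    """Alert when a user accumulates >= threshold MFA failures inside the sliding
    window and then succeeds: the 'mass attempts followed by a successful
    session' pattern. Returns one alert dict per qualifying success."""
    fails = defaultdict(list)  # user -> timestamps of recent MFA failures
    alerts = []
    for ev in (parse(l) for l in log.splitlines() if l.strip()):
        user = ev["user"]
        recent = [t for t in fails[user] if ev["ts"] - t <= window]
        if ev["mfa"] == "fail":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"user": user, "src": ev["src"],
                           "detected_at": ev["ts"], "failures": len(recent)})
            recent = []  # reset after alerting so one burst yields one alert
        fails[user] = recent
    return alerts

def nis2_deadlines(detected_at):
    """Art. 23 milestones: 24 h early warning, 72 h notification, and a final
    report one month after the notification (approximated here as 30 days)."""
    notification = detected_at + timedelta(hours=72)
    return {"early_warning": detected_at + timedelta(hours=24),
            "notification": notification,
            "final_report": notification + timedelta(days=30)}

if __name__ == "__main__":
    for alert in detect_mfa_compromise(SAMPLE_LOG):
        print(alert, nis2_deadlines(alert["detected_at"]))
```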
Best‑practice references
- ISO/IEC 27001:2022 — A.8.15 Logging and A.8.16 Monitoring.
- NIST CSF 2.0: Detect and Respond (DE.AE, RS.AN).
- CIS Controls: 8 (Audit Log Management), 17 (Incident Response).
How Luxgap deploys this
- 24/7 managed SOC: integrate your existing SIEM or deploy a turnkey one (on‑prem/cloud), with use cases mapped to NIS 2 Art. 23 and GDPR Art. 32 (“likely customer data leakage,” “VPN/MFA compromise,” “anomalous IBAN/PII access”). “NIS 2 clock” dashboards to drive 24 h / 72 h / 1‑month milestones.
- ISO 27001 governance: design logging/monitoring framework (policy, scope, retention), log source inventory, investigation and notification procedures. Alignment with A.8.15/A.8.16 and audit evidence readiness.
- GDPR/NIS 2 advisory: qualification, data subject communications (GDPR Art. 34), and liaison with ILR (SERIMA). For local specifics, see NIS 2 in Luxembourg (ILR).
Case study in Luxembourg/EU
A regulated B2B services company (NIS 2 important entity) had scattered logs and noisy alerts. In six weeks we:
- centralized 12 key sources (VPN, AD/Azure AD, firewalls, M365, ERP) into a SIEM,
- enabled 25 NIS 2‑aligned detections (off‑timezone access, MFA anomalies, unusual outbound volume),
- ran a “24 h early warning” exercise using the SERIMA format.
Outcome: detection of a partner account compromise in under 20 minutes, automated containment, and proven ability to notify ILR on time with verifiable facts.
Practical first steps
- Map essential log sources and verify retention (≥ 6 months operational; adjust to risk).
- Define at least 10 use cases tied to your sensitive data (PII/IBAN/customers) and authentication (including VPN/MFA), with tuned thresholds and false‑positive controls.
- Establish a “NIS 2 Art. 23” procedure: who triggers the 24 h alert, what content, who validates, how to submit via SERIMA to ILR. See ILR.
- Run a 90‑minute tabletop: a VPN account is compromised, potential customer data exposure — can you alert within 24 h with sourced facts?
- Coordinate with your DPO: prepare the GDPR Art. 34 message to data subjects to avoid the information gaps criticized in the Free case.
Official sources
- CNIL — “Data breach: €42M sanction against FREE MOBILE and FREE” (Jan 13, 2026): https://www.cnil.fr/fr/sanction-free-2026
- The Register — “France fines telcos €42M for issues leading to 2024 breach” (Jan 14, 2026): https://www.theregister.com/security/2026/01/14/france-fines-telcos-42m-for-issues-leading-to-2024-breach/4965344
- ILR Luxembourg — “In case of incident” (SERIMA, 24 h notification): https://www.ilr.lu/secteurs-activites/niss/incident/ and NIS 2 FAQ: https://www.ilr.lu/secteurs-activites/niss/nis-2/faq/
- Directive (EU) 2022/2555 (NIS 2), Article 23: https://nis2resources.eu/fr/directive-2022-2555-nis2/article-23/
- GDPR — Arts. 32 and 34 (Eur‑Lex): https://eur-lex.europa.eu/eli/reg/2016/679/oj
- ISO/IEC 27001:2022 Annex A — A.8.15 Logging, A.8.16 Monitoring.
Bottom line: the Free case shows that “not seeing in time” is expensive. A managed SOC, ISO 27001‑aligned and ready for NIS 2 Art. 23, lets you detect, contain, and notify on time, reducing fine and reputational risks.