CNIL vs Free/Free Mobile (€42M): a 24/7 SOC is now essential under NIS 2
Following the €42M fine against Free/Free Mobile, weak VPN authentication and failed detection show why a 24/7 SOC is critical for GDPR and NIS 2 (24-hour early warning).
Excerpt — On 13 January 2026, the CNIL fined Free and Free Mobile €42M after a breach enabled by weak VPN authentication and ineffective detection. Here is the concrete technical measure, a managed SIEM/SOC, that supports NIS 2's 24-hour early-warning duty.
The facts
On 13 January 2026, the CNIL sanctioned Free Mobile (€27M) and Free (€15M) following an October 2024 attack that enabled access to data tied to 24 million subscriber contracts, including some IBANs. The authority cited "insufficient security measures" under GDPR, notably a VPN authentication procedure that was "not sufficiently robust" for remote work, and ineffective detection of abnormal behaviour. The CNIL also reproached incomplete information of data subjects (Art. 34) and excessive retention (Art. 5-1-e). Source: CNIL — Data breach: FREE MOBILE and FREE fined €42 million (14/01/2026). Media coverage highlights the key technical points: weak VPN authentication and failed detection drove the severity of the fines. See: LeMagIT — Authentication procedures too fragile (Jan 2026).
Why this matters in Luxembourg, Belgium, France and Germany in May 2026: beyond GDPR, NIS 2, now transposed in Luxembourg (law of 5 May 2026), requires covered entities to detect incidents operationally and to send the ILR an early warning within 24 hours of becoming aware of a significant incident. The Free case illustrates precisely what regulators now expect on monitoring and alerting. For local specifics, see NIS 2 in Luxembourg.
The applicable legal framework
GDPR:
- Article 32 — appropriate technical and organizational measures (strong authentication, detection, logging, access control, etc.). In the Free case, this is the main basis for the security fine. Text: EUR‑Lex — GDPR (see also the CNIL release above).
- Article 34 — data subject information in case of a breach, considered incomplete in this case (email content insufficient). Reference: CNIL.
NIS 2 (Directive (EU) 2022/2555):
- Article 23 — three-step notification duty for significant incidents: early warning within 24 hours of becoming aware, incident notification within 72 hours, final report within one month of that notification. Official text: EUR‑Lex — NIS 2, Art. 23.
- In Luxembourg, the ILR confirms the 24h/72h/1-month mechanism and its role as the competent authority: ILR — NISS FAQ (NIS 2) and ILR — NISS.
In practice, regulators expect: continuous, qualified detection of security events (logs, correlation, anomalies); the ability to issue an early warning within 24 hours if the incident is "significant"; and enough traceability to document the analysis (IoCs, affected scope, impacts).
The technical solution to deploy
Managed SIEM/SOC: the platform and team that collect and correlate logs (VPN, IAM, AD/Entra ID (formerly Azure AD), firewalls, EDR, databases, SaaS/Cloud), detect abnormal behaviours (UEBA, correlation rules, MITRE ATT&CK detections), investigate (threat hunting, IoC pivoting) and trigger response (playbooks, containment, regulatory notification). In practice:
- Log collection and retention: centralize VPN/SSO, directories, systems, Cloud, business apps — the foundation for GDPR Art. 32 and NIS 2 Art. 23 (evidence and chronology).
- Correlation and detection: rules targeting VPN/remote access (abnormal authentications, weak/broken MFA, IP/ASN hopping, impossible travel), exfiltration, privilege escalation.
- 24/7 monitoring: alert triage, escalation, and a documented switch to incident mode. The moment the entity becomes aware of a significant incident is what starts the NIS 2 24h/72h/1-month clock, so that timestamp must be recorded.
- Orchestration (SOAR): automatic enrichment (threat intel), initial containment (account disablement, network blocking), and generation of notification drafts compliant with Art. 23.
- Compliance dashboard: SLA tracking, notifiable vs non-notifiable incidents, 24/72/30 milestones.
Frameworks: ISO/IEC 27001:2022, Annex A A.8.15 Logging and A.8.16 Monitoring; NIST CSF 2.0, Detect (DE) and Respond (RS) functions; CIS Controls v8: 8 — Audit Log Management, 17 — Incident Response. For the notification obligation: NIS 2 Art. 23 and ILR guidance (FAQ).
Key takeaway from the Free case: without reliable detection and actionable logging, you risk a double hit: a GDPR fine (Arts. 32/34) and NIS 2 non-compliance on notification deadlines. A managed SIEM/SOC is the central building block for avoiding this scenario.
How Luxgap deploys this
- Our 24/7 managed SOC: onboarding of priority sources (VPN/IAM/EDR/Firewall/Cloud), "remote access" correlation packs, MITRE ATT&CK use cases for abnormal access detection, and escalation procedures aligned to Art. 23. We configure notification playbooks (24h/72h/1-month drafts) and the collection of evidence (IoCs, timestamps, scope).
- Our ISO 27001 governance: we frame the logging/monitoring policy (Annex A.8.15/A.8.16), the incident register, notifiable vs non-notifiable classification, and GDPR/NIS 2 alignment (GDPR Art. 34 and NIS 2 Art. 23 procedures, DPO/CISO roles, email templates).
- Our outsourced DPO and CISO consultants: techno-regulatory coordination during incidents, NIS 2 significance qualification, arbitration of the 24h/72h deadlines and notification content (ILR/CSIRT/CNPD as applicable), and communications to affected individuals (Art. 34). See our outsourced CISO and external DPO services.
Concrete case in Luxembourg or the EU
Realistic example: an “important” entity operating digital services in Luxembourg spots atypical VPN connections on a Monday morning. The managed SOC correlates VPN/IdP/EDR logs, isolates suspect endpoints, and triggers the “NIS 2 Art. 23” procedure. By T+4h, a 24-hour alert draft is ready (indicators, suspected malicious act, scope). The CISO validates and the ILR is informed within the deadline. In parallel, the DPO prepares GDPR Art. 34 content for data subjects, based on the same SIEM-derived evidence and timelines. Result: contained incident, deadlines met, and a robust file for the regulator.
First practical steps
- Map your critical logs (VPN/SSO/AD/firewalls/EDR/Cloud). Identify and fix collection gaps first.
- Activate detection use cases for remote access: repeated failures followed by a success, impossible travel, off-hours connections, ASN hopping, MFA bypass or logins without MFA.
- Establish a “NIS 2 Art. 23” runbook: significance criteria, who decides and when, 24h/72h/1-month templates, ILR/CSIRT channels and alignment with GDPR/CNPD notification.
- Table-top test a “compromised VPN” scenario: time the detection, qualification, and evidence generation.
- Close the last mile: strengthen VPN authentication (phishing-resistant MFA), reduce privileges, and actively monitor admin access (PAM). Ensure the SOC ingests these logs.
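The correlation rules listed under "The technical solution to deploy" and the remote-access use cases above, as an added example that is not Luxgap's code and not taken from the CNIL decision. It runs three detections (brute force followed by a success, impossible travel, and login without MFA or off-hours) over constructed VPN log lines. It assumes the SIEM has already enriched each authentication event with GeoIP coordinates and an ASN; the field names, thresholds and sample users are hypothetical.

```python
"""Remote-access detection rules over constructed VPN log lines.

Added example, not from Luxgap or the CNIL decision. Assumes each VPN
authentication event was GeoIP/ASN-enriched by the SIEM before it reaches
this rule engine; field names and thresholds are hypothetical.
"""
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (one JSON object per line). Not real traffic:
#  - a.martin: five failures then a success without MFA from the same IP
#  - b.klein: success in Luxembourg, then 40 minutes later in Sydney
#  - c.dupont: success at 02:15 UTC (off-hours)
SAMPLE_LOG = """
{"ts":"2026-05-04T07:58:00Z","user":"a.martin","result":"fail","src_ip":"203.0.113.10","asn":64500,"lat":49.61,"lon":6.13,"mfa":"none"}
{"ts":"2026-05-04T07:58:20Z","user":"a.martin","result":"fail","src_ip":"203.0.113.10","asn":64500,"lat":49.61,"lon":6.13,"mfa":"none"}
{"ts":"2026-05-04T07:58:40Z","user":"a.martin","result":"fail","src_ip":"203.0.113.10","asn":64500,"lat":49.61,"lon":6.13,"mfa":"none"}
{"ts":"2026-05-04T07:59:00Z","user":"a.martin","result":"fail","src_ip":"203.0.113.10","asn":64500,"lat":49.61,"lon":6.13,"mfa":"none"}
{"ts":"2026-05-04T07:59:20Z","user":"a.martin","result":"fail","src_ip":"203.0.113.10","asn":64500,"lat":49.61,"lon":6.13,"mfa":"none"}
{"ts":"2026-05-04T07:59:40Z","user":"a.martin","result":"success","src_ip":"203.0.113.10","asn":64500,"lat":49.61,"lon":6.13,"mfa":"none"}
{"ts":"2026-05-04T08:30:00Z","user":"b.klein","result":"success","src_ip":"198.51.100.7","asn":64501,"lat":49.61,"lon":6.13,"mfa":"totp"}
{"ts":"2026-05-04T09:10:00Z","user":"b.klein","result":"success","src_ip":"192.0.2.55","asn":64502,"lat":-33.87,"lon":151.21,"mfa":"totp"}
{"ts":"2026-05-04T02:15:00Z","user":"c.dupont","result":"success","src_ip":"192.0.2.200","asn":64503,"lat":48.86,"lon":2.35,"mfa":"totp"}
"""


def parse(log_text):
    """Parse JSON lines into events sorted by timestamp (tz-aware UTC)."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two GeoIP points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """At least `threshold` failures for one (user, src_ip) inside `window`,
    followed by a success from the same pair: guessing that worked."""
    alerts = []
    fails = defaultdict(list)  # (user, src_ip) -> failure timestamps
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["result"] == "fail":
            fails[key].append(e["ts"])
        elif e["result"] == "success":
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                               "src_ip": e["src_ip"], "ts": e["ts"], "failures": len(recent)})
            fails[key].clear()
    return alerts


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Two successive successes for one user whose implied speed exceeds
    `max_speed_kmh` (roughly airline speed). ASN change is reported as context."""
    alerts = []
    last = {}  # user -> previous successful event
    for e in events:
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            hours = max((e["ts"] - prev["ts"]).total_seconds() / 3600.0, 1 / 60)
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if km / hours > max_speed_kmh:
                alerts.append({"rule": "impossible_travel", "user": e["user"], "ts": e["ts"],
                               "km": round(km), "asn_changed": prev["asn"] != e["asn"]})
        last[e["user"]] = e
    return alerts


def detect_weak_mfa_and_off_hours(events, off_hours=(0, 5)):
    """Successful logins with no MFA factor, or inside the off-hours UTC window."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        if e.get("mfa", "none") == "none":
            alerts.append({"rule": "success_without_mfa", "user": e["user"], "ts": e["ts"]})
        if off_hours[0] <= e["ts"].hour < off_hours[1]:
            alerts.append({"rule": "off_hours_login", "user": e["user"], "ts": e["ts"]})
    return alerts


def run_all(log_text=SAMPLE_LOG):
    """Run every rule and return the combined alert list (one dict per alert)."""
    events = parse(log_text)
    return (detect_brute_force(events) + detect_impossible_travel(events)
            + detect_weak_mfa_and_off_hours(events))


if __name__ == "__main__":
    for a in run_all():
        print(a["rule"], a["user"], a["ts"].isoformat())
```

Each alert carries the timestamp of the triggering event: that is the evidence the Art. 23 early warning needs (indicator, account, source, time of awareness), and it is why the rules return structured dicts instead of just printing. In production the thresholds (five failures, 900 km/h, the 00:00-05:00 window) would be tuned per population, and the GeoIP step would be done by the SIEM pipeline rather than embedded in the log line.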
Official sources
- CNIL — Data breach: FREE MOBILE and FREE fined €42 million (14/01/2026)
- LeMagIT — Violation de données Free: authentication procedures too fragile (Jan 2026)
- EUR‑Lex — Directive (EU) 2022/2555 (NIS 2), Article 23
- ILR (Luxembourg) — NISS/NIS 2: FAQ and notification timelines
To get an operational setup quickly, explore our managed SOC and our resources on NIS 2 in Luxembourg, then contact us.