CNIL 2025 report: EUR 487M in fines, 1 breach in 2 = hacking, key takeaways
CNIL 2025 annual report: 20,150 complaints (record), EUR 487M in fines (including Google EUR 325M and Shein EUR 150M), 1 breach in 2 results from hacking. The real signal for 2026 and 4 concrete actions for DPO and CISO.
The French data protection regulator CNIL has published its 2025 annual report and its detailed review of sanctions and corrective measures. For DPOs, CISOs and executives in Luxembourg or in cross-border companies, this is mandatory reading: the Luxembourg CNPD and the Belgian APD align their priorities with the CNIL, and half of the companies on the Luxembourg financial marketplace also operate in France through subsidiaries or cross-border employees. Here is what we took away and, above all, the most important signal to build into the 2026 roadmap.
The raw figures: a historic jump
- 20,150 complaints received, +10% vs 2024. An all-time record since the CNIL was created. Individuals know their rights and exercise them.
- 6,167 data breaches notified to the CNIL. And critically, one breach in two results from hacking. Cybersecurity is no longer a marginal IT topic, it has become the main GDPR battleground.
- EUR 487 million in fines issued in 2025. The amount has exploded.
Across 323 inspections conducted and 259 decisions rendered, the CNIL issued 83 sanctions (including 78 financial fines), 143 formal notices, 31 reminders of legal obligations and 2 warnings.
The flagship fines: cookies and marketing on top
- Google: EUR 325 million for failure to comply with cookie and consent rules.
- Shein: EUR 150 million on the same cookies and consent topics.
The signal is clear: the CNIL no longer treats cookies as a second-tier technical topic. Non-compliant banners ("accept all" more prominent than "reject all", pre-ticked boxes, withdrawing consent harder than giving it) are now sanctioned at the level of the historic major GDPR cases.
Employee video surveillance: 16 sanctions this year
16 organisations were sanctioned in 2025 for non-compliance with employee video surveillance rules. Typical breaches: cameras continuously filming workstations, no prior information given to employees and their representatives, image retention beyond 30 days, and no Data Protection Impact Assessment (DPIA), which employee video surveillance systematically requires.
Data security: 14 organisations sanctioned and a 2026 priority
Fourteen organisations were sanctioned in 2025 for personal data security breaches (Article 32 GDPR). But the real signal is in the CNIL's 2026 priority declaration: "half of inspections and enforcement actions will be devoted to data security".
If your password policies are not ANSSI-compliant, if you do not have MFA on admin access, if your backups are never restore-tested, if your sensitive data is not encrypted at rest, if your EDR is signature-only, you are statistically exposed to a CNIL inspection in 2026.
AI: the CNIL steps in as AI Act authority
- Already designated as the supervisory authority for AI Act prohibited uses (Article 5 of Regulation 2024/1689): social scoring, behavioural manipulation, real-time biometric identification in public spaces.
- Future market surveillance authority for high-risk AI systems (Annex III): biometrics, migration and asylum, border control, employment, education, essential public services.
- Publication in 2025 of resources for AI designers and developers, now translated into English, serving as a de facto European reference.
So what is the most important signal?
Our reading, after analysing the full report and cross-checking with what we observe across our 200+ external DPO mandates: the most important signal is not in the Google or Shein fines, nor even in the 2026 security priority. It is in the hacking figure.
One data breach in two now results from hacking. That number says a lot:
- External attackers are no longer marginal. The majority of leaks are no longer due to a misdirected email or a lost file; they are the work of an attacker who actively broke in.
- The GDPR/cybersecurity boundary has disappeared. Notifying a breach within 72h also means notifying a cyber incident under NIS 2 within the same deadlines. Both topics must be handled together.
- The CNIL and its European counterparts will inspect technical measures far more than before. A well-written but unapplied security policy will be spotted by a technical inspector in 30 minutes.
Practical consequence for 2026: you can no longer separate the DPO from the CISO. Data protection and cybersecurity must share the same tools, action plans, registers and tested incident scenarios. This is precisely the logic of our DPO Assist platform: one tool for GDPR tickets, 72h breaches, ENISA/CNIL severity grid qualification, and critical processor tracking.
Four actions before end of Q1 2026
- Cookie and marketing audit. Verify your banners follow CNIL/EDPB guidelines: "reject all" as accessible as "accept all", no pre-ticking, no dark patterns.
- Technical security audit under Article 32 GDPR. MFA everywhere, encryption at rest, behavioural EDR, 3-2-1 backups tested, MITRE ATT&CK as detection reference. Our NIS 2 audit article details quality criteria.
- AI inventory and AI Act compliance. List all AI systems used (officially or shadow IT), classify by risk per Annex III, formalise internal usage charter, plan compliance.
- Test the 72h breach alert chain. Simulate a real scenario with your team and time the decision chain through to the pre-filled regulator form.
Conclusion: 2026 will be the year of technical security
The CNIL 2025 report unambiguously sketches the 2026 trajectory. Record cookie fines show that formal compliance is still being pursued, but technical security is becoming GDPR's main battleground, because that is now where half of all leaks originate. The boundary between GDPR and cybersecurity is disappearing. Your data protection and cybersecurity policies must merge.
If you want to discuss your specific case, our external DPO and external CISO team has been working these topics together since 2018, with a shared view of tools, registers and incidents. Contact us or request a tailored quote within 24 hours.