
Year in review

Adoption of the Data Act

The Data Act entered into force on 11 January 2024, and it will become applicable in September 2025.

The regulation lays down new rules specifying who can access and use data generated within the EU, across all economic sectors.

It aims to ensure fairness in the distribution of the value generated by data between players in the digital environment; stimulate the development of a competitive data market; open up opportunities for data-driven innovation; and make data more accessible to all.

The text includes a number of measures, such as interoperability of services, data access obligations for consumers, guarantees against illegal data transfers and a ban on unfair contractual clauses. They apply to manufacturers of connected objects, online service providers and cloud platforms.

It should enable individuals and businesses alike to exercise greater control over their data, which can be easily copied or transferred between different services when generated by smart objects, machines or devices, thanks to a strengthened right to data portability.

This new piece of legislation is designed to give consumers and businesses a greater say in what can be done with the data generated by their connected products. However, business associations have stated that they believe the safeguards provided for in the text will not be sufficient to protect industrial secrets, placing European businesses at a disadvantage compared with their non-European rivals. Potential data leaks and a process that is too restrictive for small and medium-sized businesses are also feared.

Adoption of Law No. 2024-449 of 21 May 2024 aiming at Securing and Regulating the Digital Space (the SREN Law)

The SREN Law aims at better regulating the digital space and enhancing the protection of internet users, and also aligns French law with the Digital Services Act, the Digital Markets Act and the Data Governance Act.4

Protection of minors

Article 1 of the SREN Law inserts a new Article 10 into the Law on Confidence in the Digital Economy to protect children from pornographic content by mandating age verification systems on pornographic websites. These mandates may be enforced by ARCOM with fines of up to €150,000 and blocking orders against non-compliant websites. Article 1 also requires ARCOM to publish a framework establishing the technical requirements for age verification systems with which providers of pornographic websites must comply.

Additionally, hosts must remove child pornography content reported by the police within 24 hours, and face up to one year in prison and a €250,000 fine for non-cooperation, or more for repeat offences.5

These provisions apply to online public communication service publishers and video-sharing platform providers established in France or outside the European Union.6

Protection of Citizens in the Digital Environment

The law creates a new penalty for acts of online harassment, procurement, invasion of privacy, cyberbullying or other serious offences committed using social media, by providing that a judge may impose a social media ban of six months for these offences, or of up to a year for repeat offences.

Moreover, the SREN Law incorporates the concept of 'revenge porn' (i.e., online blackmail using intimate pictures or video material) into the Criminal Code provision on blackmail.7 It also creates an offence consisting in making available to the public or a third party 'a sexual montage made with the words or image of a person, without that person's consent', punishable by up to two years in prison and a €600,000 fine.8 Where deepfakes (i.e., AI-generated content) are used to commit the offence, the penalty is increased to a maximum of three years of imprisonment and a €75,000 fine.9

The SREN Law introduces cybersecurity filters to protect the public from fraudulent collection of personal or banking information. When an administrative authority is informed of the existence of websites clearly designed for that purpose, it gives the publisher formal notice to cease the infringement and notifies internet access service providers. The latter must then immediately take measures such as displaying a message warning users of the risk incurred and redirecting users to an official website.10

Cloud and the data economy

The SREN Law lays out a new regulation specific to cloud computing services, defined as 'digital service[s] provided to a client allowing on-demand network access to a pool of configurable computer resources [. . .] which can be quickly allocated with minimal management effort or interaction with the service provider'.11

The SREN Law lays down obligations regarding commercial practices, interoperability, portability, digital sovereignty and transparency. Article 26 of the SREN Law requires that service credits be granted for a limited regulatory duration not exceeding one year, and must exclude any exclusivity conditions. Article 26 also prohibits linking cloud sales to service contracts and engaging in 'self-preferential' practices (i.e., providing equivalent software services on differing terms depending on whether they are provided through an in-house cloud service versus an external cloud service, without sufficient justification). Article 27 of the SREN Law provides that data transfer charges must not surpass the actual costs incurred by the supplier and must be directly related to the change of supplier. Charging additional fees to a customer to allow a data transfer to another provider is also prohibited, with a maximum pricing amount established by decree and guidelines published on the costs eligible to determine the pricing.12

Article 28 of the SREN Law provides that service providers must ensure: (1) the interoperability of their services with their client's services or other similar services provided by other suppliers; (2) the portability of digital assets and data, allowing them to be exported to the client's services or those of other providers; and (3) free provision of the application programming interfaces necessary for implementing this interoperability and portability.13 ARCOM may further specify legal requirements via a technical regulation.14 ARCOM is also competent to enforce the regulation applicable to providers of cloud services, including by imposing fines of up to 3 per cent of yearly worldwide turnover (5 per cent for repeat offences), and may also refer relevant cases to the French Competition Authority (FCA).15

State administrations and other public entities using cloud services provided by private suppliers to process particularly sensitive data must adhere to specific obligations. This applies to data, whether personal or not, whose breach could potentially harm public order, public safety, the health or life of individuals, or the protection of intellectual property. In particular, security measures must protect processed or stored data against unauthorised access from third countries.16

Cooperation agreement on DSA enforcement between ARCOM, DGCCRF and CNIL

ARCOM, CNIL and DGCCRF have been designated as competent authorities for France by the SREN Law pursuant to Article 49 of the DSA, with ARCOM being designated as Digital Services Coordinator.17 ARCOM therefore sits at the European Board for Digital Services as introduced by Article 61 of the DSA, and is primarily responsible for controlling the implementation of the DSA in France – except for provisions for which competence has been granted to the CNIL or the DGCCRF.

DGCCRF is tasked with controlling compliance with the following obligations: (1) design and organisation obligations for the online interface of platforms as introduced by Articles 25 and 31 of the DSA; (2) traceability obligations for professionals using online platforms to enter into remote contracts with consumers according to Article 30 of the DSA; and (3) obligations related to information rights of consumers, according to Article 32 of the DSA.

CNIL controls compliance with the following: (1) obligations related to informing service recipients about the advertising displayed on their online interfaces (Article 26-1-d of the DSA); (2) obligations related to the prohibition of displaying advertising based on profiling using personal data (Article 26-3 of the DSA); and (3) the prohibition on displaying advertising based on profiling to minors (Article 28-2 of the DSA).

The three competent authorities signed an agreement on 27 June 2024 which aims at defining the conditions of their cooperation regarding DSA enforcement for online platform providers whose main establishment is located in France or whose legal representative resides or is established in France.18 It establishes: (1) general cooperation commitments; (2) methods for sharing information, including access to the 'Agora' system set up by the European Commission to support communication between digital services coordinators in member states; (3) coordination methods for national and European investigations targeting platforms; (4) participation methods in the European Digital Services Committee; and (5) coordination methods for handling complaints they receive.

The agreement reiterates that, in accordance with the new Article 7-2 of the Law for Confidence in the Digital Economy, 'neither business secrecy, nor confidentiality of investigations, nor the protection of personal data' can hinder the exchange of information between these authorities and the administration.

Project for a new framework for cybersecurity and resilience of service providers

Bill No. 33 on the resilience of critical infrastructure and the strengthening of cybersecurity, dated 15 October 2024, was submitted by the government to the Senate,19 notably in order to implement three directives: (1) Directive 2022/2557 on the resilience of critical entities (the CER Directive);20 (2) Directive 2022/2555 on Network and Information Security (the NIS2 Directive);21 and (3) Directive 2022/2554 accompanying the Regulation on Digital Operational Resilience for the financial sector (DORA).22 It cannot yet be foreseen when this Bill or any equivalent bill may pass into law.

Implementation of the CER Directive

The CER Directive replaces Directive 2008/114 on the identification and designation of European critical infrastructure. Whereas Directive 2008/114 only targets critical infrastructure, the CER Directive provides that Member States shall designate critical entities (i.e., public and private operators involved in a range of activities such as the production or distribution of electricity, credit institutions or healthcare providers, where incidents may have significant disruptive effects on the provision of essential services). The designation of critical entities must occur before 17 July 2026.23 Designated critical entities will be notified within one month.

Critical entities that may be designated include providers of digital services, including electronic communication services and electronic communication network services, providers of internet exchange points, providers of services relating to the domain name system, providers of cloud computing services, and providers of data centre services.24 Note that providers of digital services, along with the banking and financial market sectors, are not subject to the CER Directive's substantive obligations, and Member States remain free to legislate regarding their resilience.25

Designated entities must conduct an analysis of their liabilities and set up a resilience plan in order to ensure the continuation of critical activities.26 Compliance with these obligations can be investigated by an ad hoc commission under the Prime Minister's authority, with the power to impose fines of up to €10 million, or 2 per cent of worldwide turnover for the previous year.27

Implementation of the NIS2 Directive

Implementation of the NIS2 Directive in France will significantly expand the scope of entities subject to French cybersecurity regulation: whereas under the NIS1 Directive operators of essential services were subject to the regulation only after being designated as such by the Prime Minister, under NIS2 all entities involved in the provision of essential services are subject to the regulatory cybersecurity standards. The sectors whose services are considered 'essential' now include new sectors such as digital services (online marketplaces, search engines and social networking platforms), digital infrastructure and ICT service management, in addition to the sectors already considered essential under NIS1: energy, transportation, banking, financial market infrastructure, digital infrastructure, drinking water and health.28

Also, a number of digital services providers, including providers of public electronic communications networks, publicly available electronic communications services, cloud computing services, data centre services, content delivery networks, managed security services, online marketplaces, online search engines and social networking services platforms will fall under the jurisdiction of the Member State where they offer their services (as opposed to their Member State of establishment). Entities not established in the EU, but providing these services in the EU, will also be subject to the jurisdiction of Member States where they provide services, and must designate a representative.29

Although the new cybersecurity risk-management framework introduced by the NIS2 Directive does not introduce many new mandatory measures in addition to the framework already in place in France under Decree No. 2018-384 of 23 May 2018, regulated entities will now have to integrate their third-party direct suppliers into their analysis of cybersecurity vulnerabilities.30 Management bodies of regulated entities must approve the cybersecurity risk-management measures taken by those entities, and oversee their implementation. They can be held liable for infringement of the cybersecurity risk-management framework.31

The NIS2 Directive enhances cyber incident reporting obligations of regulated entities under NIS1: in case of cyber incidents having an important impact, operators must now abide by a reporting process with several notices to the competent national authority at different stages of investigation and resolution of the incident, including early notices within 24 hours of detection of the incident and a final comprehensive report within one month.32

The NIS2 Directive also mandates the establishment of national resilience strategies and provides for the creation of EU-CyCLONe, a European network of liaison organisations for cybersecurity crises.33

Implementation of DORA Regulation and Directive 2022/2556

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 ('DORA') establishes a regulatory framework for the digital operational resilience of the financial sector and for ensuring the cybersecurity of financial entities. The DORA Regulation came into effect on 16 January 2023, with its application date set for 17 January 2025. DORA is considered lex specialis and therefore takes precedence over NIS2 regarding the network and information systems supporting the business processes of financial entities.34 Note that in Bill No. 33 on the resilience of critical infrastructure presented on 15 October 2024, the French government chose to extend the obligations derived from DORA to financial institutions, in addition to credit institutions.35