CNIL Reports Record 20,150 Complaints and Nearly €500 Million in Fines, Shifts Half of 2026 Enforcement to Cybersecurity

Context CNIL, France’s national data protection authority, oversees compliance with the EU General Data Protection Regulation and related laws. Its annual activity report reflects trends in privacy complaints, breach notifications, and enforcement actions.

Key Facts - CNIL recorded 20,150 complaints in 2025, up 10% from the previous year. - It conducted 323 investigations, issued 259 corrective measures, and imposed 83 sanctions totaling almost €487 million. - Two major sanctions accounted for a large share of the fine total, while a simplified procedure introduced in 2022 accelerated resolution of less complex cases. - For 2026, CNIL announced that 50% of its controls and enforcement efforts will be allocated to data security, targeting organisations affected by breaches, those subject to complaints, and sectors handling large volumes of sensitive personal data.

What It Means The rise in complaints signals growing public concern over how personal data is handled, especially after high‑profile breaches. The substantial fines demonstrate CNIL’s willingness to impose significant financial penalties for non‑compliance. By shifting half of its 2026 enforcement to cybersecurity, the authority will likely increase scrutiny of technical safeguards such as encryption, access controls, and incident‑response plans. Organizations should expect more frequent audits focused on breach prevention and faster corrective actions when vulnerabilities are found.

What to watch next Monitor CNIL’s 2026 enforcement calendar for announcements of sector‑specific cybersecurity checks and any updated guidance on protecting health, biometric, and employment data under the forthcoming EU AI Act.