Annual report: CNIL's achievements and key actions in 2025
19 May 2026
Support for professionals, investigations, awareness-raising, AI regulation, cybersecurity and European cooperation… the CNIL reviews an intense 2025, in the service of protecting the personal data and privacy of all individuals.
Each year, the CNIL publishes an activity report on its actions across its four main missions: informing and protecting the general public, supporting and advising professionals and public authorities, anticipating and innovating to build the digital world of tomorrow, and finally, investigating and sanctioning breaches of data protection requirements, which stem in particular from the General Data Protection Regulation (GDPR).
2025 was marked in particular by a very significant increase in complaints received, an unprecedented total amount of fines, and a record number of data breach notifications. Despite resources that are constrained relative to the increase in its workload, the CNIL is reorganizing and transforming itself, in particular to support the progressive entry into application of the Artificial Intelligence Act.
It is also innovating in the tools it offers, such as those for young people and families, including the FantomApp app, which is dedicated to adolescents and funded by the European Commission.
Download the CNIL’s 2025 annual report
Supporting professionals: a range of tools for all professionals
To produce recommendations that are close to the practices and expectations of professionals, 7 public consultations were launched in 2025 on various topics: connected vehicles, medical records, credit granting, online trackers and social housing.

In addition, the CNIL has published factsheets recalling the rules and good practices for many situations, for example on the display of school lists, the use of ‘augmented’ cameras, the re-use of databases, and for candidates and political parties during elections. It has also supported six innovative projects for the silver economy as part of its "sandbox".
Furthermore, the CNIL processed 539 applications for health authorizations (for research, studies or evaluations that do not fall within the scope of one of its reference methodologies), including 406 applications for health research.
Finally, the CNIL processed 1,351 requests for professional advice and delivered 90 opinions on draft laws or regulatory texts, mainly at the request of the French government.
Complaints: a record increase in solicitations
2025 was marked by a new record number of complaints received by the CNIL, reaching 20,150, which is 10% more than in 2024. The complaints concern, in particular, failures to respect data protection and privacy in the context of work, commerce, real estate or social networks. About 1,900 complaints also directly concern data breaches.
The CNIL collaborates on a daily basis with other European data protection authorities. It thus transmitted more than 230 cross-border complaints and responded to 600 requests from its counterparts.

Investigations and sanctions: an unprecedented amount of fines
As every year, the CNIL has carried out checks on public and private bodies, following complaints or reports, in response to current events, or as part of its priority themes. The topics are varied: respect for fundamental rights, cybersecurity, video devices, or the use of online trackers.
In total, the CNIL carried out 323 investigations and issued 259 corrective measures, including 83 sanctions for a total amount of nearly €487 million (collected by the French Treasury). While two significant sanctions explain this total, which is unprecedented for the institution, the CNIL has also imposed numerous fines on companies of all sizes and sectors of activity, in particular thanks to its simplified procedure put in place in 2022, which allows it to act faster in certain less complex cases.
In addition, the CNIL actively participates in regulation at European level through a sustained dialogue with its counterparts in the framework of the one-stop shop. Thus, in 2025, almost 80 CNIL decisions were submitted to other European authorities, 4 sanctions were adopted in cooperation and, in parallel, the CNIL examined 9 draft decisions of its counterparts.
Awareness raising: a multi-channel strategy to engage with all audiences
To engage with the public, particularly minors, who are more vulnerable, the CNIL relies on numerous partnerships: with Radio France (the "Digital life, privacy" segment on Radio ICI), France Télévision (the "Think before publishing" clip), or Geek Junior magazine.

At the same time, the CNIL was present at a number of events: the seniors’ fair in March, the Hauts-de-Seine Digital Games in April or Paris Plage in the summer, in addition to numerous interventions in schools. In total, the 266 actions carried out on the ground have made more than 20,000 people aware of data protection.
2025 was also marked by the launch of FantomApp, designed to help teens protect themselves on social media.
Finally, over the year as a whole, the CNIL responded to 35,403 calls and 14,654 written requests for information.
Cybersecurity at the heart of CNIL's concerns
All public or private bodies are concerned by cybersecurity issues: from associations to companies, from SMEs to multinationals, from local authorities to ministries.
Of the 6,167 data breaches notified to the CNIL, 1 in 2 incidents reported in 2025 involved hacking, which remains the most frequent type of incident. Data breaches can also result from sending personal data to the wrong recipient or from the loss of equipment.
In the face of threats, the CNIL acts: cybersecurity breaches, which are partly responsible for the increase in the number of complaints, account for one third of controls and nearly 30% of sanctions. It also works with the Agence Nationale de la Sécurité des Systèmes d’Information (National Agency for the Security of Information Systems) and the Paris Cyber Public Prosecutor’s Office for criminal prosecutions, particularly in the most serious cases.

“Three lessons can be drawn from the data breaches reported to the CNIL in 2025: no one is spared; breaches are becoming increasingly massive; they often involve service providers.”
Marie-Laure Denis, chair of the CNIL
In 2026, the CNIL will devote 50% of its controls and enforcement actions to cybersecurity breaches
The last two years have been marked by numerous large-scale data breaches affecting a considerable number of individuals. The CNIL took up this issue from the first alerts, drawing lessons from the breaches, putting forward recommendations to secure large databases in spring 2025, and making the cybersecurity of local and regional authorities one of its priority control themes.
Moreover, where justified, it sanctioned public and private actors, whether data controllers or processors, whose security practices were insufficient.
Despite strong involvement, the situation remains very worrying and requires the CNIL to strengthen its actions.
That is why, in 2026, it will devote half of its controls and enforcement actions to data security.

The CNIL will thus verify strict compliance with security requirements, while continuing to disseminate awareness messages and advice to individuals and professionals, because the security of our data is everyone’s business.
The checks may concern bodies that have been affected by a breach, that are the subject of complaints, or that belong to sectors that are conducive to the massive processing of data, including sensitive or highly personal data (location data, bank data, State files, etc.).
These checks will be linked to the other priority themes defined for 2026.
As a reminder: The security of personal data is an obligation laid down in particular in Article 32 of the GDPR (in addition to other texts, such as the NIS2 Directive for certain critical sectors). All appropriate measures must be taken to limit the risks: the CNIL provides a dedicated guide, official recommendations and advice on the subject.
Numerous actions for innovative and responsible AI
Under the Artificial Intelligence Act, the CNIL is already designated as the authority to monitor prohibited uses and should soon be designated as the market surveillance authority for certain high-risk AI systems (e.g. biometrics, migration, law enforcement, employment or education).
While preparing for these new powers, the CNIL has for years been supporting the use of artificial intelligence in compliance with the GDPR. Thus, in 2025, following public consultations, it published a series of resources for designers and developers, which are now translated into English. It also participated in the AI Action Summit from 6 to 11 February.
In a more forward-looking approach, it has published a traceability tool for open-source AI models and is participating, in cooperation with ANSSI, Inria and PEReN, in the PANAME project: a software library to check whether an AI model processes personal data.