CNIL (Commission nationale de l'informatique et des libertés)
France's independent data-protection authority: it enforces the GDPR, receives the 72-hour breach notifications required by Article 33, inspects and fines controllers, and publishes the guidance that personal-data handling in France is measured against.
The CNIL (Commission nationale de l'informatique et des libertés) is France's independent data-protection authority. Established by the Loi Informatique et Libertés of 6 January 1978, it is one of the world's oldest data-protection regulators, and since 25 May 2018 it has been the French supervisory authority for the EU General Data Protection Regulation (GDPR). Its website is cnil.fr.
For the RSSI (the French CISO), the DPO and security buyers, the CNIL matters on three operational fronts.
- Breach notification. Under GDPR Article 33, a controller must notify a personal-data breach to the CNIL without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Every breach, notified or not, must be documented internally (Article 33(5)), and the CNIL can ask for that record. Late or incomplete notification is itself a regulated failure, separate from the breach.
- Inspections and sanctions. The CNIL conducts on-site, remote and document-based inspections, and its restricted committee (formation restreinte) imposes the fines. Under GDPR Article 83 the ceiling is €10M or 2% of worldwide annual turnover for breaches of controller and processor obligations such as Article 32 security measures, and €20M or 4% for breaches of the basic principles, data-subject rights and transfer rules, whichever amount is higher in each tier. Recent French decisions have repeatedly cited insufficient security measures under Article 32, including weak password policies and insufficient staff training.
- Guidance and reference frameworks. The CNIL publishes recommendations, référentiels and practical guides on subjects such as cookies, biometrics, video surveillance, BYOD, employee monitoring and the role of the DPO. Most of this is formally soft law, but in practice it is the benchmark an inspection measures an organization against, so treating it as advisory is a mistake.
For French organizations the CNIL is the data-protection counterpart to ANSSI on the technical-security side. ANSSI publishes the methodologies for how to secure systems; the CNIL enforces what must be protected and how it must be governed when personal data is involved. The two come up together in NIS2 and DORA discussions because many security incidents are also personal-data incidents, which means one event can trigger notifications to both authorities on different clocks.
The behavioral angle is increasingly visible in CNIL decisions. When a breach traces back to a phishing click, an over-broad file share, or an OAuth grant to an unverified app, the regulator looks for evidence that the controller did more than file a policy and run an annual e-learning: that the risky behavior was detected, acted on and corrected. That is the behavioral evidence Engarde (engarde.cc) produces for DPOs and CISOs.
Related terms
- GDPR Article 32: the GDPR clause requiring controllers and processors to implement appropriate technical and organizational measures, increasingly read to include behavioral controls.
- ANSSI (Agence nationale de la sécurité des systèmes d'information): France's national cybersecurity agency, which publishes the guidance, certifications (SecNumCloud, CSPN) and incident-response posture French organizations align with.
- NIS2: EU Directive 2022/2555, raising cybersecurity obligations across essential and important entities, with behavioral controls and training now in audit scope.
- PSSI (Information Systems Security Policy): the French Politique de Sécurité des Systèmes d'Information, an organization's master security policy, formalized following ANSSI's PSSI guide (the State's own instance is the PSSI-E).
- Behavioral evidence: the audit artifact showing that a risky behavior was detected, the employee was nudged, and the behavior was corrected, increasingly demanded over training completion certificates.