EU AI Act in France: Enforcement, Authorities, and Business Obligations
EU AI Act applies directly in France. CNIL and DGCCRF proposed as enforcers. Covers penalties, GDPR overlap, and Dec 2027 high-risk deadline.
France has positioned itself as a European champion of AI development — President Macron's February 2024 Paris AI Action Summit and France's €109 billion AI investment package signal a government determined to lead, not follow, on artificial intelligence. Yet the EU AI Act — Regulation (EU) 2024/1689 — does not wait for national ambition to align with national law. It applies directly in France now, with substantive obligations already in force, regardless of whether Paris has completed the work of designating its enforcement authorities.
This article sets out where France stands: which obligations already bind French companies, the proposed national governance framework awaiting Parliament, how the CNIL fits into the picture, the GDPR interaction, the corrected timeline under the Digital Omnibus, and what French businesses should be doing today.
A Regulation, Not a Directive: No French Transposition Required
The EU AI Act is a Regulation, not a Directive. By virtue of Article 288 TFEU, Regulation (EU) 2024/1689 entered into force on 1 August 2024 and applies directly and uniformly across every Member State, including France. No French Parliament vote is needed to give it legal effect. French companies do not wait for a loi d'application before obligations bite.
What France does need to provide is the national enforcement infrastructure: the designation of competent authorities under Article 70, domestic procedures for imposing sanctions, and whatever national measures are required in areas where the Regulation grants Member States discretion. Those elements are still being assembled.
Article 5's prohibited practices applied from 2 February 2025. GPAI model obligations under Chapter V applied from 2 August 2025. General application — including Article 50 limited-risk transparency duties — applies from 2 August 2026. The high-risk regime follows, with stand-alone Annex III systems due from 2 December 2027 under the Digital Omnibus. None of those dates depends on France completing its national governance work.
France's Designation Is Still Pending
The deadline for Member States to designate national competent authorities under Article 70 was 2 August 2025. France missed it.
The French Government has since proposed a governance framework — a sector-segmented model with a coordinating hub — that still requires adoption by Parliament before it becomes final. As of early June 2026, the proposal has not been enacted into law. Nothing about the proposed structure is settled; Parliament could amend, delay, or alter it.
That uncertainty carries a practical consequence companies should take seriously. The Regulation's obligations and deadlines are set by Brussels, not Paris. French companies already owe Article 4 AI literacy duties, Article 5 compliance, and GPAI-related obligations. The absence of a designated national authority means there is currently no French body empowered to investigate high-risk AI infractions or impose Article 99 fines through a domestic enforcement procedure — but that window will close once Parliament acts, and the AI Office in Brussels already has direct enforcement competence over GPAI model providers.
Treat the designation delay as an administrative gap, not a reprieve. The obligations exist; the enforcer is coming.
Who Will Enforce the EU AI Act in France? (Proposed Model)
The French Government's proposed framework splits oversight by sector and establishes a coordinating hub. None of the following is final until Parliament adopts it.
DGCCRF: Proposed Coordinator and Single Point of Contact
The Direction générale de la concurrence, de la consommation et de la répression des fraudes (DGCCRF) is proposed as the coordinating authority and France's single point of contact for the EU AI Office under Article 70. As the national consumer and market surveillance body, DGCCRF already enforces product-safety and unfair-commercial-practices rules; the proposed AI Act mandate would extend that cross-sectoral coordination role. Under the proposed model, DGCCRF would directly oversee approximately 14 AI use cases.
CNIL: Proposed Supervisor for Rights-Sensitive Use Cases
The Commission nationale de l'informatique et des libertés (CNIL) — France's data protection authority — is proposed to oversee approximately 15 AI use cases, concentrated on rights-sensitive and personal-data-intensive deployments. The CNIL has publicly argued that data protection authorities, with their existing powers and expertise over personal data processing, are the natural home for oversight of high-risk AI in areas such as biometric identification, employment, creditworthiness, and health.
That argument has institutional logic. The systems most likely to generate serious harm under the AI Act are precisely the systems that also process personal data at scale. Placing the CNIL in a supervisory role for those use cases means one authority holds both the GDPR and AI Act threads.
ARCOM: Proposed Oversight of Audiovisual and Platform Use Cases
ARCOM (the Autorité de régulation de la communication audiovisuelle et numérique, France's audiovisual and digital regulator) is proposed to oversee approximately 7 AI use cases — those connected to media, digital platforms, and content distribution. ARCOM's existing mandate under the Digital Services Act and platform governance rules gives it relevant experience for AI-generated content and deepfake-related use cases.
Shared Technical Pool: ANSSI and PEReN
The proposed framework would establish a shared technical-expertise pool drawing on ANSSI (Agence nationale de la sécurité des systèmes d'information, France's cybersecurity agency) and PEReN (Pôle d'expertise de la régulation numérique, the Centre of Expertise in Digital Regulation). This pool would support the market surveillance authorities on technical assessments — cybersecurity evaluations under Article 15, review of technical documentation under Annex IV, and the more complex conformity questions — without itself holding enforcement powers.
EU AI Office: Direct GPAI Supervision
French companies that develop and place general-purpose AI models on the market are not supervised by any French authority for that activity. The EU AI Office in Brussels holds direct competence over GPAI model obligations under Articles 53 and 55, whichever French governance framework eventually crystallises. French AI model developers engaging with the EU AI Office's codes of practice process should treat that as a Brussels relationship, not a Paris one.
How France's Framework Interacts with the GDPR
The CNIL's proposed role is not arbitrary — it reflects a genuine structural overlap between the EU AI Act and the GDPR that France is better placed than most to manage, given the CNIL's reputation as one of Europe's more active data protection authorities.
The most immediate stacking point is between GDPR Article 35 (the Data Protection Impact Assessment, DPIA) and Article 27 of the EU AI Act (the Fundamental Rights Impact Assessment, FRIA). Both are mandatory prior to deployment for systems they cover; both require documented assessment of risks to persons; and Article 27(4) of the AI Act explicitly allows the FRIA to build on an existing DPIA. A French public body deploying an AI system to assess social-benefit eligibility will owe both. The workload is real, but the factual foundations of the two assessments overlap substantially — completing a thorough DPIA first is good preparation for the FRIA, not duplicate effort.
The second interaction concerns automated decision-making. GDPR Article 22 restricts decisions made solely by automated processing that produce legal or similarly significant effects on individuals, and requires meaningful information about the logic involved. The EU AI Act's Article 12 logging and Article 13 transparency requirements for high-risk AI systems stack on top of that. A French fintech using an AI creditworthiness model faces simultaneous obligations under both instruments: Article 22 GDPR on the decision logic disclosure, and Articles 12 and 13 of the AI Act on record-keeping and deployer information. Neither replaces the other.
The CNIL has been active in AI governance before the EU AI Act — its 2023–2024 work on AI and GDPR, and its recommendations on facial recognition, provide a foundation. Where the CNIL holds both supervisory mandates, companies can expect coordinated rather than duplicative investigations, but also coordinated rather than duplicative scrutiny.
The EU AI Act Timeline as It Applies in France
| Date | What applies |
|---|---|
| 2 February 2025 | Article 5 prohibited practices and Article 4 AI literacy — in force and enforceable now |
| 2 August 2025 | GPAI obligations (Chapter V, Articles 51–56), governance, AI Office, Article 99 penalties |
| 2 August 2026 | General application including Article 50 limited-risk transparency (chatbots, deepfakes, synthetic-content marking, emotion recognition disclosure) |
| 2 December 2027 | Stand-alone high-risk AI systems (Annex III list) — deferred under the Digital Omnibus |
| 2 August 2028 | High-risk AI as safety components of Annex I regulated products — deferred under the Digital Omnibus |
Two dates warrant emphasis for French companies.
Article 5 is already live. French companies using AI that involves social scoring by public authorities, subliminal manipulation exploiting vulnerabilities, biometric categorisation by sensitive characteristics outside the permitted exceptions, or real-time remote biometric identification in public spaces should have completed their review before February 2025. The prohibition has been enforceable — at EU level by the AI Office, and potentially at national level once France completes its designation — since that date.
The high-risk deadline has moved. Under the Digital Omnibus — the Commission amendment package for which the European Parliament and Council reached political agreement on 7 May 2026, with formal adoption expected before 2 August 2026 — stand-alone Annex III high-risk systems now have until 2 December 2027, and high-risk AI embedded in Annex I products until 2 August 2028. That deferral does not mean the work can wait until 2027. Building an Article 9 risk management system, assembling an Annex IV technical documentation pack, establishing Article 14 human oversight controls, and completing a conformity assessment under Article 43 typically takes six to twelve months of focused work for a well-resourced organisation. Starting in 2026 is prudent; starting in mid-2027 is not.
Penalties: What Companies in France Face
The penalty framework is Article 99 of Regulation (EU) 2024/1689. Three tiers apply:
- €35,000,000 or 7% of total worldwide annual turnover (whichever is higher) — for violations of the Article 5 prohibitions. Deploying a banned AI practice — social scoring, real-time public biometric identification outside the law-enforcement carve-outs — sits in this tier.
- €15,000,000 or 3% — for non-compliance with most other obligations: high-risk AI system requirements (Articles 9–15), provider obligations (Article 16), deployer obligations (Article 26), Article 50 transparency duties, and related obligations.
- €7,500,000 or 1% — for supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.
For smaller companies, Article 99(6) provides a proportionality cap: for SMEs and start-ups, the fine is the lower of the fixed amount or the percentage. A French company with €8 million in annual turnover cannot face a €15 million fine for a high-risk obligation breach — 3% of €8 million is €240,000, and that is the ceiling.
Fines are maximums, not defaults. Proportionality factors — the duration and severity of the infringement, degree of cooperation, and prior conduct — will shape any actual figure. But the ceiling is real, and the 7% tier has applied to prohibited practices since 2 August 2025.
One practical note: the national enforcement procedure through which French authorities will investigate and impose these fines is still being established alongside the governance framework. That procedural uncertainty does not affect the underlying obligations, but it does mean the immediate enforcement risk sits primarily with the EU AI Office (for GPAI) and with whatever national authority is first designated.
France-Specific Compliance Considerations
AI Regulatory Sandboxes: Operational by August 2026
Article 57 of the EU AI Act requires each Member State to establish at least one AI regulatory sandbox by 2 August 2026. French companies — and particularly those developing novel AI systems in financial services, health, or public administration — should monitor the French sandbox's operational rules once published. Article 58 mandates priority access and reduced fees for smaller companies. Sandboxes allow supervised real-world testing under regulatory oversight before general market launch; for French AI developers targeting high-risk categories, this is a meaningful pathway to market that the designation delay should not obscure.
Public-Sector Deployers: Mandatory FRIA
French public bodies — ministries, prefectures, social-security bodies (CAF, CPAM), and public agencies such as Pôle Emploi — deploying AI in Annex III categories must complete a FRIA under Article 27 before putting the system into service. The French public sector has a long history of using algorithmic systems in benefit eligibility, tax assessment, and public-service resource allocation; many of those systems will require formal classification, and some will require a FRIA. Public-body compliance has high visibility — it sets the standard and will likely attract early supervisory attention once the national framework is established.
Deployer vs. Provider: The Article 25 Risk for French Customisers
Most French companies deploying third-party AI tools sit in the deployer role under Article 26. But fine-tuning a vendor model on proprietary data, integrating it under a company's own name, or substantially modifying its intended purpose can shift a company across the Article 25 line into full provider obligations under Article 16. French technology companies — including many in the Paris tech ecosystem — that have adapted vendor AI tools for specific professional use cases should work through the Article 25 analysis carefully. The shift from deployer to provider is not visible from the outside; it depends on what was done to the system, not what it is called.
Documentation Now as an Uncertainty Premium
France's pending designation creates a specific compliance consideration: while the national enforcement framework is unclear, companies cannot know exactly which authority will review their documentation, in what sequence, or with what investigative tools. The rational response is to document classification reasoning now — which Article 6(3) filter analysis was applied, which Annex III categories were assessed, how role (provider or deployer) was determined. Documentation produced close to the event is more credible and useful than documentation reconstructed under regulatory pressure.
How Confir Helps Companies in France
Building the EU AI Act documentation stack from scratch is time-consuming. The Annex IV technical file alone spans nine content areas; add the Article 47 / Annex V Declaration of Conformity, the Article 27 FRIA for qualifying deployers, and an organisation-wide AI inventory, and the workload quickly exceeds what most compliance or legal teams have bandwidth for alongside their day jobs.
Confir is an EU-hosted compliance tool built specifically for this work. Its classification engine is rule-based and deterministic — it encodes Articles 5 and 6 with Annex III logic in explicit rules, producing the same finding from the same intake every time, with a human-readable explanation of which rule applied. No LLM inference, no hallucination risk. It generates the full Annex IV technical documentation pack, the Article 47 / Annex V Declaration of Conformity, and the Article 27 FRIA. Pricing from €600 per year, self-serve, no consulting engagement required.
What Companies in France Should Do Now
Immediately (Article 5 obligations already in force): Audit any AI system that could involve biometric categorisation by sensitive characteristics, social scoring by public authorities, real-time biometric identification in public spaces, subliminal manipulation, or exploitation of personal vulnerabilities. If it fits an Article 5 category and no statutory exemption applies, it must stop or be restructured. The prohibition has been enforceable since 2 February 2025.
Before 2 August 2026 (Article 50 transparency): AI systems that interact with natural persons — customer-facing chatbots, voice assistants, AI-generated content tools, emotion recognition systems — must comply with Article 50's transparency and labelling obligations. Users must know when they are interacting with AI; synthetic content must be marked. This is not the high-risk deadline, but it is real, it is coming, and it is separate from the national designation question.
2026–2027 (high-risk preparation, Annex III systems): Companies with stand-alone Annex III systems have until 2 December 2027 under the Digital Omnibus deferral. Use 2026 to build the AI inventory and classification, apply the Article 6(3) filter to determine which systems genuinely land in high-risk categories, assign provider and deployer roles, and begin documentation. French public bodies should initiate FRIA preparation for any Annex III systems in active deployment.
Ongoing: Track the French governance bill's parliamentary progress — the first enforcement actions in France will signal which authority is prioritising which sectors. Monitor CNIL guidance on the GDPR–AI Act intersection; the CNIL is an active publisher and its positions on AI oversight are among the most developed of any European DPA. Watch EU AI Office GPAI guidance if your company develops or integrates foundation models.
Frequently Asked Questions
Who enforces the EU AI Act in France?
As of June 2026, France has not yet designated national competent authorities — it missed the 2 August 2025 Article 70 deadline. The Government has proposed a framework with DGCCRF as coordinating authority and CNIL overseeing rights-sensitive use cases, but Parliament has not yet adopted it. In the interim, the EU AI Office in Brussels directly supervises GPAI model obligations and the Article 5 prohibitions remain enforceable. Once France's designation is complete, DGCCRF, CNIL, and ARCOM would each take responsibility for their allocated use-case areas.
Has France formally designated its AI Act authority?
No. France proposed a governance framework but missed the statutory Article 70 deadline of 2 August 2025. The proposed designation — DGCCRF as coordinator, CNIL for roughly 15 use cases, DGCCRF for 14, ARCOM for 7 — requires parliamentary adoption. Until that process concludes, the national enforcement infrastructure is not in place. French companies' obligations under the Regulation are unaffected by that gap.
What is the CNIL's role under the EU AI Act?
Under the proposed French framework, the CNIL would oversee approximately 15 AI use cases — primarily those that are rights-sensitive or personal-data-intensive, such as biometric identification, employment, creditworthiness, and health applications. The CNIL has publicly argued that data protection authorities are the appropriate supervisors for high-risk AI in those areas. The CNIL's existing GDPR enforcement experience — and its own published AI guidance — make it the most active AI governance actor in France, even before formal designation.
What are the AI Act fines in France?
Article 99 sets three tiers: €35 million or 7% of worldwide annual turnover for Article 5 prohibition breaches; €15 million or 3% for most other obligations including high-risk AI requirements and deployer/provider duties; and €7.5 million or 1% for supplying incorrect or misleading information to notified bodies or authorities. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the fixed amount or the percentage of turnover. The national enforcement procedure is still being established alongside France's governance framework.
When do high-risk AI Act rules apply in France?
Under the Digital Omnibus amendment (political agreement reached 7 May 2026), stand-alone high-risk AI systems listed in Annex III apply from 2 December 2027. High-risk AI embedded in Annex I regulated products applies from 2 August 2028. Article 5 prohibitions applied from 2 February 2025 and are in force now. Article 50 limited-risk transparency obligations apply from 2 August 2026. The national designation delay does not affect any of these dates.
Does the EU AI Act apply in France even without the national governance law?
Yes. The EU AI Act is a Regulation that applies directly by virtue of EU law, without requiring a French implementing law. Article 5 prohibitions and Article 4 AI literacy obligations applied from 2 February 2025; GPAI and penalty provisions from 2 August 2025. France's pending governance work determines which national authority will enforce, not whether the rules apply. French companies are bound by Regulation (EU) 2024/1689 today.
Does the AI Act apply to French companies operating outside France?
The EU AI Act has extraterritorial reach under Article 2. It covers providers placing AI systems on the EU market — regardless of where they are established — and deployers located in the EU. A French company providing AI services to customers in Germany or Spain is within scope. A non-EU company placing AI systems on the French market is also within scope, and must appoint an authorised representative in the EU under Article 22. The relevant article for extraterritorial scope is Article 2; see the related guide below for the full analysis.
Related guides
- EU AI Act: what it is and who it covers
- EU AI Act: full application timeline
- EU AI Act extraterritorial scope — non-EU companies
- EU AI Act penalties: Article 99 fines explained
- EU AI Act in Germany: enforcement and authorities
- Annex III: the high-risk AI use-case list
- Article 27 FRIA: public-sector deployer obligations
- Deployer obligations under Article 26
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →