Marie-Laure Denis opens her annual report with a word worth taking seriously. Hinge year. The term appears twice in the opening paragraphs, which is not the kind of repetition you expect from a careful writer. The president of France's data protection authority picks her vocabulary with the caution of a former Conseil d'État councillor, and when she says hinge, she is describing an institutional shift she observes without fully controlling.

The question is: hinge between what and what. The report answers only between the lines, provided you read it as a transition document rather than as an activity record. Several deep currents cross through its pages, none of them reducible to a headline, and that is precisely what makes the reading interesting.

Time as a regulatory tool

The first shift concerns the temporal function of the regulator. In spring 2025, after a 2024 that had already broken every record for notified breaches, the CNIL published its guidance on securing large databases. It pressed on multi-factor authentication, on logging, on remote-access supervision, on subcontractor management. Then it announced, in plain language, that it had granted actors time to adapt and that controls would run throughout 2026.

Read quickly, this sentence looks like administrative routine. Read slowly, it is a doctrinal admission. The regulator is writing into its own method the certainty that organisations will not act on the mere publication of a recommendation. It no longer expects spontaneous compliance. It calibrates its pressure across time.

The report contains enough material to confirm the doctrine. Five years separate the cookie guidelines, adopted in 2020, from the September 2025 sanctions against Google and Shein, for a combined total of 475 million euros. Five years during which the rules were known, documented, illustrated, and largely ignored by actors who could not seriously plead ignorance. The restricted formation says so explicitly in its reasoning. Eighty percent of the large-scale breaches observed in 2024 were enabled by user accounts protected by a password alone. Multi-factor authentication has existed for twenty years, its operating cost has collapsed, its integration is documented down to the consumer manual. And yet the 2025 report shows that 17,802 breaches were notified during the year, a large share of them exploiting precisely the vector the CNIL has been warning against for a decade. Knowing the risk has never been enough to trigger the decision.

The subcontractor blind spot

The second shift concerns subcontractors, and this is where reading the report becomes uncomfortable for an informed observer. Two software vendors are compromised during the year. One serves wealth-management professionals, the other independent healthcare providers. Each of these two incidents generates, in cascade, several thousand breach notifications from client firms who suddenly discover they are data controllers of a system they no longer really control. Eleven thousand six hundred and thirty-five notifications for these two events alone. The CNIL has to remove the numbers from its annual statistics so that the overall trend remains legible.

The president frames the observation with care. A significant share of incidents involves a subcontractor with deficient security. The report adds that sector concentration aggravates the phenomenon, since a single vendor can serve hundreds or even thousands of organisations in the same field.

The discomfort comes from the fact that this finding is not a discovery. ENISA, in its 2030 cybersecurity threat foresight published in 2023, already ranked software supply-chain compromise as the top emerging threat of the decade. The technical incident reports of 2020 and 2021, starting with SolarWinds, had made the mechanism visible to anyone following the topic. The CISOs of large organisations had been talking about it at conferences for five years. The CNIL 2025 report treats this risk as a phenomenon worth analysing now, when it had been documented, modelled, and anticipated by the technical community for half a planning cycle. Five years behind the experts who warned, translated into the numbers of an annual report.

The lag is not an individual failing of the institution. It is inherent to the operating mode of a legal regulator, which can only integrate a risk into its doctrine after statistical materialisation in its own data flows. But it raises a practical question for data controllers. If the authority only formalises a risk after five years of converging signals, a compliance audit grounded in the state of the law cannot be confused with a resilience audit grounded in the state of the threat. Organisations that settle for the former are accumulating an operational debt they will pay on the day of the incident, not on the day of the audit.

The admission of inter-regulation

The third shift is the one the president names explicitly and which deserves to be taken at her word. She speaks of a new era, the era of inter-regulation. The term is not neutral. It acknowledges that the CNIL is no longer the sole authority in its domain, that it now shares competence with the DGCCRF on the AI Act, with the ARCEP on the Data Governance Act, with the ARCOM on political advertising and the Digital Services Act, with the competition authority on cross-cutting digital economy issues. This entanglement mechanically increases the coordination burden, which the president concedes without dressing it up: the implementation of these new missions implies stronger coordination with many other regulators, through procedures that often remain to be built.

Procedures remaining to be built, in a context where the texts have already entered into force. The sentence is heavy. It says that the European legislator stacked regulations faster than national authorities could organise their interaction, and that regulated entities are operating within a formal framework that is not yet operationally workable. The July 2025 Helsinki declaration, in which the EDPB commits to simplify GDPR application for small and medium organisations, is in reality a collective admission of this tension. The complexity of European regulation has itself become a factor of non-compliance, and the authorities are recognising it together.

Four jobs for one institution

The fourth shift concerns artificial intelligence, and the report devotes considerable space to it for reasons that go beyond the AI Act calendar. The CNIL is being assigned, subject to parliamentary confirmation, four distinct roles in AI regulation. These four roles are not an extension of its missions, they are four different professions. The first is the one it has exercised for a decade, protecting personal data within algorithms. The second consists in controlling the absence of prohibited AI systems, which requires technical expertise on what constitutes a banned system. The third is an alert function under fundamental rights, which moves the CNIL closer to a quasi-constitutional authority. The fourth is market surveillance over a large share of high-risk AI systems, in domains as sensitive as biometrics, employment, migration, and law enforcement.

The president acknowledges that this fourth role places the institution in an operating mode it does not yet master. She speaks of adapting working methods to this new profession and of taking ownership of the AI Act from an operational angle. Put another way, the authority is building its doctrine while walking, and the actors deploying AI in 2026 will operate within a framework whose practical contours are still stabilising in real time.

The study conducted with the French Ministry of Labour and the AFCDP, published in 2025, shows that sixty percent of DPOs report being frequently involved in AI projects and express a strong need for support, both technical and legal. The number does not just say that DPOs are working on AI. It says that the role designed in 2018 to embody GDPR compliance is shifting toward a multi-text orchestration job that was never sized to handle it. Many DPOs in post today lack the technical background to evaluate training pipelines, memorisation risks, architectural choices. The CNIL does not put it that way, but its own numbers reveal it.

The mental gymnastics of record fines

The report announces a total of 486,839,500 euros in fines, a spectacular increase from 55 million in 2024. The figure is featured in the headline statistics, in the communications, in the recap pieces echoed by the trade press. It deserves a pause, because its structure tells a different story from the one it pretends to tell.

Of those 486 million, 475 come from two decisions handed down on the same day, 1 September 2025, against Google for 325 million and against Shein for 150 million. Both decisions concern the same subject: non-compliance with cookie legislation. Strip these two cases out, and the total fines issued over the year fall to around 11 million euros, five times less than the previous year. The record is not a record of repressive activity, it is the effect of concentrating on two long-prepared, targeted files.

This does not undermine the legitimacy of the sanctions. Google had already been fined twice for comparable conduct; Shein operated at massive scale in full knowledge of the rules. The breach is documented and the penalty looks proportionate. But the gap between the media display of the figure and the reality of repressive practice deserves to be named.

Cookies are a second-tier subject in the hierarchy of risks. Non-consented advertising tracking infringes privacy, but it does not bring down a healthcare system, does not leak the data of several million citizens, does not paralyse an administration. The massive breaches affecting a telecom operator, a sovereign ministry, a sports federation are a completely different category of risk, and these are the subjects on which actor maturity remains weakest. The report acknowledges this implicitly by devoting a whole chapter to the security of large databases.

Yet on those subjects, the volume of fines remains modest. The simplified procedure caps individual sanctions at 20,000 euros. Serious security failings, which require lengthy investigation and a detailed technical demonstration, rarely result in headline amounts. The CNIL has the means to hit hard on legally clear subjects like cookies, and struggles to hit hard on operationally complex subjects like a subcontractor failure or the mapping of an intrusion.

The result produces an incentive asymmetry that has to be faced. A rational economic actor reading these 486 million and weighing compliance priorities will tend to invest in the cookie banner and the consent management platform before investing in multi-factor authentication, in subcontractor audits, or in remote-access supervision. It is not that the cookie banner is irrelevant, it is that resource allocation is driven by signal, and the signal sent by the record numbers misrepresents the actual hierarchy of risks.

More missions, same resources

That leaves the question of resources, which structures everything else without always appearing on the front page. The CNIL operates in 2025 with a 30.2 million euro budget and 303 staff, with six new positions during the year and zero new positions planned for 2026. At the same time, its missions expand in every direction under the combined effect of the DSA, the DGA, the French SREN law, the political advertising regulation, and the AI Act. The deputy secretary-general acknowledges that this twin trend, against a budget context that does not allow proportional headcount growth, forces the CNIL to prioritise its activity more sharply. To prioritise more sharply, in administrative language, means to give up on certain controls, certain responses, certain forms of accompaniment. The report does not say which ones, but the attentive reader can anticipate the movement. Enforcement pressure will concentrate where the institution can set precedent and capture media attention, which means on major actors, massive breaches, and subjects that can sustain a headline fine.

For the rest of the economic fabric, the probability of being audited remains statistically low. That does not mean the effort can be relaxed, but it does mean that the motivation to comply can no longer flow from fear of the regulator alone. It has to be rooted in an understanding of operational resilience, which is a different conversation, slower, and harder to carry into a board meeting.

Hinge

The CNIL 2025 report is therefore not a homogeneous document. It layers an activity record, a confession of institutional tension, and an implicit transformation programme. The president speaks of a hinge. The word is right, but the hinge metaphor carries two dimensions: the articulation and the fragility. A hinge connects, and a hinge can also give way.

Several questions remain open after reading. How will the authority practically exercise its market surveillance role without the technical expertise sized for it? How will coordination between European regulators stabilise without further loading the regulated? How will the DPO evolve into a role that now demands a cross-disciplinary competence many do not have? How will organisations integrate the subcontractor cascade into a risk map that, for most of them, did not see it three years ago? And how to explain to a board that the cookie banner is not the main subject, when the authority itself seems to be saying the opposite through its headline numbers?

The report answers none of these questions. It poses them, more or less explicitly, and leaves the actors to work it out. That is probably the best indication of where the regulator actually stands in 2026. It has stopped pretending to know everything, and it has started asking the regulated to do the same.