Digital Services and Content Regulation

The liability of hosting providers, previously governed by Law No 2004-575 on Confidence in the Digital Economy (LCEN), is now regulated by the Digital Service Act (DSA), which generally came into effect on 17 February 2024 and is directly applicable in French law.

This new framework establishes harmonised due diligence obligations for providers of intermediary services, and gives regulators broad investigative and enforcement powers at both national and EU levels. However, the core principle of intermediary liability remains the same: hosting providers are not liable for user content unless they have actual knowledge of its illegal nature and fail to act promptly.

The French Consumer Code sets out the obligations that are applicable to online platforms in their relations with consumers (eg, pre-contractual duty to inform).

French Law No 2024-449 of 21 May 2024, known as Sécurité et Régulation de l'Espace Numérique or Security and Regulation of the Digital Space (SREN Law), aligns French legislation with EU regulations such as the Digital Service Act (DSA), the Data Governance Act (DGA) and the Digital Markets Act (DMA), focusing on online safety, misinformation and digital asset regulation. It affects cloud computing, interoperability and digital sovereignty. In addition, Decree No 2024-753 completing SREN Law mandates online comparators, marketplaces and news aggregators to enhance transparency about ranking criteria, provider relationships, pricing and guarantees. Sponsored content must be labelled as “Ads”.

Digital Markets Regulation

Digital markets are currently mostly regulated by general competition law.

The EU Regulation on platform-to-business relations (P2B Regulation) was adopted in 2019 to impose transparency and fairness obligations on online intermediation services and online search engines used by business users to provide goods and services to consumers.

The DMA imposes a range of obligations on providers of core platform services, which are designated as “gatekeepers”. An undertaking should be identified as a gatekeeper if it fulfils three qualitative criteria:

• it has a significant impact on the internal market;
• it provides a “core platform service” that serves as an important gateway for business users to reach end users; and
• it enjoys an entrenched and durable position in its operations, or is expected to enjoy such a position in the near future.

These three criteria are presumed to be satisfied if three quantitative thresholds are met, respectively:

• the undertaking has either an annual turnover above EUR7.5 billion in each of the last three financial years or market capitalisation or equivalent fair market value above EUR75 billion in the last financial year and it provides the same core platform service in at least three member states of the European Union;
• the core platform service has at least 45 million monthly active end users or 10,000 active business users located or established in the EU; and
• this second threshold has been met in each of the last three financial years.

The designated gatekeepers under the DMA are subject to a list of ex ante obligations and prohibitions, most of which must be implemented within six months of their designation. The DSA takes a more comprehensive approach, encompassing a wider range of digital intermediary services and imposing requirements on very large online platforms and very large online search engines to address systemic risks associated with their operations.

On 6 March 2024, the new DMA regulatory framework came into effect for the first designated gatekeepers. This framework includes rules on interoperability and data sharing, and prohibits practices such as self-preference. The European Commission oversees its application and can impose fines of up to 10% of worldwide turnover for infringement (20% in case of repeat offence). At the time of writing, the European Commission has designated seven gatekeepers (Alphabet, Amazon, Apple, Booking.com, ByteDance, Meta and Microsoft) and 24 core platform services.

The DGA, together with the Data Act, is part of the European Data Strategy presented by the European Commission in 2020. This strategy aims to develop a single data market by supporting responsible access, sharing and reuse, in compliance with EU values, and particularly the protection of personal data. The DGA entered into force on 24 September 2023, with a compliance obligation for entities providing data intermediation services no later than 24 September 2025. The regulation aims to promote the sharing of personal and non-personal data by setting up intermediation structures, and concerns all sectors of activity, public and private, without restriction given the nature of data.

It includes a framework facilitating the reuse of certain categories of protected public sector data (confidential commercial information, intellectual property, personal data), and regulates the provision and sharing of data services by imposing notification obligations (private as well as public) and compliance obligations on the operators of these services. It also develops a framework for the voluntary registration of entities that collect and process data provided for altruistic purposes.

Traditional tax rules cannot adequately tax highly digitalised businesses without a traditional “bricks and mortar” presence. Because of the difficulty in achieving agreement on a multilateral level, France introduced a French digital services tax (DST) in 2019. The French DST encompasses online advertising, sales of user data and the use of digital platforms. The tax applies to resident and non-resident companies with a worldwide turnover exceeding EUR750 million and a French turnover exceeding EUR25 million. The 3% tax applies on gross revenues, deriving from the provision of a digital interface, targeted advertising and the transmission of data about users for advertising purposes.

France's Finance Law for 2024 introduced a new “streaming music services tax”, which came into effect on 1 January 2024. This 1.2% tax applies to both paid and free services providing access to recorded music and online music videos in France, levied on amounts exceeding EUR20 million.

Entities established outside of France may be subject to French value-added tax (VAT) obligations if they carry out transactions with customers located in France, including non-resident businesses offering digital products. The standard VAT rate in France is set at 20%. Businesses are required to register for VAT as soon as they make their first business-to-consumer (B2C) sale in France. In November 2024, EU member states unanimously agreed on the VAT in the Digital Age (ViDA) proposal, which seeks to update the EU VAT system with three main components:

• e-invoicing and digital reporting;
• platform economy; and
• single VAT registration.

The current lack of an internationally co-ordinated approach may lead to overlapping taxes, possible double taxation and the administrative burden of applying multiple digital taxes.

To ensure compliance with tax regulations, companies selling digital products and services must understand their obligations – they must:

• determine where they have obligations by cross-checking customer locations, product taxability and registration thresholds in each country;
• monitor tax exposure and register in exposed jurisdictions;
• identify transactions that require tax collection and apply the correct rates to those invoices;
• file tax returns;
• make payments; and
• keep records.

French tax law also introduces additional specific obligations for operators of online platforms that act as intermediaries, which must submit a user’s activity report to the French tax authorities with data about the users.

As mentioned in 1.2 Digital Economy Taxation, DST is applied to revenues generated by certain digital services, including digital advertising platforms, and this mainly targets large companies.

A specific tax applies to revenues generated by the broadcasting of advertising and sponsorship messages on video streaming. This tax is levied at a rate of 5.15% on the portion of pre-tax advertising income exceeding EUR100,000 received within a calendar year. The rate is raised to 15% for the portion of taxable advertising and sponsorship fees relating to access to pornographic content or incitement to violence on the audiovisual content access service. In cases where the platform is free of charge and hosts user-generated video content, allowing it to be shared and exchanged within communities of interest, the tax base is reduced by 66%. This reduction applies to streaming platforms that integrate social networking features, such as messaging services for users.

In France, all the specific taxes mentioned about digital advertising revenues must be liquidated, declared and paid to the Direction générale des Finances publiques.

To ensure compliance with tax law regarding digital advertising, companies must establish robust tax management and reporting systems. This includes the accurate collection of revenue data generated in each jurisdiction, the correct application of local taxes, and the timely submission of tax returns.

The French Consumer Code applies to the TMT sector and includes the new regulatory framework set by the DSA, the SREN Law and its implementing decree.

Consumers benefit from several protections under this framework, including a legal guarantee of conformity (Articles L 217-4 to L 217-13 of the French Consumer Code) and a legal guarantee of hidden defects (Articles 1641 to 1648 of the French Civil Code).

Companies must include mandatory information on their websites to ensure consumers are aware of their rights. They must also comply with the General Data Protection Regulation (GDPR), which grants consumers enhanced rights over their personal data: access, correction, deletion, restriction, objection and data portability. Companies must clearly inform users about how their data is used, especially for advertising purposes, and obtain explicit consent for the intended data processing, if needed.

To ensure that consumer rights are respected, companies must take the following steps:

• they need to identify the applicable standards in the sector in which they operate and the specific regulations that apply thereto;
• they should follow best practices issued by authorities such as the French Data Protection Authority (CNIL), the Autorité de régulation de la communication audiovisuelle et numérique (ARCOM) or the Directorate General for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF);
• they must adapt their processes to ensure compliance with these regulations;
• they should train their teams to raise awareness and ensure everyone understands and follows best practices and regulatory requirements; and
• they need to conduct regular internal or external audits, to verify if they are applying the rules correctly and to correct any non-compliance.

The best practices to handle consumer disputes are to provide clear and comprehensive information to consumers, ensuring transparency while avoiding the disclosure of sensitive details, and to inform consumers about the possibility of resolving disputes amicably.

Companies should ensure access to efficient after-sales services to support consumer satisfaction. They must also implement the processes required by the Consumer Code, such as the right of withdrawal and easy termination procedures outlined by law. Furthermore, consumers are entitled to access a consumer mediator at no cost, to facilitate the amicable resolution of disputes with professionals. Access to consumer-specific mediation must be guaranteed by TMT companies.

Finally, companies need to establish internal processes to handle complaints promptly, such as offering a complaint form to address consumer issues.

Cryptocurrency significantly impacts the legal landscape of the TMT sector both in France and in Europe. Enhanced anti-money laundering (AML) and counter-terrorist financing regulations require TMT companies involved in cryptocurrency activities to implement comprehensive know-your-customer and AML procedures, which are essential for preventing illegal activities and ensuring transaction integrity. The integration of blockchain introduces new considerations for intellectual property rights and data security, requiring legal frameworks to evolve to address issues related to the ownership, distribution and protection of digital content and user data. The legal environment actively supports blockchain and smart contracts, fostering innovation and enabling new business models within the TMT sector.

The main legal challenges posed by cryptocurrency are smart contracts, which are self-executing contracts with terms written into code and stored on a blockchain. Their code-based structure complicates the interpretation of terms, potentially leading to unintended outcomes. Programming errors pose serious security and financial risks due to the irreversible nature of blockchain transactions.

Blockchain and crypto-assets are regulated under EU laws, which are technologically neutral and refer to Distributed Ledger Technology (DLT). These rules apply to both DLT market infrastructures and crypto-assets.

DLT-based market infrastructure is governed by the general framework, which includes Directive 2014/65/EU (MiFID II) for multilateral trading facilities and Regulation No 909/2014 (CSDR) for central securities depositories. To promote DLT adoption, Regulation (EU) 2022/858 introduced the Pilot Regime, offering regulatory exemptions. This applies to DLT multilateral trading facilities (DLT MTFs), DLT settlement systems (DLT SSs) and combined DLT trading and settlement systems (DLT TSSs).

Alongside the general requirements, the Pilot Regime enforces transparency and cybersecurity requirements, such as publishing business plans, defining operational rules and implementing risk management procedures. It also allows DLT SSs and DLT TSSs to settle transactions in DLT-issued currency without using securities accounts or central bank money.

Since 2017, France’s Ordinance No 2017-1674 has enabled the use of shared electronic registration systems (DEEP) for financial securities, granting them the same legal effect as traditional account registration.

Since 30 December 2024, crypto-assets in the EU have been governed by Regulation 2023/1114 (MiCA), which standardises rules for crypto-asset issuers to enhance consumer protection and financial stability. MiCA defines crypto-assets as digital representations of value or rights that can be transferred and stored using DLT.

MiCA identifies three categories of crypto-assets, as follows:

• e-money tokens (EMTs) are crypto-assets whose value is pegged to a single official currency;
• asset-referenced tokens (ARTs) are linked to other assets or rights; and
• all other crypto-assets fall into a separate category.

Issuers are required to publish a white paper, and only credit institutions or electronic money institutions are permitted to issue EMTs. Issuers of significant EMTs and ARTs must also comply with additional obligations related to liquidity and remuneration policies. NFTs, however, are explicitly excluded from MiCA’s scope.

Since the regulation took effect, only authorised crypto-asset service providers are allowed to operate, subject to strict governance and transparency requirements. Existing providers may continue operating under national laws until July 2026 or until they receive MiCA authorisation.

Cloud Computing

CNIL defines cloud computing as the use of the memory and computing capabilities of computers and servers that are distributed around the world and are linked by a network. Applications and data are no longer located on a specific computer, but in a cloud with many interconnected remote servers.

Cloud computing service providers offer several deployment models, such as infrastructure as a service, software as a service or platform as a service. They allow a client to switch part or all its IT infrastructure and resources to the cloud, rather than managing it locally or internally.

Under French law, there is no contractual law category related to cloud computing contracts. As such, they are subject to common French contract law. The SREN Law imposes stringent security requirements on cloud service providers to protect hosted data. Providers must implement strong encryption protocols, conduct regular security audits and ensure the confidentiality of user data. They must also be transparent about the locations of their data centres and their data back-up and recovery policies. Particular attention should be given to the content of the contract, notably regarding data integrity and security, service level agreements (SLAs), the clear division of the responsibilities of each party, and compliance with data protection laws and regulations (Data Act, GDPR). In addition, the termination of the contract should be anticipated, with the use of precise clauses such as notice periods, chain termination of contracts, reciprocal restitution and reversibility.

In March 2022, the National Cybersecurity Agency for France (ANSSI) published version 3.2 of its certification framework for cloud service providers (SecNumCloud), to promote a protective digital environment in line with technical developments. The SecNumCloud identifies trusted cloud services and gives them a label that confirms they comply with the security and regulatory standards set out in the framework. In particular, the framework ensures that the cloud service provider and the respective data that they process are subject to European laws, in order not to undermine the level of protection provided by them.

After the opinion of the French Competition Authority on potentially anti-competitive practices concerning cloud computing companies, the French Parliament adopted the “Secure and Regulate the Digital Space” bill. This law provides for the interoperability of cloud services, the prohibition of data transfer fees and the time limitation of cloud credits, to align with the provisions of the Data Act.

Cybersecurity Implications

The NIS1 and NIS2 directives apply to cloud services and aim to strengthen the security of networks and information systems.

NIS1 established security standards for Operators of Essential Services and Digital Service Providers, including cloud service providers, while enhancing co-operation among EU member states.

Building on NIS1, NIS2 was adopted in 2022 and expands its scope to cover more sectors and entities, addressing sophisticated cyber threats and formalising the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe). It introduces stricter cybersecurity requirements, requiring cloud service providers to implement enhanced risk management measures, adopt state-of-the-art cybersecurity practices, and ensure supply chain security. Significant security incidents must be reported within 24 hours, with follow-up reports submitted within 72 hours.

In France, compliance involves the SecNumCloud certification mentioned above, and participating in the European cloud certification scheme (EUCS). The NIS2 transposition is still pending.

The banking industry is subject to specific provisions regarding cloud computing. Indeed, on 25 February 2019, the European Banking Authority (EBA) adopted new guidelines on outsourcing, which are still applicable. These guidelines include specific provisions regarding the following, for instance:

• the protection of confidentiality and personal or sensitive information; and
• the need to comply with all legal requirements relating to the protection of personal data, banking secrecy or confidentiality obligations concerning customer data.

The French supervisory authority for banks and insurance (the Prudential Supervision and Resolution Authority – ACPR) has published a notice to ensure that these guidelines are followed in France.

In accordance with NIS2 and these EBA guidelines, the Digital Operational Resilience Act (DORA) regulation entered into force on 17 January 2025. It creates a stricter regulatory framework than NIS2 for financial entities, which will have to ensure that they can withstand, respond to and recover from any serious operational disruption linked to information and communication technologies.

The insurance industry is also subject to similar requirements. On 6 February 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published its Guidelines on Outsourcing to Cloud Service Providers, which provides guidance to insurance and reinsurance providers on how outsourcing should be carried out to cloud service providers in order to comply with their industry-specific regulations. The ACPR has also published notices relating to the modalities for the implementation of the EIOPA guidelines in France.

Cloud computing services usually involve storing and sharing data that may fall within the scope of regulations on the protection of personal data. Therefore, it is essential that any cloud project be compliant with data protection laws and regulations. As such, GDPR and the French Data Protection Act of 1978, as amended in June 2019, will be applicable to the processing of personal data within a cloud project.

Importantly, it is necessary to assess whether the cloud service provider will act as data controller or data processor regarding the personal data processed by the cloud service. In most cases, the cloud provider will be qualified as data processor and the client as data controller, but this may vary depending on the nature of the processing and the general cloud project. In addition, to ensure that any transfer of data outside of the EU is carried out with appropriate safeguards, a contractual framework must be put in place between the provider and the client, addressing the requirements provided for in Article 28 of GDPR regarding data processing.

The 2022 version of the SecNumCloud also provides guarantees on data protection against non-EU legislation. The design of the data protection regulations is compliant with the requirements of the Schrems II ECJ ruling. CNIL even recommends the use of this standard for all data controllers who want to guarantee a high level of data protection.

To rebalance competition between the various players and strengthen the control of personal data by the data subjects, the DMA prohibits gatekeepers from engaging in certain practices without obtaining the end users’ consent, including:

• combining personal data from the relevant core platform service with personal data from other services of the gatekeeper;
• cross-using personal data from the relevant core platform service in other services provided separately by the gatekeeper; and
• signing in end users to other services of the gatekeeper in order to combine personal data.

The DMA is also intended to regulate the access and use of the data provided or generated by core platform services, and to enhance the transparency obligations related to profiling practices.

To encourage internet users to be aware of the realities of risks on the sites they consult, the French Law of 3 March 2022 introduced a cyberscore. Effective since October 2023, the cyberscore will be displayed on websites in order to warn the internet user of the security of such site and the data hosted. To obtain this cyberscore, companies must carry out audits with providers qualified by ANSSI.

AI Act

The AI Act was adopted on 21 May 2024 and aims to regulate the use of AI, ensuring it is safe, ethical and trustworthy. The European Artificial Intelligence Office was established to support its implementation.

The AI Act uses a risk-based approach, classifying AI systems into four categories.

• Unacceptable risk systems: banned due to harm to safety, fundamental rights or human dignity.
• High-risk systems: strictly regulated, requiring high standards for data quality, transparency, accountability and human oversight.
• Limited risk systems: subject to strict transparency rules.
• Minimal or no risk systems: not subject to regulation.

Unacceptable risk AI systems have been prohibited in the EU market since 2 February 2025. Obligations related to general-purpose AI will apply as of 2 August 2025. The AI Act will be fully applicable as of 2 August 2026, and high-risk AI systems must be compliant by 2 August 2027.

Non-compliance can result in significant fines of up to EUR35 million or 7% of annual turnover.

Deepfakes

The SREN Law incorporates measures in the penal code to regulate deepfakes:

• Article 228-8 criminalises the use of deepfakes for disinformation, including private sharing, emphasising the need for “communication of content” for legal action; and
• Article 226-8-1 targets pornographic deepfakes, penalising their creation and distribution without consent, aiming to combat sexism and exploitation.

At the European level, the DSA requires online platforms to remove illegal content, including deepfakes, quickly after it has been reported. Platforms must put effective mechanisms in place to enable users and authorities to report such content in order to facilitate its removal.

Pursuant to Article 50 of the AI Act, deployers of an AI system that generates or manipulates image, audio or video content to create deepfakes must disclose that the content has been artificially generated or manipulated. This requirement does not apply when the use is legally authorised for the detection, prevention, investigation or prosecution of criminal offences. When the content is part of an evidently artistic, creative, satirical, fictional or similar work or programme, the transparency obligation is limited to appropriately disclosing the existence of such generated or manipulated content in a way that does not interfere with the display or enjoyment of the work.

Autonomous Vehicles

France has established an advanced regulatory framework to support the development of autonomous vehicles, emphasising safety, gradual adoption and public acceptance. According to Article R. 311-1 of the French Highway Code, autonomous vehicles are categorised into three levels of automation: partially, highly or fully automated. A French decree issued in July 2022 authorises the use of vehicles with driver delegation corresponding to Level 3, which means the car can operate autonomously under specific conditions.

The PACTE Law (2019) and the Mobility Orientation Law (2019) enable experimentation and regulatory adaptation for autonomous vehicles by providing a legal framework that supports technological innovation and the deployment of autonomous driving solutions. These laws facilitate the testing of self-driving vehicles on public roads under controlled conditions, ensuring safety while encouraging advancements in mobility technologies. They also allow for the gradual integration of autonomous vehicles into the transport system by adapting existing regulations to accommodate new mobility models.

Data Protection

Big data projects must consider users' rights granted by GDPR, especially regarding purpose restriction and prior information, as users may not have been informed of unforeseen processing purposes when the data was collected.

In April 2024, CNIL released practical guides to offer clear recommendations for developing AI systems and creating databases for AI training involving personal data. These guides focus solely on the development phase, not deployment, and are limited to data processing under GDPR. They are designed to assist professionals with both legal and technical backgrounds, including data protection officers, legal professionals and those with or without specific AI expertise.

The European Commission's draft code of practice aims to guide providers of general-purpose AI models in their compliance with EU legislation. European Data Protection Supervisor (EDPS) Opinion 2024/48 criticises the lack of detail on transparency, data protection and systemic risk management. The EDPS recommends rigorous monitoring to ensure the protection of fundamental rights in the face of technological developments.

In 2023, the Council of the European Union adopted the Data Act, laying down harmonised rules for fair access to and fair use of data. It specifies who can access and use data generated within the EU in all economic sectors. It aims to:

• ensure fairness in the distribution of the value generated by data between players in the digital environment;
• stimulate the development of a competitive data market;
• open up opportunities for data-driven innovation; and
• make data more accessible to all.

The new regulation will enter into force in September 2025. However, the requirements for simplified access to data for new products will only apply to connected products and related services placed on the market 32 months after the entry into force.

Responsibility/Liability

The EU has adopted the Product Liability Directive, which is to be implemented by the end of 2026. It deals with claims for harm caused by AI systems or the use of AI, adapting non-contractual civil liability rules to artificial intelligence. Under this directive, manufacturers or providers of defective AI systems that cause physical harm, property damage or data loss to individuals are liable without fault.

The directive complements the AI Act by creating a legal framework for civil liability related to AI systems, ensuring consumer trust and legal clarity for businesses. It aims to introduce a harmonised liability regime across the EU, and ensures claimants have effective avenues for compensation comparable to non-AI-related damage cases.

Intellectual Property

Many elements of AI systems may be protected by intellectual property rights (or assimilated), including content, algorithms under certain conditions, computer programs, models, robots, database, etc. It is necessary to consider the type of protection appropriate for each element (patent, copyright if original and specific form for content, computer programs, designs for robots, etc).

The protection of creations by AI is of particular interest. It is obvious that the intellectual property protection system is based on human creativity, which will render the works of AI difficult to protect. No related case law is evident in France but, in the DABUS case, the European Patent Office denied patent protection of an invention by AI on the grounds that no human was named as inventor.

There are workaround solutions, such as naming a physical person as inventor or author, but this does not fully solve the issue, and a legislative intervention seems necessary on this topic.

Liability

Under French law, there is no specific legal framework applicable to liability for connected objects or connected robots; general liability rules will apply. A distinction must be made between contractual and extra-contractual liability. In addition, several liability regimes may apply, in particular defective products or the custody of the object.

For instance, if the manufacturer/producer of the connected objects does not respect its pre-contractual information as referred to in Article 1112-1 of the French Civil Code and Article L 111-1 et seq of the French Consumer Code regarding the substantial characteristics of connected objects, they could be held accountable for that omission. However, these regimes do not fully meet the challenges related to connected objects and artificial intelligence in general. It seems necessary either to adapt the existing regimes or to create a specifically adapted regime.

In 2024, France updated its drone regulations to align with European directives, introducing new classifications and stricter requirements. These changes aim to enhance safety and confidentiality while expanding drone usage for leisure and professional purposes. The regulations cover flight zones, training certificates and drone flight scenarios, providing a comprehensive framework for drone operations.

Data Protection

GDPR and standard data protection provisions also extend to the internet of things (IoT). Identifying data controllers and processors in IoT projects is challenging due to the interoperability and constant data exchange of connected devices. Beyond GDPR and French law, CNIL recommends conducting Data Protection Impact Assessments for IoT projects, to clarify processing purposes and legitimate methods. CNIL also provides guidelines to help data subjects using IoT devices protect themselves from associated risks.

Consent

In IoT devices, it is not always possible to request consent directly. Therefore, in order to implement GDPR requirements for consent, IoT manufacturers must find other ways to collect it.

Cybersecurity

The Cyber Resilience Act establishes mandatory cybersecurity standards for digital products and services within the EU, aiming to protect consumers and businesses from cybersecurity risks. Its main provisions will become enforceable from 11 December 2027. It mitigates risks associated with the increasing prevalence of connected devices and digital services, and ensures a harmonised cybersecurity framework that supports innovation while safeguarding consumers.

The principal challenge is dealing with the multiplicity of European regulations in the same industries (particularly TMT), as mentioned in 4.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection. There are also sector-specific regulations that apply to industries such as healthcare, environment and energy.

Companies must implement internal regulations, such as policies and codes of conduct, to ensure compliance with various obligations. They should develop processes to inform employees of their obligations and conduct regular audits for compliance. External information notices must be provided to potential clients, detailing mandatory consumer regulations like terms and conditions.

In 2021, ANSSI published a guide to IoT security recommendations, facilitating security analysis based on probable attack scenarios and offering recommendations to mitigate identified risks.

Sharing the personal data of European residents with countries lacking an EU adequacy decision is generally not permitted, unless appropriate safeguards, as outlined in Article 46 of GDPR, are in place. These include binding corporate rules, standard contractual clauses, an approved code of conduct or an approved certification mechanism.

The Data Act promotes fair access to and fair use of data across the EU, complementing the DGA. While the DGA establishes frameworks for voluntary data sharing, the Data Act mandates entities to make data accessible to other parties.

The DGA allows companies to reuse data held by public sector bodies, including “protected data”, provided it is anonymised or does not infringe business secrecy or copyright. The Data Act introduces a new obligation to share data obtained through IoT devices with the user and third parties at the user's request, starting 12 September 2025. This means data previously exclusive to the IoT provider or manufacturer must be shared upon request.

The Data Act establishes rules for users, data holders and third parties regarding data-sharing requirements, applicable to those processing personal data. Its territorial scope is similar to GDPR, applying regardless of the location of manufacturers, providers and data holders. Non-EU-based manufacturers and providers must comply if their connected products or services are marketed within the EU, and data holders must follow the regulations if they make data available to EU recipients.

These regulations have a broad scope, potentially affecting any company that processes data. However, not all IoT data falls under the sharing obligation. Manufacturers or service providers can refuse to share specific data identified as trade secrets, but only in exceptional circumstances with a high likelihood of serious economic harm from disclosure. Such refusals must be based on objective criteria, substantiated in writing, and notified to the national competent authority.

The French regulation does not impose higher standards than the EU approach.

Audiovisual services traditionally cover TV, radio and on-demand audiovisual media services (AVMS). AVMS commonly include services such as video on demand (VOD), catch-up television and audio podcasts.

Audiovisual services are subject to Law 86-1067 of 30 September 1986 on the freedom of communication, and are regulated by an independent administrative authority, the Regulatory Authority for Audiovisual and Digital Communication (Autorité de régulation de la communication audiovisuelle et numérique – ARCOM, formerly CSA).

The requirements and associated procedures for providing an audiovisual service depend on the nature of the service. The requirements for providing these services vary based on the service type but include general obligations such as respecting individual dignity and privacy rights, and protecting minors. In addition, programmes must promote the French language, uphold public order and avoid inciting hatred or violence.

TV and Radio Providers

ARCOM must grant authorisation to TV and radio providers using the network of assigned frequencies before they can provide their services. Private providers have to participate in a call for applications and be selected by ARCOM in order to be provided with an assigned frequency.

The provider must sign an agreement with ARCOM, outlining specific service rules based on coverage, advertising market share and competition compliance. ARCOM's authorisation can last up to ten years for TV services and five years for radio services, with the possibility of renewal up to two times without a new application process.

For other services provided without using the assigned frequencies, the applicable procedure will depend on the service. As a principle, such services may be broadcasted only after entering into an agreement with ARCOM, defining their specific obligations and the contractual penalties available to the regulator for non-compliance. However, services with a budget under EUR75,000 for radio and EUR150,000 for TV are only required to make a prior declaration rather than entering into an agreement.

Finally, distributors of audiovisual services not using assigned frequencies must make a prior declaration before distribution. This declaration should include:

• the distributor's corporate form, name and head office address;
• a list of services;
• the service offer structure; and
• a letter of intent to conclude a distribution agreement for paid television services.

AVMS Providers

AVMS must be declared to ARCOM prior to the provision of such services. The purpose of such declaration is to facilitate the identification of AVMS, better ensure their regulation and be able to verify their obligations. This declaration must notably include the description of the service and the designation of a responsible person, and can be completed online.

Companies With Online Video Channels With User-Generated Content

The revised Audiovisual Media Services Directive (AMSD) extends certain audiovisual rules to video-sharing services, such as YouTube. It has been transposed in France by an ordinance dated 21 December 2020.

To be considered as a video-sharing service, the service must meet the following conditions:

• it is provided by means of an electronic communication network;
• it provides user-created programmes or videos to inform, entertain or educate as its main purpose;
• it has no editorial responsibility for the content; and
• it is related to an economic activity.

Video-sharing services have specific obligations. Besides ensuring compliance with general content rules, ARCOM has additional powers, such as resolving disputes between users and providers and ensuring providers meet transparency obligations. ARCOM's powers are limited to video-sharing platforms established in France, due to the country of origin principle. However, platforms from other EU states may still need to contribute to French cinematographic and audiovisual content production, despite being regulated by their home country. The classification of online video channels with user-generated content as AVMS must be assessed individually.

In this respect, the ECJ qualified as an AVMS the catalogue of videos proposed by an online press website with a content independent from that of the written press articles, since these videos, produced by a local television publisher, were comparable to those of other services of the same nature (ECJ, 21 October 2015, C-347/14). On the contrary, the ECJ found that a commercial video on a YouTube channel could not be considered an AVMS as it did not inform, entertain or educate viewers (ECJ, 21 February 2018, C-132/17).

On 30 January 2024, in case C-255/21, the ECJ clarified that the term “messages broadcast by the television broadcaster regarding its own programmes” does not cover promotional messages for a radio station belonging to the same group as the television broadcaster, unless the programmes being promoted are distinct “audiovisual media services” and the television broadcaster assumes “editorial responsibility” for them.

In France, ARCOM has classified certain online video offerings as AVMS, including:

• radio station websites with video catalogues (CSA, 29 May 2013);
• company-operated YouTube channels (CSA, 9 November 2016); and
• YouTube channels of TV stations (CSA, 3 July 2019).

It follows from such decisions that programmes offered on video-sharing services (eg, “channels”) may be considered AVMS if the on-demand channel includes content organised by the editor of that service, allowing the user to choose from a catalogue of content.

European Media Freedom Act

The European Media Freedom Act (EMFA) entered in force on 7 May 2024 to protect media pluralism and independence in the EU. It complements the AMSD, the DSA and the DMA. The EMFA is part of the EU’s project to promote participation in democracy, to address fake news and disinformation and to support media freedom and pluralism. It shall ensure an easy cross-border operation of media in the EU internal market. Thus, the focus of this legislation lies on the independence (also in regard to stable funding) and transparency of media ownership.

The EMFA also regulates the protection of the independence of editors and the disclosure of conflicts. Furthermore, it creates a new independent European Board for Media Services, which will begin operating in February 2025 and will, among other functions, promote the effective and consistent application of the EU media law framework. Further measures the legislation intends to implement include safeguards against espionage software, transparent state advertising and the new user right to customise their media offering. These new rules will better protect editorial independence, media pluralism and journalistic sources, ensure transparency and fairness, and bring better co-operation of media authorities through the new European Board for Media Services.

Local telecommunication rules traditionally apply to electronic communication networks (ECNs) and electronic communication services (ECSs) (Article L 32 of the French Postal and Electronic Communications Code).

At an EU level, however, Directive (EU) 2018/1972 establishing the European Electronic Communications Code (EECC Directive) has modified and updated the applicable framework. In France, the EECC Directive was transposed by Ordinance No 2021-650 of 26 May 2021.

The EECC Directive expands the definition of ECSs by including so-called “interpersonal communications services”, defined as services normally provided for remuneration that enable the direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipients. Accordingly, and subject to the transposition ordinance of the EECC Directive, voice-over internet protocol (VoIP) and instant messaging fall under the new scope of the telecommunications rules. This was confirmed by Recital 15 of the EECC Directive, and is in line with the ECJ’s previous ruling, which considered that SkypeOut offering a VoIP service constitutes an ECS (ECJ, 5 June 2019, C-142/18).

The qualification of radio-frequency identification (RFID) as ECS remains unclear, as it is not specifically covered by the new scope of the telecommunications rules. However, ARCOM and the Autorité de Régulation des Communications Électroniques, des Postes et de la Distribution de la Presse (ARCEP) consider RFID technology as radio-electric installations, which can be used on certain frequencies only and with defined technical settings.

Applicable Requirements

The declaratory regime for ECSs was abolished in 2021. The provision and establishment of ECNs are now unrestricted, but they must comply with the obligation to notify security incidents to ARCEP, net neutrality, interoperability of services, etc.

In France, every operator must pay an administrative tax under the conditions provided by the finance law. They must also pay an additional fee if they use a specific frequency or provide a specific numbering.

Providers of instant messaging are subject to stricter data protection law requirements regarding messages under Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive). The ePrivacy Directive notably obliges member states to ensure the confidentiality of communications and the related traffic data by means of an ECN or ECS through national legislation. For example, traffic data relating to subscribers and users processed and stored by the provider of a public communications network or publicly available electronic communications service must be erased or made anonymous when no longer needed, pursuant to Article 6 of the ePrivacy Directive.

In France, net neutrality is governed by both EU regulations and national laws. The EU's Net Neutrality Regulation 2015 prohibits internet service providers (ISPs) from blocking, throttling or prioritising content, except in specific cases like network security or legal compliance. France has integrated these regulations into its national framework, with ARCEP overseeing enforcement.

Net neutrality impacts TMT operators by requiring them to treat all internet traffic equally, preventing them from offering premium “fast lane” services for additional fees. This ensures fair competition, as ISPs cannot prioritise services like Netflix over smaller video platforms, but it also removes a potential revenue source for ISPs.

Emerging technologies like 5G, IoT and AI are reshaping the legal landscape of TMT in France, requiring stringent regulatory compliance. ARCEP oversees 5G deployment, while GDPR mandates strong data privacy and security measures. Intellectual property protection and clear liability contracts are crucial due to the complexities introduced by AI and IoT. Cybersecurity laws protect critical infrastructure, and competition laws ensure fair business practices. Consumer protection laws demand transparency and honesty, and environmental regulations like REACH aim to reduce the technological impact on the environment. Companies must stay updated on legal changes, ensuring compliance across these areas while considering ethical implications.

Parties’ Level of Expertise

Issues in IT service agreements often stem from late or incorrect fulfilment of contractual obligations, making the allocation of responsibilities crucial. Customers are often unfamiliar with the technology, and rely on the service provider's obligation to advise and inform during both negotiation (Article 1112-1 of the Civil Code) and performance (Article 1104 of the Civil Code). This includes informing about the customer's needs and warning against unlawful or risky expectations, even refusing the contract if necessary. Customers must also collaborate with the provider.

Since 2016, French law protects against unfair clauses in pre-formulated standard agreements, including B2B contracts. If these terms create a significant imbalance, they may be deemed unfair and unenforceable, potentially invalidating the entire agreement if the clause is essential.

Liability of the Service Provider and Service Level

Providers may try to exclude or limit their liability by excluding indirect damages; such exclusion is authorised under French law, although providers will try to have a broad definition of “indirect damages” to include loss of data, loss of clients, breach of data privacy, etc. Unless these liability clauses deny the essential obligation of the provider, in which case they are prohibited, liability clauses (including the amount of the liability cap, if any) are often one of the key topics of the parties’ service agreement negotiations.

However, because the parties may not have the same bargaining power, especially when customers are consumers or businesses with no IT expertise or when the product is complex or customised, those clauses may be more easily challenged and unenforceable. To better identify providers’ contractual breach, customers would be advised to detail their needs as much as possible and to set out clear specifications in terms of performance (eg, through a service level agreement) or in terms of timeframe (eg, including provision for liquidated damages).

To assess whether the service provider has complied with its obligations under IT service agreements, in particular its obligation to reach a specific result, the parties usually agree on service levels and a quality assurance plan. This implies the definition of key performance indicators and the payment of penalties in the event those indicators are not met. In June 2022, the French Supreme Court (1-6-2022 No 20-19.476) reiterated the importance of contractually stipulating the service provider's obligations in IT contracts. On this occasion, it ruled that a software deployment contract must be terminated to the detriment of the service provider if, being bound by an obligation of result, the latter was unable to resolve the blocking and recurring anomalies complained of by the customer.

Specific IT Service Agreements

In software licence agreements, a key issue is whether the licensee can repair or correct bugs themselves or through a third party, or if only the licensor can perform maintenance. French law typically allows licensors to retain the right to correct bugs, posing challenges for licensees without a maintenance agreement. When a licensee has both a licence and a maintenance agreement with the same provider, it is important to clarify whether the termination of one affects the other. Transitioning to new service providers requires a reversibility clause for a smooth transition. The Court of Justice of the European Union recently ruled that decompilation for bug fixing is lawful under certain conditions: necessity, lack of specific contractual provisions, and sole purpose of error correction (ECJ, 6 October 2021, C-13/20). Contracts should clearly regulate decompilation and maintenance terms.

A telecommunications service agreement should clearly define the parties, scope of services, pricing and payment terms. It should include SLAs with guaranteed performance and remedies for non-compliance, and should specify duration, renewal and termination conditions. Key provisions must address data privacy, security, liability limits, dispute resolution and force majeure. Equipment ownership and maintenance responsibilities, confidentiality clauses, legal compliance and signatures for legal enforceability are essential.

Companies should use competitive bidding to negotiate flexible pricing and ensure clear termination terms to minimise penalties. Favourable equipment terms should be sought, such as outright ownership or low-cost leasing. Engaging legal and technical experts ensures the agreement meets operational and regulatory requirements, and understanding their bargaining position aids successful negotiation.

Electronic Signatures

Electronic signatures are governed by the EU regulation on electronic identification and trust services for electronic transactions of 2014 (eIDAS) and the French Civil Code.

Three categories of electronic signatures exist pursuant to eIDAS:

• advanced electronic signatures are those that meet the requirements set out in Article 26 of eIDAS;
• qualified electronic signatures are advanced electronic signatures that are created by a qualified electronic signature creation device and based on a qualified certificate for electronic signatures; and
• simple electronic signatures are those that are neither qualified nor advanced.

Article 25(1) of eIDAS specifies that electronic signatures shall not be denied legal effect and admissibility as evidence in legal proceedings solely due to their electronic form or because they do not meet the requirements for qualified electronic signatures. Article 25(2) of eIDAS indicates that a qualified electronic signature shall have the equivalent legal effect of a handwritten signature.

Article 1367 of the French Civil Code indicates that an electronic signature must use a reliable identification process, guaranteeing its link with the document to which it is attached. Article 1 of Decree No 2017-1416 of 28 September 2017 further specifies that qualified electronic signatures under eIDAS are presumed to be reliable.

Further guidance on electronic signatures is available on the ANSSI website.

Electronic Identification

Article L 102 of the French Postal and Electronic Communications Code establishes the framework for electronic identification of online services in France and the presumption of reliability of electronic means of identification, and the procedures for their certification.

The security requirements applicable to these electronic means of identification are based on the provisions of eIDAS and the associated Implementing Regulation No 2015/1502. Decree No 2022-1004 of 15 July 2022 sets out the conditions for the certification by ANSSI of electronic identification means, as well as the specifications for establishing the presumption of reliability of these means. Further guidance on electronic identification is available on the ANSSI website.

France's regulatory framework for the gaming industry emphasises consumer protection, copyright and age verification. A significant 2022 ruling from the Paris Court of Appeal requires game platforms targeting French consumers to comply with French regulations, emphasising fair and transparent terms. On 23 October 2024, the French Supreme Court ruled that digital games are complex works rather than simple computer programs, opposing digital game resale.

French regulations authorise horse betting, sports betting and online poker, but casino games and lotteries remain monopolised by La Française des Jeux (La FDJ). Influencer marketing in gaming is restricted to platforms that can exclude minors, under Law No 2023-451. The industry faces challenges in age verification, IP protection and compliance with consumer protection laws and GDPR.

The Autorité nationale des jeux (ANJ) was created in 2020 as an independent administrative authority responsible for approving online gaming and betting operators. It has enhanced powers, the authority to sanction non-compliant operators, and a mandate to combat excessive gambling in casinos. In November 2024, the ANJ issued one warning and eight financial penalties, ranging from EUR5,000 to EUR150,000, against nine online gaming operators.

ARCOM oversees digital and audiovisual content, including video game advertising, and can issue warnings or sanctions for non-compliance with digital content laws.

DGCCRF ensures fair commercial practices, focusing on consumer protection, and regulates practices around loot boxes, microtransactions and advertising transparency.

At the European level, the EU Commission ensures responsible operation of the video game industry through the DSA, GDPR and the Unfair Commercial Practices Directive, while fostering innovation and cultural impact. The PEGI system provides age ratings and content warnings for consumers and parents.

The French Competition Authority also plays a significant role, having fined Sony group companies EUR13.5 million in 2023 for abuses of dominant position in the market for PlayStation 4 video game controllers.

Game developers in France face several IP challenges, including ensuring originality for copyright protection, securing trade marks amidst conflicts, and managing third-party content licences. Patents for game technology are hard to secure, and enforcing IP rights against online piracy is challenging. Clear contracts are crucial to avoid IP ownership disputes with employees or contractors.

For digital and virtual assets, key considerations include ensuring originality, defining ownership and managing licensing terms to prevent unauthorised use. Creators must guard against unauthorised copying and potential infringement on shareable platforms.

Trade mark laws protect brand names, logos and distinctive marks in virtual goods and services, preventing consumer confusion and safeguarding brand identity. User-generated content complicates IP rights, as users retain copyright, but platforms may claim usage rights through terms of service, leading to ownership and commercial use disputes.

The Law of 7 July 2023 introduces new obligations for social media platforms to protect minors online, such as requiring parental consent for minors. It aims to safeguard young users from online harm.

The placement of cookies and subsequent processing of data is governed by the ePrivacy Directive, which mandates explicit and informed consent for non-essential cookies, and GDPR. Users must have the option to accept or refuse non-essential cookies on equal terms. In December 2023, CNIL fined Yahoo EMEA Limited EUR10 million for failing to respect the choice of internet users to refuse cookies on its “Yahoo.com” website and for not allowing users of its “Yahoo! Mail” messaging service to freely withdraw their consent to cookies.

Platforms must navigate whether/when to expeditiously remove illegal content under LCEN, the DSA and the SREN Law, as mentioned in 1.1 Key Challenges, while balancing free speech and avoiding over-moderation. Intellectual property compliance involves managing copyright issues on user-generated content without implementing overly restrictive measures. Frequent data breaches necessitate GDPR-compliant responses, and transparency obligations under the DSA and GDPR pose legal and competitive challenges.

Since 1 January 2025, the French tax authorities have extended the scope of their efforts to combat fraud. Thanks to a new decree, tax officials, like customs officers, can collect and analyse public data published on social networks such as Facebook, Instagram and LinkedIn.

There is no one specific regulatory body for social media. CNIL is the authority responsible for ensuring the protection of personal data and privacy rights, while ARCOM regulates content moderation, hate speech and online safety, DGCCRF monitors consumer protection, and the European Commission is in charge of enforcing various European regulations.

CNIL can impose fines of up to 4% of global turnover for GDPR violations and mandate corrective measures. ARCOM can issue warnings, fines or sanctions for failing to remove illegal content within required deadlines. DGCCRF can conduct investigations, impose fines and enforce fair practices. The European Commission imposes penalties of up to 6% of global turnover under the DSA and up to 10% of global turnover under the DMA in cases of infringement.

On 27 June 2024, ARCOM, CNIL and DGCCRF signed a tripartite agreement to co-ordinate the implementation of the DSA. The agreement formalises co-operation commitments, notably in terms of sharing information on investigations and handling user complaints. It also provides a framework for the designation of trusted signallers, whose selection is overseen by ARCOM with the advice of CNIL and DGCCRF.

On 31 December 2021, CNIL imposed a fine of EUR150 million on Google LLC and Google Ireland Limited for inadequate cookie policies. The committee also ordered the companies to ensure that users of google.fr and youtube.com in France could refuse cookies as easily as they could accept them, giving them three months to comply.

In 2022, ARCOM alleged that Twitter was not complying with its obligations to combat hate speech and illegal content online, identifying significant shortcomings in the moderation and removal of such content. Consequently, ARCOM issued a formal notice to Twitter.

The French tax authorities have initiated several tax adjustments against social networks.