How France Is Regulating Artificial Intelligence

France's approach to AI in 2026 is not best understood as "France is regulating AI." France is implementing the EU AI Act through national bodies, layering specific national guidance on top, and competing aggressively in AI development through France 2030 investment and "national champions" including Mistral AI and Hugging Face. The result is a layered system where binding obligations come almost entirely from EU law, while CNIL's national-level guidance and the Macron government's strategic direction shape how those obligations are applied in practice.

For businesses operating in France, the practical compliance picture has three components: the directly applicable EU AI Act (with phased dates already running and 2 August 2026 high-risk obligations imminent), the GDPR as enforced by the CNIL with specific AI-applied recommendations, and sector-specific and contextual rules covering areas like the Olympics-era augmented video surveillance experiment, public-sector AI deployment, and content provenance.

The EU AI Act and France's role

The EU AI Act entered into force on 1 August 2024, with phased application:

  • 2 February 2025: Article 5 prohibitions and AI literacy obligations applied (in force across France).
  • 2 August 2025: governance provisions and general-purpose AI model obligations applied.
  • 2 August 2026: Article 50 transparency obligations and high-risk system requirements scheduled to apply. The European Commission's Digital Omnibus on Simplification proposes to adjust the timeline for high-risk rules to up to 16 months after standards are issued, which could delay these obligations.
  • 2 August 2027: rules for AI systems embedded in regulated products take effect.

France did not need to enact separate AI legislation to give the AI Act effect; as a Regulation, it applies directly. However, France must designate national competent authorities for AI Act enforcement. The CNIL has been designated for monitoring compliance with several Article 5 prohibitions, including predictive policing, untargeted scraping for facial recognition databases, emotion recognition in workplace and education, biometric categorization, and real-time remote biometric identification. Other prohibitions are monitored by the Audiovisual and Digital Communication Regulatory Authority and the Directorate General for Competition, Consumer Affairs and Fraud Control, depending on the regulatory area.

Penalties under Article 99 of the AI Act reach up to €35 million or 7% of worldwide annual turnover for prohibited AI practices, €15 million or 3% for high-risk system non-compliance, and €7.5 million or 1% for incorrect information.

CNIL: France's AI regulator in everything but name

The Commission Nationale de l'Informatique et des Libertés (CNIL) has built the most extensive AI-specific guidance of any EU data protection authority. While it is not formally an "AI regulator," its combination of GDPR enforcement, Article 5 monitoring under the AI Act, and detailed published guidance gives it effective regulatory authority over most AI deployments processing personal data in France.

The CNIL AI Action Plan (May 2023)

CNIL published its AI Action Plan in May 2023, structured around four pillars: understanding AI systems and their impact, enabling privacy-friendly AI development, federating and supporting innovators, and auditing and supervising AI deployments. The Action Plan continues to frame CNIL's AI work and has been operationalised through the recommendations summarised below.

Sequenced AI recommendations (2023-2025)

  • October 2023: First AI guides addressing fundamental concepts.
  • 18 January 2024: First formal recommendations (Délibération 2024-011) on GDPR and AI development.
  • 7 February 2025 (timed with the AI Action Summit): two specific recommendations on "AI: Informing Data Subjects" and "AI: Complying and Facilitating Individuals' Rights". These clarify how purpose limitation applies to general-purpose AI, when consent vs. legitimate interests can serve as lawful bases, and how rectification and erasure rights apply to trained models.
  • 22 July 2025: three new fiches pratiques covering data annotation, AI system security, and the GDPR status of trained AI models. The third fiche operationalises the December 2024 European Data Protection Board (EDPB) Opinion 28/2024, which clarified that AI models trained on personal data are typically subject to GDPR due to memorisation capabilities.
  • Second half of 2025 onward: CNIL has signalled further recommendations clarifying the responsibilities of model designers, reusers, and integrators across the AI value chain.

The PANAME project

CNIL launched PANAME (Privacy Auditing of AI Models) in 2025 in partnership with the French Cybersecurity Agency (ANSSI), the iPoP research programme (Interdisciplinary Project on Privacy), and the French centre of expertise for digital platform regulation (PEReN). The project aims to develop a software library to assess whether an AI model processes personal data, providing concrete operational tooling that maps CNIL's guidance to engineering reality. Combined with research on AI model explainability launched in summer 2024, PANAME represents CNIL's move from interpretive guidance to enforceable technical standards.

CNIL 2025-2028 strategic plan

CNIL's 2025-2028 strategic plan emphasises sector-specific guidance for high-priority areas:

  • Education: published FAQs for educators, school principals, ministries, and academic authorities
  • Healthcare: ongoing co-regulatory work with the French national Authority for Health (HAS)
  • Public sector: guidance on AI in administrative decision-making
  • Law enforcement and security: oversight of biometric and video surveillance applications

The Olympic Games augmented video surveillance experiment

A distinctive French regulatory experiment was the Law on the Olympic and Paralympic Games of 2024, which authorised time-limited "augmented" (algorithmic) video surveillance at and around Olympic venues. The experimentation is set to run until March 2027 and has been the subject of CNIL oversight and civil society scrutiny, including evaluations of bias, accuracy, and proportionality. The framework was explicitly experimental, with reporting obligations and a sunset clause, and it informs French and EU debate on biometric surveillance more broadly.

France 2030 and investment framework

France 2030, announced by President Macron in October 2021, is the umbrella €54 billion investment plan for industrial transformation. The AI component, with cumulative public commitments now in excess of €2.5 billion, has funded:

  • National computing infrastructure including the Jean Zay supercomputer at IDRIS and the Alice Recoque exascale system at GENCI/CEA, providing public research compute capacity for AI workloads
  • AI talent programmes including AI graduate schools and the AI Action Plan (PNRIA)
  • Sectoral applications in health, environment, defence, and public services
  • Startup support through Bpifrance and the French Tech Next40/120 programmes, supporting an ecosystem of approximately 600 specialised AI startups

Two French AI national champions are particularly significant for the regulatory conversation:

  • Mistral AI, founded in 2023, is one of the only European frontier model developers and a primary stakeholder in EU AI Act general-purpose AI obligations. Mistral has raised more than €1 billion across funding rounds and provides the closest European counterweight to US and Chinese frontier labs.
  • Hugging Face, founded in France in 2016 (now headquartered in New York but with substantial French operations), runs the world's largest open-source AI model and dataset repository.

The AI Action Summit (10-11 February 2025)

France hosted the AI Action Summit at the Grand Palais in Paris on 10-11 February 2025, co-chaired by President Macron and Indian Prime Minister Modi. The summit followed the 2023 Bletchley Park AI Safety Summit and the 2024 Seoul Summit. Over 1,000 participants from more than 100 countries attended.

Key outputs:

  • Statement on Inclusive and Sustainable Artificial Intelligence for People and the Planet, signed by approximately 60 countries (notably not signed by the US or the UK), committing to scientific foundations, open AI models, and sustainability principles.
  • Current AI, a foundation announced 11 February 2025 with an initial $400 million endowment from France and partners (Finland, Germany, Chile, India, Kenya, Morocco, Nigeria, Slovenia, Switzerland), backing public-good datasets, open-source tools, and infrastructure.
  • Coalition for Sustainable AI, led by France, UNEP, and the ITU, with support from 11 countries, 5 international organisations, and 37 tech companies, addressing the energy and environmental impact of AI.
  • First International AI Safety Report, published 29 January 2025 (commissioned at Bletchley Park), discussed at the summit's "Trust in AI" pillar.

The summit was deliberately recast from "AI Safety" (the Bletchley framing) to "AI Action," emphasising innovation and economic opportunity alongside risk mitigation. US Vice President JD Vance's speech criticising "excessive AI regulation" and the absence of US and UK signatures from the closing statement signalled a transatlantic divergence on AI governance philosophy. The follow-on summit, the AI Impact Summit, was hosted by India in February 2026.

Article 5 prohibitions enforcement in France

EU AI Act Article 5 prohibitions have been in force since 2 February 2025 across all member states including France. CNIL has been designated to monitor compliance with several of these prohibitions:

  • Article 5(1)(d): predictive policing based solely on profiling
  • Article 5(1)(e): untargeted scraping of facial images for facial recognition databases (the Clearview AI provision)
  • Article 5(1)(f): emotion recognition in workplace and education contexts
  • Article 5(1)(g): biometric categorization for sensitive characteristics
  • Article 5(1)(h): real-time remote biometric identification in public spaces for law enforcement, with narrow exceptions

In practice, this dual role means CNIL is enforcing both GDPR (via Article 9 special category data and Article 22 automated decision-making rules) and AI Act prohibitions (via Article 5) for biometric and identification AI deployments. The frameworks are complementary: the GDPR addresses processing of personal data, while the AI Act addresses the AI system's design and deployment.

Other relevant French national instruments

  • Loi Informatique et Libertés (1978, amended 2018 and subsequently): France's foundational data protection law, now operating as the national companion to GDPR.
  • Loi SREN (Securing and Regulating Digital Space, May 2024): addresses online harms, deepfakes, and certain platform obligations alongside the EU's Digital Services Act.
  • Cyber Resilience Act, Data Act, Data Governance Act, and NIS2 Directive as transposed into French law each affect AI deployments through adjacent obligations on cybersecurity, data sharing, and critical infrastructure.
  • Cybermalveillance.gouv.fr and ANSSI guidance on AI cybersecurity, including ANSSI's 2024-2025 publications on AI system security.

A practitioner's compliance plan

Step 1: AI Act applicability and classification

For each AI system, identify whether it constitutes prohibited AI under Article 5 (compliance obligation already in force), high-risk AI under Annex III (full obligations from 2 August 2026 subject to potential delay), limited-risk AI under Article 50 (transparency obligations from 2 August 2026), or general-purpose AI subject to specific provider obligations from 2 August 2025. Document the classification.

Step 2: GDPR compliance with CNIL recommendations

For AI processing personal data, apply the CNIL recommendations sequence: lawful basis analysis (purpose limitation flexible for GPT-style systems), data subject information per the February 2025 recommendation, individual rights handling per the February 2025 recommendation, security obligations per the July 2025 fiche pratique, and data annotation practices per the July 2025 fiche pratique. Document whether trained models retain memorised personal data per the third July 2025 fiche pratique and EDPB Opinion 28/2024.

Step 3: Sectoral compliance

For healthcare AI, apply HAS guidance and ANSM rules for medical devices. For education AI, apply the CNIL FAQs for educators and the broader Code de l'éducation framework. For law enforcement and biometric surveillance, apply Article 5 prohibitions and the Olympic experimentation framework where relevant.

Step 4: Engage with CNIL's enhanced support programmes

CNIL operates an "enhanced support" programme for innovative companies in AI, including a specific support stream for augmented video surveillance providers in the Olympic experimentation context. For startups and scale-ups, this is a viable route to derisk compliance early.

Step 5: International alignment

Anchor the compliance programme on ISO/IEC 42001 and the NIST AI Risk Management Framework. Both are referenced in CNIL guidance and form the international interoperability layer that satisfies EU AI Act expectations alongside US, Japanese, Korean, and Singaporean frameworks.

Compliance FAQ

Does France have its own AI law beyond the EU AI Act?

No. France relies on directly applicable EU instruments (AI Act, GDPR, DSA) plus its own data protection statute (Loi Informatique et Libertés) and adjacent laws (SREN, NIS2 transposition). National-level "regulation" of AI in France comes through CNIL's AI-applied GDPR recommendations and through national designations of competent authorities for EU AI Act enforcement.

Who enforces the EU AI Act in France?

CNIL has been designated as the competent authority for several Article 5 prohibitions including those involving biometric data, predictive policing, and emotion recognition. Other prohibitions and the high-risk regime involve additional designated authorities (ARCOM for audiovisual matters, DGCCRF for consumer protection). The institutional architecture continues to develop as the high-risk regime approaches its August 2026 application date.

What did the AI Action Summit accomplish?

The summit produced the multilateral declaration signed by around 60 countries, the Current AI foundation with $400M endowment, and the Coalition for Sustainable AI. It also marked a deliberate shift in framing from "AI Safety" toward "AI Action," and exposed transatlantic divergence on AI governance with the US and UK declining to sign the closing statement. For French AI policy specifically, the summit consolidated the country's position as the leading EU venue for international AI diplomacy.

How does CNIL guidance interact with the EU AI Act?

CNIL guidance addresses GDPR compliance in AI-specific contexts, while the EU AI Act addresses AI system design and deployment obligations. The two are complementary and run in parallel. CNIL's February 2025 and July 2025 recommendations explicitly account for the AI Act adopted in August 2024, and CNIL's role as a designated competent authority for several Article 5 prohibitions creates direct overlap. A French AI deployment must address both regimes simultaneously.

What is the practical impact of EDPB Opinion 28/2024?

The European Data Protection Board's Opinion 28/2024 (December 2024) clarified that AI models trained on personal data are typically subject to GDPR due to model memorisation. This means controllers must conduct documented analyses of whether trained models contain personal data extractable through reasonable means. CNIL's third July 2025 fiche pratique operationalises this for French deployments, including practical re-identification attack testing methodology.

What about Mistral AI's regulatory exposure?

As an EU-headquartered general-purpose AI model provider, Mistral is directly within scope of the EU AI Act's GPAI obligations applicable from 2 August 2025, including transparency, copyright compliance, and (for systemic-risk-tier models) safety evaluation and incident reporting. Mistral's specific position as a French national champion has not produced any regulatory exemption; the AI Act applies uniformly across the EU.

The bottom line

France's AI policy in 2026 is layered and active. The EU AI Act provides the binding regulatory floor with phased application running through 2027. CNIL has built the most detailed AI-applied GDPR guidance of any EU data protection authority, including operational tooling through PANAME and sector-specific guidance for education and healthcare. France 2030 anchors the investment side, and the Paris AI Action Summit positioned France as the leading EU venue for AI diplomacy. National champions including Mistral AI and Hugging Face shape what the regulatory frameworks must accommodate. Businesses operating in France should treat the framework as cumulative: EU AI Act plus CNIL-applied GDPR plus sectoral rules, with Article 5 prohibitions already in force and high-risk obligations approaching. France's "human-centric AI" framing remains characterising rhetoric, but the operational reality is increasingly EU-driven binding obligations applied through national authorities with specific national tooling. Build compliance accordingly, watch CNIL announcements, and plan for the August 2026 milestone.

Last updated: April 2026. This article is educational content and is not legal advice. France's AI regulatory framework is closely tied to evolving EU instruments and CNIL guidance. Consult qualified counsel before making compliance decisions.