AI laws and regulation in France

High.

France is subject to The Regulation (EU) 2024/1689 -  Artificial Intelligence Act (“EU AI ACT”). 

Relevant laws that govern AI-related activities are:

• Data protection:
  • Loi Informatique et Libertés (French Data Protection Act): governs personal data processing and provides rules on transparency, data minimisation, and automated decision-making. It grants individuals rights when decisions are made on the basis of algorithmic processing and empowers the CNIL to supervise and sanction AI-related data practices.
• Product safety and liability:
  • Consumer Code: includes safety obligations and legal conformity guarantees for digital content and services, including AI ‑enabled products.
  • Civil Code: includes strict liability for defective products (including softwaree mbedded AI) and general tort/contract liability for harm or nonconformity.
• Cybersecurity and digital services:
  • Loi pour la Confiance dans l’Économie Numérique (Act for Trust in the Digital Economy): sets rules for digital service providers, including hosting liability and obligations to act against unlawful online content potentially generated or disseminated by AI systems.
  • Criminal Code: contains provisions on attacks against automated data processing systems, applicable to AI security incidents and misuse.
• Copyright and intellectual property in relation to AI systems:
  • Intellectual Property Code:   Copyright and database rights applicable to training data and outputs; text and data mining exceptions and opt‑out mechanisms; infringement and moral rights constraints for AI uses.

Among the French regulatory sectors that govern AI-related activities, the following should be considered:

• Critical infrastructure and transport: AI used in automated or autonomous vehicles is regulated by an ordinance of 2021 on automated driving and by provisions of the Highway code. Also, AI deployed in sensitive or safety-critical infrastructures is subject to general safety, liability, and cybersecurity obligations under French law.
• Medical and health technologies: AI integrated into medical devices is regulated by the Code of Public Health, which imposes safety, performance, and clinical evaluation requirements.
• Education and public-sector decision-making: the Code governing relations between the public and the administration includes transparency duties when public decisions are supported by algorithms, including disclosure of main parameters and logic, subject to protected secrets. Also, AI used for admissions, evaluation, or allocation decisions in education must comply with transparency, fairness, and safety obligations under general French administrative and data-protection law.
• Online services, platforms, and content: the Law aimed at securing and regulating the digital space (“SREN”) designates the national authorities responsible for enforcing the DSA/DMA – such as ARCOM (authority for audiovisual and digital communications), DGCCRF (Directorate-General for Competition, Consumer Affairs, and Fraud Control), and CNIL (the French data protection authority), depending on the area – and specifies their powers, possible penalties, and inspection procedures.

France does not have a single, standalone AI regulator. Oversight is shared across existing authorities, with the CNIL acting as the de facto lead for most AI issues that involve personal data. Other regulators have been designated by the French government to implement the AI Act, depending on sector and risk (sector-based approach), as described below. The DGCCRF is responsible for coordinating these market surveillance authorities and, as such, will act as the single point of contact in accordance with Article 70.2 of the EU AI Act.

• ARCOM (media and online content) for platform algorithms, recommendations, deepfakes/misinformation aspects.
• ANSSI (cybersecurity) for security of information systems and, increasingly, security expectations for AI systems integrated into critical infrastructure or products.
• DGCCRF (consumer protection) for unfair commercial practices and misleading AI-related claims.
• Competition Authority (Autorité de la concurrence) (competition) for AI-related market power, data access, and interoperability issues.
• Financial regulators for AI in banking, insurance, and markets (model risk, suitability, conduct).
• Health regulators for AI in health, including clinical evaluation and medical device software under the EU medical device framework.
• Defender of Rights (Défenseur des droits) for discrimination risks in algorithmic decision-making in public services and employment.

Also, and although they are not “regulators” in the classic sense, some Ministers and some Jurisdictions will be responsible for supervising high-risk AI systems, e.g., the Ministries of Economy, Finance, and Industrial and Digital Sovereignty; and the administrative and judicial Supreme Courts (Conseil d’Etat and Cour de cassation).

Yes, the CNIL has published several guidance to help stakeholders implement, develop and use AI in a GDPR-compliant manner.

Also, the Government and governmental bodies have published sectoral AI strategies and roadmaps (for example,  a national AI & health strategy and public-service guidance on AI use).

France aligns closely with international AI standards and guidance. It endorses global principles such as the OECD AI Principles and UNESCO’s AI Ethics Recommendation. France references ISO/IEC standards through AFNOR, including ISO/IEC 42001 on AI management systems. 

No formal AI-specific legislation launched to date.

• AI and intellectual property: https://cms.law/fr/fra/news-information/propriete-intellectuelle-et-intelligence-artificielle
• AI and data protection: https://cms.law/fr/fra/news-information/ia-et-protection-des-donnees
• AI, cybersecurity and defense: https://cms.law/fr/fra/news-information/ia-cybersecurite-et-defense
• AI in fiscal law: https://cms.law/fr/fra/news-information/l-intelligence-artificielle-en-matiere-fiscale
• AI and labor law: https://cms.law/fr/fra/news-information/intelligence-artificielle-et-droit-du-travail
• Generative AI and intellectual property: https://cms.law/fr/fra/news-information/intelligence-artificielle-generative-et-propriete-intellectuelle
• Cultural collection and AI: https://cms.law/fr/fra/news-information/collections-culturelles-et-ia-vers-une-nouvelle-economie-des-donnees-culturelles
• https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence
• EU AI Act - Questions and Answers