CNIL is inspecting more SMBs than ever
In 2025, CNIL conducted over 300 formal inspections and processed 17,772 complaints. One-third of sanctions concerned inadequate security measures. SMBs are no longer exempt: CNIL now targets businesses of all sizes, particularly in healthcare, finance, and legal sectors.
What CNIL checks during an inspection
CNIL verifies GDPR compliance along several axes. Article 32 is the one that directly concerns your application's technical security.
Processing records: have you documented what data you collect, why, and for how long?
Legal basis: do you have a legal foundation for each processing (consent, contract, legitimate interest)?
Article 32 technical measures: have you implemented security measures proportionate to the risks?
Data subject rights: can you respond to access, rectification, and deletion requests?
Breach notification: do you have a procedure to notify CNIL within 72h in case of a breach?
The Article 32 checklist for SMBs
Article 32 GDPR requires "appropriate technical and organizational measures." Concretely, for a web application:
How to prepare your SMB for an inspection
Step 1 — Inventory: list all personal data your application handles. Names, emails, addresses, health data, financial data.
Step 2 — Technical audit: have your application audited by an expert. The audit report serves as evidence of due diligence in the event of an inspection.
Step 3 — Remediation plan: fix identified flaws and document each correction.
Step 4 — Procedures: write your breach notification procedure (72h) and your data subject rights response procedure.
Step 5 — Training: train your team on security best practices.
What the audit report should contain
To be useful in front of CNIL, your audit report must include the scope analyzed, methodology used, vulnerabilities identified with their severity, personal data potentially exposed, prioritized remediation recommendations, and the audit date.
Our view for SMBs
Our Full Audit (€4,200) produces a CNIL-compliant report. It identifies security flaws, assesses the impact on personal data, and provides a prioritized remediation plan. It's your best proof of due diligence.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.