A historic record
€487M in CNIL fines in 2025 — 8.8× more than 2024. Google (€325M), SHEIN (€150M), Orange (€50M).
What it means for smaller SaaS teams
Smaller companies are not the targets of record-setting fines, but they are very much in scope for inspections, customer scrutiny, and breach-reporting pressure. The 17,772 complaints in 2024, and the third of sanctions linked to inadequate security, show the direction clearly.
3 concrete actions
1. Review your exposed surface.
2. Document your security measures (Art. 32 GDPR).
3. Prepare notification procedures (72h, Art. 33).
Sources
Editorial analysis based on official vendor, project, and regulator documentation.