CNIL 2025: €487M in fines. What small SaaS teams should take away
> TL;DR: Record CNIL fines in 2025. Analysis and concrete lessons for businesses.
A historic record
€487M in CNIL fines in 2025 — 8.8× more than 2024. Google (€325M), SHEIN (€150M), Orange (€50M).
What it means for smaller SaaS teams
Smaller companies are not the targets of record-setting fines. But they are very much within scope for controls, customer scrutiny, and breach reporting pressure. 17,772 complaints in 2024 and a third of sanctions linked to inadequate security show the direction clearly.
3 concrete actions
1. Review your exposed surface.
2. Document your security measures (Art. 32 GDPR).
3. Prepare notification procedures (72h, Art. 33).
Key Takeaways
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
CNIL compliance audit: the complete guide for SMBs in 2026
What CNIL expects, the Article 32 checklist, how to prepare your SMB for an inspection, and what the audit report should contain.
GDPR and recruiting software: what the CNIL really looks at in 2026
The most concrete points for an ATS or recruiting software: candidate data, recruiter access, retention, and visible security posture.
CNIL priority sectors 2026: healthcare, finance, justice in focus
CNIL targets healthcare, finance and justice for 2026 controls. How to prepare.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.