What are the main regulatory authorities in France?

The CNIL oversees data protection, the AMF regulates financial markets, and the ACPR supervises banking and insurance. Cleo monitors enforcement actions from all three.

How does French law differ from EU regulations?

France adds national layers like Sapin II (anti-corruption), the Duty of Vigilance law (supply chain due diligence), and AGEC (circular economy). Cleo maps these alongside EU requirements.

What are the CNIL's latest enforcement trends?

The CNIL has issued some of Europe's largest GDPR fines and increasingly focuses on cookie compliance, AI systems, and children's data. Cleo tracks all CNIL decisions in real time.

🇫🇷France

DORA compliance in France

In France, DORA is enforced by the ACPR (banking/insurance) and the AMF (investment firms/markets). French financial entities must comply with both DORA and existing ACPR IT risk guidelines.

Run a Free Scan

Enforcement authority

ACPR (Autorité de contrôle prudentiel et de résolution) + AMF (Autorité des marchés financiers)

Maximum sanctions

ACPR and AMF can impose administrative sanctions including fines, public reprimands, and license withdrawal. Criminal penalties may apply for severe non-compliance.

Key obligations

What DORA requires from organizations operating in France.

Align existing ACPR IT risk framework (Arrêté du 3 novembre 2014) with DORA requirements

Report ICT incidents to ACPR or AMF depending on entity type

Update ICT third-party contracts to include DORA-mandated clauses

Conduct TLPT in accordance with ANSSI (national cybersecurity agency) framework

Local context in France

France's financial sector is highly regulated with existing ACPR guidelines that overlap with DORA. The ANSSI plays a key role in TLPT testing standards. French financial entities should map DORA requirements against existing ACPR controls to identify gaps.

DORA by industry in France

Retail & Consumer Goods Real Estate FinTech HealthTech Insurance Energy & Utilities Sustainability & ESG

Frequently asked questions

How does DORA apply in France?

In France, DORA is enforced by the ACPR (banking/insurance) and the AMF (investment firms/markets). French financial entities must comply with both DORA and existing ACPR IT risk guidelines.

Who enforces DORA in France?

ACPR (Autorité de contrôle prudentiel et de résolution) + AMF (Autorité des marchés financiers)

What are the penalties for DORA non-compliance?

ACPR and AMF can impose administrative sanctions including fines, public reprimands, and license withdrawal. Criminal penalties may apply for severe non-compliance.

Read our complete DORA compliance guide

DORA in other jurisdictions

🇪🇺European Union 🇩🇪Germany 🇬🇧United Kingdom 🇺🇸United States 🇧🇷Brazil 🇦🇺Australia 🇮🇳India

Check your DORA compliance now

Run a free scan to see your risk score and applicable obligations.

Run a Free Scan

Key obligations

What DORA requires from organizations operating in France.

Align existing ACPR IT risk framework (Arrêté du 3 novembre 2014) with DORA requirements

Report ICT incidents to ACPR or AMF depending on entity type

Update ICT third-party contracts to include DORA-mandated clauses

Conduct TLPT in accordance with ANSSI (national cybersecurity agency) framework

Frequently asked questions

How does DORA apply in France?

In France, DORA is enforced by the ACPR (banking/insurance) and the AMF (investment firms/markets). French financial entities must comply with both DORA and existing ACPR IT risk guidelines.

Who enforces DORA in France?

ACPR (Autorité de contrôle prudentiel et de résolution) + AMF (Autorité des marchés financiers)

What are the penalties for DORA non-compliance?

ACPR and AMF can impose administrative sanctions including fines, public reprimands, and license withdrawal. Criminal penalties may apply for severe non-compliance.