Data breaches: the CNIL raises the alarm, and we agree.
Two weeks ago, an executive called me in a panic. One of his service providers had just suffered a cyberattack. His customer files, which he thought were well protected with a "certified" SaaS provider, were out in the open. The first question he asked me was: "Well, that's their problem, right?" Well, no. It's his too. And that's precisely one of the key takeaways from the annual report published by the CNIL May 18th: data leaks explode, and the subcontracting chain is almost always in the equation.
6,167 data breach notifications recorded in 2025. A record. That is 9.5 % more than in 2024, and the first quarter of 2026 is already following the same trend with 2,730 incidents. Behind these figures are millions of French people affected, businesses shaken, and a clear message from Marie-Laure Denis, president of the CNIL: cybersecurity, that of the State as well as that of companies, is "far from satisfactory".
In summary
- An absolute record of data breaches in France in 2025: 6,167 notifications, +9.5 % over one year, and the first quarter of 2026 confirms the trend.
- Data leaks are becoming increasingly massive, with the public administration at the forefront, and very often involve a service provider.
- Evaluating and contractually framing each GDPR subcontractor (processor) has become a primary obligation: a compliant DPA, audits and ongoing monitoring are the foundation.
- Multi-factor authentication (MFA) is now the measure the CNIL expects by default. In 2026, 50 % of its inspections will focus on cybersecurity.
- A tested breach notification procedure, an up-to-date register of processing activities and a completed DPIA (AIPD) make all the difference on the day an incident happens.
- Compliance is not proven by intentions but by documents: that is what accountability means.
What the CNIL's annual report (really) says
"Increasingly massive" violations
The report doesn't just count. It paints a picture. Around forty incidents in 2025 each affected more than a million people—ten more than in 2024. The public administration leads the way with 19 million reported incidents, followed by healthcare, social services, and then financial and insurance activities. And that's not all: this figure doesn't even include cyberattacks against Weda and Harvest software, which alone generated more than 11,600 customer notifications. A single incident upstream, thousands of businesses downstream. That says it all.
Three lessons that must be learned
The CNIL draws three key observations that every leader should write prominently on the executive committee board. First: no one is spared. Sports federations, hotel chains, mutual insurance companies, local authorities, SMEs as well as large corporations: the threat no longer has a typical profile. Second: data leaks involve ever larger volumes. Third, and this is where the subject ties back to our previous articles: these incidents often involve service providers. The GDPR subcontractor has become the most exposed link.
The attackers' method is becoming commonplace.
Hacking accounts for half of all reported incidents. Behind this word lies a whole range of techniques: ransomware, phishing, credential stuffing, takeover of legitimate user accounts. Alongside this, 13 % of incidents stem from an email sent to the wrong recipient, 7 % from hardware loss, and 7 % from accidental publication. In short, human error remains a significant factor. And then there's generative AI, which, in the words of the president of the CNIL… The ANTS case, in which a 15-year-old minor ("not a prodigy," the prosecutor specified) is implicated after the hacking of the secure documents agency, is a chilling demonstration of this.
Why your subcontractors are (still) at the heart of the problem
When a service provider falls, their clients fall with them.
Let's return to the Weda and Harvest software incidents. These were two cyberattacks, yet the authority received 11,600 notifications. Because each time, behind the software publisher, there are hundreds of medical practices and hundreds of wealth management advisors who are also affected: each of them is a data controller in its own right and must report the leak for its own customers. This is exactly the scenario of the Mobius/Deezer subcontractor case, for which the CNIL issued a fine of one million euros at the end of 2025, except that here the cost multiplies. One attack, a thousand professional victims, millions of people affected.
The preliminary assessment: your best (and only) protection
The GDPR leaves no room for doubt: a data controller "only uses subcontractors who offer sufficient guarantees." This obligation, set out in Article 28, paragraph 1, is not wishful thinking. It is what the inspectors will be looking for. Specifically, do you send an evaluation questionnaire to each service provider? Do you ask about their security policy, their register of processing activities, the name of their DPO, their certifications? Have you identified your data transfers outside the EU? If the answer to any of these questions is "uh," you have your first operational priority.
The contract alone is not enough, nor is the audit, but both together, yes.
A well-written GDPR subcontracting agreement, that is to say a DPA that reproduces the eight mandatory clauses of Article 28 §3, is the starting point. Not the end goal. Long-term management is also essential: annual audits, reviews of sub-processors, monitoring of the technical and organizational measures actually applied. To structure this approach, the Viqtor Subcontractors Module centralizes assessments, contracts, audits, and exchange history in a single repository. This is the kind of evidence that a CNIL inspector loves to see.
Are your subcontractor contracts and evaluations up to date? Get the facts from a Viqtor expert
What the government is doing — and what you should do in turn
200 million euros and a new digital authority
At the end of April, Prime Minister Sébastien Lecornu unveiled his plan: 200 million euros to strengthen the cybersecurity of the State, and a merger of the interministerial directorate for digital affairs with that for public transformation to create a digital authority attached to the Prime Minister's office. Following this, the ANSSI published new guidelines for ministries: each must appoint a cybersecurity advisor. This is not insignificant. When the State reorganizes at this level, it means it considers the house to be on fire. And further down the chain, government departments outsource a great deal, and each service provider is a potential point of entry.
Multi-factor authentication: the measure that could have prevented many tragedies
The CNIL hammers home a simple message: the majority of recent major attacks could have been avoided with correctly deployed multi-factor authentication. It is this second factor of MFA that renders a large part of credential stuffing and phishing techniques ineffective. The authority published its recommendation as early as March 2025, allowing organizations time to adapt, and is now announcing targeted inspections. In 2026, 50 % of enforcement actions will focus on cybersecurity, compared to a quarter to a third in 2025. Databases containing more than one million people will be inspected as a priority.
Some concrete projects to be launched this week
Without overburdening the teams, there are a few actions that can be taken quickly and make a real difference in the event of an incident. Here's what I recommend to my executive clients when they ask me where to start.
- Activate the MFA on all privileged accounts and on access to tools containing personal data.
- Update your list of subcontractors, verify that each one has a DPA signed, and identify those who carry out data transfers outside the EU.
- Test your breach notification procedure: who notifies whom? Are you able to trace the chain of events and report to the CNIL within the legal time limit of 72 hours?
- Document a DPIA (AIPD, impact assessment) for your high-risk processing activities; that is the other point the CNIL checks systematically.
- Take another quick look at your register of processing activities: it is rarely as up to date as one might think.
And what happens after the leak? Incident management, where everything hinges.
The first 72 hours decide the rest
When a service provider alerts you, you have 72 hours to notify the CNIL if the data leak presents a risk to people. Not three weeks. Not enough time to convene a steering committee. The procedure must be ready, written, tested, and ready to be activated on a Sunday evening. Our page dedicated to the data breach statement details the steps to avoid doing it backwards.
Informing those concerned, the moment of truth
If the breach poses a high risk to individuals' rights and freedoms, the GDPR also requires that each individual be informed directly. It is often at this point that crisis communication takes precedence over legal action. If poorly managed, trust collapses—Marie-Laure Denis even speaks of "the erosion of the bond of trust between the state and its citizens" in relation to government leaks. For a private company, it means the customer leaves, and the lawyer arrives.
The sanction, and what it says about the organization's maturity
The CNIL does not penalize the leak itself; it penalizes the failings that made it possible or aggravated it. Absence of multi-factor authentication, incomplete register, generic subcontracting contracts, late notification, non-existent accountability. This is where the defense, or the condemnation, is built. To make this whole structure reliable, our complete guide to GDPR compliance audits outlines the methodology used by our consultants.
FAQ
My service provider has suffered a data breach. Am I responsible?
As data controller, yes, you remain legally responsible for the data processing, even if the leak originates from your subcontractor. You must analyze the risk, notify the CNIL within 72 hours if necessary and, where appropriate, inform the people concerned. Your GDPR subcontracting agreement must set out how the service provider alerts you and cooperates.
Is multi-factor authentication mandatory?
It is not explicitly stated in the GDPR, but the CNIL considers it an expected technical measure for any access to personal data sensitive or large-scale. Its March 2025 recommendation is explicit, and the 2026 audits will primarily target organizations that have not implemented it. In short: it is no longer optional.
What is the deadline for notifying the CNIL of a data breach?
72 hours from the moment the incident is reported, unless the violation is unlikely to pose a risk to the rights and freedoms of individuals. Beyond this point, a late notification must be justified. The report is made via the online service of the CNIL and must describe the nature of the breach, the categories of data involved, and the measures taken.
What are the first actions to be implemented for an SME?
Map your processing activities and keep a register of processing activities up to date, identify and properly contract each subcontractor via a DPA, deploy MFA, write a breach notification procedure, and designate a point of contact or a DPO. These five work streams cover the essential control points of the CNIL.
What is the purpose of a Data Protection Impact Assessment (DPIA) and when should one be carried out?
A DPIA (AIPD, impact assessment) is a risk assessment that is mandatory for processing activities presenting a high risk to rights and freedoms: large-scale surveillance, sensitive data, automated profiling, etc. It documents the risks and the measures to mitigate them, and demonstrates your accountability. It is one of the first documents the CNIL requests in case of inspection.
Do you want to turn these lessons into a concrete action plan?
To learn more, find all our resources on the data governance and GDPR compliance on the Viqtor platform.