PolicyForge
By Vyrhak SATH · Founder, NAGASHIELD SECURITY

CNIL sanctions 2025: what the record €487M actually means for SMEs

Analysis of the CNIL’s official 2025 enforcement report: 259 decisions, 83 sanctions, €486.8M in fines — 97.6% of it from just two decisions. What the simplified procedure and the recurring grounds (cookies, employee monitoring, data security) mean for smaller companies.

The official 2025 numbers

The CNIL, France’s data protection authority, published its 2025 enforcement report with record figures. In 2025 it issued 259 corrective decisions: 83 sanctions, 143 formal notices (mises en demeure), 31 reminders of legal obligations and 2 warnings. Cumulated fines reached €486,839,500 — an unprecedented amount, compared with €55.2M in 2024 and €89.2M in 2023.

| Year | Total fines  |
|------|--------------|
| 2023 | €89,179,500  |
| 2024 | €55,212,400  |
| 2025 | €486,839,500 |

Of the 83 sanctions, 16 went through the ordinary procedure of the restricted committee and 67 through the simplified procedure. They include 78 fines (27 paired with injunctions under periodic penalty), three penalty-liquidation decisions and two calls to order.

Two decisions account for 97.6% of the total

The record headline is driven almost entirely by two decisions issued on 3 September 2025: €325M against Google and €150M against Shein, both primarily about cookie practices. Together they represent €475M — about 97.6% of the year’s total. Strip them out and the remaining fines add up to roughly €11.8M spread across the other decisions: the ordinary enforcement level did not explode, it stayed in the range French organisations have known for years.

That distinction matters. Reading “€487M in CNIL fines” as a signal that only tech giants are targeted gets the risk exactly backwards.

The simplified procedure is aimed at ordinary companies

67 of the 83 sanctions in 2025 — 81% — went through the simplified procedure, a fast track created in 2022 for cases that do not require the full restricted-committee process, with fines capped at €20,000. This is the CNIL’s instrument for sanctioning SMEs and mid-sized organisations at scale: cheaper for the authority, quick, and increasingly systematic. Add the 143 formal notices and the pattern is clear — for a typical company the realistic scenario is not a headline fine, it is a €5,000–€20,000 sanction plus an injunction, following a complaint or a breach.

The three recurring grounds — and the documents that prevent them

The CNIL highlights three recurring themes in 2025: cookies, employee monitoring and data security. All three are, at their core, governance failures that documented policies address directly:

| Ground                      | Typical failure                                      | Preventive document                              |
|-----------------------------|------------------------------------------------------|--------------------------------------------------|
| Cookies                     | No valid consent, no easy refusal                    | Cookie/consent policy + compliant banner         |
| Employee monitoring         | Disproportionate surveillance, no information        | Employee monitoring & acceptable use policies    |
| Data security (GDPR Art. 32) | Weak passwords, unrevoked access, no encryption      | Access control, password and encryption policies |

What an SME should do with these numbers

  1. Treat the simplified procedure as your realistic exposure: up to €20,000 plus remediation under deadline — material for an SME, and public.
  2. Fix the three recurring grounds first — they are audited from the outside (your cookie banner) or triggered by any employee dispute or breach.
  3. Document Article 32 security: access control with MFA, password rules and revocation runbooks are what the CNIL asks for after a breach.
  4. Keep evidence: dated, approved policies and a processing register are the first items requested in any CNIL inquiry.

Primary sources

How PolicyForge helps

PolicyForge generates the GDPR-supporting documents the CNIL expects to see — access control, passwords, encryption, acceptable use, incident response with 72-hour notification — bilingual, versioned and signed off.

Frequently asked questions

How much did the CNIL fine in 2025?

According to its official 2025 report, the CNIL issued 83 sanctions among 259 corrective decisions, for a cumulated total of €486,839,500 — versus €55.2M in 2024 and €89.2M in 2023. Two decisions of 3 September 2025, Google (€325M) and Shein (€150M), represent about 97.6% of that total.

Does the CNIL sanction small companies?

Yes. 67 of the 83 sanctions in 2025 (81%) went through the simplified procedure, the fast track designed for ordinary cases with fines capped at €20,000 — the instrument used against SMEs and mid-sized organisations. The CNIL also issued 143 formal notices in 2025.

What are the most common grounds for CNIL sanctions?

The CNIL highlights three recurring themes in its 2025 report: cookie practices (no valid consent or no easy refusal), employee monitoring (disproportionate surveillance), and data security failures under GDPR Article 32 such as weak passwords or unrevoked access.

How do I reduce the risk of a CNIL sanction?

Address the recurring grounds first: a compliant cookie banner, a proportionate and documented employee-monitoring policy, and Article 32 security measures (access control, MFA, passwords, encryption) — all documented, approved and dated, with a processing register ready to produce during an inquiry.