AI Regulation Tracker / Governance and enforcement
France Moves to Name the CNIL a Lead AI Act Regulator
France is settling who will police the EU AI Act on its soil. A bill working through Parliament, validated in the Senat on February 17, 2026, puts the CNIL at the center as a market surveillance authority for prohibited practices and many high-risk systems. This is a signal about where enforcement is heading, and it is still a bill, not enacted law.
The EU AI Act does not enforce itself. It leaves each country to appoint the national bodies that will supervise it, both the market surveillance authorities that police systems in use and the notifying authorities that oversee conformity assessment. That step was supposed to be done by August 2, 2025. France missed the original date and spent the months after it working out who does what. The answer is now taking legislative shape, and the CNIL is at the middle of it.
What the bill actually does
France chose not to build a single AI regulator. Instead it spread the job across roughly fifteen existing sector authorities, each covering AI in its own field. The Direction generale des Entreprises set out that allocation in September 2025, and the DDADUE bill is the legal vehicle that would put it into force. The government was candid that the plan needed Parliament, describing it as applying "sous reserve qu'il soit accepte par le Parlement par le biais d'un projet de loi," meaning subject to acceptance by Parliament through a bill.
On February 17, 2026, the Senat examined and validated the digital section of that bill. Some senators were uneasy about the sheer number of authorities involved, and one described the resulting map as hard to read. The structure held anyway, with the CNIL given the widest remit of any of them.
The CNIL's three jobs
Under the bill the CNIL would wear three hats. First, it would be a market surveillance authority for the AI Act's prohibited practices. As the reporting on the bill put it, "En tant qu'autorite de surveillance du marche, elle veille au respect des obligations sur les pratiques interdites: notation sociale, manipulation comportementale, exploitation des vulnerabilites, reconnaissance faciale dans l'espace public," which covers social scoring, behavioral manipulation, exploitation of vulnerabilities, and facial recognition in public space.
Second, it would regulate a large slice of the high-risk systems in Annex III of the AI Act. That list includes biometrics, employment and workforce management, education and vocational training, access to essential services, justice, and migration. These are exactly the areas where a system's output can change a person's job, schooling, or legal standing, which is why they carry the heaviest obligations.
Third, the CNIL would act as a notified body, issuing conformity certificates to high-risk systems in its scope before they go to market and then supervising them afterward. Market surveillance authorities under the AI Act can demand technical documentation, test systems, and, where a system breaks the rules, order it corrected, withdrawn, or fined. The penalty ceilings in the Act are steep, up to 35 million euros or 7 percent of global turnover for the worst violations.
The CNIL itself has been careful not to get ahead of the law. In its own guidance it stresses that "il appartient a chaque Etat membre d'organiser la structure de gouvernance qui lui apparait la plus a meme de permettre une bonne application" of the Regulation, meaning each member state decides its own governance, and that the final designation rests on the legislative process now underway.
This is a signal, not a finished rule
I want to be precise, because it is easy to read a Senat vote as the end of the story. It is not. The DDADUE bill has cleared the Senat, but under French procedure it still has to be examined and adopted by the Assemblee nationale before it becomes law, and text can change along the way. Until it is passed and promulgated, the CNIL's expanded AI Act role is the intended design, not a legal duty you can be held to under French law.
What this is, is a strong and specific signal. When a government publishes its allocation, when the responsible ministry stands behind it, and when the Senat validates it, you are looking at the near-final shape of French enforcement. Treat it as a governance designation moving into place, and plan around it, while remembering that the binding version is the enacted law, not this stage of it.
Why this matters for US AI providers
The AI Act does not care where a company is headquartered. If your system reaches users in France and falls into a covered category, a French authority supervises it, and this bill tells you which one. For the categories US firms most often build in, that authority is the CNIL. A hiring or workforce tool, an ed-tech system that scores or sorts students, a biometric or identity product, all of these land in Annex III areas the bill assigns to the CNIL. So does anything that strays near the prohibited practices, where the CNIL is the market surveillance authority.
Practically, that means the body already known for aggressive data protection enforcement in France would also be your AI Act supervisor for these systems. It could ask for your technical file, evaluate the system, and act if it does not conform. And the clock matters here: most high-risk obligations under the AI Act become fully applicable on August 2, 2026. A US provider selling into France should already know which of its systems are high-risk, which French authority owns them under this framework, and whether its documentation would survive a request from that authority.
None of this is a reason to panic, and none of it is legal advice. It is a reason to map your exposure now. The designation is arriving, the enforcement deadline is close, and the authority most likely to hold your file is one that does not hesitate to use its powers.
Questions professionals are asking
Has France officially named the CNIL its AI Act regulator?
Not yet in final law. The designation sits in the DDADUE bill, whose digital section the Senat validated on February 17, 2026. The bill still has to pass the Assemblee nationale before it becomes binding. The intent is clear, but the enacted text is what will carry legal force.
What would the CNIL be responsible for?
Three things under the bill: acting as a market surveillance authority for the AI Act's prohibited practices such as social scoring and public facial recognition, regulating many high-risk Annex III systems including biometrics, employment, education, and access to essential services, and serving as a notified body that issues conformity certificates for high-risk systems in its scope.
Does this reach US companies?
Yes, if their systems reach users in France and fall into a covered category. The AI Act applies based on where the system is placed on the market or used, not where the provider is based. For high-risk categories like hiring tools, ed-tech, and biometrics, the bill points to the CNIL as the supervising authority.
Why does France use so many authorities instead of one?
France chose a decentralized, sector-split model, assigning AI oversight to roughly fifteen existing regulators by field, with the DGCCRF as coordinator and single point of contact and the CNIL as the central player. Some senators criticized the map as hard to read, but the structure was validated.
When do the obligations bite?
Most high-risk obligations under the EU AI Act become fully applicable on August 2, 2026. France's national designation of authorities is being finalized through the DDADUE bill. Providers should identify their supervising authority and check their documentation ahead of that date rather than after it.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any law or requirement applies to your situation with qualified professionals in the relevant jurisdiction.