Privacy & AI: the big change of February 2026

February 2026 marked a turning point with the designation of the CNIL as the supervisory authority for the AI Act, the launch of the first NIS2 audits and a record 486 million euros in sanctions. Between critical cyberattacks (UNSS, Cegedim) and new requirements on the EHDS or the marking of AI-generated content, the convergence between cybersecurity and data protection is becoming an operational obligation. This analysis covers the 9 pillars that are redefining compliance for businesses and public organizations.

By Guillemette Songy

The year 2026 will not be the year of a simple regulatory update, but the year of a true genetic mutation in compliance.

Gone are the days when simple compliance with the GDPR was enough to reassure partners and regulators. In this month of February 2026, we are witnessing the explosive convergence of three worlds: artificial intelligence, robust cybersecurity and the protection of ultra-sensitive data.

Between a CNIL that is changing in scale, systemic cyberattacks and record financial pressure, here is a breakdown of the 9 news items that are redefining the agenda of DPOs, CISOs and decision makers.

The CNIL becomes the supervisory authority for the AI Act in France

February 12, 2026 will remain a key date. The government has tabled a historic amendment modifying the 1978 Data Protection Act to designate the CNIL as the national supervisory authority for the AI Act. It is no longer just an advisory mission. The CNIL now has sovereign powers to:

  • Sanction banned AI systems, in particular social scoring, an absolute red line in Europe
  • Audit transparency to verify that high-risk systems such as biometrics or emotional analysis at work are not black boxes
  • Impose watermarking in accordance with Article 50 of the AI Act, because all AI-generated content must be identifiable

Analysis of major cyberattacks: focus on the UNSS

The cyberattack against the site of the National Union of School Sports (UNSS) caused a national shock wave. The data of one and a half million middle and high school students (names, addresses, parents' contacts) have been compromised. The CNIL has made the protection of minors its top priority for 2026. The associative and parapublic sector is often the weak link: this incident reminds us that the volume of data managed requires proportionate security.

Analysis of major cyberattacks: focus on Cegedim

The health sector is not spared. The attack on the giant Cegedim, a critical player and health data host (HDS), highlights the vulnerability of our vital infrastructures. When an actor of this size falters, the entire healthcare ecosystem (pharmacies, doctors, insurers) is paralyzed. This incident validates the urgency of the NIS2 directive: computer security is now a question of the continuity of the life of the nation.

CNIL sanctions: 2025 report and France Travail case law

On February 9, the CNIL published its annual report. The figure is indisputable: 486 million euros in fines accumulated in one year. The pedagogical phase that began in 2018 is officially over. The regulator is now primarily targeting:

  • Intrusive advertising tracking
  • The disproportionate surveillance of teleworking employees
  • The lack of basic database security

The 5 million euro penalty imposed on France Travail for lack of security (faulty strong authentication) sets a precedent. It is a clear signal: the CNIL will no longer hesitate to sanction public organizations if their technical architecture does not meet state-of-the-art standards.

NIS2 and EHDS: the new pillars of technical compliance

NIS2: the moment of truth for “Essential Entities”

February 2026 marks the start of the first compliance audits for the NIS2 Directive. There is no longer a watertight barrier between privacy and cyber. In the vast majority of cases, a security incident is a personal data breach. The collaboration between the DPO and the CISO is no longer optional: it is the basis for regulatory survival.

EHDS: the countdown to health data

At the same time, the European Health Data Space (EHDS) is entering an operational phase. Health tech companies must now design systems that allow the secondary use of data for research, while guaranteeing irreversible anonymity. This is the challenge of privacy-by-design pushed to its extreme.

The CNIL monitors your business model

On February 2, the CNIL launched its economic analysis program to understand how data is monetized. If your profitability depends on data brokerage or massive profiling, the regulator will question the ethical legitimacy of your financial value. Compliance is now part of your Excel spreadsheets.

Safer Internet Day: Protecting "Generation AI"

Finally, on 10 February, the 23rd edition of Safer Internet Day highlighted the dangers of deepfakes and automated harassment. France is equipping itself with tools to sanction platforms that do not filter malicious AI content, thus protecting Generation AI from unprecedented information manipulation.

FAQ - the challenges of AI and GDPR compliance in 2026

What is the role of the CNIL concerning the AI Act?

The CNIL is designated as the national supervisory authority for the AI Act in France. It has the power to sanction prohibited practices and to audit the transparency of high-risk artificial intelligence systems.

What are the priorities of the CNIL for controls in 2026?

The regulator focuses on the protection of the data of minors, the security of health data, advertising tracking, and the surveillance of employees.

How does the NIS2 directive impact data protection?

The NIS2 directive requires strict security audits. It reinforces the link between the CISO and the DPO, because any major computer security breach generally constitutes a personal data breach within the meaning of the GDPR.
