DPO and AI Act: What role under CNIL supervision?
As of 2026, CNIL is officially the supervisory authority for the AI Act in France. This decision repositions the DPO at the heart of AI governance: a strategic point of contact on executive committees, guarantor of the dual GDPR and AI Act framework, but often without additional resources. Caught between increased visibility and an overloaded scope, here's how DPOs can organize themselves, protect themselves legally, and gain influence without burning out.
The digital compliance landscape in 2026 is marked by a major clarification: the French government has officially designated CNIL as the market surveillance authority for the AI Act. This choice, which concludes months of inter-ministerial debates, establishes the Data Protection Officer (DPO) as the central pivot of this new regulation. While this decision brings welcome coherence, it presents DPOs with a significant challenge: assuming increased strategic visibility while navigating an already saturated scope of responsibilities.
CNIL, the AI Act authority: why this choice was essential
For several months, two visions clashed. On one side, a sectoral approach championed by Bercy, which sought to distribute oversight among several authorities (DGCCRF, Arcom, etc.). On the other, a desire for centralization embodied by CNIL. Ultimately, the latter option prevailed, particularly to avoid the legal risk of "non bis in idem": the prohibition against sanctioning a company twice for the same offense.
By entrusting the AI Act to CNIL, the government acknowledges that personal data is the essential fuel for AI. For DPOs, this decision simplifies the single point of contact but significantly increases their responsibilities. They naturally become the guarantor of compliance with the dual GDPR and AI Act framework within their organization.
Strategic visibility finally gained on the executive committee
The AI Act, with its fines potentially reaching 7% of global turnover, has finally given DPOs the attention they sometimes struggled to get. By becoming the point person for high-risk AI systems, DPOs gain access to executive committees. They are no longer just the one managing cookies or data retention periods, but the one securing innovation and preventing potentially devastating sanctions.
This new responsibility helps break the inertia of certain departments. The argument of AI Act compliance, championed by a CNIL now equipped with algorithmic audit powers, is a powerful lever to secure necessary budgets and decisions. The DPO becomes an architect of digital trust, a rewarding role that highlights their cross-functional expertise.
Expanded Responsibilities, Often Without Additional Resources
However, this rise in influence comes with a complex operational reality. DPOs must now develop expertise in highly technical subjects: model explainability, bias detection, and the security of training datasets. Yet, in many organizations, this mission expansion occurs with constant resources, without additional time or team reinforcement.
The DPO finds themselves in a critically dependent position regarding other departments. To fulfill the new technical documentation obligations imposed by the AI Act, they rely on the transparency of AI providers and the cooperation of the IT department. Without access to information on how algorithms truly function, the DPO risks becoming a "superficial validator" — a dangerous stance in the face of future CNIL audits.
Protecting Oneself Through Traceability of Advice
Given this expanded scope, the DPO must more than ever rely on their advisory role. The legal framework offers protection: the DPO is not responsible for the use of AI; they are the supervisor of its compliance. If management chooses to deploy a generative AI tool without following their recommendations or providing them with the necessary investigative resources, ultimate responsibility lies with the organization.
The DPO's success in 2026 lies in their ability to document their actions. Every piece of advice given, every request for technical documentation, and every alert regarding a lack of resources must be recorded. By doing so, the DPO fulfills their mission of informing and alerting. They transform their frustration with stagnation into proof of professional diligence — ensuring that if the CNIL intervenes, their personal actions cannot be questioned. The DPO remains a sentinel: they show the path to compliance, but they are not the one driving the vehicle of innovation.
Best Practices: Strengthening Your Influence Without Burning Out
To navigate between the requirements of the AI Act and the limitations of your job description, here are some actionable strategies.
Instill the habit of admissibility
Do not attempt to audit a complex AI system alone. Establish a rule: any new AI project can only be reviewed if the business teams provide minimum technical documentation (data sheets, explainability notices, security logs). If information is missing, the standstill is no longer due to you, but to the project owner.
Update your terms of reference
As the scope of AI is new, have your management approve an update to your terms of reference. Explicitly state that your role regarding AI is consultative and depends on effective access to technical resources. This safeguards your legal protection.
Share intelligence gathering with the IT Department
The DPO's role is not to become a machine learning engineer. Partner with a technical lead from the IT Department. Your role is to ask compliance questions (GDPR/AI Act); theirs is to answer them technically. This collaboration alleviates the DPO's isolation.
FAQ - DPO and AI Regulation: Key Questions
Why was CNIL chosen as the regulator for the AI Act?
The government prioritized consistency. Since most AI systems process personal data, entrusting regulation to CNIL avoids conflicting directives between two different authorities and simplifies the compliance process for businesses.
Is the DPO automatically responsible for AI compliance?
No, no law requires it. However, given their knowledge of data flows, they are naturally best positioned to lead on this topic. If they accept this mission, they must ensure their workload is officially re-evaluated to avoid the risk of negligence due to overload.
What should I do if my management ignores an alert about a high-risk AI system?
The procedure remains the same as for the GDPR: document the alert in writing (email, report, management tool) specifying the risks of CNIL sanctions. Once the alert is documented, the deployment decision rests with the data controller. The DPO has fulfilled their advisory duty.
