France

Non-compliance with personal data security measures may be subject to an administrative fine by the CNIL of up to €3 million. Additionally, pursuant to article 226-17 of the Criminal Code, contraveners may face up to five years of imprisonment and face a fine of up to €300,000 (multiplied by five for organisations). As a reminder and upon the entry into force of the EU General Data Protection Regulation, controllers and processors (public or private) may face an administrative fine of up to 2 per cent of the total worldwide annual turnover of the preceding financial year or €10 million, whichever is higher.
Organisations of essential importance may be subject to criminal fines of up to €150,000 in cases of contravention of cybersecurity laws, pursuant to article 22 of the Military Programming Act of 2013.