A record year, built on two fines
The Commission Nationale de l'Informatique et des Libertés (CNIL) published its 2025 activity report on May 19, 2026. The headline figures — €487 million in fines across 83 sanctions, arising from 323 investigations — are a record by a wide margin. CNIL collected roughly nine times what it took in 2024 (€55.2m across 87 sanctions), and almost all of the surge came from two decisions in early September 2025: a €325m sanction against Google and a €150m sanction against Shein's Irish operating subsidiary, Infinite Styles Services Co. Limited, for cookie consent failures under Article 82 of the French Data Protection Act of January 6, 1978.
The strongest case for the fines
Start with what the cookie enforcement is doing right. CNIL has been chasing the same set of behaviors — pre-consent cookie deployment, asymmetric 'accept' vs 'refuse' buttons, broken withdrawal mechanisms — since its September 17, 2020 guidelines. Google has now been sanctioned three times in five years: €100m in 2020, €150m in 2021, and €325m in 2025. Shein, for its part, was found to have placed cookies before users interacted with its banner and to have continued reading them after users clicked 'Refuse all,' across an average of roughly 12 million French monthly visitors. When a regulator's response curve is 'more, then much more,' what is being priced in is recidivism, not novelty. Under any reasonable reading of consent law, that is not regulatory overreach — that is a regulator doing the job the statute assigns.
The cookie programme has also moved beyond global platforms. CNIL's November 20, 2025 deliberation (SAN-2025-010) fining the French publisher of Vogue, GQ and Vanity Fair €750,000 for the same family of Article 82 violations is a credible signal that compliance expectations are not negotiable by scale. The framework now reaches mid-market publishers, not only Big Tech.
But two fines on one day are not a strategy
That said, an honest reading of the report is more uncomfortable for proponents of more enforcement than for those who want less. About €475m of the €487m total — north of 97% — came from a single subject (cookies) on a single day. Strip those two decisions out and 2025 looks much like 2024: a steady drumbeat of smaller sanctions, mostly process-driven. Concentration that extreme suggests GDPR enforcement is still chasing a 2018-era surface target — banners, click flows, the choreography of consent — while the actual harm landscape has shifted underneath it.
The same annual report makes the shift visible. CNIL logged 6,167 data breach notifications in 2025, a 9.5% jump and the highest figure ever recorded, with hacking accounting for roughly half. The €475m in cookie fines did not prevent any of them.
The 2026 pivot is the right trade
The most consequential paragraph in the May 19 release is not about Google. It is the announcement that CNIL will devote 50% of its 2026 controls and enforcement actions to data security and cybersecurity, alongside three sectoral priorities — recruitment, the single electoral register (REU), and sports federations. That is a serious reallocation, and it is the right one. It tracks the agency's 2025–2028 Strategic Plan, which names cybersecurity as one of four cross-cutting priorities, and it follows CNIL's April 30, 2025 directives requiring multi-factor authentication for any organisation holding personal data on 'several million' individuals.
Two things make this the better trade than another year of cookie litigation.
First, the rule is concrete and outcome-linked. MFA for remote access to large personal-data stores is the kind of measure where the regulator can point to a specific control, demand evidence of deployment, and tie non-compliance to a class of breach that actually occurs in the wild. Password-only employee and contractor accounts remain the dominant entry vector for large-scale incidents; mandating MFA at the organisations holding the largest databases attacks the bottleneck directly. That is not a process metric. It is a vulnerability metric.
Second, the targets are right. Sectoral focus on recruitment platforms (CV databases that are routinely scraped), the single electoral register (a national identity-anchored dataset), and sports federations (medical, biometric, and minors' data, much of it held by under-resourced bodies) is exactly where breach impact and individual harm are highest per euro of enforcement effort. None of those sectors is going to be measurably improved by tighter cookie banners.
The risk to watch
The pro-innovation case for the pivot is not unqualified. There is a real risk that '50% of controls on cybersecurity' calcifies into checklist enforcement — points awarded for documenting an MFA policy, deducted for missing one, without any look at whether the configuration is meaningfully resistant to the threats organisations actually face. CNIL has explicitly called its April 30, 2025 paper 'directives' rather than 'recommendations,' signalling prescriptiveness. That helps with predictability, but the prescriptions must keep tracking threat models rather than freeze 2025 best practice in regulatory amber. The agency should publish, transparently, which controls it inspects and which breach typologies it has actually reduced — otherwise the pivot risks becoming a new species of compliance theatre.
Bottom line
CNIL had a banner year on paper, but the substance of 2025 was a pair of nine-figure cookie verdicts issued on a single day — useful as a deterrent, narrow as a regulatory programme. The 2026 pivot toward cybersecurity moves enforcement closer to where harm now lives. For European tech policy more broadly, this is the model worth copying: less choreography, more controls that prevent the breaches Europe's citizens are actually suffering.