France is about to switch on a piece of internet plumbing it has been promising since 2022. According to a draft decree first reported by the French press on May 2, 2026, the government's filtre anti-arnaque — the anti-scam filter written into the 2024 SREN law — is now slated to go live on September 1, 2026. The novelty this time is operational: the system will be run by the Office Anti-Cybercriminalité (OFAC), a police service under the national police directorate, rather than the public-facing Cybermalveillance.gouv.fr. OFAC agents will maintain a blacklist of fraudulent sites, push it to internet service providers and browser vendors, and trigger a warning screen before a flagged page loads.
What launches on September 1
The legal basis is Article 6 of LOI n° 2024-449 du 21 mai 2024, the loi visant à sécuriser et réguler l'espace numérique (SREN). As the French government's own guidance describes it, the mechanism lets regulators require browser vendors such as Chrome and Safari to display a clear warning that a user is about to reach a fraudulent site, with a link to an official state page. The plumbing is DNS-level: when you click a phishing link from an SMS or email — a fake bank login, an identity-theft form — the resolver returns the warning instead of the page. The draft decree was notified to the European Commission, the same TRIS channel through which the broader SREN bill drew a detailed Commission opinion in 2023.
The goal is unobjectionable. Phishing and impersonation scams drain real money from real people, and a state-curated warning that interrupts a victim mid-click is, on its face, a sensible nudge. France has tried to ship this since President Macron's 2022 campaign, missing deadline after deadline — the 2023 Rugby World Cup, the 2024 Paris Olympics — so there is a fair argument that some friction against industrial-scale fraud beats none. That is the strongest case for the filter, and it deserves to be stated plainly.
The proportionality problem: no judge in the loop
The trouble is the structure, not the goal. The SREN text lets a police office order a site onto the blacklist without prior judicial review. La Quadrature du Net has warned since 2023 that this turns browsers into "auxiliaires de police" — private companies conscripted to execute an administrative blocking decision that no court has reviewed. The only backstop is CNIL oversight after the fact, which the group argues is illusory against a list that may absorb up to a thousand new entries a day. A reviewer cannot meaningfully audit a blocklist growing at that rate; the safeguard becomes a rubber stamp.
This matters because "scam" is not a self-defining category. Phishing pages that spoof a bank are easy calls. But the same infrastructure — a police-maintained domain blacklist enforced at the DNS layer — is exactly the tool that, once built, invites scope creep toward disputed commercial claims, unlicensed-but-lawful services, or sites a regulator simply dislikes. France's own Constitutional Council struck down the 2020 Avia law's 24-hour administrative takedown regime precisely because it placed the censorship decision with the executive rather than a judge. The anti-scam filter rebuilds that architecture and labels it cybersecurity.
It also doesn't work
Even on its own terms, the filter is weak. Telecom operators have pointed out the obvious: phishing domains rotate constantly, sometimes several times a day. A static blacklist transmitted to ISPs is reactive by construction — it blocks yesterday's domain after the campaign has already moved to a fresh one. DNS filtering is trivially circumvented by anyone who changes their resolver to 1.1.1.1 or 8.8.8.8, uses encrypted DNS (DoH is now default in major browsers), or runs a VPN. The actual fraud victims — the non-technical users the filter is meant to protect — are the only ones who will ever see the warning, while the criminal operators it targets route around it in seconds.
So the cost-benefit is upside-down. The state gains a permanent, court-free blocking capability with real censorship potential; the public gets a speed bump that stops the least sophisticated threats for the least sophisticated users and nothing else. That is the textbook definition of disproportionate regulation: maximal infrastructure, minimal protective return.
A proportionate version exists
None of this means France should do nothing. A better design keeps the warning and drops the coercion. Browser and email providers already run reputation feeds — Google Safe Browsing, Microsoft SmartScreen — that flag phishing at scale, update in near-real time, and remain advisory rather than mandatory. The state's comparative advantage is intelligence, not enforcement: OFAC could publish a high-quality, transparently-sourced threat feed that vendors choose to ingest, with a published appeals path and a judge in the loop before any binding block. That preserves the genuine public-safety benefit — interrupting a victim mid-scam — without standing up a police blocklist that no court reviews and no honest attacker respects.
The SREN filter, as drafted for September, gets the trade exactly backwards. France would acquire a censorship-capable chokepoint and call it consumer protection, while the scammers it names keep working. Proportionality asks whether the power granted matches the harm prevented. Here, it plainly does not.