Chapter 1: France and the EU AI Act
1.1 Direct Applicability
The EU AI Act (Regulation (EU) 2024/1689) applies directly in France without national transposition. As a Regulation of the European Union, it has immediate effect in French law and takes precedence over conflicting provisions of French domestic legislation.
France has positioned itself as a leading voice in European AI policy. The country has pursued a dual strategy: promoting AI innovation through substantial public investment and research programmes, while ensuring that fundamental rights protections remain central to AI governance. This approach shaped France's negotiating position during the AI Act legislative process, particularly regarding the balance between innovation support and regulatory oversight.
1.2 French National AI Strategy
France's national AI strategy, initiated by the Villani report (2018) and refined through successive government programmes, provides the policy context for AI Act implementation:
Phase 1 (2018-2022): EUR 1.5 billion investment in AI research, creation of national AI institutes (3IA: Grenoble, Nice, Paris, Toulouse), establishment of data infrastructure.
Phase 2 (2021-2025): Focus on AI adoption in priority sectors (health, environment, transport, defence), support for AI startups, development of sovereign cloud and computing infrastructure.
Phase 3 (2024-present): Integration of AI governance with EU AI Act implementation, emphasis on trustworthy AI, support for regulatory sandboxes, and positioning France as the European hub for responsible AI development.
The French government views the AI Act not as a constraint on innovation but as a framework that, properly implemented, can provide competitive advantage through trust and legal certainty.
1.3 French Institutional Landscape
| Institution | Role in AI Governance |
|---|---|
| CNIL (Commission nationale de l'informatique et des libertes) | Data protection supervision; AI-specific guidance; regulatory sandbox |
| DGCCRF (Direction generale de la concurrence, de la consommation et de la repression des fraudes) | Market surveillance for AI consumer products |
| ANSSI (Agence nationale de la securite des systemes d'information) | Cybersecurity requirements for AI systems |
| ARCEP (Autorite de regulation des communications electroniques) | Telecommunications and digital platform regulation |
| AMF (Autorite des marches financiers) | AI in financial markets supervision |
| ACPR (Autorite de controle prudentiel et de resolution) | AI in banking and insurance supervision |
| Inria (Institut national de recherche en sciences et technologies du numerique) | AI research; technical standards contribution |
| DGE (Direction generale des entreprises) | Industrial policy; AI sector support |
1.4 Designation of Market Surveillance Authority
France is finalising the designation of its national market surveillance authority for AI Act enforcement. The institutional arrangement involves coordination between several existing authorities:
The CNIL serves as the primary contact point for AI systems that process personal data, building on its established expertise in automated decision-making oversight under GDPR Article 22 and French data protection law.
The DGCCRF handles consumer protection aspects of AI systems placed on the French market, including product safety and fair commercial practices.
Sector-specific regulators (AMF, ACPR, ANSSI) retain supervisory authority over AI systems within their respective domains.
The precise allocation of competences is defined by decree (decret d'application), ensuring coordination between authorities and avoiding jurisdictional overlap.
1.5 Enforcement Timeline for France
| Date | Milestone |
|---|---|
| 2 February 2025 | Prohibited AI practices and AI literacy obligations in force |
| 2 August 2025 | GPAI model obligations apply |
| 2 August 2026 | Transparency obligations; AI Office enforcement powers |
| 2 December 2027 | Annex III high-risk AI obligations (Omnibus deferral) |
| 2 August 2028 | Annex I product-embedded AI obligations |
Want to monitor your AI compliance automatically? Try AIOS — your AI compliance OS. https://mmoww.net/ai/app/
Quick Decision Matrix
Use this matrix to determine your AI compliance obligations.
| Your Situation | Risk Level | Priority Action | Go To |
|---|---|---|---|
| Deploying AI that affects employment decisions | High | Impact assessment required | Chapter 3 |
| Using AI for customer-facing services | Medium-High | Transparency obligations apply | Chapter 4 |
| Internal AI tools (analytics, automation) | Medium | Document and monitor | Chapter 5 |
| AI in regulated sector (finance, health) | High | Sector-specific rules apply | Chapter 3 |
| Procuring AI from third-party vendor | Medium | Vendor due diligence needed | Chapter 5 |
| Just exploring AI for the first time | Low | Start with governance framework | Chapter 2 |
5-second answer: If your AI system makes decisions that affect people, you have compliance obligations. Start with Chapter 2 for the regulatory framework, then Chapter 3 for your specific obligations.