FRANCE Law and Practice Contributed by: Sylvain Clavé and Germain Chaux, Clavé Avocat
only be outsourced to regulated entities, which are authorised/licensed to perform these functions. EBA guidelines on outsourcing are entirely implemented into French law. In this regard, the Decree of 3 November 2014 expressly provides that “the outsourcing of activities shall give rise to a written contract” between the parties. Under EBA Guidelines, contracts for “critical or important” functions must include specific mandatory clauses. Notably, the regulated entity is required to contractually secure full and unrestricted rights of inspection/audit over the service provider. This right allows the institution to monitor the provider’s compliance with its obligations and is essential, as financial institutions remain responsible for the actions of their providers. This regulatory framework has been enhanced by the full entry into application of DORA. This Regulation introduces a harmonised European regime regarding third-party ICT service providers. In principle, the requirements under DORA apply in parallel to the outsourcing requirements.

2.9 Gatekeeper Liability

As a general principle, fintech providers, when they are regulated entities, are deemed to ensure that the services they provide are not linked to illicit activities or money laundering – bearing in mind that unregulated players are also strictly forbidden from knowingly facilitating illicit activities. For this purpose, they are subject to strict AML/CFT legislation, requiring them to prevent their platforms from being used for criminal ends (KYC, proactive fraud reporting, transaction monitoring, etc).

2.10 Significant Enforcement Actions

The AMF and ACPR can conduct on-site investigations and initiate disciplinary proceedings.
At the heart of their enforcement framework are independent “Sanction Commissions” (Commissions des Sanctions), which act as autonomous courts capable of imposing significant administrative fines and even professional bans to ensure market integrity and consumer protection. Part of the sanction is to be published, to let third parties know about the decision of the commission.
French regulators have increased their activity in the field of crypto-assets, in the context of the approaching end of the MiCAR transitional period. In 2025 alone, the AMF added 71 new websites to its blacklist for illegally offering crypto-asset services. In February 2026, the AMF reiterated that all providers failing to obtain the mandatory CASP authorisation by the 1 July 2026 deadline must immediately cease their activities in France or face severe criminal penalties. To enforce these rules, the regulator will publish blacklists of unauthorised platforms and is prepared to seek court orders to block access to their websites. Moreover, in its 2026 roadmap, the AMF announced that it will conduct targeted inspections to ensure the robustness of regulated entities’ cybersecurity systems, specifically focusing on their alignment with the DORA framework.

2.11 Implications of Additional, Non-Financial Services Regulations

All industry participants in the French fintech ecosystem face a dual burden where financial regulation intersects with transversal non-financial regulation. Both legacy players and fintechs are subject to the General Data Protection Regulation (GDPR) and the supervision of the French data authority, the CNIL (Commission nationale de l’informatique et des libertés). In the context of open banking, they handle vast amounts of data, making its management a critical competitive and legal stake. Beyond data privacy, cybersecurity has become a major non-financial stake for the industry (under the authority of the National Cybersecurity Agency – Agence nationale de la sécurité des systèmes d’information, ANSSI). While legacy banks and large-scale institutions were previously the main targets of cybersecurity mandates under Directive (EU) 2016/1148 of 6 July 2016 (the Network and Information Security Directive), DORA now applies to them.
Moving into 2026, French fintechs must now adhere to stringent ICT risk management frameworks and reporting standards. Furthermore, the French ecosystem is uniquely impacted by the Law of 9 June 2023 on commercial influence, which regulates social media activities.