FRANCE Law and Practice Contributed by: Clara Hainsdorf, Bertrand Liard, Saam Golshani and Guillaume Vitrich, White & Case LLP
3. Artificial Intelligence

3.1 Liability, Data Protection, IP and Fundamental Rights

AI Act

The AI Act was adopted on 21 May 2024 and aims to regulate the use of AI, ensuring it is safe, ethical and trustworthy. The European Artificial Intelligence Office was established to support its implementation.

The AI Act uses a risk-based approach, classifying AI systems into four categories.

• Unacceptable risk systems: banned due to harm to safety, fundamental rights or human dignity.
• High-risk systems: strictly regulated, requiring high standards for data quality, transparency, accountability and human oversight.
• Limited risk systems: subject to strict transparency rules.
• Minimal or no risk systems: not subject to regulation.

Unacceptable risk AI systems have been prohibited in the EU market since 2 February 2025. Obligations related to general-purpose AI will apply as of 2 August 2025. The AI Act will be fully applicable as of 2 August 2026, and high-risk AI systems must be compliant by 2 August 2027.

Non-compliance can result in significant fines of up to EUR35 million or 7% of annual turnover.

Deepfakes

The SREN Law incorporates measures in the penal code to regulate deepfakes:

• Article 228-8 criminalises the use of deepfakes for disinformation, including private
The 2022 version of the SecNumCloud also provides guarantees on data protection against non-EU legislation. The design of the data protection regulations is compliant with the requirements of the Schrems II ECJ ruling. CNIL even recommends the use of this standard for all data controllers who want to guarantee a high level of data protection.

To rebalance competition between the various players and strengthen the control of personal data by the data subjects, the DMA prohibits gatekeepers from engaging in certain practices without obtaining the end users’ consent, including:

• combining personal data from the relevant core platform service with personal data from other services of the gatekeeper;
• cross-using personal data from the relevant core platform service in other services provided separately by the gatekeeper; and
• signing in end users to other services of the gatekeeper in order to combine personal data.

The DMA is also intended to regulate the access and use of the data provided or generated by core platform services, and to enhance the transparency obligations related to profiling practices.

To encourage internet users to be aware of the realities of risks on the sites they consult, the French Law of 3 March 2022 introduced a cyberscore. Effective since October 2023, the cyberscore will be displayed on websites in order to warn internet users about the security of the site and of the data hosted. To obtain this cyberscore, companies must carry out audits with providers qualified by ANSSI.