TMT 2025

FRANCE Law and Practice Contributed by: Clara Hainsdorf, Bertrand Liard, Saam Golshani and Guillaume Vitrich, White & Case LLP

Consent

In IoT devices, it is not always possible to request consent directly. Therefore, in order to implement GDPR requirements for consent, IoT manufacturers must find other ways to collect it.

Cybersecurity

The Cyber Resilience Act establishes mandatory cybersecurity standards for digital products and services within the EU, aiming to protect consumers and businesses from cybersecurity risks. Its main provisions will become enforceable from 11 December 2027. It mitigates risks associated with the increasing prevalence of connected devices and digital services, and ensures a harmonised cybersecurity framework that supports innovation while safeguarding consumers.

4.2 Compliance and Governance

The principal challenge is dealing with the multiplicity of European regulations in the same industries (particularly TMT), as mentioned in 4.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection. There are also sector-specific regulations that apply to industries such as healthcare, environment and energy.

Companies must implement internal regulations, such as policies and codes of conduct, to ensure compliance with various obligations. They should develop processes to inform employees of their obligations and conduct regular audits for compliance. External information notices must be provided to potential clients, detailing mandatory consumer regulations like terms and conditions.

In 2021, ANSSI published a guide to IoT security recommendations, facilitating security analysis based on probable attack scenarios and offering recommendations to mitigate identified risks.

rules will apply. A distinction must be made between contractual and extra-contractual liability. In addition, several liability regimes may apply, in particular defective products or the custody of the object.

For instance, if the manufacturer/producer of the connected objects does not respect its pre-contractual information as referred to in Article 1112-1 of the French Civil Code and Article L 111-1 et seq of the French Consumer Code regarding the substantial characteristics of connected objects, they could be held accountable for that omission.

However, these regimes do not fully meet the challenges related to connected objects and artificial intelligence in general. It seems necessary either to adapt the existing regimes or to create a specifically adapted regime.

In 2024, France updated its drone regulations to align with European directives, introducing new classifications and stricter requirements. These changes aim to enhance safety and confidentiality while expanding drone usage for leisure and professional purposes. The regulations cover flight zones, training certificates and drone flight scenarios, providing a comprehensive framework for drone operations.

Data Protection

GDPR and standard data protection provisions also extend to the internet of things (IoT). Identifying data controllers and processors in IoT projects is challenging due to the interoperability and constant data exchange of connected devices. Beyond GDPR and French law, CNIL recommends conducting Data Protection Impact Assessments for IoT projects, to clarify processing purposes and legitimate methods. CNIL also provides guidelines to help data subjects using IoT devices protect themselves from associated risks.


CHAMBERS.COM
