The French government has adopted a law aimed at regulating digital services. The new SREN law (Loi Visant à Sécuriser et à Réguler l'Espace Numérique) adapts French legislation to new EU regulations, including the Digital Services Act (DSA), the Data Act and the Digital Market Acts. It also introduces measures that supplement and even go beyond the scope of these EU regulations.

Key Takeaways

1. The SREN law pre-enacts EU Data Act provisions that apply to cloud computing services.
2. The law expands the territorial scope of the French Data Protection Act of 1978.
3. New rules will adapt French law to the DSA.
4. The Regulatory Authority for Audiovisual and Digital Communication has new powers.
5. The SREN law regulates online games that include digital monetizable tokens for a three-year experimental period.

What Companies Should Consider Doing

The SREN law covers a wide range of operators. Online service providers should assess which provisions cover their services and how they may be impacted as part of their EU regulation compliance processes.

This tool will help you assess whether you are affected by provisions of the SREN law adapting national law to the DSA. You can also reference our update on the Data Act.

5 Things to Know About the SREN Law: More Detail

1. The SREN law pre-enacts EU Data Act provisions that apply to cloud computing services.

The SREN law anticipates the Data Act’s effect on providers of “data processing services” so the relevant SREN law provisions come into force before the Data Act.

The Data Act defines a data processing service as “a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralized, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.” The SREN law adopts this definition but refers to “cloud computing services.”

Both the Data Act and the SREN Law appear to target software providers that make products available in the cloud. Recital 81 of the Data Act refers to SaaS as one of three fundamental data processing models. The EU Commission also refers to SaaS as a data processing service in its online guidance.

In addition, the Data Act distinguishes cloud services limited to infrastructure elements from cloud computing services that contain the provision of software.

Therefore, the Data Act will cover SaaS models. The SREN law should also be considered as covering SaaS providers for two reasons:

• The SREN law provisions concerning changing cloud providers anticipates the application of the Data Act.
• Documentation issued as part of the legislative process refers to cloud providers including SaaS providers.

The SREN law contains restrictions and obligations to help a customer switch service providers. Those restrictions and obligations mirror those in the Data Act. In particular, the SREN law provides for mandatory contractual terms in agreements with customers and technical obligations (for example, the obligation to assist customers achieve functional equivalence when switching providers). 

Importantly, the SREN law also contains provisions that go beyond the Data Act to prohibit service providers from using open-ended cloud credits. It also regulates conditional sales and pricing practices when the provider offers services covering infrastructural elements and its software through those services.

The SREN law provisions concerning cloud providers took effect on 21 May 2024 (before the Data Act starts applying, on 12 September 2025). They apply to companies doing business in France.

2. The law expands the territorial scope of the French Data Protection Act of 1978.

The French Data Protection Act of 1978 supplements the GDPR in France. It applies to:

• Data controllers or data processors established in France.
• Data processing carried out by a data controller or data processor established outside the EU if the processing relates to supplying goods or services to people in France or to monitoring of the behavior of people in France.

The SREN law provides that matching personal data to an individual’s online activity shall be considered monitoring of data subjects’ behavior.

The law therefore extends the territorial scope of the French Data Protection Act of 1978. It now encompasses data controllers or processors established outside the EU that do not provide goods or services to people in France but match personal data of people in France.

3. New rules will adapt French law to the DSA.

The SREN law implements measures that online platforms subject to the DSA will need to consider related to making their services available in France.

Ban/suspension measures of users posting illegal content

• The SREN law provides for additional enforcement measures for categories of content that are illegal in France, such as deep fakes (including sexual deep fakes) and content involving cyberbullying, hate speech and serious offenses like child sexual abuse material and pimping.
• The law also provides for enforcement measures for these categories of content. Courts will be able to ban offenders from an online service for a defined period; an online service that does not comply will face financial sanctions.
• Specific enforcement measures and sanctions apply to child sexual abuse material – hosting service providers will have to withdraw that content within 24 hours of notice. from authorities. They also may face financial sanctions.

Sanctions imposed on marketplaces: Marketplaces that fail to meet transparency and trader traceability obligations under the DSA can be fined under the French Criminal Code.

Designation of competent authorities under the DSA: The Regulatory Authority for Audiovisual and Digital Communication (ARCOM) is designated as the digital services coordinator. That means that it oversees the coordination between the France’s consumer protection authority, the DGCCRF, and the country’s consumer protection authority, CNIL.

• The DGCCRF is in charge of monitoring the compliance of marketplace providers with their obligations.
• The CNIL will monitor the compliance of online platforms with the limitations on advertisement based on profiling of minors and profiling using special categories of personal data.

4. The Regulatory Authority for Audiovisual and Digital Communications has new powers.

The SREN law gives ARCOM new powers in relation to disinformation and content involving acts of torture and barbarism, including the power to order to remove of content.

The SREN law also introduces new age verification rules for websites and apps that permit access to pornography. ARCOM launched a public consultation on a draft guidance for age verification systems in April. It is expected to issue final guidance by mid-July.

Additionally, authorities have adopted an expedited procedure that empowers ARCOM to obtain website/app download blocking orders with a formal notice. This measure is directed at internet service for non-compliance with a formal notice from ARCOM.

5. The SREN law regulates online games that include digital monetizable tokens for a three-year experimental period.

The law defines these games as those offered via an online public communication service that enable players who have made a financial sacrifice to obtain monetizable digital objects, based on a mechanism that relies on chance, to the exclusion of monetary gain.

Operators proposing this type of games will need to declare their offer to the French gaming authority (ANJ), verify the age of players, implement measures against gaming addiction and retain players’ data to identify fraud, money laundering activities and the financing of terrorism.

Digital tokens may not be transferred for consideration, directly or indirectly via any natural or legal person, either to the games company that issued them or to any affiliated person. (The French Constitutional Court is examining provisions related to these games after legal challenges.)