The EU AI Act is a European regulation - it applies directly in all Member States without national transposition. But its concrete implementation is national: supervisory authorities, regulatory sandboxes, business support. In France, the framework is taking shape. Here is what French SMEs need to know.
France and AI: A Favourable Context but Compliance Lagging Behind
France is one of the most advanced European countries in AI. Paris concentrates a significant share of European AI startups, and the government has invested heavily in the sector. Mistral AI, one of the global players in generative AI, is French.
Yet, as elsewhere in Europe, the vast majority of French SMEs have not yet started their EU AI Act compliance. The urgency is real: fewer than 126 days remain before the 2 August 2026 deadline.
Which Authority Supervises the EU AI Act in France?
The regulation requires each Member State to designate one or more national competent authorities. In France, several institutions are involved.
The CNIL, at the Forefront
The Commission Nationale de l'Informatique et des Libertés (CNIL) is the most directly concerned authority. Already the GDPR supervisory authority, it is set to play a central role in overseeing AI systems that process personal data - which covers the vast majority of practical cases.
The CNIL published several practical guides on AI and data protection as early as 2024, and actively supports businesses in understanding their obligations.
The Competition Authority and Sectoral Regulators
For AI systems in regulated sectors (finance, health, transport), existing sectoral regulators (AMF, ACPR, HAS...) coordinate with AI authorities. The EU AI Act provides for this articulation with existing sectoral regulation.
The formal designation of French competent authorities is expected before 2 August 2026, in line with the regulation's requirements.
The French Regulatory Sandbox: Supervised Experimentation
Article 57 of the EU AI Act requires each Member State to set up at least one AI regulatory sandbox before 2 August 2026. In France, the CNIL is leading the implementation of this framework. It already has experience with sandboxes in the personal data field, and is now extending this approach to AI.
For French SMEs developing innovative AI systems, the sandbox is an opportunity: test, adjust, and obtain regulatory validation before risking a non-compliant market launch.
What the EU AI Act Concretely Changes for a French SME
If You Use AI in Your Tools (Deployer)
Most French SMEs are in this situation: they use SaaS tools integrating AI (Salesforce, HubSpot, HR tools, content generation tools...) without having developed them.
Your main obligations from 2 August 2026:
| Obligation | Applies to | Deadline |
|---|---|---|
| Inform users they are interacting with AI | Any AI tool in contact with users | 2 August 2026 |
| Human oversight of automated decisions | High-risk systems | 2 December 2027 (if Omnibus adopted) |
| Keeping usage logs | High-risk systems | 2 December 2027 (if Omnibus adopted) |
| Training your teams on AI (AI literacy) | All | 2 August 2026 |
If You Develop AI Tools (Provider)
If you have developed a SaaS application integrating AI, you are a provider under the regulation. The obligations are heavier: technical documentation (Annex IV), conformity assessment, registration in the EU database, CE marking for certain systems.
French SMEs and the GDPR: A Solid Foundation
An often underestimated advantage for French SMEs: those that have seriously implemented the GDPR since 2018 already have part of the foundations needed for AI Act compliance.
Processing records, activity registers, impact assessments, DPO designation... These elements can be directly reused in an AI Act compliance approach. If you have solid GDPR foundations, you have a head start.
Penalties: What a Non-Compliant French SME Risks
The EU AI Act provides for significant fines, applied by national authorities:
- Up to 7% of global turnover for prohibited practices
- Up to 3% of global turnover for non-compliance of high-risk systems
- Up to 1.5% of global turnover for inaccurate information provided to authorities
For SMEs, the regulation explicitly provides for proportionate application (Article 62). Authorities will take into account the size, resources, and whether the violation was intentional. But total exemption does not exist - and ignorance of the regulation is not a grounds for exoneration.
Where to Start for a French SME
Step 1 - Inventory your AI systems (30 minutes)
List all tools integrating AI in your organisation: HR tools, CRM, chatbot, content generation tools, customer scoring... The question to ask yourself: "Does this tool make or influence decisions?"
Step 2 - Classify your risk level (5 minutes)
Use AiCompliBot to find out whether your systems fall into regulated categories. The diagnosis is free and gives you an immediate result with your priority obligations.
Step 3 - Prioritise 2 August 2026 obligations
Article 50 transparency and AI literacy training are the two firm obligations, whatever the outcome of the Digital Omnibus. Start there.
French SME, not sure where to start? The AiCompliBot diagnosis identifies your obligations in 5 minutes - free, no jargon.