France's digital regulatory environment shifted in a material way at the start of 2025. The full application of the EU Digital Services Act, combined with France-specific implementing measures, places new obligations on technology companies operating in or targeting French users. Companies that fail to act before the compliance window closes risk enforcement orders, financial penalties, and suspension of access to French markets.
Digital services regulation in France now operates under a dual layer: EU-level rules applied directly by French authorities. Additionally. National implementing legislation enforced by the Autorité de régulation de la communication audiovisuelle et numérique (ARCOM), France's digital regulatory authority. Obligations vary by company size and service type, with the most demanding requirements applying to platforms exceeding defined user thresholds. Companies outside France that direct services at French users are treated as subject to French jurisdiction for enforcement purposes.
This alert identifies the regulatory changes now in force, the business categories affected, the applicable thresholds, the compliance deadline, and the immediate steps international technology companies should take.
What has changed and when it took effect
The EU Digital Services Act entered full application in early 2024 for all in-scope providers. French national measures implementing and supplementing that regulation took effect progressively through 2024 and into 2025. The result is a consolidated set of requirements that French authorities now actively enforce.
Several specific changes are worth noting. ARCOM has assumed the role of Digital Services Coordinator for France. It holds investigative powers, can issue binding compliance orders, and may refer matters to the European Commission for cross-border action. The French legislature has also updated the Code de commerce (French Commercial Code) and related digital economy legislation to align national software liability and platform accountability rules with EU standards.
Algorithmic accountability obligations have been strengthened. Platforms using automated systems to rank, recommend, or restrict content must now document how those systems operate. They must provide users with at least one option that is not based on profiling. AI Act compliance is relevant here: systems that meet the definition of high-risk AI under EU AI regulation are subject to additional conformity requirements before deployment on the French market.
Technology licensing arrangements involving French SARL (société à responsabilité limitée, equivalent to a limited liability company) or SAS (société par actions simplifiée. A simplified joint-stock company) entities must now reflect updated digital services obligations in their contractual structures. Contracts that allocate liability for content moderation failures, algorithmic outputs, or data handling need to be reviewed against the new standards.
French courts – including the Cour de cassation (the highest civil and commercial court in France) – have begun receiving cases that apply these updated standards. Practitioners note that enforcement is no longer theoretical. A huissier de justice (a court-appointed bailiff in French civil procedure) may now be instructed to execute compliance orders against non-conforming providers, including those with no physical presence in France.
For a detailed overview of ongoing compliance obligations for technology companies in France, see our AI and technology law services in France.
Which companies are affected and what thresholds apply
The new obligations apply across a broad spectrum of digital service providers. The key categories are as follows.
- Online intermediaries and hosting services with users in France, regardless of where the provider is established
- Online platforms connecting buyers and sellers, including marketplaces, app stores, and social media services
- Very large online platforms (VLOPs) and very large online search engines (VLOSEs) that exceed the threshold of 45 million average monthly active users in the EU
- Providers using high-risk AI systems as defined under EU AI regulation, where those systems are deployed to serve French users
- Digital services businesses structured through French SARL or SAS entities that handle user-generated content or operate recommendation systems
Companies below the VLOP threshold are not exempt. They face a lighter set of obligations but must still maintain complaint-handling mechanisms, publish transparency reports, and designate a legal representative in the EU if they have no establishment in a member state.
The threshold for VLOP designation is assessed on a rolling basis. A company that crosses the user threshold during a reporting period may become subject to the full VLOP regime within months. This creates a planning risk for fast-growing platforms. Many underestimate how quickly the designation can be triggered.
Software liability is a related concern. Providers of software embedded in digital services. including AI-generated outputs and automated decision tools. face increasing scrutiny under both the Digital Services Act and evolving French jurisprudence on product and service liability for digital goods.
Companies with intellectual property portfolios in France should also review how their technology licensing agreements address the new compliance requirements. Failure to align licensing terms with the updated regulatory regime can expose both licensor and licensee to liability. For related considerations, see our intellectual property law services in France.
To receive an expert assessment of your company's exposure under France's digital services rules, contact us at info@ferrazwhitmore.com.
Immediate actions for international technology companies
The compliance deadline for companies that have not yet completed a gap analysis is now. French authorities have signalled that enforcement will escalate through 2025 and 2026. Acting without a clear plan risks both regulatory penalties and reputational harm in a market where digital services are a priority for enforcement.
Five immediate actions are recommended.
- Conduct a service classification review. Determine which category of digital service your business provides and whether you meet the VLOP threshold. This assessment drives the full scope of your obligations.
- Appoint an EU legal representative. If your company has no establishment in an EU member state, you must designate a representative for regulatory contact. Failure to do so is itself a compliance violation.
- Audit your algorithmic systems. Document how recommendation, ranking, and content moderation systems operate. Prepare the transparency disclosure required under the Digital Services Act and assess whether any system qualifies as high-risk under AI Act compliance rules.
- Review and update contracts. Technology licensing agreements, terms of service, and data processing arrangements entered into with French SARL or SAS entities should be reviewed for consistency with the new software liability and algorithmic accountability standards.
- Establish an internal complaint-handling mechanism. The regulation requires platforms to provide users with accessible, effective mechanisms to challenge content decisions. This must be operational, not merely documented.
For companies that have already taken preliminary steps, a second-tier review is advisable. The implementing measures in France include procedural requirements that go beyond the EU-level text. A review by a lawyer in France with experience in digital regulation can identify gaps that an internal review may overlook.
The risk of inaction is not abstract. Companies that received informal notices from ARCOM in 2024 and did not respond have already faced formal proceedings. The window to address compliance proactively is narrow. Enforcement timelines in France can move quickly once a formal investigation is opened.
For further context on how similar obligations apply in other EU jurisdictions, see our alert on digital services regulation in Portugal.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising technology companies, institutional investors, and international business clients across 46 jurisdictions. Our AI and technology law practice covers digital services regulation, AI Act compliance, algorithmic accountability, and software liability across EU and non-EU markets. As a law firm in France matters context, we work with international clients who need a clear regulatory picture before French enforcement reaches them. Our team combines Portuguese civil law expertise with English common law tradition – a dual perspective that is directly relevant when EU-level rules interact with national implementing measures. To discuss how France's digital services regulation applies to your business, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.