
CNIL publication on its website – April 30, 2025

The year 2024 saw a record number of personal data breaches, sometimes involving millions of people. In many cases, these incidents highlighted basic but recurring technical shortcomings: compromised passwords, lack of active monitoring, insufficiently scaled security measures. This worrying finding has led the French data protection authority (the “CNIL”) to publish a communication dedicated to the security of large databases. This publication is part of the CNIL’s 2025-2028 strategic plan, which places cybersecurity at the heart of its operational priorities.

The CNIL uses the expression “large databases” to designate systems that process personal data relating to “several million people.” This includes “customer” databases and CRM (customer relationship management) software. According to the authority, large databases present increased risk because of their sheer size: a single vulnerability can affect entire segments of the population and facilitate cascading attacks (for example, the reuse of exfiltrated data in subsequent phishing campaigns). The existing legal framework already requires security measures proportionate to the risks (Articles 5(1)(f) and 32 of the GDPR), but the CNIL deems it necessary to clarify the additional expectations applicable to these environments. These requirements complement existing security frameworks (the CNIL’s guides, ANSSI’s priority measures) and must be implemented in conjunction with the principles of data minimization and privacy by design.

The CNIL identifies four security measures that, in its view, should in principle be implemented whenever a processing operation involves a large database:

  1. Enforce multi-factor authentication for external access

A significant portion of the breaches notified in 2024 were enabled by the compromise of legitimate accounts, often via phishing attacks or reused passwords. To mitigate this risk, the CNIL considers that external access to any system containing personal data on the scale of several million records must rely on multi-factor authentication (MFA). This is undeniably the core measure of the publication. The CNIL emphasizes MFA beyond just large databases, reminding that this mechanism is also a key requirement for other types of processing, notably in the banking sector or when handling sensitive data.

To implement MFA, organizations are invited to refer to the CNIL’s recent recommendation on the subject. In this text, the authority details the conditions under which this form of authentication can be deployed in compliance with the GDPR. Highlights of this recommendation include:

  • The CNIL’s preference for MFA systems combining a knowledge factor (e.g. a password) and a possession factor (e.g. USB security key, OTP token, enrolled phone); the use of biometrics (e.g. fingerprint, facial recognition) should be reserved for very specific cases.
  • The need to collect only strictly necessary data, favoring the least intrusive methods and avoiding any superfluous additional data collection. The CNIL provides several examples of mechanisms relying on purely local processing, which in some cases may fall under the “household” processing exception, not subject to the GDPR.
  • The importance of secure administration and management of the MFA solution itself.
  • The requirement to define the retention periods and modalities for data related to the MFA solution – the CNIL referring in part to its specific recommendations on passwords and biometrics.
  • The necessity of carrying out prior risk analyses to assess the above points and others, such as the risk of user fatigue from overly frequent MFA prompts, which could lead users to unwittingly accept fraudulent requests.

  2. Limit data exfiltration opportunities

Systems must be designed to detect and hinder large-scale data copying. The CNIL specifically recommends technically controlling export functions, capping the volume that can be downloaded per query or per session, and defining alert thresholds for suspicious extraction behavior. Logging of access and extraction events should support both real-time monitoring and effective post-incident analysis.
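The measures in the previous paragraph can be combined in a single control point that every export request passes through. The following is an added illustration, not code or policy from the CNIL publication: it enforces a hard per-query cap and a hard per-session cap, raises a single alert when a session's cumulative exports cross a softer threshold, and replays constructed access-log lines to show what the resulting monitoring record looks like. The log format, the session/user names and all three numeric limits are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Policy values are assumptions for illustration, not figures from the CNIL text.
MAX_ROWS_PER_QUERY = 5_000        # hard cap on a single export request
MAX_ROWS_PER_SESSION = 20_000     # hard cap on cumulative rows per session
ALERT_ROWS_PER_SESSION = 10_000   # soft threshold: allow, but raise an alert

# Assumed log line format (constructed for this example):
# 2025-04-30T10:00:01Z session=s1 user=alice action=export rows=4000
LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)


@dataclass
class SessionState:
    user: str
    exported: int = 0       # rows actually released to this session
    blocked: int = 0        # export requests refused by a hard cap
    alerted: bool = False   # an alert has already been raised for this session


class ExportGuard:
    """Enforces per-query and per-session export caps and records alerts."""

    def __init__(self):
        self.sessions = {}   # session id -> SessionState
        self.alerts = []     # (timestamp, session, user, cumulative rows)

    def request_export(self, ts, session, user, rows):
        """Returns (allowed, reason). Hard caps refuse; the soft threshold alerts."""
        state = self.sessions.setdefault(session, SessionState(user))
        if rows > MAX_ROWS_PER_QUERY:
            state.blocked += 1
            return False, "per-query cap"
        if state.exported + rows > MAX_ROWS_PER_SESSION:
            state.blocked += 1
            return False, "per-session cap"
        state.exported += rows
        # Alert once per session when cumulative volume crosses the soft threshold.
        if state.exported > ALERT_ROWS_PER_SESSION and not state.alerted:
            state.alerted = True
            self.alerts.append((ts, session, user, state.exported))
        return True, None


def replay_log(log_text):
    """Replays export events from an access log and returns the guard state."""
    guard = ExportGuard()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != "export":
            continue   # ignore malformed lines and non-export events (e.g. login)
        guard.request_export(m["ts"], m["session"], m["user"], int(m["rows"]))
    return guard


# Constructed sample log: one session creeping up in many mid-sized pulls,
# one oversized single query, and one ordinary small export.
SAMPLE_LOG = """\
2025-04-30T09:59:58Z session=s1 user=alice action=login rows=0
2025-04-30T10:00:01Z session=s1 user=alice action=export rows=4000
2025-04-30T10:00:09Z session=s1 user=alice action=export rows=4500
2025-04-30T10:00:15Z session=s1 user=alice action=export rows=4900
2025-04-30T10:00:22Z session=s1 user=alice action=export rows=4900
2025-04-30T10:00:30Z session=s1 user=alice action=export rows=4900
2025-04-30T10:00:35Z session=s2 user=bob action=export rows=8000
2025-04-30T10:00:40Z session=s3 user=carol action=export rows=200
"""

if __name__ == "__main__":
    guard = replay_log(SAMPLE_LOG)
    for sid, st in guard.sessions.items():
        print(f"{sid} user={st.user} exported={st.exported} blocked={st.blocked}")
    for alert in guard.alerts:
        print("ALERT", alert)
```

Two design points matter for the CNIL's purpose. The soft threshold is deliberately below the hard per-session cap, so that the monitoring team sees a session that is accumulating rows before the cap finally refuses it; and the soft threshold fires once per session rather than on every request, which limits the alert noise that would otherwise train analysts to ignore it. In a real deployment the same cap logic would also have to cover bulk APIs, reporting tools and database replicas, since an attacker who cannot export from the application will try the next path.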

  3. Involve the users

Data security also depends on user behavior. The CNIL recommends establishing regular awareness programs tailored to user profiles (employees, developers, executives, subcontractors) to prevent the most common errors: account sharing, clicking on fraudulent links, and installing malicious software. These activities must be documented, assessed, and integrated into security governance. Their absence or purely formal implementation may be considered a failure to meet security obligations.

  4. Rigorously supervise relations with processors

The CNIL has recently published real-world incident examples showing that unauthorized access to databases often occurs through subcontractors. In this context, very large volumes of data entrusted to service providers, notably in cloud environments, must be subject to enhanced controls. The CNIL expects the data controller to obtain from the processor its information security policy (ISMS documentation) and evidence of certifications, and to schedule regular audits throughout the contractual relationship. The entire subcontracting chain, including sub-processors further downstream, must be covered.

The CNIL indicates that these requirements will be subject to specific investigations starting in 2025. It specifies that the expected security measures must be adapted to the technical architecture and documented so as to allow their evaluation during inspections. Regarding multi-factor authentication, the CNIL acknowledges that its implementation involves significant costs and resources and plans to focus its audits on this point starting in 2026.

It should be emphasized that the CNIL did not present its publication as a mere collection of “best practices” or a new “recommendation”, but rather as a set of “directives.” This choice of terminology reflects the prescriptive nature of the measures laid out, which the authority considers mandatory for processing operations involving large databases. Their absence may, where applicable, constitute a breach warranting sanctions – a position that the CNIL already clearly articulates regarding multi-factor authentication.
