On December 22, 2025, the French data protection authority CNIL fined the software company NEXPUBLICA FRANCE €1.7 million. The company develops PCRM, a management system used by French social services, including offices that handle disability cases.
In November 2022, several customers reported a data breach: users of the portal could access documents belonging to other users. CNIL found that NEXPUBLICA had conducted both internal and external security audits before the breach. The vulnerabilities were documented in those audits, but the company had not corrected them.
What makes the case notable is not that there were security vulnerabilities, but that the vendor knew about them and left them unfixed. CNIL also emphasized that the company lacked basic knowledge of security principles, and that the leaked data was particularly sensitive because it revealed disabilities.
Practical point: Ask your software vendors whether they conduct regular security audits, and whether the findings are actually followed up on. An audit report on its own is not evidence of security; ask which findings were closed, and when.

Data Processing Agreement

Your contract should oblige the supplier to inform you of known vulnerabilities. You are the data controller, but the supplier's neglect becomes your risk.
Inspired by: CNIL