CNIL Imposes €1.7 Million GDPR Fine on NEXPUBLICA FRANCE for Cybersecurity Failures
France’s data protection authority, known as CNIL, has levied a significant fine of €1.7 million against the software company NEXPUBLICA FRANCE. This financial penalty was announced on December 22, 2025, following an investigation into a major data breach associated with the company’s PCRM software, a tool widely utilized within the social services sector.
Details of the Data Breach
The investigation into NEXPUBLICA FRANCE traces back to November 2022. It was discovered that users of an online portal operated by the company could view documents belonging to other individuals, a serious lapse in data security. These documents included sensitive personal information, highlighting significant concerns regarding data protection and user access controls.
Upon realizing that personal data belonging to third parties was accessible through the portal, customers promptly alerted the CNIL. Given the nature of the information involved, this incident presented a substantial risk to individuals’ privacy rights, leading to a formal probe by the data protection authority.
PCRM Software and Its Sensitive Usage
NEXPUBLICA FRANCE, formerly known as INETUM SOFTWARE FRANCE, focuses on developing IT solutions and software. One of its flagship products, PCRM, serves as a relationship management tool specifically designed for social action services. This software is notably utilized by the Departmental Houses for the Disabled (MDPH) in multiple departments across France.
Given that PCRM handles highly sensitive personal data—including potentially life-altering information about disabilities—the CNIL emphasized the necessity for rigorous security measures. The extent of the GDPR fine reflects not only the sensitive nature of the exposed data but also the potential harm suffered by those affected.
Investigation Findings on Security Failures
The findings from the CNIL’s investigation revealed that the technical and organizational measures taken to protect PCRM were grossly inadequate. Among the issues identified were pervasive weaknesses in Nexpublica’s information systems and longstanding vulnerabilities that had remained unaddressed.
The CNIL noted that many of these security issues resulted from a lack of awareness regarding fundamental cybersecurity principles and contemporary best practices. Warning flags had been raised in both internal and external audit reports before the breach took place. However, Nexpublica failed to act on these warnings until after the data breach incidents were reported, which contributed significantly to the fine imposed.
Violation of GDPR Regulations
The CNIL determined that Nexpublica was in violation of Article 32 of the GDPR, which requires organizations to implement security measures appropriate to the level of risk posed. That assessment takes into account the state of the art, the costs of implementation, and the risks to individuals' rights and freedoms.
The restricted committee within the CNIL, which is responsible for sanctions, concluded that Nexpublica fell short of these obligations. This shortfall was aggravated by the company's role as a specialist in IT systems and software, which should have given it a clear understanding of its security responsibilities.
Factors Influencing the Fine Amount
When determining the €1.7 million GDPR fine, the CNIL considered several factors, including Nexpublica’s financial situation, the number of individuals affected, and the sensitive nature of the data handled through PCRM. The regulator also took into account that the company was aware of existing security issues prior to the breach but did not take corrective action until after the incidents were reported.
Although Nexpublica has since implemented the necessary changes to improve its security measures, the CNIL indicated that this could not offset the severity of the earlier failings. Because the critical fixes have already been incorporated into its systems, the CNIL did not issue a separate compliance order. The penalty nevertheless serves as a stern reminder to software providers handling sensitive public-sector data that security flaws must be addressed proactively, not reactively.