DDADUE Article 32: ANFR to be designated as France's CRA authority
The DDADUE bill, adopted by the Senate under accelerated procedure, formally designates ANFR as France's market surveillance authority for the CRA. Article 32 inserts a new I quinquies into Article L.43 of the CPCE, sets out the mise en demeure → fine sequence, and codifies the three CRA sanction tiers (up to €15M or 2.5% of worldwide turnover). Two points deserve particular attention: trade secrets are not opposable to ANFR in CRA investigations, and the entry into force is split, ANFR mission on 11 September 2026, sanctions regime on 11 December 2027.
What the CRA left open and what DDADUE closes
Regulation (EU) 2024/2847 (the Cyber Resilience Act) designates market surveillance authorities at European level but leaves member states to set their national implementation: who is the competent authority, what are its specific investigative powers under domestic law, and what is the administrative procedure for imposing sanctions. In France, this transposition goes through the DDADUE bill (projet de loi portant diverses dispositions d'adaptation au droit de l'Union européenne), whose Article 32 amends Article L.43 of the Code des postes et des communications électroniques (CPCE).
The Senate adopted this text under accelerated procedure. The entry into force is split by Article 32 itself: paragraph I (the assignment of mission to ANFR) takes effect on 11 September 2026, the date on which the Article 14 CRA notification obligation becomes applicable. Paragraph II (the administrative sanctions regime) takes effect on 11 December 2027, the date of full CRA application.
For manufacturers who had already factored ANFR into their risk analysis from the time CRA was published, this article contains no surprises. For those who had not yet determined which administrative counterparty would handle their CRA files, it provides a definitive answer.
ANFR's designation and the trade-secret non-opposability clause
Article 32 inserts a new I quinquies into Article L.43 of the CPCE. The first paragraph is brief and direct: ANFR "ensures compliance monitoring of Regulation (EU) 2024/2847." The second paragraph deserves the closest attention from legal teams and compliance officers.
It provides that ANFR "may exchange with the competent state services information, documents and data, to the strict extent necessary for the performance of its mission, without trade secrecy being opposable to the agency or to those state services."
In the context of a CRA investigation, a manufacturer cannot refuse to produce technical drawings, internal test reports, or vulnerability analyses on the grounds that they constitute commercially sensitive information. ANFR may also transmit these elements to ANSSI or other state services within the limits necessary for its mission. This point is frequently underweighted in compliance plans: preparing a CRA file includes inventorying which documents the company would be required to produce on demand.
The sanctions procedure: notice to comply, adversarial process, fine, forced publication
The new II ter of Article L.43 of the CPCE describes the procedural sequence. It runs in three stages.
First, the mise en demeure (notice to comply): when ANFR finds a breach, it may, following an adversarial process, order the responsible party to come into compliance within a timeframe it sets. The notice to comply is a mandatory prerequisite to any sanction: ANFR cannot impose a fine without first issuing such a notice.
Second, if the notice is not complied with within the set timeframe, ANFR may impose an administrative fine. Before any decision, the manufacturer is notified in writing of the contemplated sanction. It may access the case file, be assisted by counsel of its choice, and has a period — which may not be less than one month — to submit written observations and, if applicable, oral observations. This one-month floor is a statutory minimum, more protective than the wording of the II bis applicable to radio equipment, which had left this period to be set by decree.
The three sanction tiers codified in French law
Article 32 of the DDADUE directly transposes the ceilings of CRA Article 57 into domestic law. Three tiers are defined:
- Failure to meet the essential cybersecurity requirements (CRA Annex I) and the manufacturer obligations under Articles 13 and 14 (conformity assessment, technical documentation, notification of vulnerabilities and incidents): fine not exceeding €15 million or, for a company, 2.5% of its total annual worldwide turnover, whichever is higher;
- Failure to meet process obligations: vulnerability management, incident notification, cooperation with authorities, obligations of importers and distributors (Articles 18 to 23, 28, 30 to 33 paragraphs 1 to 4, 33 paragraph 5 and 53): fine not exceeding €10 million or 2% of worldwide turnover;
- Inaccurate, incomplete or misleading information provided to notified bodies or market surveillance authorities: fine not exceeding €5 million or 1% of worldwide turnover.
These ceilings are identical to the CRA's. The contrast with the previous regime applicable to radio equipment under the RED directive is stark: RED ceilings stood at €1,500 for a natural person and €7,500 for a legal entity. This ratio of 1 to 2,000 between the two regimes is a structural change in the regulatory risk calculus for manufacturers of connected radio products.
The text also specifies cumulation rules: where multiple concurrent breaches give rise to multiple sanctions whose total would exceed €15 million or 2.5% of turnover, the fines are executed cumulatively up to the highest applicable statutory ceiling.
What remains pending
Two elements of the framework are not yet finalised at the time the DDADUE is adopted by the Senate.
A decree in the Conseil d'État must specify the implementing arrangements of the II ter. This decree will cover, among other things, fine recovery conditions (currently set to follow the rules applicable to claims other than tax and state-domain debts) and potentially additional procedural elements.
In addition, ANFR's specific investigative powers for CRA matters (access to premises, document requests, seizure under judicial authorisation) take effect on a separate date set by another adaptation statute (the date retained in parliamentary proceedings is 11 June 2026). These investigative powers are those defined in Article L.43 II of the CPCE, identical to those used for RED controls.
What this article changes for risk models
For compliance teams and counsel advising connected radio product manufacturers, Article 32 of the DDADUE ends uncertainty about the CRA control architecture in France. ANFR is the sole authority. DGCCRF has no CRA mandate: a manufacturer that had included DGCCRF as a potential CRA authority must correct that analysis.
For acquisition due diligence, this text creates a precise risk reference: the obligations of Annex I and Articles 13 and 14 of the CRA, if unmet, expose manufacturers to sanctions that, for an SME with €50 million in worldwide turnover, can reach €1.25 million. For an industrial group with €1 billion in worldwide turnover, the applicable theoretical ceiling is €25 million. These amounts are those ANFR can impose by administrative decision, without prior judicial proceedings.
The full article on ANFR's method and the CRA enforcement logic is available here: CRA market surveillance: the ANFR perspective.
Back to blog
