Clifford Chance

Talking Tech

Insurance is not a safety net for administrative sanctions

French authority decision reshapes data protection and cybersecurity risk management

Data Privacy | Cyber Security | 31 March 2025

The French Prudential Supervision and Resolution Authority (ACPR) clarified that administrative financial penalties are uninsurable under French law, significantly impacting how organizations manage compliance risks, especially in data protection and cybersecurity. This decision compels businesses operating in France to reinforce internal compliance frameworks, clearly distinguishing between insurable operational losses and uninsurable regulatory fines.

On 18 March 2025, the ACPR issued a significant clarification, confirming that financial penalties imposed by administrative authorities are uninsurable under French law. This authoritative position, premised on preserving public order, warns that clauses in insurance contracts purporting to cover such penalties risk being declared null and void by French courts.

While the ACPR's jurisdiction primarily concerns financial services, its announcement notably employs cross-sectoral language, suggesting broad applicability. Its implications therefore extend beyond finance to regulatory penalties in other sectors, including data protection and cybersecurity.

Public order and individual responsibility as legal foundations

The ACPR bases its stance on two key principles: safeguarding public order and upholding individual responsibility.

Firstly, the regulator recalls the well-established French legal principle that contracts cannot derogate from rules pertaining to public order. Public order limitations bind contractual parties, irrespective of their awareness, and any contractual breach of such imperative norms is subject to nullification. This highlights substantial legal risks for insurers and insured companies attempting to transfer the burden of administrative penalties.

Secondly, the ACPR references the constitutional principle of individual responsibility inherent to criminal sanctions, extending its applicability to administrative penalties. According to French jurisprudence, notably an advisory opinion of the Conseil d'État (2007), administrative sanctions, due to their punitive and deterrent nature, must be personally borne by the offending entity. Allowing insurers to cover these penalties would negate their intended preventive effect, directly undermining the principle of personal accountability for the relevant organisation and public policy objectives.

Historical debate and jurisprudential background

Historically, French jurisprudence and legal doctrine have debated the insurability of administrative penalties, partly because of uncertainty over whether they should be classified as penal measures. A key ruling often referenced in this context is the Cour de cassation's judgment of 14 June 2012 (the "Marionnaud case"), which excluded coverage of an administrative penalty on the ground of intentional misconduct (faute intentionnelle) under article L.113-1 of the French insurance code. That decision did not, however, explicitly address the broader public order issue, leaving uncertainty as to the insurability of penalties resulting from negligent, non-intentional regulatory violations.

In the absence of a definitive judgment by the highest courts explicitly addressing public order grounds, the ACPR's position decisively fills this interpretative gap. This regulatory clarification now strongly supports the view that all administrative penalties, regardless of the intent involved, fall within the ambit of uninsurable risks under French law.

Implications for data protection and cybersecurity

The ACPR’s statement carries considerable implications for data protection and cybersecurity, areas prone to significant administrative fines under European and French laws. For instance, GDPR violations enforced by France's data protection authority (CNIL) carry penalties up to €20 million or 4% of annual worldwide turnover. Similarly, the ongoing transposition of the NIS 2 directive into French law imposes penalties up to €10 million or 2% of worldwide turnover for cybersecurity breaches.

Before this clarification, certain insurers offered policies implicitly covering administrative fines arising from unintentional breaches, particularly in data privacy. With the ACPR’s explicit stance, such coverages become legally precarious, compelling insurers to reconsider policy formulations and risk disclosures. Corporate risk managers and legal advisors must now clearly separate insurable operational losses from explicitly uninsurable administrative fines when structuring insurance portfolios.

Intersection with cyberattack insurance under the LOPMI law

This ACPR announcement coincides with another recent legislative development, the January 2023 LOPMI law, which explicitly permits insurability of losses from cyberattacks, provided that victims file a police complaint within 72 hours of detection. While this law encourages prompt reporting and cooperation with authorities, it notably maintains silence on the insurability of resulting administrative penalties.

In practice, companies facing cyber incidents may confront two risks at once: insurable operational losses (subject to prompt reporting) and non-insurable administrative penalties for regulatory non-compliance, particularly data protection breaches. The ACPR's clear stance highlights the essential role of compliance and proactive risk management. Companies must integrate rapid notification procedures into their crisis management protocols to preserve insurance eligibility, while reinforcing internal controls to mitigate the risk of substantial, uninsured penalties.

Conclusion

Although the ACPR’s declaration does not constitute a legally binding rule, its authoritative interpretation significantly influences legal and market practices in France. By definitively reinforcing public policy principles against the insurability of administrative sanctions, the regulator resolves longstanding uncertainties and reshapes risk management practices. Legislators or courts may further solidify this stance in the future, but the immediate impact is clear: corporate compliance programs must be robust, proactive, and uncompromising, recognizing that penalties for regulatory violations will inevitably remain an uninsurable risk under French law.