Under the "Act aiming to preserve the interests of defence and national security in the framework of exploiting mobile radioelectric networks", any components used to connect consumers with mobile telecommunications networks are subject to prior approval by the Prime Minister, whose decision is based on the permanence, integrity, security and the availability of networks, as well as the confidentiality of the messages transmitted. Fourth-generation networks and older generations are exempted.

Under the Certification framework for cloud service providers, only providers who are certified under the SecNumCloud standard have access to public procurement tenders for cloud services. The SecNumCloud standard requires providers to use root certificates emitted by the certification authority of an EU Member State in the presence of the provider.

According to Art. 45-3 of the Postal and electronic communications code, ".fr" domains can only be registered by physical persons residing in the territory of an EU member state or legal persons established there.

According to Art. 289A of the General Taxation Code, a person not established in the European Union who is liable for the value-added tax or must fulfil reporting obligations is required to have a taxable representative established in France accredited to the tax office.

The Consumer Rights Directive 2011/83/EU provides an updated framework aimed at encouraging online sales. The Directive has been implemented by Law no. 2004-575 of June 21, 2004 on confidence in the digital economy.

The European Union General Data Protection Regulation (GDPR) provides a comprehensive framework for data protection that applies to all EU Member States. The Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties was amended in June 2018 to implement the GDPR.

Under the EU Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws that implemented the Directive have been overturned.
France implemented the Directive with Decree No. 2006-358, Relating to the conservation of electronic communication data. In 2021, the Conseil d'Etat upheld the law despite the CJEU ruling, arguing that it remained compatible as it was necessary to safeguard national security.

Under Art. L34-1 of the Postal and Electronic Communications Code, telecommunication service providers have to keep personal data like the name and address of consumers for simple law enforcement purposes, as well as users' payment information and other information. For the purpose of fighting grave crime, as well as national security and public security threats, providers can be obliged to keep data on the source and destination of communications as well as data on the devices used. In cases where there is a grave threat to national security, currently or in the immediate future, the Prime Minister can enjoin providers to keep other data, including location data.

According to Art. L851-1 of the Internal Security Code, the Prime Minister can authorise the collection of connection data and other technical data for law enforcement purposes without a court order. Furthermore, under Art. L851-2, in exceptional cases, real-time online surveillance of individuals connected to a terror suspect can be authorised. The maximum number of authorisations for this is determined by the Prime Minister.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
The E-Commerce Directive was transposed into French law by Law No. 2004-575 of 21 June 2004. According to this law, the hosting provider is liable for the stored contents only if (i) he was actually aware of the illicit character of the content or if (ii) he did not delete the illicit content or did not forbid access to such content promptly after becoming aware of its illicit character.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
The E-Commerce Directive was transposed into French law by Law No. 2004-575 of 21 June 2004. According to this law, the hosting provider is liable for the stored contents only if (i) he was actually aware of the illicit character of the content or if (ii) he did not delete the illicit content or did not forbid access to such content promptly after becoming aware of its illicit character.

It is reported that France imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card or a passport in case of foreigners to activate a new prepaid SIM card.

Under Art. 11 of the Act related to the fight against the manipulation of information, platform operators have to implement measures to fight against the spread of false information that may disrupt public order or affect general elections. To this end, they have to provide a complaint mechanism and are invited to establish complementary voluntary measures such as blocking accounts that massively spread disinformation and increasing transparency over their algorithms and the sources of information.

According to Art. L851-3, telecommunication providers can be required to automatically analyse connection data in their networks to detect terrorist threats.

In May 2024, during a state of emergency, French authorities imposed a temporary suspension of TikTok in New Caledonia, citing risks to public order amid civil unrest. The measure, implemented from 15 to 29 May, was carried out via the territory’s sole internet provider and marked the first instance of France blocking access to a social media platform. The action raised significant concerns regarding compliance with legal standards of necessity and proportionality, particularly given the absence of judicial oversight or formal regulatory procedure.