Under the EU Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws that implemented the Directive have been overturned.
France implemented the Directive with Decree No. 2006-358, Relating to the conservation of electronic communication data. In 2021, the Conseil d'Etat upheld the law despite the CJEU ruling, arguing that it remained compatible as it was necessary to safeguard national security.

Under Art. L34-1 of the Postal and Electronic Communications Code, telecommunication service providers have to keep personal data like the name and address of consumers for simple law enforcement purposes, as well as users' payment information and other information. For the purpose of fighting grave crime, as well as national security and public security threats, providers can be obliged to keep data on the source and destination of communications as well as data on the devices used. In cases where there is a grave threat to national security, currently or in the immediate future, the Prime Minister can enjoin providers to keep other data, including location data.

According to Art. L851-1 of the Internal Security Code, the Prime Minister can authorise the collection of connection data and other technical data for law enforcement purposes without a court order. Furthermore, under Art. L851-2, in exceptional cases, real-time online surveillance of individuals connected to a terror suspect can be authorised. The maximum number of authorisations for this is determined by the Prime Minister.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
The E-Commerce Directive was transposed into French law by Law No. 2004-575 of 21 June 2004. According to this law, the hosting provider is liable for the stored contents only if (i) he was actually aware of the illicit character of the content or if (ii) he did not delete the illicit content or did not forbid access to such content promptly after becoming aware of its illicit character.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbour. Not all Member States have transposed the relevant articles consistently, leading to divergent national case law that could cause legal insecurity on an EU level.
The E-Commerce Directive was transposed into French law by Law No. 2004-575 of 21 June 2004. According to this law, the hosting provider is liable for the stored contents only if (i) he was actually aware of the illicit character of the content or if (ii) he did not delete the illicit content or did not forbid access to such content promptly after becoming aware of its illicit character.

It is reported that France imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card or a passport in case of foreigners to activate a new prepaid SIM card.

Under Art. 11 of the Act related to the fight against the manipulation of information, platform operators have to implement measures to fight against the spread of false information that may disrupt public order or affect general elections. To this end, they have to provide a complaint mechanism and are invited to establish complementary voluntary measures such as blocking accounts that massively spread disinformation and increasing transparency over their algorithms and the sources of information.

It is reported that Certification framework for cloud service providers (SecNumCloud) “sovereignty requirements” disadvantage—and effectively preclude—foreign cloud firms from providing services to government agencies. The latest SecNumCloud guidance retains foreign ownership and board limits, which would effectively force foreign firms to set up a local joint venture to be certified under SecNumCloud as “trusted” and thus able to manage European data and digital services. These new provisions are in addition to their current use as a de facto discriminatory barrier, as France has not certified firms from other EU member states and from outside the EU.
Since 2016, only four companies, all French, have been certified (3DS Outscale (a subsidiary of Dassault Systemes), OVHcloud, Oodrive, and Worldline Cloud services). It is mandatory for public agencies to use SecNumCloud-certified services. Art. 19.6 of the SecNumCloud requires that cloud service providers be “immune to non-EU laws” established via corporate ownership structure limitations. Specifically, the law specifies that individual shareholders outside the EU cannot possess more than 25% of the company and collectively 39% of the value and voting rights of the company. They also cannot have veto rights, nor can they nominate a majority of members of boards. Together, all of these requirements essentially preclude the majority of foreign-owned and run cloud firms from SecNumCloud certification.

Under Section 19.6.a of the Certification framework for cloud service providers (SecNumCloud) requirements repository, the registered office, central administration or main establishment of the service provider must be established within a member state of the European Union.. France's Policy on the Security of Information Systems of the State states that if certificates are available, certified products or services are to be preferred, effectively putting non-EU providers at a disadvantage.

Art. 85 of the Utilities Directive (2014/25/EU) contains provisions allowing contracting public entities to reject foreign goods not covered by any EU international commitments from its tender procedures. In these cases, a tender submitted for the award of a supply contract may be rejected where the proportion of the products originating in third countries exceeds 50% of the total value of the products constituting the tender (Art. 85.2). Additionally, in cases of equivalent offers, the provisions provide for a preference for European tenders and tenders covered by EU's international obligations. In practice, this possibility has rarely been used.
In France, the Directive has been transposed with the Public Order Code (CCP), which contains the provisions governing public order contracts, following a distinction between public contracts and concessions.

The Public Procurement Code, Chapter 3, Section 1, stipulates that French public authorities shall guarantee equivalent treatment to economic operators and works, supplies and services from States that are signatories to the WTO Government Procurement Act and economic operators from EU Member States. In other cases, authorities may introduce criteria or restrictions in the tender documents based on the origin of the goods or services.

It is reported that the lack of transparency is a challenge for public procurement procedures in France, especially for foreign bidders, including with respect to overly narrow definitions of tenders, and implicit biases in favor of local vendors and state-owned enterprises.

With a few exceptions in specific sectors not relevant to digital trade, there are no statutory limits on foreign ownership of companies. Foreign entities have the right to establish and own business enterprises and engage in all forms of remunerative activities.

Decree 2019-1590 on foreign investments in France, which amends the French Monetary and Financial Code (FFIR) and was last revised by Decree No. 2023-1293, establishes a screening procedure for foreign acquisitions of French companies. An investment transaction is subject to the FFIR if certain cumulative criteria are met, such as the percentage of ownership and the sector involved. Specifically, this procedure applies when a foreign entity is part of the ownership chain, and the investor (i) acquires control, (ii) acquires all or part of a line of business, or (iii) exceeds the threshold of 10% of the voting shares, reduced from the original 25% by Decree No. 2020-892 and permanently amended by Decree No. 2023-1293 if the investor's home state is not part of the EU. The investment must also be in critical sectors, including information systems security, cryptography, surveillance, digital security audits, gambling (excluding casinos), telecommunications networks, and media (Art. R151-3).
When applying the procedure, the Ministry of Economy considers factors such as the permanence of the activities on French territory, the potential to maintain related know-how in France, the governance structure of the resulting company, and information-sharing arrangements (Art. R151-8). The Ministry has the authority to refuse the transaction or impose certain conditions. For example, in 2020, the acquisition of the French photonic sensor manufacturer Photonis by the American company Teledyne was blocked.

France is a party to the Patent Cooperation Treaty (PCT).