Annual Report · Themio · Digital Compliance Office 2026 Edition — updated June 2026

SME Digital Compliance Barometer
France & Europe 2026

Where do French and European SMEs really stand facing the AI Act, GDPR, and NIS2? The metrics you won't see in official press releases.

60 %

of French SMEs remain non-compliant with GDPR — six years after it came into force.

Why This Barometer?

What institutional reports don't say

Regulatory compliance for large enterprises is well documented. That of SMEs is far less so. Available studies often stop at declarations of intent — "we are in the process of becoming compliant" — without measuring the actual state of practices.

This barometer compiles available public data from the CNIL, ENISA, the French General Directorate for Enterprise, and France Num. It does not claim to be exhaustive. It provides the most reliable overall diagnostic available today, and invites SMEs to contribute directly via our participatory study. This work is supervised by our team of experts.

Themio Participatory Study

Themio is running its own parallel study of French and European SMEs. The results will be published in the 2027 Barometer.

Participate in the study →

Survey hosted on the official European Commission platform — your data is processed in compliance with GDPR.

Key Metrics 2025-2026

What the data shows

60 %

of French SMEs are not GDPR compliant

Lack of awareness of obligations or failure to implement. This figure has remained stable since 2022.

88 %

of French VSE/SME websites fail GDPR requirements

Absence of compliant cookie banners, outdated privacy policies, unconsented trackers.

486 M€

in CNIL fines handed down in 2025

An increase of +780% compared to 2024 (55 M€). 32% of audited companies were SMEs or VSEs.

41 %

of VSEs/SMEs keep a record of processing activities

This document is mandatory for any structure processing personal data — virtually all companies.

26 %

of VSEs/SMEs use at least one AI tool

This figure has doubled in one year. The majority of these companies are unaware that AI use is now governed by Regulation (EU) 2024/1689 (AI Act).

59 %

of European SMEs fail to find qualified cybersecurity staff

Direct consequence: NIS2 obligations — which entered into force in October 2024 — remain largely unimplemented in structures with fewer than 250 employees.

Overview Table

Three regulations, three levels of maturity

| Regulation | SME Awareness Level | Estimated Compliance Level | Next Key Deadline |
|---|---|---|---|
| GDPR (Regulation EU 2016/679) | High — known by 80%+ of managers | Low — 40% compliant on substance | Continuous reinforced CNIL audits |
| AI Act (Regulation EU 2024/1689) | Low — less than 20% of SME AI users have heard of it | Very Low — virtually non-existent compliance | Article 4 (AI literacy): in force since Feb. 2025 — High-risk systems: December 2027 (Digital Omnibus delay, May 2026) |
| NIS2 (Directive EU 2022/2555) | Medium — known by the most exposed sectors | Low — delayed transposition in the majority of Member States | French transposition pending — check national status |

Update

Digital Omnibus (May 2026): The postponement of high-risk AI Act obligations to December 2027 was finalized in May 2026. This postponement does not affect Article 4 (mandatory AI training) or prohibited practices, which have been in force since February 2025.

Sector Focus

Most Exposed Sectors

Not all SMEs are exposed in the same way. Here are the four sectors where the gap between compliance and obligations is most critical.

HR, Recruitment, Payroll Management

AI is heavily used for CV screening, attendance management, and performance evaluation. These uses fall directly under the category of "high-risk AI systems" in Annex III of the AI Act (Article 6). Obligations for transparency and human oversight apply — even for an SME with 20 employees using third-party HR software that integrates AI.

E-commerce and Digital Marketing

Advertising trackers, algorithmic personalization, commercial chatbots: three constant GDPR friction points. The CNIL has made cookies and consent its enforcement priority since 2023. E-commerce SMEs are overrepresented in simplified procedure sanctions (fines up to €20,000).

Accounting, Legal, and Consulting Firms

These firms are subject to NIS2 as critical digital service providers, with an obligation to report security incidents within 24 hours. 51% of VSEs/SMEs have already suffered a data security incident — and in the vast majority of cases did not report it. (Source: France Num GDPR 2024 Barometer)

Healthcare, Social Work, and Well-being

Health data is a special category of personal data within the meaning of Article 9 GDPR, requiring the maximum level of protection. The sector has a structural delay in digital compliance despite a higher-than-average exposure to penalties.

3 Most Underestimated Risks

What most SMEs don't know yet

01

Using AI software ≠ AI Act compliance

Most SMEs think the AI Act only concerns AI developers. This is false. The regulation distinguishes two roles: the provider (who develops the system) and the deployer (who uses it in a professional context). As a deployer, an SME has obligations: verify that the system is compliant, train its staff (Article 4), and not use AI to monitor its employees unlawfully. Using ChatGPT, HR software with automated scoring, or a facial recognition tool places the SME within the scope of the regulation.

02

An incomplete GDPR record can cost as much as a data breach

The absence of a record of processing activities is a documented infraction, auditable during a CNIL inspection, and punishable independently of any security incident. 59% of SMEs do not keep one. The record is not an optional document: it is the simplest GDPR obligation to implement and the first one that the CNIL verifies.

03

The AI Act postponement is not a pause

The Digital Omnibus has postponed certain obligations to December 2027. However, three obligations remain active starting now: the ban on AI practices with unacceptable risk (in force since February 2025), the obligation for AI training (Article 4, in force since February 2025), and rules applicable to general-purpose AI models (in force since August 2025). SMEs that wait until 2027 to start becoming compliant are taking a real risk.

Participatory Study

Help us produce the first primary barometer on SME compliance

Available data on SME compliance is mainly declarative or comes from large firms working with mid-caps and large enterprises. There is not yet a systematic, independent, and representative study of SMEs with fewer than 250 employees in France and Europe.

We are building it.

What you gain by participating:

  • The full results of the study in preview, as soon as they are published
  • A benchmark of your sector — where does your company stand compared to others?
  • Priority access to Themio at launch

The survey takes less than 5 minutes. It is hosted on the official European Commission platform (EUSurvey). Your responses are anonymized and processed in compliance with GDPR.

Participate in the Themio Study →

FAQ

Frequently Asked Questions on SME Regulatory Compliance

Is my company affected by the AI Act if it is not a tech company?

Yes. The AI Act (EU Regulation 2024/1689) distinguishes between two types of actors: providers, who develop AI systems, and deployers, who use them in a professional context. An SME that uses recruitment software with automated scoring, a content generation tool, or a customer chatbot is considered a deployer and has legal obligations. Article 4 imposes an obligation for AI training for anyone involved in using an AI system, in force since February 2, 2025. The vast majority of French and European SMEs using AI tools are already within the scope of the regulation without knowing it.

Does GDPR really apply to a small business with fewer than 10 employees?

Yes, with no size exception. GDPR (EU Regulation 2016/679) applies to any entity that processes personal data — customers, employees, prospects, suppliers — regardless of its size. The only limited exception: companies with fewer than 250 employees are not required to keep a record of processing activities, unless the processing is regular, likely to result in a risk, or involves sensitive data. In practice, this exemption almost never applies. The CNIL has actively targeted VSEs/SMEs since 2023 via its simplified procedure, with fines of up to €20,000.

What is NIS2 and does it affect my SME?

The NIS2 Directive (EU 2022/2555) imposes cybersecurity obligations on entities deemed "essential" or "important" to the economy and society. It applies starting from 50 employees or €10 million in turnover in identified sectors: energy, transport, health, water, digital infrastructure, public administration, and digital service providers. It requires these entities to implement cyber risk management measures, notify incidents within 24 hours, and designate a security officer. According to ENISA, 59% of affected SMEs do not have the internal skills to meet these requirements (NIS Investments 2025).

What is the real cost of GDPR non-compliance for an SME?

CNIL fines for SMEs via the simplified procedure range from €3,000 to €20,000. In 2025, the CNIL issued 87 penalties, 69 of which were via this procedure targeting small structures — for a total of €486 million across all companies. But the real cost exceeds the fine: reputation damage, customer loss, emergency compliance costs, and risk of complaints from data subjects. The average cost of reactive compliance (after a penalty) is estimated to be between 5 and 15 times higher than that of proactive compliance.

The AI Act was postponed — can I wait before preparing for it?

No. The Digital Omnibus (provisional agreement May 2026) only postponed the obligations relating to high-risk systems under Annex III from August 2026 to December 2027. However, three obligations remain active starting now: (1) the ban on AI practices with unacceptable risk, in force since February 2, 2025; (2) the obligation for AI training (Article 4), in force since February 2, 2025; (3) rules for general-purpose AI (GPAI) models, in force since August 2, 2025. Waiting until 2027 exposes SMEs deploying AI today to real non-compliance risks on these three points.

How does Themio produce this barometer?

This 2026 barometer compiles data from public institutional sources: CNIL (annual penalty reports), ENISA (NIS Investments 2025), General Directorate for Enterprise (France), and France Num Barometer (2024 and 2025 editions). Each metric is sourced and verifiable. In parallel, Themio is conducting its own primary study of French and European SMEs via a survey hosted on the official European Commission platform (EUSurvey). The results of this study will feed the 2027 Barometer, with data collected directly from SME executives and compliance officers.

Methodology

Methodology and sources

This barometer is based exclusively on verifiable public data from French and European institutions. No data is extrapolated or estimated without a documented basis.

| Data | Source | Year |
|---|---|---|
| 60% of SMEs are GDPR non-compliant | RGPDKit — CNIL 2025 Review | 2025 |
| 88% of VSE/SME sites are non-compliant with GDPR | Cartegie — GDPR 7 Years On | 2024 |
| €486M in CNIL fines in 2025 | DPO Partage — CNIL 2025 Penalties | 2025 |
| 32% of audited entities are SMEs/VSEs | CNIL — 2025 Annual Report | 2025 |
| 41% of VSEs/SMEs keep a record of processing activities | France Num GDPR 2024 Barometer | 2024 |
| 51% have suffered a data security incident | France Num GDPR 2024 Barometer | 2024 |
| 26% of VSEs/SMEs use an AI tool (x2 in one year) | France Num 2025 Barometer | 2025 |
| 59% of EU SMEs lack qualified cybersecurity staff | ENISA — NIS Investments 2025 | 2025 |
| Article 4 AI Act — training in force Feb 2025 | DGE France — European Regulation on AI | 2025 |
| Postponement of high-risk AI Act → Dec 2027 | Digital Omnibus — provisional Council/Parliament agreement, May 7, 2026 | 2026 |

Where does your company stand compared to these statistics?

Find out if you are in compliance with the European AI Act by evaluating your transparency obligations today.

Take the Article 50 compliance benchmark now →

Or participate in our study and contribute to the 2027 Barometer:

Answer the Themio survey →