The SREN Law (Sécurité et Régulation de l'Espace Numérique - Security and Regulation of the Digital Space) represents a major legislative advancement to enhance security and regulate the use of digital technology in France.
Adopted in response to the increase in cyberthreats and the need for better regulation of online content, Law no. 2024-449 (in French) of 21 May 2024 introduces several key provisions.
Here is an overview of its main measures:
The SREN Law requires companies and public authorities to strengthen their security systems to protect strategic and sensitive data. Entities must comply with strict cybersecurity standards or face penalties. This includes the implementation of advanced security protocols and ongoing staff training to handle with cyber threats.
Online platforms are now required to quickly remove illegal content, such as hate speech, incitement to violence and terrorist content. ARCOM is responsible for monitoring the moderation of online content and ensuring compliance with these obligations. An anti-scam filter is in place to alert users to malicious sites.
The protection of minors is reinforced by strict measures designed to limit their exposure to inappropriate content. Platforms must verify the age of users and restrict access to adult content. This verification must be carried out rigorously to prevent any attempt at circumvention. ARCOM is responsible for establishing the age verification standards.
Large digital platforms must now comply with new transparency obligations regarding their algorithms and moderation policies. Platforms must also report on their user data protection practices.
Users' rights have been significantly strengthened. The SREN Law provides for mechanisms enabling users to better control and manage their personal data. Platforms must offer transparent tools so that users can exercise their rights, including the right to data erasure and portability.
The regulation of advertising practices is another important aspect of the SREN Law. Platforms must guarantee transparency about the origin and nature of the advertising displayed. Measures have also been put in place to limit intrusive practices and protect users' privacy.
One of the innovative aspects of the SREN Law concerns the regulation of games with monetisable digital objects. These games, often called "play-to-earn" or "blockchain games", allow players to win or buy digital objects that can be exchanged for real money. The SREN Law imposes strict rules to regulate these practices, aimed at preventing the risks of fraud, money laundering and exploitation of players. Game developers must put in place transparent mechanisms for the management and exchange of these digital objects, ensure the protection of user data and comply with financial transparency standards.
The SREN Law also introduces specific measures concerning cloud computing. Cloud service providers must comply with strict security standards to protect hosted data. This includes implementing robust encryption protocols, carrying out regular security audits and guaranteeing the confidentiality of user data. Additionally, cloud service providers must be transparent about the location of data centres and data backup and recovery policies.
This new law also adapts French law to the Digital Services Act (DSA) and the Digital Market Regulation (DMA), while creating a legal framework to meet the challenges of the digital age. However, it is important to note that the European Commission could review and challenge certain provisions of this law. Such a review could lead to adjustments or amendments to bring them into line with European law, thus affecting the application and effectiveness of certain measures provided for in the SREN Law.