CNIL Resolution no. 2026-045 of 19 March 2026 on the security of electronic remote voting systems
By a resolution of 19 March 2026, France’s data protection authority (CNIL), working with the national cybersecurity authority (ANSSI), replaced its 2019 guidance with a new framework. Elections already in preparation for 2026 may continue under the 2019 text; the new recommendation applies to all new elections.
The framework introduces three risk levels – low, moderate, significant – each carrying cumulative security objectives that cover integrity, confidentiality, authentication, availability and verifiability. For works council (comité social et économique, CSE) elections, the CNIL expressly places small and medium-sized organisations at level 2, and larger organisations at level 3. Level 3 triggers heightened requirements, including a fresh independent expert review at each election and disclosure of the source code of components running on voters’ devices.
Employers should assess their applicable risk level using the CNIL’s grid, confirm with their voting solution provider that the corresponding security objectives are met, and ensure that information provided to employees satisfies both Labour Code and GDPR requirements.
