ctipilot.ch

France ANTS government identity agency breach — 11.7M citizen records confirmed

incident · incident:france-ants-breach-2026

  • Coverage timeline: 3 appearances, first 2026-05-06 → last 2026-05-10
  • Briefs: 3 (3 distinct)
  • Sources cited: 43 (31 hosts)
  • Sections touched: 3 (ch_eu_public_sector, updates, weekly_summary)
  • Co-occurring entities: 8

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · weekly_summary
     Consolidated in weekly summary for week 2026-W19.
  2. 2026-05-07 · CTI Daily Brief — 2026-05-07 · updates
     UPDATE: ANTS confirmed 11.7 million affected portal accounts, clarifying the prior 12-18M range. Data categories and CNIL notification status unchanged.
  3. 2026-05-06 · CTI Daily Brief — 2026-05-06 · ch_eu_public_sector
     First coverage. Breach detected 2026-04-13; 12-18M citizen records (national IDs, names, DOB, emails); suspect (15 y/o) detained 2026-04-25; no confirmed technical vector; GDPR notification sent 2026-04-22 (9 days post-detection).

Where this entity is cited

  • ch_eu_public_sector (1)
  • updates (1)
  • weekly_summary (1)

Source distribution

  • helpnetsecurity.com: 5 (12%)
  • bleepingcomputer.com: 3 (7%)
  • thehackernews.com: 3 (7%)
  • theregister.com: 2 (5%)
  • kaspersky.com: 2 (5%)
  • ncsc.admin.ch: 2 (5%)
  • securityaffairs.com: 2 (5%)
  • brusselssignal.eu: 1 (2%)
  • other: 23 (53%)

Items in briefs about France ANTS government identity agency breach — 11.7M citizen records confirmed (5)

NIS2 transposition remains incomplete — France and Spain still among the laggards

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

NIS2 transposition is still incomplete across several Member States more than 18 months after the October 2024 deadline, with most of the EU now compliant but a minority — France and Spain among them — still lagging (EC Digital Strategy — NIS transposition tracker; Viktoria Compliance NIS2 tracker). France in particular has not yet enacted its NIS2 transposition vehicle, which means the national authority cannot formally designate in-scope entities or apply sanctions there — and NIS2-derived incident-notification obligations on French entities are therefore not yet enforceable. The operational consequence for Swiss organisations with French or Spanish supply-chain or data-processing counterparts: do not assume NIS2 notification and security obligations are operative in those jurisdictions yet, and confirm the contractual basis for any incident-notification flow rather than relying on a not-yet-transposed statutory one.

France's Tchap government messenger — account-takeover scrapes 73,467 civil servants' metadata

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

The most consequential public-sector incident of the week. On 7 June ANSSI detected a compromise of Tchap, the French state's sovereign Matrix-based encrypted messenger used by ~825,000 civil servants across all ministries; DINUM published the disclosure (DINUM; daily 06-10). The attacker used account takeover to scrape directory metadata on 73,467 users; message content, protected by end-to-end encryption, was not exposed, and CNIL was notified. The defender takeaway is that "sovereign and E2E-encrypted" still leaves a metadata-harvesting surface at the account/identity layer — the directory is a target even when the message body is not.

European Commission refers France and Spain to the CJEU over NIS2 non-transposition `[SINGLE-SOURCE]`

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

The week's most consequential regulatory move. The Commission referred France and Spain to the Court of Justice of the EU on ~9 June — the third and final stage of the infringement procedure — for failing to transpose NIS2 (Directive 2022/2555) more than 19 months past the October 2024 deadline (Brussels Signal). The CJEU can impose lump-sum fines and daily penalties until transposition completes. What defenders need to do differently: entities in non-transposed states operate in a legal grey zone — NIS2's substantive Article 21 security measures and Article 23 reporting windows apply as the floor even where the national implementing law and its competent authority do not yet exist. Swiss federal agencies and cantonal governments with regulated counterparts or outsourced providers in France or Spain should treat NIS2 Article 21 as the baseline regardless of national enforcement status, and watch the remaining non-transposers for the same escalation.

France's Tchap government messenger breached via account takeover — 73,467 civil servants' metadata scraped, CNIL notified

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

On 7 June 2026 ANSSI detected a compromise of Tchap, the French state's sovereign Matrix-based encrypted messenger used by some 825,000 civil servants across all ministries; DINUM published its disclosure on 8 June (DINUM, 2026-06-08). The attacker obtained a single account on the education shard (matrix.agent.education.tchap.gouv.fr) through account impersonation; the attacker further claims to have used a Tchap directory-search function to enumerate accounts across the service, a mechanism DINUM has not confirmed and which The Register reports as part of a set of unverified attacker claims (Help Net Security, 2026-06-09; The Register, 2026-06-09). DINUM confirms 73,467 agents (under 9% of registered users) had name, first name, email address, employing entity and avatar potentially exposed; private rooms protected by Matrix end-to-end encryption were not accessible from a compromised user account, only public-room content (DINUM, 2026-06-08). The unverified actor additionally claims bulk scraping of ~643,000 messages and ~13.5 GB of media, alleging that any media object is retrievable without an auth token once its media ID is known — an unconfirmed content-repository access-control claim that, if true, would widen the exposure considerably (The Register, 2026-06-09). DINUM has notified CNIL and blocked the account; the investigation is ongoing.

Defender takeaway: account takeover followed by directory enumeration and bulk metadata scraping is a generic risk for any Matrix homeserver, since user-directory search is reachable by authenticated users across a federation by default. Organisations running Matrix/Element (BwMessenger and several cantonal/government deployments share this architecture) should restrict or disable cross-federation directory search, confirm sensitive comms use private E2EE rooms rather than public rooms, and watch for follow-on phishing that uses the leaked name + email + organisational-affiliation tuples.
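A hardening baseline for the takeaway above, written as a Synapse homeserver.yaml fragment. This is an added example, not DINUM's or Tchap's configuration: the option names are Synapse's documented keys, the values are assumed choices for a deployment that wants to limit directory and profile enumeration from a single compromised account, and the federation partner name is a placeholder.

```yaml
# Added example: Synapse homeserver.yaml fragment for an assumed deployment
# (not Tchap's own config). Each key shows the permissive value in a comment
# and the hardened value applied.

user_directory:
  enabled: true
  # Permissive: search_all_users: true  -> any authenticated account can
  # enumerate every local user by name or email prefix, the scraping
  # pattern described in the incident above.
  search_all_users: false       # only users visible to the searcher (shared
                                # rooms), not every account the server knows
  prefer_local_users: true      # rank local results first
  show_locked_users: false      # locked (suspended) accounts stay hidden

# Profile lookups (display name, avatar): require an access token and
# restrict them to users who share a room, so one compromised account
# cannot walk the federation for profile data.
require_auth_for_profile_requests: true
limit_profile_requests_to_users_who_share_rooms: true

# Public room directory: public-room content was the part reachable from
# the compromised account, so do not expose the directory to
# unauthenticated clients or to other homeservers.
allow_public_rooms_without_auth: false
allow_public_rooms_over_federation: false

# Media repository: the unverified attacker claim is that media is
# fetchable by ID with no token. Authenticated media (MSC3916) makes
# downloads require a valid access token; new uploads are no longer
# served on the legacy unauthenticated endpoints.
enable_authenticated_media: true

# Federation allow-list: directory and profile queries can then only
# originate from known partner homeservers (placeholder name below).
federation_domain_whitelist:
  - partner-homeserver.example
```

Pair this with alerting on high-rate user_directory search requests from a single account; the config limits what a search returns, but a burst of searches from one session is still the earliest signal of the pattern described above.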

CNIL fines IQVIA Operations France €5M for health data warehouse security failures: no MFA, no log monitoring, no network segmentation

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

France's CNIL fined IQVIA Operations France €5 million on 26 May 2026 for systematic GDPR violations across two authorised health data warehouses, LRX (fed by ~14,000 pharmacies) and EMR (fed by thousands of GPs) (CNIL, 2026-05-28). The CNIL enumerated five control failures: (1) IQVIA operated the warehouses outside the scope of its CNIL authorizations — deliberations 2018-289 and 2021-015 approved specific study types, and IQVIA conducted studies beyond those terms (Art. 66 of the French Data Protection Act); (2) patients were not informed that IQVIA acted as a data controller for their prescription data, violating GDPR Art. 14 information obligations; (3) multi-factor authentication was absent from all warehouse access paths; (4) no automated connection-log monitoring or alerting was in place — IQVIA confirmed retrospective deployment only after the CNIL investigation commenced; (5) no network segmentation between the health data warehouse and other IQVIA corporate infrastructure. The fine magnitude reflects the scope — "several tens of millions" of individuals — and IQVIA's market position. A compliance order with a €10,000/day penalty period accompanies the fine. For defenders this ruling operationalises baseline controls now explicitly expected for health data warehouse operations: MFA on all warehouse access paths, automated log alerting, network segmentation between sensitive-data stores and corporate infrastructure, and strict compliance with CNIL authorization scope for each study type conducted.