Lecornu Decree 2025-980 — French Metadata Retention & Sovereign Encryption

Advanced Summary — Lecornu Decree No. 2025-980 and Targeted Traceability Doctrine

The Lecornu Decree No. 2025-980, published on October 16, 2025, mandates temporary retention of electronic communication metadata (identifiers, timestamps, protocols, durations, locations, technical origins) for twelve months. It builds on the Internal Security Code — Book VIII and is jointly supervised by the Prime Minister, CNCTR, and CNIL. Grounded in the national security exception recognized by the CJEU (C-511/18, C-512/18, C-746/18) and guided by the ECHR jurisprudence (Big Brother Watch, Centrum för Rättvisa, Ekimdzhiev), it adheres to the principle of proportionality (French Constitutional Council, Decision No. 2021-808 DC). Measures must be time-limited, threat-specific, and independently reviewed. This decree represents a structural milestone in France’s legal framework for digital sovereignty.

Scope and Exemptions

Covered: ISPs, telecom operators, hosting providers, digital platforms, and messaging/collaboration services. Exempt: autonomous offline cryptographic systems. Freemindtronic’s DataShielder NFC HSM and HSM PGP — authorized under Decree No. 2007-663 and supervised by ANSSI — generate no metadata, use no server or cloud, and therefore fall outside the Lecornu perimeter.

European Compatibility and Sovereign Cryptography

The CJEU (Tele2 Sverige AB, Watson, Privacy International) and ECHR require foreseeability, independent oversight, and limited retention. The CNIL emphasizes that preventive retention qualifies as personal data processing under GDPR Article 6, demanding proportionality and purpose limitation. Freemindtronic’s DataShielder embodies native legal resilience: it neither processes nor stores personal data, adhering to privacy by design principles (GDPR Article 25) — minimization, segmentation, immediate destruction.

Executive Brief — Lecornu Decree No. 2025-980 on Metadata Retention

Published in France’s Official Journal on 16 October 2025 (full text on Legifrance), the Decree No. 2025-980 of 15 October 2025 requires digital service operators to retain communication metadata for one year — including user identifiers, protocols, durations, geolocation, and technical origins.

This obligation, overseen by the CNCTR (National Commission for the Control of Intelligence Techniques) and the French Prime Minister, is part of the Book VIII of the French Internal Security Code governing intelligence techniques.

The decree does not apply to autonomous cryptographic systems or offline architectures that process or host no communication data.
This includes Freemindtronic’s DataShielder NFC HSM and DataShielder HSM PGP solutions — local encryption tools with no servers, clouds, or databases — fully compliant with the GDPR, NIS2 Directive, and DORA Regulation.

Legal Overview

Introduction — Lecornu Decree No. 2025-980 and Digital Sovereignty: A Decade of Traceability Legislation

Legal Context — Ten Years of Intelligence Oversight and Targeted Retention

The Lecornu Decree No. 2025-980 continues a legislative framework initiated in 2015 and consolidated through successive statutes:

• 2015 — Intelligence Act No. 2015-912: established a legal regime for intelligence techniques and introduced oversight by the CNCTR.
• 2021 — Constitutional Council Decision No. 2021-808 DC: upheld metadata retention under proportionality and independent supervision conditions.
• 2024 — Adaptation of Book VIII of the Internal Security Code to the NIS2 Directive.
• 2025 — Full decree published on Legifrance: mandates one-year metadata retention.

This decree marks a stabilization of France’s intelligence and traceability framework, applying CJEU case law (La Quadrature du Net) while reaffirming the authority of the Prime Minister and oversight by the CNCTR.

Note: The CNCTR publishes annual activity reports assessing the legality and proportionality of retention measures, available at cnctr.fr.

Timeline — Evolution of Data Retention and Surveillance (2015 → 2025)

This timeline places into perspective the evolution of French and European law on connection and metadata retention:

• 2015 — Intelligence Act: legalized surveillance techniques and created independent oversight by the CNCTR.
• 2016–2018 — CJEU — Tele2 Sverige / Watson: prohibited general and indiscriminate data retention.
• 2021 — Constitutional Council Decision 2021-808 DC: confirmed conditional validity under proportionality safeguards.
• 2022 — Adoption of the NIS2 Directive and the DORA Regulation.
• 2024 — Revision of the Internal Security Code, Book VIII.
• 2025 — Official publication in the Journal Officiel: mandatory one-year metadata retention.

Reading note: each step highlights the growing tension between national security imperatives and the protection of fundamental rights, under joint arbitration by the Constitutional Council, CJEU, and ECHR.

This gradual evolution demonstrates how the Lecornu Decree on Digital Sovereignty fits into a balanced framework between security and information system autonomy.
Before exploring the next contextual segments, it is essential to understand how targeted traceability evolved into a model of sovereign cryptography — where compliance arises natively from system architecture.

Lecornu Decree and Digital Sovereignty — Legal Framework, National Security, and Fundamental Freedoms

Published in the Official Journal on 16 October 2025 (full text – Legifrance), the Decree No. 2025-980 of 15 October 2025 requires digital operators to retain specific communication metadata for one year — including identifiers, timestamps, duration, protocol, geolocation, and technical origin.

This measure, justified by the need to prevent and anticipate threats to national security, forms part of Book VIII of the French Internal Security Code, which governs intelligence-gathering techniques. It is under the dual oversight of the Prime Minister and the CNCTR (National Commission for the Control of Intelligence Techniques).

The Lecornu Decree explicitly does not apply to autonomous, offline, and non-communicating cryptographic systems — such as the DataShielder NFC HSM, DataShielder HSM PGP, and SilentX™ HSM PGP solutions, which integrate the EviLink™ HSM PGP technology.

These local, serverless and cloudless encryption systems generate no metadata and operate fully within the compliance perimeter of the EU Regulation 2016/679 (GDPR), NIS2 Directive (EU) 2022/2555, and DORA Regulation (EU) 2022/2554.

To fully understand the reach of the Lecornu Decree on Digital Sovereignty, one must analyze its legal foundation and the definition of a “communications operator” under the French Electronic Communications Code. This distinction clarifies the separation between network-based infrastructures and sovereign cryptographic devices that are autonomous by design.

Legal Box — Definition of “Electronic Communications Operator” (Article L32 of the French CPCE)

In continuity with the Lecornu Decree on Digital Sovereignty, the EviLink™ HSM PGP doctrine demonstrates the operational implementation of sovereign cryptology — rooted in decentralization and non-traceability. Before addressing the decree’s broader legal and technical implications, it is essential to understand how this segmented architecture achieves compliance by design while eliminating any exploitable form of data retention.

EviLink™ HSM PGP Doctrine — Compliance Through Decentralized Sovereignty and Segmented Contextual Encryption

The EviLink™ HSM PGP technology, embedded at the core of the SilentX™ HSM PGP system, implements an innovative model of hybrid decentralized encryption. It combines hardware, software, and contextual factors to form a sovereign cryptographic architecture: keys are segmented, volatile, and impossible to reassemble within the same memory space.

Architecture and Operation

• Self-hosted decentralized server: each instance can be deployed locally or on a private remote relay, fully controlled by the end user.
• Secure remote connection: TLS channels via Let’s Encrypt and/or VPN tunnels. Every instance features a dynamically generated, unique certificate.
• Dynamic IP addressing: variable and non-correlatable allocation prevents persistent tracking.
• Post-transmission volatility: instant deletion of messages and derived keys after reading; no logs, caches, or session files are ever retained.

Segmented AES-256 Encryption Within the Lecornu Digital Sovereignty Decree Framework

EviLink™ HSM PGP is based on segmented AES-256 encryption, where the session key is derived from concatenated, independent segments.
Each segmented key pair is autonomous and a minimum of 256 bits per segment, i.e., ≥ 512 bits before derivation.

Typological Derivation Line

# Concatenation + derivation toward 256-bit key
SEED = localStorageKey || server || [optional_trust_factors] || salt || nonce
AES256_KEY = HKDF-SHA512(SEED, info="EviLink-HSMPGP", len=32)

Legend: This line shows the typological cryptographic derivation process.
Each segment is concatenated to form a SEED, then derived via HKDF-SHA512 within a named context (“EviLink-HSMPGP”) to produce a 32-byte AES-256 key.

• localStorageKey: randomly generated in memory and exportable in encrypted form for restoration; reusable only after strong authentication and trust policy validation.
• server: temporary segment hosted on the EviLink™ relay (generated server-side, encrypted storage, auto-deleted after session/TTL).
• Optional — Trust factors: contextual elements (e.g., BSSID, userPassphrase, device fingerprints) dynamically added to the concatenation to bind the key to its execution environment.
• salt / nonce: fresh values ensuring derivation uniqueness and resistance to replay or reuse attacks.

The result: an uninterceptable, locally derived encryption system in which data on both sender and receiver sides remains over-encrypted.
Even if one segment (server or local) is compromised, the absence of concatenation logic, trust factors, and salts/nonces makes decryption infeasible.

Legal Status and Compliance

This hybrid architecture fully satisfies security and proportionality standards without falling within the scope of Decree No. 2025-980:

• Decree 2025-980: non-applicable — no exploitable data or metadata are stored.
• Decree 2007-663: classified as dual-use cryptographic product, declarable to ANSSI.
• GDPR (Articles 5 & 25): native compliance — data minimization and privacy by design.
• CJEU & ECHR: respects the La Quadrature du Net and Big Brother Watch rulings — proportionality and immediate destruction.

Comparative Summary

After presenting the cryptographic principles of the EviLink™ HSM PGP Doctrine and its logic of decentralized sovereign compliance, the next section examines how the Lecornu Decree on Digital Sovereignty legally frames such architectures. This transition from the technical to the normative dimension clarifies how French regulation aligns with European principles of proportionality, independent oversight, and fundamental rights protection.

National and European Legal Framework of the Lecornu Decree on Digital Sovereignty — Foundations, Oversight, and Doctrine

The Lecornu Decree No. 2025-980 of 15 October 2025 (Legifrance) extends the framework initiated by the French Intelligence Act No. 2015-912. It authorizes the retention, for a maximum of one year, of technical metadata (identifiers, protocols, durations, locations, and origins of communications) when a serious and current threat to national security exists.

This preventive and non-intrusive measure, which excludes message content, is based on the distinction drawn by the Constitutional Council Decision 2021-808 DC: content remains under judicial authorization, while technical data collection is under administrative oversight by the Prime Minister and the CNCTR (National Commission for the Control of Intelligence Techniques).

2. European Position — CJEU and ECHR

The CJEU confirmed the prohibition of generalized data retention (Tele2 Sverige C-203/15, Privacy International C-623/17), while allowing a targeted derogation in cases of serious and current national security threats (La Quadrature du Net C-511/18, SpaceNet C-746/18). The Lecornu Decree applies this exception precisely — limiting both scope and duration, while ensuring independent oversight.

The ECHR rulings —Big Brother Watch, Centrum för Rättvisa, and Ekimdzhiev — impose strict safeguards: a foreseeable legal basis, independent control, and mandatory data deletion upon expiry. The 2025-980 decree meets all these criteria: clear legal foundation, limited retention period, and CNCTR supervision.

3. GDPR and CNIL Alignment

According to the CNIL, metadata retention qualifies as a personal data processing activity under the GDPR. Even when justified under the national security exemption (Article 2 §2 a), it must comply with the principles of proportionality and data minimization. Authorities remain responsible for ensuring processing security (Article 32 GDPR) and restricting access exclusively to national defense purposes.

4. Comparative Table — Lecornu Decree No. 2025-980 and European Law

5. DataShielder — Compliance Through Non-Applicability

The DataShielder NFC HSM and DataShielder HSM PGP solutions, developed by Freemindtronic Andorra, operate entirely offline. They use no server, no cloud, and no database; no metadata is ever generated or retained. Consequently, these devices fall outside the scope of Decree 2025-980.

They natively embody privacy by design and data minimization (GDPR Art. 25), while complying with the resilience frameworks of the NIS2 Directive and DORA Regulation. As Decree 2007-663 dual-use cryptographic products, they are approved under ANSSI regulation.

Centralized Architecture           DataShielder Offline Architecture
───────────────────────────────    ─────────────────────────────────────
Server / Cloud required            No server or cloud
Identified sessions (UUID)         No persistent identifiers
Network transmission               Local NFC chip encryption
Technical logging                  No logging at all
Ex post audit control              Legally non-applicable

Their design illustrates compliance through data absence: no logs, no identifiers, and thus no obligation for retention.

6. Perspective — Towards a Balanced Digital Sovereignty

The Lecornu Decree 2025-980 represents a turning point: it institutionalizes targeted and temporary traceability under independent supervision.
Amid growing global surveillance trends, autonomous cryptographic solutions like DataShielder provide both legal and technical resilience — a sovereignty model grounded in the non-existence of data.

In conclusion, the Lecornu Decree on Digital Sovereignty stands as a legal instrument balancing national security with European data protection standards. Its effective interpretation and enforcement now depend on the oversight institutions — courts, regulators, and civil society — tasked with defining the real scope and future of targeted metadata retention within the European legal space.

Following the legal analysis of the Lecornu Decree on Digital Sovereignty, attention now turns to its institutional reception and practical implementation.
This monitoring phase aims to assess how national and European authorities interpret the balance between public security and fundamental rights.

Institutional Reactions and Monitoring — Lecornu Decree No. 2025-980 on Digital Sovereignty

Absence of Official Reaction, but Civil Society Vigilance

As of 20 October 2025, no official statements have yet been issued by the CNIL, CNCTR, or the Constitutional Council regarding Decree No. 2025-980. However, several institutional and civil society actors — including La Quadrature du Net and Privacy International — have reiterated in earlier communications their principled opposition to any form of generalized metadata retention, citing the CJEU Tele2 Sverige and La Quadrature du Net rulings.

Doctrinal Anticipation and European Oversight

At the European level, neither the European Data Protection Board (EDPB) nor the European Commission has yet commented on the decree. Nevertheless, questions surrounding its compatibility with the Charter of Fundamental Rights of the European Union are expected to arise during forthcoming dialogues between France and the Commission.

In France, legal scholars and digital law researchers — notably from Université Paris-Panthéon-Assas, the Institut Montaigne, and the Observatoire de la Souveraineté Numérique — already view the decree as a transitional measure pending European harmonization. Its effective reach will depend on proportionality reviews by the Conseil d’État.

In summary: the Lecornu Decree on Digital Sovereignty has not yet triggered formal legal challenges, but it is likely to become a test case before the CJEU or ECHR, following the trajectory of the 2015 and 2021 intelligence laws. Freemindtronic Andorra maintains continuous monitoring of publications from the CNIL, CNCTR, and European courts to anticipate any doctrinal developments.

While institutional monitoring captures early reactions to the Lecornu Decree, the doctrinal analysis now highlights areas of uncertainty that shape its interpretation — between legal theory, technical constraints, and European digital sovereignty. These open questions require in-depth reading to anticipate future adjustments to the legal framework.

International and Comparative Context of the Lecornu Decree No. 2025-980

The Lecornu Decree No. 2025-980 is part of a global movement to reassert digital sovereignty and national control over data flows.
Several countries have adopted comparable frameworks, balancing national security, proportionality, and privacy protection.
Approaches differ depending on constitutional structures and available judicial safeguards.

• 🇺🇸 United States — Patriot Act (2001), later Freedom Act (2015): allows targeted retention under supervision of the FISA Court.
  Bulk collection curtailed after the 2015 USA Freedom Act ruling.
• 🇬🇧 United Kingdom — Investigatory Powers Act (2016): extensive retention and access regime, criticized by the ECHR (Big Brother Watch, 2021) for insufficient independent oversight.
• 🇩🇪 Germany — Bundesdatenschutzgesetz: highly restricted retention, partially invalidated by the CJEU in SpaceNet C-793/19 for breaching temporal and geographic proportionality.
• 🇪🇸 Spain — Ley Orgánica 7/2021 on data processing for law enforcement: temporary retention permitted under the supervision of the Data Protection and Transparency Council.
• 🇵🇱 Poland — Telecommunications Law: mandatory 12-month retention, criticized by the CJEU (Case C-140/20) for lack of prior judicial review.
• 🇨🇦 Canada — Communications Security Establishment Act (2019): allows targeted collection and retention, supervised by the National Security and Intelligence Review Agency (NSIRA).
• 🇦🇺 Australia — Assistance and Access Act (2018): obliges operators to provide technical access without generalized retention, under specific judicial orders.
• 🇰🇷 South Korea — Communications Secrets Protection Act: permits one-year retention for national security or severe cybercrime cases, under PIPC supervision.

Retention Duration / Independent Oversight

• United States: 6 months / FISA Court review
• United Kingdom: 12 months / Investigatory Powers Commissioner
• Germany: 10 weeks / Bundesnetzagentur oversight
• Spain: 12 months / pending CJEU review (2024)
• Poland: 12 months / ongoing constitutional review (CJEU 2025)
• France: 12 months / CNCTR + Conseil d’État supervision

Out of Scope — What This Chronicle Does Not Cover in Relation to the Lecornu Decree on Digital Sovereignty

To maintain analytical rigor and prevent misinterpretation, the following areas are deliberately excluded from this Chronicle.
The Lecornu Decree on Digital Sovereignty is examined solely from the perspective of metadata retention, without extending to other technical, judicial, or operational domains.

• Communication content (lawful interception, monitoring) — the decree concerns metadata retention only, not access to message content.
• Criminal procedures (searches, digital seizures, judicial investigations) — outside the legal scope of this analysis.
• Sector-specific regimes (health, finance, defense, ePrivacy, open data) — mentioned only when intersecting with GDPR, NIS2, or DORA frameworks.
• Technical implementation details (log formats, access protocols, operator APIs) — omitted to preserve regulatory neutrality.
• Internal practices of platforms and messaging apps (WhatsApp, Signal, Telegram, etc.) — cited comparatively, without compliance assessment.
• Cryptographic weakening, backdoors, or offensive methods — excluded for ethical, legal, and sovereignty reasons.
• Individual legal advice, GDPR audit, or compliance consulting — not provided; this Chronicle constitutes neither legal counsel nor expert service.
• Export control regimes (cryptology licensing, ITAR, EAR) — cited only for reference.
• Product tutorials (installation, configuration, performance of DataShielder solutions) — deliberately excluded to maintain editorial neutrality and ethical integrity.

Sovereign Glossary — Key Terms Related to the Lecornu Decree No. 2025-980 and Sovereign Cryptology

• ANSSI — French National Cybersecurity Agency: authority responsible for certification and compliance of cryptographic products. https://www.ssi.gouv.fr/en/
• CNCTR — National Commission for the Control of Intelligence Techniques: independent authority supervising intelligence practices in France. https://www.cnctr.fr/
• CNIL — French Data Protection Authority: regulator ensuring personal data protection and GDPR compliance. https://www.cnil.fr/en/
• CJEU — Court of Justice of the European Union: highest EU court ensuring the interpretation and application of EU law. https://curia.europa.eu/
• ECHR — European Court of Human Rights: ensures national laws comply with the European Convention on Human Rights. https://www.echr.coe.int/
• GDPR — General Data Protection Regulation (EU 2016/679): cornerstone framework for personal data protection in the European Union. Official GDPR Text
• NIS2 — Directive (EU) 2022/2555: strengthens cybersecurity obligations for essential service operators and critical infrastructure. Official NIS2 Directive
• DORA — Regulation (EU) 2022/2554: establishes digital operational resilience requirements for the financial sector. Official DORA Regulation
• HSM — Hardware Security Module: a secure hardware device isolating cryptographic keys from software environments.
• NFC HSM — Near Field Communication Hardware Security Module: autonomous cryptographic device using ISO 15693/14443 contactless standards for local encryption.
• Privacy by Design — GDPR principle requiring that privacy and data protection be integrated into systems from the earliest stages of design.
• Compliance Through Data Absence — Freemindtronic Doctrine:
  a digital sovereignty principle that ensures legal compliance by designing systems that store no exploitable data at all.

Express FAQ — Lecornu Decree No. 2025-980: Metadata Retention and Sovereign Cryptology

Reference Legal Library — Lecornu Decree No. 2025-980

This documentary corpus gathers all legal texts, decisions, and official sources cited throughout this Chronicle, ensuring full traceability and verifiability of the information presented.

🇫🇷 National Legal Framework — France

• Decree No. 2025-980 of 15 October 2025 — Metadata Retention by Digital Operators
• French Internal Security Code — Book VIII: Intelligence Techniques
• Article L. 801-1 — Principles of Necessity, Proportionality and Independent Oversight
• Article L. 833-4 — CNCTR Powers (Ex Ante and Ex Post Control)
• Article L. 871-6 — Prime Minister’s Authority to Enact Data Retention Decrees
• CNCTR — National Commission for the Control of Intelligence Techniques
• Law No. 2015-912 of 24 July 2015 — Intelligence Law
• Decision No. 2021-808 DC of 20 May 2021 — Anti-Terrorism and Intelligence Act
• Conseil d’État — Jurisdiction over Intelligence Techniques
• Decree No. 2007-663 of 2 May 2007 — Regulation of Cryptology Means and Services
• ANSSI — French National Cybersecurity Agency
• CNIL — French Data Protection Authority

🇪🇺 European Legal Framework — European Union

• Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)
• Directive (EU) 2022/2555 — NIS2 Directive on Network and Information Systems Security
• Regulation (EU) 2022/2554 — DORA (Digital Operational Resilience Act)
• CJEU — Tele2 Sverige AB and Watson, Cases C-203/15 and C-698/15
• CJEU — Privacy International, Case C-623/17
• CJEU — La Quadrature du Net, Case C-511/18
• CJEU — SpaceNet, Case C-746/18
• Charter of Fundamental Rights of the European Union — Articles 7 & 8

🇪🇺 European Case Law and Doctrine — ECHR

• ECHR — Big Brother Watch v. United Kingdom (2021)
• ECHR — Centrum för Rättvisa v. Sweden (2021)
• ECHR — Ekimdzhiev and Others v. Bulgaria (2022)

Products and Compliance — Cryptology and Sovereignty

• DataShielder NFC HSM — Local Hardware Encryption Architecture
• DataShielder HSM PGP — Sovereign PGP Encryption Module
• SilentX HSM PGP — P2P Self-Hosted Instant Messaging System with EviCall™ HSM PGP Technology
• Freemindtronic — Cryptology, Sovereignty and GDPR / NIS2 / DORA Compliance

Complementary Documentation

• CNIL — National Security and Personal Data
• CNCTR — Public Reports and Opinions
• EUR-Lex — Access to EU Law
• HUDOC — ECHR Case Law Database
• Constitutional Council of France — Decisions and Releases