Certyneo

Employment Law Compliance: Employer Obligations

Between employment contracts, data protection and HR digitalisation, employers face increasingly significant obligations. A comprehensive overview to remain compliant in 2026.

Certyneo Team (Editor, Certyneo) · 11 min read

Compliance with employment law is one of the major challenges for any business, regardless of its size. In 2026, with the accelerated digitalisation of HR processes, strengthened GDPR requirements, the entry into force of new provisions from labour legislation and the widespread adoption of electronic signature for HR, employers must master an increasingly complex regulatory framework. This article reviews the fundamental obligations, associated legal risks and best practices to ensure full compliance.

Fundamental contractual obligations of the employer

The employment contract is the cornerstone of the employer-employee relationship. Its drafting, retention and signature carry specific responsibilities.

Mandatory form and content of the employment contract

In France, the Labour Code imposes mandatory provisions according to the type of contract:

  • Permanent contract (CDI): although no written form is legally required for full-time permanent contracts, practice and legal certainty require comprehensive documentation (duration, remuneration, job title, place of work, applicable collective agreement).
  • Fixed-term contract (CDD): Article L.1242-12 of the Labour Code requires a written document to be given to the employee within 48 hours of hiring, on pain of reclassification as a permanent contract.
  • Part-time: Article L.3123-6 requires a written contract specifying weekly or monthly hours.
  • Special contracts (temporary work, apprenticeship, professional training): each is subject to specific formal rules.

Since 2023, European Directive 2019/1152 on transparent and predictable working conditions requires employers to provide employees, from the first day of work, with a written declaration covering at least 11 key elements (identity of parties, working hours, remuneration, holidays, notice procedures, etc.).

Electronic signature is now fully recognised for employment contracts following the transposition of the eIDAS regulation into French law. Article 1366 of the Civil Code establishes electronic writing as equivalent to paper writing, provided the author's identity is guaranteed and the document's integrity is assured.

Using an electronic signature solution in the business allows precise timestamping of contract delivery, eliminates postal delays and guarantees complete traceability in case of dispute. The signature level required varies: for most employment contracts, a simple or advanced electronic signature (SES or AES level according to eIDAS) is sufficient; sensitive contracts (severance agreements, certain mandates) may require a qualified signature (QES).

Obligations regarding protection of employee personal data

Under GDPR (Regulation No. 2016/679), the employer is classified as a data controller with respect to employee personal data. This classification entails significant obligations.

Every employer must maintain a register of processing activities (Article 30 GDPR) listing each processing of HR data: payslips, annual reviews, geolocation, access control, business email, etc. The legal basis varies according to the processing:

  • Contract performance: data necessary for payroll, holidays, health insurance.
  • Legal obligation: URSSAF declarations, DSN (Social Reporting Statement).
  • Legitimate interest: security of premises, dispute management.
  • Consent: to be used cautiously in an employment context, since the power imbalance undermines its lawfulness.

In the event of a CNIL inspection, absence of a register exposes the employer to a fine of up to €10 million or 2% of global turnover (Article 83§4 GDPR).

Employee rights and transparency obligations

The employer must inform employees of their rights (access, rectification, erasure, portability, objection) through a clear internal confidentiality policy, provided during onboarding. The deadline for responding to a rights exercise request is one month maximum, with possibility of extension by two months for complex requests.

The data retention period must be strictly defined: payslips may be retained for 5 years after contract termination, access control data for a maximum of 3 months in principle, and disciplinary files according to the applicable limitation periods.

Workplace health, safety and unique risk assessment document

Article L.4121-1 of the Labour Code places the employer under a safety obligation of result: the employer must take all necessary measures to ensure the safety and protect the physical and mental health of workers.

The Unique Document for Professional Risk Assessment (DUERP)

Since the decree of 18 March 2022, the DUERP is mandatory for all businesses with at least 1 employee. It must be:

  • Updated at least annually in businesses with 11 or more employees, and when any major restructuring decision significantly modifies working conditions.
  • Retained for 40 years and made available to workers, the Works and Social Committee, labour inspectors and CARSAT prevention service agents.
  • Accessible through a national digital portal since 1 July 2023 for businesses with 150 or more employees (portal managed by INRS).

The absence or insufficiency of a DUERP carries a criminal penalty: fifth-class misdemeanour (€1,500 per employee concerned), together with civil liability exposure in case of an accident.

Prevention of psychosocial risks (PSR)

Since the Court of Cassation rulings in 2002 (Asbestos cases), case law recognises a heightened safety obligation for psychosocial risks (burnout, moral harassment, work stress). The national cross-industry agreement of 19 June 2013 on work quality commits employers to implementing prevention, information and training actions.

In 2024, DARES estimated that 48% of employees reported suffering from at least one significant physical or psychosocial constraint in their work. Integration of a PSR component into the DUERP has become an essential practice for any diligent employer.

Information, consultation obligations and role of the Works and Social Committee

In businesses with at least 11 employees, the establishment of a Works and Social Committee (CSE) is mandatory. Its responsibilities are defined in Articles L.2311-1 et seq. of the Labour Code.

Mandatory consultations

The CSE must be consulted annually on three major topics:

  • Strategic directions of the business and their consequences for employment and occupations.
  • Economic and financial situation of the business.
  • Social policy, working conditions and employment (including the social balance sheet in businesses with more than 300 employees).

Specific consultations are also required before any significant unilateral decision: collective redundancy project, introduction of new technologies, modification of work organisation. An employer who omits this consultation is exposed to the offence of obstruction (Article L.2317-1), punishable by a fine of €7,500 for individuals and €37,500 for legal entities.

Economic, social and environmental database (BDESE)

Since the Climate and Resilience law of 2021, the BDESE integrates a mandatory environmental component. Permanently accessible to CSE members, it must be updated according to a precise schedule. Dematerialisation of this database is now standard: many businesses use secure platforms with strong authentication to manage access. A comparison of electronic signature solutions can help employers choose tools compatible with these document traceability requirements.

HR digitalisation and regulatory compliance: 2026 challenges

The digital transformation of human resources is accelerating. In 2026, more than 65% of large French businesses have dematerialised at least part of their HR document processes (source: 2025 HR Digital Benchmark, Gartner). This development raises specific compliance questions.

Electronic payslips

Article L.3243-2 of the Labour Code has authorised delivery of payslips in electronic form since 2017, provided the employee has not objected. The employer must guarantee:

  • Availability of the payslip for 50 years or until the employee reaches age 75.
  • Confidentiality of data through secure access with personal identifiers.
  • The possibility for the employee to object at any time to electronic delivery.

Electronic signature of HR documents

Employment contracts, amendments, releases, severance agreements and various certificates can now be electronically signed. The complete guide to electronic signature details the security levels required for each document type. For severance agreements, DREETS (formerly DIRECCTE) accepts dematerialised transmission via the TéléRC portal since 2017, and qualified electronic signature is recommended to secure the agreement.

Using an eIDAS-compliant solution also enables compliance with legal retention requirements: an employment contract electronically signed via a certified platform constitutes irrefutable evidence in case of employment tribunal dispute, unlike a simple email or unsecured PDF.

Cybersecurity and NIS2 compliance

Since October 2024, the NIS2 Directive (transposed into French law by Law No. 2024-449 of 22 May 2024) imposes strengthened cybersecurity obligations on essential and important entities, including many employers in health, energy, transport and digital services sectors. HR departments are directly concerned with securing payroll systems, HR databases and electronic signature tools. ANSSI recommends annual cyber risk review incorporating HR processes in the business continuity plan.

Employer compliance with employment law rests on a multi-layered body of legislation and regulation, combining national and European law.

Labour Code (consolidated version 2026):

  • Articles L.1221-1 et seq.: formation and performance of employment contract.
  • Article L.1242-12: mandatory written form of CDD on pain of reclassification.
  • Article L.4121-1: general employer safety and prevention obligation.
  • Articles L.2311-1 to L.2317-1: CSE responsibilities and consultation, obstruction offence.
  • Article L.3243-2: dematerialised payslip delivery.

Civil Code:

  • Articles 1366 and 1367: legal value of electronic writing and electronic signature, equivalence with handwritten writing under conditions of author identification and document integrity.
  • Article 1369: modalities for conclusion of electronic contracts.

eIDAS Regulation No. 910/2014/EU (updated by eIDAS 2.0, Regulation 2024/1183): Distinguishes three levels of electronic signature: simple (SES), advanced (AES) and qualified (QES). QES produces the same legal effects as a handwritten signature in all Member States. For ordinary employment contracts, SES or AES is generally sufficient; QES is recommended for severance agreements and sensitive mandates.

GDPR — Regulation No. 2016/679/EU:

  • Article 5: principles of lawfulness, fairness, data minimisation, accuracy, storage limitation, integrity and confidentiality.
  • Article 30: obligation to maintain a register of processing activities.
  • Articles 12 to 22: rights of data subjects (employees), response deadlines and procedures.
  • Article 83: administrative sanctions up to €20 million or 4% of global turnover for the most serious violations.

Directive (EU) 2019/1152 on transparent and predictable working conditions: transposed in France by ordinance, it requires provision of a written declaration to the employee from the first day of work.

NIS2 Directive (EU) 2022/2555, transposed by French Law No. 2024-449 of 22 May 2024: obligation of cyber risk management, notification of incidents to ANSSI within 24 hours for major incidents, penalties up to €10 million or 2% of global turnover for essential entities.

ETSI Standards: EN 319 132 (advanced XML signature XAdES), EN 319 122 (CAdES), EN 319 142 (PAdES) — technical standards used by qualified trust service providers (QTSP) to ensure eIDAS compliance of electronic signatures.

Practical risks: an employer failing to comply with these obligations faces employment tribunal litigation (reclassification of a CDD as a permanent contract, annulment of a dismissal for a procedural defect), criminal sanctions (obstruction offence, health and safety breaches), CNIL and ANSSI fines, and unlimited civil liability in case of a workplace accident or data breach.

Use scenarios: HR compliance in practice

Scenario 1 — An industrial SME with 120 employees dematerialises employment contracts

An industrial SME managing approximately 120 employees and frequently using seasonal CDD contracts faced a 15% error rate on contracts sent by post: missed return deadlines, missing signatures, risk of reclassification. After deploying an eIDAS-compliant advanced electronic signature solution (AES), the HR department reduced average signature time from 4.5 days to less than 6 hours. Contractual compliance rate rose to 99.8%, virtually eliminating reclassification risk. Time saved for the HR team was estimated at approximately 3 hours per recruitment, representing annual savings of over 200 employee hours.

Scenario 2 — A services group with 800 collaborators brings BDESE and DUERP into 2026 compliance

A services group with approximately 800 collaborators across multiple sites faced out-of-sync DUERP updates and incomplete BDESE on environmental aspects, following introduction of the new Climate and Resilience legal framework. By structuring an HR compliance project over 6 months — including professional risk mapping by site, DUERP update with certified prevention consultant, and BDESE redesign with environmental indicator integration — the group avoided two enforcement notices from labour inspectors. Dematerialising CSE access through a secure platform reduced preparation time for mandatory consultations by 40%.

Scenario 3 — An HR consulting firm of 30 people manages GDPR compliance of recruitment processes

An HR consulting firm of about thirty collaborators was collecting CVs and candidate data without clearly defined legal basis, without a processing register and without documented data retention policy. Following a GDPR audit, the external DPO implemented a processing register covering 12 types of HR processing, a candidate information notice compliant with Articles 13-14 GDPR, and automatic application deletion procedure at 24 months. Electronic signature of consent forms was deployed for situations where consent constituted the relevant legal basis, producing an auditable trail. The firm thus avoided an estimated fine of between €50,000 and €150,000 during a subsequent CNIL inspection.

Conclusion

Compliance with employment law is not merely a formal obligation: it constitutes a genuine lever for legal protection, HR performance and employee trust. In 2026, employers must simultaneously master Labour Code contractual requirements, GDPR obligations, CSE consultation rules, new NIS2 requirements and eIDAS standards for document dematerialisation.

Digitalisation of HR processes, notably through electronic signature, makes achieving this compliance considerably simpler when deployed with the right tools. Certyneo supports HR teams in this transformation: eIDAS-compliant solution, signature levels adapted to each document, integrated audit trail and secure retention.
