Certyneo

Employment Law Compliance: Employer Obligations

Between employment contracts, data protection and HR digitalisation, employers face growing obligations. Complete overview to remain compliant in 2026.

Certyneo Team · 11 min read


Compliance with employment law represents one of the major challenges for any business, regardless of its size. In 2026, with accelerated digitalisation of HR processes, strengthened GDPR requirements, the entry into force of new provisions from the Labour Act and the widespread adoption of electronic signature for HR, employers must master an increasingly dense regulatory framework. This article provides an overview of fundamental obligations, associated legal risks and best practices to ensure complete compliance.

Employer's Fundamental Contractual Obligations

The employment contract is the cornerstone of the employer-employee relationship. Its drafting, retention and signature involve specific responsibilities.

Mandatory form and content of the employment contract

In France, the Labour Code imposes mandatory provisions depending on the nature of the contract:

  • Permanent contract (CDI): although no written form is legally required for full-time permanent contracts, practice and legal certainty require a complete written document (duration, remuneration, qualification, workplace, applicable collective agreement).
  • Fixed-term contract (CDD): article L.1242-12 of the Labour Code mandatorily requires a written contract delivered to the employee within 48 hours of hiring, failing which it is reclassified as a permanent contract.
  • Part-time: article L.3123-6 requires a written contract specifying weekly or monthly duration.
  • Special contracts (temporary work, apprenticeship, vocational training): each is subject to specific formal rules.

Since 2023, European Directive 2019/1152 on transparent and predictable working conditions requires employers to provide employees with a written statement on their first day of work covering at least 11 key elements (identity of parties, working hours, remuneration, leave, notice procedures, etc.).

Electronic signature is now fully recognised for employment contracts following the transposition of the eIDAS regulation into French law. Article 1366 of the Civil Code establishes electronic writing as equivalent to paper writing provided that the author's identity is guaranteed and document integrity is assured.

Using an electronic signature solution in the company allows precise time-stamping of contract delivery, eliminates postal delays and guarantees complete traceability in case of dispute. The signature levels required vary: for most employment contracts, a simple or advanced electronic signature (SES or AES level according to eIDAS) is sufficient; sensitive contracts (settlement agreements, certain mandates) may require a qualified signature (QES).

Obligations Regarding Employee Personal Data Protection

Under GDPR (Regulation n°2016/679), the employer is qualified as a data controller with respect to employee personal data. This qualification entails considerable obligations.

Every employer must maintain a register of processing activities (article 30 GDPR) listing each HR data processing activity: payslips, annual assessments, geolocation, access control, professional messaging, etc. The legal basis varies by processing:

  • Contract execution: data necessary for payroll, leave, benefits.
  • Legal obligation: URSSAF declarations, DSN (Declarative Social Statement).
  • Legitimate interest: facility security, dispute management.
  • Consent: to be used cautiously in an employment context, since the power imbalance between employer and employee weakens its lawfulness.

In case of CNIL inspection, absence of a register exposes the employer to a fine reaching 10 million euros or 2% of global turnover (article 83§4 GDPR).

Employee rights and transparency obligations

The employer must inform employees of their rights (access, rectification, erasure, portability, objection) through a clear internal privacy policy provided during onboarding. The maximum response time to a request to exercise these rights is one month, with a possible two-month extension for complex requests.

Data retention periods must be strictly controlled: payslips may be retained for 5 years after contract termination, access control data for a maximum of 3 months as a rule, and disciplinary files according to the applicable limitation periods.

Occupational Health, Safety and Unique Risk Assessment Document

The employer's obligation of result for safety is enshrined in article L.4121-1 of the Labour Code. The employer must take all necessary measures to ensure worker safety and protect physical and mental health.

Unique Document for Evaluating Professional Risks (DUERP)

Since the decree of 18 March 2022, DUERP is mandatory for all companies with at least 1 employee. It must be:

  • Updated at least annually in companies with 11 or more employees, and whenever significant structural changes modify working conditions.
  • Retained for 40 years and made available to workers, the Works Council, labour inspectors and CARSAT prevention service agents.
  • Accessible on a national digital portal since 1 July 2023 for companies with 150 or more employees (portal managed by INRS).

Absence of a DUERP, or insufficient content, is a criminal offence: a fifth-class misdemeanour (€1,500 per affected employee), with the employer's civil liability also engaged in case of accident.

Prevention of Psychosocial Risks (PSR)

Since Court of Cassation rulings of 2002 (Asbestos cases), case law recognises a reinforced safety obligation for psychosocial risks (burn-out, moral harassment, workplace stress). The national interprofessional agreement of 19 June 2013 on quality of working life commits employers to implement prevention, information and training actions.

In 2024, DARES estimated that 48% of employees reported experiencing at least one marked physical or psychosocial constraint in their work. Integration of a PSR component in DUERP has become an essential practice for any diligent employer.

Information, Consultation Obligations and Works Council Role

In companies with at least 11 employees, establishment of a Works Council (CSE) is mandatory. Its functions are defined in articles L.2311-1 et seq. of the Labour Code.

Mandatory consultations

The Works Council must be consulted annually on three main topics:

  • Strategic directions of the company and their consequences on employment and occupations.
  • Economic and financial situation of the company.
  • Social policy, working conditions and employment (including social balance sheet in companies with more than 300 employees).

Specific consultations are also required before any major unilateral decision: planned collective redundancies, introduction of new technologies, modification of work organisation. An employer omitting this consultation faces obstruction of social representation charges (article L.2317-1), punishable by €7,500 fine for individuals and €37,500 for legal entities.

Economic, Social and Environmental Database (BDESE)

Since the Climate and Resilience Act of 2021, BDESE incorporates a mandatory environmental component. Permanently accessible to Works Council members, it must be updated according to a precise schedule. Dematerialisation of this database is now standard: many companies use secure platforms with strong authentication to manage access. A comparison of electronic signature solutions can help employers choose tools compatible with these documentary traceability requirements.

HR Digitalisation and Regulatory Compliance: 2026 Issues

Digital transformation of human resources is accelerating. In 2026, more than 65% of large French companies have dematerialised at least part of their HR documentary processes (source: 2025 Digital HR Barometer, Gartner). This evolution raises specific compliance questions.

Electronic Payslips

Article L.3243-2 of the Labour Code has authorised electronic payslip delivery since 2017, provided the employee has not objected. The employer must guarantee:

  • Availability of the payslip for 50 years or until the employee's 75th birthday.
  • Confidentiality of data via secure access with personal identifiers.
  • Right for the employee to oppose electronic delivery at any time.

Electronic Signature of HR Documents

Employment contracts, amendments, final settlement documents, settlement agreements and various certificates can now be electronically signed. The complete guide to electronic signature details security levels required for each document type. For settlement agreements, the DREETS (formerly DIRECCTE) accepts dematerialised submission via the TéléRC portal since 2017, and qualified electronic signature is recommended to secure the agreement.

Using an eIDAS-compliant solution also helps meet legal retention requirements: an employment contract signed electronically via a certified platform constitutes irrefutable evidence in case of employment tribunal litigation, unlike an unsecured email or PDF.

Cybersecurity and NIS2 Compliance

Since October 2024, NIS2 Directive (transposed into French law by Act n°2024-449 of 22 May 2024) imposes reinforced cybersecurity obligations on essential and important entities, including many employers in healthcare, energy, transport and digital services sectors. HR departments are directly concerned with securing payroll systems, HR databases and electronic signature tools. ANSSI recommends annual risk review integrating HR processes into the business continuity plan.

Employer compliance with employment law rests on a multidimensional legislative and regulatory corpus, articulating national and European law.

Labour Code (consolidated version 2026):

  • Articles L.1221-1 et seq.: formation and execution of employment contract.
  • Article L.1242-12: mandatory written form for fixed-term contracts under penalty of reclassification.
  • Article L.4121-1: general employer safety and prevention obligation.
  • Articles L.2311-1 to L.2317-1: Works Council functions and consultation, obstruction offences.
  • Article L.3243-2: dematerialised payslip delivery.

Civil Code:

  • Articles 1366 and 1367: legal value of electronic writing and electronic signature, equivalent to handwritten documents subject to author identification and document integrity conditions.
  • Article 1369: methods of concluding electronic contracts.

eIDAS Regulation n°910/2014/EU (updated by eIDAS 2.0, Regulation 2024/1183): distinguishes three electronic signature levels: simple (SES), advanced (AES) and qualified (QES). QES produces the same legal effects as a handwritten signature in all Member States. For ordinary employment contracts, SES or AES is generally sufficient; QES is recommended for settlement agreements and sensitive mandates.

GDPR — Regulation n°2016/679/EU:

  • Article 5: principles of lawfulness, fairness, data minimisation, accuracy, storage limitation, integrity and confidentiality.
  • Article 30: obligation to maintain register of processing activities.
  • Articles 12 to 22: rights of individuals concerned (employees), response deadlines and procedures.
  • Article 83: administrative sanctions reaching 20 million euros or 4% of global turnover for most serious violations.

Directive (EU) 2019/1152 on transparent and predictable working conditions: transposed in France by ordinance, it requires providing employees with a written statement on their first day of work.

NIS2 Directive (EU) 2022/2555, transposed by French Act n°2024-449 of 22 May 2024: obligation to manage cyber risks, notify incidents to ANSSI within 24 hours for major incidents, sanctions reaching 10 million euros or 2% of global turnover for essential entities.

ETSI Standards: EN 319 132 (advanced XML signature XAdES), EN 319 122 (CAdES), EN 319 142 (PAdES) — technical standards used by qualified trust service providers (QTSP) to guarantee eIDAS compliance of electronic signatures.

Practical risks: an employer failing to comply with these obligations faces employment tribunal litigation (fixed-term to permanent reclassification, dismissal annulment for procedural defect), criminal sanctions (obstruction offences, health-safety infractions), CNIL and ANSSI fines, and unlimited civil liability in case of workplace accident or personal data breach.

Use Scenarios: HR Compliance in Practice

Scenario 1 — A 120-Employee Industrial SME Dematerialises Employment Contracts

An industrial SME managing approximately 120 employees and frequently using seasonal fixed-term contracts faced a 15% error rate on contracts sent by post: exceeded return deadlines, missing signatures, reclassification risk. After deploying an eIDAS-compliant advanced electronic signature solution (AES), the HR department reduced average signature time from 4.5 days to less than 6 hours. The contractual compliance rate rose to 99.8%, practically eliminating reclassification risk. Time savings for the HR team were estimated at approximately 3 hours per recruitment, or annual savings exceeding 200 staff hours.

Scenario 2 — An 800-Employee Services Group Brings BDESE and DUERP into 2026 Compliance

A services group with approximately 800 employees spread across multiple sites faced unsynchronised DUERP updates and a BDESE that was incomplete on the environmental component, following the new Climate and Resilience legal framework. By structuring a 6-month HR compliance project (including occupational risk mapping by site, a DUERP update with a certified prevention consultant, and a BDESE redesign integrating environmental indicators), the group avoided two works inspectorate enforcement notices. Dematerialising Works Council access via a secure platform reduced consultation preparation time by 40%.

Scenario 3 — A 30-Person HR Consulting Firm Manages GDPR Compliance of Recruitment Processes

An HR consulting firm of approximately thirty employees collected CVs and candidate data without a clearly defined legal basis, without a processing register and without a documented data retention policy. Following a GDPR audit, the externally appointed Data Protection Officer implemented a processing register covering 12 HR processing types, a candidate information notice compliant with articles 13-14 GDPR, and an automatic procedure deleting candidate data at 24 months. Electronic signature of consent forms was deployed for situations where consent constituted the relevant legal basis, producing an auditable trail. The firm thus avoided an estimated €50,000 to €150,000 fine during a subsequent CNIL inspection.

Conclusion

Employment law compliance is not merely a formal obligation: it is a genuine lever for protection, a driver of HR performance and a builder of employee confidence. In 2026, employers must simultaneously master the contractual requirements of the Labour Code, GDPR obligations, Works Council consultation rules, new NIS2 requirements and eIDAS standards for documentary dematerialisation.

HR process digitalisation, notably via electronic signature, considerably simplifies achieving this compliance when deployed with appropriate tools. Certyneo supports HR teams in this transformation: eIDAS-compliant solution, signature levels adapted to each document, integrated audit trail and secure retention.

Ready to secure your HR processes? Discover the Certyneo solution for HR or calculate your return on investment now.
