Employment Law Compliance: Employer Obligations
Amid employment contracts, data protection, and HR digitalisation, employers face growing obligations. A comprehensive overview to remain compliant in 2026.
Certyneo Team
Compliance with employment law constitutes one of the major challenges for any business, regardless of its size. In 2026, between accelerated digitalisation of HR processes, strengthened GDPR enforcement, the entry into force of new provisions from labour legislation and the widespread adoption of electronic signature for HR, employers must master an increasingly complex regulatory framework. This article reviews the fundamental obligations, associated legal risks and best practices for ensuring full compliance.
The fundamental contractual obligations of the employer
The employment contract is the cornerstone of the employer-employee relationship. Its drafting, retention and signing entail precise responsibilities.
Mandatory form and content of the employment contract
In France, the Labour Code imposes mandatory provisions depending on the nature of the contract:
- Permanent Contract (CDI): although no written form is legally required for full-time permanent contracts, legal practice and security impose a complete written agreement (duration, remuneration, role, place of work, applicable collective agreement).
- Fixed-Term Contract (CDD): Article L.1242-12 of the Labour Code imperatively requires a written document handed to the employee within 48 hours of hire, failing which it is reclassified as a permanent contract.
- Part-time: Article L.3123-6 imposes a written contract specifying weekly or monthly duration.
- Special contracts (temporary work, apprenticeship, professional development): each follows specific formal rules.
Since 2023, European Directive 2019/1152 on transparent and predictable working conditions requires the employer to provide the employee with a written statement on the first day of work covering at least 11 key elements (identity of parties, working hours, remuneration, leave, notice procedures, etc.).
Contract signature: legal validity and dematerialisation
Electronic signature is now fully recognised for employment contracts following the transposition of the eIDAS Regulation into French law. Article 1366 of the Civil Code recognises electronic documents as equivalent to paper documents provided the author's identity is guaranteed and document integrity is assured.
Using an electronic signature solution in the enterprise allows precise time-stamping of contract delivery, eliminates postal delays and guarantees complete traceability in case of dispute. The signature level required varies: for most employment contracts, a simple or advanced electronic signature (SES or AES level under eIDAS) is sufficient; sensitive contracts (conventional termination, certain mandates) may require a qualified signature (QES).
Obligations regarding personal data protection of employees
Under the GDPR (Regulation No. 2016/679), the employer is designated as controller regarding personal data of its employees. This designation entails considerable obligations.
Register of processing activities and legal basis
Every employer must maintain a register of processing activities (Article 30 GDPR) listing each HR data processing: payslips, annual evaluations, geolocation, access control, professional messaging, etc. The legal basis varies according to processing:
- Contract performance: data necessary for payroll, leave, health insurance.
- Legal obligation: URSSAF declarations, DSN (Nominative Social Declaration).
- Legitimate interest: facility security, dispute management.
- Consent: to be used cautiously in an employment context, since the power imbalance between employer and employee undermines its validity.
In case of CNIL inspection, absence of register exposes the employer to a fine reaching €10 million or 2% of global turnover (Article 83§4 GDPR).
Employee rights and transparency obligations
The employer must inform employees of their rights (access, rectification, erasure, portability, objection) via a clear internal confidentiality policy provided during onboarding. The deadline to respond to a data subject request is one month maximum, with possible extension of two months for complex requests.
Data retention periods must be strictly regulated: payslips may be retained for 5 years after the end of the contract, access control data for 3 months maximum in principle, and disciplinary files according to the applicable limitation periods.
Health, safety at work and unique document for risk assessment
The employer's safety obligation, an obligation of result, is established by Article L.4121-1 of the Labour Code. The employer must take all necessary measures to ensure safety and protect the physical and mental health of workers.
Unique Document for Evaluation of Occupational Risks (DUERP)
Since the decree of 18 March 2022, the DUERP is mandatory for all enterprises with at least 1 employee. It must be:
- Updated at least annually in enterprises with 11 or more employees, and whenever significant organisational changes modify working conditions.
- Retained for 40 years and made available to workers, the Committee, labour inspectors and CARSAT prevention agents.
- Accessible via a national digital portal since 1 July 2023 for enterprises with 150 or more employees (portal managed by INRS).
Absence of DUERP or its insufficiency is criminally sanctioned: fifth-class misdemeanour (€1,500 per employee affected) and potential civil liability of the employer in case of accident.
Prevention of psychosocial risks (PSR)
Since Court of Cassation rulings from 2002 (Asbestos cases), case law recognises a reinforced safety obligation for psychosocial risks (burnout, moral harassment, professional stress). The National Interprofessional Agreement of 19 June 2013 on quality of working life commits employers to implement prevention, information and training measures.
In 2024, DARES estimated that 48% of employees reported suffering at least one marked physical or psychosocial constraint in their work. Integration of a PSR section in the DUERP has become an essential practice for any diligent employer.
Information, consultation obligations and the role of the Social and Economic Committee
In enterprises with at least 11 employees, establishment of a Social and Economic Committee (CSE) is mandatory. Its powers are defined in Articles L.2311-1 et seq. of the Labour Code.
Mandatory consultations
The CSE must be consulted annually on three major themes:
- Strategic directions of the enterprise and their consequences for employment and skills.
- Economic and financial situation of the enterprise.
- Social policy, working conditions and employment (including social report in enterprises with over 300 employees).
Specific consultations are also required before any major unilateral decision: collective redundancy plan, introduction of new technologies, modification of work organisation. An employer omitting this consultation is exposed to the offence of obstruction (Article L.2317-1), punishable by €7,500 fine for individuals and €37,500 for legal entities.
Database of economic, social and environmental information (BDESE)
Since the Climate and Resilience Act of 2021, the BDESE includes a mandatory environmental component. Permanently accessible to CSE members, it must be updated according to a precise schedule. Dematerialisation of this database is now standard: many enterprises use secure platforms with strong authentication to manage access. A comparison of electronic signature solutions can help employers choose tools compatible with these documentary traceability requirements.
HR digitalisation and regulatory compliance: challenges for 2026
Digital transformation of human resources is accelerating. In 2026, more than 65% of large French enterprises have dematerialised at least part of their HR documentary processes (source: HR Digital Barometer 2025, Gartner). This evolution raises specific compliance questions.
Electronic payslips
Article L.3243-2 of the Labour Code has authorised delivery of payslips in electronic form since 2017, provided the employee has not objected. The employer must guarantee:
- Availability of the payslip for 50 years or until the employee reaches 75 years old.
- Confidentiality of data via secure access by personal identifiers.
- The employee's ability to object at any time to electronic delivery.
Electronic signature of HR documents
Employment contracts, amendments, settlement releases, conventional terminations and various certificates may now be electronically signed. The complete guide to electronic signature details the security levels required according to each document type. For conventional terminations, the DREETS (former DIRECCTE) accepts dematerialised transmission via the TéléRC portal since 2017, and qualified electronic signature is recommended to secure the agreement.
Using an eIDAS-compliant solution also ensures compliance with legal retention requirements: an electronically signed employment contract via a certified platform constitutes irrefutable proof in case of employment tribunal dispute, unlike simple email or unsecured PDF.
Cybersecurity and NIS2 compliance
Since October 2024, the NIS2 Directive (transposed into French law by Act No. 2024-449 of 22 May 2024) imposes reinforced cybersecurity obligations on essential and important entities, including many employers in health, energy, transport and digital services sectors. HR departments are directly concerned with securing payroll systems, HR databases and electronic signature tools. ANSSI recommends annual review of cyber risks incorporating HR processes in the business continuity plan.
Legal framework applicable to employer HR compliance
Employer compliance with employment law rests on a multidimensional legislative and regulatory corpus, articulating national and European law.
Labour Code (consolidated version 2026):
- Articles L.1221-1 et seq.: formation and performance of employment contract.
- Article L.1242-12: mandatory written form of fixed-term contract or reclassification.
- Article L.4121-1: general employer obligation of safety and prevention.
- Articles L.2311-1 to L.2317-1: CSE powers and consultation, obstruction offence.
- Article L.3243-2: dematerialised delivery of payslip.
Civil Code:
- Articles 1366 and 1367: legal value of electronic document and electronic signature, equivalence with handwritten document subject to identification of author and document integrity.
- Article 1369: conditions for conclusion of electronic contracts.
eIDAS Regulation No. 910/2014/EU (updated by eIDAS 2.0, Regulation 2024/1183): Distinguishes three levels of electronic signature: simple (SES), advanced (AES) and qualified (QES). QES produces the same legal effects as handwritten signature in all Member States. For ordinary employment contracts, SES or AES is generally sufficient; QES is recommended for conventional terminations and sensitive mandates.
GDPR — Regulation No. 2016/679/EU:
- Article 5: principles of lawfulness, fairness, data minimisation, accuracy, storage limitation, integrity and confidentiality.
- Article 30: obligation to maintain register of processing activities.
- Articles 12 to 22: rights of data subjects (employees), response deadlines and procedures.
- Article 83: administrative penalties reaching €20 million or 4% of global turnover for most serious violations.
Directive (EU) 2019/1152 on transparent and predictable working conditions: transposed in France by ordinance, it requires provision of a written statement to the employee on the first day of work.
NIS2 Directive (EU) 2022/2555, transposed by French Act No. 2024-449 of 22 May 2024: obligation for risk management, notification of incidents to ANSSI within 24 hours for major incidents, penalties reaching €10 million or 2% of global turnover for essential entities.
ETSI Standards: EN 319 132 (advanced XML signature XAdES), EN 319 122 (CAdES), EN 319 142 (PAdES) — technical standards used by qualified trust service providers (QTSP) to ensure eIDAS compliance of electronic signatures.
Practical risks: an employer failing to comply with these obligations faces employment tribunal disputes (reclassification of fixed-term to permanent contract, dismissal annulment for procedural defect), criminal penalties (obstruction offence, health-safety violations), CNIL and ANSSI fines, and unlimited civil liability in case of workplace accident or personal data breach.
Usage scenarios: HR compliance in practice
Scenario 1 — An industrial SME of 120 employees dematerialises its employment contracts
An industrial SME managing approximately 120 employees and frequently using seasonal fixed-term contracts faced a 15% error rate on contracts sent by post: missed return deadlines, missing signatures, reclassification risk. After deploying an advanced electronic signature solution (AES) compliant with eIDAS, the HR department reduced average signing time from 4.5 days to less than 6 hours. Contractual compliance rate improved to 99.8%, practically eliminating reclassification risk. Time gain for the HR team was estimated at approximately 3 hours per recruitment, totalling annual savings of over 200 staff-hours.
Scenario 2 — A services group of 800 collaborators brings its BDESE and DUERP into compliance with 2026 requirements
A services group with approximately 800 collaborators across multiple sites faced desynchronised DUERP updates and incomplete BDESE regarding environmental aspects, following introduction of new Climate and Resilience legislation. By structuring an HR compliance project over 6 months — including occupational risk mapping by site, DUERP update with certified prevention consultant, and BDESE redesign with environmental indicators — the group avoided two warnings from labour inspectors. Dematerialisation of CSE access via a secure platform reduced preparation time for mandatory consultations by 40%.
Scenario 3 — An HR consulting firm of 30 people manages GDPR compliance of its recruitment processes
An HR consulting firm with approximately 30 collaborators collected CV data and candidate information without a clearly defined legal basis, without a processing register and without a documented data retention policy. Following a GDPR audit, the externally appointed DPO implemented a processing register covering 12 types of HR processing, a candidate information notice compliant with Articles 13-14 GDPR, and an automatic deletion procedure for applications at 24 months. Electronic signature of consent forms was deployed for situations where consent constituted the relevant legal basis, producing an auditable paper trail. The firm thus avoided an estimated fine of between €50,000 and €150,000 during a subsequent CNIL inspection.
Conclusion
Employment law compliance is not merely a formal obligation: it is a genuine lever for legal protection, HR performance and employee trust. In 2026, employers must simultaneously master Labour Code contractual requirements, GDPR obligations, CSE consultation rules, new NIS2 requirements and eIDAS standards for document dematerialisation.
Digitalisation of HR processes — particularly via electronic signature — considerably simplifies this compliance when deployed with appropriate tools. Certyneo supports HR teams in this transformation: eIDAS-compliant solution, signature levels adapted to each document, integrated audit trail and secure retention.