HomeKnowledge HubWeekly Guidance Watch › The PIA Guides and the Open-Source PIA Software

Regulator guidance & tool · surfaced resource

The PIA Guides and the Open-Source PIA Software

Commission Nationale de l'Informatique et des Libertés (France)Guidance + open-source tool

The French regulator publishes a complete DPIA kit: a four-step method, fill-in templates, a controls knowledge base — and free, open-source software that runs the method end to end and exports the record. The software is actively maintained: version 4.1.0 shipped on 2 April 2026, the CNIL lists twenty available languages, and it installs on Windows, macOS and Linux or deploys to your own server. If you have heard it was being retired, that is wrong — and the CNIL has said so.

Published by
Commission Nationale de l'Informatique et des Libertés (CNIL) — the French supervisory authority
Named by the EDPB
France's entry in Annex 1 of the EDPB DPIA template Explainer, which links both the French and the English guides pages.
Type
Guidance — final. Three guides (Methodology, Templates, Knowledge bases), February 2018 editions, each published in English, plus an application guide for connected objects. And the PIA software — open source (GPL-3.0), free, current version 4.1.0, released 2 April 2026.
Jurisdiction
France (CNIL) — not binding in the UK. The method is jurisdiction-portable: it is built on the French ANSSI EBIOS risk method and is compatible with international risk-management standards such as ISO 31000, and the guides map to GDPR Article 35(7), which the UK GDPR carries across.
Primary audience
DPOs and privacy teams who need a repeatable, exportable DPIA record — and fractional or multi-client DPOs who need it to look the same every time
Topic tags
DPIA · risk management · tooling · accountability · privacy by design
Availability
Free. Guides in English and French. Software in twenty-plus languages (the CNIL lists twenty; the repository ships more), desktop builds for Windows / macOS / Linux with local storage, or a front-end plus REST back-end for internal deployment. Cite the French software page — the CNIL's English page still describes the tool as a “beta version”, which has been out of date for years.

Why it matters

Two things stand out. The first is the software, which is a defensible free way to produce a consistent DPIA record across a portfolio of clients: it walks the CNIL method step by step, carries a contextual legal and technical knowledge base drawn from the guides, visualises the risk picture, and gates DPO sign-off on every section being evaluated. Because it is open source it can be forked — sector-specific knowledge bases, or wiring into internal tooling. Desktop builds keep the data local. The second is a detail in an appendix of Guide 1 that is easy to miss: an appendix mapping the WP248 rev.01 criteria to the four chapters of the method, with the criteria annotated against Article 35(7)(a)–(d). That is an audit-ready coverage matrix — the cleanest artefact we know of for demonstrating that your DPIA method actually covers what Article 35(7) requires, rather than asserting it. Note what the CNIL is careful not to claim. Guide 1 states plainly that “the methodology does not address the initial conditions which determine whether or not a PIA needs carrying out … or the subsequent conditions which determine whether or not the supervisory authority needs consulting” — the method tells you how, never whether. For whether, you need the lists: the CNIL's own Article 35(4) list (fourteen types, adopted 11 October 2018) and its Article 35(5) list (twelve types, 12 September 2019) are published French-only on cnil.fr — the EDPB's register carries English translations of both, which is another reason to run cross-border screening from there. Finally, the correction. The EDPB's draft DPIA template in April 2026 was read in some quarters as the CNIL retiring its tools — the CNIL evidently thought the point needed making, because it addressed it directly, under the heading “Les outils AIPD actuels resteront pleinement utilisables”: the European template “viendra compléter les outils déjà mis à disposition par la CNIL, notamment ses modèles, sa méthode, ses bases de connaissance et le logiciel PIA”, and DPIAs already carried out “demeurent valides”. It is not being retired. A free, maintained, exportable tool with a regulator's name on it is worth knowing about: it removes a licence line from a budget and adds a provenance line to a file.

A Weekly Guidance Watch resource entry, curated by VulaPri. We summarise and link to the original; we do not reproduce or host it. Suggest a correction.