France enters the second half of 2026 in a distinctive position among major EU member states: the EU AI Act's prohibited practices and GPAI obligations are in force, the CNIL is actively publishing AI guidance, but the parliamentary process to formally designate France's national competent authorities under Article 70 of Regulation (EU) 2024/1689 has stalled. A draft law proposed in September 2025 was later withdrawn from Parliament. For operators deploying AI in France, the practical consequence is that obligations under the Regulation are operative while the national enforcement architecture is still forming. This guide maps both layers: what the EU Regulation requires of operators in France today, and what France's own legal tradition (the Code civil, the SREN law, and sector-specific supervision) adds on top.
Key takeaways
- France has not yet formally enacted its national competent authority designation under Article 70. A September 2025 draft proposed the DGCCRF as coordinator with 17 sectoral authorities as market surveillance bodies. That draft was withdrawn from Parliament and the formal designation remains incomplete as of June 2026.
- The CNIL is France's data protection authority and the single most active AI regulatory body in France. It enforces GDPR as applied to AI, has published five major AI guidance documents since February 2025, and would hold the market surveillance role for 15 AI use categories under the proposed framework.
- French civil liability under Articles 1240 (fault-based) and 1242 (liability for things in one's keeping, strict liability) of the Code civil applies to AI-caused harm now. The custody-of-thing doctrine is particularly significant for autonomous AI agents.
- The ACPR (prudential supervisor for banks and insurers) has an active AI task force and would be the market surveillance authority for credit and insurance AI systems under Annex III. Financial services operators in France face ACPR supervisory expectations alongside EU AI Act obligations.
- The SREN law (Loi n. 2024-449) criminalises non-consensual deepfakes. Operators generating or deploying synthetic media in France must comply with Article 226-8 of the French Criminal Code and, from 2 August 2026, with Article 50 of the EU AI Act.
- The revised Product Liability Directive (EU) 2024/2853, which includes AI software within the product definition, applies to products placed on the market after 9 December 2026. France must transpose it by that date. The French transposition instrument has not yet been published.
The EU AI Act obligations already in force in France
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and is directly applicable law in France without the need for national transposition. Its obligations apply in phases. Several of those phases have already passed.
Since 2 February 2025, the prohibited practices under Article 5 have applied. These cover AI systems that manipulate human behaviour through subliminal techniques beyond conscious perception, systems that exploit vulnerabilities of individuals, untargeted scraping of facial images from the internet for biometric databases, emotion recognition in workplace and educational contexts, biometric categorisation inferring sensitive attributes, social scoring by public authorities, and certain real-time remote biometric identification systems for law enforcement. An operator deploying a system in France that falls within any of these categories is in breach of EU law today, regardless of the state of France's national enforcement designation. Penalties under Article 99 for prohibited practice violations reach up to 35 million euros or 7 percent of global annual turnover, whichever is higher.
Since 2 February 2025, the AI literacy obligation under Article 4 has applied. Deployers must take measures to ensure a sufficient level of AI literacy among their staff and others who operate AI systems on their behalf. The Digital Omnibus provisional agreement proposes softening the wording to a duty to support AI literacy development, but this softening is not yet formally adopted and the obligation as written remains in force.
Since 2 August 2025, GPAI model obligations under Chapter V have applied. Providers of general-purpose AI models have been required to maintain technical documentation, comply with copyright law, and publish summaries of training data. Models presenting systemic risk face additional obligations including adversarial testing and serious incident reporting. The European AI Office, which coordinates GPAI supervision at EU level, began its GPAI enforcement activities on 2 August 2026.
From 2 August 2026, Article 50 transparency obligations apply. Deployers of AI chatbots must inform users they are interacting with an AI system. AI-generated or manipulated content, including deepfakes, must be labelled in machine-readable form. Biometric categorisation and emotion recognition systems must notify individuals subject to them. This obligation is not deferred by the Digital Omnibus proposal. The European Commission published guidance on Article 50 implementation in June 2026, including a Code of Practice for transparency labelling. A narrow grace period until 2 December 2026 applies only to the machine-readable watermarking element under Article 50(2) for systems already on the market before 2 August 2026.
The binding legal deadline for the high-risk AI deployer obligations under Article 26 is also 2 August 2026, though a proposed deferral exists. A deployer of a high-risk system under Article 6 and Annex III must: use the system according to the instructions of use provided by the provider; assign competent human oversight personnel; take technical and organisational measures to ensure human operators can understand the system's capabilities; verify that input data is relevant and representative; retain automatically generated logs for a minimum of six months; inform their provider or distributor and the relevant market surveillance authority of any serious incident or malfunction; and, where deploying a system used in decision-making affecting individuals, conduct or commission a Fundamental Rights Impact Assessment (FRIA) under Article 27 if required by the system type.
The Digital Omnibus provisional agreement of 7 May 2026 proposes moving the high-risk Annex III deadline from 2 August 2026 to 2 December 2027. This agreement is not yet formally adopted by the Council and Parliament, not published in the Official Journal, and not in force. The legally binding deadline for high-risk Annex III systems is 2 August 2026 until formal adoption and publication occur. Operators should plan against 2 August 2026 while monitoring the formal adoption process.
France's national implementation: the DGCCRF, CNIL, and the stalled designation
Article 70 of the EU AI Act required Member States to designate one or more national competent authorities by 2 August 2025. France has not met that deadline as of June 2026.
On 9 September 2025, the Ministry of Economy and Finance published a draft law proposing France's national implementation framework. The proposal was architecturally complex: a decentralised model distributing market surveillance responsibilities across 17 authorities, rather than establishing a single AI regulator.
Under the September 2025 draft, the DGCCRF would serve as the single point of contact under Article 70(2) and as operational coordinator of the market surveillance authorities. The Direction generale des entreprises (DGE) would serve as France's strategic representative to the European AI Committee under Article 65. This dual-coordination structure, operational coordination by the DGCCRF and strategic representation by the DGE, reflects France's tradition of separating market surveillance from industrial policy functions.
The draft proposed the following sectoral distribution for key categories. For Article 5 prohibited practices: the CNIL (for prohibited practices involving emotion recognition and biometric systems), ARCOM (for media-related prohibited practices), and the DGCCRF (for consumer-facing prohibited practices). For product-embedded high-risk systems under Annex I: the DGCCRF, ANSM (Agence nationale de securite du medicament et des produits de sante), and DGPR (Direction generale de la prevention des risques). For high-risk systems under Annex III: the ACPR for credit and insurance; sector authorities for employment, education, and access to essential services.
Three authorities were proposed as fundamental rights protection authorities under Article 77: the DGCCRF, the CNIL, and the Defender of Rights. Under Article 77, these bodies would have the right to request documentation on high-risk AI systems deployed in France and, where documentation is insufficient, to require technical testing to assess compliance with fundamental rights obligations.
The provisions concerning the formal designation of national competent authorities were withdrawn from the bill as submitted to Parliament, and no alternative legislative vehicle has been announced as of June 2026. France's formal Article 70 designation therefore remains incomplete. The European AI Office and the AI Board have noted that only a minority of member states have completed their formal designation, and the absence of a national designation does not suspend EU AI Act obligations, which are directly applicable by virtue of being an EU Regulation.
The CNIL: France's most active AI regulatory body
Whatever the status of the formal national authority designation, the CNIL is the practical authority for AI operators in France who process personal data. That category includes the vast majority of commercially deployed AI systems.
The CNIL has published a structured series of AI guidance documents since early 2025. In February 2025 it published two recommendations: one on informing data subjects about AI processing, and one on facilitating the exercise of individual rights (access, rectification, objection) in AI contexts. Both are framed under the GDPR and are non-binding recommendations that nonetheless represent the CNIL's enforcement expectations.
On 22 July 2025 the CNIL published three further practical guidance documents: guidance on annotation of training data and GDPR compliance, guidance on security requirements during AI system development, and guidance on the GDPR status of AI models (addressing when a trained model should itself be treated as personal data). These July 2025 publications are the most technically detailed AI governance documents any French authority has issued.
For 2026, the CNIL has announced a programme covering guidance on the responsibilities of actors in the AI creation chain (model designers, reusers, integrators, deployers) under the GDPR, and guidance articulating the intersection of GDPR and EU AI Act obligations. The CNIL's 2026 AI guidance programme is the closest France currently has to an official AI governance roadmap for operators.
The CNIL's GDPR enforcement of AI is not merely advisory. The CNIL has fining powers of up to 20 million euros or 4 percent of global annual turnover for GDPR violations. Where an AI system processes personal data in breach of the GDPR, for example by failing to provide legally adequate transparency about automated decision-making or by lacking a valid legal basis for processing, the CNIL can investigate and sanction under existing powers, independent of the EU AI Act enforcement regime.
For deployers specifically, the CNIL has signalled that its planned 2026 guidance will address how GDPR obligations apply to the deployer role in AI supply chains, including the question of whether deployers are controllers, processors, or joint controllers when they use third-party AI models for processing that affects their customers. This question has material implications for liability allocation, particularly where an AI system produces harmful outputs based on personal data the deployer provided.
French civil liability and the Code civil: what applies today
French civil liability for AI-caused harm operates through Articles 1240 and 1242 of the Code civil. These provisions apply to AI-related damage today, independently of any AI-specific statute and without waiting for EU AI Act enforcement to be operational in France.
Article 1240: fault-based liability
Article 1240 of the Code civil provides that any act which causes harm to another creates an obligation in the person by whose fault it occurred to make reparation for it. Applied to AI systems, this means a claimant who suffers harm from an AI output must prove three elements: damage (a quantifiable loss), fault or negligence (a failure to act as a reasonably prudent operator would have), and causal link between the fault and the damage.
The fault standard under Article 1240 is sensitive to the foreseeable nature of AI risk. An operator who deploys a large language model for legal or financial advice without adequate disclosure, validation, or human review may be found at fault not because the AI failed in a technical sense, but because a reasonably prudent operator would have implemented measures to prevent reliance on AI outputs in high-stakes contexts. The precedent from other jurisdictions is instructive: in Moffatt v. Air Canada (2024, British Columbia Civil Resolution Tribunal), an airline was held liable under consumer protection principles for its chatbot's incorrect bereavement fare advice, with the tribunal rejecting the airline's argument that chatbot outputs were distinct from company representations. While that case arose in Canadian law, the underlying principle (that an operator bears responsibility for what its AI system says to users) maps directly to the fault standard under Article 1240.
Article 1242: liability for things in one's keeping
Article 1242 of the Code civil is more significant for AI operators and more immediately threatening. It provides that one is liable not only for harm one causes by one's own action, but also for harm caused by things which one has in one's keeping. French courts have developed the garde de la chose (custody of a thing) doctrine as a form of strict liability: where a thing is the active instrument of harm, its keeper is liable without the need for the claimant to prove fault.
The application of Article 1242 to AI systems is not yet settled in French jurisprudence, but the doctrinal case is strong. An AI agent that operates autonomously, makes decisions and takes actions on behalf of its deployer, and causes harm through those actions is a plausible candidate for the garde de la chose regime. The deployer, as the entity that configures, deploys, and benefits from the agent's operation, is likely to be treated as the keeper. Under this analysis, a claimant harmed by an autonomous AI agent would need to prove only that the agent was the active cause of the harm, not that the deployer was negligent.
This strict liability exposure is distinct from, and in some respects more immediate than, the EU AI Act's enforcement regime. It does not require a market surveillance authority to initiate proceedings. Any person harmed by an AI system an operator deploys in France can bring a civil claim under Article 1242 before the tribunal judiciaire. The practical implication is that operators of autonomous AI agents in France are exposed to civil liability now, at a level that does not require demonstrating fault.
The Product Liability Directive and French transposition
Directive (EU) 2024/2853, the revised Product Liability Directive, was published in the Official Journal on 18 November 2024 and entered into force on 8 December 2024. It applies to products placed on the market or put into service after 9 December 2026. France's national transposition deadline is also 9 December 2026.
The revised Directive expressly includes software and AI systems within the definition of product, closing the gap in the original 1985 Directive (85/374/EEC) that excluded intangibles. For AI systems specifically, the revised Directive introduces a rebuttable presumption of defectiveness where the AI system does not comply with applicable EU law, including the EU AI Act, or where a defendant fails to disclose evidence relevant to the defect assessment. This presumption materially eases the claimant's burden of proof for AI-related product liability claims.
In France, the existing product liability regime is codified in Articles 1245 to 1245-17 of the Code civil, implementing the original 1985 Directive. The French transposition of the 2024 Directive will amend these provisions. Industry observers expect the French government to proceed by ordonnance or by amending the Code civil directly, but the transposition instrument had not been published on Legifrance as of June 2026.
The combination of the revised Product Liability Directive and Article 1242 of the Code civil creates a layered liability environment for AI operators in France from December 2026: strict product liability for defective AI products under the Directive transposition, and strict custody liability under Article 1242 for AI systems operating as autonomous agents. These are distinct legal bases that may be pleaded in the alternative by claimants.
The SREN law and France's pre-existing AI-specific obligations
France enacted specific digital regulation before the EU AI Act through the SREN law (Loi n. 2024-449, the loi visant a securiser et a reguler l'espace numerique), which entered into force in May 2024. The SREN law amended Article 226-8 of the French Criminal Code to make the production and dissemination of non-consensual deepfakes a criminal offence where the artificial nature of the content is not made manifest.
The criminal penalties are significant. Production or dissemination of a non-consensual deepfake carries up to one year imprisonment and a 15,000 euro fine. Where the offence is committed through an online public communications service, penalties increase to two years' imprisonment and 45,000 euros. ARCOM has responsibility for monitoring compliance in the audiovisual and digital domain, alongside the French judiciary.
The SREN deepfake provisions are not substituted or suspended by Article 50 of the EU AI Act. They operate in parallel. From 2 August 2026, operators who generate AI content or AI-manipulated media in France must comply with both regimes: the criminal law requirement under Article 226-8 of the Criminal Code (disclosure of artificial nature) and the Article 50 EU AI Act labelling obligation (machine-readable marking of AI-generated content). These requirements are broadly consistent, but the Article 226-8 criminal liability is more severe and requires no formal EU enforcement architecture to trigger prosecution.
ARCOM, ACPR, and the sectoral layer
The proposed French national authority framework distributes AI supervision across sectors, and two authorities beyond the CNIL and DGCCRF are particularly relevant for operators in major industry verticals.
ARCOM (Autorite de regulation de la communication audiovisuelle et numerique) would hold market surveillance authority for prohibited practices involving AI in the audiovisual and media sectors, including AI-generated disinformation, manipulated political content, and synthetic media that falls within Article 5's scope of harmful manipulation. ARCOM already has enforcement powers over platforms hosting such content under the SREN law and the EU Digital Services Act.
ACPR (Autorite de controle prudentiel et de resolution), the prudential supervisor for banks and insurers under the Banque de France, has established a dedicated cross-functional AI task force addressing the legal articulation of the EU AI Act with Solvency II, the Insurance Distribution Directive, DORA, and GDPR. The ACPR's task force is developing AI audit methodologies covering fairness, explainability, and bias testing, and is running industry workshops to assess preparedness among French financial institutions. For insurance operators deploying AI in underwriting, pricing, claims handling, or fraud detection, ACPR supervisory expectations are operationally binding regardless of the formal designation status, and align with the EIOPA Opinion on AI governance and risk management (EIOPA-BoS-25-360, August 2025), which addresses all EU national insurance supervisors.
Insurance implications for operators in France
Operators of AI systems in France face liability exposure from three distinct and concurrent sources, each with its own trigger mechanism, evidentiary standard, and potential financial consequence.
First, EU AI Act penalties. Violations of Article 5 prohibited practices carry potential fines of up to 35 million euros or 7 percent of global annual turnover. Violations of other AI Act obligations carry fines of up to 15 million euros or 3 percent of turnover. Incorrect or misleading information to supervisory authorities triggers fines of up to 7.5 million euros or 1 percent of turnover. Until France's formal market surveillance authority designation is enacted, the European AI Office can exercise direct enforcement powers in relation to GPAI model providers, and Member State authorities are obliged to apply the Regulation even in the absence of formal designation.
Second, French civil liability. Claims under Articles 1240 and 1242 of the Code civil can be brought by any person who suffers harm from a deployed AI system. There is no requirement to first exhaust regulatory proceedings. The garde de la chose doctrine under Article 1242 provides a strict liability path that does not require proof of fault. Damages recoverable under the Code civil include patrimonial damage (financial loss, including loss of earnings and costs of remediation) and extra-patrimonial damage (moral harm, pain and suffering).
Third, product liability from December 2026. Once France transposes Directive (EU) 2024/2853, AI software placed on the French market after 9 December 2026 that causes damage will be subject to the revised product liability regime, with rebuttable presumptions of defectiveness and expanded heads of recoverable damage including data loss and medically recognised psychological harm.
Standard commercial general liability and professional indemnity policies predating 2024 were not underwritten against this liability landscape. Several contain AI exclusion clauses or were priced without accounting for the AI Act penalty regime. The EIOPA Opinion (EIOPA-BoS-25-360) signals that EU supervisors, including the ACPR, expect insurance carriers to develop specific AI liability products as a genuine market category. Carriers actively writing AI liability cover in the European market include Munich Re (aiSure parametric coverage), Armilla (Lloyd's of London coverholder, AI liability and performance cover), and HSB (Hartford Steam Boiler, Munich Re group). Operators in France deploying autonomous AI agents should assess their existing policy coverage against AI-specific exclusions and consult a qualified insurance professional about available standalone AI liability cover.
What operators should do now
The practical compliance programme for an operator deploying AI in France in 2026 addresses obligations that are already in force, obligations that fall due in August 2026, and preparatory steps for the December 2026 product liability transition.
Immediately, operators should audit their AI deployments against the Article 5 prohibited practices list. Any system that falls within the prohibited categories (emotion recognition in the workplace, social scoring, subliminal manipulation, untargeted biometric database building) is illegal under EU law and has been since February 2025. The absence of a formally designated French market surveillance authority does not reduce this risk; the European AI Office maintains direct enforcement powers and the CNIL can refer concerns under GDPR.
Also immediately, operators should assess their GDPR compliance posture for AI systems that process personal data. The CNIL's 2025 guidance provides the most detailed available standards for what compliant AI development and deployment looks like in France. Operators using third-party AI models to process customer data should map their controller-processor relationships and ensure data processing agreements reflect current CNIL expectations.
Before 2 August 2026, operators must implement Article 50 transparency labelling. Any chatbot or conversational AI interface must disclose its AI nature to users. Any AI-generated content must carry machine-readable labelling. This is a non-negotiable compliance step that proceeds regardless of the Digital Omnibus deferral, which does not affect Article 50's date.
For operators whose systems may qualify as high-risk under Annex III, the prudent position is to begin Article 26 compliance preparation now: documenting the risk management system, establishing human oversight procedures, implementing log retention for at least six months, and assessing whether an Article 27 Fundamental Rights Impact Assessment is required. If formal adoption of the Digital Omnibus defers the deadline to December 2027, that preparation will not be wasted; it represents the operational standard that the French supervisory framework will apply regardless of the formal date.
Before 9 December 2026, operators placing AI software products on the French market should assess their product liability exposure under the forthcoming transposition of Directive (EU) 2024/2853. Systems that do not comply with EU AI Act requirements will face a rebuttable presumption of defectiveness in product liability claims. Compliance with the AI Act is therefore also a product liability risk management measure.
For the broader EU AI Act operator obligations and a structured framework for compliance documentation, the Article 26 deployer obligations guide on agentliability.eu provides detailed analysis. For the insurance coverage dimension of AI liability in European markets, see agentinsured.eu.
Frequently asked questions
Which authority enforces the EU AI Act in France?
France has not yet completed its formal parliamentary process for designating national competent authorities under Article 70. A draft law published in September 2025 proposed the DGCCRF as the single point of contact and coordinator, with 17 sectoral authorities as market surveillance bodies. That draft was withdrawn from Parliament and the formal designation has not been enacted as of June 2026. The CNIL and DGCCRF are the practical regulatory contacts today.
What is the CNIL's role in AI in France?
The CNIL is France's data protection authority and the most active AI oversight body in France. It enforces GDPR as applied to AI, has published five major AI guidance documents since February 2025, and under France's proposed national framework would hold market surveillance authority for 15 AI use categories and fundamental rights protection authority under Article 77. Its 2026 guidance programme covers deployer responsibilities in AI supply chains and the GDPR-EU AI Act intersection.
How does French civil liability apply to AI operators?
Article 1240 of the Code civil imposes fault-based liability: an operator who fails to deploy AI with reasonable care is liable for resulting harm. Article 1242 imposes strict liability for things in one's keeping: where an AI agent operating autonomously causes harm, its deployer, as the keeper of the system, may be liable without proof of fault. These provisions apply today and do not depend on the EU AI Act enforcement architecture being operational in France.
Does France have a national AI law?
France does not have a standalone national AI statute comparable to Italy's Law 132/2025. The EU AI Act is directly applicable in France as an EU Regulation without national transposition. France's legislative work has focused on designating national authorities to implement the Regulation, a process that stalled in Parliament in late 2025. The SREN law (Loi n. 2024-449) enacted in May 2024 provides criminal liability for non-consensual deepfakes under Article 226-8 of the French Criminal Code, which is France's most significant AI-specific national legal provision.
When does the revised Product Liability Directive apply in France?
Directive (EU) 2024/2853 applies to products placed on the market after 9 December 2026. France's transposition deadline is also 9 December 2026. The French transposition instrument has not been published as of June 2026. Once transposed, the Directive introduces a rebuttable presumption of defectiveness for AI systems that do not comply with EU AI Act requirements, and expands recoverable damage to include data loss and medically recognised psychological harm.
What does Article 50 of the EU AI Act require in France by August 2026?
Article 50 transparency obligations apply from 2 August 2026 and are not deferred by the Digital Omnibus proposal. Deployers of AI chatbots must inform users they are interacting with an AI. AI-generated or manipulated content must carry machine-readable labels. Emotion recognition and biometric categorisation systems must notify data subjects. A narrow grace period until 2 December 2026 applies only to machine-readable watermarking for systems already on the market, not to the core transparency disclosure duties.
References
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (EU AI Act), OJ L 2024/1689, 12 July 2024.
- Article 70, Regulation (EU) 2024/1689: designation of national competent authorities and single point of contact. Deadline for Member States: 2 August 2025.
- Ministry of Economy and Finance (France), draft law proposing national authority designation under the EU AI Act, published 9 September 2025. Provisions concerning formal designation subsequently withdrawn from Parliament.
- CNIL recommendations: AI and informing data subjects, AI and individual rights, published 7 February 2025.
- CNIL practical guidance: annotation of training data, security in AI system development, GDPR status of AI models, published 22 July 2025.
- Article 1240, Code civil: fault-based liability ("Tout fait quelconque de l'homme, qui cause a autrui un dommage, oblige celui par la faute duquel il est arrive a le reparer.").
- Article 1242, Code civil: liability for things in one's keeping (garde de la chose doctrine).
- Loi n. 2024-449 (SREN law), enacted May 2024, amending Article 226-8 of the French Criminal Code on deepfakes.
- Directive (EU) 2024/2853 on product liability (revised), OJ L 2024/2853, 18 November 2024. Applies to products placed on the market after 9 December 2026.
- Council of the EU and European Parliament, provisional political agreement on the Digital Omnibus on AI, 7 May 2026 (proposing deferral of high-risk Annex III deadline to 2 December 2027; not yet formally adopted or published in the Official Journal as of June 2026).
- EIOPA Opinion on Artificial Intelligence governance and risk management (EIOPA-BoS-25-360), published 6 August 2025.
- ACPR cross-functional AI task force, established 2025, addressing EU AI Act articulation with Solvency II, IDD, DORA, and GDPR.
- Moffatt v. Air Canada, 2024 BCCRT 149 (British Columbia Civil Resolution Tribunal): operator liability for chatbot misstatement.
- Mata v. Avianca, No. 22-cv-1461, 678 F. Supp. 3d 443 (S.D.N.Y. 2023): sanctions for fabricated AI-generated citations.