Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Risk Management and Strategy
Sanofi has implemented a cybersecurity strategy involving various dedicated personnel and resources aimed at preventing,
detecting and responding to cyberattacks, as well as being able to recover promptly in the event of material impact following a
cyberattack. Additionally, Sanofi has set up various cybersecurity processes applicable to subsidiaries within the Sanofi group.
Sanofi regularly updates its cybersecurity processes to address cybersecurity trends and threats. Cybersecurity processes have
been established to address material cybersecurity risks, including in connection with the following areas:
information technology and solution usage;
access control;
patch management;
security on specific environments (e.g. cloud, virtualization, SAP, automated systems, IoT, etc.);
log management;
network security;
systems security standards;
remote access;
secure development of applications;
cryptography;
mobile devices;
third-party management (including cybersecurity requirements in contracts); and
incident management.
Sanofi utilizes security standards and frameworks (i.e. the NIST framework) and has established cross-functional risk control
capabilities to facilitate operational implementation aligned with its cybersecurity processes.
Sanofi regularly analyzes its Internet-based services and performs regular penetration tests and attack simulations to assess its
protection and detection capabilities. The cybersecurity compliance status of computing assets connected to Sanofi’s
network is routinely consolidated for Sanofi's business units, including manufacturing and research and development sites.
Monthly dashboards are published and shared within Sanofi’s different business units and global functions. Sanofi implements
corrective measures and improvement actions in response to these processes. Data classification and protection tools are in place,
such as the implementation of a specific process and technology aimed at detecting and responding to abnormal data flows.
Sanofi has set up a cybersecurity operation center in charge of detecting and responding to cybersecurity threats and attacks, as
well as coordinating Sanofi-wide incident responses. Incident response training and simulations are run within Sanofi to be
better prepared in case of a cybersecurity incident. In addition, Sanofi’s employees, who are the main users of Sanofi’s digital
assets, are regularly trained to face cybersecurity threats and attacks. In the event of a cyberattack, Sanofi has established a plan
that includes criteria triggering the notification process for material cybersecurity incidents, including from the cybersecurity
operation center and the Chief Information Security Officer, who can use the internal escalation channels to inform
management and the Board of Directors and, as appropriate, the relevant regulatory bodies.
When dealing with third parties, our main commercial contracts include cybersecurity clauses aimed at ensuring such third
parties comply with Sanofi’s cybersecurity rules and requirements, especially when providing services to and processing data
from Sanofi. Additionally, Sanofi has set up a vendor risk assessment program to evaluate the digital maturity of a vendor, which
covers their business continuity as well as their related internal regulations, such as data privacy. As part of their contractual
commitments, major vendors and partners must report to Sanofi any cybersecurity incident that may have a significant impact on
Sanofi. A dedicated process has been implemented for third parties’ networks interconnected with Sanofi’s network, aimed at
limiting any propagation of a cyberattack to Sanofi’s digital assets.
Sanofi’s cybersecurity risk management processes are integrated into its overall risk management system through its enterprise
risk management process, which seeks to identify and address material risks to the organization. Each year, specific risk
committees identify the risks that affect Sanofi’s local businesses in each country in which it operates and Sanofi’s global functions, such
as Research and Development or Manufacturing and Supply.
Although Sanofi has put in place the cybersecurity processes described above, Sanofi remains exposed to cybersecurity attacks
and incidents and misuse or manipulation of any of its IT systems, which could have a material adverse effect on its business
strategy, results of operations or financial condition (see “Item 3. Key Information — D. Risk Factors — Risks relating to our
business — Breaches of data security, disruptions of information technology systems and cyber threats could result in financial,
legal, competitive, operational, business or reputational harm”).
Governance
Sanofi has appointed a Chief Information Security Officer who oversees Sanofi's information, cybersecurity, and technology
security. Our current Chief Information Security Officer has been working for Sanofi in this capacity since 2014 and has seventeen
years of experience in the cybersecurity industry, including eight years as the global head of cybersecurity at one of France’s
largest telecommunications companies. The Chief Information Security Officer is informed about and monitors the prevention,
detection, mitigation, and remediation of cybersecurity incidents through the cybersecurity operation center. He develops
appropriate plans to mitigate such risks. Such plans are validated by the Chief Digital Officer and shared with the Executive
Committee.
The Chief Information Security Officer belongs to the digital division and directly reports to the Chief Digital Officer, a member of
the Executive Committee. In addition, the Chief Information Security Officer is a permanent member of the group Risk
Committee and reports on the cybersecurity risk to such group Risk Committee, to the Audit Committee and to the Executive
Committee regularly. The reporting covers various matters, such as the outcomes of audits on Sanofi’s information systems, the
main incidents encountered over the preceding period, Sanofi’s digital transformation or the cybersecurity strategy and
framework for the coming years.
The group Risk Committee, composed of the managers of Sanofi’s Global Business Units, consolidates the risks identified by the
specific committees and targets the high-priority risks Sanofi is facing. The group Risk Committee then allocates each risk to the
relevant Executive Committee member (e.g. the cybersecurity risk is allocated to the Chief Digital Officer as the relevant member
of the Executive Committee, who manages the mitigation of such risk with the Chief Information Security Officer) and reports
regularly to the Audit Committee. Following this identification and allocation process, the group Risk Committee reports on a
quarterly basis to the Executive Committee on the progress of the mitigation plans.
The Audit Committee verifies that cybersecurity risks are well managed and reports on such management to the Board of
Directors. The Board of Directors is also informed of such risks, as well as other cybersecurity matters, through periodic reports
from the Chief Digital Officer, the Head of the group Risk Committee, or the Chief Information Security Officer.
Board committee or subcommittee responsible for oversight: Chief Information Security Officer