Transatlantic data flows face new uncertainty as the US administration moves to weaken key privacy oversight. The Privacy and Civil Liberties Oversight Board (PCLOB)—a critical body that helped justify the EU-US Transatlantic Data Privacy Framework (TADPF)—is now barely functional after recent leadership changes.

Without PCLOB, the EU’s argument that US companies like Microsoft, Google, Amazon, and Meta provide “adequate” data protection is at risk. If the European Commission reassesses the situation, it may have no choice but to revoke TADPF, making data transfers to US cloud providers legally questionable under GDPR.

Beyond privacy concerns, this development has serious implications for compliance with both DORA (Digital Operational Resilience Act) and NIS2 (Network and Information Security Directive 2), both of which impose strict Third-Party Risk Management (TPRM) requirements.

Regulatory Implications for EU Businesses

DORA & Financial Sector Risks – DORA mandates third-party risk assessments for ICT service providers, especially non-EU cloud providers. Financial institutions must ensure operational resilience and contingency planning in case TADPF is invalidated.
NIS2 & Critical Infrastructure Compliance – NIS2 extends cybersecurity obligations to essential and important entities, including cloud providers. Organisations must assess supply chain risks and ensure their ICT partners comply with EU security standards.
Exit & Contingency Planning – Both DORA and NIS2 require robust risk mitigation strategies, meaning businesses must prepare for a scenario where data transfers to the US become legally uncertain.
Data Localisation & Sovereignty – Companies may need to re-evaluate their cloud strategies, ensuring compliance with EU data sovereignty rules to avoid regulatory penalties.

What Businesses Should Do Now

– Explore EU-based cloud providers
– Reassess data storage & residency strategies
– Ensure compliance with DORA & NIS2 TPRM requirements
– Monitor regulatory and legal developments closely

Additionally, all sensitive data should be encrypted using encryption keys that the company itself owns and controls, to prevent access by US authorities and cloud providers.

This latest move could be the first domino to fall, accelerating the shift away from US cloud dominance in Europe. Organisations relying on US providers must act now to reduce compliance risks and safeguard their data operations.

Secure your supply chain today—get in touch to learn more.

Njord was a character in Norse mythology with the power of the (cyber) sea, the winds (trends), fishing (for intelligence), and wealth (of insights). Njordium addresses the underlying layers, rather than the (‘complex’) layer of symptoms on the surface.

Contact

Stockholm: +46 8 5078 05 06
Malmö: +46 40 686 00 46
reachout@njordium.com