Recent news from the United States has caused a shockwave within the European IT and cybersecurity community. The surprising statement by U.S. policymakers that Russia is no longer considered a cybersecurity threat has far-reaching implications for organisations and governments using U.S. information systems and storage.

The laws surrounding data sharing between the U.S. and Europe have always been a gray area. Yet until now, there was a degree of trust in the U.S.'s intention to protect our data. Of course, that trust was already somewhat naive, but now it is abundantly clear: our data is simply no longer safe if it is under U.S. control.

We can no longer sit still. Action is needed! Organisations and governments in Europe can take several concrete steps to protect their data and reduce their dependence on U.S. information systems and storage. Here are some recommendations:

Review your Data Storage Strategy
Move data to European clouds: Consider using European cloud providers that are fully compliant with GDPR requirements and are not subject to U.S. law.
On-premises storage: For highly sensitive data, it may make sense to store (some of) the data locally, under your own management.

Perform a Risk Analysis
Inventory dependencies: Map which systems and services use U.S. technology or infrastructure.
Assess data flows: Identify what data is potentially sent to the U.S. or through U.S. servers.

Commit to European Alternatives
Software & Platforms: Look for European alternatives to widely used U.S. software, e.g. Nextcloud for cloud storage, OnlyOffice as an alternative to Microsoft Office, and ProtonMail for secure email.
Hardware & Network Components: Choose European suppliers of network infrastructure and hardware where possible.

Encrypt Sensitive Data
End-to-end encryption: Use encryption that you control entirely yourself, so that even the cloud provider cannot access the contents of your data.
Zero-knowledge storage: Choose services where not even the provider can see your data.

Adjust your Contracts and SLAs
Specify data location and protection: Make sure contracts with providers specifically define where your data will be stored and how it will be protected.
Exit strategy: Have a plan to quickly switch vendors if the situation changes.

Encourage Awareness and Training
Information security training: Make sure employees understand the risks and how to handle data safely.
Simulate scenarios: Test your organisation's resilience through scenario exercises around data breaches or cloud migrations, for example.

Work with European Partners
Share best practices: Work with other European organisations and governments to share knowledge and experiences.
European consortia: Join initiatives such as Gaia-X, the European cloud project, to become less dependent on non-European technology.

By taking these steps, organisations and governments can not only better protect their data but also contribute to a more robust and secure European digital infrastructure.