Illustration: a castle with an EU flag and a fortress with a US flag, split by a bridge that is damaged and on fire.

EU Cybersecurity & Data Protection Update Q1-2025

Engity's overview of the data protection and cybersecurity challenges that dominated the news headlines in the first quarter of 2025.

There are quarters we cover in our Cybersecurity & Data Protection digest during which time seems to move faster than usual. The first three months of 2025 were one of them. This time, the focus is not so much on many small stories but on a few big ones that may shape the landscape for the next years – or maybe decades.

The most crucial one is how the election of Donald Trump as 47th president of the United States could make a difference. Trump does not present himself as a champion of international cooperation. One of his first actions in office was the de-facto dismantling of a crucial part of the EU-US Data Privacy Framework (EU-US DPF). This leaves the future of this transfer mechanism in grave danger. If the US does not outright terminate the agreement – which is in the cards – it is more than possible that the European Court of Justice (ECJ) may invalidate it during a future judicial review. The implications could be catastrophic for both the US and the EU, as both blocs trade in data and services more than in machines and things.

On the more technical side of the industry, a strategic move towards quantum-safe encryption is gaining momentum. This is no wonder as quantum computing becomes a real thing. In fact, if the speed of development does not slow down, the industry timeline may have to be hastened.

And last but not least, we have to look into a cybersecurity issue that even the best technology cannot solve: inviting a journalist to a discussion of military secrets on a private messaging platform, with people who should not have been there, while using private phones in an unfriendly country.

Let’s look into all of this.

The EU-US DPF is Dead in the Water. Almost.

Time and again, we have reported on the state of the EU-US Data Privacy Framework (EU-US DPF). This is for good reason: without the DPF, the web of economic connections between the EU and the US in the field of electronic services is in grave danger. Losing the DPF could be akin to clogging the coronary arteries around the heart, leading to a stroke.

That is because the EU-US DPF is a vital legal mechanism designed to enable a compliant transatlantic data transfer.

Some context – why is there a DPF in the first place?

Such a transfer mechanism is needed because, from the vantage point of the General Data Protection Regulation (GDPR), the US is a “third country” – the GDPR does not apply there. Data transfers to such third countries are not permitted per se, as they may lack a level of data protection comparable to the EU. However, if the EU Commission finds that such a third country does indeed have a suitable level of data protection, it may issue a so-called “adequacy decision” that allows data transfers.

The EU Commission has issued such decisions in cases such as the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, and a few others. And while it is good to be assured that our personal data are well protected with the whale fishers on the Faroe Islands, it seems a bit more important to wonder whether the same is true for the US, which actually has an IT industry. Or, to be even more to the point: virtually all big cloud storage and application providers are US companies.

The EU is very much dependent on data transfers – but due to the sheer size of the EU commercial space, US entities also need to do business here.

Yet the US does not have anything close to the required level of data protection, at least not on a federal level. That is the gap the EU-US DPF aims to bridge.

How does the DPF work?

To that end, the framework establishes safeguards regarding access to personal data. On the US side, several steps must be taken to ensure compliance with the DPF.

First, the US government must fully implement the legal safeguards restricting mass surveillance and ensuring that intelligence collection is targeted and justified.

Second, the Office of Privacy and Civil Liberties (DPRC) must be operational and independent, providing an effective means for EU citizens to seek redress.

Finally, U.S. companies seeking to transfer EU data must certify their compliance with the framework’s principles, committing to strong privacy and security measures comparable to those required under GDPR. The Federal Trade Commission (FTC) is responsible for enforcing these commitments, ensuring that certified companies adhere to their obligations.

Trump as the elephant in the room

The elephant in the room is, of course, the Trump administration. While President Trump has not assaulted the EU-US DPF directly so far, he has already done harm on a structural level. Furthermore, he has a reputation for being erratic and oriented towards action without regard for long-term consequences.

There are two ways that the Trump presidency could – and most likely will – end the EU-US DPF.

The obvious way is that President Trump could just outright exit the EU-US DPF. The framework is not a law approved by Congress but merely a political agreement, on the US side based on a presidential decree. This also means that it can be repealed at any time by the next administration. As President Trump is not known to be particularly fond of obligations he feels are imposed on the US by the EU, there is a danger that he may, in fact, terminate the agreement. He may be even more inclined to do so as the EU-US DPF is often seen as an achievement specifically of the Biden administration – and Trump has already said he would review any such act of previous administrations.

But even if Trump does not officially terminate the EU-US DPF, the European Court of Justice could simply invalidate it.

This was always on the table as the framework is not the first attempt to establish a data transfer mechanism between Europe and America. Both of its predecessors, namely Safe Harbor and the Privacy Shield, were found lacking by the court. The DPF, however, is not fundamentally different but rather “more of the same”.

The danger is, however, exacerbated by the disregard for America’s obligations under Trump:

Such actions make the independence and validity of redress and oversight mechanisms on the American side questionable. If one adds the general unreliability of Trump in the context of international treaties and the fact that many observers found the DPF to be “not good enough” to begin with, any lawsuit trying to invalidate it has good chances of success.

What the end would mean

An end of the EU-US DPF would wreak havoc. It would create legal chaos for thousands of businesses and organizations, disrupt digital trade and increase compliance costs. It would also further undermine trust on both sides of the Atlantic and fuel a move toward data localization and protectionism.

Therefore, businesses and organizations must take action – and do that now.

We at Engity have been advocates of digital sovereignty for a long time. Most digital tasks can be done by European services, and more business development here would be beneficial for Europe.

Public Initiatives and Developments

Scanning message contents – protection vs. violation of rights

For the third time, the EU is discussing rather controversial measures that aim to make the world safer for children. The idea is this: material showing the sexual abuse of children is mostly exchanged online. Hence it makes sense to scan online communication for such material to raise deterrence and disincentivize production and trade. The respective proposed EU regulation is known as “CASM” – the Regulation to prevent and combat child sexual abuse.

The problem: almost all online communication is encrypted. Such scanning would therefore require breaking this encryption – most likely by requiring companies to implement backdoors in their software or platforms allowing law enforcement agencies access to private communications.

There is also the danger of mission creep. Once surveillance mechanisms are implanted in the fabric of online communication, it is almost irresistible for a government not to make further use of them. If the data is there, why not also scan it for communication about other crimes, look for tax evasion, or outright social-score citizens?

As we currently see in the wider world, there is also a risk of state capture. Tomorrow’s government may not be democratic anymore and could scan – stored and unencrypted – communication to identify “enemies of the state”.

Furthermore, backdoors in any type of software, system, or communication protocol will also increase the attack surface for bad actors. A backdoor is nothing but a security flaw that is not yet widely known. In effect, CASM will certainly weaken the overall cybersecurity of any country implementing it.

To top it off, it is not even clear that implementing backdoors would indeed make the world safer for children. One concern: unsafe online communication would make it, in fact, easier for nefarious actors to hack accounts on social platforms and steal images.

We at Engity believe in privacy and security. While we do see the good intentions of CASM approaches, we believe that implementing them would do – much – more harm than good.

GDPR to be overhauled – and red tape to be cut

The EU is finally attempting to give the – now seven-year-old – GDPR a major overhaul. The idea of the review is to keep what is good about the privacy law while attempting to cut back overregulation that hampers innovation and ease of business.

Details of the planned changes are not yet available, but several ideas are floating around. One of the ideas is to make the GDPR “tier-based”, in effect imposing harsher rules on larger platforms while easing the burden for smaller companies. This would be very much in line with the regulatory approach the EU has adopted recently in other cases such as Digital Services or AI.

Cybersecurity and Data Breaches

Data breaches increase further – stolen credentials are the main issue

We all “feel” that data breaches are constantly on the rise. Flashpoint, a provider of threat intelligence, compiled the numbers in its Global Threat Intelligence Report. And to make it short: the data back up the feeling.

2024 saw a 6% increase in data breaches overall. More interesting than the overall numbers is, however, where the breaches come from: the attack vectors. The number of cases involving compromised credentials grew by 33%. And that trend continued in early 2025, in which Flashpoint found a further 200 million compromised credentials in the first two months alone.

At Engity, the protection of credentials and the provision of identity services are our business. We find the numbers alarming. Should you share that sentiment, we are always available to discuss what can be done – and how to do it.

AI will accelerate account takeovers, Gartner finds

While discussing threats to credentials and accounts: Generative AI is one of them. According to an industry report by Gartner, in only two years, account takeovers will be much faster than today. Deepfakes and autonomous AI agents that are not reliant on a fixed script will make stealing credentials much easier and an automated task.

What makes generative and agentic AI so dangerous is that it can be used for spear phishing and the good old dragnet kind at the same time. For that reason, an organization is no longer automatically safe just because its data security is a tad better than that of the competition.

To fight the expected surge in attacks, the report recommends advanced authentication options such as passwordless login, phishing-resistant MFA (multi-factor authentication) or multi-device passkeys.
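To make the difference between “MFA” and “phishing-resistant MFA” concrete, here is an added, stdlib-only simulation (not code from the Engity digest or from Gartner). A one-time code, TOTP-style, has no notion of where it was typed, so a code entered on a look-alike site is just as valid on the real one. A passkey assertion, by contrast, is signed over the origin that the browser (not the user) fills in, so the real site rejects anything produced for another origin. Assumptions, labelled as such: HMAC over a per-credential secret stands in for the authenticator's asymmetric signature, the site names rp.example and evil.example and all function names are invented, and the checks mirror WebAuthn only in outline.

```python
"""Added example: origin-bound passkey assertion vs. relayable one-time code.
HMAC stands in for the authenticator's ECDSA signature (simplification)."""
import hashlib
import hmac
import json
import secrets
import struct


# --- Phishable factor: a TOTP-style one-time code -------------------------

def totp_code(shared_secret: bytes, t: int, step: int = 30) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time counter, truncated to 6 digits."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(shared_secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def totp_accepts_relayed_code(shared_secret: bytes, t: int) -> bool:
    """A code typed into a look-alike page can be relayed to the real site within
    the same time step; the code carries nothing that says where it was entered."""
    code_entered_on_lookalike = totp_code(shared_secret, t)
    return totp_code(shared_secret, t) == code_entered_on_lookalike


# --- Phishing-resistant factor: an origin-bound passkey assertion ---------

def make_assertion(credential_secret: bytes, rp_id: str, challenge: bytes, origin: str) -> dict:
    """Simulated authenticator. The browser fills in the origin of the page that
    requested the assertion; the signature covers rp_id hash and the client data."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    signature = hmac.new(credential_secret, signed, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "signature": signature}


def verify_assertion(credential_secret: bytes, rp_id: str, expected_origin: str,
                     issued_challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: check type, origin, challenge and rp_id hash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != expected_origin:
        return False  # produced for another site: this is the phishing-resistance property
    if not hmac.compare_digest(bytes.fromhex(cd.get("challenge", "")), issued_challenge):
        return False  # replayed or foreign challenge
    if not hmac.compare_digest(assertion["rp_id_hash"], hashlib.sha256(rp_id.encode()).digest()):
        return False
    signed = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(credential_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["signature"], expected_sig)


def passkey_login(credential_secret: bytes, page_origin: str) -> bool:
    """One login round trip with the legitimate relying party at https://rp.example.
    page_origin is the origin of the page the user actually interacted with; the
    challenge is relayed unchanged, so only the origin differs between the two cases."""
    rp_id, rp_origin = "rp.example", "https://rp.example"
    challenge = secrets.token_bytes(32)  # issued fresh by the relying party
    assertion = make_assertion(credential_secret, rp_id, challenge, page_origin)
    return verify_assertion(credential_secret, rp_id, rp_origin, challenge, assertion)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("genuine page:", passkey_login(key, "https://rp.example"))     # True
    print("look-alike page:", passkey_login(key, "https://evil.example"))  # False
    print("one-time code relayable:", totp_accepts_relayed_code(key, 1_700_000_000))  # True
```

In a real deployment the browser would already refuse to create an assertion for rp.example from a page on a different origin; the relying-party check shown here is the second line of defence and is the part an identity service implements itself.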

Infosec Prepares for the Post-Quantum World

Quantum computers pose a significant challenge to cybersecurity because they have the potential to break widely used encryption methods that secure digital communications today. Classical encryption algorithms like RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman rely on the difficulty of mathematical problems such as integer factorization and discrete logarithms, which are hard to solve for conventional computers. Quantum computers, however, can solve these problems exponentially faster, meaning that encrypted data protected by these methods could become vulnerable. This poses a major risk to sensitive information, including financial transactions, government communications, and personal data.
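The dependence of RSA on factoring, as the paragraph above states it, can be shown directly: whoever can factor the modulus can recompute the private key from the public key alone. The following is an added toy illustration (not code from the digest), with deliberately tiny, constructed primes so that trial division plays the role of the factoring step; Shor's algorithm is what would make that step fast for real-size moduli on a quantum computer. Function names are invented.

```python
"""Added example: textbook RSA on toy primes, showing that factoring n yields d.
Trial division here stands in for the step a quantum computer would speed up."""
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes. Returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), d


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(n: int, d: int, c: int) -> int:
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """The hard step. Exponential in the bit length of n for classical trial
    division; this is the step Shor's algorithm reduces to polynomial time."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no non-trivial factor found")


def recover_private_key(pub) -> int:
    """Given only the public key, factor n and rebuild d exactly as keygen did."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def demo() -> bool:
    """Round trip with constructed toy primes, then key recovery from the public key."""
    pub, d = rsa_keygen(10007, 10009)  # constructed toy primes, n has 27 bits
    c = rsa_encrypt(pub, 4242)
    recovered_d = recover_private_key(pub)
    return recovered_d == d and rsa_decrypt(pub[0], recovered_d, c) == 4242


if __name__ == "__main__":
    print("private key recovered from public key:", demo())
```

Everything in the example is already public: the modulus and the exponent e. What keeps a real 2048-bit key safe is only that `factor_by_trial_division` (or any classical algorithm) takes longer than the universe has existed; ECC and Diffie-Hellman rest on the discrete-logarithm problem in the same way, and Shor's algorithm addresses both.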

The transition to post-quantum is live-streamed

For that reason, the cybersecurity industry is in a push to transition to post-quantum cryptography (PQC), new encryption algorithms resistant to quantum attacks. There are, of course, significant difficulties, such as the need for global standardization, backward compatibility, and large-scale implementation across industries.

With all that in mind it makes obvious sense to start preparing for a post-quantum world on an infrastructural level.

Google has introduced supposedly quantum-safe digital signatures in its Cloud Key Management Service, protecting key data in its cloud-based identity and access management (IAM) service. Furthermore, the company has shared some insights into its post-quantum strategy.

Cloudflare, a web performance and security company that provides services to protect and optimize websites, applications, and networks, has started the transition process by introducing post-quantum cryptography (PQC) protections in its platform. The idea is to act as a quantum firewall that protects the underlying corporate systems so that not all of them have to upgrade in one go.

The process, however, has a rather extended timeline – scheduled for completion by 2035. This aligns with the recommendations of regulators and advisors. The UK’s NCSC (National Cyber Security Centre), for instance, also urges decision makers to aim for that ten-year timeline. Nevertheless, the process should be started immediately – by 2028, organizations should have a migration plan ready.

Microsoft raises the urgency level

It looks, however, as if even such a timeline needs to be accelerated. Microsoft, not only a maker of software but also busy in new areas of hardware, announced its new “Majorana” device. This quantum chip could potentially be used in systems running encryption-breaking software. Microsoft itself claims that such systems are merely “years, not decades” away. The company is, however, also often criticized for being rather optimistic in its announcements.

Action may be needed – now and in a very traditional manner

Precautions against a post-quantum world have to be taken now, and in a very traditional way: by applying current state-of-the-art technology to prevent data outflows. This is true even if those data are properly encrypted.

The reason for this is the concept of “harvest now, decrypt later”. That refers to a strategy where bad actors intercept and store encrypted and very valuable data today, even though they cannot immediately break its encryption. They hope that future advances in computing like quantum computers will allow them to decrypt the stored data later. Many industry secrets in sensitive industries (think defense) or stemming from the intelligence community will still be valuable.

This means that, even though no practical applications of quantum attacks may exist yet, data will have to be protected now – basically from the future.

Software takes longer to patch – 9 months on average

In practice, however, fixing security holes by traditional means simply does not seem to be happening, the latest “State of Software Security” report by Veracode, provider of a SaaS security platform, finds.

According to its findings, the average time to fix a software vulnerability has risen to almost nine (9) months and, as a result, security debt is mounting. More than half of all apps contain flaws that are severe, yet increased complexity, reliance on third-party code and AI-written apps that nobody really understands make it harder and harder to fix and patch in time.

To make things worse – and to the surprise of no one: the older a vulnerability is, the more widely it is – on average – exploited, according to GreyNoise’s 2025 Mass Internet Exploitation Report.

The Human Factor – US War Planning in a Signal Chat-Group

It is a rather overused trope in the cybersec community that even superb processes and technology cannot buy one safety if the user just ignores them.

For that reason, tons of corporate trainings revolve around the question of who can tell what to whom in which way. Concepts like “need to know” or “state-of-the-art security measures” are stipulated in NDAs.

None of this seems to apply to the US government when it comes to the discussion of war plans. Instead, the planning of very concrete attacks on the Houthi rebel group was discussed in a group chat on the “Signal” messenger, a private platform.

Members of the chat were high-ranking officials, including Vice President JD Vance, Secretary of State Marco Rubio, Secretary of Defense Pete Hegseth, and CIA Director John Ratcliffe. While those at least make sense in terms of personnel, United States Secretary of the Treasury Scott Bessent was also in the chat – hardly a person with a “need to know” regarding attack plans.

And, yes, a journalist was also added: The Atlantic’s editor-in-chief Jeffrey Goldberg.

At Engity we cannot discuss the political side of the story. Yet from the vantage point of cybersecurity, this is a disaster.

There are very good reasons why governments typically rely on their own platforms to exchange information, not platforms operated by private companies. “Signal” was in no way certified by any US security agency. How exactly the encryption works, whether or not there are any backdoors in the platform, and who has access to the communication data, is completely unclear.

Furthermore, and to add insult to injury, one member of the group was in Russia – not a friendly country to the US – while taking part in the discussion. Whether his phone was with him is unclear, though.

Alas, all that is small fry compared with the blunder of simply adding a journalist by accident to the group.

The whole story reveals a remarkable neglect of even a basic understanding of cybersec – and we are talking about military secrets. But on the positive side: there are lessons to learn here, not just for the government, but for every organization:

Ultimately, the tools matter less than the mindset. Even the best technology is useless when used carelessly – a lesson that, evidently, needs constant repeating.

Court Decisions & Enforcement

When much is too much – Excessive Data Subject Access Requests

Every right can be abused. And when there are no costs or other hurdles, such abuse may, in fact, become more likely. Such an easy-to-claim right is the data subject access request under Art. 15 GDPR.

An Austrian citizen had filed 77 complaints over the course of 20 months with the Austrian Data Privacy Authority (DPA), saying that data controllers had not honored his requests for access to his personal data. The DPA found that a tad over the top. It refused to act due to the “excessive” nature of those complaints.

The European Court of Justice (ECJ) disagreed and shed some clarity on what constitutes “excessive” data subject access requests under the GDPR. The court emphasized that supervisory authorities must demonstrate abusive intent rather than relying solely on the number of requests.

Never ask a person for their gender – says the ECJ

We all know those pesky forms we have to fill out if we want to make an online purchase. And rather often, there are fields marked as “mandatory” that do not seem truly important to the purchase at hand, yet when we do not fill them in, we cannot submit the form.

That is what SNCF, a French train operator, did. When people wanted to buy a ticket, they had to identify themselves as “Monsieur” or “Madame”, and SNCF said it needed that information in order to assign gender-specific accommodations on night trains or to assist passengers with disabilities.

The ECJ (case number C‑416/23, judgment of 9 January 2025) did not follow that line of thinking and, based on the principle of data minimization, ruled that every processing of personal data must be “adequate, relevant, and limited to what is necessary.”