Vienna, September 2025: As Europe prepares for the next wave of digital regulations, experts are warning of strategic risks. In an interview with Dr. Fabian Knirsch, data protection expert and co-founder of sproof GmbH, Katharina Raabe-Stuppnig – renowned data protection lawyer and long-time companion of Max Schrems before the European Court of Justice – analyzes current risks and new regulatory developments in the European digital space. <\/strong> The GDPR has been the gold standard since 2018. But now comes the next wave of regulations: AI Act, NIS-2, Cyber Resilience Act, Data Act. “All of these rules are based on a functioning data protection system,” explains Raabe-Stuppnig. Companies that don’t have this will fall behind – both legally and economically. This new legislation is tightening the requirements for companies – across all sectors. The central challenge is to reconcile legal requirements, technical security and the ability to innovate. <\/p>\n\n Despite the adequacy decision, data transfer to the USA remains fragile. “The framework is based on a political decree – it could be history again tomorrow,” warns Raabe-Stuppnig. A lawsuit against the agreement is already pending. The US supervisory authority PCLOB – responsible for monitoring government surveillance measures – is currently unable to function properly: Several management positions are vacant after US President Donald Trump fired three of the five people in charge. As a result, important data protection mechanisms on which the Data Privacy Framework is based are de facto blocked. <\/p>\n\n Particularly tricky: Even with server locations in the EU, access by US authorities cannot be ruled out – for example via parent companies. European authorities require external key management solutions that guarantee control over encryption. “This type of encryption usually only works for backup data,” explains Raabe-Stuppnig. “The necessary technology is often lacking for operational systems.” <\/p>\n\n A recent ruling by the International Criminal Court shows just how urgently such alternatives are needed: Microsoft refused to hand over emails in international proceedings – based on US legislation. For many, this is a warning signal: without digital independence, there is not only a threat of compliance risks, but also restrictions on democratic jurisdiction and the state’s ability to act. <\/p>\n\n Despite these uncertainties, Raabe-Stuppnig is optimistic about the future. She sees the EU Data Act as a key lever for greater digital sovereignty. Multicloud strategies are to be promoted, switching providers made easier and switching costs reduced. “We need European alternatives – and we need them now,” she says. “With targeted support, we can create real competition for the US hyperscalers.” <\/p>\n\n The good news is that some EU countries are already taking action. Denmark, for example, is currently gradually abandoning US cloud solutions in favor of secure EU open source solutions. <\/p>\n\n The debate shows: Data protection is no longer just a compliance issue, but a strategic element of digital competitiveness. Companies that secure their data processes in a structured and forward-looking manner not only strengthen their legal framework, but also their market position. <\/p>\n\nGDPR as a basis: new EU laws on the horizon<\/h3>\n\n
Data transfer to the USA: trust is not a strategy<\/h3>\n\n
Encryption: Aspiration and reality diverge<\/h3>\n\n
European alternatives: The Data Act as a beacon of hope<\/h3>\n\n
Conclusion: Data protection as a strategic element<\/h3>\n\n