
When Tools Become Targets: What European and non-USA NGOs and NPOs Must Know About Using Non-European Products and Services


Why this matters

European and non-USA NGOs sometimes rely on non-European software and platforms (cloud services, communications tools, analytics, AI, etc.). Without careful review, these tools can expose your organization to legal liabilities, security breaches, and loss of trust with stakeholders.

The most important legal context comes from the EU General Data Protection Regulation (GDPR). GDPR applies when you process personal data of people in the EU, no matter where the vendor is based. It also applies when a European NGO transfers that data to a non-EU provider. (European Union)

Key areas you must understand

GDPR obligations

European NGOs that collect, store, or use personal data must protect it according to GDPR. This includes data about donors, partners, volunteers, and beneficiaries. (European Union)

Your obligations when using non-European products:

  • International transfers still count. Even if data is hosted outside the EU, GDPR applies and you must ensure lawful transfer mechanisms (Standard Contractual Clauses or Binding Corporate Rules). (DPO & Privacy Support)
  • Controllers and processors. Clarify whether a vendor is a data controller or a processor. The contract must require them to act only on your instructions. (European Union)
  • Data subject rights. You must be able to handle access, rectification, erasure, and portability requests for EU residents. (DPO & Privacy Support)

If a vendor fails to comply with GDPR, your organization can face fines of up to €20 million or 4 percent of global revenue, as well as reputational harm. (European Union)

Real world threat examples: government-linked attacks

NGOs worldwide face digital threats from state-linked actors and their proxies.

1. State and intelligence linked spyware
In early 2025, WhatsApp alerted multiple civil society actors, including migrant activists and journalists, that they were targeted with high-end spyware. This campaign used surveillance tools linked to a non-EU vendor, with allegations of misuse by a government agency despite official denials.

2. Sophisticated state-associated cyber operations
European government agencies and networks have been targeted by hacking groups with alleged links to state actors. For example, a persistent campaign against a European foreign ministry’s communication network was attributed to an advanced group tied to a non-EU government intelligence service.

3. Targeted attacks on humanitarians and NGOs
Reports document cyberattacks against NGOs in conflict zones, including malware distributed to aid organizations and designed to steal credentials and intelligence.

4. Spear phishing against humanitarian organizations
A major European NGO reported a targeted cyberattack linked to foreign state interests, using tailored phishing emails to try to gain remote access to internal systems. The attempt was detected and blocked, but it highlights how threat actors exploit organizational trust.

NGOs are recognized as targets not only by cybercriminals seeking profit, but also by state and state-aligned actors who may seek to disrupt operations or collect intelligence on programs and donors. A report by the CyberPeace Institute identifies a wide range of threats to nonprofits, including espionage, data theft, ransomware, and fraud.

Vendor risk due diligence

Before signing with a non-European provider:

  • Map all data flows: know what data is shared, where it goes, and who can access it.
  • Check whether the vendor supports GDPR compliance and can sign appropriate data processing contracts. If not, find alternatives.
  • Ask for ISO 27001 or equivalent security certifications to verify security posture.

Where possible, choose vendors that support data residency controls so sensitive data remains within the EU.

Security and cyber risk

NGOs are frequent targets for cybercrime because they hold sensitive data and often lack dedicated IT security resources. Many NGOs still lack formal security plans. (Edana)

Your protections should include:

  • Encryption at rest and in transit
  • Multi-factor authentication
  • Endpoint protection on all devices
  • Incident response plans
  • Ongoing staff training on phishing and threats

These measures reduce the risk of breaches that could compromise personal data and mission data.

Contracts and transparent terms

When onboarding non-EU vendors:

  • Require data protection agreements that include GDPR clauses.
  • Ensure contracts clearly define who controls data, who processes it, and where data can be stored.
  • Confirm how data is handled when subcontractors are involved. You remain responsible.

Data Protection Impact Assessments (DPIAs)

For high-risk processing (for example, cloud platforms holding health or sensitive beneficiary data), you should conduct a DPIA. This identifies risks and how you will mitigate them. (DPO & Privacy Support)

Audit and vendor monitoring

GDPR compliance is ongoing:

  • Review vendor compliance annually.
  • Ask for third-party audits.
  • Monitor regulatory developments.

Ethics in data use

A recent report shows that a lack of transparency with tech vendors can weaken the data rights of the vulnerable people NGOs serve, especially when consent and control are unclear. (euronews)

NGOs must think beyond legal compliance and consider ethical use of third-party tools, particularly those that use profiling or cloud storage in jurisdictions with weaker protections.

Certifications and codes of conduct

EU frameworks exist to help:

  • EU Cloud Code of Conduct helps cloud vendors demonstrate GDPR compliance. (Wikipedia)
  • Europrivacy and Interprivacy offer privacy certification aligned with GDPR standards. (Wikipedia)

Using certified vendors can reduce risk and simplify compliance.

Practical steps you can take now

  • Create a vendor assessment checklist that covers GDPR, security, data residency, and support for EU rights.
  • Update your contracts to include data protection terms and require GDPR compliance from processors.
  • Conduct a data flow audit to map personal data movement.
  • Train staff on security and data protection.
  • Review your incident response plan and breach notification process.

Further reading and resources

This guidance will help you make informed decisions when using non-European products and services, keep your NGO compliant, and protect the people whose data you process.
