Expanding Beyond the UK: Purview Strategies for Belgium, Luxembourg, France and the Netherlands
GDPR created a common framework across Europe, but it did not create uniform enforcement. Organisations extending Microsoft Purview governance into Belgium, Luxembourg, France and the Netherlands will quickly find that each country's regulatory authority has its own priorities, guidance and expectations. Understanding those differences is what separates a Purview strategy that holds up from one that falls short.
Belgium
The APD governs data protection with a growing enforcement track record and strong EDPB alignment. Beyond data protection, the CCB (Centre for Cybersecurity Belgium) has introduced the CyberFundamentals (CyFun) Framework, Belgium's national cybersecurity standard. NIS2 is fully transposed into Belgian law, with organisations required to register on Safeonweb@Work and self-assess against CyFun levels.
For financial sector organisations, DORA supervisory responsibilities are split between the FSMA (investment firms and insurers) and the NBB (credit institutions and payment institutions), a dual-regulator structure that directly affects how ICT governance and incident reporting must be configured in Purview.
Healthcare organisations must account for APD special category data processing rules, while education deployments need to reflect APD guidance on student data and EdTech platforms.
Luxembourg
The CNPD oversees data protection for a disproportionately large volume of financial and technology organisations and has been designated alongside the CSSF as a supervisory authority for the EU AI Act. The CSSF is one of the EU's more rigorous financial regulators. CSSF Circular 24/847 established ICT incident reporting requirements ahead of DORA, and Luxembourg was one of the first EU states to fully transpose DORA via the Law of 1 July 2024.
Luxembourg is the EU's largest fund domicile, and organisations there managing data under MiFID II, UCITS or AIFMD face retention and access control requirements that go well beyond standard GDPR obligations. The CSSF has made explicit that AI systems used by supervised entities must demonstrate governance, human oversight and explainability, which is directly relevant for any Copilot deployment in the financial sector.
France
CNIL is one of the most active and financially aggressive data protection authorities in Europe and is designated as the national supervisory authority for the EU AI Act. Its 2025-2028 strategic plan is heavily focused on AI, with recommendations confirming that GDPR applies to AI model training. EU AI Act prohibited practices have been enforceable since February 2025, with fines reaching up to 35 million euros or 7% of global turnover.
For healthcare deployments, HDS (Hébergeur de Données de Santé) certification is a hard legal requirement. Any platform hosting French health data must be HDS certified. ANSSI cybersecurity standards apply to government and critical infrastructure operators, with OIV organisations subject to additional obligations under the LPM framework. Education deployments must reflect CNIL's 2025 AI guidance for schools and MENJS data protection requirements.
Netherlands
The AP (Autoriteit Persoonsgegevens) has designated algorithms and AI as a top enforcement priority for 2025 and is the designated national market supervisor for high-risk AI systems under the EU AI Act. Customer profiling and data trading are also explicit AP enforcement priorities, directly relevant for retail and financial sector Purview deployments.
For healthcare, NEN 7510 is the mandatory Dutch information security standard, mapping to ISO 27001 with health-specific controls, and the IGJ is designated as AI systems supervisor for healthcare. DORA has applied to Dutch financial entities since January 2025, with the AFM and DNB actively supervising ICT risk management. Government organisations must align with the BIO (Baseline Informatiebeveiliging Overheid), the Dutch equivalent of the UK's Government Security Classifications, alongside the CBw NIS2 Control Framework published by NCSC-NL.
What This Means for Purview Strategy
Several requirements carry direct implications across all four countries.
Incident reporting timelines under NIS2 and DORA require audit logging configured for 24-hour initial notification windows.
AI governance is under active regulatory scrutiny in all four countries. CNIL, AP, CNPD and APD are all exercising oversight of AI systems through existing GDPR powers ahead of full EU AI Act implementation. Copilot interaction logging and DLP policies governing AI tool access are the evidence base regulators will request.
Sector-specific requirements (HDS in French healthcare, NEN 7510 in Dutch healthcare, CyFun in Belgian organisations and CSSF ICT circulars in Luxembourg financial services) must inform label taxonomy and policy scope from the design stage.
PurLayer Strategies for Europe
PurLayer strategies for Belgium, Luxembourg, France and the Netherlands are coming across all six sectors, giving architects and compliance teams a validated starting point for governance design that accounts for the regulatory requirements specific to each country and sector.
Region-specific Purview strategies are coming soon to PurLayer. Follow us for updates.