From UK to Europe: Delivering on Our Q2 EU Expansion

Building for the Reality of EU Regulation

Our approach has stayed consistent. We start with the regulatory landscape—not a template.

At an EU level, this includes GDPR, NIS2, DORA and the EU AI Act. But enforcement does not happen at EU level. It happens nationally, through supervisory authorities, with local interpretation.

We have not built a single EU framework. We have built country-specific strategies from the ground up.

Four Countries Now Live

The first phase includes:

• France — aligned to CNIL and French health, finance and government frameworks
• Netherlands — aligned to Autoriteit Persoonsgegevens and NEN 7510 standards
• Luxembourg — aligned to CNPD and DORA supervisory requirements
• Belgium — aligned to APD, CCB CyberFundamentals and dual-regulator DORA structure

These are not overlays onto a shared model. They are part of how each strategy is structured.

Aligned to Supervisory Authorities

Each country strategy is mapped to its national data protection and cybersecurity authority. This is not decorative. How each authority enforces regulation directly shapes which controls matter most and how they should be implemented.

• CNIL in France
• Autoriteit Persoonsgegevens (AP) in the Netherlands
• CNPD in Luxembourg
• Autoriteit Persoonsgegevens (APD) in Belgium

Depth Where It Matters

Each country strategy includes:

• Sector-specific mapping — Healthcare, Finance, Education, Government, Manufacturing and Retail strategies aligned to local regulatory frameworks
• Objective-level alignment — Each objective (protect IP, prevent data leakage, ensure compliance, secure remote work) mapped to relevant national guidance
• Cross-regulation coverage — GDPR, NIS2, DORA and EU AI Act all mapped to their national transposition and enforcement
• Local regulatory updates — Current supervisory authority guidance, enforcement trends and upcoming regulatory changes

This allows organisations to work from a position that reflects how regulation is applied, not just how it is written.

Why This Approach Matters

Building a Purview strategy that works across borders requires more than translating UK frameworks. It requires understanding how each national regulator interprets and enforces EU rules.

The French CNIL has different enforcement priorities than the Dutch Autoriteit Persoonsgegevens. The Belgian CCB's CyberFundamentals framework is distinct from Luxembourg's approach. DORA creates the same legal framework across the EU, but it is enforced by different regulators in each country.

Organisations extending their Purview governance across Europe need strategies that reflect those differences. Not strategies that assume one-size-fits-all EU compliance.

What's Next

All four country strategies are now available in PurLayer Professional for organisations working with France, the Netherlands, Luxembourg and Belgium.

Professional users can now select their region during strategy generation and receive guidance filtered to their country's regulatory framework, supervisory authority and sector-specific requirements.

If you are expanding Microsoft Purview governance into Europe, the foundation is ready. Try PurLayer with a European country selection.