The Proton Blog

Survey: Europeans prefer businesses that don’t use US tech

Edward Shone — Tue, 16 Jun 2026 11:50:45 GMT

Earlier this year, we discovered that Europeans are leaving US tech and switching to more private local alternatives that align with their values. But we also wanted to know whether this growing consumer attitude affects non-tech businesses in Europe who merely rely on US technology for their email, payment systems, or web hosting.

We asked 3,000 people in the UK, France, and Germany whether they would avoid giving their business to a European company if it used US tech. And a surprising number of them said, “Yes.”

Some of the key findings of the new research released today show mounting resistance to US tech from multiple perspectives:

Mistrust over data protection: Forty-five percent said they were likely to avoid products and services that stored their data with US companies, due to privacy and security concerns.
Keeping euros in Europe: Sixty-five percent agreed European small businesses should prioritize European-based technology over US-based ones.
Communications privacy fears: Respondents were most worried about social media, email, and messaging apps invading their privacy.

European businesses are incredibly dependent on American tech companies to operate. Our previous research found that over 74% of all publicly listed European companies rely on US-based tech services, like Google and Microsoft.

There are many factors turning Europeans away from US tech, but their concern boils down to a lack of control. At the Open Source Policy Summit 2026, Finnish MEP Aura Sally vocalized the chief concern that this creates: “The EU runs on Microsoft. The US could turn us off inside one hour.”

In such a context, European alternatives are not only more urgent, they might also help your bottom line as consumer preferences shift.

Interest in European tech is growing

Tech sovereignty has never been more top of mind for European businesses. Geopolitical tensions between the US and the EU have grown steadily in recent years. In the last year, rising US tariffs, fines against Big Tech, and governmental threats of invasion have seen Europeans become more resolved to end reliance on US Big Tech companies.

One particular incident that generated concern for Europeans towards US tech occurred in May 2025: The ICC’s chief prosecutor Karim Khan lost access to his email inbox after Microsoft revoked his access — Khan has since moved to Proton Mail, which is based in Switzerland, to prevent further censorship.

Our research found that the last year has made a significant difference in European tech priorities. Forty-five percent of respondents feel it’s more important now than a year ago that European businesses rely on local infrastructure.

Privacy and security concerns push consumers away

Fifty-six percent of respondents will avoid US tech because they’re concerned about data privacy and security. The majority of European consumers would be uncomfortable having their data stored on US servers and it’s easy to understand why.

In 2025, US tech companies were hit with a number of high-profile data breaches and lawsuits leading to considerable fines. Their perceived lack of interest in protecting consumer privacy and exploitation of user data has led to poor perceptions in the EU. Monopolistic practices from businesses such as Google also made it obvious just how dependent the world has become on Big Tech’s services.

European small businesses feel US tech’s impact most

When it comes to European businesses, it’s the smaller ones that consumers feel should prioritize European-based technology.

Sixty-six percent of respondents agree that European small and medium businesses (SMBs) should be using European tech. This is a crucial insight into how important tech choices are for companies under 500 employees. If an SMB relies on US tech, it’s becoming more likely that its potential customers will opt for businesses relying on European tech. This could be fatal: While larger institutions can weather loss of customers, regulatory fines, and loss of reputation, SMBs are much less likely to bounce back due to a lack of funds and resources.

This is further confirmed by our finding that 80% of respondents say that European tech is a key factor in their decision-making when it comes to working with businesses. Investing in European tech is a way to not only protect sensitive data from leaving Europe, but to actively invest in European digital infrastructure and the economy more broadly.

Europeans want secure communication

When it comes to the apps and services that businesses rely on, respondents had three clear priorities: email, messaging apps, and social media.

It’s interesting to note that these are all communications apps, indicating that Europeans prioritize being able to communicate securely and protect their personal data. A Gmail address or an X account could have consumers re-evaluating if they trust the business they’re communicating with.

This distrust is likely caused by high profile incidences of social media apps failing to protect their users against harassment and unwanted surveillance in email inboxes. It’s hard to overstate how much US tech has become both ubiquitous and feared.

European consumers want to invest in European tech

It isn’t just that European consumers actively want to avoid US tech, they want to be able to choose European tech.

Sixty-five percent of respondents said they agreed that people in Europe should rely more on European technology companies. The number of Europeans who want secure European tools such as email, cloud storage, and AI chatbots is increasing because this investment represents a future built to strengthen European countries and end outsourcing to the US.

With this insight into consumer preferences, it’s time for European businesses to make the choice to invest in EU tech sovereignty.

EU tech sovereignty is the future

Knowing that it’s time to break reliance on US tech, what are the options for European businesses? There are options that put your business’s security first and ensure that you’ll never lose access to your data because of geopolitical tensions.

Proton, headquartered in Switzerland, gives your business everything you need to move away from US Big Tech:

Proton Mail offers end-to-end encrypted email relied on by businesses, governments, and journalists to protect sensitive data.
Proton Drive offers cloud storage, docs, and sheets that ensures you’ll never lose access to critical business assets and protects you from Big Tech using your data to train its AI models.
Proton VPN offers secure VPN connections that encrypt data within your network, protecting your business from hackers and insider threats.
Proton Lumo is a secure AI tool that keeps no logs of your conversation, meaning your business can leverage the benefits of AI without giving away your data or training Big Tech’s models.
Proton Pass is a business password manager that centralizes your business’s passwords, preventing data breaches and helping your team work safely and effectively.
Proton Meet makes private videoconferencing possible with end-to-end encryption and seamless integration with Proton Calendar, so sensitive conversations are secure and convenient.

Report: Reclaim tech sovereignty before Big Tech breaks your business

Risa Tang — Tue, 16 Jun 2026 11:50:09 GMT

Across Europe, most companies run on American technology — often without realizing just how much of their day‑to‑day operations depend on it. From email and video calls to customer support systems, hundreds of mission-critical tools pass through a handful of US platforms.

For decades, that felt like a reasonable trade‑off: powerful tools, competitive prices, and confidence in the US as a geopolitical ally. But those assumptions no longer hold: Big Tech tools are no longer the only option, and EU policymakers believe they’re not worth the price of European sovereignty.

As political tensions intensify and privacy demands increase, Europe’s reliance on US tech is starting to look less like a convenience and more like a liability — especially for small- and mid-sized businesses without a business continuity option.

To help European businesses navigate the uncertainty and the transition to tech sovereignty, Proton is releasing a new intelligence report today, US tech dependence: A risk report for European businesses. In it, we examine how this dependence developed, where it creates risk, and what leaders can do to regain control.

Download the free report

How deep does Europe’s dependence go?

Proton has been tracking Europe’s reliance on US tech for several years. The picture that emerges from our latest research and market analysis is clear:

Over 74% of Europe’s publicly listed companies rely on US‑based providers like Google and Microsoft for critical services.
As of 2025, US cloud providers control more than 70% of the European cloud market; European vendors hold less than 15%.
In a Proton survey of 3,000 people across the UK, Germany, and France, 73% said Europe is too dependent on US tech companies, and 83% expressed concern about that dependence.

This all means that sensitive business information, strategic plans, and everyday operations across the continent sit on infrastructure controlled outside Europe’s legal and political system, leaving European companies exposed to decisions taken elsewhere. The result is a structural dependence that underpins nearly every sector from finance and healthcare to manufacturing, media, and even the government.

Why tech sovereignty matters more than ever

Dependence on US tech is not new. What is new is the combination of pressures Europe now faces from Washington — and the way those pressures intersect with critical digital infrastructure.

As Finnish MEP Aura Salla puts it: “The EU runs on Microsoft. The US could turn us off inside one hour.”

Several recent developments have made this issue too big to ignore:

Sanctions and tech access are tightly linked. In recent years, US sanctions have cut off targeted individuals and institutions from mainstream American services overnight, including email, payment platforms, and cloud tools. When the chief prosecutor of the International Criminal Court lost access to his Microsoft inbox following US sanctions, it sent a clear signal: Access to US platforms can be wielded for geopolitical ends.
Transatlantic relations have become progressively strained. In his second term, President Trump has raised tariffs on European exports, floated the idea of leaving NATO, and threatened retaliation when the EU enforces its own laws against US tech companies. Senior US officials have framed EU fines on American platforms as attacks on “the American people”. In other words, digital infrastructure now risks becoming a bargaining chip.
US surveillance laws reach into European data. The CLOUD Act and Section 702 of the Foreign Intelligence Surveillance Act permit US authorities to request access to data held by American companies, even when that data belongs to Europeans and is stored in the EU.
Europe is trying to assert digital sovereignty, but still runs on US systems. European governments have announced plans to move away from US platforms in sensitive areas, launched initiatives to strengthen tech sovereignty, and passed laws such as the EU Data Act to constrain foreign access to European data. But the irony is most of its businesses and institutions still rely on US infrastructure for core operations.

These developments mean Europe now faces a paradox: It is trying to defend its laws, norms, and strategic interests while running those defenses on systems ultimately governed by someone else’s rules.

How much is your business at risk?

Some organizations are more exposed than others. Based on our research, certain patterns tend to correlate with higher risk.

Which of these statements are true for your business:

Most of your core tools sit with one US provider. Many organizations default to Big Tech ecosystems such as Google and Microsoft, mostly for convenience. But this also means a single outage or policy change can disrupt multiple functions at once.
Your SaaS vendors still rely on US clouds. While your stack may come from different vendors and look varied on the surface, they may still rely on a US cloud provider like AWS and therefore be subject to US data jurisdiction.
You manage EU customers or sensitive data on US platforms. If your business serves European or public‑sector clients, processes health or financial data, or operates in a regulated industry, that information is subject to US laws. This can cause potential conflicts with European privacy and data protection rules.
Security and compliance are left to your providers. If asked, would you be able to easily explain your vendors’ policies on security and privacy? Simply trusting that your providers will “do the right thing” means limited independent verification of how your data is actually accessed, logged, or shared — and these policies can change at a moment’s notice.
There is no clear exit plan. Migrating away from your main US provider would take months of preparation and significant disruption. There is no tested scenario, or any alternatives in mind, if access is suddenly affected.

If several of the points above sound familiar, your dependence on US tech may be deeper — and more precarious — than it appears. You’re not alone: The real question is what to do next.

Maneuver now, while you still have room

Over the past decade, we’ve seen how easily control can slip away when critical infrastructure is outsourced, and how hard it is to regain once that happens. As a privacy-first, Swiss-headquartered company, Proton is built on the belief that people and organizations should control their data — and, by extension, their future.

This report is part of that effort, providing detailed analyses and actionable insights that any business can use to understand its position and plan ahead. US tech dependence: A risk report for European businesses gives you:

An overview of the current landscape, including how and why Europe became reliant on US tech
A breakdown of the main risk areas, from geopolitics and outages to surveillance and compliance
Real‑world examples that show how these risks have already disrupted organizations
13 practical mitigation strategies you can implement now

The pressure on European businesses is already building. Waiting until a sanction, policy change, or major outage hits your providers is the most expensive way to find out how much your business is at the mercy of external forces. Acting now — while the choice is still yours — gives you options instead of emergencies.

Download the free report

15 cybersecurity tips for small and medium businesses

Alanna Alexander — Tue, 16 Jun 2026 11:40:37 GMT

Small to medium businesses (SMBs) tend to think that they’re at a lower risk of facing a cyberattack. That’s not how attackers see it. To them, the smaller the business, the smaller the security budget. But that’s only part of why SMBs need stronger security.

Why cybersecurity matters for SMBs

SMBs aren’t ignoring cybersecurity. According to Proton’s SMB Cybersecurity Report 2026 — a survey of 3,000 business leaders across six markets — 92% have invested in security measures.

Still, one in four still suffered a cyberattack or breach in the past year.

The gap between investment and protection is largely a human one. SMBs rarely have dedicated security resources, yet handle large amounts of valuable data — a combination that makes them an attractive target.

When things go wrong, the impact is far-reaching:

46% of those hit reported data loss
38% operational disruption
30% loss of customer trust.

Formal risk assessments, regular audits, and modern measures like multi-factor authentication and password managers aren’t working because without enforcement, even good tools fail.

Half of respondents have a password manager in place — but in those same organizations, credentials are still being shared via email (29%), shared documents (28%), messaging apps (23%), and written notes (21%). Having the right tools isn’t enough if they aren’t embedded into how people actually work.

So, what can businesses do to protect themselves?

Essential cybersecurity best practices for SMBs

1. Enforce strong password management

Poor password management is one of the biggest threats to security at your organization, and might include:

Password reuse: Using the same password for multiple accounts means that if hackers steal your password for one account, they can use it to access other business accounts.

Unsafe password sharing: Sharing credentials via email, messaging apps, shared documents, in conversation, or in writing leaves you vulnerable to hackers or unauthorized people accessing your accounts.

Unrestricted access: Failing to limit access to privileged platforms or documents allows anyone with credentials for a single account to view, modify, or delete sensitive business data they shouldn’t have access to.

A business password manager can help prevent password reuse and enable safe password sharing. However, it’s essential to implement an enterprise password manager rather than rely on browser-based ones. Proton Pass provides you with a centralized admin panel, audit logs, and granular user and group controls, making it easy to add or remove access during onboarding and offboarding, as well as during a cybersecurity event.

2. Keep software and systems updated

Installing all relevant software updates is critical. SMBs often skip updates due to downtime fears. These updates protect you by patching security vulnerabilities to protect against data breaches, malware, and unauthorized access.

Many SMBs use a centralized automated patch management strategy to manage updates. A single platform handles the detection, testing, deployment, and auditing of software updates across network devices, reducing reliance on manual updates and helping maintain consistency.

3. Implement multi-factor authentication (MFA)

Multi-factor authentication is one of the best protections available for securing access to your systems and files. The key is to enforce MFA by default — don’t leave it as an optional setting.

Most secure MFA methods: Hardware keys and authenticator apps
Moderately secure MFA methods: Biometrics, such as fingerprints or Face ID
Least secure MFA methods: Push notifications and text messages

In addition to enforcing MFA, you can ban push notifications and text messages for admin accounts. Use an authenticator app or hardware keys to prevent SIM-swapping attacks, which are rampant against small business owners.

4. Secure your network access

If your organization offers remote or hybrid work or requires travel, create a secure connection between your employees and your business network. Employees working from home, or on public Wi-Fi networks in cafes or while traveling can allow attackers to intercept data in transit. A VPN encrypts data in transit, shielding sensitive information from hackers and insider threats.

Proton VPN gives you control of your network and defends your devices from IP tracking and malware.

5. Conduct employee training and security awareness

Technology alone can’t prevent a breach; human error consistently ranks among the main causes of data breaches. Your employees need to recognize social engineering tactics, which often rely on psychological manipulation. It’s advisable to implement regular phishing simulation exercises and security training to foster a security-first culture.

6. Encrypt your data

Encryption ensures that even if data is stolen, it remains unreadable to attackers. This applies to both data at rest (stored on devices) and data in transit (being sent over the internet).

Email encryption: Protect client communications and prevent sensitive information from being intercepted. Proton Mail offers end-to-end encrypted business email solutions that automatically protect your messages.
File encryption: Understand which files need to be encrypted and how to encrypt them.

7. Ensure secure cloud storage and collaboration

When choosing a cloud provider, avoid services that scan your data for advertising or AI training purposes. Opt for zero-knowledge cloud storage where only you hold the encryption keys.

Proton Drive provides end-to-end encrypted cloud storage, so your documents and files remain private. For team collaboration, Proton Docs and Proton Sheets enable your team to work in real time without compromising data security.

8. Implement network segmentation and access controls

Don’t let a breach in one area spread to your entire network. Implement network segmentation to limit lateral movement during an attack. Combine this with role-based access control (RBAC) so employees have access only to the data necessary for their roles.

9. Review third-party vendor risk

Your supply chain is only as secure as its weakest link. Attackers often target smaller vendors to gain access to larger partners. Conduct vendor security assessments and require partners to follow the same strict data protection standards that you do.

10. Develop and enforce a BYOD policy

Allowing employees to use personal devices (Bring Your Own Device/BYOD) introduces significant risk if not managed correctly. Personal devices rarely have the same security controls in place as corporate hardware.

Develop a clear BYOD policy that defines security requirements, data access permissions, and compliance regulations. Give your team access to secure tools, such as encrypted email and password managers, on their personal devices to reduce risk.

11. Implement zero-trust principles

Adopt a “never trust, always verify” mindset. Zero trust security treats every access request as untrusted by default, whether it comes from inside or outside your organization. Every request should be authenticated, authorized, and encrypted.

12. Conduct regular vulnerability scanning and security audits

You can’t fix what you don’t know is broken. Schedule regular vulnerability scans to find weak points in your infrastructure before attackers do. Use these findings to prioritize patching and configuration changes.

13. Monitor and log network activity

Continuous monitoring helps detect suspicious activity in real time. Log network traffic and review logs regularly to spot anomalies that could indicate a breach in progress.

14. Have an incident response plan ready

Many SMBs assume they’ll handle a breach when it happens. But without a plan, a small incident can spiral into days of disruption.

An incident response plan doesn’t need to be complex — start with a one-page document that covers the basics. Run simple “what if” scenarios with your team to identify gaps before a real crisis forces you to find them the hard way. And importantly, review your plan after every incident or test run.

15. Adopt the modern 3-2-1-1-0 backup strategy

The traditional “3-2-1” backup rule (three copies, two media types, one off-site copy) no longer covers every risk. Ransomware attacks can encrypt connected backups alongside your primary files, making recovery much harder. Many organizations now follow the 3-2-1-1-0 approach:

3 copies of your data: 1 primary + 2 backups.
2 different storage media types: For example, local server + external drive.
1 off-site or cloud copy.
1 immutable or air-gapped copy: This is the critical addition — it ensures one backup copy cannot be modified, deleted, or encrypted by ransomware, even if an attacker gains admin access to your network.
0 errors: Regularly test your backups to confirm restoration works flawlessly — a backup you can’t restore is a wasted expense.

Many small businesses rely on cloud sync folders that automatically update files across devices. If ransomware encrypts your files, those encrypted versions can quickly spread to synced devices and backups. To reduce this risk, consider using zero-knowledge cloud storage with version history and retention controls.

Proton Drive includes end-to-end encryption and file version history. If ransomware encrypts local files and those changes sync to the cloud, version history can help restore earlier, unencrypted versions. However, full 3-2-1-1-0 compliance also requires an air-gapped backup or another protected backup isolated from ransomware attacks.

By implementing these cybersecurity tips, SMBs can significantly reduce their risk profile and protect their reputation and revenue.

Ready to get started? Try a free Proton for Business trial and upgrade your cybersecurity stance today.

UK’s social media ban for children: the privacy problems Australia already exposed

Edward Komenda — Mon, 15 Jun 2026 20:44:27 GMT

Prime Minister Keir Starmer announced on Monday that the UK will ban children under 16 from social media platforms including Instagram, TikTok, YouTube, Facebook, Snapchat, and X. Legislation is expected before Christmas, with the ban coming into force in spring 2027. Messaging services like WhatsApp and Signal are excluded.

The UK is going further than Australia — which implemented the first under-16 social media ban — in some respects: the ban will extend to livestreaming and stranger-to-child contact on gaming platforms, and the government is considering overnight curfews on social media use for under-18s. AI chatbots designed to simulate romantic relationships will be restricted to adults only.

Political support is broad. More than 90% of parents who responded to the government’s public consultation backed a minimum age of 16. Starmer framed the decision in unambiguous terms: “Tech giants had their chance and failed, but we’re stepping in to protect children.”

But the harder question — how exactly this gets enforced — is where things get complicated.

Australia’s six months offer an early lesson

The UK government says it plans to learn from Australia, which became the first country to implement an under-16 social media ban in December 2025. That experiment now has roughly six months of data behind it.

The results are not encouraging. Australia’s online safety regulator, eSafety, found that 70% of under-16s in the country continue to access banned platforms. Teens have been bypassing restrictions by providing false credentials during account sign-up or lying about their age — the same workarounds that existed before the ban.

Australia’s eSafety guidelines also point to VPNs as a circumvention tool and ask platforms to detect and block them. But the evidence that children are actually driving VPN use is thin. When the UK’s Online Safety Act brought in age verification requirements in 2025, VPN usage more than doubled, but Ofcom’s Online Nation report found it had fallen back significantly by November.

Research from Childnet found the surge was not attributable to children at all. In fact, the most common reason children gave for using a VPN was to stay safe online and protect their privacy

The US government’s submission to the UK consultation made the point plainly: “VPNs are a useful, lawful privacy tool — individuals globally rely on VPNs as an essential tool to protect their privacy online and access the open internet. Policies banning or treating such internet freedom and privacy tools as inherently suspect are typically associated with states that subject their people to significant censorship and human rights violations.”

Enforcement still means collecting more sensitive data

Every age-verification system, however it works, requires platforms to collect more personal data than they do today. The UK government has asked Ofcom to conduct a rapid study on what constitutes “highly effective age assurance” for verifying whether someone is over 16.

That study will likely revisit the same territory already explored in Australia: biometric facial-age estimation, live selfie verification, AI-based behavioral inference, and government-issued identity document uploads. As we noted when Australia’s ban took effect, this approach turns mainstream social platforms into identity-verified services rather than places where people can participate without handing over sensitive information.

The UK has been here before. The government spent years trying to introduce a system requiring users to prove their age to access pornography online — and the effort collapsed after repeated technical failures and the discovery that at least one verification system could be bypassed in minutes. It was abandoned in 2019. When the government tried again under the Online Safety Act, the results were no more reassuring: Discord’s rollout of age verification in 2025 ended with a third-party provider compromised and 70,000 government-ID photos exposed.

Who bears the cost

Critics including the Molly Rose Foundation — established in memory of 14-year-old Molly Russell, who died by suicide after viewing self-harm content online — argue the ban is too blunt an instrument. “What we’re really concerned about is that the government rushes into solutions that the evidence just doesn’t support, rather than addressing the causes of harm,” said Rowan Ferguson, the foundation’s policy manager. Kate Edwards, its head of education, put it more directly: “It does nothing to address the actual problem — the harmful algorithms, the harmful content that is existing on those platforms.”

That’s the tension at the core of age-based social media bans. The business models that make these platforms harmful — algorithmic amplification of extreme content, infinite scroll, engagement-at-all-costs design — affect adults just as much as children. A ban on under-16 access doesn’t touch those models. Even if it does remove some young people from the platforms, it doesn’t make those platforms any less toxic.

YouTube and Meta have both warned that blanket restrictions risk pushing teenagers toward unregulated alternatives with fewer safety features. That warning should be taken seriously, because evidence from Australia suggests it’s happening.

What the UK ban means globally

The UK’s announcement follows similar moves in Australia, Canada, Brazil, and Indonesia, with France, Denmark, Spain, Thailand, and South Korea studying comparable approaches. Australia said the world would follow if its rollout went smoothly. The rollout has not gone smoothly — and the world appears to be following anyway.

The US has pushed back. The American Embassy in London submitted a response to the UK’s public consultation warning against regulations that “impose disproportionate compliance burdens on American companies.” Tensions between Washington and London over Silicon Valley regulation are expected to be on the agenda at the G7 summit this week.

What’s emerging is a global race to restrict children’s access to social media without a clear model for how enforcement actually works at scale. The UK government says it will learn from Australia’s experience. Whether that learning is deep enough to produce a meaningfully different outcome remains to be seen.

The real question

Protecting children online is a legitimate and urgent goal. The harms are real — predatory behavior, algorithmically amplified content promoting self-harm, eating disorders, anxiety. No serious person disputes that tech companies have failed to address these problems voluntarily.

But the mechanism matters. Age-verification systems normalize mass collection of biometric and identity data just to access services that were previously open to everyone. They shift the burden of child safety onto data infrastructure that introduces its own serious risks. And based on what Australia has shown, they may not significantly reduce teenage access to platforms at all.

The more lasting solution is to make the internet less harmful for everyone. That means addressing the business models, algorithms, and design patterns that make these platforms toxic in the first place. Children and adults both deserve better than what today’s social media offers them. A ban on under-16s doesn’t fix that. It protects platforms, not children.

At Proton, we believe the answer is to minimize data collection, maximize user control, and build systems that treat privacy as a default rather than as a trade-off for access. For families navigating these questions now, our parent’s guide to keeping kids safe online is a place to start. As Britain prepares to introduce its ban, the question worth asking is whether the cure is being designed with as much care as the diagnosis.

The answer to online harm shouldn’t be an internet that requires you to prove who you are before you’re allowed in.

In win for digital sovereignty, Netherlands blocks takeover of ID service by US firm

Elfi Egmond — Sat, 13 Jun 2026 10:29:07 GMT

Citing the risks to its citizens’ data, the Dutch government has blocked the €100 million takeover of Solvinity by an American company, Kyndryl, ensuring that the infrastructure behind the national digital identification service DigiD will stay in European hands for now.

The decision on May 25, 2026, was the first time the Bureau for Investment Screening had blocked an American takeover on grounds of public interest, and it fits into a broader European movement toward protecting digital sovereignty: increasingly, countries are taking concrete steps to keep crucial digital infrastructure under their own control.

Why the DigiD takeover sparked so much resistance

Solvinity manages the cloud infrastructure on which DigiD runs — the system that gives Dutch citizens access to tax records, medical files, and pension information. When Kyndryl announced the takeover of Solvinity in November 2025, broad opposition emerged immediately.

The primary concern was the American CLOUD Act. This law requires American tech companies to provide data to the US government, even when that data is physically stored in Europe. The takeover would have meant that personal data of millions of Dutch citizens would fall under American jurisdiction, outside the protection of the European GDPR.

This dependence is no theoretical risk. Our own research shows that 81% of Dutch publicly traded companies depend on American tech services. In strategically crucial sectors such as semiconductors (including microchips), this rises to 83%.

The rejection was the result of months of action by citizens, journalists, and privacy activists. State Secretary Willemijn Aerdts adopted the advice of the Bureau for Investment Screening: the takeover posed “a risk to the public interest.” A broad parliamentary majority supported the decision.

Digital sovereignty: from policy to action

In December 2025, the Netherlands presented a new vision on digital sovereignty, emphasizing that crucial infrastructure must fall under Dutch or European legislation. The country is actively investing in its own cloud alternatives such as STACKIT and the KPN-Thales sovereign cloud.

This development fits into a broader European pattern toward digital independence, with countries like France replacing American tools and the EU bringing chip production back to Europe through the CHIPS Act. Earlier this month, the EU Parliament ditched Google in favor of a European alternative search engine, Qwant.

What this means for your privacy

Control over digital infrastructure is no longer a technical detail — it’s a matter of national security and civil rights. When medical data, financial information, and personal communication are all digital, whoever controls that infrastructure also determines who has access to that data.

This applies not only to government systems like DigiD, but also to your everyday internet use. Your internet traffic passes through the servers of your internet provider and the websites you visit, often under American or non-European jurisdiction. With a premium VPN based in Europe, such as Proton VPN, you can encrypt your internet traffic and route it through servers in the Netherlands or other European countries, keeping your data under European privacy legislation.

The Netherlands has shown with the rejection of the DigiD takeover that digital sovereignty is achievable. Now it’s up to citizens to also protect their personal data.

How to know if you have a virus on your phone

Jessica Bernard — Fri, 12 Jun 2026 11:55:30 GMT

If your phone is behaving in unusual ways, like unexpected data usage spikes or rapid battery drain, there’s a chance it might have a virus. Here are some of the telltale signs that your phone is infected, what you can do to clean it, and how to ensure your phone is protected in the future.

What is a phone virus?
Signs your phone has a virus
How to check if your phone has a virus
Should you use additional antivirus software?
How to protect your phone from viruses

What is a phone virus?

A phone virus is a type of software that is designed to spread throughout the files, apps, and data on your phone. Once a user opens an infected file the virus can infect the host and set out to replicate itself, infecting other files and devices in the same way a biological virus infects other people who come into contact with the host.

Many people use the terms “virus” and “malware” interchangeably, but a virus is a type of malware. Malware is an umbrella term for software that steals, disrupts, or deletes data, and also includes things like ransomware and spyware.

Signs your phone has a virus

There are a number of symptoms that might indicate your phone has a virus.

Unusual performance issues

Rapid battery drain: Your battery life has suddenly dropped without a change in your usage habits.
Overheating: Your phone feels hot to the touch, even when you aren’t using energy-intensive apps like games or video streaming.
Sluggish performance: Apps take a long time to open, the home screen freezes, or your phone lags significantly when scrolling or typing.

Malware often runs hidden background processes, draining your battery and slowing down your device. If your phone feels sluggish or hot when you’re not performing processor-intensive tasks, it’s a major red flag.

Strange data or billing activity

Spike in data usage: You experience an unexplained jump in cellular or Wi-Fi data consumption.
Mysterious charges: Your phone bill shows premium SMS messages you didn’t send, unexpected subscriptions, or calls to unknown international numbers.

Malware often sends data to remote servers or joins your device to a botnet; a group of internet-connected devices that have been breached and are being controlled by a third party, often to perform DDoS attacks.

Toll fraud is a type of malware that is predominantly used to target Android systems. Users are secretly subscribed to premium-rate SMS or telephone services, racking up charges without their knowledge or consent.

Pop-ups and ads

Unexpected advertising: You have ads popping up on your home screen, inside apps where they shouldn’t be, or even when your browser is closed.

These ads are likely what’s known as adware, and can slow down your device. Adware often gets downloaded automatically with “free” software.

Fake security alerts: You’re seeing pop-ups and alerts claiming your phone is infected and urging you to download a “cleaner” app.

These alerts are almost always scams designed to install more malware.

App behavior anomalies

Unknown apps: You notice apps installed on your device that you don’t remember downloading.
Apps crashing frequently: Legitimate apps start crashing or freezing unexpectedly.
Unusual permissions: Apps are requesting permissions they don’t need, such as access to contacts, camera, or microphone.

These irregularities could indicate that malicious software is masquerading as legitimate apps, hijacking system resources, or seeking access to your private data.

Network and connectivity issues

Slow internet speeds: Your connection seems slower than usual, even on strong WiFi.
Random reboots: Your phone restarts itself without your input.

Hidden malware processes frequently consume your bandwidth to transmit stolen data or join botnets, causing slowdowns and system instability that triggers unexpected restarts.

It should be noted that many of these issues can also be caused by aging hardware, software bugs, or simply by too many apps running in the background, rather than a virus. Regardless of the cause, there are steps you can take to resolve the underlying issue.

How to check if your phone has a virus

Android phone virus checks

Google Play Protect is your first line of defense against viruses and malware on Android devices. Play Protect runs continuously in the background and performs several types of automatic scans:

App installation scan: Every time you install an app from Google Play Store.
Periodic device scan: Automatically checks all installed apps regularly (usually daily or weekly).
Web protection: Scans websites you visit through Chrome for known threats.
Harmful app removal: Can automatically uninstall detected malware.

Automatic scans happen as long as Play Protect is enabled, which it is by default on most devices.

Manual Play Protect scan

You can trigger a manual scan any time you want by following these steps:

1. Open the Google Play Store app.

2. Tap your profile icon.

3. Select Play Protect.

4. Tap Scan to run an immediate check.

This is useful if you’ve recently installed an app from outside the Play Store (known as sideloading) or if you’re experiencing suspicious behavior.

While Play Protect is helpful, it’s not foolproof. Because it’s not a full antivirus tool, it may struggle to recognize new malware variants. It may also give false negatives in some cases.

Review app permissions

Review which apps have access to your information by using Permission Manager.

1. Go to Settings → Security and Privacy → More privacy settings → Permission Manager.

2. Revoke access for any apps that don’t need it.

Use a third-party anti-virus app

You can download antivirus and anti-malware apps from the Play Store. Just be sure to only download apps from reputable vendors. See Should you use additional antivirus software? below for more details.

iPhone virus check

Because of how iOS is designed, traditional antivirus apps that scan your entire file system for malware don’t exist on the App Store (and Apple wouldn’t allow them to function that way anyway). Instead, iOS’s architecture protects you from phone viruses by ensuring that:

Apps are sandboxed: Every app on an iPhone runs in its own isolated sandbox. An app can’t access the files, data, or code of another app.
Apps are reviewed: Apple manually reviews every app before it reaches the App Store. While bad actors sometimes slip through, it’s extremely rare.
Apps can’t be sideloaded: Outside the EU, you can only install apps from the App Store, which drastically reduces infection risk (unless you’ve jailbroken your phone).

To do a manual diagnosis and cleanup, try these steps:

Do a safety check (iPhone with iOS 16 or later)

Review which people and apps have access to your information and devices by using Safety Check.

1. Go to Settings → Privacy & Security → Safety Check → Manage Sharing & Access.

2. Follow the steps to reset or manage access to your information.

Clear Safari data

What seems like malware is often “just” adware or browser redirects trapped in your Safari cache.

1. Go to Settings →Apps → Safari.

2. Scroll down and tap Clear History and Website Data.

This removes cookies and cached scripts that might be causing pop-ups.

Review configuration profiles

Malware sometimes installs a configuration profile to force settings changes or redirect traffic.

1. Go to Settings → General → VPN & Device Management.

2. From here:

If you don’t see any profiles, then no device management profiles are installed on your device.
If you do see unfamiliar profiles, select the profile, tap Delete Profile and follow the instructions, then restart your device.

Do a factory reset

If you still suspect a virus, you can restore your phone to factory settings. This will completely wipe your phone and enable you to set it up again as new.

Warning: Before resetting, follow Apple’s recommended steps to ensure you’ve backed up your phone correctly.

Should you use additional antivirus software?

Regardless of whether you have an Android or iOS device, good security habits are generally sufficient to prevent phone viruses. However, you could consider additional antivirus software if you:

Frequently sideload apps (Android devices)
Download files from untrusted sources
Handle sensitive financial or business data on your phone
Want extra peace of mind

Popular options include Bitdefender, Malwarebytes, Norton, and Kaspersky.

If you have an Android device, these apps can actively scan files, monitor app behavior, and block malicious downloads in real-time.

However, if you’re an iPhone user, these apps won’t scan for viruses in the traditional sense. Instead, they focus heavily on web protection (blocking phishing sites), Wi-Fi security, and identity theft monitoring, so iPhone users may prefer to opt for other protections.

How to protect your phone from viruses

Maximizing phone security requires a layered approach. Combining the built-in security measures of your phone with a password manager and a VPN creates a strong line of defense against phishing, credential theft, and network surveillance.

Set up automatic updates

Automatic software updates ensure that Apple and Google can swiftly patch critical vulnerabilities.

iPhone software updates

1. Select Settings → General → Software Update.

2. Toggle on Automatic Updates.

You can also turn on Background Security Improvements to provide additional protection in between software updates.

1. Select Settings → Privacy & Security → Background Security Improvements.

2. Toggle on Automatically Install.

Android software updates

1. Go to Settings → System → System Update and enable automatic updates.

2. Disable Install Unknown Apps (keep this setting off for all apps unless absolutely necessary).

Install a password manager

A password manager generates and stores unique, complex passwords for every account, eliminating the single biggest cause of breaches: password reuse. It also guards against credential stuffing and phishing by autofilling credentials only on legitimate sites.

Proton Pass protects your logins with zero-knowledge, end-to-end encryption and goes further with built-in 2FA authenticator codes, unlimited hide-my-email aliases to shield your identity, and Dark Web Monitoring that alerts you if your credentials are leaked.

Get Proton Pass

Use a VPN

A VPN encrypts your internet traffic, shielding it from ISPs and other third parties. It also hides your IP address so websites and trackers can’t identify or profile you.

Proton VPN is open-source and independently audited, with a strict no-logs policy backed by Swiss privacy law. If you have a Plus plan, our NetShield Ad-blocker DNS filtering solution can block connections to adware and malware domains

Get Proton VPN Plus

Stay legit

If you’re on Android, stick to apps available in the Google Play Store or a reputable app store like F-droid. If you do need to sideload an app, only download APKs from the developer’s official website and verify where possible. If you’re on an iPhone, don’t jailbreak your phone. This opens you up to viruses and other malware, and negates many of the protections that Apple products otherwise offer.

Section 702 just expired. What’s next for warrantless surveillance in the US?

Edward Komenda — Thu, 11 Jun 2026 23:06:04 GMT

Through a series of extensions and expansions since its creation in 2008, Section 702 of the Foreign Intelligence Surveillance Act has allowed US intelligence agencies to collect communications from foreigners abroad without a warrant, routinely sweeping up Americans’ emails, messages, and calls in the process.

It expired over the weekend. And while that’s not the end of the story, there’s reason for hope that reform may be on the way.

In a 218-to-198 vote on Friday, the House of Representatives rejected a short-term extension of Section 702, and Senate Democrats blocked a parallel effort hours later. For years, a growing bloc in both parties had demanded one thing before agreeing to renew: a warrant requirement. On Thursday, they finally had the votes to hold the line. Speaker Mike Johnson called the lapse “dangerous, and very, very shameful.”

Privacy advocates have argued for years that renewing Section 702 without reform is the real danger.

Surveillance doesn’t stop when the law does

The Foreign Intelligence Surveillance Court renewed its procedures for the Section 702 program in March. On Thursday, Representative Jamie Raskin said “government surveillance activities will continue unchanged” and that “current FISA authorizations will continue unaffected, at least through March 17, 2027,” according to CBS News. Even Representative Rick Crawford, the Republican chairman of the House Intelligence Committee and a supporter of renewal, confirmed the 702 database “would remain available to search.” The concern is that data grows stale over time, not that collection stops.

The more immediate problem is that some carriers have privately warned they will stop cooperating once the statute lapses, fearing legal liability without an active law behind the government’s requests. Intelligence agencies and telecoms face uncertainty about what collection can legally continue. Reform legislation would have resolved that. Congress chose not to pass it.

A warrant requirement needed three more votes

Axios reported that lawmakers in both parties were close to a longer-term extension. What they couldn’t agree on was whether to attach the reforms a substantial bloc of lawmakers has demanded for years.

Conservative Republicans who have long pushed back on FBI abuses of the Section 702 database refused to vote for a clean renewal. Democrats who previously supported the program did the same.

The warrant requirement is not a fringe position: when it came to a House vote in 2024, it failed 212-212. This week, a clean extension couldn’t reach a majority. The reform bloc, for the first time, had enough votes to block renewal outright.

Both parties expand surveillance when in power

We’ve documented this pattern for years. Section 702 has grown under every administration that has touched it. The party in power defends and extends these authorities. The party out of power raises objections, until it wins.

President Bush signed the Patriot Act into law on October 26, 2001, expanding domestic surveillance authority. Once in power, the Obama administration signed a four-year reauthorization of those same provisions, despite bipartisan resistance in Congress.

The 2024 renewal also made this plain. As a candidate, President Trump said “KILL FISA” days before Congress passed a renewal that President Biden signed into law, expanding Section 702 by broadening which companies can be compelled to assist with surveillance. The warrant amendment failed. Surveillance expanded. Both parties voted for it.

The case for reform doesn’t depend on who is in office. These powers have no meaningful checks on how they are used.

When searching Americans’ private communications requires no warrant, the only protection users have is whether the people in charge choose to exercise restraint.

That is not a protection.

The warrant requirement is the specific reform that matters

The Government Surveillance Reform Act, backed by a bipartisan coalition including senators Ron Wyden and Mike Lee, would require a warrant before agencies can search Americans’ data collected under Section 702.

It would close the loophole that lets the government buy personal data from brokers instead of going to court, so location data and browsing history can’t be purchased to avoid judicial oversight. It would also roll back the expanded definition of who can be forced to assist with surveillance, with direct implications for how VPN traffic is classified under the law.

Reauthorization will come back. This time, reformers have leverage.

Your business’s practical multi-factor authentication implementation guide

Kate Menzies — Wed, 10 Jun 2026 12:05:11 GMT

Multi-factor authentication (MFA) is no longer just a security recommendation for large enterprises. It’s one of the most practical ways for businesses to reduce the risk of account takeover and make stolen passwords less useful. As access to business systems spreads across cloud apps, remote teams, shared devices, and third-party platforms, MFA is becoming a more useful tool.

But during implementation, IT managers face the challenge of being able to assess whether MFA is useful or effective. Making MFA work across an organization requires making a lot of decisions: Which accounts need it first? Which MFA methods should be allowed? How do you avoid employee pushback? How do you make sure MFA is actually enforced, not just encouraged?

This guide is written to help your business MFA implementation work. It explains what MFA is, why passwords alone are no longer enough, how common MFA methods compare for business use, and how to roll out MFA in a way your team can adopt. It also shows how a business password manager with built-in 2FA support can make stronger authentication practices easier to manage at scale.

What is multi-factor authentication?

Why passwords alone are no longer sufficient

Types of MFA and business trade-offs

Where MFA implementation fails

The employee resistance problem

How to roll out MFA across your business

How Proton Pass for Business makes MFA manageable

What is multi-factor authentication?

MFA is a security process that requires more than one type of identity verification to access an account. Instead of relying only on a traditional password, MFA asks for an additional factor that makes unauthorized access harder.

The three common authentication factors are:

Something you know, such as a password or PIN.
Something you have, such as a phone, authenticator app, hardware security key, or trusted device.
Something you are, such as a fingerprint or facial recognition.

In practice, MFA usually means an employee enters a password and then verifies the login through another method, such as a time-based code (or TOTP), push approval, passkey, or hardware key. The goal is simple: if a password is stolen, guessed, phished, or reused, the attacker still needs another factor to get in.

Multi-factor authentication in business environments

For businesses, implementing MFA is a way to strengthen account security with an additional access control, not just to replace passwords. In business environments, the challenge is deciding where those methods are most needed and how to deploy them consistently across different systems, roles, and levels of risk.

Nevertheless, not all MFAs are equally strong. A code sent by SMS is better than a password alone, but it does not offer the same protection as a hardware security key or a well-implemented passkey. The right choice depends on risk, usability, device access, compliance needs, and how much administrative control your business can maintain.

Why passwords alone are no longer sufficient

Strong passwords still matter, but they are no longer enough on their own. Employees manage more accounts than ever, and attackers know that business access often begins with one compromised credential.

A password can be exposed through phishing, malware, data breaches, credential stuffing, password reuse, or unsafe sharing. Once attackers have a valid username and password, their activity may look like a normal login attempt unless another layer of verification is required.

This is why data breach protection for businesses needs to include credential controls, endpoint security, and employee training. A strong password policy helps, but it can’t stop every stolen password from being tested against email, cloud storage, finance tools, admin portals, or customer systems.

The financial stakes are high. IBM’s 2025 Cost of a Data Breach Report places the global average cost of a data breach at $4.4 million. MFA can’t eliminate breach risk, but it does reduce one of the most common paths into business systems: unauthorized access through compromised credentials.

MFA is especially important for accounts that control other accounts. Email, identity providers, password managers, admin consoles, developer platforms, payroll tools, and finance systems should be treated as high priority because gaining access to them can unlock further access elsewhere.

Types of MFA and business trade-offs

A good MFA implementation starts with choosing the right methods. The best option is not always the same for every business, team, or system. IT managers, for example, need to balance security strength, employee usability, device availability, administrative overhead, and support needs.

SMS one-time passwords

SMS one-time passwords (OTPs) send a code to a phone number during login. This is one of the easiest MFA methods for employees to understand, and it can be useful where better options are not available.

The downside is security. SMS can be vulnerable to SIM swapping, interception, social engineering, and phone number recovery attacks. It also creates operational problems when employees change numbers, travel internationally, have poor reception, or use personal phones for work.

For businesses, SMS OTPs are best treated as a fallback option rather than the preferred MFA method. It is still better than passwords alone, but it should not be the default for high-risk accounts.

Authenticator apps and TOTP codes

Employees open an authenticator app, such as Proton Authenticator, copy the code generated for the service they’re logging into, and then enter it during login.

This is usually stronger than SMS because the code is generated on the device and doesn’t depend on the mobile network. It is also widely supported across business tools, making it a practical baseline for many MFA rollouts.

The trade-off is usability and recovery. Employees need to set up the app correctly, keep access to their device, and understand how recovery works if a phone is lost or replaced. IT teams also need to create clear policies for backup codes, device changes, and offboarding.

TOTPs works well as a general business MFA method, especially when paired with strong password management and clear admin processes.

Hardware security keys

Hardware security keys, such as YubiKeys, provide strong authentication because the employee must physically possess the key to gain access to business accounts. Many security keys also protect against phishing because they verify that the website itself is legitimate before completing authentication.

For high-risk roles, hardware keys can be one of the strongest MFA options. They are especially useful for administrators, executives, finance teams, developers, and anyone with access to sensitive systems.

The trade-off is rollout complexity. Businesses need to purchase keys, distribute them, train employees, manage backups, and handle lost or damaged devices. A hardware key strategy also needs a recovery process that doesn’t weaken the security benefit.

Passkeys

Passkeys use cryptographic authentication instead of a traditional password. In many cases, employees unlock the passkey with a fingerprint, face recognition, PIN, or device approval. The private key stays on the device, which makes passkeys more resistant to phishing than many older authentication methods.

For businesses, passkeys can improve both security and usability. They reduce reliance on shared secrets and can make login faster for employees. The main challenge is ecosystem readiness. Not every business tool supports passkeys yet, and IT teams need policies for device enrollment, recovery, shared workstations, and employee offboarding.

For many organizations, the practical solution is a hybrid model: use passkeys where supported, keep strong passwords and MFA where they are still required, and manage both through clear access policies.

MFA method	Security strength	Business suitability	Best-use scenario
SMS OTP	Basic	Easy to adopt, but weaker than other MFA methods	Fallback option when stronger MFA is not available
Authenticator apps	Moderate to strong	Practical default for many teams	Everyday business accounts and SaaS tools
Hardware security keys	Very strong	Best for high-risk roles, but requires device management	Admins, executives, finance teams, and sensitive systems
Passkeys	Very strong	Secure and user-friendly where supported	Modern apps, passwordless workflows, and phishing-resistant access

Where MFA implementation fails

MFA can still fail even when a business has implemented it. Implementation quality actually matters as much as the MFA method itself. Some of the reasons for failure can include:

Weak recovery. If employees can bypass MFA through easy account recovery, help desk shortcuts, or poorly protected backup codes, attackers may target the reset process instead of the login screen.
Inconsistent enforcement. MFA may be enabled for some tools but left optional for email, admin accounts, finance systems, shared operational accounts, or certain employees. In that situation, MFA becomes an aspiration rather than a control, and attackers can still look for the weakest available path.
Poor usability. If employees are constantly interrupted, locked out, or unclear about what to approve, they may become frustrated and more likely to make mistakes. Push fatigue is one example: repeated approval prompts can train people to accept requests without thinking.

A strong MFA rollout needs enforcement, monitoring, and support. It should be easy for employees to do the right thing and difficult to leave important accounts unprotected.

The employee resistance problem

Employee resistance is one of the biggest barriers to MFA rollout. Employees may see it as an extra step, a productivity blocker, or another security rule added without context.

This reaction is understandable, especially when MFA is introduced abruptly or with unclear instructions. Resistance often comes from poor implementation, not from opposition to security itself.

The solution to this problem is to make MFA predictable and easy to follow. Explain to employees that it protects business accounts even if a password is stolen, start with familiar tools such as email and shared business platforms, provide clear setup steps, and support employees through device changes.

Avoid framing MFA as a punishment or a sign of distrust. It should feel like a practical safeguard for the company, its clients, and employees’ own work accounts.

A bring your own device (BYOD) policy also helps. If employees use personal devices for work, clear rules for authentication apps, device security, lost-device reporting, and access revocation make MFA rollout smoother.

How to roll out MFA across your business

A successful MFA rollout is a change-management project. IT managers need to decide what gets protected first, how enforcement will work, how exceptions will be handled, and how adoption will be measured.

Step 1: Map your accounts and risk levels

Start with an access inventory. Identify the systems your business depends on and the accounts that create the most risk if compromised.

Prioritize:

Email and identity provider accounts.
Admin accounts and privileged roles.
Password manager accounts.
Finance, payroll, and billing tools.
Cloud storage and file sharing.
Developer, infrastructure, and production systems.
Customer data platforms and CRMs.

This creates a rollout sequence for your business that’s based on risk rather than convenience.

Step 2: Choose approved MFA methods

Decide which MFA methods your business will allow. For many teams, authenticator apps or passkeys may become the default, while hardware security keys are reserved for high-risk roles. SMS can remain a fallback where necessary, but should not be the preferred method for sensitive systems.

Document the decision clearly. Employees should know which methods are approved, which are discouraged, and what to do if they lose a device.

Step 3: Pilot before enforcing everywhere

Run a pilot with IT, operations, finance, leadership, or another group that can provide useful feedback. The goal is to test the setup process, support documentation, recovery flows, and policy settings before the rollout reaches the whole organization.

A pilot also helps identify where MFA prompts are too frequent, where employees need clearer instructions, and which systems require special handling.

Step 4: Enforce MFA for high-risk accounts first

Encouragement is not enough for critical systems. Once the pilot is complete, enforce MFA for the accounts that create the highest risk.

This includes admin accounts, email, identity systems, password managers, and financial tools. If these accounts remain optional, attackers may still find a path into the business.

The key is to enforce with support. Give employees advance notice, setup guides, office hours, and recovery instructions. Enforcement works best when people aren’t surprised by it.

Step 5: Expand to the rest of the organization

After high-risk accounts are protected, expand MFA to remaining business tools. This can happen by department, tool category, or risk level.

Track adoption as you go:

Which accounts have MFA enabled?
Which employees haven’t enrolled?
Which systems still allow password-only access?
Which exceptions are open, and who owns them?

A business password manager can support this process by giving teams visibility into which accounts already have MFA enabled and which still need stronger authentication.

This is where many rollouts stagger or fail. MFA needs ongoing governance after the rollout date.

Step 6: Review exceptions and recovery paths

Every exception should have an owner, reason, and expiration date. If MFA cannot be enabled for a tool, document why and decide whether a compensating control is needed.

Recovery also deserves regular review. Backup codes, account recovery flows, admin overrides, and device resets can become weak points if they are not controlled. MFA implementation should make recovery safe, not simply convenient.

How Proton Pass for Business makes MFA manageable

MFA rollout becomes easier when credential management is already controlled. If passwords are reused, shared informally, stored in browsers, or scattered across spreadsheets, MFA becomes harder to enforce consistently.

A business password manager like Proton Pass for Business helps by doing more than strengthening the password layer. It can also support the second factor directly. The built-in 2FA support means teams can store TOTP codes securely and use the password manager itself as the MFA device, which makes stronger authentication easier to adopt and easier to share securely where appropriate. Employees can generate strong, unique passwords, store them in encrypted vaults, autofill logins, use built-in 2FA support for TOTP codes, and manage passkeys where supported.

This also improves visibility. Administrators need to know not only whether employees have strong passwords, but also which accounts already have 2FA enabled and which still rely on password-only access. Proton Pass can help IT admins surface that information, making MFA adoption easier to track across the organization.

Passkeys are also a key consideration. As businesses move toward stronger, phishing-resistant authentication, a password manager that supports passkeys like Proton Pass helps teams manage both traditional MFA flows and newer passwordless methods in one place. That makes rollout more practical in mixed environments where some systems still use passwords and TOTP, while others are ready for passkeys.

For IT teams, Proton Pass for Business supports centralized management, policies, secure sharing, and visibility through reporting and logs. That makes MFA more operationally realistic because teams can reduce password sprawl while also making stronger authentication easier to deploy and govern across the organization.

A business password manager doesn’t replace MFA. It makes MFA much easier to implement because it strengthens the first factor, supports the second, and gives the business a more manageable path toward stronger authentication overall.

A journalist’s safety guide to the 2026 FIFA World Cup

Proton Team — Tue, 09 Jun 2026 18:05:07 GMT

Three countries and 16 cities are slated to host the 23rd FIFA World Cup this June. The event, which will be held in the United States, Mexico, and Canada, is expected to bring in more than 5 million fans from around the world, including an estimated 50,000 journalists.

Large crowds and global security threats like cyber, drone, or mass-casualty attacks pose risks to reporters and fans at all locations. In the US, travel bans and increased ICE activity should also be considered. If you are a journalist or media professional covering the 2026 FIFA World Cup, there are ways to ensure your safety as you travel through the event’s host cities.

Proton has assembled a guide to assist journalists navigate the World Cup safely. The tips below can help protect journalists and media against security threats while reporting from the ground at the World Cup.

Reporting from the United States

11 cities in the United States are hosting FIFA World Cup games in 2026, including Atlanta, Boston, Dallas, Houston, Kansas City, Los Angeles, Miami, New York, Philadelphia, San Francisco, and Seattle.

According to The Athletic, the Federal Emergency Management Agency granted $625 million in security funding toward those 11 US cities for operational exercises, staff background checks, and cybersecurity defense.

Travel restrictions and border crossings

Given the location, size, and scope of the World Cup, journalists traveling from outside the US should consider the risks when entering the country. In 2025, the Trump Administration announced a travel ban for citizens of Afghanistan, Myanmar, Chad, Republic of Congo, Guinea, Eritrea, Haiti, Iran, Libya, Somalia, Sudan, and Yemen. There are partial restrictions for residents of Burundi, Cuba, Laos, Sierra Leone, Togo, Turkmenistan, and Venezuela.

According to the Committee to Protect Journalists, border agents in the US “maintain broad discretionary authority to implement travel restrictions.” Additionally, “increased vetting, inconsistent enforcement, and sudden policy changes suggest an unpredictable environment,” in which traveling journalists should prepare.

Media personnel can anticipate being questioned at the border by Customs and Border Protection (CBP), especially if journalists represent a country on the travel ban list or have a history of covering politically sensitive issues. Journalists with dual citizenship from a country on the travel ban list should use the passport of their nation that does not appear on the banned list.

Protecting your devices and data

Precautions should be taken to encrypt or back up sensitive or personal information on electronic devices, as CBP does not need a warrant or probable cause to search your person or electronics. To protect your personal data and ensure it isn’t copied or stored by CBP, journalists should:

Use strong passwords and store them in a password manager like Proton Pass.
Use an end-to-end encrypted email service like Proton Mail so messages can’t be surveilled.
Employ email aliases so your personal or work email isn’t exposed.
Enable two-factor authentication so CBP can’t access your accounts.
Back up sensitive information on a cloud storage service like Proton Drive, so privileged documents don’t live on your phone or electronic devices.
Make social media accounts private and/or delete any apps that may be subject to search.

Legal resources for journalists

If a legal concern should arise during your coverage of the FIFA World Cup, journalists can call the Reporters Committee for Freedom of the Press legal hotline at 1-800-336-4243.

Media members can also text CPJ’s chatbot for assistance using the number 1-206-590-6191 or email the committee at emergencies@cpj.org.

If you are denied entry into the country or into the World Cup, are facing detention or arrest, have been assaulted, or had equipment damaged, you can file a report using the U.S. Press Freedom Tracker.

General safety tips for all host cities

Whether reporting from the United States, Mexico, or Canada, you should familiarize yourself with the country’s local laws. Before heading to your destination, research the location and have an exit strategy should an emergency arise.

Have an emergency contact on standby, work in pairs whenever possible, and designate meet-up locations ahead of time should cell service or Wi-Fi go down. Identify exits, medical tents, rideshare drop off and pickup locations and media areas before arrival.

Proton for journalists and newsrooms

To counter unprecedented threats toward journalists, Proton offers discounts on Proton for Business to news media. Protect your emails, contacts, documents, sources, and other sensitive data with end-to-end encryption, so your team can work safely no matter where they are.

Proton has been committed to press freedom for more than 10 years. Learn more about how Proton protects journalists and get Proton for your newsroom today.

Cybersecurity compliance 101: What small businesses need to know

Alanna Alexander — Tue, 09 Jun 2026 17:34:04 GMT

You’ve likely experienced this scenario: You’re in the final stages of a deal with a promising enterprise client. The contract is ready, the price is agreed upon, and then the conversation stalls.

The reason? They asked for your cybersecurity compliance documentation, and you couldn’t provide it.

It’s a frustrating moment. It’s understandable to feel that cybersecurity compliance is a game for large corporations with dedicated security teams and massive budgets. For a growing startup or a small business, it can feel like an overwhelming administrative burden.

The good news is that there are simple ways to prove you take data protection seriously.

This guide breaks down what compliance actually means for your business, the key frameworks you’ll encounter, and how to get started without needing a team of IT experts.

What is cybersecurity compliance?

Cybersecurity compliance is how you prove you are protecting sensitive data according to recognized standards. It’s not just about having the right tools; it’s about having the right processes and the documentation to back them up.

Think of it as your business’s “report card” for security. It shows prospects and partners that you have rules in place, you follow them, and you can prove it.

It’s not optional. Regulations like GDPR and HIPAA carry real legal weight. Fines, lawsuits, and operational restrictions are all on the table. And cybersecurity threats aren’t theoretical. Four in five small businesses have suffered a recent data breach.

The risks of data non-compliance

Skipping compliance might seem like a way to save time and money, but it’s a short-sighted gamble. The fallout hits in three critical areas:

Financial penalties: A single GDPR violation can cost millions. For a small business, even a mid-range fine can mean layoffs, frozen growth, or closure.
Operational disruption: A breach takes systems offline for weeks. Your staff gets pulled from revenue-generating work to manage the crisis. Recovery costs can easily exceed $1 million when you factor in downtime, legal fees, and lost contracts.
Reputation damage: Customers who trusted you with their data may not give you a second chance. In tight-knit industries, word travels fast. A compliance failure doesn’t just hurt your brand; it can shrink your sales pipeline for years.

Key cybersecurity frameworks every business should know

These are the standards your customers, regulators, and enterprise partners will likely ask about.

GDPR (General Data Protection Regulation)

If you have even one customer in the European Union, or if you collect email addresses from EU visitors on your website, GDPR applies to you—regardless of where your company is based. Non-compliance can result in fines of up to €20 million or 4% of your annual global revenue, whichever is higher.

What it means: You must be transparent about how you collect and use data. You must give people the right to access, correct, or delete their information.

HIPAA (Health Insurance Portability and Accountability Act)

Are you a SaaS company serving a US healthcare provider? Or perhaps a clinic managing appointments? The moment patient data touches your systems, HIPAA applies.Penalties range from thousands to millions of dollars, depending on the severity and whether negligence was involved

What it means: You need strict safeguards like data encryption, controlled access, and clear procedures for reporting breaches.

NIS2 (Network and Information Security Directive)

This is an EU directive strengthening cybersecurity in essential sectors like energy, transport, and digital infrastructure.Even if you aren’t directly regulated, your enterprise customers may require you to meet NIS2 standards as part of their vendor checks.

What it means: It requires risk management practices and strict incident reporting.

ISO 27001 & SOC 2

These are international standards that evaluate how you manage and protect data. The stakes: For enterprise clients, having ISO 27001 certification or a SOC 2 report is a massive trust signal. It tells them, “We have been audited by independent experts, and our security is solid.”

What it means: You need to implement documented security controls, submit to independent audits, and maintain that certification on an ongoing basis.

How to get started with compliance in cybersecurity

Compliance can feel like a long list of boxes to check, but the basics come down to five practical steps.

Map out what data you have, where it lives, and who has access. You might be surprised to find a customer list saved on a contractor’s personal Dropbox or a shared spreadsheet with sensitive info that anyone can edit.
Write down your policies. Who can access what? How do you report a breach? How do you dispose of old data? If it isn’t written down, it doesn’t exist. Keep these documents clear, current, and ensure your team actually follows them.
Give your team a business password manager. It generates strong credentials, stores them securely, and makes good habits the default. It removes the friction of remembering complex passwords.
Use a business VPN. It encrypts all your team’s internet traffic, ensuring data stays protected no matter where they log in. This is a straightforward way to meet network security requirements for almost every major framework.
Assign a specific person (even if it’s part of their role) to be accountable for your compliance posture. They should track regulatory changes, keep documentation updated, and ensure leadership stays informed.

How to stay compliant with cybersecurity regulations

Regulations change, your team grows, and the tools you use evolve. That’s why requires ongoing attention.

Review policies regularly: Conduct quarterly reviews to ensure your documentation reflects how you actually work.
Monitor for exposure: Don’t wait for a breach to find out your credentials leaked. Use tools that monitor the dark web and alert you if your company data appears in a breach.
Conduct internal audits: Test your controls before an auditor does. Find the gaps yourself — it’s always cheaper than having them exposed externally.
Train your team: Policies only work if people follow them. Short, practical training on phishing and data handling keeps security habits sharp.
Use tools that enable good security: Compliance is easier when security is the default. Choose tools that encrypt your business data, give you granular control over access, and flag risks like weak passwords automatically.

Make cybersecurity compliance a part of BAU

Compliance doesn’t have to be a scramble. With the right tools, it becomes part of how your business operates, giving you concrete answers to security questionnaires and audits.

Proton Pass and Proton VPN are built for this. Setup takes minutes, and you don’t need an IT team to manage them.

Proton VPN encrypts all company network traffic and restricts access to approved devices, meeting strict network security requirements.
Proton Pass lets you enforce two-factor authentication, manage credentials securely, and pull activity logs directly from the admin panel for audits. When a new hire joins, you can provision access in clicks; when someone leaves, you revoke it instantly.

You also get to leverage our compliance for yours. When enterprise clients ask about the security of the software you use, you can point to our credentials.

Proton is ISO 27001-certified and SOC 2 Type II-verified, based in Switzerland, and fully open-source. This gives you verifiable, third-party proof that your data is protected by the highest global standards.

Proton for Business gives you the tools you need not just to start your compliance journey, but to maintain it long term.