62. What measures should data processing service providers implement to prevent unlawful governmental access to or transfer of data?

Recital 102 of the Data Act explains that data processing service providers “should take all reasonable measures to prevent access to systems on which non-personal data are stored, including, where relevant, through the encryption of data, frequent submission to audits, verified adherence to relevant security reassurance certification schemes, and by the modification of corporate policies.” The Commission encourages the development, deployment, and regular update of these measures. The Commission may in the future decide to offer further guidance on this point to the competent authorities, following the advice of the European Data Innovation Board.