OK, be that as it may, in IT stuff, the question often becomes "Who is responsible?". If a state or its institutions violate the law, at least no one can blame you for GDPR violations, which you did not commit.
The GDPR largely came about as a response to the Snowden revelations of pervasive surveillance of netizens globally, and it says you need to protect PI from non-EU state actors. So you're possibly right as far as EU state adversaries go, but for defending against foreign state actors it's different.