A digital officer at the European External Action Service (EEAS) is preparing a secure briefing for a High Representative's mission in a non-EU country. The briefing involves sensitive data that must be transmitted to a field office using a cloud-based collaboration tool. To ensure compliance with EU principles of data protection and the specific mandate of the EEAS to coordinate international action while safeguarding information, which of the following actions best aligns with the core requirements for handling sensitive external action data in a cloud environment? 1) Relying on the cloud provider's standard Terms of Service for data encryption without a specific Data Processing Agreement (DPA); 2) Encrypting the data before uploading it to the cloud service and verifying that the cloud provider is GDPR-compliant and bound by a DPA; 3) Using a public file-sharing link with a simple password to ensure accessibility for all mission members; 4) Storing the unencrypted data on a local server to avoid cloud risks, even if it hinders real-time collaboration; 5) Sharing the data via a standard email attachment to a broad distribution list to ensure no one is excluded.