An official from the European Commission is designing a new cybersecurity policy for an EU diplomatic mission in a high-risk country. The policy must comply with EU security principles and legal frameworks such as the General Data Protection Regulation (GDPR) and the NIS2 Directive. The official must ensure that the principles of 'privacy by design' and 'security by default' are correctly integrated into the software development lifecycle of a new secure collaboration application. Which of the following implementation strategies is most consistent with EU regulatory requirements and cybersecurity best practices to protect personal and sensitive EU data?