Education — Canvas/Instructure breach and EU/CH GDPR exposure

Canvas LMS serves Swiss federal universities (ETH, EPFL), cantonal university systems, and major EU higher-education institutions. The ShinyHunters double-intrusion and ransom payment create ongoing GDPR Art. 33/34 notification exposure for all EU institutions that deployed Canvas and received student-data-scope notifications from Instructure. The US House investigation deadline (2026-05-21) is a political milestone; the regulatory follow-up from EU supervisory authorities (Germany, Austria, Switzerland) is the operationally relevant compliance risk for this audience.