As a EU cybersecurity expert, you are drafting an internal policy for an international collaborative project that involves the exchange of citizen data between a Union delegation in a third country and Brussels institutions. The project uses a cloud service provider based outside the European Union for storing and processing sensitive data. Based on the EU's digital security framework and data protection principles, what is the fundamental requirement that must be implemented before transferring any personal data to this non-European provider to ensure compliance with the GDPR and Commission security guidelines?