I’m not a lawyer so take this with a grain of salt but AFAIK it really depends on the type of personal data you’re storing.
The GDPR makes a distinction between personal data (email, name, etc) and sensitive data (healthcare data, biometric data, etc).
Unless you’re storing sensitive data you don’t need to worry about having the upmost level of encryption and security throughout your infrastructure. If you’re just storing user emails nobody is going to check whether your storage is encrypted etc.
The data transfers between US-EU were forbidden because the US was not considered an adequeate country to safeguard personal data. This changed last year:
On 10 July the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework.