Zero Trust – What is to be considered in legal terms?

The basic concept of Zero Trust is to have no trust in users, devices or networks, but to assume that everything might already be compromised. Regardless of the starting point, every activity and every access is therefore checked and authorised. Risks from the takeover of user accounts or the misuse of maintenance access by service providers can thus be effectively countered. From a legal point of view, however, Zero Trust does not only bring advantages, but can also bear risks – especially with regard to data protection.

Legal advantages of Zero Trust

With the new European cybersecurity law, companies are faced with numerous new legal requirements for cybersecurity. Companies falling under the scope of the NIS‑2 Directive will have to take a multi-threat approach to ensuring the security of their information systems, using appropriate concepts and solutions. Recital 89 of the NIS‑2 Directive even refers to Zero Trust as a basic practice of cyber hygiene. It is therefore no surprise that Zero Trust can help with the implementation of the NIS‑2 Directive in the following areas, among others:

  • Network security: Micro-segmentation is a key aspect of Zero Trust, restricting access to systems and services to increase security.
  • Endpoint security: Endpoint Detection and Response (EDR) solutions monitor application and process behaviour on endpoints for continuous attack detection.
  • User behaviour: Modern authentication systems detect irregular login activities such as “impossible” location changes when logging in and support dynamic authentication.
  • Zero Trust Network Access (ZTNA): ZTNA products are secure gateways for applications that authenticate users, check security status and enable risk-based access.
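The “impossible” location change mentioned under user behaviour is usually detected as impossible travel: two logins by the same account whose distance and time gap imply a speed no traveller could reach. The following is an added illustration, not code from the original article or from any product it mentions; the speed threshold, the coordinates and the login records are constructed assumptions, and only the most recent login per user is retained, which keeps the location data processed to the minimum the check needs.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed; tune per policy


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, previous_login, current_login, implied_kmh) for every pair of
    consecutive logins of one user whose implied speed exceeds max_kmh."""
    findings = []
    last_seen = {}  # data minimisation: only the latest login per user is kept
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # zero time gap with a real distance is the extreme case: flag it
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                findings.append((ev.user, prev, ev, speed))
        last_seen[ev.user] = ev
    return findings


# Constructed sample: alice logs in twice in Zurich, then "from Sydney" 30 minutes later;
# bob logs in from Berlin and 12 hours later from New York (a plausible flight).
SAMPLE = [
    Login("alice", datetime(2024, 5, 1, 8, 0), 47.37, 8.54),
    Login("alice", datetime(2024, 5, 1, 9, 0), 47.38, 8.55),
    Login("alice", datetime(2024, 5, 1, 9, 30), -33.87, 151.21),
    Login("bob", datetime(2024, 5, 1, 8, 0), 52.52, 13.40),
    Login("bob", datetime(2024, 5, 1, 20, 0), 40.71, -74.01),
]

if __name__ == "__main__":
    for user, prev, cur, kmh in impossible_travel(SAMPLE):
        print(f"{user}: {prev.ts} -> {cur.ts} implies {kmh:,.0f} km/h")
```

A real deployment would feed such a finding into the dynamic authentication step (for example, requiring a second factor) rather than blocking outright, since VPN exits and mobile carrier geolocation produce false positives.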

Zero Trust also brings multiple advantages in meeting the requirements of the planned Cyber Resilience Act (CRA) and the cybersecurity of products with digital elements. One example of this is the required control mechanisms for protection against unauthorised access.

Risk: Data protection with Zero Trust

Sin­ce Zero Trust approa­ches invol­ve exten­si­ve ana­ly­sis of net­work traf­fic and user beha­viour, they also often pro­cess lar­ger amounts of per­so­nal data than tra­di­tio­nal cyber­se­cu­ri­ty mea­su­res. At the same time, pro­ces­sing is often more tight­ly mes­hed, which can pose addi­tio­nal data pro­tec­tion risks. To avo­id data pro­tec­tion brea­ches, spe­cial atten­ti­on must be paid to com­pli­ance when using Zero Trust solu­ti­ons. In par­ti­cu­lar, con­trol­lers must ensu­re that the­re is a legal basis for the pro­ces­sing of per­so­nal data. Sin­ce the­re are num­e­rous legal requi­re­ments for cyber­se­cu­ri­ty and cyber­se­cu­ri­ty in gene­ral has a high prio­ri­ty, com­pa­nies can inso­far invo­ke, among other things, a legal obli­ga­ti­on (Art. 6 (1) © GDPR) and a legi­ti­ma­te inte­rest (Art. 6 (1) (f) GDPR). In the case of high risks for data sub­jects, a data pro­tec­tion impact assess­ment must be car­ri­ed out in addi­ti­on to the gene­ral data pro­tec­tion com­pli­ance measures.

Recommendations for companies

The use of Zero Trust in the company requires a clear strategy, which should in particular include the following:

  1. Examination and adaptation of the existing security architecture to the principles of Zero Trust;
  2. Consideration and implementation of the data protection requirements for Zero Trust;
  3. Harmonisation between different security measures and products used;
  4. Training of employees in the principles of Zero Trust and raising their awareness of data protection risks;
  5. Continuous monitoring, analysis of threats and adaptation of the security strategy to respond to new risks and implement new legal requirements.
