The basic concept of Zero Trust is to have no trust in users, devices or networks, but to assume that everything might already be compromised. Regardless of the starting point, every activity and every access is therefore checked and authorised. Risks from the takeover of user accounts or the misuse of maintenance access by service providers can thus be effectively countered. From a legal point of view, however, Zero Trust does not only bring advantages, but can also bear risks – especially with regard to data protection.
Legal advantages of Zero Trust
With the new European cybersecurity law, companies are faced with numerous new legal requirements for cybersecurity. Companies falling under the scope of the NIS‑2 Directive will have to take a multi-threat approach to ensuring the security of their information systems, using appropriate concepts and solutions. Recital 89 of the NIS‑2 Directive even refers to Zero Trust as a basic practice of cyber hygiene. It is therefore no surprise that Zero Trust can help with the implementation of the NIS‑2 Directive in the following areas, among others:
- Network security: Micro-segmentation is a key aspect of Zero Trust, restricting access to systems and services to increase security.
- Endpoint security: Endpoint Detection and Response (EDR) solutions monitor application and process behaviour on endpoints for continuous attack detection.
- User behaviour: Modern authentication systems detect irregular login activities such as “impossible” location changes when logging in and support dynamic authentication.
- Zero Trust Network Access (ZTNA): ZTNA products are secure gateways for applications that authenticate users, check security status and enable risk-based access.
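The "impossible" location change mentioned under user behaviour is usually detected by comparing consecutive logins of the same account: if the great-circle distance between the two login locations divided by the time between them exceeds any plausible travel speed, the second login is flagged for step-up authentication or investigation. The following is an added illustration, not code from the original article or from any particular product; the 900 km/h threshold, the login records and the coordinates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Fastest plausible ground/air travel between two logins (assumed threshold).
MAX_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime   # timezone-aware login timestamp
    lat: float     # geolocated source IP, degrees
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, earlier, later, speed_kmh) for each pair of consecutive
    logins by the same user that would require travelling faster than
    max_speed_kmh. Simultaneous logins from different places are reported
    with an infinite speed."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours <= 0:
                if dist > 0:
                    findings.append((user, prev, cur, float("inf")))
                continue
            speed = dist / hours
            if speed > max_speed_kmh:
                findings.append((user, prev, cur, speed))
    return findings


# Constructed sample: alice "moves" Berlin -> Sydney in 90 minutes (flagged),
# bob travels Berlin -> Munich in three hours (plausible).
T = lambda h, m: datetime(2024, 3, 1, h, m, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("alice", T(9, 0), 52.52, 13.405),
    Login("alice", T(10, 30), -33.87, 151.21),
    Login("bob", T(9, 0), 52.52, 13.405),
    Login("bob", T(12, 0), 48.14, 11.58),
]
```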
Zero Trust also brings multiple advantages in meeting the requirements of the planned Cyber Resilience Act (CRA) and the cybersecurity of products with digital elements. One example of this is the required control mechanisms for protection against unauthorised access.
Risk: Data protection with Zero Trust
Since Zero Trust approaches involve extensive analysis of network traffic and user behaviour, they also often process larger amounts of personal data than traditional cybersecurity measures. At the same time, the processing is often more fine-grained, which can pose additional data protection risks. To avoid data protection breaches, special attention must be paid to compliance when using Zero Trust solutions. In particular, controllers must ensure that there is a legal basis for the processing of personal data. Since there are numerous legal requirements for cybersecurity and cybersecurity in general has a high priority, companies can, to that extent, invoke, among other things, a legal obligation (Art. 6 (1) (c) GDPR) and a legitimate interest (Art. 6 (1) (f) GDPR). In the case of high risks for data subjects, a data protection impact assessment must be carried out in addition to the general data protection compliance measures.
Recommendations for companies
The use of Zero Trust in the company requires a clear strategy, which should in particular include the following:
- Examination and adaptation of the existing security architecture to the principles of Zero Trust;
- Consideration and implementation of the data protection requirements for Zero Trust;
- Harmonisation between different security measures and products used;
- Training of employees in the principles of Zero Trust and raising their awareness of data protection risks;
- Continuous monitoring, analysis of threats and adaptation of the security strategy to respond to new risks and implement new legal requirements.