Glossary term
Zero Trust
Also: Zero-Trust Architecture, ZTA
A security model built on the principle that no user, device or network location is trusted by default. Access is continuously verified against identity, device posture, context and policy, regardless of whether the request comes from inside or outside the corporate network.
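The following is an added example, not code from the glossary or from any vendor product, showing what "verified against identity, device posture, context and policy" looks like as a policy decision point. The resource policy, the users, devices and thresholds are all constructed for illustration; the point is that the `network` field is recorded but never used to grant access, so a request from the corporate LAN on an unmanaged laptop is refused while a remote request from a compliant device is allowed.

```python
"""Illustrative Zero Trust policy decision point (added example, not from the page).

Every request is evaluated on identity, device posture and context against a
per-resource policy. Network location is just another signal; it never grants
access on its own. Re-running evaluate() on each request gives the
"continuous verification" the model calls for.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    subject: str
    authenticated: bool
    mfa: bool                   # strong second factor completed this session
    groups: FrozenSet[str]


@dataclass(frozen=True)
class DevicePosture:
    managed: bool               # enrolled in the device-management system
    disk_encrypted: bool
    days_since_patch: int


@dataclass(frozen=True)
class Context:
    network: str                # "corporate" or "internet"; logged, never trusted
    country: str


@dataclass(frozen=True)
class ResourcePolicy:
    name: str
    allowed_groups: FrozenSet[str]
    require_mfa: bool
    require_managed_device: bool
    max_patch_age_days: int
    allowed_countries: FrozenSet[str]   # empty set means any country


Decision = Tuple[str, List[str]]    # ("allow" | "deny" | "step_up", reasons)


def evaluate(identity: Identity, device: DevicePosture,
             ctx: Context, policy: ResourcePolicy) -> Decision:
    """Evaluate one request. Deny reasons are collected so the audit log
    explains the decision; a step-up is only offered once everything else passes."""
    if not identity.authenticated:
        return "deny", ["unauthenticated"]
    reasons: List[str] = []
    if not identity.groups & policy.allowed_groups:
        reasons.append("subject not in an allowed group")
    if policy.require_managed_device and not device.managed:
        reasons.append("device not managed")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if device.days_since_patch > policy.max_patch_age_days:
        reasons.append(f"patch age {device.days_since_patch}d exceeds "
                       f"{policy.max_patch_age_days}d")
    if policy.allowed_countries and ctx.country not in policy.allowed_countries:
        reasons.append(f"country {ctx.country} not allowed")
    if reasons:
        return "deny", reasons
    if policy.require_mfa and not identity.mfa:
        return "step_up", ["MFA required for this resource"]
    return "allow", ["all checks passed"]


# Constructed sample policy: a payroll application restricted to HR staff.
PAYROLL = ResourcePolicy("hr-payroll", frozenset({"hr"}), require_mfa=True,
                         require_managed_device=True, max_patch_age_days=30,
                         allowed_countries=frozenset({"DE", "NL"}))


def sample_decisions() -> Dict[str, Decision]:
    """Constructed scenarios; each key names the situation being tested."""
    alice = Identity("alice", True, True, frozenset({"hr"}))
    alice_no_mfa = Identity("alice", True, False, frozenset({"hr"}))
    bob = Identity("bob", True, True, frozenset({"engineering"}))
    good_laptop = DevicePosture(True, True, 5)
    stale_laptop = DevicePosture(True, True, 45)     # same user, posture drifted
    byod = DevicePosture(False, False, 0)
    office = Context("corporate", "DE")
    home = Context("internet", "NL")
    abroad = Context("internet", "US")
    return {
        "remote_compliant": evaluate(alice, good_laptop, home, PAYROLL),
        "office_byod": evaluate(alice, byod, office, PAYROLL),
        "office_wrong_group": evaluate(bob, good_laptop, office, PAYROLL),
        "remote_no_mfa": evaluate(alice_no_mfa, good_laptop, home, PAYROLL),
        "posture_drift": evaluate(alice, stale_laptop, home, PAYROLL),
        "geo": evaluate(alice, good_laptop, abroad, PAYROLL),
    }


if __name__ == "__main__":
    for scenario, (verdict, why) in sample_decisions().items():
        print(f"{scenario:20s} {verdict:8s} {'; '.join(why)}")
```

The "posture_drift" scenario is the one that distinguishes Zero Trust from a perimeter model: the same user on the same session is refused as soon as the device falls out of patch compliance, because the decision is re-derived per request rather than cached at login.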
Zero Trust is a model, not a product. It is composed of capabilities across IAM, device management, network segmentation, data protection and continuous monitoring. Vendors selling Zero Trust typically cover one or two layers; no single product delivers it end to end.
The practical question in a Zero Trust decision is sequencing. Most programmes start with identity and device, move to network (ZTNA replacing VPN) and finish with data and workload controls. The memo should name the stage, the target state and the criteria for moving on, not treat Zero Trust as a single binary.
Regulatory context: NIS2 Art. 21 and DORA Art. 9 do not name Zero Trust, but their access-control and least-privilege expectations align closely with it. A Zero Trust programme can therefore serve as the operating model that maps onto these articles.
Related terms
IAM (Identity and Access Management)
The stack of systems that governs who has access to which systems under which conditions. IAM covers…
Sovereign cloud
A cloud deployment model that guarantees operational, legal and technical control of data and worklo…
Compliance mapping
The explicit link between a decision (vendor, architecture, control) and the specific regulatory art…
AI Act Conformity Assessment
Procedure to demonstrate that a high-risk AI system complies with the EU AI Act before being placed …
AI Act Risk Categories
Four-tier classification under the EU AI Act: prohibited (Art. 5), high-risk (Annex I/III), limited …
Audit-ready decision
A decision whose record is structured, evidence-backed and stakeholder-signed to a level that a thir…
BAIT
BaFin circular that concretises IT requirements for credit institutions. Specifies MaRisk AT 7.2 for…
BCM
Discipline for maintaining critical business processes during disruptions. Standards: ISO 22301, BSI…
