Zero Trust in Europe: Special Considerations in an Evolving Regulatory Climate

In this blog we explore some of the special regulatory considerations organisations should understand when adopting a Zero Trust strategy in Europe.

As enterprise technology ecosystems evolve to include a growing number of cloud resources, mobile and employee-owned devices, and digital business processes, the traditional approaches to securing them no longer apply.

In today’s world, we cannot assume that networks have an “inside”—where all users and traffic can be trusted—and an “outside.” Nor can we assume that there’s a clear border between the two that can readily be policed. 

This evolution is taking place all over the world. As it proceeds, Zero Trust is increasingly becoming a global standard.

As a model for securing today’s borderless networks and distributed users, assets and IT resources, it has been championed by the National Institute of Standards and Technology in the U.S., with the White House issuing an Executive Order requiring the country’s government agencies to begin implementing Zero Trust architectures while making the move to the cloud. 

Closer to home, the National Cyber Security Council (NCSC) is advocating Zero Trust adoption in the UK and has published the following guidance for Zero Trust architecture and design principles.

Zero Trust adoption continues to grow

While North America leads the way in Zero Trust adoption, with projects and initiatives in this area having grown 275% from 2019 to 2020, European companies are not far behind. 

Our latest State of Zero Trust report revealed that 45% of EMEA organisations currently have a defined Zero Trust initiative in 2022 (24% more than in 2021). It also showed that 53% of organisations are planning to start implementing Zero Trust within the next 12 to 18 months.

This increase in adoption makes sense. As many as 40% of European employees began working remotely during the pandemic, and many will continue to do so for the foreseeable future. In addition, IDC Research forecasts that most large European organisations will be incentivised to generate at least 40% of their revenue from digital products and services by 2025. 

This will require a much greater focus on securing modern, digitally-transforming IT environments by implementing a security model that’s more robust and comprehensive because it’s based on the “never trust, always verify” principle.

Putting Zero Trust into practice can be challenging. It may require the implementation of new tools or technologies, or a pivot to reconfigure or reimagine how you’re using what’s already in place. As business ecosystems become increasingly distributed, there’s less and less direct management control. This means that identity proofing and ensuring that you’ve implemented right access controls becomes more and more important to your organisation’s overall risk posture.

Figuring out how to ensure (and continually assess) that the right people, have the correct level of access to resources, both at the right time and within the right context can be complex enough. Doing so in a way  that avoids introducing unnecessary friction into the end user’s login experience or permitting potentially risky authentications, is difficult for any organisation anywhere in the world. 

However, some of the strategies commonly employed to facilitate the move to Zero Trust can be particularly problematic in a European context. The enormous diversity of laws, geographies and cultures that exist across the continent may demand particular planning to ensure that your security strategy can work across all of them.

Here are a few potential roadblocks to Zero Trust adoption that we’ve seen arise within European companies, as well as our suggestions on overcoming them:

Implementing Analytics and Monitoring or Session Recording to Enhance Visibility

In countries like France, the Netherlands, Germany and Switzerland, it’s common for companies to have stakeholder-driven models of governance in which members of workers’ councils have significant numbers of seats on corporate supervisory boards and considerable amounts of managerial authority. Often, the idea of monitoring employees’ on-the-job activities isn’t well received by these councils.

Technology leaders who are planning to implement Security Information and Event Management (SIEM) analytics and monitoring capabilities within Zero Trust reference architectures will need to be specific about which use cases they’re planning to apply this technology to. They’ll need to be prepared to explain how they’re going to implement these use cases, what data they will be collecting and how the implementation will be compliant with the General Data Protection Regulation (GDPR) and other privacy protections. It’s critical to safeguard employees’ privacy and to clarify which protections are in place to the workers’ councils so that they don’t feel that the odds are stacked in management’s favour.

Stakeholders have successfully highlighted the benefits of security monitoring—and the collection of related analytics data—for workers. When security teams can accurately identify that an external attacker has compromised an employee’s account, they can prove that that employee wasn’t at fault in any ensuing incidents that might occur. In this sense, continuous monitoring can actually provide a powerful protection for workers. It’s important that it be presented to councils in this light.

International Data Transfers

By nature, the management and governance of international data transfers is far more complex in the E.U. than it is in the U.S., where there’s a single legal and regulatory framework that’s relevant for all entities. Europe is a complex and fragmented landscape when it comes to compliance, where organisations must navigate both regional and industry specific regulations.

Here are just a few of the regulations you need to be familiar with when it comes to data transfers:

• General Data Protection Regulations (GDPR) - A regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
• EU Cloud Code of Conduct (EU CoC) - Harmonises GDPR compliance across the entire cloud industry.
• Payment Services Directive (PSD2) - Legislation designed to force payment services providers to improve customer authentication processes.
• Trusted Information Security Assessment Exchange (TISAX) - Governed by the ENX Association on behalf of the German VDA to provide industry-specific framework for assessing information security.
• Digital Operational Resilience Act (DORA) - A regulatory framework on digital operational resilience whereby all firms ensure they can withstand, respond and recover from IT related disruptions and threats.

It’s also important to think about the data storage and transfer practices of your partners and vendors, including Software-as-a-Service (SaaS) providers. A recent enforcement action by the independent French regulatory authority CNIL, ordering a website operator to remove Google Analytics from its systems to stop data from being transferred to the U.S., highlights European regulators’ increasing intent to take the Schrems II judgment regarding the Privacy Shield seriously. E.U. regulation continues to adapt, and stakeholders should attend to future developments with care.

Encryption and Cryptographic Asset Use

The encryption of data at rest and in transit is currently allowed within the European economic area. It remains, however, the subject of debate between government officials and law enforcement authorities. On the one hand, encryption is viewed as an essential privacy protection that’s important for the functioning of open societies and markets; on the other, it’s seen as an obstacle to law enforcement that inhibits the ability to counter terrorism.

Right now, there are countries within the EMEA region that enforce rules and regulations about handing over cryptographic assets like keys and certificates to law enforcement upon request. However, there are pressures within the E.U. to enact similar legislation. A proposal published by the E.U.’s executive body in May 2022, for instance, requires plain-text access to email, text and social media messaging to stop the distribution of child abuse materials. This proposed regulation has sparked privacy concerns, but further movement in this direction remains possible. Stakeholders should remain cognisant of changing regulations.

Implementing an identity-based Zero Trust framework is certainly possible for European companies or those doing business in E.U. member states. Doing so will bring an array of benefits, including meaningful risk reduction and enhanced employee experience. But because of the complexities involved, it may make sense to collaborate with an identity partner who has extensive experience in this area.
 

For more information on how Zero Trust adoption is transforming industries and security worldwide, read our latest State of Zero Trust Report.

To discover how you can start your Zero Trust journey with Identity, read our eBook.