Zero trust architecture

A zero trust architecture is a security model that grants no implicit trust to any user, device or service and continuously authenticates, authorises and inspects every access request, regardless of its location.

Zero trust architecture (ZTA) breaks with the traditional perimeter security model, which treats everything inside the corporate network as trustworthy and everything outside it as untrustworthy. Instead, its guiding principle is "never trust, always verify": there is no implicit trust based on network membership, IP address or location. Every single request to access data, applications or systems is treated as if it originated from an untrusted network and must be explicitly verified before access is granted.

At the core of the model is continuous verification based on as many signals as possible: the identity of the user and the device (typically through multi-factor authentication), device health and compliance, location, the sensitivity of the requested resource and behaviour-based risk scoring. Access decisions are made dynamically and in context, and enforced at a central policy decision point. Complementary principles include least privilege, fine-grained micro-segmentation of the network as well as comprehensive logging and monitoring of all access.

For information security, zero trust is not a single product but a strategic architecture implemented through identity and access management, endpoint security, network segmentation and monitoring. Internationally, the NIST framework SP 800-207 serves as the authoritative reference, and the German BSI incorporates zero trust principles into its recommendations. In the context of the NIS2 directive and the IT-Grundschutz baseline, zero trust underpins key requirements for access control, authentication and the management of cyber risks, thereby supporting the legally required technical and organisational measures.

Legal Basis

NIST SP 800-207 (Zero Trust Architecture); Art. 21 NIS2 Directive (EU) 2022/2555 (risk management measures, including access control and MFA); BSI IT-Grundschutz; ISO/IEC 27001 (Annex A, access control)

Practical Example

An organisation classified as an essential entity under NIS2 wants to secure remote access for its employees and external service providers. Instead of a classic VPN that grants broad network access after a successful login, the information security officer introduces a zero trust approach: every access to an application requires multi-factor authentication, device health is checked before each session, and access rights are granted per application following the least privilege principle. Suspicious sign-in patterns automatically trigger re-verification or a block. This makes it possible to demonstrate that the access control measures required under Art. 21 NIS2 are effectively implemented.
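The policy decision point described above, evaluating the signals the text lists (MFA, device health, location, resource sensitivity, risk score, per-application entitlements) for each request, as an added illustration that is not part of the original page; the signal values, risk thresholds and application names are constructed for the example.

```python
from dataclasses import dataclass

# Resource sensitivity levels (constructed for the example).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool          # identity signal: MFA completed for this session
    device_compliant: bool      # device health / compliance check before the session
    known_location: bool        # location signal
    resource: str               # application being requested
    resource_sensitivity: str   # key of SENSITIVITY
    risk_score: int             # 0..100, hypothetical behaviour-based risk score
    entitlements: frozenset     # per-application grants (least privilege)


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (re-verification) or 'deny' for one request.

    Every request is evaluated on its own; network membership or source IP
    is deliberately not an input, so a breached perimeter changes nothing.
    """
    # Least privilege: no entitlement for this application means deny outright.
    if req.resource not in req.entitlements:
        return "deny"
    # Device health is checked before each session, not once at VPN login.
    if not req.device_compliant:
        return "deny"
    # Identity: multi-factor authentication is required for every application.
    if not req.mfa_verified:
        return "step_up"
    level = SENSITIVITY[req.resource_sensitivity]
    # Hypothetical thresholds: high risk blocks, elevated risk or an unknown
    # location on a sensitive resource triggers re-verification.
    if req.risk_score >= 80:
        return "deny"
    if req.risk_score >= 50 or (level >= 2 and not req.known_location):
        return "step_up"
    return "allow"


def audit_line(req: AccessRequest) -> str:
    """Log every decision (the monitoring principle), never only the denials."""
    return f"user={req.user} resource={req.resource} risk={req.risk_score} decision={decide(req)}"


if __name__ == "__main__":
    ok = AccessRequest("alice", True, True, True, "hr-portal", "confidential", 10, frozenset({"hr-portal"}))
    print(audit_line(ok))
```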

FAQ

The perimeter model trusts everything inside the corporate network and protects only the outer boundary. Zero trust assumes no implicit trust and re-verifies every individual request regardless of its location. This keeps protection effective even when attackers have already breached the perimeter.

No, zero trust is a security architecture rather than a single product. It is implemented through the interplay of identity and access management, multi-factor authentication, endpoint security, network segmentation as well as logging and monitoring.

Yes. Zero trust addresses several of the risk management measures required under Art. 21 NIS2, in particular access control, multi-factor authentication and the principle of least privilege. However, it is only one building block of a comprehensive information security management system.