Zero Trust: The Unified Security Standard of NIS2, DORA, CISA, and SAMA


Key Takeaways

  • Regulators worldwide—EU, US, Middle East, UK, and Asia‑Pacific—have independently arrived at the same technical requirements despite different legal frameworks.
  • The common thread is an identity‑centric, continuously verified architecture that enforces least privilege, segmentation, encryption, monitoring, and supply‑chain risk management.
  • These requirements map directly onto the pillars of Zero Trust Architecture (ZTA), making ZTA the de‑facto architectural standard for modern cybersecurity regulation.
  • A mature ZTA generates much of the compliance evidence regulators demand as a by‑product of normal operation, reducing the need for separate, parallel compliance programs.
  • Governance obligations (board accountability, training, data‑subject rights, etc.) remain essential and sit above the architectural layer; ZTA does not replace them but provides a uniform foundation to satisfy diverse jurisdictional demands.

Global Regulatory Convergence on Zero Trust

Although European, American, Middle Eastern, and Asia‑Pacific regulators acted independently, responding to local threat landscapes and sector‑specific priorities, they have converged on an identical set of technical expectations. This alignment was not the result of a coordinated treaty but rather a shared diagnosis of how modern systems fail: identity‑driven attacks, lateral movement, supply‑chain exposure, and the obsolescence of traditional perimeter defenses. Consequently, disparate regulations now point to a single architectural model—Zero Trust Architecture—as the foundation for resilience.


Core Architectural Themes Emerging from the Regulations

Across the surveyed frameworks, six recurring themes dominate:

  1. Identity‑centric access control – every request must be authenticated and authorized based on verified identity and contextual attributes.
  2. Continuous monitoring and verification – trust is never static; systems must constantly re‑evaluate device health, user behavior, and risk signals.
  3. Network segmentation and containment – micro‑perimeters limit blast radius and prevent adversaries from moving laterally.
  4. Encryption and cryptographic protection – data at rest, in transit, and in use must be shielded with strong cryptography.
  5. Incident detection, response, and recovery – rapid observation, automated containment, and tested recovery processes are mandatory.
  6. Supply‑chain and third‑party risk management – external connections inherit the same verification rigor as internal assets.

These are not prescriptions for specific products; they describe the architectural capabilities an organization must possess to meet regulatory intent.


NIS2 and Systemic Cyber Resilience

The EU’s Network and Information Security Directive 2 (NIS2) applies to essential and important entities and mandates a baseline of cybersecurity risk‑management measures—risk analysis, incident handling, business continuity, supply‑chain security, vulnerability management, cryptography, access control, and multi‑factor authentication. While expressed in regulatory language, these obligations presuppose an architecture capable of enforcing least privilege, segmenting systems, continuously monitoring activity, and containing incidents when they occur. Zero Trust Architecture was explicitly designed to deliver exactly this operating model, making NIS2 compliance a natural outcome of a ZTA implementation.


DORA and Continuous Operational Resilience

The Digital Operational Resilience Act (DORA) targets the financial sector, requiring continuous ICT risk monitoring, anomaly detection, incident classification and reporting, business‑continuity testing, and rigorous third‑party ICT oversight. To satisfy DORA, firms must map their ICT environments, monitor access and system behavior in real time, and maintain tested containment and recovery mechanisms. These expectations line up with Zero Trust’s pillars of continuous verification, segmentation, and observability, providing financial institutions with a single architectural pathway to meet DORA’s demanding resilience criteria.


GDPR and Data Protection by Design

Under the General Data Protection Regulation, the principle of data protection by design and by default obliges organizations to embed technical controls—access limitation, encryption, and auditable data access—directly into system architecture. Zero Trust Architecture satisfies this mandate by making every data request subject to identity‑based authorization and generating immutable audit trails for each interaction. While higher‑order decisions such as data minimisation and pseudonymisation reside above the architectural layer, ZTA is the mechanism that renders those policies enforceable and verifiable in practice.


The EU AI Act and Emerging Trust Boundaries

Starting August 2026, the EU AI Act imposes risk‑management, data‑governance, human‑oversight, and transparency requirements on high‑risk AI systems. Deploying AI in regulated contexts now forces organizations to extend trust boundaries to the AI models themselves, demanding architectural controls that govern identity, data flows, and access across AI pipelines. Zero Trust provides the structural model that regulators implicitly assume: a framework where every component—including AI workloads—is continuously verified, segmented, and monitored, thereby satisfying the AI Act’s nascent trust‑boundary expectations.


Global Adoption Beyond Europe

The convergence is not confined to the EU. In the United States, federal agencies must adopt Zero Trust Architecture in line with CISA’s Zero Trust Maturity Model, which explicitly addresses identity, devices, networks, applications, and data—a rare case where the term appears in a regulatory mandate. In the Gulf, Saudi Arabia’s National Cybersecurity Authority and the Central Bank (SAMA) require financial institutions to prove identity‑centric access controls and network segmentation, while the UAE’s updated cybersecurity rules levy heavy fines on entities handling personal data that fail to implement Zero Trust access controls. The United Kingdom’s forthcoming Cyber Security and Resilience Bill mirrors NIS2’s expectations. Across Asia‑Pacific, nations such as Singapore, Australia, India, Malaysia, and Vietnam are tightening cybersecurity rules around continuous verification, least privilege, monitoring, and incident detection. Independent regulators on four continents have thus arrived at the same architectural prescription.


Single Architecture versus Parallel Compliance Programs

Faced with overlapping mandates, many organizations default to building separate compliance silos: distinct gap analyses, control mappings, and evidence‑collection exercises for each regulation. This approach is costly, slow, and fragile, as any change in one framework can necessitate rework across multiple streams. Zero Trust Architecture offers an alternative: a unified technical foundation that simultaneously satisfies the core requirements of NIS2, DORA, GDPR, the AI Act, CISA’s directives, Gulf regulations, and numerous national statutes. One identity‑governance platform can address authentication mandates across regimes; a single segmentation strategy meets network‑security expectations everywhere; a unified monitoring and detection capability feeds incident reporting for all applicable laws. By architecting once, organizations avoid the inefficiency of parallel tracks.


The Overlooked Benefit: Compliance Evidence by Design

A mature Zero Trust system naturally produces much of the technical evidence regulators demand during audits. Access logs enriched with identity context, authentication events tied to device posture, segmentation enforcement logs, incident detection timestamps with full audit trails, and data‑access decisions recorded at every request are generated as part of routine operation. These artifacts are not special reports assembled for auditors; they are the by‑product of continuous verification and monitoring. Consequently, organizations with robust ZTA implementations spend considerably less time compiling compliance packages—they merely map existing data to the relevant regulatory framework, dramatically reducing the overhead of evidence collection.
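To make the two ideas above concrete, the six architectural themes and the notion of compliance evidence as a by-product, here is an added example (not code from the article or from Atos): a minimal policy decision point that evaluates every request against verified identity, MFA, device posture, group-based least privilege, source segment and a risk score, denies by default, and writes one audit record per decision. The policy table, request fields and sample requests are constructed assumptions for illustration, not a real product's schema.

```python
"""
Added example, not part of the original article. A deny-by-default Zero Trust
policy decision point (PDP). Every field of Request and every entry of POLICY
is an illustrative assumption; the sample requests in run_samples() are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class Request:
    user: str
    authenticated: bool      # identity verified by the identity provider
    mfa: bool                # strong authentication completed for this session
    groups: List[str]        # group / role membership asserted by the identity provider
    device_compliant: bool   # endpoint posture check passed (patch level, disk encryption, EDR)
    src_segment: str         # network segment the request originates from
    resource: str            # target system or data set
    risk_score: int          # 0 (low) .. 100 (high), from behavioural analytics


# Constructed policy: which groups may reach which resource, from which segments,
# and the maximum tolerated risk score. Anything not listed here is denied.
POLICY: Dict[str, dict] = {
    "payments-db": {"groups": {"finance-ops"}, "segments": {"corp-workstations", "finance-vdi"}, "max_risk": 40},
    "hr-records":  {"groups": {"hr"},          "segments": {"corp-workstations"},                "max_risk": 30},
}

# The audit trail is produced as a side effect of normal enforcement.
AUDIT_LOG: List[dict] = []


def decide(req: Request) -> dict:
    """Evaluate one request; return the decision record and append it to AUDIT_LOG."""
    reasons: List[str] = []
    rule = POLICY.get(req.resource)
    if rule is None:
        reasons.append("no policy for resource (default deny)")
    if not req.authenticated:
        reasons.append("identity not verified")
    if not req.mfa:
        reasons.append("MFA not completed")
    if not req.device_compliant:
        reasons.append("device posture non-compliant")
    if rule is not None:
        if not rule["groups"] & set(req.groups):
            reasons.append("least privilege: no group grants access")
        if req.src_segment not in rule["segments"]:
            reasons.append(f"segmentation: {req.src_segment} may not reach {req.resource}")
        if req.risk_score > rule["max_risk"]:
            reasons.append(f"risk score {req.risk_score} exceeds {rule['max_risk']}")
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "resource": req.resource,
        "src_segment": req.src_segment,
        "decision": "allow" if not reasons else "deny",
        "reasons": reasons,
        "controls_checked": ["identity", "mfa", "device_posture", "least_privilege", "segmentation", "risk"],
    }
    AUDIT_LOG.append(record)
    return record


def evidence_summary(log: List[dict]) -> Dict[str, int]:
    """Roll the audit log up into the kind of counts an auditor typically asks for."""
    return {
        "requests_evaluated": len(log),
        "allowed": sum(1 for r in log if r["decision"] == "allow"),
        "denied": sum(1 for r in log if r["decision"] == "deny"),
        "denied_for_segmentation": sum(
            1 for r in log if any(x.startswith("segmentation") for x in r["reasons"])
        ),
    }


def run_samples() -> Dict[str, int]:
    """Run four constructed requests through the PDP and summarise the resulting evidence."""
    AUDIT_LOG.clear()
    decide(Request("alice", True, True, ["finance-ops"], True, "finance-vdi", "payments-db", 10))       # allow
    decide(Request("alice", True, True, ["finance-ops"], True, "guest-wifi", "payments-db", 10))        # wrong segment
    decide(Request("bob", True, False, ["hr"], True, "corp-workstations", "hr-records", 5))             # no MFA
    decide(Request("mallory", True, True, ["hr"], True, "corp-workstations", "unknown-app", 5))         # no policy
    return evidence_summary(AUDIT_LOG)


if __name__ == "__main__":
    print(run_samples())
```

The point of the design is that `decide()` never consults a network location as a proxy for trust, and that every decision carries its reasons and the list of controls evaluated; `evidence_summary()` shows how that log is mapped to audit questions without a separate evidence-collection exercise.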


Architecture and Governance Are Not Interchangeable

Zero Trust Architecture does not eliminate governance responsibilities. Board‑level accountability under NIS2 and DORA, management awareness programs, business‑continuity planning, third‑party contractual clauses, GDPR‑driven data‑subject rights processes, and data‑minimisation decisions all reside above the architectural layer. While governance expectations vary by jurisdiction and sector, the architectural layer can be designed once to support them all. Regulators did not set out to standardize on Zero Trust; they reacted to the same underlying reality—identity‑centric attacks, lateral movement, supply‑chain risk, and the collapse of perimeter‑based trust. The result is a de‑facto consensus: Zero Trust Architecture is the security standard regulators implicitly agree upon because it mirrors how modern systems fail and how resilient systems must be built.


Learn how Atos views the architectural foundations behind global cybersecurity regulation.
