What it is
Zero Trust Architecture (ZTA) is a security model built on the principle that no user, device or request is trusted by default — not even one already inside the corporate network. Every access request must be authenticated, authorised and continuously validated before access is granted, and only for as long as it is needed. The model is formalised by the US National Institute of Standards and Technology in NIST SP 800-207, now the common reference for what "Zero Trust" actually means.
It replaces the traditional perimeter or "castle-and-moat" model, where a strong network boundary (firewalls, VPNs) protected a trusted interior. That model fails in a world of cloud services, remote work and mobile devices, where there is no single perimeter and where an attacker who gets inside faces little resistance moving laterally. Zero Trust assumes the attacker may already be inside and verifies accordingly.
How it works in practice
NIST distils Zero Trust into a few core tenets, then realises them with specific components.
1. Verify explicitly. Every access decision uses multiple signals — strong identity (ideally multi-factor authentication), device health, location, and the sensitivity of the resource — not just a network address. Being "on the LAN" grants nothing.
2. Least-privilege access. Users and services get the minimum rights needed for the task, often granted just in time and time-limited. This shrinks the blast radius if a credential is stolen.
3. Assume breach. Architect as though attackers are already present: segment aggressively, encrypt traffic end to end, log everything, and monitor continuously so anomalies are caught fast.
4. Microsegmentation. The network is divided into small zones — often down to the individual workload — so that compromising one segment does not grant access to others. This is what stops lateral movement, the failure mode of the perimeter model.
Architecturally, NIST describes a Policy Decision Point — split into a Policy Engine (which evaluates the request against policy and risk signals and reaches the allow/deny decision) and a Policy Administrator (which carries that decision out by instructing the enforcement point to open or close the session) — and a Policy Enforcement Point (PEP) that sits in front of each resource and actually allows or blocks the connection. Identity becomes the new perimeter, so a strong Identity and Access Management (IAM) system is the foundation of any Zero Trust deployment.
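The following is an added illustration of those components, not code from NIST or from any product: a Policy Engine decides from several signals (entitlement, MFA, device health), a Policy Administrator turns a permit into a short-lived, narrowly scoped session, and a Policy Enforcement Point re-checks that session on every use. Resource names, entitlements, time-to-live values and the `network` field are constructed for the example; note that the network location is recorded but never grants anything.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: resource sensitivity, per-subject entitlements and session lifetimes.
SENSITIVITY = {"status-page": "public", "wiki": "internal", "hr-db": "confidential"}
ENTITLEMENTS = {"alice": {"wiki": {"read", "write"}, "hr-db": {"read"}}}
SESSION_TTL = {"public": 3600, "internal": 1800, "confidential": 600}  # seconds; shorter for sensitive data

@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str
    mfa: bool               # second factor presented with this request
    device_compliant: bool  # endpoint health as attested by device management
    network: str            # "corp" or "external": a signal to log, never a pass

@dataclass
class Session:
    subject: str
    resource: str
    action: str             # least privilege: one action on one resource
    expires_at: float       # just-in-time, time-limited grant
    device_compliant: bool  # posture at grant time; re-checked on every use

def policy_engine(req: Request) -> tuple:
    """Policy Engine: decide from several signals; unknown resources count as confidential."""
    level = SENSITIVITY.get(req.resource, "confidential")
    if req.action not in ENTITLEMENTS.get(req.subject, {}).get(req.resource, set()):
        return False, "no entitlement for this action"   # least privilege
    if level != "public" and not req.mfa:
        return False, "MFA required"                     # verify explicitly; being "on the LAN" is not consulted
    if level == "confidential" and not req.device_compliant:
        return False, "device not compliant"
    return True, level

def policy_administrator(req: Request, level: str, now: float) -> Session:
    """Policy Administrator: turn a permit into a short-lived, narrowly scoped session."""
    return Session(req.subject, req.resource, req.action, now + SESSION_TTL[level], req.device_compliant)

def pep_connect(req: Request, now: float) -> tuple:
    """Policy Enforcement Point: consult the decision point before opening any connection."""
    allowed, info = policy_engine(req)
    if not allowed:
        return None, info
    return policy_administrator(req, info, now), "granted"

def pep_use(session: Session, action: str, now: float, device_compliant: bool) -> tuple:
    """Continuous validation: scope, expiry and current device posture are re-checked on every use."""
    if action != session.action:
        return False, "outside granted scope"
    if now >= session.expires_at:
        return False, "session expired; re-authenticate"
    if not device_compliant:
        return False, "device posture changed; session revoked"
    return True, "ok"
```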
| Dimension | Perimeter ("castle-and-moat") | Zero Trust |
|---|---|---|
| Default trust | Trust the internal network | Trust nothing; verify every request |
| Basis of access | Network location | Identity, device, context |
| Privilege | Broad once inside | Least privilege, just in time |
| Lateral movement | Easy after breach | Blocked by microsegmentation |
| Verification | Once, at the boundary | Continuous |
For EU public administrations the shift is now a legal and strategic expectation, not just good practice. The NIS2 Directive raises cybersecurity-risk-management obligations across essential and important entities, the Cybersecurity Act gives ENISA a permanent mandate and creates EU-wide certification, and a dedicated regulation now sets baseline cybersecurity requirements for the EU institutions themselves, supported by CERT-EU. Zero Trust — strong identity, least privilege, segmentation, continuous monitoring — is the architecture that operationalises these obligations.
Common points of confusion
- Zero Trust is not a product you buy. It is an architecture and a set of principles realised across identity, network, devices and monitoring. Any vendor selling "the Zero Trust box" is overselling one piece of it.
- A VPN is not Zero Trust. A VPN extends the trusted perimeter to a remote user — the opposite of Zero Trust, which trusts no connection implicitly. Replacing VPNs with identity-aware access is often a first ZTA step.
- Zero Trust is not just authentication. Verifying identity once is necessary but not sufficient; the model requires least privilege, microsegmentation and continuous validation, not a single login.
Why it matters for EU infrastructure specialists
Zero Trust is the defining security model of modern infrastructure, and EU legislation increasingly assumes it. For EPSO/AD/429/26 Field 1 (ICT Infrastructure), expect questions contrasting Zero Trust with the perimeter model, probing its core tenets (verify explicitly, least privilege, assume breach), or asking which component — policy engine, PEP, microsegmentation — does what. Knowing the NIST framing and the EU legal context (NIS2, the Cybersecurity Act, ENISA) is exactly what the exam rewards. Build that fluency with the full study pack: Prep for AD7 ICT Infrastructure on Prep4EU