Palo Alto Prisma Access EU Alternative 2026: CLOUD Act 23/25 in Cloud-Delivered SASE
Post #1 in the sota.io EU Zero Trust Networking Series
Palo Alto Networks built its reputation on next-generation firewalls — physical appliances that enterprises deployed in data centres and campus networks. Prisma Access is something different: a cloud-delivered Secure Access Service Edge (SASE) platform that replaces those on-premises appliances with a globally distributed cloud service. Every enterprise network session — web browsing, SaaS access, private application connections, DNS queries — is routed through Palo Alto's cloud infrastructure for inspection, policy enforcement, and threat detection.
For European organisations, this architectural shift creates a compliance problem distinct from the one posed by traditional Palo Alto firewalls. When you deploy a Palo Alto NGFW on-premises in Frankfurt, the device is under your control, and its telemetry goes where your configuration directs it. When you deploy Prisma Access, your employees' network traffic becomes an inline data stream processed by infrastructure that Palo Alto Networks, Inc., a Delaware C-Corporation, operates on Google Cloud. This is not a question of where your data centre is located. It is a question of which legal entity controls the path every packet travels.
This is the first post in our EU Zero Trust Networking Series, examining CLOUD Act and GDPR exposure in cloud-delivered ZTNA and SASE platforms. We have previously covered the broader Palo Alto Networks portfolio (NGFWs, Prisma Cloud, Cortex) in our EU Security Tools Series. Prisma Access deserves its own analysis because its data flows, legal exposure, and EU-native alternatives differ substantially from the firewall and CSPM products.
What Prisma Access Actually Does (and Why It Differs from On-Premises Palo Alto)
Prisma Access is Palo Alto Networks' cloud-delivered SASE platform. It bundles four security functions:
- ZTNA (Zero Trust Network Access): Replaces VPN for accessing private applications. Users authenticate through Palo Alto's cloud brokers; the service mediates every session between the user and the application.
- SWG (Secure Web Gateway): An inline proxy that filters and inspects all internet-bound traffic, including TLS-inspected HTTPS. Every web request your employees make passes through Prisma Access before reaching the destination.
- CASB (Cloud Access Security Broker): Monitors and controls access to SaaS applications — Microsoft 365, Salesforce, Box — by sitting inline between users and cloud services.
- FWaaS (Firewall as a Service): Next-generation firewall policy enforcement delivered from the cloud, without physical appliances.
The critical architectural distinction is inline processing. Prisma Access is not a monitoring tool that receives copies of network events after the fact. It is the network path itself. Your users cannot reach the internet, private applications, or SaaS services without their traffic transiting Palo Alto's cloud infrastructure. This makes Prisma Access architecturally closer to a network carrier than to a security analytics platform.
Palo Alto delivers Prisma Access through a global network of cloud nodes hosted on Google Cloud Platform. The company licenses cloud compute capacity from Google and builds its SASE service on top. The combination creates a two-layer US-jurisdiction dependency: Palo Alto Networks, Inc. (Delaware, NASDAQ:PANW) runs its SASE software on Google LLC infrastructure (Google LLC is a Delaware LLC; Alphabet Inc., NYSE:GOOGL, is a Delaware C-Corp). A compelled disclosure under the US CLOUD Act could arrive at either layer.
CLOUD Act Risk Score: 23/25
We evaluate Prisma Access using the same 25-point framework applied across this series, assessing five dimensions on a scale of 0–5.
D1 — Corporate Structure: 5/5
Palo Alto Networks, Inc. is incorporated in Delaware and headquartered in Santa Clara, California. It is listed on the NASDAQ as PANW and had annual recurring revenue exceeding USD 4.5 billion in fiscal year 2025. Palo Alto operates European subsidiaries — Palo Alto Networks Netherlands B.V. and others — but the European entities are wholly owned by the Delaware parent. The US CLOUD Act applies to the parent, and US courts have consistently held that parent corporations can be compelled to produce data held by subsidiaries. Maximum risk: 5/5.
D2 — US Government Exposure: 5/5
Palo Alto Networks is one of the largest federal cybersecurity contractors in the United States. Its FedRAMP High authorization covers Prisma Access, Cortex XDR, and Prisma Cloud. Known federal customers include the US Department of Homeland Security (DHS), Department of Defense (DoD) components, intelligence community agencies, and major defence contractors. Palo Alto's Cortex XSIAM platform is deployed in US national security infrastructure, and the company holds classified program contracts.
This government exposure matters for CLOUD Act risk because the agencies that hold the legal authority to compel production already have an operational relationship with the vendor; they are not approaching it cold. For Prisma Access specifically: DHS, the main cybersecurity regulator, is a significant Palo Alto customer. The same company whose cloud processes your EU network traffic is already deeply embedded in US government security operations. Risk: 5/5.
D3 — Data Sovereignty: 5/5
Prisma Access routes traffic through a network of regional "service connections" and Points of Presence (PoPs). Palo Alto offers EU-regional PoPs — data centres in Amsterdam and Frankfurt are referenced in its documentation. However, regional PoPs do not guarantee regional data processing. Several elements of the Prisma Access architecture escape regional boundaries:
- Cortex Data Lake: All log data (URL categories, application identifiers, user identities, threat events, policy matches) is stored in Cortex Data Lake. Palo Alto has deployed regional Cortex Data Lake instances, but the parent company retains administrative access to all instances regardless of location.
- AI and threat intelligence: WildFire, PAN's global threat intelligence service, processes file samples and URL intelligence globally. When Prisma Access encounters an unknown file or suspicious URL, it submits metadata or samples to WildFire for analysis. WildFire is not regionally isolated.
- ZTNA brokering: Private access sessions are brokered through Palo Alto's cloud control plane. Even if data-path PoPs are EU-located, the authentication and session-management control plane spans global infrastructure.
The net effect: European enterprises cannot achieve clean EU-jurisdiction data processing with Prisma Access. Data sovereignty commitments exist in Palo Alto's DPA, but they describe contractual intent, not architectural reality under a compelled disclosure. Risk: 5/5.
D4 — Architecture and Telemetry Depth: 4/5
Prisma Access is inline for network traffic, which means it sees more than most security tools. When TLS inspection is enabled — the default recommended configuration — Palo Alto decrypts, inspects, and re-encrypts HTTPS traffic. This gives the platform visibility into the content of encrypted communications, not just metadata.
Specific telemetry categories collected by Prisma Access:
- Full URL (including path and query parameters) for all inspected web traffic
- Application identification (App-ID) for all traffic flows
- User identity mapped to network sessions
- DNS queries and responses
- Threat and malware detection events, including file hashes submitted to WildFire
- Policy match events for every allowed or denied connection
- ZTNA session metadata: which user connected to which private application, when, from where
This telemetry is richer than what endpoint agents typically collect but narrower than a Ring-0 kernel-level agent that intercepts filesystem operations and process memory. The 4/5 reflects the significant depth of network-layer visibility combined with content inspection capability. Risk: 4/5.
D5 — Transparency: 4/5
Palo Alto Networks publishes an annual transparency report that discloses government requests by volume and category. The report distinguishes criminal legal process from national security demands. Palo Alto acknowledges receiving national security orders, including orders whose specifics it is legally prohibited from disclosing, and reports aggregate counts.
The limitation: Prisma Access is a network infrastructure service, not a communication platform. The transparency framework most applicable to it is the one governing telecommunications providers and network intermediaries, not the voluntary corporate reporting model Palo Alto uses. There is no equivalent of the EU Electronic Communications Code compelled disclosure regime that would provide comparable procedural protections. Risk: 4/5.
Total CLOUD Act Risk Score: 23/25
Why This Score Is Higher Than the Firewall Product
The EU Security Tools Series assigned Palo Alto Networks 19/25 when covering NGFWs, Cortex XDR, and Prisma Cloud. Prisma Access scores 4 points higher for a structural reason: inline network processing creates fundamentally different CLOUD Act exposure than a cloud-hosted analytics platform.
When Cortex XDR or Prisma Cloud processes EU security data, a compelled disclosure can produce logs, configurations, and threat records. This is sensitive, but the data is retrospective — copies of events that have already occurred.
When Prisma Access is the network path, a compelled production order — or a Section 702 collection order directing Google Cloud to intercept traffic at the infrastructure layer — could result in real-time access to the content of enterprise network sessions. The difference between a recording and a wiretap is legally and operationally significant. Inline SASE products face the same exposure profile as telecommunications infrastructure, not the analytics-platform exposure profile of CSPM or XDR products.
Specific GDPR Compliance Considerations
Article 32 — Security of Processing
Article 32 requires controllers and processors to implement technical and organisational measures appropriate to the risk. For network security, this typically includes encryption in transit, access controls, and network segmentation. Prisma Access satisfies basic Article 32 requirements at the platform level: it provides TLS, authentication, and policy enforcement.
The Article 32 problem arises from the meta-level architecture decision: choosing to route EU employee network traffic through a US-jurisdiction cloud service is itself a risk that Article 32's proportionality test applies to. Data Protection Authorities in Germany (BfDI, BayLDA), France (CNIL), and the Netherlands (AP) have all issued guidance indicating that the structural CLOUD Act risk created by routing personal data through US cloud infrastructure is relevant to the Article 32 assessment.
Article 44 — Transfers to Third Countries
ZTNA session metadata, user identity records, and URL access logs generated by Prisma Access constitute personal data under GDPR (identifiable individuals, processed by an identifiable controller). When this data is processed in or accessible from the United States, Article 44 requires a legal basis for the transfer.
Standard Contractual Clauses (SCCs) are the primary mechanism Palo Alto offers. Post-Schrems II, the Court of Justice of the European Union held that SCCs must be supplemented by a Transfer Impact Assessment (TIA) when the destination country's surveillance laws may undermine the protection SCCs provide. The CLOUD Act is precisely the type of surveillance law the CJEU had in mind. Any TIA for Prisma Access must address US CLOUD Act authority over Palo Alto Networks, Inc. and Google LLC infrastructure. TIAs that conclude this risk is "negligible" or "manageable through contractual mitigations" are legally vulnerable.
NIS2 Article 21(2)(h) — Network and Information System Security
NIS2 requires essential and important entities to implement "policies and procedures regarding the use of cryptography and, where appropriate, encryption" and "security in network and information systems." Essential entity security teams advising on SASE adoption need to evaluate whether routing all network traffic through a US-controlled cloud service is consistent with NIS2's security requirements, particularly for critical infrastructure operators in energy, transport, and financial services.
DORA Article 9 — ICT Security
Financial entities subject to DORA must ensure that ICT arrangements do not create unacceptable concentration risk or operational dependency on providers whose resilience, continuity, and confidentiality cannot be independently verified. Prisma Access as network infrastructure represents a high-dependency ICT arrangement. DORA's Article 28 concentration risk provisions apply when a single provider controls network access paths for the entire financial entity.
EU-Native Zero Trust Networking Alternatives
Building a GDPR-compliant Zero Trust network without US-jurisdiction infrastructure requires substituting both the ZTNA/SASE function and the underlying cloud infrastructure. Pure EU-native alternatives are limited — the SASE category emerged from Silicon Valley and Israeli security firms — but viable options exist.
LANCOM SD-WAN + R&S LANCOM (Germany) — CLOUD Act Score: 0/25
LANCOM Systems GmbH is a German network equipment manufacturer headquartered in Würselen, North Rhine-Westphalia. It is a wholly-owned subsidiary of Rohde & Schwarz GmbH & Co. KG (Munich, private), one of Germany's oldest electronics companies, founded in 1933. LANCOM has no US corporate parent, no US-listed shareholders, and no US government contracts.
LANCOM's SD-WAN portfolio covers:
- LANCOM vRouter: Software-defined network functions for enterprise routing
- LANCOM Management Cloud (LMC): German-hosted cloud management platform
- LANCOM R&S Unified Firewalls: Hardware and software firewalls with German-hosted update infrastructure
Limitation: LANCOM does not offer a full cloud-delivered SASE stack comparable to Prisma Access. It provides SD-WAN connectivity and network security but lacks the cloud-native SWG and ZTNA brokering that Prisma Access delivers. For organisations requiring a direct Prisma Access replacement, LANCOM would typically be combined with an EU-hosted proxy service.
T-Systems SASE / Telekom Security (Germany) — CLOUD Act Score: 0/25
T-Systems International GmbH is a wholly owned subsidiary of Deutsche Telekom AG (DTAG, Frankfurt Stock Exchange, FWB:DTE). Deutsche Telekom is approximately 31% owned by the German federal government through KfW and direct holdings. T-Systems operates European cloud infrastructure through its Open Telekom Cloud (based on OpenStack, EU data centres in Biere and Magdeburg, Germany) and Telekom Security services.
T-Systems offers SASE-adjacent services through partnerships and its own security operations portfolio:
- Managed SD-WAN on European infrastructure
- Cloud-based security services through Telekom Security
- Network access controls and enterprise connectivity
The T-Systems offering is less feature-complete than Prisma Access for global enterprise deployments — particularly for organisations with significant non-European workforces — but for EU-centric enterprises, it provides a sovereign network path through German-controlled infrastructure.
Systancia Gate (France) — CLOUD Act Score: 0/25
Systancia is a French software company headquartered in Issy-les-Moulineaux (Île-de-France). Founded in 2000, it offers enterprise application delivery, virtualisation, and network access solutions. Its Gate product is a ZTNA platform for secure remote access to private applications — a functional equivalent of the ZPA (Zscaler Private Access) or Prisma Access ZTNA component.
Systancia is entirely French-owned, with no US corporate parent or US investor with control rights. Its infrastructure is hosted in French and EU data centres. Gate is deployed primarily in French public sector and regulated enterprises (healthcare, energy, defence-adjacent).
Limitation: Systancia Gate addresses the ZTNA use case but does not provide the full SASE stack (SWG, CASB, FWaaS). Organisations requiring comprehensive inline network inspection alongside private access would need to combine Gate with other EU-native security components.
Cato Networks (Israel) — CLOUD Act Score: 0/25
Cato Networks Ltd. is an Israeli private company headquartered in Tel Aviv. It is not incorporated in the United States and has no US corporate parent. While it has received US venture capital funding (including from Lightspeed Venture Partners and others), the company is not subject to the US CLOUD Act — that law applies to providers incorporated or headquartered in the United States, not to their investors.
Cato's SASE platform is architecturally comparable to Prisma Access: a cloud-delivered network with global PoPs providing ZTNA, SWG, CASB, and FWaaS. The key difference is that Cato Networks is not a US company, not listed on a US exchange, and not subject to US surveillance law.
Cato is not strictly an EU-native alternative — it is an Israeli company — but for GDPR purposes, Israel is recognised by the European Commission as providing an adequate level of data protection (Commission Decision 2011/61/EU). This adequacy finding was maintained post-Schrems II and means personal data transfers to Israeli-controlled infrastructure do not require SCCs or a TIA.
Migration Guidance: Moving from Prisma Access to EU-Native SASE
A phased migration approach minimises operational risk:
Phase 1 — ZTNA/Private Access (Months 1–3): Replace Prisma Access's ZTNA function with Systancia Gate or an EU-hosted alternative. Private application access (ZTNA) is typically less operationally complex to migrate than SWG because it does not require re-routing all internet-bound traffic.
Phase 2 — Secure Web Gateway (Months 4–8): Replace the SWG component. This requires redirecting all employee internet traffic through an EU-hosted proxy. EU-based alternatives exist (hosted SWG services from European managed security providers) but require careful evaluation of throughput, SSL inspection capability, and EU-regional PoP coverage.
Phase 3 — Network Consolidation (Months 9–12): Consolidate the SD-WAN connectivity layer. LANCOM or T-Systems SD-WAN solutions can replace the underlying network transport function. At this stage, no EU enterprise network traffic transits US-controlled infrastructure.
Compliance documentation at each phase: Maintain updated TIAs and DPAs reflecting the reduced US-jurisdiction exposure at each migration step. DPA reviewers in Germany and France have accepted phased TIA updates as evidence of good-faith compliance progress, even where full migration is not yet complete.
Decision Matrix: When Prisma Access Is Acceptable vs. When It Is Not
| Scenario | Assessment |
|---|---|
| Global enterprise, US/EU hybrid workforce | Prisma Access acceptable under SCCs + TIA — workforce and data scope crosses jurisdictions |
| EU-only enterprise, no US data flows | High risk — full network traffic in EU-only context transiting US infrastructure is difficult to justify under Art.44 TIA |
| DORA-regulated financial entity | Critical risk — concentration risk analysis likely flags Prisma Access as systemically significant ICT provider |
| NIS2 essential entity (energy, transport, health) | High risk — competent authorities applying NIS2 Art.21 may require EU-sovereign network paths |
| Public sector / German, French, Dutch authority | Unacceptable — most EU public procurement frameworks now prohibit US-CLOUD-Act-subject network infrastructure |
| Defence-adjacent or classified environment | Unacceptable — use case requires EU-sovereign classified network access (German VSA, French ANSSI) |
Conclusion
Palo Alto Prisma Access earns a 23/25 CLOUD Act risk score because it combines the highest-risk corporate structure profile (PANW, Delaware, NASDAQ, major US Federal contractor) with an inline network architecture that creates fundamentally different exposure than analytics or monitoring products. When Prisma Access is your SASE platform, every EU employee network session is processed by US-controlled cloud infrastructure. There is no configuration, DPA clause, or regional routing option that changes this structural reality.
The critical insight for EU security architects: the regulatory risk calculus for SASE is not the same as for endpoint security or CSPM tools. Inline network products are closer to telecommunications infrastructure than to enterprise software. The EU regulatory framework — Schrems II, NIS2, DORA, and emerging data sovereignty requirements in public procurement — is progressively tightening requirements on network infrastructure specifically.
For EU-regulated enterprises building a ZTNA or SASE architecture, the question is not whether to evaluate EU-native alternatives but how quickly to migrate. Cato Networks (Israeli, 0/25) provides the most feature-complete SASE alternative to Prisma Access. For organisations requiring strict EU-jurisdiction control, the combination of Systancia Gate (ZTNA) and T-Systems Telekom Security (network access) represents the most operationally mature EU-sovereign path, at the cost of some feature completeness versus the integrated Prisma Access platform.
This analysis is part of the sota.io EU Zero Trust Networking Series. Coming next: Cloudflare One EU Alternative 2026 — NYSE:NET Delaware, CLOUD Act 23/25, and the compliance gap between Cloudflare's CDN products and its Enterprise network security suite.