Zscaler EU Alternative 2026: CLOUD Act & GDPR Risk in ZTNA/Zero Trust Security
Post #5 in the sota.io EU Security Tools Series
Zscaler has redefined enterprise network security. Its Zero Trust Exchange processes over 500 billion transactions daily — inspecting, filtering, and routing corporate internet traffic through a cloud-native platform that eliminates the traditional VPN perimeter. For European enterprises, however, Zscaler presents a structural compliance problem that no data processing agreement can fully resolve: every packet of corporate network traffic flows through a US-incorporated company subject to the CLOUD Act.
This is the fifth post in our EU Security Tools Series, examining GDPR and CLOUD Act exposure in enterprise security platforms. We have previously covered CrowdStrike, SentinelOne, Palo Alto Networks, and Wiz. Today: the zero trust category.
What Zscaler Actually Does (and Why It Matters for GDPR)
Zscaler sells two primary products:
- ZIA (Zscaler Internet Access): A cloud-native Secure Web Gateway and CASB that acts as an inline proxy between your users and the internet. All HTTP/HTTPS traffic, DNS queries, and application sessions pass through Zscaler data centers for inspection and policy enforcement.
- ZPA (Zscaler Private Access): A Zero Trust Network Access solution that replaces VPN for accessing internal applications. Users authenticate through Zscaler brokers; the platform mediates every session.
Both products are architecturally inline. Zscaler does not receive logs or telemetry after the fact — it is the network path itself. This architectural reality creates a compliance exposure unlike endpoint or cloud security tools: Zscaler sees everything, including encrypted traffic when SSL inspection is enabled.
Zscaler Corporate Structure and US Jurisdiction
Zscaler, Inc. is incorporated in Delaware, headquartered in San Jose, California. It is publicly listed on NASDAQ (ticker: ZS). Key facts:
- CLOUD Act scope: As a US-domiciled provider, Zscaler can be compelled by US federal law enforcement and intelligence agencies to disclose customer data without requiring consent or prior notification to the data subject
- FISA Section 702: Zscaler's US personnel and infrastructure fall within the NSA's collection authorities under FISA 702, which covers foreign intelligence acquisition from US-based providers
- Executive Order 12333: Broader foreign intelligence collection framework that can reach Zscaler's non-US data centers through US-nationality staff and corporate control
- EU Data Center availability: Zscaler operates points of presence in Frankfurt, Amsterdam, Paris, and other EU cities — but these nodes are operated by a US corporation under US law. Geographic location of data processing does not remove US jurisdiction over the operator
The European Data Protection Board's adequacy guidance, the Schrems II decision (C-311/18), and the EU-US Data Privacy Framework all acknowledge this tension. The DPF provides a political mechanism for some transfers, but it does not immunise data from FISA 702 collection.
GDPR Risk Analysis: Zscaler
| Risk Factor | Assessment | Score |
|---|---|---|
| US corporation (CLOUD Act subject) | Delaware/California domicile | 5/5 |
| Data sensitivity | All corporate internet traffic + encrypted session metadata | 5/5 |
| Inline proxy architecture | Every HTTP/HTTPS request inspected | 4/5 |
| SSL/TLS inspection | Can decrypt and inspect all encrypted traffic | 4/5 |
| FISA 702 / EO 12333 exposure | Intelligence-grade access to traffic metadata | 3/5 |
| Data minimisation (GDPR Art. 5) | Traffic analysis requires processing all data | 2/5 |
Total GDPR Risk Score: 23/25 — Extreme
Zscaler scores among the highest in our series. The combination of US incorporation, inline architecture, and SSL inspection capability means that Zscaler has technical access to sensitive EU employee traffic that a US government order could compel disclosure of. This is not a theoretical risk — the CLOUD Act includes emergency disclosure provisions that bypass normal notification requirements.
For organisations processing special categories of personal data (health, finance, legal, HR) whose employees use Zscaler-protected internet access, the exposure is compounded: Zscaler may see the URLs, application metadata, and session identifiers associated with sensitive internal systems.
What the NIS2 Directive Means for Your ZTNA Vendor Choice
NIS2 (Directive 2022/2555), effective January 2025 across EU member states, introduced supply chain security obligations for essential and important entities. Article 21(2)(d) specifically requires "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."
For NIS2-covered organisations — which include energy, transport, banking, health, digital infrastructure, and managed service providers — using a ZTNA platform that processes all network traffic creates a supply chain dependency that regulators are beginning to scrutinise. National competent authorities in Germany (BSI), France (ANSSI), and the Netherlands (NCSC-NL) have all published guidance recommending EU-certified or EU-headquartered security products where available.
DORA (Digital Operational Resilience Act), effective January 2025 for EU financial entities, similarly requires ICT third-party risk assessments that include data jurisdiction analysis. A Zscaler deployment for a EU bank requires explicit concentration risk documentation and may trigger enhanced oversight.
EU Alternatives for Zero Trust Network Access
The European ZTNA market is less mature than the US-dominated incumbents. However, several EU-incorporated providers offer credible alternatives covering different use cases. No single product replicates the full Zscaler Zero Trust Exchange — this section maps EU options by capability area.
WALLIX (France) — PAM-anchored Zero Trust
Company: WALLIX Group SA, incorporated in France, listed on Euronext Paris (ALLIX), headquartered in Paris.
Products: WALLIX Bastion (Privileged Access Management), WALLIX Trustelem (identity-based zero trust for cloud applications).
GDPR Jurisdiction: French law (GDPR directly applicable), no US parent, no CLOUD Act exposure.
ANSSI Certification: WALLIX Bastion holds ANSSI CSPN certification.
Strengths:
- Designed for zero trust access to privileged accounts and internal applications
- Maps well to ZPA use cases (private application access without VPN)
- Strong audit trail and session recording capabilities
- Listed on a European stock exchange — EU regulatory accountability
- Active in banking, insurance, energy, and government sectors
Limitations:
- Does not provide inline web filtering (no ZIA equivalent)
- SWG/CASB capability requires integration with separate products
- Smaller engineering team than Zscaler (approx. 600 employees)
Best for: Organisations primarily concerned with privileged access control and internal application ZTNA. Strong fit for NIS2-covered entities requiring PAM.
Stormshield (France) — Network-layer Security
Company: Stormshield SAS, wholly owned by Airbus CyberSecurity, incorporated in France.
Products: Stormshield Network Security (SNS — NGFW/UTM), Stormshield Endpoint Security (SES), Stormshield Data Security (SDS).
GDPR Jurisdiction: French law. Airbus SE is a European multinational (Netherlands incorporation, Germany/France/Spain operations). No US parent.
Certifications: ANSSI Qualification (highest French certification level), NATO SECAN approval for use in classified networks, BSI Basic Protection recognised, Common Criteria EAL3+.
Strengths:
- NATO and EU government approved — genuine certified-for-classified track record
- SNS appliances act as network proxy/filtering, partially overlapping with ZIA's web filtering
- Operates entirely within EU legal frameworks
- Airbus parent provides financial stability and defence-grade R&D budget
- Strong in industrial/OT environments (ICS-SCADA security)
- On-premise and hybrid deployments available (data does not leave customer infrastructure)
Limitations:
- Primarily appliance-based — less cloud-native than Zscaler's SaaS model
- Requires more on-premise infrastructure management
- No equivalent to ZPA's agentless zero trust access
- Smaller global partner network
Best for: Regulated industries requiring certified-for-classified security, manufacturing, critical infrastructure, government. Strong ZIA-parallel for network filtering.
Rohde & Schwarz Cybersecurity (Germany) — Trusted Endpoints and Gateways
Company: Rohde & Schwarz Cybersecurity GmbH, subsidiary of Rohde & Schwarz GmbH & Co. KG, Munich. Family-owned German company with zero US ownership.
Products: R&S Trusted Gateway Suite (SWG/web filtering), R&S Trusted Endpoint (endpoint security + secure browsing), R&S Trusted VPN (site-to-site and remote access).
GDPR Jurisdiction: German law. No US shareholders, no CLOUD Act exposure.
Certifications: German BSI certification for multiple products. BSI C5 criteria compliance for cloud services.
Strengths:
- R&S Trusted Gateway Suite directly addresses the SWG/CASB use case (ZIA equivalent)
- Browser isolation technology prevents web-borne malware without full traffic inspection
- German Mittelstand and government sector track record
- On-premise and private cloud options preserve data sovereignty
- Trusted Endpoint can replace agent-based ZTNA in certain architectures
Limitations:
- Cloud-native scalability less proven than Zscaler's hyperscaler-backed infrastructure
- Primarily European market presence (limited global support outside DACH region)
- Less feature breadth than Zscaler's integrated platform
Best for: German enterprises and government agencies requiring BSI-certified solutions. SWG replacement for organisations unwilling to route traffic through US-owned infrastructure.
Eviden (France) — Managed ZTNA Services
Company: Eviden SAS, formerly Atos Cybersecurity, incorporated in France. Subsidiary of Eviden (Atos Group).
Products: Managed Zero Trust Network Access services, identity governance, SASE-adjacent managed services.
GDPR Jurisdiction: French law, EU infrastructure, no US parent.
Strengths:
- Managed service model removes operational burden
- EU infrastructure guarantees for data processing location
- Large EU client base in banking, government, and healthcare
- Can integrate with existing EU identity providers (Keycloak, MS Entra in EU regions)
Limitations:
- Managed service dependency — vendor lock-in risk
- Less transparent product roadmap than pure-play security vendors
- Pricing structured for enterprise contracts
Best for: Large EU enterprises that prefer managed security services over in-house ZTNA operations. Banking and financial services.
Capability Comparison: Zscaler vs. EU Alternatives
| Capability | Zscaler | WALLIX | Stormshield | R&S Cybersecurity | Eviden |
|---|---|---|---|---|---|
| ZTNA (Private App Access) | ZPA — excellent | Bastion — strong | Limited | Trusted VPN | Via managed service |
| SWG (Internet Access Filtering) | ZIA — excellent | No | SNS — good | Trusted Gateway — good | Via managed service |
| CASB (Cloud App Security) | ZIA-CASB — excellent | No | Limited | Limited | Via managed service |
| SSL Inspection | Yes (ZIA) | No | Yes (SNS) | Yes (Trusted Gateway) | Via managed service |
| GDPR Risk | 23/25 — Extreme | 3/25 — Low | 2/25 — Minimal | 2/25 — Minimal | 4/25 — Low |
| US Jurisdiction | Yes (Delaware) | No (French law) | No (French law) | No (German law) | No (French law) |
| ANSSI Certification | No | CSPN ✓ | Qualified ✓ | BSI ✓ | Evaluated |
| Cloud-native SaaS | Yes | Partial | Partial | Partial | Yes (managed) |
| Deployment Complexity | Low (SaaS) | Medium | Medium-High | Medium | Low (managed) |
Migration Strategy: From Zscaler to EU-Sovereign ZTNA
Moving from Zscaler's integrated platform to EU alternatives requires a phased approach because no single EU product replicates the full feature set today.
Phase 1 — Risk Assessment (Month 1-2)
Inventory all Zscaler integrations: identity provider connections, DLP policies, SSL inspection scope, ZPA application connectors. Classify which workloads have the highest CLOUD Act sensitivity — typically HR systems, legal document stores, M&A deal rooms, health data, and financial trading applications.
Phase 2 — Private Access Migration (Month 2-4)
Replace ZPA with WALLIX Trustelem or equivalent EU ZTNA for internal application access. Start with lower-risk applications to validate identity federation and access policies. Maintain ZPA in parallel during validation.
Phase 3 — Internet Access Migration (Month 4-8)
Replace ZIA with Stormshield SNS or R&S Trusted Gateway for web filtering. This is the most complex phase because ZIA often handles DLP, CASB, and threat prevention simultaneously. Consider a hybrid approach for cloud application access (EU-native CASB where available).
Phase 4 — Cutover and Validation (Month 8-12)
Full cutover with monitoring. Validate NIS2 supply chain documentation reflects EU-only vendors. Update DPIAs for any remaining cross-border flows.
Cost consideration: EU alternatives typically involve higher operational costs (appliance management, more integration work) offset by reduced regulatory risk premiums and potential avoidance of DPA enforcement actions.
The Broader EU ZTNA Landscape
The gap between Zscaler's integrated platform and available EU alternatives reflects a broader market reality: the zero trust category was invented and scaled primarily by US startups (Zscaler, Palo Alto Prisma, Cloudflare One, Netskope). European vendors have historically focused on on-premise perimeter security.
This is changing. The NIS2 implementation, combined with EU-US DPF uncertainty and CLOUD Act enforcement actions, is creating demand that EU vendors are beginning to address. WALLIX has explicitly positioned Trustelem against ZPA. Stormshield is investing in cloud-native SNS capabilities. The European Investment Fund has backed cybersecurity startups in France, Germany, and the Nordics.
For procurement decisions made today, the EU ZTNA market requires accepting functional trade-offs in exchange for data sovereignty. For organisations where CLOUD Act exposure is a real regulatory or contractual risk — financial services under DORA, health data processors, defence contractors, legal firms advising on EU matters — those trade-offs are increasingly justified.
Regulatory Context: What GDPR Supervisory Authorities Have Said
The German DSK (Datenschutzkonferenz) published a position in 2023 stating that use of US-domiciled cloud and security services requires a Transfer Impact Assessment (TIA) under GDPR Article 46. For inline services like Zscaler, where the transfer is architecturally unavoidable, the TIA must address FISA 702 collection risk explicitly.
The French CNIL has similarly found that US cloud providers cannot guarantee GDPR-compliant data processing when subject to FISA 702, despite contractual protections. Standard Contractual Clauses (SCCs) do not override US intelligence law.
The European Data Protection Board (EDPB) Opinion 28/2024 on the EU-US DPF noted ongoing concerns about FISA 702 batch collection that applies to non-US persons. For a ZTNA provider processing all internet traffic from EU employees, this creates a systemic exposure that the DPF does not resolve for intelligence collection purposes.
Checklist: Evaluating Your Zscaler GDPR Exposure
Before your next contract renewal, assess:
- Does your DPA with Zscaler explicitly address FISA 702 and CLOUD Act disclosure scenarios?
- Have you completed a Transfer Impact Assessment for Zscaler as a data importer under SCCs?
- Is SSL inspection enabled? If yes, what categories of employee data are being decrypted and processed by a US entity?
- Are special category data systems (health, finance, legal, HR) accessible through Zscaler-proxied connections?
- Have you notified your works council/employee representatives about Zscaler's network monitoring scope?
- Does your NIS2 supply chain risk register include Zscaler and its US jurisdiction exposure?
- For financial entities under DORA: have you completed a Zscaler ICT concentration risk assessment?
Conclusion: Zero Trust Should Not Mean Zero Sovereignty
Zscaler's Zero Trust Exchange is technically impressive — arguably the most complete ZTNA platform available. But zero trust does not mean zero sovereignty. When all corporate internet traffic routes through a Delaware corporation's infrastructure, EU enterprises are extending implicit trust not just to Zscaler's security model but to US legal jurisdiction over their network data.
European alternatives exist. WALLIX provides credible EU-sovereign ZTNA for private application access. Stormshield and Rohde & Schwarz Cybersecurity offer certified SWG replacements. Eviden provides managed services for enterprises that prioritise operational simplicity. None replicate Zscaler's integrated breadth today — but the regulatory trajectory of NIS2, DORA, and ongoing Schrems II litigation is creating the market pressure that will drive EU alternatives to close the gap.
The question for European CISOs is not whether EU alternatives are as feature-complete as Zscaler today. The question is whether the CLOUD Act risk of routing all corporate network traffic through a US-jurisdiction entity is acceptable given your regulatory obligations, sector requirements, and data classification. For a growing number of European organisations, the answer is no.
Part of the sota.io EU Security Tools Series. Previous posts: CrowdStrike | SentinelOne | Palo Alto Networks | Wiz. Next: EU Security Tools Comparison Finale.
Deploy on sota.io — European cloud hosting with GDPR-compliant infrastructure. Start free.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.