Zscaler has announced an expansion of its digital sovereignty capabilities within its Zero Trust Exchange platform, a move aimed at addressing a growing demand among large corporations, governments, and regulated sectors: the ability to use global cloud security services without relinquishing control over where data is processed, inspected, and stored. The company states that it already operates over 160 data centers and that its new phase involves strengthening the separation between the control plane, data plane, and logging plane, as well as extending these functions to new regions, including a future deployment in Canada.
The news comes at a time when digital sovereignty has shifted from an abstract political concept to a technical and contractual requirement. In the European Union, for example, regulatory pressures have increased with laws like GDPR and NIS2, which compel organizations to have clearer insights into how their data is protected, where it flows, and under which jurisdiction it falls. The European Commission reminds that NIS2 establishes a common cybersecurity framework for 18 critical sectors, further elevating expectations for infrastructure and security providers.
What Zscaler is promoting here is not just data residency, but a more decentralized architecture. The company claims it has long built dedicated control planes for the United States and Europe, along with specific logging planes in six different countries, and is now extending this model to additional regions. This detail matters because one of the major debates in digital sovereignty is not only about where logs are stored but also where control decisions are made, how the platform is managed, and whether a service claiming to be “local” truly depends on a global shared control plane.
More local control without sacrificing a global network
Zscaler seeks to address an increasingly pressing contradiction for multinational corporations and public organizations: protecting data within a jurisdiction without disrupting cross-border collaboration or sacrificing performance. Their argument is that a truly sovereign architecture cannot rely on a single centralized plane for all global customers. That’s why they emphasize a strict separation between traffic management, inspection, and log storage, ensuring that sensitive information remains within its designated jurisdiction.
Among the new features announced, the company highlights SSL inspection and malware analysis within the region itself. This is significant because many organizations already accepted the idea of local data logging but remained uncertain about where traffic was decrypted or where suspicious files were analyzed. Zscaler now assures that such processing can be conducted locally, preventing content or files from leaving the appropriate jurisdiction during analysis.
It also emphasizes its Private Service Edge offering, a dedicated and managed deployment option tailored for clients with specific hardware certification or operational isolation requirements. While not entirely new to Zscaler’s portfolio, this reinforces its approach towards environments where a purely multi-tenant, global model may not meet the compliance or security needs of regulators or end customers. Additionally, regional support teams are pledged to help CIOs and CISOs interpret national regulations and configure services accordingly.
Underlying message: cloud security without ceding jurisdiction
Another core aspect of the announcement involves cryptographic control and compliance. Zscaler states its model grants full ownership of data through integration with HSMs so that only authorized parties can decrypt traffic. It also promotes a “collect once, certify all” approach, aiming to map a unified set of security controls across multiple overlapping regulatory frameworks, including GDPR, NIS2, and DoD IL5. While this is a commercial point, it reflects a real challenge: many organizations face compliance with multiple standards simultaneously, often with overlapping and costly-to-demonstrate requirements.
Resilience is also a key focus. The company underscores that it operates its own cloud infrastructure and that an outage at a data center should not become a single point of failure for the global service. This argument carries weight in a market where digital sovereignty is increasingly viewed not just as data residency but as operational continuity, management autonomy, and the ability to keep critical services active during incidents. In sectors such as finance, public administration, or essential infrastructure, this component becomes nearly as crucial as the physical location of data stores.
In essence, this announcement highlights the direction in which the cloud cybersecurity market is heading. For years, many platforms sold the promise of a unified global cloud. That narrative no longer suffices for the most sensitive clients. They now seek a more complex combination: international scale, advanced inspection, local compliance, key control, regional support, and technically auditable guarantees about where each part of the service resides. Zscaler positions itself right at that intersection of global performance and operational sovereignty.
The unresolved question is not whether demand exists—because it does and is growing—but to what extent the “digital sovereignty” models offered by leading cloud security providers genuinely meet the toughest requirements of European clients and governments, or whether they will push parts of the market toward even more localized, dedicated, or hybrid architectures. What seems clear is that digital sovereignty is no longer a value-added feature; it is becoming a baseline requirement.
Frequently Asked Questions
What exactly has Zscaler announced?
Zscaler has expanded its digital sovereignty capabilities within Zero Trust Exchange with new features for local control over SSL inspection, malware analysis, control planes, and log storage, as well as extending this model to new regions like Canada.
What does digital sovereignty mean in this context?
It means that an organization can decide and verify where its data and logs are managed, processed, and inspected, ensuring they do not leave the jurisdiction required by its policies or applicable laws.
Why is this important in Europe?
Because frameworks like GDPR and NIS2 have tightened data protection, traceability, and cybersecurity requirements across multiple critical sectors, forcing organizations to reconsider how they use global cloud and security providers.
What advantage does Zscaler claim over other providers?
The company asserts that its advantage lies in a decentralized architecture with genuine separation between control, data, and logs, along with regional inspection capabilities and a global network of over 160 data centers.
via: zscaler