They should map the full access path, not just the application location. If a ZTNA service brokers sessions through foreign infrastructure, it can create a transfer issue even when the user and resource are local. The control objective is to keep routing, logging, and enforcement inside the jurisdiction required by the data classification.
Why This Matters for Security Teams
ZTNA is often adopted to reduce exposure, but privacy and data residency risk can be introduced by the access broker itself. Hidden cross-border transfers may occur through session orchestration, authentication services, telemetry, packet inspection, or support operations that are not obvious from the application inventory. Security, legal, and privacy teams need to assess the full trust path, not just the location of the protected workload. The design question is whether any part of the access decision, metadata handling, or traffic relay leaves the required jurisdiction.
This matters because cross-border transfer rules can be triggered by temporary processing, not just storage. A ZTNA deployment that seems compliant on paper may still route user identifiers, device posture data, or session logs through another region. Current guidance suggests that data flow mapping should sit alongside architecture review, especially where regulated or sensitive data is involved. NIST SP 800-207 Zero Trust Architecture is useful here because it makes the policy engine, policy administrator, and policy enforcement point explicit parts of the control path.
In practice, many security teams discover the transfer problem only after a privacy review, procurement challenge, or regulator query has already exposed the hidden relay path.
How It Works in Practice
The operational fix is to build a jurisdictional data-flow model for the ZTNA architecture. That model should identify where authentication occurs, where device posture is evaluated, where session metadata is stored, and where traffic is proxied. If any of those functions are performed outside the approved region, the environment may create a cross-border transfer even if the application itself remains local.
Teams should treat the ZTNA control plane and data plane separately. A control plane hosted in one country can still process user identifiers, device certificates, and access logs in another. The safest approach is to validate each stage of the access journey against the relevant data classification and residency requirement. That includes identity provider integrations, certificate authorities, DNS resolution, remote support access, and the logging pipeline. Where possible, organisations should prefer regional brokers, local logging sinks, and in-jurisdiction key management.
- Map user, device, and session data from initiation to termination.
- Confirm where enforcement, inspection, and logging actually occur.
- Review third-party subprocessors and support access paths.
- Separate metadata handling from payload handling in the risk assessment.
- Test failover routes, because backup regions can silently change the transfer profile.
Operational evidence matters as much as architecture diagrams. Export settings, admin consoles, telemetry defaults, and incident-response workflows should all be reviewed for jurisdictional spillover. When encryption is involved, organisations still need to know where keys are generated, stored, and accessed, because key operations can themselves be regulated processing. The ZTNA design should also be aligned with least privilege so that access brokers only see the minimum data required to make a decision. These controls tend to break down when global failover and centralized logging are enabled because routing and observability services silently move processing outside the intended jurisdiction.
Common Variations and Edge Cases
Tighter residency controls often increase operational overhead, requiring organisations to balance lower transfer risk against resilience, observability, and supportability. The tradeoff is especially visible in multinational environments where regional failover is part of the business continuity design.
There is no universal standard for this yet, so organisations should avoid assuming that vendor marketing language such as local processing or regional availability automatically eliminates transfer risk. Best practice is evolving around contractual controls, technical data localization, and documented transfer assessments, but the exact threshold depends on the applicable privacy regime and the sensitivity of the data. A ZTNA service may be acceptable for low-risk traffic while still being unsuitable for regulated records or employee data.
Edge cases often appear in hybrid and remote support scenarios. For example, a local application can still be accessed through a global backbone, or a supposedly in-region deployment can rely on offshore support staff with privileged access to logs and administration consoles. The same issue can arise when a single sign-on provider, certificate service, or analytics platform sits outside the approved geography. Organisations should verify whether their access stack includes hidden identity or telemetry dependencies before treating ZTNA as a residency-safe control. CISA Zero Trust Maturity Model can help teams structure that review alongside ENISA zero trust guidance for implementation detail.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the technical controls, while DORA and NIS2 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.RM-01 | Risk management should cover hidden jurisdictional transfer paths in the ZTNA stack. |
| NIST Zero Trust (SP 800-207) | Zero Trust architecture requires explicit policy and enforcement path visibility. | |
| NIST SP 800-63 | Identity proofing and authentication dependencies can move personal data across borders. | |
| DORA | Operational resilience depends on understanding cross-border dependencies in access services. | |
| NIS2 | Network and access controls must support secure and accountable processing paths. |
Test failover and support arrangements to ensure resilience does not create unapproved transfers.
Related resources from NHI Mgmt Group
- How can organisations detect cross-cloud AI abuse before data is exposed?
- How should organisations handle sanctions risk when crypto is used for cross-border payments?
- How can organisations support forensic investigation of suspected data exfiltration?
- When should organisations review external data shares as part of identity governance?