TL;DR: Cloud-routed ZTNA can create GDPR exposure when vendor-controlled PoPs move traffic, metadata, or identifiers across borders, according to AppGate. Direct-routed access architecture matters because sovereignty failures can arise even when content is encrypted and access appears secure.
At a glance
What this is: This article argues that some cloud-routed ZTNA designs can undermine GDPR by moving user traffic and metadata through vendor-controlled infrastructure outside the customer’s jurisdiction.
Why it matters: It matters to IAM and security teams because access routing, authentication flows, and session metadata are part of the compliance boundary, not just the encrypted payload.
👉 Read AppGate's explanation of direct-routed ZTNA and GDPR sovereignty controls
Context
ZTNA changes the routing model for remote access, but it does not remove compliance obligations around where data travels. Under GDPR, the security boundary includes session metadata, identity context, and any personal data that passes through non-EU infrastructure, which makes access architecture a governance issue as much as a connectivity issue.
This is especially relevant where access decisions depend on identity providers, policy engines, and vendor-operated points of presence. The identity angle is not theoretical: routing, authentication, and authorization paths can all create regulated data transfers if they cross jurisdictions or leave customer control.
Key questions
Q: How should security teams evaluate ZTNA for GDPR compliance?
A: Security teams should assess where traffic is routed, where identity metadata is processed, and who controls the infrastructure that brokers access. GDPR risk appears when personal data or identifiers move through vendor-managed regions without a lawful transfer mechanism. The right test is whether the access path stays inside a documented jurisdictional boundary, not whether the session is encrypted.
Q: Why can metadata create GDPR risk in remote access tools?
A: Metadata can identify a person or reveal their behaviour, which makes it regulated data under GDPR when tied to access sessions, logs, or identity context. If a ZTNA service sends that metadata through infrastructure outside the EEA, the organisation may trigger cross-border transfer obligations even if the application payload never leaves the region.
Q: What breaks when a ZTNA vendor controls the access path end to end?
A: The compliance model becomes harder to prove because the organisation may not control where brokering, policy enforcement, and logging occur. That opacity can make transfer assessments, audit evidence, and regional data residency claims difficult to defend. In regulated environments, governance fails first when control and visibility are separated.
Q: Who is accountable when access routing violates GDPR transfer rules?
A: The organisation deploying the access service remains accountable for lawful transfer decisions, vendor oversight, and data protection obligations. A supplier can provide tooling, but it cannot absorb the controller’s responsibility under GDPR. Privacy, IAM, and procurement teams therefore need shared ownership of routing and residency decisions.
Technical breakdown
How cloud-routed ZTNA can create cross-border data transfers
Cloud-routed ZTNA commonly uses vendor-operated points of presence as intermediaries between the user and the protected application. That relay may improve reach and simplify deployment, but it can also place traffic, device attributes, and session metadata under infrastructure located in another jurisdiction. Under GDPR, that movement can be a transfer even when the content stays encrypted. The compliance question is therefore not only what data is visible, but where the routing and control plane are physically and operationally located.
Practical implication: map every ZTNA relay, control point, and logging path to jurisdiction before approving production use.
Why metadata matters as much as payload in GDPR assessments
GDPR compliance is not limited to the contents of a document or message. Identity tokens, user identifiers, device posture signals, and access logs can all qualify as personal data when they relate to an identified or identifiable person. If those elements traverse vendor infrastructure outside the EEA, the organisation may have created an unexamined transfer path. This is where access management and privacy governance intersect, because authentication telemetry is often treated as operational data when it should be treated as regulated data.
Practical implication: classify access telemetry and identity metadata as regulated data in DPIAs and vendor reviews.
Why direct routing changes the control model
A direct-routed design removes the vendor PoP from the session path and keeps the customer in charge of the infrastructure and region where access is brokered. That does not automatically make a deployment compliant, but it reduces the number of ungoverned transfer points and makes data-location decisions explicit. For regulated environments, the key architectural value is not speed or convenience on its own. It is the ability to align access enforcement, logging, and jurisdictional control within the same operating boundary.
Practical implication: prefer access architectures that let you place controllers, gateways, and logs in customer-controlled regions.
NHI Mgmt Group analysis
Jurisdiction is now part of the access-control problem. ZTNA is often discussed as a connectivity control, but GDPR makes routing choices part of the compliance model. If a vendor PoP handles identity context or session metadata outside the customer’s jurisdiction, the access pathway itself becomes a transfer risk. Practitioners should treat network access design as a governance control, not just a performance decision.
Identity metadata is governed data, not just operational noise. Authentication flows, user identifiers, and device signals are frequently logged, brokered, and correlated across multiple services. That means ZTNA implementations can expand the regulated data surface even when application payloads remain protected. The practical conclusion is that IAM and privacy teams need a shared inventory of where identity data moves, stores, and replicates.
Direct routing is a sovereignty pattern, not a compliance shortcut. Keeping traffic under customer control can reduce exposure to vendor-managed transfer paths, but it does not replace transfer assessments, lawful-basis analysis, or vendor due diligence. The value lies in making the architecture easier to govern and audit. Teams should understand it as a control enabler, not a compliance guarantee.
Data sovereignty is becoming an access architecture requirement. As more jurisdictions tighten localization and transfer rules, enterprises will need to prove that remote access paths respect regional boundaries by design. That will push ZTNA, identity, and privacy governance closer together. The organisations that do best will be the ones that document jurisdictional control as part of their access model, not as an after-the-fact legal review.
ZTNA governance debt grows when control planes are opaque. When session brokering, policy enforcement, and telemetry reside in vendor-managed regions, organisations inherit transfer risk they may not be able to observe directly. This is a classic governance gap: the access product works as advertised, but the compliance model becomes harder to defend. Practitioners should require jurisdictional transparency before standardising any remote access architecture.
What this signals
Jurisdictional routing will increasingly show up in IAM and privacy reviews. Access architecture can no longer be separated from data residency, especially where identity telemetry and session metadata traverse third-party control planes. Teams should expect ZTNA design to be challenged in the same discussions that cover transfer risk, logging retention, and regional processing boundaries.
Identity governance will need a better map of where access data moves. The practical gap is not only access policy but observability into the control plane itself. Organisations that can show where identity signals are processed, stored, and relayed will be better positioned to defend both privacy assessments and remote-access architecture decisions.
Data sovereignty is becoming a control objective, not a legal afterthought. As more environments move to distributed access models, the ability to prove local processing, controlled routing, and auditable access paths will matter as much as authentication strength. That shifts ZTNA selection from a networking choice to a governance decision with identity implications.
For practitioners
- Map jurisdictional data flows Inventory every ZTNA relay, policy decision point, identity integration, and logging destination to determine whether personal data or metadata crosses the EEA.
- Classify identity telemetry as regulated data Treat user identifiers, device posture signals, access logs, and session metadata as personal data during DPIAs and vendor risk reviews.
- Prefer customer-controlled routing paths Choose architectures that let you place controllers and gateways in regions you control, rather than relying on vendor-operated points of presence.
Key takeaways
- Some ZTNA designs can create GDPR exposure by moving identity and session data through infrastructure outside the customer’s jurisdiction.
- The compliance boundary includes metadata, authentication flows, and access logs, not just the encrypted application payload.
- Practitioners should favour access architectures that keep routing, brokering, and logging under customer-controlled regional governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| GDPR | Art.32 | The article centres on security of processing and cross-border transfer risk. |
| NIST CSF 2.0 | PR.AC-4 | ZTNA policy enforcement and access path control map to least-privilege access governance. |
| NIST SP 800-53 Rev 5 | AC-4 | Information flow control is directly implicated by vendor-mediated routing of identity data. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy must cover jurisdiction-sensitive remote access design. |
| NIST Zero Trust (SP 800-207) | The topic is about trust boundaries and controlled access paths in zero trust design. |
Review remote access pathways against access-control policy and verify routing stays within approved boundaries.
Key terms
- Data Sovereignty: Data sovereignty is the requirement that data remain subject to the legal and operational control of the jurisdiction that governs it. In access architecture, it includes where traffic is routed, where metadata is processed, and which entities can inspect or broker the session.
- Zero Trust Network Access: Zero Trust Network Access is a remote access approach that grants application-specific connectivity based on identity and policy rather than broad network access. In practice, the compliance impact depends on where the access control path runs, who operates it, and what telemetry it generates.
- Session Metadata: Session metadata is the contextual information generated while access is being established or maintained, such as user identifiers, device posture, timestamps, and routing details. It can be regulated data under privacy law when it relates to an identifiable person or reveals their behaviour.
- Cross-Border Transfer: A cross-border transfer is the movement of personal data into, through, or under the control of another jurisdiction. For GDPR assessments, transfers can occur even when data is encrypted if routing, brokering, or logging exposes the data to non-EEA infrastructure.
What's in the full article
AppGate's full article covers the architectural detail this post intentionally leaves at a governance level:
- How direct-routed ZTNA is deployed across customer-controlled regions and infrastructure
- The GDPR reasoning behind cross-border transfer risk in routing, metadata, and authentication flows
- How the architecture supports accountability and auditability for regulated access paths
- Why reduced latency and simpler management matter operationally once sovereignty controls are in place
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity. It helps security and identity practitioners strengthen the governance models that underpin access, control, and auditability across modern environments.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org