Zscaler Blog


Understanding Zscaler’s Approach to Digital Sovereignty in the Modern Era


The concept of digital sovereignty has risen to the forefront for organizations around the world. But what does sovereignty mean, and why is it so critical now? At its core, sovereignty means the ability to take control of your own digital destiny—from the data you rely on and create, to the hardware and software you use, to how it’s all managed. 

Sovereignty isn’t just about ownership. To safeguard critical information and operations, organizations must thoroughly understand how their data is processed, stored, and logged, and how it may be accessed. This concept can be divided into three essential components:

Data sovereignty refers to the principle that data is governed by the laws and regulations of the country in which it is collected and stored. For example, data collected in a specific jurisdiction may need to remain within that same jurisdiction due to local laws or industry-specific requirements.

Technical sovereignty refers to the control and management of both the digital infrastructure and underlying technologies used to process, store, and transmit data, ensuring they are aligned with governmental regulations. 

Operational sovereignty focuses on transparency and control over provider operations of the cloud service and its infrastructure. In a world increasingly reliant on cloud technology, ensuring operational sovereignty means empowering organizations to maintain control and oversight of cloud infrastructure and operations, hosted locally or by a third party.

Why Sovereignty Is Essential Now

Sovereignty has become a critical focus for organizations due to evolving geopolitical dynamics, rising infrastructure security risks, and the rapid adoption of cloud services. Geopolitical changes and emerging threats now demand greater attention to data protection and cloud service continuity. Simultaneously, risks such as cyberattacks, physical sabotage of infrastructure like undersea cables, and inconsistent global privacy standards further emphasize the need for sovereign protections.

The growing prevalence of cloud-based software, platform, and infrastructure services has also intensified concerns about data location, transparency, and access, making issues like privacy, confidentiality, and control top priorities. Moreover, increasingly stringent local regulations around data collection, processing, and storage necessitate compliance to avoid penalties, protect sensitive information, and build trust with stakeholders.

To address sovereignty demands, organizations need solutions that provide privacy, confidentiality, and control over where data is processed and stored. This means prioritizing data residency, access, and regulatory compliance. Organizations can achieve this through a number of means, such as deploying dedicated cloud infrastructure, implementing geographic restrictions on data, controlling support access, and managing encryption.

Sovereignty by Design: How Zscaler Addresses Digital Sovereignty Today

Zscaler’s federated architecture enables organizations to maintain precise control over their digital operations by allowing customers to choose where they administer policy as well as where they process and store data.

Built on this foundation, Zscaler provides scalable, secure, and compliant solutions that enable organizations to take full control of their data while addressing the challenges of global data regulations. In a previous blog post, Casper Klynge, VP of Government Partnerships, talks about some of the challenges we solve for our European customers. Unlike other SaaS vendors, Zscaler focuses exclusively on handling metadata—contextual information—rather than entire files or emails. This metadata can be stored in a region selected by the customer, ensuring that sensitive data remains confined to designated regions.

Here’s a look at how the Zscaler platform approaches this:

Data plane. Zscaler’s policy enforcement nodes include regional and private service edges. These are categorized into ZIA Private Service Edges, designed for on-premises deployment, and ZPA Private Service Edges, offering flexible deployment across data centers and private or public clouds.

Logging plane. Zscaler offers flexible logging solutions to meet diverse data residency and compliance needs. Our ZIA and ZPA services currently provide pseudonymized local logging through public hub sites for regional or in-country requirements. For dedicated on-premises logging, private infrastructure is available, and sovereign sites cater to specific government use cases. 

Control plane. This is Zscaler’s central authority for policy administration. Support for ZPA’s Private Cloud Controllers and ZIA’s Private Policy Cache enhances business continuity and backup policy enforcement during outages, enabling granular regional policy control. Customers can also temporarily disconnect from the Zscaler global cloud for up to 90 days in emergency situations.

Key management. Key management is essential for ensuring data confidentiality through robust controls. For ZIA, we support Cloud HSM integration, ensuring that certificates generated for TLS inspection are cryptographically secure and signed by the customer’s HSM. This removes the need for customers to issue an intermediate CA to Zscaler for TLS inspection to occur. 

Similarly, customers can bring their second-layer CA to Zscaler, where the customer retains control of the root CA. The intermediate CA, stored in AWS HSM and backed by AWS KMS, provides cryptographic security to the components enrolled in Private Access (such as Client Connectors, App Connectors, and Private Service Edges), while the customer retains full control to revoke certificates. Zscaler also supports end-to-end encryption through the ZPA service using customer PKI (double encryption).

Compliance. With more than 35 global certifications, Zscaler adheres to strict compliance standards like FedRAMP, DoD IL5, C5, ISMAP, and IRAP. In addition, Zscaler has a novel approach to compliance, COCA (Collect Once Certify All), enabling us to support new certifications very quickly using the work already done.

Global data center footprint. Zscaler has more than 160 global data centers, with logging capabilities across four continents. Our sovereign data centers include our FedRAMP authorized GovCloud in the United States and ZSCloud in the EU, alongside thousands of private service edges in customer DCs worldwide. ZSCloud, established a decade ago, offers sandbox, control planes, logging, and data planes entirely based in Europe. This massive global presence enables Zscaler to comply seamlessly with local regulatory requirements.

Strengthening the Future of Digital Sovereignty

Zscaler continues to innovate across our platform to help our customers address their most urgent digital sovereignty challenges. This means delivering enhanced data control, robust privacy safeguards, and solutions that strengthen operational resilience, protect sensitive information, and unlock new opportunities for secure, compliant cloud growth. 

Here are the key areas of the Zscaler platform where we are driving innovation to meet evolving data and compliance needs:

  • Data processing: Zscaler plans to provide certified hardware options for ZIA Private Service Edges, which will enhance deployment flexibility by enabling its datapath to run in customer or partner data centers, addressing evolving operational and compliance needs. Customers will be able to choose the hardware option that fulfills their compliance requirements.
  • Log storage: We’re also planning storage of complete ZIA, ZPA, and ZDX metadata logs within a customer’s specified region, with ZPA logs following a six-month retention policy. Analytics and reports will also be fully stored within the specified region, ensuring customers’ data residency needs are met.
  • Key management: Zscaler is exploring HSM capabilities to ensure customer PKI is stored in the regions where the service operates, including customer-provided HSMs.
  • Policy administration: Zscaler intends to further distribute the control plane with local nodes in data residency regions. Identity and management services, along with policy controls, are intended to survive any disconnect from the broader internet and allow for continuity of services. Zscaler intends to offer these services either through local partners or for customers to host in order to provide full sovereign controls.
  • Content scanning: Advanced local content scanning will include in-region Data Protection CASB scanning and sandbox malware analysis, with secure storage of infected files, supporting in-region content and scanning processes without crossing data residency regions.
  • Localized support: Customers will have the option of dedicated regional technical support tailored to sovereignty requirements, enabling faster and compliance-aligned assistance.
  • Support for national security missions: In some cases, particularly for national security and defense organizations, customers require enhanced sovereign controls to meet even more stringent data handling and compartmentalization requirements. Zscaler continues to collaborate with these customers to develop and implement solutions that meet their specialized needs.

Securing Your Digital Future, Today

In today’s digital landscape, sovereignty is no longer optional—it’s essential. Zscaler delivers comprehensive solutions designed to meet the evolving requirements of data, technical, and operational sovereignty. By combining advanced capabilities like regional data processing, robust control planes, secure key management, and localized compliance, Zscaler empowers organizations to stay compliant, secure, and in control. 

As digital transformation accelerates, Zscaler remains committed to innovating and adapting to meet the sovereignty needs of tomorrow. Are you exploring sovereignty-focused solutions for your organization? Contact Zscaler today and discover how we can support your journey to a secure, compliant, and controlled digital future.

This blog contains forward-looking statements that are based on our management's beliefs and assumptions and on information currently available to our management. The words "believe," "may," "will," "potentially," "estimate," "continue," "anticipate," "intend," "could," "would," "project," "plan," "expect," and similar expressions that convey uncertainty of future events or outcomes are intended to identify forward-looking statements. These forward-looking statements include, but are not limited to, statements concerning: planned product and feature developments related to digital sovereignty; and anticipated benefits including the ability to comply with developing regulatory requirements. These forward-looking statements are subject to the safe harbor provisions created by the Private Securities Litigation Reform Act of 1995. These forward-looking statements are subject to a number of risks, uncertainties and assumptions, and a significant number of factors could cause actual results to differ materially from statements made in this blog, including, but not limited to, security risks and developments or regulatory changes unknown to Zscaler at the time of this blog and the assumptions underlying our predictions regarding the cyber security industry in calendar year 2025.

Risks and uncertainties specific to the Zscaler business are set forth in our most recent Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission (“SEC”) on May 29, 2025, which is available on our website at ir.zscaler.com and on the SEC's website at www.sec.gov. Any forward-looking statements in this blog post are based on the limited information currently available to Zscaler as of the date hereof, which is subject to change, and Zscaler does not undertake to update any forward-looking statements made in this blog, even if new information becomes available in the future, except as required by law.

 


Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.
