Zero Trust for Enterprises in 2026 — A Practical Implementation Guide

01. 01. 2026 | 12 min read | CORE SYSTEMS | development

Since November 1, 2025, Czech Act No. 264/2025 Coll. on cybersecurity has been in effect — the Czech transposition of the European NIS2 directive. Thousands of companies that were not previously subject to regulation suddenly have to deal with systematic cybersecurity risk management. Zero Trust Architecture (ZTA) isn’t a buzzword — it’s an architectural approach that directly addresses the requirements of new legislation. This article isn’t about theory. It’s about concrete steps, tools, and Czech realities you need to know to actually implement Zero Trust.

Why Zero Trust and Why Now

Traditional perimeter security — a firewall at the network edge, VPN for remote access, trust in everything inside — is dead. Not because marketing says so, but because reality has changed:

  • Hybrid work — employees work from home, coffee shops, and co-working spaces. The “internal network” as a security boundary has ceased to exist.
  • Cloud-first — applications run in Azure, AWS, GCP. Data is scattered across SaaS services. The perimeter does not exist.
  • Supply chain attacks — SolarWinds, Log4Shell, MOVEit. Attackers do not breach your front door — they come through a trusted supplier.
  • Act 264/2025 Coll. — NUKIB requires access control, network segmentation, monitoring, and incident detection. Zero Trust addresses these requirements systematically.

NIST Special Publication 800-207 puts it plainly: no implicit trust is granted to users or assets based solely on their network location or on who owns the device; every access request is authenticated and authorized on its own, per session, and activity is monitored continuously. The three principles usually quoted alongside it (verify explicitly, use least-privilege access, assume breach) are Microsoft's condensed formulation of the same model rather than NIST's wording.

Czech Legislative Landscape: What You Must Comply With

Act 264/2025 Coll. and implementing decree 408/2025 Coll. on regulated services dramatically expand the scope of regulated entities. Previously, the Cybersecurity Act (181/2014 Coll.) primarily applied to critical infrastructure and public administration information system administrators. Now it covers thousands of companies in both the private and public sector — energy, transport, healthcare, finance, digital infrastructure, manufacturing, food industry, and more.

Key Requirements Relevant to Zero Trust

  • Access control (Section 16) — user identification and authentication, authorization management based on the principle of least privilege, regular review of access rights
  • Network segmentation — separation of critical systems, limitation of lateral movement
  • Detection and monitoring — continuous monitoring of security events, anomaly detection, SIEM/SOC
  • Supply chain management — assessment of supplier security, contractual requirements
  • Incident response — reporting significant incidents to NUKIB on the NIS2 Article 23 cadence that the Act transposes: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report afterwards. Check the implementing decree for the exact thresholds and deadlines that apply to your category of regulated service.

NUKIB actively monitors compliance. The private and public sector regulation departments communicate with regulated entities on a daily basis. If you are a provider of a regulated service under Section 5 of the Act — and the likelihood that you are has increased dramatically — you must act.

5 Pillars of Zero Trust Architecture

Zero Trust is not a product you can buy. It is an architectural approach consisting of five pillars. Each pillar addresses a different layer and together they form a complete security model.

1. Identity as the New Perimeter

In Zero Trust, user (and device) identity is the fundamental security boundary. Not an IP address, not a network segment, but who you are, what device you are on, and in what context you are asking. In practice, this means: a central Identity Provider (Microsoft Entra ID, formerly Azure AD; Okta; Keycloak), MFA on everything (not just on VPN, but on every application), and conditional access policies (access depends on device state, location, and sign-in risk).

2. Device — Device Trust

Verifying the user is not enough. You also need to verify the device they are accessing from. Is it corporate-owned? Is the OS up to date? Is EDR running on it? Is the disk encrypted? Tools like Microsoft Intune, Jamf (for macOS), or CrowdStrike Falcon feed device compliance and health signals into conditional access policies, so a valid password plus MFA from an unmanaged or unhealthy device still ends in a deny.

3. Network — Microsegmentation

Gone is the flat network where every server can see every other server. Microsegmentation limits an attacker’s lateral movement. If they compromise one system, they cannot move freely across the network. In the cloud: NSG / Security Groups, Azure Firewall, AWS VPC with explicit rules. On-premises: Illumio, VMware NSX, or simply VLAN segmentation with firewall rules between segments.

4. Application — ZTNA Instead of VPN

VPN gives access to the entire network once connected. Zero Trust Network Access (ZTNA) gives access to a specific application based on identity, device, and context. Never the entire network. Tools: Cloudflare Access, Zscaler Private Access, Tailscale (WireGuard-based, simple setup, but only as restrictive as the ACLs you write), Microsoft Entra application proxy (formerly Azure AD Application Proxy). For companies with on-premises applications, application proxy or Cloudflare Tunnel is ideal: you publish an internal application through an outbound connector without opening any inbound ports in the firewall.

5. Data — Classification and Protection

Data is what attackers want. Zero Trust requires knowing where data is, how sensitive it is, and who is accessing it. Microsoft Purview (formerly Azure Information Protection) enables document classification and labeling. DLP policies prevent sensitive data leakage. For companies working with personal data (GDPR), data classification is not just a security necessity but also a regulatory one.

5-Phase Implementation Plan for Enterprises

Zero Trust cannot be implemented over a weekend. It is a transformation project spanning 12–18 months. But you can start today — and each phase delivers measurable security improvements.

Phase 1: Assessment and Inventory (months 1–2)

You cannot protect what you do not know. The first step is a complete inventory:

  • Asset discovery — all devices, servers, cloud resources. Tools: Lansweeper, Qualys VMDR, or Azure Arc for hybrid.
  • Identity audit — how many user accounts do you have? How many have MFA? How many have privileged access? How many are orphaned accounts?
  • Data flow mapping — where does sensitive data flow? Between which systems? Over which networks?
  • Gap analysis vs. Act 264/2025 — where are you today vs. what regulation requires.

Quick Win: Identity Audit

  • Export users from AD / Entra ID — how many have MFA enabled? (Target: 100%)
  • List of accounts with Domain Admin / Global Admin — how many are there? (Target: < 5)
  • Last login — how many accounts have been inactive for 90+ days? (Target: 0)
  • Service accounts — how many still use a static password instead of a managed identity (cloud) or a group managed service account (on-premises AD)? (Target: 0)
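The four checks above as one script, added here as an example; it is not part of the original article. It assumes the Microsoft.Graph and ActiveDirectory PowerShell modules are installed, that the account running it holds the Graph scopes listed in the script and can read the on-premises domain, and that the tenant has Entra ID P1 or higher (the signInActivity property is not returned otherwise). Group names, the 90-day threshold and the report layout are assumptions.

```powershell
# Added example, not from the original article: the four "Quick Win" identity metrics.
# Assumes Microsoft.Graph + ActiveDirectory modules, the scopes below, and Entra ID P1
# or higher (signInActivity is not populated on unlicensed tenants).
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All',
                        'RoleManagement.Read.Directory', 'AuditLog.Read.All',
                        'Application.Read.All' -NoWelcome

$cutoff = (Get-Date).AddDays(-90)

# Enabled, internal (non-guest) accounts only; guests deserve their own audit.
$users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, SignInActivity |
    Where-Object { $_.AccountEnabled -and $_.UserType -eq 'Member' }

# 1. MFA coverage. A user is MFA-capable only if a second factor is registered;
#    a password alone does not count. (On large tenants the same data comes faster
#    from Get-MgReportAuthenticationMethodUserRegistrationDetail / IsMfaRegistered.)
$mfaTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'   # SMS/voice: weak, but still a second factor
)
$noMfa = foreach ($u in $users) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    if (-not ($types | Where-Object { $mfaTypes -contains $_ })) { $u.UserPrincipalName }
}

# 2. Global Administrators. Match on the role template ID, not the display name, so a
#    localised portal cannot hide the role. Get-MgDirectoryRole lists only activated
#    assignments; PIM-eligible admins must be counted from PIM separately.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
$globalAdmins = if ($gaRole) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
}

# 3. No interactive or non-interactive sign-in for 90+ days. "Never signed in" counts
#    as stale too; those are usually forgotten provisioning leftovers.
$stale = $users | Where-Object {
    $sa = $_.SignInActivity
    $last = @($sa.LastSignInDateTime, $sa.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    (-not $last) -or ($last -lt $cutoff)
}

# 4a. Cloud "service accounts": app registrations still carrying a client secret.
#     Managed identities have no credential to leak, so they never show up here.
$appsWithSecrets = Get-MgApplication -All -Property DisplayName, AppId, PasswordCredentials |
    Where-Object { $_.PasswordCredentials.Count -gt 0 }

# 4b. On-premises: Domain Admins (recursive) and password-based service accounts.
#     gMSAs are a different object class, so Get-ADUser excludes them by itself; any
#     ordinary user object that holds an SPN is a password-based service account.
Import-Module ActiveDirectory
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$adServiceAccounts = Get-ADUser -Filter 'Enabled -eq $true -and ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet

[pscustomobject]@{
    EnabledUsers                = @($users).Count
    UsersWithoutMfa             = @($noMfa).Count             # target: 0
    GlobalAdmins                = @($globalAdmins).Count      # target: < 5 (break-glass included)
    InactiveOver90Days          = @($stale).Count             # target: 0
    AppsWithClientSecrets       = @($appsWithSecrets).Count   # target: 0
    DomainAdmins                = @($domainAdmins).Count      # target: 3-5
    AdServiceAccountsWithPasswd = @($adServiceAccounts).Count # target: 0 (migrate to gMSA)
}
```

The per-user authentication-method call is slow on tenants with thousands of users; the registration-details report mentioned in the comment gives the same answer in one request. Keep the raw lists ($noMfa, $stale, $appsWithSecrets), not just the counts: they are the work queue for Phase 2.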

Phase 2: Identity and MFA (months 2–4)

The fastest ROI in the entire Zero Trust programme. Microsoft's own telemetry puts MFA at blocking more than 99.9% of automated account-compromise attacks. What it does not stop is adversary-in-the-middle phishing of push approvals and one-time codes, which is why the privileged accounts below need phishing-resistant methods. Steps:

  • IdP consolidation — one Identity Provider for everything. Microsoft Entra ID (formerly Azure AD) is the most common choice given Microsoft's dominance in enterprise. Alternative: Okta, or self-hosted Keycloak for those who want control.
  • MFA everywhere — not just for admins. For all users, on all applications. Phishing-resistant MFA (FIDO2 keys, Passkeys) for privileged accounts.
  • Conditional Access — block access from unknown devices, unusual locations, outside working hours (where applicable).
  • SSO — Single Sign-On for all SaaS applications. Eliminates password fatigue and shadow IT.
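The "MFA everywhere" and "Conditional Access" steps above expressed as three Conditional Access policies, created in report-only mode through Microsoft Graph PowerShell. This is an added example, not code from the article, and it assumes Entra ID P1, the Microsoft.Graph module, that Security Defaults are switched off (the two are mutually exclusive), and that you replace the placeholder break-glass object ID with your real emergency-access accounts. The policy names are assumptions; the role template ID and the authentication-strength ID are Microsoft's built-in values.

```powershell
# Added example, not from the original article: baseline Conditional Access policies
# in report-only mode. Requires Entra ID P1 and Security Defaults turned off.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# ASSUMPTION: object IDs of your emergency-access accounts. Never leave them inside a
# policy that could lock every admin out at once.
$breakGlass = @('00000000-0000-0000-0000-000000000000')

$globalAdminTemplateId     = '62e90394-69f5-4237-9190-012177145e10'  # built-in Global Administrator role
$phishingResistantStrength = '00000000-0000-0000-0000-000000000004'  # built-in "Phishing-resistant MFA" strength

$policies = @(
    @{
        displayName = 'ZT-01 Require MFA for all users'
        state       = 'enabledForReportingButNotEnforced'   # watch the sign-in log first, then 'enabled'
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        # Legacy protocols (basic-auth IMAP/POP/SMTP, ActiveSync) cannot do MFA at all,
        # so the only safe grant is "block". Report-only shows which printers/scanners
        # and old mail clients would break before you flip it on.
        displayName = 'ZT-02 Block legacy authentication'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        # Admin roles get an authentication strength instead of plain "mfa": only FIDO2,
        # Windows Hello for Business and certificate-based auth satisfy it.
        displayName = 'ZT-03 Phishing-resistant MFA for Global Administrators'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeRoles = @($globalAdminTemplateId); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $phishingResistantStrength } }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0} -> {1} ({2})' -f $created.DisplayName, $created.Id, $created.State
}
```

Leave the policies in report-only for a week and read the "Report-only" tab of the sign-in log: every user who would have been blocked by ZT-02 is a device or mailbox that needs a modern-auth or OAuth-capable replacement first. Switch to `state = 'enabled'` one policy at a time, ZT-03 first, because the admin population is small and the blast radius of a mistake is easy to see.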

Phase 3: Network Segmentation and ZTNA (months 4–8)

This is the most demanding phase because it touches the network infrastructure. Proceed iteratively:

  • Start with cloud workloads — NSG in Azure, Security Groups in AWS. Explicit allow-list instead of default-allow. Each workload only has access to what it needs. Azure's default NSG rules permit all traffic inside a VNet, so your allow-list only becomes one once you add an explicit deny below the allows; AWS security groups are deny-by-default, but watch for self-referencing allow-all rules.
  • ZTNA for remote access — replace VPN with Cloudflare Access or Zscaler ZPA. For smaller companies, Tailscale: a WireGuard mesh, minimal config, works behind NAT. Write its ACLs per application and per group; a mesh with the default allow-all policy is the flat VPN all over again.
  • On-premises segmentation — separate OT/IoT networks from IT. Production servers from development. Access via jump servers with logging (Apache Guacamole is open-source and free).
  • DNS filtering — Cloudflare Gateway or Cisco Umbrella. Blocks C2 communication and malware domains. Deployable in an hour.
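The "start with cloud workloads" step above, shown for Azure with Az PowerShell. This is an added example and not the article's own code; the resource group, region, VNet, subnet, address prefix, NIC and tier names are assumptions, and the script assumes an authenticated Az session (Connect-AzAccount) with the Az.Network module. The point it demonstrates is the explicit deny that turns a list of allow rules into a real allow-list.

```powershell
# Added example, not from the original article: allow-list segmentation of a DB tier.
# ASSUMED names: rg-prod-segmentation, germanywestcentral, vnet-prod, snet-db, nic-sql01.
$rg  = 'rg-prod-segmentation'
$loc = 'germanywestcentral'

# Application security groups let rules say "the app tier" instead of listing IPs,
# so the allow-list survives VM churn and autoscaling.
$asgApp = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-app' -Location $loc
$asgDb  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-db'  -Location $loc

$dbRules = @(
    # Only the app tier may reach SQL Server, and only on 1433.
    New-AzNetworkSecurityRuleConfig -Name 'allow-app-to-sql' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceApplicationSecurityGroup $asgApp -SourcePortRange '*' `
        -DestinationApplicationSecurityGroup $asgDb -DestinationPortRange 1433
    # Admin access only from the jump-host subnet (assumed prefix), not from the whole VNet.
    New-AzNetworkSecurityRuleConfig -Name 'allow-jump-to-rdp' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix '10.10.250.0/24' -SourcePortRange '*' `
        -DestinationApplicationSecurityGroup $asgDb -DestinationPortRange 3389
    # Without this rule the built-in AllowVnetInBound (priority 65000) lets every VM in
    # the VNet reach the DB tier, and the two allows above change nothing.
    New-AzNetworkSecurityRuleConfig -Name 'deny-vnet-inbound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'
)
$nsgDb = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-db' -Location $loc -SecurityRules $dbRules

# Attach the NSG to the DB subnet and put the SQL NIC into the DB tier ASG.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-prod'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-db' `
    -AddressPrefix '10.10.20.0/24' -NetworkSecurityGroup $nsgDb | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-db'

$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'nic-sql01'
Set-AzNetworkInterfaceIpConfig -NetworkInterface $nic -Name $nic.IpConfigurations[0].Name `
    -Subnet $subnet -ApplicationSecurityGroup $asgDb | Set-AzNetworkInterface | Out-Null

# Verify what the NIC actually enforces: defaults plus yours, in priority order.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName 'nic-sql01' |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange -AutoSize
```

The effective-rules listing is the check to keep: if `deny-vnet-inbound` does not appear above `AllowVnetInBound`, the segment is still flat. The same logic applies outbound (the built-in `AllowVnetOutBound` rule), which matters for the DB tier because a compromised SQL host should not be able to open connections to the client VLAN.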

Phase 4: Monitoring and Detection (months 6–12)

“Assume breach” means you need to see what is happening. Not a week later in the logs, but in real time.

  • SIEM — Microsoft Sentinel (cloud-native, M365 integration), Elastic SIEM (self-hosted, open-source core), or Wazuh (open-source, active community).
  • EDR on endpoints — Microsoft Defender for Endpoint (included in M365 E5), CrowdStrike Falcon, SentinelOne. You must have visibility into what is happening on workstations.
  • Log aggregation — centralized log collection from AD, firewalls, applications, cloud platforms. Retention of at least 12 months; confirm the exact minimum and which log types it covers in the implementing decree before sizing storage, and make the store append-only so an intruder cannot prune their own tracks.
  • SOC — if you do not have the capacity for your own SOC, outsource it. Several MSSPs (Managed Security Service Providers) operate in the Czech Republic with local support and legislative expertise.

Quick Win: Basic Detection in One Day

  • Check that the unified audit log is on in Microsoft 365 (included from Business Premium and E3 upward; newer tenants have it on by default, but older tenants and tenants where someone switched it off still exist)
  • Use the Entra sign-in logs (on by default, but retained only 7 days without a premium licence and 30 days with P1/P2, so ship them to your SIEM) and the Risky sign-ins report (full risk detections require Entra ID P2)
  • Set up alerts for: sign-in from a new country, brute force attempts, new Global Admin
  • Connect to a Teams/Slack channel for security alerting
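The three alert rules from the list above, implemented over the shape of Entra sign-in and directory-audit records. This is an added example and not code from the article. The sign-in and audit events at the top are constructed to mirror what Get-MgAuditLogSignIn and Get-MgAuditLogDirectoryAudit return; the list of "known" countries, the brute-force threshold and the Teams webhook URL (read from an environment variable) are assumptions.

```powershell
# Added example, not from the original article: one-day detection rules over sign-in
# and directory-audit events. The $signIns / $auditEvents below are CONSTRUCTED samples.

# --- constructed sample data --------------------------------------------------------
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = 'jana.novakova@example.cz'; CreatedDateTime = [datetime]'2026-01-05T07:55:00Z'
                       IpAddress = '203.0.113.10'; Location = @{ CountryOrRegion = 'CZ' }; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'jana.novakova@example.cz'; CreatedDateTime = [datetime]'2026-01-05T08:10:00Z'
                       IpAddress = '198.51.100.7';  Location = @{ CountryOrRegion = 'NG' }; Status = @{ ErrorCode = 0 } }
)
# 12 wrong-password attempts (AADSTS50126) against one account in six minutes.
$signIns += 1..12 | ForEach-Object {
    [pscustomobject]@{ UserPrincipalName = 'petr.svoboda@example.cz'
                       CreatedDateTime = ([datetime]'2026-01-05T09:00:00Z').AddSeconds($_ * 30)
                       IpAddress = '198.51.100.99'; Location = @{ CountryOrRegion = 'US' }; Status = @{ ErrorCode = 50126 } }
}
$auditEvents = @(
    [pscustomobject]@{
        ActivityDisplayName = 'Add member to role'; ActivityDateTime = [datetime]'2026-01-05T09:30:00Z'
        InitiatedBy     = @{ User = @{ UserPrincipalName = 'admin@example.cz' } }
        TargetResources = @(
            [pscustomobject]@{ UserPrincipalName = 'petr.svoboda@example.cz'
                               ModifiedProperties = @([pscustomobject]@{ DisplayName = 'Role.DisplayName'; NewValue = '"Global Administrator"' }) }
        )
    }
)
# Live data instead of the samples (AuditLog.Read.All; risk detections additionally need P2):
#   $since       = (Get-Date).AddHours(-24).ToUniversalTime().ToString('o')
#   $signIns     = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"
#   $auditEvents = Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since and activityDisplayName eq 'Add member to role'"

# --- rules ----------------------------------------------------------------------------
$knownCountries = @('CZ', 'SK', 'DE', 'AT')   # ASSUMPTION: where your workforce normally signs in from

function Find-NewCountrySignIn($events) {
    $events | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -notin $knownCountries } |
        ForEach-Object { "New-country sign-in: $($_.UserPrincipalName) from $($_.Location.CountryOrRegion) ($($_.IpAddress)) at $($_.CreatedDateTime.ToString('u'))" }
}

function Find-BruteForce($events, [int]$threshold = 10, [int]$windowMinutes = 10) {
    # Sliding window: any $threshold failures for one account inside $windowMinutes.
    $events | Where-Object { $_.Status.ErrorCode -eq 50126 } | Group-Object UserPrincipalName | ForEach-Object {
        $sorted = $_.Group | Sort-Object CreatedDateTime
        for ($i = 0; $i + $threshold - 1 -lt $sorted.Count; $i++) {
            if (($sorted[$i + $threshold - 1].CreatedDateTime - $sorted[$i].CreatedDateTime).TotalMinutes -le $windowMinutes) {
                "Brute force: $($_.Name), $($sorted.Count) failed logons, window starting $($sorted[$i].CreatedDateTime.ToString('u')) from $($sorted[$i].IpAddress)"
                break
            }
        }
    }
}

function Find-NewGlobalAdmin($events) {
    $events | Where-Object { $_.ActivityDisplayName -eq 'Add member to role' } | ForEach-Object {
        $role = ($_.TargetResources | ForEach-Object { $_.ModifiedProperties } |
                 Where-Object { $_.DisplayName -eq 'Role.DisplayName' }).NewValue -replace '"', ''
        if ($role -eq 'Global Administrator') {
            "New Global Admin: $($_.TargetResources[0].UserPrincipalName) added by $($_.InitiatedBy.User.UserPrincipalName) at $($_.ActivityDateTime.ToString('u'))"
        }
    }
}

$findings = @(Find-NewCountrySignIn $signIns) + @(Find-BruteForce $signIns) + @(Find-NewGlobalAdmin $auditEvents)

# --- alerting -------------------------------------------------------------------------
# ASSUMPTION: an incoming-webhook / Workflows URL for your security channel that accepts {"text": "..."}.
$webhook = $env:TEAMS_WEBHOOK_URL
if ($findings.Count -gt 0) {
    $text = ($findings | ForEach-Object { "- $_" }) -join "`n"
    if ($webhook) {
        Invoke-RestMethod -Method Post -Uri $webhook -ContentType 'application/json' -Body (@{ text = $text } | ConvertTo-Json)
    } else {
        Write-Output $text
    }
}
```

Run against the constructed data it emits three findings, one per rule. The "new country" rule is a baseline, not risk scoring: it will fire on the first business trip, so pair it with the Risky sign-ins report rather than replacing it. Schedule the script hourly; the alerting-on-role-change rule is the one that should page someone, because a new Global Administrator outside a change window is rarely benign.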

Phase 5: Continuous Improvement (month 12+)

Zero Trust is not a project with an end date. It is an operational model that continuously evolves:

  • Regular penetration tests — at least once a year, ideally quarterly for critical systems
  • Red team / purple team exercises — verify that detection works against real TTPs
  • Access rights review — quarterly review, automated access certification
  • Threat intelligence — Czech sources: NUKIB warnings, GovCERT.CZ, CSIRT.CZ
  • Tabletop exercises — incident simulations with management, testing the incident response plan

Tools: What Works in the Czech Environment

The Czech market has specifics: Microsoft ecosystem dominance in enterprise, growing cloud adoption (primarily Azure), and a strong on-premises tradition in manufacturing and public administration. Here are the tools we see working in practice.

Area          | Enterprise (500+ employees)                  | Mid-market (50–500 employees)
--------------|----------------------------------------------|------------------------------------------------
Identity      | Microsoft Entra ID P2, Okta                  | Microsoft Entra ID P1, Keycloak (self-hosted)
MFA           | FIDO2 (YubiKey), Microsoft Authenticator     | Microsoft Authenticator, Google Authenticator
ZTNA          | Zscaler ZPA, Cloudflare Access               | Tailscale, Cloudflare Tunnel (free tier)
Segmentation  | Illumio, VMware NSX, Azure Firewall          | NSG/Security Groups, pfSense, VLAN
EDR           | CrowdStrike Falcon, MS Defender for Endpoint | MS Defender for Business, Wazuh (OSS)
SIEM          | Microsoft Sentinel, Splunk, Elastic          | Wazuh, Elastic SIEM (self-hosted)
PAM           | CyberArk, BeyondTrust                        | Microsoft Entra PIM, JumpCloud
DNS Security  | Cloudflare Gateway, Cisco Umbrella           | Cloudflare Gateway (free), NextDNS

Cost estimate for a mid-market company (200 employees): Microsoft 365 Business Premium (22 USD/user/month, capped at 300 users per tenant) includes Entra ID P1, Intune, Defender for Business, and Conditional Access. For approximately 4,400 USD per month you have the foundations of the first three pillars covered. Add Cloudflare Zero Trust (free tier up to 50 users, approximately 7 USD/user/month above that) and Wazuh (free, self-hosted). Total: under 6,000 USD/month for a solid Zero Trust foundation. That is less than the cost of a single ransomware incident (average in the Czech Republic: 2–5 million CZK according to insurance data).

Most Common Mistakes Companies Make

“We have MFA — on VPN”

MFA only on VPN and nowhere else is like locking the front door and leaving the window open. An attacker does not need your VPN: they phish Microsoft 365 credentials and walk straight into mail, SharePoint and Teams. MFA must be on every access point: M365, ERP, internal applications, admin consoles, SSH.

“A flat network has worked for us for 20 years”

A flat network where the ERP server can see the printer, which can see the SCADA system, is a nightmare. Ransomware spreads within minutes. Segmentation is not a luxury — it is a requirement of Act 264/2025 and basic hygiene. Start at least by separating IT from OT and servers from client workstations.

“We will buy a product and have Zero Trust”

No vendor delivers Zero Trust in a box. It is an architectural approach requiring changes to processes, policies, and mindset. You buy Zscaler, but if you do not configure it properly and do not change access policies, you just have an expensive proxy.

“Compliance = security”

Meeting the minimum requirements of the law does not mean being secure. Compliance is the floor, not the ceiling. Companies that tick off the NUKIB checklist and stop will be surprised during the first real incident. Zero Trust is a journey, not a destination — continuous improvement is part of the model.

Example: Manufacturing Company, 300 Employees, Moravian-Silesian Region

A typical client we encounter. A manufacturing company, mix of on-premises and cloud, Windows domain, M365 E3, several legacy applications, ERP on SQL Server, OT network with PLC and SCADA. Newly falls under Act 264/2025 as a provider of a regulated service in the manufacturing sector.

Starting state:

  • VPN with password (no MFA) for remote access
  • Flat network — IT, OT, servers, client workstations in the same segment
  • Domain Admin accounts: 12 (should be 3–5)
  • No SIEM, logs only on individual servers
  • Antivirus on workstations, no EDR
  • No data classification

After 6 months of implementation:

  • Microsoft Entra ID with Conditional Access, MFA on everything (Microsoft Authenticator)
  • Intune for device compliance — only managed devices have access to corporate data
  • VPN replaced by Cloudflare Tunnel for access to internal applications
  • Network divided into 4 segments: client workstations, servers, OT/SCADA, DMZ
  • Domain Admin accounts: 3 (+ Microsoft Entra PIM for just-in-time elevation of Entra roles; note that PIM requires Entra ID P2, which Business Premium does not include, and it does not govern on-premises Domain Admin membership)
  • Wazuh as SIEM, centralized log collection, alerting to Teams
  • Defender for Business on all workstations
  • Incident response plan tested with tabletop exercise

Costs: approximately 180,000 CZK/month (M365 Business Premium + Cloudflare + internal labour). Business Premium is capped at 300 users, so this company sits exactly at the limit; growth beyond it means E3/E5 licensing. Result: full compliance with Act 264/2025, 99.8% MFA coverage, mean time to detect (MTTD) from “we don’t measure” to 4 hours. And most importantly: the CISO can sleep soundly.

5 Things You Can Do Tomorrow

Do not wait for a big project. These steps will improve your security immediately and require no budget or management approval:

  1. Enable MFA on all admin accounts — Azure AD, M365, AWS root, GitHub, everything. Today. Now. It takes 15 minutes.
  2. Audit privileged accounts — who has Domain Admin? Global Admin? Root? How many are there? Remove it from everyone who does not need it daily.
  3. Enable Security Defaults in Microsoft Entra ID — if you do not have Conditional Access (requires P1), Security Defaults is free: it requires MFA registration for everyone, enforces MFA for administrators and for risky sign-ins, and blocks legacy authentication. The two are mutually exclusive: a tenant with Conditional Access policies cannot turn Security Defaults on, and vice versa.
  4. Activate the Unified Audit Log in M365 — Microsoft Purview portal -> Audit (the old Compliance Center path). One click. Without it, you do not know what is happening in your tenant.
  5. Set up DNS filtering — Cloudflare Gateway (part of Cloudflare Zero Trust, formerly branded “1.1.1.1 for Teams”), free tier. Point the router's upstream DNS at your Gateway resolver and block outbound DNS and DNS-over-HTTPS to anything else, otherwise devices simply bypass it. Blocks known-bad domains, C2, malware. If creating an account is one step too many today, Cloudflare's public 1.1.1.2 / 1.0.0.2 resolvers already block known malware domains.
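Steps 3 and 4 above done and verified from PowerShell, as an added example that is not part of the article. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and an account holding the listed Graph scope plus the Exchange Online audit-log role; it only enables Security Defaults when the tenant has no Conditional Access policies, because the two settings cannot coexist.

```powershell
# Added example, not from the original article: enable and verify Security Defaults
# and the unified audit log. Assumes Microsoft.Graph + ExchangeOnlineManagement modules.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Security Defaults and Conditional Access are mutually exclusive, so check first.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
if ($caPolicies.Count -eq 0) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    "Security Defaults enabled: $($sd.IsEnabled)"
} else {
    "Tenant already has $($caPolicies.Count) Conditional Access policies; enforce MFA and block legacy auth there, not via Security Defaults."
}

# Unified audit log lives in Exchange Online PowerShell, not Graph.
Connect-ExchangeOnline -ShowBanner:$false
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
"Unified audit log ingestion enabled: $((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)"

# Prove it is recording: pull the most recent events. New events can take up to an
# hour to appear, so an empty result right after enabling is expected.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5 |
    Select-Object CreationDate, UserIds, Operations
```

If the first branch reports existing Conditional Access policies, the equivalent of Security Defaults is a pair of policies (require MFA for all users, block legacy authentication) in that tenant's Conditional Access; Security Defaults will refuse to turn on until those policies are deleted, and deleting them to get a weaker control is the wrong direction.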

Conclusion: Zero Trust Is Not a Choice, It Is a Necessity

Act 264/2025 Coll. is not a scare tactic — it is an opportunity. An opportunity to finally approach security systematically, not reactively. Zero Trust Architecture provides a framework that directly maps to regulatory requirements while actually protecting your company.

You do not have to implement all 5 pillars at once. Start with identity — MFA, Conditional Access, audit of privileged accounts. That is 80% of security for 20% of the effort. Then gradually add segmentation, ZTNA, monitoring, and data protection.

The key is to start. Not next month, not after budget approval for Q3. Today. The 5 steps above will take you an afternoon and will dramatically improve your security posture. The rest is iteration — and that is what we are here for.
