Zero Trust for SMEs: Still the fancy North Star, or already a cybersecurity must-have?

Nicolas Inzelman

CEO & Founder | Infinitas Security

May 11, 2026

Zero Trust has been a familiar term in cybersecurity for years. Even so, it often remains unclear what it actually means in practice. For some, it is a buzzword. For others, it is a strategic end state. And for others still, it is a technical solution that can simply be bought from the right vendor.

For mid-sized companies, that lack of clarity is not very helpful. In practice, the real question is not whether Zero Trust sounds good, but what role it should actually play today. That is the core question of this article: Is Zero Trust still the fancy North Star, or has it already become a cybersecurity must-have?

Along the way, we will answer three practical questions:

  • What does Zero Trust mean in practice in 2026?
  • What is the advantage of SMEs in Zero Trust adoption?
  • What next steps should SMEs take?

To answer that, it helps to first look at why the discussion around Zero Trust feels different today than it did a few years ago.

Why the question looks different today than it did a few years ago

A few years ago, Zero Trust was often discussed as a long-term target state, especially in large organizations with complex infrastructures. That was not entirely wrong. After all, the full implementation of a holistic Zero Trust architecture is genuinely demanding and involves far more than a single technical measure.

What has changed, however, is the starting point inside companies. The classic assumption that what is “inside” a clearly defined network is inherently more trustworthy than what is “outside” no longer reflects reality in many environments. Employees access company resources from different locations, applications move to the cloud, service providers need access to systems, data lives in different places, and identities have become one of the most attractive entry points for attackers.

At the same time, the technical conditions for implementing Zero Trust have also evolved. The more context can be brought into access decisions, the more powerful Zero Trust becomes. This is exactly where AI is becoming increasingly relevant. It can help correlate and interpret signals across identities, networks, endpoints, applications and data far more effectively than traditional rule-based approaches alone. That makes context-based and risk-based decisions more scalable, more dynamic and, in many environments, more practical to implement.

That does not mean every SME now has to implement a fully mature Zero Trust target state immediately. It does mean that the underlying question has become more important: On what basis is trust being granted inside the company? Is access still being given too broadly? Are users, devices and third parties being assessed with enough context? And is trust for sensitive access being continuously validated, or are companies still relying too heavily on one-time permissions and outdated perimeter assumptions?

This is where the way we think about Zero Trust begins to shift. The term may have been heavily hyped in recent years. But that does not make the underlying need any smaller. If anything, it has grown. In many companies today, Zero Trust matters less because it is a fashionable topic and more because the reality of modern IT, modern attacks and increasingly context-driven security decisions demands the principles behind it.

What Zero Trust is today, and what it still is not

To answer the main question properly, it is worth taking one step back: What do we actually mean by Zero Trust?

The key distinction in this article is this: Zero Trust describes both a target state and a way of working.

As a way of working, Zero Trust is a security approach based on the assumption that no entity, inside or outside the corporate network, should be trusted by default. Trust is not granted once and then kept indefinitely. Instead, it has to be revalidated for access requests and security-relevant actions based on context, risk, and necessity. The relevant questions are straightforward:

  • Who is requesting access?
  • From which device?
  • To which resource?
  • In what context?
  • At what risk level?
  • And is the scope of access actually necessary?

As a target state, Zero Trust describes a modern security architecture in which this way of thinking is embedded across identities, endpoints, networks, cloud services, applications, data, and physical infrastructure.

That dual role matters, because it explains why Zero Trust can still be a North Star while its core principles have already become a must-have. A complete, highly mature, end-to-end implementation remains a strategic target state for many companies. But the underlying logic should no longer be treated as optional.

What Zero Trust is

Zero Trust is a mindset and a framework for security decisions. It is about reducing trust assumptions, shrinking the attack surface, and limiting the damage if access is misused.

It is also not limited to security benefits alone. When implemented well, it can support the core business. Modern access models allow employees, service providers, and partners to access the resources they actually need in a safer and often more user-friendly way. That can be a major advantage for SMEs, because security is then no longer perceived purely as friction, but as an enabler of flexible work and clear responsibilities.

What Zero Trust includes

Zero Trust is not one specific technology or a small fixed list of controls. A wide range of cybersecurity measures can contribute to a Zero Trust strategy, as long as they follow the underlying logic. That includes visibility into assets, data, and identities, centralized identity and access control, strong authentication, context- and risk-based access decisions, network segmentation, device posture checks, monitoring of access and security events, and governance, policies, and awareness.

At first glance, that may seem discouraging because it shows that Zero Trust is not a neatly packaged product you can simply buy and finish. On second glance, that is actually good news, especially for SMEs. It means Zero Trust does not suddenly create a completely new set of obligations. Many security measures that companies should be implementing anyway already contribute to Zero Trust, provided they are prioritized properly and considered in the right context.

On top of that, many Zero Trust principles are now built natively into modern IT and security tools. Capabilities such as MFA, conditional access, device compliance, centralized identity controls, and context-based access decisions are often no longer introduced as separate “Zero Trust projects.” They are already part of modern platforms and architectures.

What Zero Trust is not

It is just as important to define what Zero Trust is not, because this is where many misunderstandings still come from.

Zero Trust is not a single technical solution, even though various solutions can make an important contribution. It is not a fixed checklist of measures that should look the same in every company. It is not a one-time activity that ends when a project closes, and it is not a topic that can be handled by CISOs, IT leaders, or security officers alone. It affects processes, business units, responsibilities, and the core business itself.

It is also not a completely new idea. Many established security measures have always followed the same basic logic of not granting unlimited trust. What is new is that modern ways of working and modern IT make that logic far more visible and necessary. And finally, Zero Trust is not about distrusting people. It is not about denying trust to employees or partners in general. It is about not granting indefinite, context-free access to sensitive resources.

Why Zero Trust matters specifically for SMEs

When Zero Trust is discussed, it is often seen as something primarily relevant to large enterprises with huge security teams. In our view, that misses the point. Zero Trust is highly relevant for SMEs, often precisely because resources are limited.

SMEs do not need a theoretically perfect security architecture. They need a robust model that helps them make the right decisions with limited budgets. That is exactly what Zero Trust can offer.

Many attacks today do not rely on highly sophisticated vulnerabilities. They rely on stolen identities, abused permissions, or overly broad access. If access is validated more consistently and permissions are granted more restrictively, attackers have a much harder time moving through the environment unnoticed. At the same time, Zero Trust is not only about preventing attacks. It is also about limiting their impact. If users, devices, and applications do not automatically have access to everything, the chances of an incident spreading uncontrollably are reduced.

A Zero Trust approach also forces companies to define more clearly who should have access to what, why that access is needed, and under which conditions it should be allowed. That creates not only more security, but often more structure and transparency as well. This benefits not only security teams. Business units, IT teams, and management gain a clearer understanding of which systems and data are truly critical and where trust assumptions have become too broad.

It also scales better over time. SMEs grow, change their IT landscapes, onboard new providers, and adopt new applications. A security model built mainly around isolated perimeter controls often scales worse than expected. Zero Trust provides a framework because decisions can be aligned more consistently with identity, context, and protection needs.

The user experience matters too. Security and usability are often treated as opposites. In practice, that is only partly true. A modern Zero Trust approach can help make access more targeted and more understandable for end users. People who need access should get it securely and with as little friction as possible, but only to the extent that is actually required.

Why SMEs may even have an advantage

Zero Trust is easiest to build on a greenfield. Startups naturally have an advantage there. SMEs are rarely greenfield organizations, but compared to large enterprises they often have one important structural benefit: less complexity.

Of course, mid-market IT environments should not be underestimated. Even so, dependencies, legacy systems, exceptions, and historically grown permission models are often more manageable than they are in large organizations. That makes prioritization, standardization, and step-by-step implementation easier. In that sense, Zero Trust is by no means an enterprise luxury for SMEs. Companies that start earlier and take a pragmatic approach can often move much more efficiently.

Which Zero Trust building blocks are no longer optional for many SMEs

Not every SME needs immediate microsegmentation in every corner, highly automated policy engines, or a full replacement of existing access architectures. Even so, there are some building blocks where the debate over “nice to have” is increasingly coming to an end.

Visibility into assets, applications, data, and identities is the foundation. If you do not know what needs protection and what is most critical to the business, you cannot make clean, context-based access decisions. For SMEs, that does not mean building a perfect asset management capability overnight. A structured inventory of key systems, data sets, user groups, and external access paths is often already a meaningful first step.

Strong identity and access management is equally central. Identities are one of the most important control points in modern IT. A central identity provider helps manage permissions more consistently, onboard and offboard users cleanly, protect administrative access more effectively, and enforce policies centrally. This should be complemented by MFA, which has become a baseline requirement in many environments. In practice, a single authentication factor is too often no longer enough to justify trust in an access request.

The condition of the device also matters. Is the device managed? Is it encrypted? Is it patched? Are security controls active? Not every SME needs a highly sophisticated device posture concept right away. But the logic is essential: not every device should receive the same level of access just because a username and password are known.

Network segmentation and least privilege also belong to the fundamentals. Flat networks and broad permissions do not fit well with Zero Trust. For SMEs, a solid baseline level of segmentation is already highly valuable. Not every area needs unrestricted communication with every other area, and not every user needs access to everything that is technically reachable.
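The access questions listed earlier (who, which device, which resource, what context, what risk, is the scope necessary) and the building blocks above (central identity with MFA, device posture, least privilege) can be expressed as one per-request policy decision. The following is an added example written for this article, not code from the author or from any product: a toy policy engine in Python that evaluates every request fresh instead of trusting a one-time login. The group names, the sensitivity tiers, the posture thresholds (for instance, 30 days of patch age for high-sensitivity resources) and the risk score are all constructed assumptions; in a real environment the risk score would come from an upstream sign-in risk or anomaly signal.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after a fresh MFA challenge
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset       # groups from the central identity provider
    mfa_verified: bool      # strong authentication completed in this session


@dataclass(frozen=True)
class Device:
    managed: bool           # enrolled in the company's device management
    disk_encrypted: bool
    patch_age_days: int     # days since the last security update was applied
    edr_active: bool        # endpoint protection running and reporting


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str        # "low", "medium" or "high" (assumed tiers)
    entitlements: dict      # group -> frozenset of actions that group actually needs


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    resource: Resource
    action: str
    risk_score: int         # 0..100, assumed to come from an upstream risk signal


def permitted_actions(identity: Identity, resource: Resource) -> frozenset:
    """Least privilege: the union of what the requester's groups are entitled to, nothing more."""
    allowed = set()
    for group in identity.groups:
        allowed |= resource.entitlements.get(group, frozenset())
    return frozenset(allowed)


def device_posture_ok(device: Device, sensitivity: str) -> bool:
    """Higher sensitivity raises the bar a device must clear (assumed thresholds)."""
    if sensitivity == "low":
        return True  # low-sensitivity resources are reachable from any device
    if not (device.managed and device.edr_active):
        return False
    if sensitivity == "high":
        return device.disk_encrypted and device.patch_age_days <= 30
    return True


def decide(req: Request) -> tuple:
    """Evaluate one request; returns (Decision, reason) so the reason can go to the audit log."""
    allowed = permitted_actions(req.identity, req.resource)
    if not allowed:
        return Decision.DENY, "requester has no entitlement on this resource"
    if req.action not in allowed:
        return Decision.DENY, f"action '{req.action}' is outside the requester's scope"
    if not device_posture_ok(req.device, req.resource.sensitivity):
        return Decision.DENY, "device posture below the bar for this sensitivity"
    if req.risk_score >= 80:
        return Decision.DENY, f"risk score {req.risk_score} too high for any access"
    if req.resource.sensitivity in ("medium", "high") and not req.identity.mfa_verified:
        return Decision.STEP_UP, "sensitive resource requires fresh MFA"
    if req.risk_score >= 40 and not req.identity.mfa_verified:
        return Decision.STEP_UP, f"elevated risk score {req.risk_score} requires fresh MFA"
    return Decision.ALLOW, "entitled, compliant device, acceptable risk"


# Constructed sample data for a small demo (not taken from any real environment).
FINANCE_DB = Resource(
    name="finance-db",
    sensitivity="high",
    entitlements={"finance": frozenset({"read", "write"}), "auditors": frozenset({"read"})},
)
COMPLIANT = Device(managed=True, disk_encrypted=True, patch_age_days=7, edr_active=True)
UNMANAGED = Device(managed=False, disk_encrypted=False, patch_age_days=120, edr_active=False)
ALICE = Identity("alice", frozenset({"finance", "all-staff"}), mfa_verified=True)
BOB = Identity("bob", frozenset({"all-staff"}), mfa_verified=False)

if __name__ == "__main__":
    for req in (
        Request(ALICE, COMPLIANT, FINANCE_DB, "write", risk_score=10),
        Request(ALICE, UNMANAGED, FINANCE_DB, "read", risk_score=10),
        Request(BOB, COMPLIANT, FINANCE_DB, "read", risk_score=10),
        Request(ALICE, COMPLIANT, FINANCE_DB, "write", risk_score=90),
    ):
        decision, reason = decide(req)
        print(f"{req.identity.user:6} {req.action:6} {req.resource.name:12} -> {decision.value}: {reason}")
```

The ordering of the checks is the point: entitlement and scope are evaluated before anything else, so a known username and password on its own never reaches a sensitive resource from an unmanaged device, and a high risk score denies even a fully entitled user. Because `decide` runs on every request, trust is revalidated each time rather than kept indefinitely.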

In distributed work environments, it is also worth revisiting how internal applications are accessed. Many companies still rely on traditional VPN structures that have grown over time and often grant broad network access. Zero Trust Network Access can be a useful building block here because access is aligned more closely to identity, device, and the specific application being requested. That does not mean every SME should immediately replace VPN with ZTNA. It does mean the question is now increasingly justified, especially when many users access business-critical applications remotely or when third parties are involved.

Finally, Zero Trust requires visibility and organizational anchoring. That includes log monitoring and incident detection, but also clear security policies, awareness measures, and a conscious approach to controlling external access. Third parties, service providers, and partners are often brought into Zero Trust discussions too late, even though they frequently need access to sensitive systems or data.

The key point is simple: not everything has to happen at once. But some foundations should no longer be treated as optional for many SMEs.

How SMEs can implement Zero Trust pragmatically, without falling into actionism

One of the biggest risks around Zero Trust is actionism. As soon as the term enters the conversation, individual technologies that sound particularly modern are discussed, while the basics are still missing. That is exactly what leads to frustration later, unnecessary costs, and the impression that Zero Trust does not work in practice.

A more sensible approach is to build pragmatically around a clear logic. The first step is not to start with products, but with protection needs and business reality. Which processes are most critical? Which data is truly sensitive? Which user groups, devices, and external access paths create the greatest risk? And where are trust assumptions still too broad today?

From there, a target state should be described in a way that is not detached from the broader cybersecurity strategy. If a strong cyber strategy already exists, Zero Trust should be embedded in it as a guiding principle. If not, Zero Trust can be a useful trigger to define that target state more clearly in the first place.

Sequence matters as well. Without visibility, there is no prioritization. Without an identity foundation, there are no controlled access decisions. Without policies, there is no sustainable implementation. Without monitoring, there is no continuous validation. SMEs often benefit from building a stable foundation first and then deepening it step by step.

Realistic expectation management is equally important. Zero Trust will not transform the entire security posture within a few weeks. Individual quick wins can create value quickly, but the real benefit emerges when measures work together and contribute to a shared target architecture.

Which challenges SMEs still need to overcome

Even though the relevance of Zero Trust has increased, the practical challenges have not disappeared. A common mistake is to dismiss Zero Trust as a pure marketing topic, or to expect a completely new level of security after implementing only a few measures. Both approaches create problems.

Limited budgets, lack of know-how, and siloed departments add to the difficulty. SMEs cannot implement every useful measure at once. That is why prioritization is critical. Companies that treat Zero Trust like an all-in package quickly run into budget issues. Those that start with the biggest risks and the most business-critical access paths can usually proceed much more efficiently.

Know-how is also often missing on two levels, both at the strategic level of understanding Zero Trust and at the technical level of implementing individual measures. External support can be useful here, provided it does not only deliver short-term implementation but also creates lasting knowledge transfer. It is equally important that security is not treated as something separate from day-to-day business, but as part of good corporate management.

Another typical mistake is investing in image-friendly technologies before building the basics. That is often where companies miss what makes Zero Trust powerful in the first place: the interaction between the measures.

Conclusion: A North Star in full maturity, a must-have in its core principles

The answer to the main question is neither clearly black nor white. That is exactly where the key insight lies.

Yes, in its full and holistic form, Zero Trust remains a North Star for many SMEs. It is a target state that companies can orient themselves toward strategically and that is not reached overnight. The architecture, processes, and technical maturity required for it are usually built step by step.

At the same time, Zero Trust in its core principles has become an absolute must-have for all companies. Not necessarily as a label that needs to be written on everything, but as a mindset for managing modern access, identities, devices, data, and third parties in a sensible way.

So the decisive question for SMEs is not whether Zero Trust as a concept is relevant. The real question is which building blocks are feasible in their own environment, economically sensible, and security-effective without creating unnecessary complexity.

Any company that asks that question seriously and derives prioritized, economically sound measures from it is already moving in the right direction. That is the central point here: Zero Trust does not need to be sold in every company as a grand transformation label. But the logic behind it should no longer be missing from any company.

Put differently, as a vision, Zero Trust often remains the North Star. As a core principle, it is already much more than that.

FAQ

What does Zero Trust mean in practice in 2026?


What is the advantage of SMEs in Zero Trust adoption?


What next steps should SMEs take?


How do I know if my company has implemented Zero Trust?


How does AI influence Zero Trust?


Nicolas Inzelman

CEO & Founder | Infinitas Security

CISSP-certified cybersecurity consultant with 6+ years of cybersecurity strategy experience.
