Zero Trust as a Location Factor: Secure Networks Draw Investors
Only 19 percent of German companies have fully implemented Zero Trust. Globally, the figure is 63 percent. Germany is lagging behind. But the catch-up race has begun: Siemens has introduced the first Zero-Trust platform for industrial networks, SAP integrates Zero Trust natively into RISE with SAP, and Deutsche Telekom is completely restructuring its network security offerings based on Zero-Trust principles. For the business location, secure infrastructure is becoming an investment argument. International investors are increasingly evaluating cybersecurity maturity as a quality criterion when choosing a location.
TL;DR
- 19 percent fully implemented: German companies lag significantly behind the global average of 63 percent in Zero Trust implementation. However, 56 percent are in the process of implementation (Mittelstand Heute / Gartner 2024).
- Siemens SINEC Secure Connect: The first dedicated Zero-Trust platform for OT networks. Replaces VPNs with identity-based connections. IEC 62443 compliant. Introduced at it-sa 2025.
- 92 percent ROI within 3 years: Forrester study proves payback in less than 6 months and a 50 percent lower data breach risk with Zero-Trust implementation.
- NIS2 effectively mandates Zero-Trust principles: Access control, network segmentation, and continuous authentication are NIS2 requirements. Zero Trust is the architectural approach that fulfills all these simultaneously.
- 72 percent of German companies are increasing their security budgets: The cybersecurity market in Germany is growing to 12.2 billion euros by 2026. Startup funding increased by 878 percent (PwC / Tracxn).
The Implementation Gap: Where Germany Really Stands
The numbers tell two stories at once. Story one: Germany is falling behind. According to an industry-wide survey, only 19 percent of German companies have fully implemented Zero Trust. Globally, the figure is 63 percent, according to Gartner. The Okta State of Zero Trust Study paints an even bleaker picture: In North America, 60 percent of organizations had already started Zero-Trust initiatives by 2022/2023. In EMEA, it was less than 18 percent.
Story two: Germany is catching up – and faster than any other European country. 56 percent of German companies are actively implementing Zero Trust. Two-thirds expect budget increases for Zero Trust over the next two years. And according to Forrester, German companies lead Europe in prioritizing Zero Trust. The gap reflects not disinterest – but pace.
The reason for the delay is structural: Germany’s corporate landscape is dominated by mid-sized firms. 53 percent of German companies cite insufficient budget as their biggest challenge in adopting Zero Trust. Globally, that figure stands at 40 percent. A mid-sized firm with 200 employees and a three-person IT team cannot move at the same speed as a U.S. conglomerate rolling out Microsoft Entra ID with Conditional Access enterprise-wide in three months. But it can adopt the same architecture – phased and pragmatic.
Gartner itself delivers a sobering forecast: By 2026, only 10 percent of large enterprises will have a mature, measurable Zero-Trust program. This shows the challenge isn’t uniquely German – it’s universal. Zero Trust is hard everywhere. But the direction is clear – and Germany is investing.
Sources: Okta State of Zero Trust 2024, OpenKRITIS, MarketsandMarkets
How Siemens Brings Zero Trust to the Factory Floor
The most impressive German Zero-Trust case doesn’t come from IT – but from Operational Technology. At the it-sa Expo 2025 in Nuremberg, Siemens unveiled SINEC Secure Connect: the first dedicated Zero-Trust platform for industrial networks.
What makes SINEC Secure Connect unique: It replaces traditional VPN tunnels – the decades-old standard in industrial environments – with encrypted, identity-based connections. Every machine, sensor, and maintenance technician must authenticate before accessing a specific system. Blanket network access via VPN – where a technician with a VPN connection could theoretically reach any system on the network – is now obsolete.
The platform complies with IEC 62443, the international standard for industrial cybersecurity, and runs on-premises, in the cloud, or hybrid. For plant operators, this means Zero Trust becomes viable even in OT environments previously deemed “too complex” or “too legacy.” Germany’s manufacturing sector – operating machinery fleets often 20 to 30 years old – now has a tool tailored precisely to its unique challenges.
Natalia Oropeza, Global Chief Cybersecurity Officer at Siemens, underscores the urgency: When AI systems begin controlling critical infrastructure, the attack surface shifts fundamentally. A CISO who doesn’t grasp those threats flies blind. The same logic applies to Zero Trust: Connecting factories without securing them according to Zero-Trust principles creates attack surfaces in the physical world – not just the digital one.
SAP and Deutsche Telekom: Zero Trust Becomes Standard Infrastructure
SAP has embedded Zero Trust into its core offering. Since January 2025, Zscaler Private Access is natively integrated into RISE with SAP. For the thousands of companies migrating their SAP landscapes to the cloud, this means Zero Trust is no longer a separate project – it’s standard architecture. VPN-based access to SAP systems gives way to identity-based policies that dynamically decide which user may access which data, based on context.
Deutsche Telekom goes one step further. With “Magenta Security on Net,” T-Systems has offered, since 2025, a network-based SASE solution (Secure Access Service Edge) featuring integrated Zero Trust Network Access. That’s notable because it lifts Zero Trust from the application layer up to the network layer. Companies using T-Systems as their network provider receive Zero Trust essentially as an infrastructure feature – no standalone project, no dedicated budget silo required.
Bosch takes the identity-first path: Through a partnership with CyberArk, Bosch consolidates Identity and Access Management across all cloud environments. Its “Chip to Cloud” security strategy embeds Zero Trust at the hardware level in IoT devices – building security in from the start, not bolting it on later.
For Germany as a business location, this development signals something fundamental: The country’s three largest tech corporations – Siemens for OT, SAP for enterprise IT, and Deutsche Telekom for networking – have made Zero Trust a core component of their products. German companies buying from these providers implement Zero Trust whether they planned to or not. That’s the most effective form of adoption: not mandated by regulation – but preconfigured by technology.
“When AI systems control critical infrastructure, the attack surface shifts fundamentally. A CISO who doesn’t understand those threats flies blind.”
Paraphrased from Natalia Oropeza, Global Chief Cybersecurity Officer, Siemens AG (Help Net Security, December 2025)
Why Investors Are Watching Cybersecurity Maturity
The link between Zero Trust and investor confidence is real – even if it’s not as direct as sometimes claimed. There’s no study proving a direct correlation between Zero-Trust maturity and foreign direct investment. What does exist is growing evidence that cybersecurity maturity is becoming central to due diligence reviews.
According to PwC Digital Trust Insights, 72 percent of German firms plan cybersecurity budget increases. Germany’s cybersecurity market is projected to reach €12.2 billion in 2026, growing annually by 10 percent. And startup funding in Germany’s cybersecurity sector surged 878 percent in 2025, per Tracxn – from $13 million to $114 million across 11 funding rounds.
The signal to international investors is unmistakable: Germany is investing heavily in security. The Made-for-Germany initiative, backed by a total commitment of €735 billion, reinforces that. Combined with NIS2 regulation, a strong industrial base, and a rapidly maturing security ecosystem, Germany is becoming more attractive for tech investment. Zero Trust serves as the architectural proof that Germany doesn’t just regulate security – it implements it.
NIS2 and Zero Trust: The Regulatory Connection
NIS2 doesn’t explicitly mandate “Zero Trust.” But its required measures are de facto Zero-Trust principles: access control based on least privilege, network segmentation, continuous authentication, and multi-factor verification. Implementing Zero Trust automatically satisfies NIS2 requirements in these areas.
In July 2023, the German Federal Office for Information Security (BSI) published a position paper defining three core Zero-Trust principles: First, authenticate every connection. Second, grant no implicit trust. Third, enforce fine-grained segmentation. In October 2025, the BSI joined eight international security agencies to release the MDA Guide (Modern Defensible Architecture), positioning Zero Trust as the cornerstone of modern security architecture. In August 2025, it also published Zero-Trust design principles for LLMs – a guide for securely deploying AI systems.
For the roughly 30,000 companies falling under NIS2, Zero Trust is the most efficient compliance path. Rather than implementing isolated measures – MFA here, segmentation there, monitoring elsewhere – Zero Trust delivers a consistent architecture covering all requirements in a single framework. Upfront effort is higher than a patchwork approach, but long-term cost and sustainability are superior.
What Zero Trust Costs – and Delivers – for SMEs
Precise euro figures for Zero-Trust implementation in SMEs are difficult to pin down – every starting point differs. What’s verifiable: The Forrester Total Economic Impact Study for Microsoft shows 92 percent ROI within three years and payback in under six months. Data breach risk drops by 50 percent. These figures reflect Microsoft customers, but the scale is plausible across industries.
For a mid-sized company with 50-500 employees, a phased approach is recommended. Phase one: Multi-factor authentication across all systems. Cloud-based, costing a few thousand euros annually – and deployable in weeks. Phase two: Consolidate Identity and Access Management – using Entra ID, Okta, or a European provider like Bare.ID. Phase three: Network and micro-segmentation – the highest-impact measure, but also the most resource-intensive. Phase four: Continuous monitoring and security operations, ideally delivered as a managed service.
The key insight: Zero Trust isn’t a product you buy – it’s an architectural decision you make. Each phase delivers independent security value. A company that starts at phase one and never reaches phase four is still significantly better protected than before. Perfection isn’t required – progress is.
The Honest Counterpoint
Zero Trust isn’t a panacea – and implementation is harder than marketing promises suggest. 53 percent of German firms cite insufficient budget as their top challenge. Yet budget is often a proxy for a deeper issue: lack of management-level understanding. If executives view Zero Trust as an “IT project” rather than a foundational architectural decision, it will be underfunded and half-implemented.
Then there’s the legacy challenge: German industrial firms operate machinery fleets 20-30 years old. These machines speak proprietary protocols, lack update mechanisms, and were never designed for a connected world. Implementing Zero Trust in such brownfield environments is fundamentally harder than in greenfield cloud setups. Siemens’ SINEC Secure Connect directly addresses this – but broad adoption across the industrial base will take years.
And there’s a conceptual risk: A half-baked Zero Trust implementation can be worse than none at all. If MFA is deployed but network segmentation is missing – if identities are managed but monitoring fails – a dangerous illusion of security emerges. The organization believes it’s protected – yet it isn’t. The consequence: Either do it right – or consciously decide where to stop and which residual risks to accept.
Four Steps to Zero Trust Entry
1. Consolidate Identities. Before Zero Trust functions, it must be crystal clear who has access to what. An Identity and Access Management system covering all systems – cloud, on-premises, and OT – is the foundation. Without clean, accurate identities, Zero Trust is impossible. First step: inventory all accounts and delete orphaned ones.
2. Enforce MFA Everywhere. Multi-Factor Authentication is the fastest, most cost-effective step with the greatest immediate impact. Prioritize phishing-resistant methods (FIDO2, Passkeys). Accept SMS-based MFA only as a transitional measure. Most cloud platforms offer MFA at no extra cost.
3. Segment the Network. Flat networks are attackers’ greatest gift. Micro-Segmentation isolates systems so a compromised workstation doesn’t automatically gain access to production servers or financial systems. For OT environments: Start with the Purdue Model, enhanced by Siemens SINEC or comparable solutions.
4. Build Continuous Monitoring. Zero Trust means “Never trust, always verify” – which demands constant oversight of every access attempt. A SIEM or XDR system detecting anomalies in real time completes the architecture. For companies without their own security team: Managed SOC services from German providers like DCSO, Telekom Security, or G DATA make professional monitoring accessible to SMEs. Cost: €500-€2,000 monthly.
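One way to turn steps 1 and 2 into a repeatable check, added here as an example and not taken from any vendor or product named in this article: merge account exports from cloud, on-premises and OT systems, flag orphaned and stale accounts, and grade each account by the weakest MFA factor it still accepts. The field names, account records, HR roster and 90-day staleness threshold are constructed assumptions.

```python
from datetime import date

PHISHING_RESISTANT = {"fido2", "passkey"}   # methods step 2 prioritizes
STALE_AFTER_DAYS = 90                       # assumed threshold, set per policy

# Constructed sample data: active staff per HR, plus one account export per environment.
HR_ACTIVE = {"a.becker", "m.yilmaz", "s.klein"}
ACCOUNTS = [
    {"system": "cloud",   "account": "a.becker",      "owner": "a.becker", "last_login": "2025-11-28", "mfa": ["fido2"]},
    {"system": "cloud",   "account": "m.yilmaz",      "owner": "m.yilmaz", "last_login": "2025-11-30", "mfa": ["sms"]},
    {"system": "on-prem", "account": "j.former",      "owner": "j.former", "last_login": "2025-03-02", "mfa": []},
    {"system": "on-prem", "account": "s.klein",       "owner": "s.klein",  "last_login": "2025-06-01", "mfa": ["passkey", "sms"]},
    {"system": "ot",      "account": "svc-historian", "owner": None,       "last_login": "2025-11-29", "mfa": []},
]

def mfa_class(methods):
    """Grade by the weakest enrolled factor: a fallback such as SMS keeps the account phishable."""
    if not methods:
        return "none"
    if set(methods) <= PHISHING_RESISTANT:
        return "phishing-resistant"
    return "transitional"

def audit(accounts, hr_active, today):
    """Return (system, account, issues) for every account that needs work, orphaned ones first."""
    findings = []
    for acc in accounts:
        issues = []
        if acc["owner"] not in hr_active:          # no active person answers for this account
            issues.append("orphaned")
        idle_days = (today - date.fromisoformat(acc["last_login"])).days
        if idle_days > STALE_AFTER_DAYS:
            issues.append("stale")
        grade = mfa_class(acc["mfa"])
        if grade != "phishing-resistant":
            issues.append("mfa:" + grade)
        if issues:
            findings.append((acc["system"], acc["account"], issues))
    # Identity clean-up (step 1) is queued ahead of MFA upgrades (step 2).
    return sorted(findings, key=lambda f: ("orphaned" not in f[2], f[0], f[1]))

if __name__ == "__main__":
    for system, account, issues in audit(ACCOUNTS, HR_ACTIVE, date(2025, 12, 1)):
        print(f"{system:8} {account:14} {', '.join(issues)}")
```

The script only reports; ownerless service accounts such as the constructed OT entry usually need an owner assigned and review before anything is deleted.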
Conclusion
Zero Trust in Germany is no longer just a security concept – it’s becoming a location factor. Siemens, SAP, and Deutsche Telekom have baked Zero Trust into the standard architecture of their products. NIS2 codifies its core principles through regulation. And international investors increasingly weigh cybersecurity maturity as a quality criterion in location decisions. Germany lags in implementation (19 percent vs. 63 percent globally), but its prioritization leads Europe – and investment is accelerating. Those investing in Zero Trust today aren’t just building security – they’re building location attractiveness. In a world of escalating cyberattacks, “Secured in Germany” is the new “Made in Germany.”
Frequently Asked Questions
What does Zero Trust mean for the daily work routine?
Instead of logging in once each morning via VPN and then having blanket access to everything, every individual access request is verified. Laptops no longer connect “to the corporate network” – they connect directly to the specific application needed. Each access is authenticated and authorized individually. It feels unfamiliar at first, but delivers far stronger security – and works seamlessly from anywhere.
Is Zero Trust realistically implementable for SMEs?
Yes – but as a phased approach. Starting with MFA and Identity Management costs just a few thousand euros per year and can be rolled out in weeks. Cloud-based solutions make Zero Trust feasible even without an in-house IT security department. Crucially: don’t try to do everything at once. Prioritize deliberately and build incrementally.
Does NIS2 mandate Zero Trust?
Not explicitly. But the required measures – access control, segmentation, MFA, incident response – are de facto Zero-Trust principles. Implementing Zero Trust nearly guarantees compliance with these NIS2 requirements. The BSI explicitly recommends Zero Trust in its official position papers.
How long does a complete Zero-Trust implementation take?
MFA and basic IAM: 2-4 weeks. Network segmentation: 3-6 months. Full architecture with continuous monitoring: 12-24 months. Gartner estimates that by 2026, only 10 percent of large enterprises will have a mature program. But critically – each phase delivers tangible, independent security benefits.
What does Zero Trust cost compared to a classic VPN?
More upfront, less over time. VPN: €5-€15 per user per month, with no granular access control. Zero Trust Network Access: €8-€25 per user, with identity-based policies and built-in compliance reporting. The Forrester study confirms 92 percent ROI within three years. And the savings from avoided incidents aren’t even factored into that calculation.