Zscaler

Zscaler accelerates digital transformation so that customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange is the company’s cloud-native platform that protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location.

Distributed across more than 150 data centers globally, Zscaler’s SASE-based Zero Trust Exchange is the world’s largest inline cloud security platform. It powers all categories of Zscaler services for users, workloads and IoT/OT devices, securing connections to the internet and SaaS applications and protecting against cyberthreats as well as providing zero trust access to internal applications in the cloud and data center without a VPN.

Lobbying Activity

Meeting with Benjamin Hartmann (Cabinet of Commissioner Andrius Kubilius)

27 Jan 2026 · Global challenges.

Meeting with Christiane Kirketerp De Viron (Acting Director Communications Networks, Content and Technology)

26 Nov 2025 · CSA revision, Digital Omnibus

Meeting with Lucilla Sioli (Director Communications Networks, Content and Technology)

3 Sept 2025 · Zscaler's initiatives to connect and share expertise within the framework of the European Commission's AI initiatives

Meeting with Benjamin Boegel (Cabinet of Executive Vice-President Henna Virkkunen)

3 Sept 2025 · Cybersecurity policy and tech sovereignty

Meeting with Cathrin Bauer-Bulst (Cabinet of Commissioner Magnus Brunner)

2 Sept 2025 · Cybersecurity and critical infrastructure protection

Response to Amendment to the list of the state-of-the-art documents supporting the EUCC scheme

29 Aug 2025

Zscaler appreciates the opportunity to offer input on the draft implementing regulation for the European Common Criteria-based cybersecurity certification scheme (EUCC).

Zscaler is the zero trust cybersecurity leader. The Zscaler Zero Trust Exchange protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 160 data centers globally, the SASE-based Zero Trust Exchange is the world's largest inline cloud security platform and processes more than 500 billion transactions daily for our global customer base of more than 50 million users.

We respectfully submit the following points for consideration:

Alignment with modern security practices: The scope of EUCC appears heavily focused on hardware-centric products (e.g., smartcards, HSMs, secure ICs, tachographs). While these are critical components of many security ecosystems, they do not adequately address emerging technologies, such as cloud services, zero trust architectures, and service-based models, which are now the backbone of modern cybersecurity. Recognizing these in the regulation would prevent its relevance from diminishing in the face of evolving security paradigms.

Continuous updates: The current model for certification appears to treat every update or patch as a potentially major disruption. In cloud and SaaS models, continuous updates are a strength, allowing organizations to deploy fixes rapidly in response to new threats. A rigid approach risks making remediation slower, thereby reducing security rather than enhancing it. We recommend flexibility that differentiates between minor patches and major updates, to align the regulation with the inherent advantages of cloud-based solutions.

Transparency without risk: Transparency is critical to trust, particularly in how vendors handle patching and vulnerability disclosure. However, we urge the regulation to strike a balanced approach that does not risk aiding malicious actors. The emphasis should remain on earning customer trust rather than publishing detailed processes or timelines that attackers could exploit.

Flaw remediation timeframes: The inclusion of flaw remediation in scope is valuable, but blanket assumptions around patching timelines (e.g., "30 days") may not account for the complexity of development, testing, and rollout efforts required when the software creator builds patches. Recognizing the interconnected nature of the ecosystem will help ensure timelines are achievable and fair, encouraging security improvements without penalizing responsible development workflows.

E-Waste implications: For hardware products, overly strict re-certification rules may unintentionally lead vendors to abandon older models prematurely, opting to release new devices instead of supporting legacy ones. This practice could inadvertently drive an increase in e-waste, which conflicts with EU sustainability objectives. Adding provisions that encourage sustainable product lifecycles would support broader EU environmental goals.

Sunset period for evaluation: Given the rapid pace of technological evolution in cybersecurity, we recommend including a sunset or review period for these regulations, such as every three years. This would allow stakeholders to assess impact, refine approaches, and ensure the scheme remains effective in delivering intended outcomes.

We hope these insights contribute to a balanced and forward-looking implementation of the EUCC regulation, one that enhances security outcomes across diverse sectors while staying attuned to the realities of modern cybersecurity practices.