Artificial intelligence is neither a curse nor a blessing - it has long been a reality, including in cyber defence. It is fundamentally changing how security decisions have to be made. In this context, zero trust will become the strategic guardrail of cyber defence from 2026: AI automates access and risk decisions, while regulations such as NIS2 and DORA set the binding framework for the protection of IT and OT environments. For the full context, it is worth reading the first part of this two-part article.

AI & Zero Trust: risks and opportunities for modern cyber defence
Generative AI such as FraudGPT or WormGPT enables hyper-personalized phishing attacks that bypass multi-factor authentication (MFA). Attackers use AI-generated voices to gain access to accounts in the call center.
Practical tip: Rely on continuous authentication and use tools such as "Microsoft Defender for Identity" to analyze real-time behavior.
AI-supported policy engines (EDR) make 90% of zero trust decisions automatically, for example by blocking a login because the user is suddenly accessing from a high-risk country, or by isolating a device that shows unusual data flows.
Critical reflection: AI is not a panacea. Only continuous training with context-specific data enables reliable detection without excessive false alarms. Users need to understand why access has been blocked.
Research shows that powerful quantum computers are likely to jeopardize common encryption methods such as RSA-2048 and ECC in the 2030s. Digital certificates based on RSA or ECC could thus become vulnerable - with a direct impact on zero trust architectures.
Critical reflection: There are NIST-standardized algorithms such as CRYSTALS-Kyber and NTRU as a replacement for RSA/ECC. Hybrid encryption (classic + PQC) serves as the transition. Planning and implementation should take place at an early stage together with the manufacturers of zero trust tools. The first ZTNA solutions already support post-quantum cryptography, but broad market penetration is still pending.
Practical tip: Create a plan for your organization with a focus on critical systems (e.g. financial data, OT control) and start pilot projects in 2026.
Standing still increases the cyber risk. A targeted review of your zero trust strategy supports well-founded decisions on MFA, microsegmentation, NIS2 and DORA.
Even though NIS2 only applies directly to EU member states, many Swiss companies are affected - especially those with EU customers or subsidiaries. Critical infrastructures (energy, health, transportation, etc.) are obliged to implement Zero Trust.
This results in clear core requirements for KRITIS organizations:
The Digital Operational Resilience Act (DORA) requires banks and insurance companies to prove that they detect attacks in real time (via SIEM + UEBA) and control third-party risks such as cloud providers.
Practical tip IT: "Use regulation as an opportunity." Combine DORA/NIS2 projects with the zero trust roadmap. Carry out external audits (e.g. ISO 27001; Zero Trust) and use Zero Trust, Secure Access Service Edge (SASE), ZTNA and passwordless authentication (FIDO2).
Practical tip OT: "Use regulation specifically as an opportunity for OT security." Establish external audits, for example in accordance with IEC 62443 or zero trust principles, and prioritize technical measures such as OT-specific micro-segmentation, device certificates for all PLCs and passive OT monitoring through to an OT SOC. In addition, hybrid concepts of air gap and ZTNA are proving their worth in securing critical control networks in a controlled manner.
Let us consider where our world could be heading.
Users no longer realize that they are working in a zero trust environment because AI models and automation take care of everything in the background. Employees access a machine in production. The AI automatically checks: Is the device patchable? Does the behavior match the user? Are there anomalies in the network? Depending on this, access is granted or blocked without manual input.
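The automated decision described above (and the policy-engine behaviour mentioned earlier: blocking a login from a high-risk country, isolating a device with unusual data flows) can be sketched as a small rule-based risk engine. This is an added illustration, not code from the original article or from any vendor product; the country list, thresholds and sample requests are constructed placeholders, and every decision carries a human-readable reason so the user understands why access was blocked.

```python
from dataclasses import dataclass

# Constructed placeholder values; a real engine would take these from threat intel and the IdP.
HIGH_RISK_COUNTRIES = {"ZZ"}
BLOCK_THRESHOLD = 0.7    # behaviour anomaly score at which access is blocked outright
STEP_UP_THRESHOLD = 0.4  # score at which a fresh MFA challenge is required instead

@dataclass
class AccessContext:
    user: str
    country: str                 # country code of the current request
    usual_countries: frozenset   # countries the user normally works from
    device_patched: bool         # device meets the patch baseline
    unusual_data_flow: bool      # network sensor flags abnormal traffic from the device
    anomaly_score: float         # 0.0 = normal behaviour, 1.0 = highly anomalous

def decide(ctx: AccessContext) -> dict:
    """Return the access decision plus the reasons shown to the user."""
    reasons = []
    # Device signals come first: a misbehaving or unpatched device is never let in.
    if ctx.unusual_data_flow:
        reasons.append("device shows unusual data flows and is being isolated")
        return {"decision": "isolate_device", "reasons": reasons}
    if not ctx.device_patched:
        reasons.append("device does not meet the patch baseline")
        return {"decision": "block", "reasons": reasons}
    # Location and behaviour signals decide between allow, step-up MFA and block.
    if ctx.country in HIGH_RISK_COUNTRIES:
        reasons.append(f"login from high-risk country {ctx.country}")
        return {"decision": "block", "reasons": reasons}
    if ctx.anomaly_score >= BLOCK_THRESHOLD:
        reasons.append(f"behaviour anomaly score {ctx.anomaly_score:.2f} exceeds block threshold")
        return {"decision": "block", "reasons": reasons}
    if ctx.country not in ctx.usual_countries:
        reasons.append(f"login from unfamiliar country {ctx.country}")
    if ctx.anomaly_score >= STEP_UP_THRESHOLD:
        reasons.append(f"behaviour anomaly score {ctx.anomaly_score:.2f} requires re-authentication")
    if reasons:
        return {"decision": "step_up", "reasons": reasons}
    return {"decision": "allow", "reasons": ["device, location and behaviour are consistent"]}

# Constructed sample requests, one per decision branch.
SAMPLES = [
    AccessContext("alice", "CH", frozenset({"CH", "DE"}), True, False, 0.1),   # allow
    AccessContext("bob", "ZZ", frozenset({"CH"}), True, False, 0.2),           # block
    AccessContext("carol", "FR", frozenset({"CH"}), True, False, 0.5),         # step_up
    AccessContext("dave", "CH", frozenset({"CH"}), True, True, 0.0),           # isolate_device
    AccessContext("erin", "CH", frozenset({"CH"}), False, False, 0.0),         # block
]
```

Calling `decide()` on each entry in `SAMPLES` walks through every branch; in a real deployment the reasons list would be surfaced to the user and logged for the SOC.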
Digital twins of OT systems open up the possibility of virtually simulating attacks and automatically adapting security rules. The aim is an increasingly proactive cyber defence that does not just react to incidents, but anticipates risks at an early stage.
Zero Trust will become mandatory in the EU and in critical infrastructures in 2030. Cyber insurance companies are already increasingly demanding proof of zero trust, while a lack of zero trust standards along the supply chain increases the risk and cost factors for all parties involved.
In order for cyber defence in IT and OT to act as a strategic guardrail, a small number of targeted measures are required.
These three practical recommendations for action provide reliable guidance:
In addition, use current regulations such as NIS2 and DORA as leverage to gain budget and internal acceptance for your security measures.
Our experts will be happy to accompany you and support you with over 350 specialists in the further development and review of your zero trust strategy using proven methods from practice:
Zero Trust is like an airbag, you only realize how important an airbag is when you need it. Arrange a non-binding initial consultation now.
You can stay informed about further developments and current analyses on cyber security. Simply subscribe to our blog updates and receive the latest articles in your inbox! We look forward to hearing from you.