Updated juli 4, 2026
Summary: Network microsegmentation divides sovereign infrastructure into fine-grained security zones that stop lateral movement between workloads. For regulated organisations under NIS-2 and DORA, it is a provable, auditable control that operates entirely within on-premises or Swiss-hosted environments.

Network microsegmentation is the practice of dividing an IT environment into small, policy-governed security zones at the workload, application, or process level, enforcing the rule that each zone communicates only with explicitly permitted peers. Unlike a perimeter firewall that inspects traffic entering or leaving the organisation, microsegmentation controls the east-west traffic that moves laterally between servers, containers, and virtual machines inside the network. For sovereign infrastructure that cannot delegate security decisions to US-controlled cloud-native services, microsegmentation is not optional; it is the primary architectural mechanism that makes a breach containable rather than catastrophic.

Why Perimeter Security Is Structurally Insufficient for Sovereign Infrastructure

Perimeter-based security assumes that everything inside the network boundary is trustworthy. That assumption has been invalidated by decades of incident data, and it is particularly dangerous for regulated organisations operating sovereign on-premises or Swiss-hosted environments where no cloud-vendor security overlay exists.

Traditional perimeter architectures inspect north-south traffic (inbound and outbound) but leave east-west traffic between internal workloads largely uncontrolled. Once an attacker, or a piece of ransomware, gains a foothold on a single host, it can traverse the internal network freely until it reaches a high-value target. According to the CrowdStrike Global Threat Report 2024, the median attacker breakout time after initial compromise is 62 minutes, with the fastest observed case occurring in under two minutes. That window is shorter than the mean time to detect an incident in most regulated organisations.

The structural dependency on US-controlled security services compounds the problem. Many organisations that have outsourced security tooling to hyperscaler-native platforms find that their visibility and control reside in a vendor environment subject to the CLOUD Act and FISA 702. Replacing that dependency with a sovereign microsegmentation stack is therefore both a security decision and a jurisdictional one.

NIS-2 Article 21 and the Legal Mandate for Network Segmentation

NIS-2 Article 21 explicitly lists network segmentation as one of the technical and organisational measures that essential and important entities must implement. The obligation is not phrased as a recommendation; it is a binding requirement accompanied by supervisory enforcement powers and fines up to EUR 10 million or 2% of global annual turnover for essential entities.

Article 21 paragraph 2(e) requires “network segmentation and access control” as part of an organisation’s overall security of network and information systems. The DORA ICT risk management framework, set out in Regulation (EU) 2022/2554 Articles 6 through 16, requires financial entities to identify, protect, detect, respond to, and recover from ICT risks. DORA Article 9 specifically requires that network connections be monitored and controlled, and that access between network segments be restricted to authorised flows. For a CISO or compliance officer preparing for a supervisory review, the practical question is not whether to implement microsegmentation, but how to make that implementation provable and audit-ready.

Audit readiness: Both NIS-2 and DORA expect organisations to demonstrate that segmentation controls are actively enforced and regularly reviewed, not merely documented in a policy. Version-controlled policy-as-code repositories and automated compliance reports from the segmentation platform are the most defensible form of evidence.

Implementation Architecture: Three Enforcement Layers

A sovereign microsegmentation architecture should operate across three complementary enforcement layers, each addressing a different attack surface and providing defence-in-depth.

Hypervisor-level segmentation

For virtualised environments running KVM, Proxmox, or VMware, segmentation at the hypervisor level is the fastest path to east-west control without touching individual guest operating systems. Open vSwitch (OVS) is the reference implementation for programmatic virtual switching in open-source hypervisor environments. OVS supports OpenFlow-based flow rules that can isolate virtual machine groups by VLAN, tunnel identifier, or match on Layer 2 through Layer 4 fields. Policies are expressed as flow tables and can be version-controlled and deployed through infrastructure-as-code pipelines, satisfying DORA’s requirement for documented and repeatable ICT controls.

Host-based eBPF enforcement

Cilium, the leading eBPF-based network policy engine, enforces security policy at the Linux kernel level without requiring a separate proxy or agent that introduces latency. Cilium policies are expressed as Kubernetes NetworkPolicy objects or Cilium’s own CiliumNetworkPolicy custom resource, and they can be applied to bare-metal hosts, virtual machines, and container workloads within the same policy model. Because eBPF programs execute inside the kernel’s verified sandbox, Cilium provides cryptographically verifiable enforcement that is extremely difficult for malware to bypass from userspace. For a sovereign environment running Nextcloud, a private AI inference server, and an on-premises SIEM, Cilium can enforce that the AI workload communicates only with its dedicated model storage and an authorised API gateway, with all other east-west flows denied by default.

Hardware-defined segmentation

For the highest-sensitivity workloads, physical network segmentation using dedicated switches, separate VLANs with enforced 802.1Q tagging, and hardware security modules for key management provides an air-gap-equivalent boundary. This layer is appropriate for primary key management infrastructure, backup repositories, and audit log storage, where compromise would undermine every other control in the stack.

Ransomware Containment: The Evidence Base

The direct operational case for microsegmentation is ransomware containment. According to the Verizon Data Breach Investigations Report 2023, over 70% of ransomware attacks involve lateral movement as a key technique. Ransomware encrypts files by moving from its initial foothold to every reachable file server, backup share, and database. A flat network converts a single compromised endpoint into an organisation-wide incident. A microsegmented network converts the same event into a contained workload failure.

The financial argument is equally clear. The IBM Cost of a Data Breach Report 2023 found that organisations without network segmentation faced average breach costs of USD 5.28 million, compared to USD 3.84 million for those with segmentation in place: a difference of USD 1.44 million per incident that is directly attributable to the blast-radius reduction that segmentation provides.

Segmentation Layer Tool (Sovereign/Open-source) Ransomware Containment Benefit Primary Audit Evidence
Hypervisor (virtual switching) Open vSwitch (OVS) Isolates VM groups; blocks SMB lateral movement between hosts OVS flow table exports, change log from IaC pipeline
Host / container (kernel) Cilium / eBPF Enforces per-process allow-list; denies unexpected outbound calls Cilium policy YAML in version control, Hubble flow logs
Hardware (physical) Dedicated switches, 802.1Q VLANs Hard boundary for backup and key management systems Network diagrams, switch configuration exports, change tickets

Zero Trust Architecture and Implementation Sequencing

Microsegmentation is the most concrete network expression of zero-trust principles. NIST SP 800-207 states that all access to enterprise resources must be authenticated, authorised, and continuously validated, with no implicit trust granted based on network location. The ENISA Zero Trust Guidelines describe microsegmentation as one of zero trust’s most powerful technical expressions because it operationalises the assumption that the internal network is already compromised.

For a regulated organisation moving from a flat network to a sovereign zero-trust posture, sequencing matters enormously. A “big bang” microsegmentation deployment that blocks all undocumented flows simultaneously will cause operational outages. The recommended sequence is:

Phase 1 (weeks 1 to 6): Deploy OVS or Cilium in observe-only mode. Capture all east-west flow data and map actual communication patterns between workloads. This produces the traffic baseline that policy must reflect, and it creates the first piece of audit evidence showing active network monitoring under NIS-2 Article 21.

Phase 2 (weeks 7 to 14): Apply coarse-grained segmentation between major security zones: production versus development, Nextcloud file services versus AI inference servers versus SIEM, internet-facing versus internal-only. Enforce deny-all between zones with explicit permit rules for documented flows. This phase provides the greatest early risk reduction because it eliminates the ability of ransomware to traverse zone boundaries.

Phase 3 (weeks 15 onwards): Progressively tighten policy to the workload and process level. Apply Cilium identity-aware policies that restrict communication to named services rather than IP addresses, which remain stable as infrastructure scales. Automate policy generation from service discovery data and integrate policy change approvals into the organisation’s change management process to satisfy DORA’s ICT change management requirements.

Sovereign tooling note: Neither Open vSwitch nor Cilium is controlled by a US vendor subject to the CLOUD Act. Both are governed by open-source foundations (the Linux Foundation in Cilium’s case) and can be deployed, audited, and modified without dependency on a foreign commercial entity, which is a meaningful advantage for organisations assessing supply-chain jurisdiction risk.

Maintaining Policies as Sovereign Workloads Evolve

Microsegmentation policies decay. As Nextcloud deployments add new integrations, as private AI inference servers expose new model endpoints, and as the on-premises SIEM ingests new data sources, communication patterns change and static allow-lists become either too permissive (leaving gaps) or too restrictive (causing breakage).

The practical answer is policy-as-code with continuous drift detection. Every permitted flow is expressed as a declarative policy file stored in a version-controlled repository. An automated pipeline compares deployed policies against the repository on every commit. Any deviation, whether from an unauthorised manual change or from a workload reconfiguring its own network calls, triggers an alert to the security team and is logged as a compliance event. This approach satisfies both the NIS-2 expectation for continuous monitoring and DORA’s requirement that ICT controls remain effective over time, not merely at the point of initial deployment. Cilium’s Hubble observability layer provides real-time flow telemetry that feeds directly into an on-premises SIEM, closing the loop between policy enforcement and security monitoring without sending data to an external cloud service.

FAQ

Does microsegmentation replace a firewall?

No. Microsegmentation operates at the workload or process level inside the network perimeter and enforces east-west policies that perimeter firewalls never inspect. It complements rather than replaces north-south perimeter controls, and the two layers together provide defence-in-depth.

Which layer of microsegmentation should a regulated organisation implement first?

Start with hypervisor-level or network-level segmentation, which can be applied without touching individual servers. This provides immediate east-west isolation and satisfies NIS-2 Article 21 baseline requirements. Host-based eBPF policies can then be layered in for finer granularity around critical workloads such as the SIEM or private AI inference servers.

Can Cilium or Open vSwitch satisfy DORA ICT risk management requirements without a commercial vendor?

Yes, provided the organisation documents its policy model, maintains version-controlled policy-as-code in a repository, and generates audit logs. DORA Article 9 requires demonstrable controls, not licensed products. Open-source tools can satisfy these requirements when governance and documentation are rigorous.

How does microsegmentation reduce exposure under the CLOUD Act or FISA 702?

Microsegmentation is a network control, not a jurisdictional one, so it does not directly address CLOUD Act exposure. Its relevance is that it prevents a breach on one workload from spreading to sensitive data stores, reducing the blast radius of any compromise, including one triggered by a foreign legal order served to a US-controlled infrastructure provider.

How often should microsegmentation policies be reviewed?

Policies should be reviewed whenever a new workload is deployed, an application changes its communication patterns, or a new vulnerability is disclosed for a workload type. At minimum, a full policy audit should occur quarterly and be documented, because both NIS-2 and DORA expect organisations to demonstrate that controls remain effective over time, not just at initial deployment.

Frequently asked questions

Does microsegmentation replace a firewall?
No. Microsegmentation operates at the workload or process level inside the network perimeter and enforces east-west policies that perimeter firewalls never inspect. It complements rather than replaces north-south perimeter controls, and the two layers together provide defence-in-depth.
Which layer of microsegmentation should a regulated organisation implement first?
Start with hypervisor-level or network-level segmentation, which can be applied without touching individual servers. This provides immediate east-west isolation and satisfies NIS-2 Article 21 baseline requirements. Host-based eBPF policies can then be layered in for finer granularity around critical workloads such as the SIEM or private AI inference servers.
Can Cilium or Open vSwitch satisfy DORA ICT risk management requirements without a commercial vendor?
Yes, provided the organisation documents its policy model, maintains version-controlled policy-as-code in a repository, and generates audit logs. DORA Article 9 requires demonstrable controls, not licensed products. Open-source tools can satisfy these requirements when governance and documentation are rigorous.
How does microsegmentation reduce exposure under the CLOUD Act or FISA 702?
Microsegmentation is a network control, not a jurisdictional one, so it does not directly address CLOUD Act exposure. Its relevance is that it prevents a breach on one workload from spreading to sensitive data stores, reducing the blast radius of any compromise, including one triggered by a foreign legal order served to a US-controlled infrastructure provider.
How often should microsegmentation policies be reviewed?
Policies should be reviewed whenever a new workload is deployed, an application changes its communication patterns, or a new vulnerability is disclosed for a workload type. At minimum, a full policy audit should occur quarterly and be documented, because both NIS-2 and DORA expect organisations to demonstrate that controls remain effective over time, not just at initial deployment.