If your organization is subject to PCI-DSS, GDPR and other EU regulations, or HIPAA, then you need to be aware of how these frameworks are evolving—particularly in their encryption expectations—and update your security practices accordingly or risk falling out of compliance.
These mandates now reflect a broader industry convergence toward Zero Trust Maturity Model (ZTMM) 2.0 principles, which emphasize continuous authentication, pervasive encryption, and runtime policy enforcement. Even if your business isn’t specifically regulated by these mandates, you can treat them not as compliance obligations but as forward-looking, best-practice blueprints that guide organizations of all kinds toward stronger security postures in cloud, hybrid, and multicloud environments.
A Sampling of Encryption Requirements
The following is an overview of some of the recent regulatory changes as they relate to network security in general, and encryption in particular. If any of these apply to your organization, please refer to the regulations themselves or consult with your resident compliance experts to understand the specifics and how you need to address them.
PCI-DSS
PCI-DSS 4.0, which was released in 2022, introduced more stringent encryption requirements to the Payment Card Industry Data Security Standard, including the encryption of all cardholder data transmitted over open, public networks, as well as stronger key management practices. Additionally, the updated standard takes a big step forward in zero trust, requiring organizations to continuously assess and verify—regardless of network location. This shift away from determining compliance via point-in-time proofs is part of the new “customized implementation” option that focuses on security outcomes rather than prescriptive controls.
EU regulations
GDPR Article 32, which was updated in 2025, requires “appropriate technical and organizational measures” be taken to ensure data security and privacy, and specifically calls out encryption as one such method. Taken together with GDPR Article 25, which mandates “data protection by design and by default,” this means you need to embed encryption into your network architecture.
The EU Cybersecurity Act, passed in 2019 and last updated in 2024, requires data to be encrypted in transit and at rest and specifies that encryption mechanisms should be up-to-date and aligned with the latest technological advancements.
The Network and Information Security 2 Directive (NIS2), effective as of 2024, also requires data in transit and at rest to be encrypted. Furthermore, it calls for continuous authentication mechanisms in high-risk situations.
HIPAA
Historically, the HIPAA Security Rule, which was initially enacted in 2003, gave covered entities discretion with respect to the safeguarding of protected health information (PHI), including encryption. This changed in 2024, when the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to strengthen the HIPAA Security Rule. The proposed changes, which will likely go into effect at the end of 2025 or in early 2026, include specific encryption requirements, such as:
Mandatory encryption of PHI in transit and at rest
Extension of encryption beyond perimeter defenses, including east-west flows within the same cloud or across hybrid environments
Implementation of centralized, policy-driven encryption controls that span on-premises, hybrid, and multicloud infrastructure
A common theme
These encryption requirements are evolving to keep pace with the realities of cyber risk in modern hybrid cloud network environments:
The perimeter that used to encircle enterprise applications and data has dissolved, so perimeter-based solutions no longer pass muster.
Applications and data traverse multiple cloud and on-premises environments, eroding the effectiveness and value of limited deployment models.
Sophisticated, persistent cybercriminal activity (like the 2023 MGM breach, the MOVEit breach, the EchoLeak vulnerability, and Play ransomware) is on the rise, with organized teams patiently exploiting small vulnerabilities and blind spots as stepping stones to gain access and leverage “inside” the network until they hit paydirt.
Hence the move to zero trust, where authorization isn’t just a one-time event at an access point, encryption is pervasive, and secure key practices enforce a least-privilege approach.
How Aviatrix CNSF helps you keep encryption practices compliant
The Aviatrix Cloud Native Security Fabric (CNSF), which includes High Performance Encryption (HPE), empowers organizations to align with the latest regulatory demands and accelerate their maturity along modern cybersecurity frameworks like the ZTMM 2.0. As global standards like HIPAA, PCI DSS 4.0, NIS2, and GDPR converge toward ZTMM principles—including pervasive encryption, centralized policy enforcement, and real-time telemetry—enterprises need an architecture that enforces zero trust at runtime, not just in policy.
Aviatrix CNSF embeds encryption directly into the fabric of cloud infrastructure, enabling enforcement that moves with workloads across regions, clouds, and hybrid environments. This cloud-native architecture provides:
Inline, network-layer encryption of east-west, north-south, hybrid, and multicloud flows using FIPS 140-2 validated IPSec—at 10–100 Gbps performance.
Zero Trust segmentation and least-privilege enforcement across apps, workloads, partners, and environments—without reliance on brittle perimeter tools.
Centralized visibility into key management, policy compliance, and runtime behavior—across all cloud networks.
Software-defined enforcement that eliminates the hardware constraints of VPNs, MACsec, or appliance-based encryption tools.
With Aviatrix, security teams can confidently extend encryption strategies beyond static perimeters—weaving Zero Trust directly into the cloud runtime, in line with both ZTMM best practices and regulatory mandates.