Zero Trust, Zero Knowledge and End-to-End Encryption (E2EE): Three Complementary Concepts for Better Protection

TL;DR:

  • Zero Trust: trust nothing by default, always verify. Least-privilege access, MFA everywhere, system segmentation.
  • Zero Knowledge: the provider cannot read your data, because everything is encrypted client-side and you keep the keys.
  • E2EE: only the sender and the recipient read the content, from start to finish, including on intermediary servers.

Why it matters

  • Private health care: protects patient records, reduces the impact of leaks and ransomware, meets professional ethics obligations.
  • Non-profits: protects member and donor lists, reduces the risk of harm to vulnerable populations, strengthens trust.
  • SMEs: prevents costly business shutdowns, protects trade secrets and client data, supports Law 25 compliance.

Quick tools and practices

  • Enable MFA on email, CRM and VPN.
  • Apply least privilege and remove dormant access.
  • Encrypt workstations, backups and sensitive files.
  • Use encrypted messaging for sensitive matters: Signal, Proton Mail.
  • Choose client-side encrypted storage: Tresorit, Cryptomator, Proton Drive.
  • Prepare a response plan and test the restoration of your backups.

Combined effect

Zero Trust limits access; Zero Knowledge and E2EE make data unreadable even in the event of an intrusion. Together, they deliver security, Law 25 compliance and lasting trust.


Introduction

Whether it involves medical records, donor information or client data, no business or organization can afford today to neglect cybersecurity. In Quebec, the coming into force of Law 25 on the protection of personal information further reinforces this requirement by imposing new compliance obligations. In this context, three digital security principles stand out as essential pillars: Zero Trust, Zero Knowledge and end-to-end encryption (E2EE).

These terms may seem technical, but we will explain them in a simple and precise way, then show how they complement one another to strengthen the management of sensitive data. We will also look at their particular relevance for environments such as private health care, non-profit organizations (NPOs) and small and medium-sized enterprises (SMEs), with a focus on the Quebec reality. Concrete examples of tools and platforms (such as ProtonMail, Signal, Tresorit, etc.) will illustrate these concepts. Finally, we will explain why this trio of principles is critical in an era of digital sovereignty, legal compliance and a growing cyber threat, before concluding with a summary along with practical recommendations and action items to take the next step.

Zero Trust: “never trust, always verify”

The Zero Trust principle rests on one central idea: “never trust, always verify”. In other words, no user or device should be considered trustworthy by default, even if it is part of the organization’s internal network. Unlike traditional IT security, which trusted everything inside the network perimeter (like a fortress where you are safe once past the walls), the Zero Trust model treats every access attempt as potentially suspicious. Every user, every system and every connection must prove its identity and its authorization each time it accesses a sensitive resource.

Concretely, adopting a Zero Trust strategy means that even internally, an employee must be robustly authenticated and authorized to access data or services: it is a bit like checking someone’s ID at every door they wish to pass through, and not only at the building entrance. This approach generally relies heavily on multi-factor authentication (MFA), for example a password plus a code sent to the phone, or a fingerprint, to make sure the person really is who they claim to be.

Another key aspect of Zero Trust is the principle of least privilege. This principle states that each user or application should have only the minimum permissions necessary to carry out their tasks. By analogy, this amounts to giving employees only a key that opens the rooms they need, rather than a master key to the whole building. In practice, this means segmenting networks and systems: the infrastructure is divided into isolated zones (this is called micro-segmentation) in order to limit the reach of a potential intrusion. For example, if a cybercriminal manages to compromise a workstation, a well-designed Zero Trust architecture will prevent them from easily pivoting to critical servers, because each new step would require them to prove themselves again.

The technologies and measures that support Zero Trust therefore include strong authentication, rigorous identity and access management (IAM), continuous monitoring of suspicious activity, and the encryption of internal communications. But more than a matter of technology, Zero Trust is a security philosophy and an overall strategy: it requires rethinking internal policies, training employees to stay vigilant (for example, not assuming that an email or a colleague is legitimate without verification) and adopting a posture where trust is never implicit, but always earned and verified.

In summary, Zero Trust offers a fitting response to modern IT systems, which are increasingly open and distributed. By treating every connection as potentially hostile until proven otherwise, you drastically reduce the risk that a flaw or an identity theft turns into a major breach. It is a model that is especially relevant at a time when remote work, the cloud and mobile devices blur the very notion of a network perimeter: with Zero Trust, the perimeter is each user and each device.

Zero Knowledge: data the provider has no knowledge of or access to

The Zero Knowledge principle (or “zero-knowledge” architecture) concerns the confidentiality of data with respect to service providers or third parties hosting that data. A platform or software described as zero knowledge is designed in such a way that the provider itself has no technical way to access the content you entrust to it. In other words, your data is encrypted before it even leaves your device, and the provider does not hold the key to decrypt it. Even though it hosts your files or messages on its servers, it is “blind” to them: it sees only a mass of unreadable data.

Concretely, this translates into the use of strong client-side encryption. For example, if you store a document on a Zero Knowledge cloud service, the file is encrypted on your computer or phone before being sent online. The provider (and a fortiori any unauthorized person) cannot decrypt it without the secret key, which only you hold. It is as if you stored your documents in a safe at a third party’s premises: the third party can keep the safe in its warehouse, but it does not have the combination. You are the only one who can open the safe and read its contents.

Why does this matter? Because this way, you are not required to trust the provider for confidentiality: even if its servers are compromised by a hacker, or even if it were legally compelled to hand over your data, it could only provide encrypted information, which is useless without your key. Zero knowledge encryption therefore delivers a very high level of security and confidentiality, including against potential breaches of trust by partners or providers.

This approach is increasingly widespread in services aimed at professionals and the general public. For example, some cloud storage solutions such as Tresorit or pCloud encrypt files client-side: the company providing the service has no way to read your documents. Likewise, many password managers (such as Bitwarden, 1Password, etc.) are based on a zero knowledge architecture: your passwords are encrypted with a key derived from your master password, which only you know, so that the company cannot access your stored credentials.

It is worth noting that the term “Zero Knowledge” is sometimes a source of confusion, because cryptography also has the notion of a zero-knowledge proof, which is a specific mathematical concept. Here, we are indeed talking about the general principle of knowledge-free hosting (zero knowledge encryption), which aims at the sovereignty of your data: you keep full control of the encryption keys, and therefore of the secrecy of your information, while still being able to use a third party’s infrastructure or services for storage or transport.

In summary, a Zero Knowledge architecture guarantees that your data stays your data. Only you (and the people you choose to grant access) can decrypt it. This is a valuable asset for confidentiality, because it drastically limits the consequences of a leak: strongly encrypted data remains incoherent and unusable for anyone without the key. This principle therefore brings additional peace of mind when using online services, especially for sensitive or confidential data.

End-to-end encryption (E2EE): protecting data from one end to the other

End-to-end encryption, often abbreviated as E2EE, is a method for securing communications and data that ensures only the legitimate sender and recipient can read the message or file exchanged. “End to end” means that data is encrypted at every stage of its journey, from the starting point (a device or software on the sender’s side) to the arrival point (the recipient’s device), passing through all intermediaries. Even if the information travels through servers, networks or a cloud, it remains unreadable to all unauthorized third parties.

Take the example of an end-to-end encrypted email: when you write your message, your device encrypts it immediately using an encryption key. The mail server (whether Gmail, Outlook or a service like ProtonMail) will only see a scrambled message pass through. Once it arrives in the recipient’s inbox, the message can only be decrypted by that recipient, who holds their own corresponding secret key. As a result, no one else – not the email provider, not a hacker intercepting communications, not even an authority requesting access to the data – can read the content in clear text. It is the digital equivalent of sending a letter inside a safe that only the recipient can open.

Historically, end-to-end encryption was long complex to implement (you had to manually manage key pairs, as with the famous PGP software in the 1990s). This restricted it to very specialized uses. But things have changed considerably: today, many tools integrate E2EE in a way that is transparent for the user. For example, the messaging app Signal automatically applies end-to-end encryption to all conversations: when you exchange messages or calls on Signal, you have nothing to configure, everything is encrypted without any action on your part, and even the company Signal cannot read your exchanges. Other mainstream messaging apps such as WhatsApp have also adopted this technology for personal communications (although WhatsApp collects other metadata, the confidentiality of message content is ensured by E2EE).

End-to-end encryption is not limited to instant messaging or email: it is also found in video-conferencing tools, file-sharing services, and even some cloud storage. For example, when you save files via a service like Tresorit or Proton Drive, they are encrypted on your device and can only be decrypted by you; this is a form of E2EE for file storage (it is very close to the Zero Knowledge principle mentioned earlier – in fact, E2EE is often the mechanism by which a Zero Knowledge architecture is achieved).

The advantages of end-to-end encryption are many. First, it guarantees confidentiality: even in the event of interception, your data stays private. Next, it ensures integrity: if a malicious third party tried to alter an encrypted message in transit, the recipient would not be able to decrypt it correctly (modern authenticated encryption refuses to produce any plaintext from a modified ciphertext, or the associated digital signature would no longer match), which makes any tampering detectable. Finally, on a more societal level, the broad deployment of E2EE strengthens freedom of expression and privacy by preventing any indiscriminate surveillance of communications. This is why many rights-advocacy organizations and governments encourage its use to protect personal data.

In practice, for a non-technical user, end-to-end encryption often goes unnoticed because it is built into modern applications. For example, if you use ProtonMail to correspond with a colleague, all the emails you exchange between ProtonMail inboxes are automatically end-to-end encrypted, with no action required on your part. The same is true when two people chat on Signal or on Element/Matrix (another secure messaging platform often used in professional or community settings). The real challenge is therefore no longer so much the technical side as widespread adoption: convincing your contacts, partners or clients to use these secure channels to exchange sensitive information, instead of traditional unencrypted channels (SMS, ordinary email, etc.).

To sum up, E2EE is the technical foundation of a private and secure Internet. It complements the Zero Trust principle by ensuring that, even if an intruder managed to infiltrate your communications or storage, they would not be able to understand any of it. In this way, your data stays in your hands and those of your authorized correspondents – from one end of the path to the other.

Complementary and inseparable principles

Having defined Zero Trust, Zero Knowledge and end-to-end encryption separately, it is important to understand that they do not conflict but rather complement one another to form a holistic security approach. Each of these three concepts covers a particular angle of data protection: together, they provide defence in depth, from the organizational level down to the finest technical level.

Zero Trust is above all an organizational and architectural strategy. It acts as an access filter and an internal shield: you verify the identity and the rights of each user or device for each action, you compartmentalize resources so that a local intrusion does not become a global disaster, and you adopt a suspicious posture by default. However, Zero Trust does not address what happens if, despite all these access controls, a piece of data ends up being intercepted or stolen. You can multiply controls all you like; the fact remains that information will travel across networks and be stored somewhere.

This is where end-to-end encryption and the Zero Knowledge architecture come in. They take over at the level of the data itself: thanks to them, if an unauthorized individual unfortunately still manages to access a file or intercept a communication (whether an external hacker, a malicious employee or even a service provider), they will not be able to exploit it. Indeed, the data will be encrypted in such a way that only legitimate people hold the decryption keys. In a sense, Zero Trust tries to let no unauthorized person in, while Zero Knowledge and E2EE ensure that, even if someone malicious did get in or spy, they would find only “closed safes” to which they do not have the key.

This complementarity can be illustrated with a simple analogy: imagine a business as a physical bank. Zero Trust would be the set of guards, badge checks and reinforced doors that compartmentalize the bank so that each employee goes only where they are allowed, and so each visitor is verified. End-to-end encryption and zero knowledge would be the practice of placing the most sensitive documents in safes to which only clients or a few carefully chosen people have the combination. That way, even if a thief managed to break into the bank (despite the guards), they would leave empty-handed because they could not open the safes. Better still, even a bank employee who did not have the combination could not read the contents of the safes if they took a look.

In practice, for an organization, this means these principles must be adopted simultaneously and in a coherent way. For example, setting up a Zero Trust model without encrypting data would leave a weakness: an insider hacker or a leak could expose information in clear text. Conversely, encrypting data without applying Zero Trust could lead to flaws through the misuse of legitimate accounts (an internal user holding the key could access everything if there are no privilege restrictions). It is by combining the two that you achieve an optimal level of security: access is hard to obtain and the data is protected anyway.

Moreover, these three concepts are part of a broader trend, that of “Zero Trust + Zero Knowledge by design”, in parallel with the privacy by design approach advocated by modern regulations. This means that when designing any new system, software or workflow, you should think by default in terms of: “What data can we avoid storing or sharing in clear text? Can we ensure that even we, as the provider or administrator, do not have access to it? Who really needs to access what, and how can we limit that scope?” By asking these questions early and adopting these principles, you build resilient systems: an isolated security flaw does not compromise everything, and confidentiality remains preserved even in the face of unforeseen events.

In summary, Zero Trust, Zero Knowledge and E2EE are three sides of the same coin. They approach security from different angles – respectively access control, the intrinsic confidentiality of data, and the securing of communications – but they share a common philosophy: minimizing the trust placed in intermediaries or in single safeguards, and multiplying independent layers of protection. For any organization concerned with protecting sensitive data, implementing them together offers a powerful synergy against the majority of known threats.

The importance of these principles in the private health-care sector

The private health-care sector (clinics, medical practices, laboratories, etc.) handles some of the most sensitive data there is: patients’ medical information. By nature, this information is confidential and highly personal – its unauthorized disclosure could have serious consequences for individuals’ privacy (discrimination, professional harm, psychological distress, etc.). In addition, the health-care field is a prime target for cybercriminals, who know that health data sells for a high price on the black market because of how rich it is (identity information, health-insurance numbers, medical details that can be used for blackmail, etc.). For all these reasons, applying the principles of Zero Trust, Zero Knowledge and E2EE in private health care is of crucial importance.

Zero Trust in health care: Historically, many health-care facilities operated on a closed network, with implicit trust between the various internal systems. But today, with the digitization of medical records, the connectivity of medical devices and the need for remote access (for example, a doctor reviewing a patient’s results from their private office or from home), the internal/external boundary is blurred. It is therefore essential to adopt a Zero Trust posture. This translates, for example, into requiring each health-care professional to authenticate strongly to access records (via a health-professional smart card, a password and a second factor, etc.), into limiting access to only the records of patients under their care (principle of least privilege), and into monitoring unusual access. A nurse does not need to consult all of the clinic’s records; such global access would not only be unjustified in terms of confidentiality, but also dangerous if their account were compromised. Zero Trust helps compartmentalize this access and make each step accountable: for example, a doctor could only access a patient’s laboratory results if they are in a care relationship with that patient, otherwise the system would deny the request.

End-to-end encryption and Zero Knowledge for health data: Beyond access control, it is strongly recommended (and increasingly required) that health data be encrypted as soon as possible. Ideally, electronic medical records and exchanges between practitioners should benefit from end-to-end encryption. Imagine a patient emailing medical documents (e.g. a scan of a blood-test result) to their doctor: if this is sent via a regular unencrypted email, that data travels in clear text over the internet and could be intercepted. Likewise, if a laboratory hosts its reports on a mainstream cloud without client-side encryption, a leak from that cloud would expose those reports in readable form. By applying the Zero Knowledge principle, you can instead store health data in encrypted form to which only the health-care professionals or the patient hold the key. For example, a private clinic could use a secure medical file-sharing solution where each document is end-to-end encrypted – somewhat along the lines of what ProtonMail offers for email or Tresorit for files.

Concrete tools already exist: some medical messaging or results-exchange platforms offer strong encryption. Consider, for example, Signal or WhatsApp (Business), which some doctors are beginning to use to communicate with one another about patients, precisely because these apps encrypt messages end to end, unlike SMS or standard email. Likewise, services such as ProtonMail make it possible to send a patient an encrypted email whose content only they can read (possibly by entering a password shared through another channel). Granted, integrating such tools into medical workflows requires adjustments (and sometimes a digital acculturation of care staff), but the stakes justify it.

Applying these principles also helps meet legal and ethical requirements. For example, Law 25 in Quebec imposes rigorous protection of personal information, and in the health-care field in particular, there are strict professional rules on medical confidentiality. If a private health-care practice suffers a leak of patient data, the legal and financial consequences could be heavy, not to mention the loss of patient trust. Conversely, investing now in Zero Trust and encryption proves to be a mark of seriousness and reliability. Indeed, the Collège des médecins and other bodies increasingly recommend explicitly that health information be communicated only through secure means. Concretely, this means no longer sending results by fax or unprotected email, not keeping patient data on an unencrypted laptop, etc.

By adopting a Zero Trust, Zero Knowledge and E2EE approach, a private health-care facility protects not only the privacy of its patients, but also itself. A frequent type of cyberattack in health care is ransomware: the attacker encrypts your data and demands a ransom to unlock it. If your data was already robustly encrypted and if you have compartmentalized your access (Zero Trust), the impact of ransomware can be contained (for example, the backups are encrypted and isolated, so the attacker can neither read nor easily destroy them). Moreover, even in the event of data theft, strongly encrypted medical information cannot be read or used against your patients. This is an additional element of resilience, which can make the difference between a contained incident and a true medical and ethical disaster.

Vital principles for non-profit organizations (NPOs)

Non-profit organizations (NPOs), whether charities, community associations or NGOs, may at first glance feel less concerned by advanced IT security. You sometimes hear: “We are a small organization, we don’t have any really sensitive data or large sums of money, hackers won’t be interested in us.” Unfortunately, this perception is mistaken: NPOs, too, are targeted by cyber threats, and often opportunistically. On the one hand, because they do have valuable information (if only member or donor lists, including addresses, emails, sometimes banking information for recurring donations). On the other hand, because NPOs rarely have a dedicated IT team or significant resources for cybersecurity, which makes them “easy” targets in the eyes of certain attackers. Finally, some non-profit organizations deal with sensitive subjects (human rights, support for vulnerable people, political activism, etc.) that may interest malicious actors seeking to harm their cause or to reveal the identity of their beneficiaries.

Zero Trust adapted to NPOs: Even with limited resources, an NPO can gradually implement the principles of Zero Trust. For example, ensuring that each volunteer or employee can only access the data necessary for their role is a good start (principle of least privilege). There is no need for a volunteer to have access to the entire donor database if they only handle the logistics of a local event. Segmenting information by project or by function reduces the risk that a compromised account or a human error exposes the organization’s entire informational assets. Furthermore, putting in place a policy of strong passwords and multi-factor authentication for the NPO’s email accounts and social-media accounts is a concrete measure derived from Zero Trust (you do not trust the password alone, you require an additional proof such as a code or a security key). These measures can be adopted without spending fortunes: there are free or low-cost password managers and MFA solutions suited to small structures. In short, Zero Trust for an NPO mainly consists of instilling discipline in the management of access and of the (even modest) IT estate: regular system updates, removal of obsolete access, verification before clicking on dubious links, etc. These are often more organizational than technological practices, and it is possible to train staff and volunteers in these good practices through online resources or workshops (you can find, for example, cybersecurity guides specifically designed for the Quebec community sector).

Encryption and Zero Knowledge for the confidentiality of the populations served: Many NPOs collect information about their users or beneficiaries: think of an association that helps people experiencing homelessness, which may have records with name, date of birth, brief medical situation, etc. Or an organization that defends LGBTQ+ rights in a repressive country, and that holds the list of its members and testimonies. Confidentiality is often essential to protect these people. End-to-end encryption takes on its full meaning here. For example, instead of exchanging by SMS or Facebook Messenger (not end-to-end encrypted by default for the latter), workers and volunteers could communicate via Signal or Telegram in secret mode to discuss sensitive cases. Likewise, when it comes to storing personal data, an NPO should consider secure cloud solutions where documents are encrypted client-side. Using a free mainstream service like Google Drive or Dropbox to store the donor list may seem convenient, but these services do not offer zero knowledge: in theory, Google or Dropbox could access the data (or be forced to hand it over to foreign authorities if hosted abroad). Instead, a solution like Tresorit (even if paid) or encrypted open-source alternatives could be deployed to store this information in full confidence. There are even open-source projects that tech-savvy volunteers can help set up, for example an encrypted Nextcloud storage instance coupled with the Seald or Cryptomator application to ensure file encryption. The level of complexity will depend on the available skills, but the idea is that even an NPO can reach a high level of confidentiality without necessarily having large means, by relying on the right solutions.

Strengthening trust and compliance: Beyond immediate protection, adopting these good practices also brings benefits in terms of trust from partners and the public. An NPO often manages the trust of its donors and beneficiaries as a precious resource. If it were to unintentionally disclose information about its donors (imagine a leak of the list of those who support a sensitive cause), this could not only harm the individuals concerned, but also discourage future donations out of fear of exposure. In a Quebec context, recall that Law 25 also applies to non-profit organizations to the extent that they process personal information in the course of “commercial” activities (which is sometimes unclear, but as a precaution many NPOs prefer to comply with the general principles of the law). This law requires, for example, reporting any breach of data protection to the people concerned and to the Commission d’accès à l’information. It is far simpler – and more responsible – to prevent these incidents through encryption and strict access control than to have to manage the consequences of a data leak.

Note as well that assistance programs exist to support NPOs in improving their cybersecurity. In Quebec, a program called MaLoi25 was launched to support small organizations (including NPOs) in achieving compliance and securing their data, with public financial support. In addition, the Canadian Centre for Cyber Security has published guides and even a report highlighting the importance of protecting the community sector. All of this clearly indicates that, even from the standpoint of official bodies, the cybersecurity of NPOs is now taken seriously. For an organization, seizing the opportunity to be proactive on this subject can become a differentiating factor: it reassures institutional funders, foundations or government partners to know that the organization has put in place measures to protect data.

In short, Zero Trust, Zero Knowledge and E2EE in an NPO amount to preserving its mission and values. By protecting data, you protect the people you help and you ensure the longevity of the organization itself (which could be seriously affected by a major cyberattack). And contrary to a common belief, size or non-profit status does not provide immunity from risks; it is often the opposite: small structures are targeted precisely because they are perceived as less prepared. Fortunately, in 2025 there are more and more affordable (or even free) tools and resources to help NPOs reach a satisfactory level of security, without compromising their budget or their day-to-day operations.

Equally crucial stakes for small and medium-sized enterprises (SMEs)

SMEs make up the bulk of the economic fabric in Quebec as elsewhere. Because of their size and limited resources, they often find themselves in a situation similar to NPOs when it comes to cybersecurity: they sometimes feel they are not priority targets, or think they cannot invest as much as large companies in security solutions. However, the reality is unequivocal: SMEs are massively targeted by cyberattacks. Whether through targeted phishing, ransomware or the theft of client data, attackers do not pass over small businesses; quite the contrary. Recent reports indicate that a significant share (more than half) of reported cybersecurity incidents involve SMEs. And unfortunately, the consequences there are often dramatic: the lack of financial reserves or contingency plans means that many SMEs do not recover after a major cyberattack (it is estimated that around 60% of small businesses go bankrupt within the year following a serious cyberattack or a massive loss of data).

Zero Trust for SMEs, insurance against the unexpected: For an SME, adopting Zero Trust can translate into a few headline measures that are fairly simple to understand. For example, setting up a corporate VPN with strong authentication for any remote access to internal resources (rather than exposing an RDP server or a database without protection on the internet). Or compartmentalizing the various departments: the person in charge of billing does not need access to product design files, and conversely the engineers do not need to consult the accounting database. Segmenting this access limits the damage if an internal account is compromised. In addition, Zero Trust encourages actively monitoring abnormal behaviour: even in a 20-employee SME, if a marketing employee’s account suddenly tries to access technical archives or export the entire client file at 2 a.m., that is an alarm signal not to be missed. Detection solutions exist at affordable costs (some security features are even included natively in common suites such as Microsoft 365 Business or Google Workspace). It is often enough to enable these features and configure alerts. So Zero Trust is not necessarily synonymous with massive purchases of new tools: it is often a matter of configuration and internal policy. For example, requiring two-factor authentication on corporate email is a configuration choice more than an expense (most services offer it at no extra cost).

Client data encryption and Zero Knowledge: SMEs handle varied data that may include personal information about their clients, suppliers, partners, etc., as well as sensitive data such as manufacturing secrets, blueprints, source code, etc. Protecting this information through encryption is an indispensable safeguard. Imagine a small design firm that stores its clients’ mock-ups on a cloud service to collaborate: if this service is compromised and the files are not encrypted, proprietary data (sometimes under NDA) could leak and cause significant commercial harm. Conversely, if the company uses an end-to-end encrypted cloud tool or adds a layer of encryption itself (via software like VeraCrypt or Cryptomator to encrypt locally before synchronization), a potential leak will reveal nothing exploitable. Many SMEs now use SaaS tools (online software) for day-to-day management: CRM, ERP, etc. It is wise to find out whether these services offer advanced encryption options or at least the ability to export and encrypt internally the most critical data. For example, some professional email solutions offer an end-to-end encryption mode for sensitive emails; otherwise, an SME can opt for a provider such as ProtonMail for confidential communications. Likewise, for sharing files with partners, favouring platforms with a client-side encryption option (or using file-encryption tools before sending) can prevent many headaches in the event of interception.

Combining cybersecurity and compliance: In Quebec, since the coming into force of Law 25, all businesses, regardless of their size, have the obligation to adequately protect the personal information they hold. This includes the neighbourhood SME as much as the large group. Concretely, an SME must now: designate a person responsible for data protection, keep a register of confidentiality incidents, and put in place personal-information governance policies. This may seem intimidating, but these are steps that can be scaled to a small structure. Implementing Zero Trust and encryption actually helps comply with these requirements. For example, Law 25 requires restricting access to information to only the people who need it and applying the concept of “relevance” of the data collected. We recognize here the principle of least privilege and the minimization dear to Zero Trust. Moreover, if an SME wishes to use a cloud service located abroad to host personal data, the law now requires conducting a privacy impact assessment and making sure that the data will receive adequate protection outside Quebec. Using a Zero Knowledge provider or encrypting the data before transmitting it is precisely an effective way to guarantee this adequate protection: even stored outside the province, the data remains encrypted and therefore consistent with the spirit of the law (if not the letter). In the event of an audit or an incident, the SME will be able to demonstrate that it took state-of-the-art measures to secure the information (which can protect it from sanctions or at least reduce its liability).

Beyond compliance, integrating these principles can become a business argument for an SME. More and more clients, notably in B2B, demand security guarantees from their suppliers. Being able to show that you encrypt the data entrusted to you, that you have put in place a Zero Trust approach internally, is to prove your seriousness. It reassures clients that, in working with you, their own data or that of their end users will not be exposed. In a world where digital reputation counts, an SME stands to gain by setting itself apart positively by being proactive on cybersecurity rather than waiting for the incident. As some experts have pointed out, security must move from the status of a cost to that of an investment: for a small business, every dollar invested wisely in prevention (firewalls, encrypted backups, training) can save thousands in the event of an attack avoided or contained.

In summary, for SMEs, Zero Trust provides an organizational armour, while Zero Knowledge and E2EE provide an informational safe. Together, they ensure that the SME, however small, will not be easy prey. And if it is attacked despite everything, it will have the means to resist and bounce back without losing its viability. In an economic context where digital threats are sometimes existential for small structures, these principles are no longer a technical luxury but indeed a condition of survival and prosperity.

Cybersecurity, digital sovereignty and legal compliance: unavoidable stakes

As we have seen, Zero Trust, Zero Knowledge and end-to-end encryption form a robust security foundation. But beyond the technical considerations, their adoption fits into a broader context of collective awareness around three issues: the growing cyber threat, the pursuit of digital sovereignty, and the strengthening of the legal framework. These three dynamics, which have been strongly felt in Quebec in recent years, mean that no organization can any longer afford to ignore these security principles.

The urgency of cybersecurity

Cyberattacks are rising sharply everywhere in the world, and Quebec is no exception. Ransomware paralyzing manufacturing companies, data theft in clinics, phishing targeting NPOs to divert funds: not a week goes by anymore without a cyberattack being reported in the media. This generalization of risk has two consequences: on the one hand, the probability of being attacked oneself one day is no longer negligible, even for a small structure. On the other hand, the average cost of incidents keeps rising (direct financial losses, business interruption, system restoration costs, legal penalties, etc.).

Adopting the principles of Zero Trust and encryption is a way to prepare for the worst-case scenario. In cybersecurity, we often speak of resilience: this is the ability to keep operating and to protect what is essential even in a crisis situation. For example, a company whose every workstation is encrypted by ransomware will be able to get going again more quickly if it has segmented its network (Zero Trust: the backups on another segment were not reached by the malware) and if those backups were themselves encrypted (the attackers could not delete them or read them for blackmail). Likewise, a leak of client data will have far smaller impacts if that data is encrypted (E2EE/Zero Knowledge): the leak will essentially be incomprehensible noise to the attackers. In short, these principles do not guarantee that you avoid the attack, but they greatly limit the damage. It is a bit like having earthquake-resistant construction in an area where earthquakes are frequent: you cannot prevent the quake, but you avoid the collapse.

Digital sovereignty and control over data

The concept of digital sovereignty refers to the idea of keeping control of one’s data and not depending entirely on foreign powers or large technology players to ensure the security and confidentiality of information. In Quebec, this notion is gaining ground as people realize that a great deal of sensitive data (for example medical data, or strategic information of local businesses) is hosted on servers in the United States or elsewhere, subject to foreign laws (such as the American Patriot Act or Cloud Act, which can authorize agencies to require data).

The principles of Zero Knowledge and end-to-end encryption offer a pragmatic answer to this challenge: encrypt locally, control locally. If your data is encrypted by you before being sent to a foreign cloud, you retain in a sense your “sovereignty” over that data, because the foreign provider can do nothing with it without your consent (since it does not hold the key). It is like exporting a document in a tamper-proof safe: regardless of the destination country, no one on site will be able to open the safe without your key. So even when using international services, a Quebec organization can comply with its local confidentiality and privacy requirements.

We are also seeing the emergence of an increasingly abundant offering of Canadian or Quebec cybersecurity or storage services. For example, clouds certified as sovereign cloud, where data is guaranteed to be hosted in Canada, combined with client-side encryption, may appeal to companies wishing to avoid any unprotected transfer of data abroad. Some local companies are positioning themselves in this niche, offering alternatives to Office 365 or Google Workspace, but natively integrating Zero Knowledge. Adopting such services contributes to digital sovereignty by fostering a local ecosystem of trust.

Finally, digital sovereignty also concerns technical mastery. By adopting the Zero Trust model, an organization avoids relying on the illusion of security provided entirely by an external provider or by a perimeter. It develops internally a culture of continuous security. It is a way of not delegating responsibility entirely to others. Of course, you can (and should) rely on external experts, consultants, security products, but the Zero Trust approach is a reminder that ultimately, it is up to the organization to define who accesses what and to make sure these rules are respected. This ties in with the idea of sovereignty: keeping a hand on your security decisions, not simply trusting blindly in a vendor or a default configuration.

Legal compliance and growing obligations

The legal framework has tightened when it comes to data protection. In Quebec, Law 25 (formerly Bill 64) has been progressively imposing, since 2022–2023, a whole series of obligations on businesses and organizations. Among the most notable:

  • Designate a person responsible for the protection of personal information (often the senior officer by default).
  • Put in place policies and practices governing the governance of personal information (by September 2024).
  • Keep a register of confidentiality incidents and notify the Commission d’accès à l’information as well as the people affected in the event of an incident presenting a serious risk.
  • Carry out privacy impact assessments (PIAs) before communicating personal information outside Quebec or adopting systems involving sensitive personal data.
  • Obtain explicit and informed consent, and facilitate the exercise of individuals’ rights (access, rectification, erasure, portability, etc.).
  • And of course, apply security measures proportionate to the sensitivity of the information, under penalty of sanctions in the event of a failure (fines that can reach up to $25 million or 4% of worldwide turnover, aligning Quebec with international standards such as the European GDPR in terms of severity).

In this context, Zero Trust, Zero Knowledge and E2EE are not explicitly named in the law, but they are excellent means of satisfying the requirements it sets out. For example, the law speaks of making information accessible only to those who must have access to it: this is exactly what a well-applied Zero Trust policy does (you could translate it as “least-privilege access”). It also requires adequate protection when transferring outside Quebec: encrypting these transfers end to end and using zero knowledge providers is to demonstrate that you are providing this adequate protection. The law also values the notion of “security by design”: integrating encryption and strict access control from the design phase of a new system or service is precisely the embodiment of this principle.

Being legally compliant is not just about avoiding fines, it is also about building the trust of stakeholders (clients, citizens, partners). We observe that more and more B2B contracts include security and data-protection clauses: to win business, you have to prove you are up to standard. For Quebec businesses, complying with Law 25 is not just an administrative burden: it can become a competitive advantage in markets where privacy protection is valued. For example, a Quebec tech SME could highlight the fact that it complies with the local equivalent of the GDPR and that it encrypts all of its users’ data; in the era of the Cambridge Analytica scandal and others, that is a marketing argument that resonates.

In short, the strengthening of the legal framework – coupled with increased public awareness of privacy issues – has raised the bar. Zero Trust, Zero Knowledge and E2EE are three concrete responses to not only be compliant, but often exceed the minimum obligations and thus protect yourself more effectively. Because beyond the law, let us not forget that the worst sanction in the event of a security failure is often that of the market or of public opinion: a client who withdraws their trust, a partner who terminates a contract, a tarnished reputation. In a hyperconnected world, transparency about incidents is expected, and it is very difficult to hide a leak or a major attack. It is therefore better to be preventive, and these three principles offer a solid roadmap to get there.

Conclusion: toward lasting security – summary, recommendations and action items

To conclude, let us remember that Zero Trust, Zero Knowledge and end-to-end encryption form an indispensable trio for anyone managing sensitive data in the digital age. Zero Trust teaches us to trust nothing and no one by default, and to systematically verify each access: it is a cultural shift that greatly improves internal security by avoiding complacency flaws. Zero Knowledge ensures that our providers or intermediaries know zero about our data: in other words, we keep full control of confidentiality via client-side encryption. Finally, E2EE guarantees that our communications and storage stay private from end to end, with no holes in the armour during transfer or storage.

These approaches, although technical in their formulation, translate into tangible benefits for a non-technical professional organization: a drastic reduction in the risk of data leaks, a mitigation of financial and operational impacts in the event of an incident, compliance with modern privacy-protection laws, and a strengthening of the trust granted by clients/partners. Whether you are the head of a manufacturing SME, a manager in the health-care sector or the director of a community NPO, you can see in these tools a way to protect your mission and your assets in a digital landscape full of pitfalls.

We understand that all of this may seem complex to put in place. That is why we end with a few concrete recommendations and action items to start or continue your security journey:

  • Take inventory of your sensitive data: Clearly identify which information, if it were compromised, would be damaging to your organization or your clients/users (personal data, medical records, trade secrets, donor lists, etc.). This inventory will help you prioritize protection efforts on the critical items.
  • Adopt the principle of least privilege right now: Review who has access to what within your organization. Restrict excessive rights: each employee or volunteer should only see the data necessary for their work. Update access, delete inactive accounts, segment your file directories by sensitivity level. This is a simple step toward Zero Trust.
  • Put in place multi-factor authentication (MFA) on your important accounts: Professional emails, VPN, online project-management tools, etc. – enable two-step verification everywhere it is available. This simple measure blocks a large portion of intrusion attempts (even if a password is stolen, the attacker will not be able to log in without the second factor). Many services (Microsoft 365, Google, Facebook, etc.) offer it free of charge.
  • Encrypt your devices and your backups: Make sure that the organization’s laptops, external drives and USB keys containing sensitive data are encrypted (modern Windows, macOS and Linux systems offer disk encryption – BitLocker, FileVault – often in one click). That way, in the event of theft or loss of the device, the data will not be accessible. Likewise, encrypt your backups or use backup solutions that integrate encryption. An unencrypted backup forgotten in a drawer or exposed online can become an unintentional data leak.
  • Use secure communication tools: Encourage the use of end-to-end encrypted instant messaging (Signal, WhatsApp, Telegram secret chats, etc.) for sensitive professional exchanges rather than ordinary SMS or emails. For emails, consider using services that offer end-to-end encryption (such as ProtonMail for confidential communications). If this is not possible at a large scale, at the very least use attachment encryption for sensitive documents (for example, send a password-protected PDF file, and communicate the password through another channel).
  • Choose your cloud services with discernment: Find out about the security policy of your online service providers. When possible, favour those that offer zero knowledge encryption. If you use collaborative suites (Google Drive, OneDrive, etc.) without this feature, consider adding a layer of encryption yourself for confidential files (there is software that integrates with these services to encrypt transparently). Do not forget to examine where your data is stored: if it is outside Canada, make sure you meet the obligations (Law 25 PIA) and apply additional protection measures.
  • Train and raise the awareness of your team: Technology is not everything. Explain to your employees or volunteers why these measures are taken, how to spot a phishing email, why you should not reuse the same passwords, etc. Good collective digital hygiene is a key element of the Zero Trust approach (you do not blindly trust the emails you receive, you stay extra vigilant). Many educational materials exist in French, and programs like CyberSecure Canada offer basic training for small organizations.
  • Develop an incident response plan: Prepare for the scenario where, despite everything, an incident occurs. Who do you contact (security expert, IT department)? What data needs to be isolated? Do you have backups to restore? Who must inform the authorities or the people concerned if personal information is involved? A well-defined response plan tested in advance makes it possible to react quickly and limit the damage. And the fact of having put in place Zero Trust and E2EE will greatly facilitate crisis management, because you will know precisely which breaches are truly critical or not (data that is stolen but encrypted, for example, eases the urgency).

By gradually applying these actions, you bring the principles of Zero Trust, Zero Knowledge and E2EE into the daily life of your organization. The benefits will not be long in coming: a drop in the number of alerts or successful intrusion attempts, compliance audits passed more easily, greater peace of mind for you and your stakeholders. Of course, security is a continuous process, not a state reached once and for all. You will need to regularly update policies, stay informed of new threats and new solutions. However, with the solid foundations that these three principles constitute, you will be well equipped to face the current and future challenges of data protection.

In the end, retaining the trust of your clients, patients, donors or users in today’s digital world rests on a simple equation: no protection, no trust. Zero Trust, Zero Knowledge and end-to-end encryption offer precisely this protection at several levels. It is up to you to integrate them into your strategy starting now – because neither the regulations, nor your users, nor cyberthreats will give you any respite. It is better to be ahead on these questions than to suffer the consequences of falling behind.

In summary, make cybersecurity a cross-cutting priority, equip yourself intelligently, and do not forget that every piece of data you protect is a bit of trust and added value that you preserve for your organization.

Sources and bibliography

  • Comprendre le modèle Zero Trust : “ne jamais faire confiance, toujours vérifier.” – OGO Security (blog), July 2, 2024. (Detailed explanation of Zero Trust principles and their technical implementation.)
  • Le Chiffrement Zéro-Connaissance Expliqué en Termes Simples – AxCrypt (blog), January 18, 2024. (Educational article presenting the concept of “zero knowledge” encryption and its benefits for data security, with supporting examples.)
  • Qu’est-ce que le chiffrement de bout en bout et comment fonctionne-t-il ? – Proton Mail (Proton blog, Privacy Guides section), May 24, 2022. (Accessible presentation of E2EE, its mechanisms and its benefits, illustrated in the context of Proton services.)
  • L’importance de la sécurité des données dans les soins de santé – Keeper Security (French-language blog), October 15, 2024. (Analysis of the main security flaws in the health-care sector and the recommended best practices, including least-privilege access and the use of E2EE for medical information.)
  • Loi 25 : Quels sont ses impacts sur votre entreprise ? – Raymond Chabot Grant Thornton (expert opinion), updated May 31, 2024. (Clear overview of the provisions of Law 25 in Quebec and the obligations for private businesses, including the penalties incurred and the need for internal information-protection policies.)
  • Québec Law 25: What Canada’s New Privacy Law Requires – BigID (blog, French version), 2023. (Details on Law 25 and a comparison with other frameworks such as the GDPR, listing the key requirements such as consent, privacy assessments, incident notification, etc.)
  • Cybersécurité : Pourquoi la loi 25 est une opportunité ? – Eficio (blog), 2023. (Expert reflection on the evolution of cybersecurity, the impact of Law 25, the value of data and the importance of seeing security as a strategic investment for businesses.)
  • Cybersécurité pour les OBNL, un investissement crucial et accessible – ESPACE OBNL (article), October 3, 2024. (Sets out the issues specific to non-profit organizations in terms of cybersecurity, with adapted solutions, funding programs (e.g. MaLoi25) and concrete steps to improve security.)
  • Les petites entreprises face aux ransomwares : Ce qu’il vous faut savoir – Veeam (blog, Colin Hanks), updated May 15, 2025. (Contains recent statistics on the impact of cyberattacks on SMEs, notably the figure of ~60% of small businesses that close after a major attack, and advice on resilience against ransomware.)