Across roughly 50 European mid-market SASE evaluations Jimber and partner integrators took part in during 2025 and 2026, the same ten questions kept surfacing. They cluster around sovereignty, tool sprawl, audit-readiness, agentless devices, and AI governance. The pattern reveals a shift away from feature comparisons toward operating-model fit. Below is what CISOs ask, and what the honest answers look like.
The questions behind the shortlist
The ten questions below come from real evaluation conversations, not an analyst checklist. Not every question came up every time. But across direct vendor calls, partner-led evaluations, and formal RFP processes, a consistent set of priorities emerged. These are the questions European mid-market CISOs raise when the vendor is actually in front of them.
They differ from the criteria the SASE vendor evaluation framework would list. A framework tells a buyer what to assess. These questions reflect what buyers choose to probe first, under deadline pressure, with a lean team and a budget that rarely clears €500,000 a year. That distinction matters. The five themes we observed at Cybersec Europe 2026 (sovereignty, tool sprawl, NIS2 audits, agentless devices and AI governance) map almost directly onto the questions that follow.
A note on what counts as an evaluation. We include direct conversations with a CISO or IT lead present, service partner-led evaluations where Jimber and the partner compared notes afterwards, RFP processes where the CISO scoped the requirements, and informal “would this fit” exploration calls. The figure is approximate. We are not claiming a survey. We are reporting a pattern from hands-on experience, which is exactly the signal that published research cannot capture.
Question 1: Where is our traffic actually decrypted and inspected, and who can be compelled to hand it over?
The sovereignty question rarely arrives as “are you GDPR compliant”. By 2026 it arrives as a jurisdiction question. CISOs want to know which legal entity controls the inspection infrastructure and whether any non-EU regime can reach the data. A strong answer names the controlling entity and its jurisdiction without hesitation.
This question has hardened over the past two years. Data residency alone no longer satisfies it. Under the US CLOUD Act of 2018, a US-headquartered provider can be compelled to disclose data in its possession, custody or control regardless of where that data is physically stored. A point of presence in Frankfurt operated by an American company does not resolve the conflict. Microsoft conceded this directly in sworn testimony before the French Senate, acknowledging it could not guarantee that European-hosted data would stay beyond the reach of US authorities.
Weak vendor answers point to an EU data centre and stop there. Strong answers address the harder layer: where TLS termination happens, who holds the encryption keys, and whether the software supply chain carries foreign dependencies. The European Commission’s €180 million sovereign cloud tender formalised this thinking with its SEAL framework, requiring at least SEAL-2 data sovereignty for sensitive contracts. Jimber operates under EU jurisdiction by default. The legal entity is Belgian, processing stays in the EU, and there is no US parent to compel. For the full reasoning behind this shift, see European SASE vendor selection.
Question 2: How many tools does this actually replace, and what does the migration path look like?
Tool sprawl drives the second question, and it is usually framed around a specific number. CISOs arrive with a count: six consoles, eight vendors, three contracts renewing in the same quarter. They want to know how many of those a single platform genuinely retires, not in theory but in their environment.
The frustration behind this is well documented. Industry estimates put the average enterprise security stack at 45 discrete tools, and a 2025 survey found 84% of European security decision-makers actively prioritising platform consolidation to cut operational overhead. Gartner expects 65% of enterprises to adopt single-vendor SASE by the end of 2026. But there is a catch the best CISOs probe for: many “platforms” are co-branded suites of loosely integrated point products, what analysts call islands of platformisation.
A strong answer is specific about what stays and what goes. Jimber consolidates ZTNA, SWG, FWaaS, SD-WAN and NIAC into one console with one policy language. It does not replace everything. Identity, endpoint protection and email security still sit outside the platform, and saying so builds more trust than claiming total consolidation. For service partners running this model across multiple customers, how service partners handle tool sprawl covers the multi-tenant operational detail.
Question 3: What does this cost over three years, with no bandwidth surcharges or licence true-ups?
Pricing transparency comes up early and pointedly. Mid-market CISOs have been burned by consumption-based models and surprise true-ups. The question is usually phrased around predictability: what is the three-year total, and what could change it without warning.
This sensitivity is rational. Mid-market security budgets rarely exceed €500,000 a year, and 46% of these organisations report that mainstream enterprise platforms assume a level of staff and budget they do not have. The shelfware problem compounds it. Teams buy complex suites, then leave large portions unused because deployment is too complex for the staff on hand. So the procurement question shifts from feature counts toward actual utilisation and cost certainty.
A weak answer quotes a per-user figure and goes quiet on overages. A strong answer is explicit about what is included and what is not, and flags bandwidth-based billing as the unpredictability it is. Jimber prices per user with transparent, custom quotes scoped to the environment rather than published rate cards, which is the honest position for mid-market deals where requirements vary. The SASE business case framework covers the cost and operational dimensions in more depth.
Question 4: Can this platform produce the evidence our NIS2 or CyFun audit will demand?
Audit-readiness moved from “later” to “now” on 18 April 2026, when the Belgian CyberFundamentals verification deadline passed. The question is no longer whether a platform aligns with NIS2 in principle. It is whether the platform can produce exportable, audit-ready evidence on demand.
The shift is concrete. Before the deadline, planning or partial implementation was accepted. After it, essential entities must substantiate compliance with proof. Of 1,574 registered essential entities in Belgium, around 75% chose the CyFun route, requiring an independent audit scored against controls, with CyFun Basic needing an average of 2.5 and Important needing 3.0. The Centre for Cybersecurity Belgium now reviews evidence packs, and audits have moved from documentation review to evidence demonstration.
A weak answer offers a compliance datasheet. A strong answer shows where the logs live, how access records and segmentation evidence export, and how they map to specific controls. This is where consolidation pays off directly: assembling a coherent audit trail from six fragmented tools is slow and error-prone, while a single console produces correlated evidence with consistent formatting. Jimber’s platform generates the centralised access logs, segmentation proof and posture records that CyFun’s Protect and Detect functions require. The NIS2 audit obligations checklist sets out the full control set.
Question 5: How do you secure devices that cannot run an agent?
The agentless question is sharper in 2026 because Operational Technology had its own theatre at Cybersec Europe for the first time. CISOs in manufacturing, healthcare and logistics ask how the platform protects printers, IP cameras, PLCs, HMIs and building management systems that physically cannot accept a software agent.
Standard SASE architectures, built for remote employees on managed laptops, simply do not cover these assets. That gap is not academic. In manufacturing, an unmanaged controller on a flat network is a lateral-movement path straight to the production line. The AZ Monica hospital ransomware attack in Antwerp on 13 January 2026 showed how fast that can escalate: staff disconnected every server across two campuses, 70 surgeries were cancelled on the first day, and seven critically ill patients were transferred elsewhere.
A weak answer waves at VLAN segmentation. A VLAN separates broadcast domains, but every host inside it can still reach every other host on any port, so an unmanaged printer on the OT VLAN can speak Modbus to the PLC beside it. That is network separation, not Zero Trust. A strong answer explains hardware-level isolation that sits in front of the device and enforces explicit allow rules (which peer, which protocol, which direction) between the device and the network, without touching the device itself. Jimber’s NIAC hardware does exactly this, creating a secure IT-OT convergence bridge without disrupting production. This is one area where most SASE vendors have no real answer, which is precisely why CISOs ask.
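To make the difference between the two answers concrete, here is an added example (written for this page, not Jimber code and not a model of the NIAC hardware) that evaluates the same OT flows under VLAN semantics and under a default-deny, explicit-allow policy. Every address, device role, VLAN and rule is constructed for illustration.

```python
"""Default-deny explicit-allow flow policy for agentless OT devices,
side by side with plain VLAN separation. All addresses, roles, VLANs
and rules are constructed for illustration (not Jimber's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AllowRule:
    src_net: str
    dst_net: str
    port: int
    proto: str = "tcp"

    def matches(self, flow: Flow) -> bool:
        return (
            ip_address(flow.src) in ip_network(self.src_net)
            and ip_address(flow.dst) in ip_network(self.dst_net)
            and flow.port == self.port
            and flow.proto == self.proto
        )


# Constructed layout: VLAN 20 is the OT VLAN, VLAN 30 the office VLAN.
VLANS = {20: ip_network("10.20.0.0/24"), 30: ip_network("10.30.0.0/24")}

# Constructed roles inside the OT VLAN.
PLC = "10.20.0.10"
HMI = "10.20.0.20"
HISTORIAN = "10.20.0.50"
PRINTER = "10.20.0.99"   # unmanaged device sharing the VLAN with the PLC

# The only conversations the process needs: Modbus/TCP polling of the PLC,
# in one direction only. Nothing else is named, so nothing else passes.
EXPLICIT_ALLOW = [
    AllowRule(f"{HISTORIAN}/32", f"{PLC}/32", 502),
    AllowRule(f"{HMI}/32", f"{PLC}/32", 502),
]


def vlan_of(addr: str):
    """VLAN id an address belongs to, or None if it is off-network."""
    return next((vid for vid, net in VLANS.items() if ip_address(addr) in net), None)


def vlan_permits(flow: Flow) -> bool:
    """VLAN separation: any host reaches any other host in the same VLAN on any port."""
    src_vlan, dst_vlan = vlan_of(flow.src), vlan_of(flow.dst)
    return src_vlan is not None and src_vlan == dst_vlan


def zero_trust_permits(flow: Flow) -> bool:
    """Default deny: a flow passes only if an explicit rule names it."""
    return any(rule.matches(flow) for rule in EXPLICIT_ALLOW)


def compare(flows):
    """Evaluate each flow under both models; returns (flow, vlan_ok, zt_ok)."""
    return [(f, vlan_permits(f), zero_trust_permits(f)) for f in flows]


# Constructed traffic: one legitimate poll and three lateral-movement attempts.
SAMPLE_FLOWS = [
    Flow(HISTORIAN, PLC, 502),       # legitimate Modbus poll
    Flow(PRINTER, PLC, 502),         # compromised printer talking Modbus to the PLC
    Flow(HMI, PLC, 22),              # SSH from the HMI to the PLC
    Flow(PLC, "203.0.113.5", 443),   # PLC calling out to the internet
]

if __name__ == "__main__":
    for flow, vlan_ok, zt_ok in compare(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.port}  "
              f"VLAN={'allow' if vlan_ok else 'deny'}  "
              f"zero-trust={'allow' if zt_ok else 'deny'}")
```

Run it and the second and third flows show the gap the question is really about: the VLAN lets the printer and the HMI reach the PLC on any port, while the explicit-allow policy passes only the named Modbus polls. Note that direction is part of the rule; the PLC initiating a connection back to the historian is denied even though the reverse flow is allowed.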
Question 6: How fast can a 200-user organisation get to real value?
Deployment timeline is a near-universal question, and it is usually pinned to a specific size. For a 200-user organisation, CISOs want to know weeks-to-value, not a phased enterprise roadmap measured in quarters.
The reason is structural. Mid-market teams have near-zero tolerance for deployment delays, while traditional enterprise SASE takes six to eight months to roll out fully. That timeline is unviable when the team is lean and the CyFun clock is running. CISO mobility adds pressure: the 2026 IANS and Artico Search benchmark found 70% of CISOs open to a move within twelve months, and a leader with a short horizon will not approve an 18-month migration.
A weak answer quotes a best-case lab figure. A strong answer describes a phased path with a realistic first milestone. Jimber typically starts with ZTNA for a pilot group, expands application coverage, then adds SD-WAN for branch connectivity, with a 200-user organisation reaching initial value in weeks. One Belgian wealth manager completed a full migration in eight weeks. Honest timelines, including the dependencies that can slow a rollout, land better than optimistic ones.
Question 7: Who operates this day to day, us or a partner?
The managed-service question reflects how mid-market security actually runs. Around 47% of organisations turn to managed providers specifically because they lack in-house expertise, against a skills gap affecting roughly two-thirds of organisations. So CISOs ask who holds the console day to day, and what the partner can and cannot do.
This is not a minor operational detail. When a service partner operates the platform, the CISO needs a multi-tenant management plane with strict tenant isolation, single-pane visibility, and clear boundaries on partner access. Outsourcing security does not transfer compliance responsibility, and auditors increasingly probe whether the customer understands and controls what their partner does on their behalf.
A weak answer treats multi-tenancy as a checkbox. A strong answer shows per-tenant policy, consolidated visibility, and onboarding that does not require rebuilding configuration for each customer. Jimber is built partner-first: service partners manage multiple tenants from one interface using consistent templates, which is the model most mid-market deals actually use. The distinction between vendor responsibility and partner responsibility should be explicit in the contract, not assumed.
Question 8: How does this fit our existing identity provider, SIEM and ticketing?
Integration questions are where evaluations get practical. CISOs want to know whether the platform plugs into the identity provider, SIEM and ticketing systems already in place, or whether it forces a parallel stack. The concern is operational drag, not novelty.
The context is a lean team that cannot absorb another set of manual handoffs. Mid-market organisations report stitched-together stacks and limited headcount, with only 17% prioritising new hires and the rest leaning on automation. An integration that requires manual log export or breaks SSO defeats the consolidation the platform is supposed to deliver.
A weak answer lists logos on a partner page. A strong answer is specific about authentication patterns (SAML or OIDC federation, and how users and groups are synchronised from the directory), log forwarding (the format and transport the SIEM will actually ingest, and whether every component feeds the same stream) and API coverage. Jimber is API-first with SSO and identity-provider synchronisation, and forwards a unified log stream rather than fragmenting events across tools. The right test is whether the platform reduces the number of places a stretched team has to look, not whether it technically connects.
Question 9: How do you handle AI, both in the platform and for our employees’ use of it?
The AI question changed shape entirely. Two years ago CISOs asked whether the platform used machine learning to detect threats. In 2026 the dominant question is “how do you secure my employees’ use of AI”, because shadow AI has become a live data-egress problem.
The driver is unapproved generative AI. Employees paste sensitive data, client spreadsheets and source code into free external tools, and Gartner has formalised “AI usage control” as a distinct category in response. CISOs now want real-time shadow AI discovery, data-loss-prevention filtering on outbound prompts, and guardrails aligned with the EU AI Act and the OWASP guidance for agentic applications. The goal is governed use, not a blanket block that pushes employees toward workarounds.
This is a question where honesty matters most. A weak answer conflates “we use AI internally” with “we govern your AI use”, which are different problems. A strong answer separates the two and is candid about current capability versus roadmap. A SASE platform with a secure web gateway and DLP is the natural enforcement point for outbound AI traffic, and CISOs are right to test how far that enforcement actually reaches today rather than accept a roadmap promise.
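The two halves of "governing AI use" that the previous paragraphs describe, shadow-AI discovery and DLP on outbound prompts, are easy to test for once you know what the enforcement point has to do. The following is an added example (written for this page, not Jimber code) of both checks as a secure web gateway would run them. The destination catalogue, the detector patterns, the log format and the log lines are all constructed for illustration; a real gateway takes the catalogue from its URL categorisation feed and the detectors from its DLP policy.

```python
"""Shadow-AI discovery and outbound-prompt DLP as an SWG enforcement point
would run them. Catalogue, patterns, log format and log lines are
constructed for illustration (not Jimber's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed catalogue: "sanctioned" tools were approved by the business,
# "unsanctioned" ones are shadow AI; any other host is not an AI service.
AI_DESTINATIONS = {
    "chat.vendor-a.example": "sanctioned",
    "api.vendor-a.example": "sanctioned",
    "chat.vendor-b.example": "unsanctioned",
    "free-llm.vendor-c.example": "unsanctioned",
}

# Constructed, deliberately simple detectors (the IBAN pattern is simplified).
DLP_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[0-9A-Z]{4}){3,7}\b"),
    "internal_host": re.compile(r"\b[a-z0-9-]+\.corp\.internal\b"),
}
UNREDACTABLE = {"private_key"}  # a key in a prompt is a leak, not something to mask


@dataclass
class Decision:
    action: str                      # allow | allow_redacted | log_only | block
    reasons: List[str] = field(default_factory=list)
    redacted_body: Optional[str] = None


def classify_destination(host: str) -> str:
    return AI_DESTINATIONS.get(host, "not_ai")


def find_sensitive(body: str) -> Dict[str, List[str]]:
    """Detector name -> matches found in the prompt body."""
    hits = {}
    for name, pattern in DLP_PATTERNS.items():
        found = pattern.findall(body)
        if found:
            hits[name] = found
    return hits


def inspect_request(user: str, host: str, body: str) -> Decision:
    """Policy for one outbound request: govern use, never let secrets out."""
    category = classify_destination(host)
    if category == "not_ai":
        return Decision("allow", ["not an AI destination"])
    hits = find_sensitive(body)
    if not hits:
        if category == "sanctioned":
            return Decision("allow", ["sanctioned AI destination, no sensitive data"])
        return Decision("log_only", [f"unsanctioned AI destination {host} recorded for {user}"])
    kinds = ", ".join(sorted(hits))
    if category == "unsanctioned" or UNREDACTABLE.intersection(hits):
        return Decision("block", [f"{category} AI destination with {kinds}"])
    redacted = body
    for name, pattern in DLP_PATTERNS.items():
        redacted = pattern.sub(f"[REDACTED:{name}]", redacted)
    return Decision("allow_redacted", [f"sanctioned AI destination, masked {kinds}"], redacted)


# Constructed proxy log format; one line is deliberately malformed.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) method=(?P<method>\S+) bytes_out=(?P<bytes>\d+)$"
)
PROXY_LOG = """\
2026-05-04T09:12:33Z user=alice host=chat.vendor-a.example method=POST bytes_out=5120
2026-05-04T09:14:02Z user=bob host=free-llm.vendor-c.example method=POST bytes_out=248000
2026-05-04T09:15:40Z user=bob host=free-llm.vendor-c.example method=POST bytes_out=1200
garbage line that the parser must skip
2026-05-04T09:20:11Z user=carol host=intranet.corp.internal method=GET bytes_out=300
2026-05-04T09:21:05Z user=dave host=chat.vendor-b.example method=POST bytes_out=9800
"""


def discover_shadow_ai(log_text: str) -> Dict[str, dict]:
    """Inventory unsanctioned AI destinations: who used them and how much left."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or classify_destination(m["host"]) != "unsanctioned":
            continue
        entry = report[m["host"]]
        entry["users"].add(m["user"])
        entry["requests"] += 1
        entry["bytes_out"] += int(m["bytes"])
    return {host: {**v, "users": sorted(v["users"])} for host, v in report.items()}


if __name__ == "__main__":
    print(discover_shadow_ai(PROXY_LOG))
    print(inspect_request("alice", "chat.vendor-a.example", "rotate AKIAABCDEFGHIJKLMNOP"))
```

The policy encodes the "governed use, not a blanket block" point directly: a clean prompt to an unapproved tool is logged for the shadow-AI inventory rather than blocked, a secret bound for an approved tool is masked in transit, and a secret bound for an unapproved tool (or a private key bound anywhere) is stopped. When testing a vendor, the useful question is which of these four outcomes their gateway can actually produce today on TLS-inspected traffic, and which rely on a roadmap.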
Question 10: What happens if you fail, get acquired, or raise prices, and how do we exit?
The vendor-risk question closes most serious evaluations. CISOs ask about lock-in, exit strategy and financial stability, and in financial services this is a regulatory requirement rather than diligence.
DORA, enforceable since 17 January 2025, mandates it directly. Article 30 requires documented exit strategies and audit rights for ICT third parties, and financial entities remain fully responsible for their vendor ecosystem under Article 28. The dry-run register-of-information exercise saw 93.5% of firms fail on data quality, which is why CISOs now ask for clear data-portability pathways and technical runbooks showing how traffic can re-route without forcing thousands of users to re-authenticate if a provider fails.
A weak answer treats exit as a contract clause. A strong answer treats it as an architecture property: portable configuration, exportable data, and a documented migration path. For European mid-market buyers, vendor jurisdiction and corporate stability are part of this calculus, which loops back to the sovereignty question. A vendor that can explain its exit story without defensiveness signals confidence in the rest of the platform.
What these questions reveal about mid-market SASE buying in 2026
The ten questions cluster around operating-model fit, not feature checklists. Mid-market CISOs want platforms that demonstrate sovereignty, retire real tools, produce audit evidence, secure agentless devices, and govern AI use. The priority order has shifted from “what can it do” to “can my team actually run it, prove it, and leave it if needed”.
This tracks a broader change in the role itself. The 2026 IANS and Artico Search benchmark found executive-level CISO titles now the most common levelling, with 36% reporting outside IT to the CEO, COO or Chief Risk Officer. As the role becomes a board-level risk function, the questions become business questions: liability, resilience, exit, cost certainty. Paul Bayle, Group CISO at Atos, framed this at Cybersec Europe 2026 as the move from technical oversight of firewalls and endpoints toward enterprise resilience and supply-chain integrity.
The regulatory calendar sharpened the focus. With the CyFun deadline behind them and DORA in force, CISOs in Belgium and the wider Benelux translate broad directives into specific, hard-hitting questions at the evaluation table. ENISA and the Centre for Cybersecurity Belgium set the macro requirements, but the precise phrasing comes from the room. That is why vendor-side experience across real evaluations is worth more here than another analyst quadrant.
The honest reading is that no single platform answers all ten perfectly. The agentless and sovereignty questions favour European single-vendor platforms like the Jimber SASE platform. The integration and AI-governance questions are where every vendor, including us, has to separate shipping capability from roadmap. The CISOs who run the best evaluations are the ones who insist on that distinction.
Frequently asked questions
How many SASE evaluations did Jimber participate in to compile these questions?
Approximately 50 European mid-market evaluations during 2025 and 2026, including direct vendor conversations, service partner-led evaluations, and formal RFP processes. The figure is a deliberate approximation, drawn from hands-on experience rather than a structured survey.
Do these questions apply to enterprises or only mid-market organisations?
They reflect mid-market priorities specifically, organisations of roughly 50 to 400 users with lean teams and constrained budgets. Enterprises ask overlapping questions but weight them differently, with more tolerance for long rollouts and dedicated security operations capacity.
Which question comes up most often in 2026?
Sovereignty and audit-readiness are the most consistent, driven by the CLOUD Act jurisdiction conflict and the passing of the 18 April 2026 CyFun verification deadline. Tool sprawl follows closely, usually framed around a specific console and contract count.
Has the question pattern changed since NIS2 entered application?
Yes. Audit questions shifted from “does this align with NIS2” to “can this produce the evidence my auditor will demand”, reflecting the move from a standard of effort to a standard of proof after the CyFun deadline.
Are the questions different in Belgium versus Germany or the Netherlands?
The themes are consistent across the Benelux, but the framing is local. Belgian CISOs anchor on CyFun and the CCB, while the underlying sovereignty, sprawl and agentless-device concerns appear across all three markets.
If one or two of these questions reflect a conversation happening inside your own organisation, the Jimber team is glad to walk through how we answer them in real evaluations. Book a 30-minute call and see the answers in practice rather than the framing in writing.