Choosing a SASE platform is a multi-year commitment, and the marketing checkmarks on a vendor datasheet rarely tell you what you actually need to know. The questions that matter are about legal ownership, the costs that surface after signature, and whether the platform can secure the devices your team cannot install software on.
This checklist gives you 25 questions to put in front of any SASE vendor before you commit. It is built for European mid-market organisations, roughly 50 to 400 users, with lean IT teams and finite budgets. Use it as the backbone of an RFP, or as a screening tool before you shortlist.
What should a SASE RFP checklist actually cover?
A strong SASE RFP checklist looks past feature lists and tests four things vendors prefer not to discuss: legal jurisdiction over your data, the costs that appear after signing, whether a small team can actually run the platform, and how it handles devices that cannot take an agent. Platforms like Jimber, built in Belgium for the European mid-market, are designed around exactly these questions. The 25 below are grouped into eight evaluation areas so you can score vendors consistently.
The checklist is deliberately neutral on brand. Most of the questions a US-headquartered provider, a European provider, and a firewall-heritage vendor would each answer differently, and those differences are where the real decision sits.
Is the platform one system, or several products stitched together?
A natively unified single-vendor SASE platform processes security and routing policy in one engine, so a lean team manages every location from a single console. A framework assembled from acquired point products carries integration debt: separate policy models, multiple interfaces, and administrative friction that lands on whoever has to run it day to day.
The label “single-vendor SASE” gets applied loosely. Some platforms reached it by acquisition and never merged the codebase underneath. These three questions separate genuine convergence from a bundle.
Q1. Is the platform built on a single operating system with a unified policy engine, or does it chain separate security and networking products together?
Q2. Does enabling full SSL/TLS decryption introduce a performance penalty or require additional appliance licences?
Q3. How does the system keep policy in sync between on-premises environments, cloud instances, and remote endpoints?
A vendor that converged properly answers these without hedging. One that bundled will start describing integrations.
What will this cost after the first invoice?
SASE contract evaluations have to account for the entire agreement term, not the headline subscription. Standard pricing often hides egress fees, bandwidth overage penalties, and separate charges for hardware, premium support tiers, or mandatory deployment services. Stacked together, these can lift first-year contract value well above the quoted figure.
This is where most evaluations fall short. The base rate looks competitive; the add-ons accumulate quietly. Premium support and professional deployment services are common culprits, each adding a meaningful slice to the annual and first-year totals respectively.
There is also a structural cost pressure worth naming. According to research from dope.security published in late 2025, average colocation rates rose 63 percent between 2021 and 2025, climbing from roughly 120 to 196 US dollars per kW per month. Cloud-proxy SASE vendors route all traffic through physical data centres for inspection, so that infrastructure cost flows downstream. The same research links this to subscription and renewal increases of more than 35 percent at traditional cloud-proxy security vendors. Predictable per-user pricing, the model platforms like Jimber use, sidesteps the bandwidth-driven surprises entirely.
Q4. What are the specific bandwidth and throughput limits per site, and how are overage fees calculated?
Q5. Are premium support packages, including 24/7 access and a dedicated technical account manager, priced as separate add-ons?
Q6. Does the contract allow annual true-ups, scope reductions, or mid-term adjustments if business requirements change?
If a vendor cannot give you per-site limits and an overage formula in writing, you cannot model your three-year cost. Treat that as a finding, not a footnote.
Who can legally access your data, and under which law?
A vendor can host every byte inside the EU and still hand your traffic logs to a foreign government. US-headquartered providers fall under the extraterritorial reach of the CLOUD Act, which lets US authorities compel American companies and their foreign subsidiaries to disclose stored data regardless of where the servers physically sit. Data residency answers where the data lives. Data sovereignty answers who controls access to it, and that is the question NIS2 supply chain audits actually test.
This is the single most misread item on most checklists. A European data centre operated by a US-controlled entity satisfies residency and fails sovereignty. The distinction is legal, not geographic.
True sovereignty needs an exclusively EU corporate structure, local processing, and encryption key management the customer controls, where the vendor is technically unable to decrypt your data. Jimber is headquartered in Belgium and operates under EU jurisdiction, with no US parent that could be compelled. That is the property these four questions are designed to surface.
Q7. Where is the legal headquarters of the parent corporation, and which national laws govern your contract?
Q8. Where are the traffic inspection planes, management portals, disaster recovery setups, and audit logs physically located?
Q9. Does the platform support customer-controlled encryption key management, where the vendor remains technically incapable of decrypting your data?
Q10. How does the vendor handle the EU Data Act provisions phasing out cloud switching costs?
That last point matters strategically. From January 2027, the EU Data Act removes switching charges for cloud services, which lowers the cost of leaving a vendor and strengthens the case for independent European alternatives. For the fuller argument, see our analysis of why network security needs the same sovereignty shift as the rest of your stack.
Can a three-person team actually run it?
Enterprise SASE architectures assume a network and security team with deep specialist knowledge. In the mid-market, three people often run the entire network. The platform you choose has to suit that reality, with sensible default policies and one interface, so a generalist administrator can secure remote users, branches, and cloud applications without juggling disconnected tools.
Integration debt is the hidden tax here. Every console you switch between, every routing table you hand-configure, is time a small team does not have. The test is whether the platform was designed for lean operations or merely scaled down from an enterprise build.
Q11. Can security policy, firewall rules, and SD-WAN routing be managed from one console without switching interfaces?
Q12. Does the platform ship with automated, out-of-the-box security policies, or does it require manual configuration of complex routing tables?
Q13. How does the system consolidate event logs into clean compliance evidence for external audits?
For a deeper read on the day-to-day operating model, our guide to evaluating and comparing SASE platforms sets out the seven criteria that separate platforms built for small teams from those that merely tolerate them.
How does it secure devices that cannot run an agent?
Standard zero-trust network access depends on endpoint software. That leaves legacy industrial systems, medical hardware, IP cameras, and unmanaged contractor devices outside the security model, because you cannot install an agent on a PLC or an HMI. A hardware-enabled IT-OT bridge solves this by sitting inline between the equipment and the network, isolating those systems and applying identity-aware policy without touching the endpoint.
This gap is almost universally absent from competing checklists, and it is decisive for any organisation with a production floor or heavy contractor access. Jimber’s NIAC hardware provides exactly this agentless, inline isolation, which is why the OT questions below belong in the evaluation rather than as an afterthought.
Q14. How does the platform discover, classify, and secure legacy or OT devices that cannot run standard security software?
Q15. Does the solution provide hardware-enabled, agentless inline network isolation to separate OT environments from the IT network?
Q16. Can unmanaged contractor devices reach specific private applications without MDM enrolment or agent installation?
A vendor whose only answer is “install our agent” has just told you it does not cover a large part of your estate.
Will it stand up to a NIS2 or DORA audit?
European cybersecurity regulation requires essential entities to document and manage third-party supply chain risk. Your SASE vendor is part of that supply chain. It needs to produce real-time logging that supports mandatory 24-hour incident reporting, and it should hold recognised certifications that simplify your own audit and reduce personal liability for board members.
The Belgian context makes this concrete. According to the Centre for Cybersecurity Belgium, 1,574 essential entities are registered under NIS2, and 75 percent of them chose the CyberFundamentals (CyFun) path. With the first CyFun verification deadline of 18 April 2026 now passed, audit readiness is no longer a future concern for registered entities. Non-compliance carries significant financial penalties under both NIS2 and GDPR, which is reason enough to test a vendor’s audit support before signing.
Q17. How does the solution help fulfil the supply chain security risk assessments required under NIS2 Article 21?
Q18. Does the platform generate real-time log data capable of meeting strict 24-hour incident reporting timelines?
Q19. Does the vendor hold active certifications such as CyberFundamentals (CyFun) or ISO 27001 to support your compliance audits?
The CISO-level version of these questions is covered in our piece on what CISOs ask SASE vendors in 2026, which goes deeper on how sovereignty and audit evidence interact.
Does the SLA actually protect your critical traffic?
Vague uptime claims do nothing for voice and transaction applications when packet loss and latency creep in. You need to know whether the SLA guarantees regional, single-digit-millisecond latency and sub-second failover across a private backbone, or whether it simply averages global uptime across the public internet.
The difference is large in practice. A global aggregate average can look excellent while a specific regional PoP underperforms for your users. Pin the SLA to the level that affects your traffic.
Q20. What is the specific uptime SLA, and does it apply at a regional PoP level or only as a global aggregate average?
Q21. How is traffic routed during a primary PoP failure, and what is the exact sub-second failover behaviour?
Q22. Does the vendor operate a private global backbone, or does the system route traffic over the public internet?
Is zero trust continuous, or just a one-time check at login?
Zero-trust network access replaces the static firewall perimeter with continuous, identity-based validation. A real implementation integrates with your identity provider and enforces context-aware policy on live signals: device posture, location, and isolation of web content before it reaches the endpoint. A weak one verifies once at login and trusts the session afterwards.
This is where the architecture either holds or leaks. Streamed, containerised browser isolation, one of Jimber’s live components, neutralises web-based threats by keeping risky content off the endpoint entirely rather than relying on detection after the fact.
Q23. Does the platform integrate natively with major identity providers such as Entra ID, Okta, or Ping Identity?
Q24. Can access policy be restricted dynamically based on real-time device posture checks and geographic boundaries?
Q25. Does the platform include containerised browser isolation to stream safe web content to endpoints?
Where the honest trade-offs are
A checklist that only flatters one vendor is not worth running. Three trade-offs deserve a straight answer during any SASE evaluation.
If you have recently invested in on-premises firewall appliances, moving to a fully cloud-based SASE model can mean writing down hardware before its useful life ends. A hybrid transition period is sometimes the sensible path rather than a clean cut.
Single-vendor consolidation reduces integration and management load, but it does concentrate both connectivity and security with one provider. The EU Data Act’s removal of switching costs from January 2027 softens that lock-in materially, though it does not erase the dependency.
And radical simplicity has an edge case. Platforms that reduce complex routing to logical defaults can require a topology adjustment for organisations running highly specific legacy protocols, such as enterprise-grade BGP peering. For most mid-market networks this is a non-issue. For a few, it is worth checking early.
Frequently asked questions
What is the difference between data residency and data sovereignty?
Data residency specifies where data is physically stored. Data sovereignty determines which legal jurisdiction governs access to it. An EU data centre satisfies residency, but if the provider is a US-controlled entity subject to the CLOUD Act, it fails sovereignty.
How does the US CLOUD Act affect European SASE customers?
The CLOUD Act lets US authorities compel US-headquartered companies and their foreign subsidiaries to disclose stored data. Traffic logs, configuration files, and identity metadata passing through a US-controlled SASE platform stay legally exposed to foreign access requests, regardless of server location.
What hidden costs show up most often in SASE agreements?
Procurement teams routinely miss bandwidth overage penalties, premium support fees billed as separate add-ons, and mandatory professional deployment services. Together these can push first-year contract value well past the quoted subscription figure, so insist on per-site limits and an overage formula in writing.
Why do legacy cloud-proxy SASE models face price increases?
Cloud-proxy architectures route all traffic through physical data centres for inspection. According to dope.security, rising AI-driven power demand pushed colocation lease rates up 63 percent between 2021 and 2025, and proxy-based vendors have passed that through as subscription and renewal increases above 35 percent.
How does a hardware-enabled IT-OT bridge secure legacy systems?
Legacy operational technology cannot run modern endpoint agents. A hardware-enabled bridge sits directly between the industrial equipment and the network, isolating the systems and applying zero-trust policy verification without changing the legacy environment or risking production downtime.
What are the NIS2 audit requirements for SASE procurement?
Under NIS2 Article 21, organisations must run cybersecurity risk assessments of their ICT supply chain. For SASE specifically, that means evaluating the data sovereignty, ownership structure, and legal jurisdiction of the provider before signing, and confirming the platform produces the logging an audit needs.
Run these 25 questions against your shortlist and the gaps tend to show themselves fast. If you want to see how a sovereign, single-console platform answers each one for an environment your size, book a Jimber demo and bring the checklist with you. We will work through it line by line, including the questions other vendors would rather you skipped.