VPN or Zero Trust: What to Choose to Secure an SME in 2026

Has enterprise VPN become obsolete in the face of Zero Trust? For large organizations, yes. For SMEs, the reality is more nuanced. Pragmatic analysis.

The classic VPN: what it does well

• Encrypted connection remote → internal network
• Access to legacy resources (SMB servers, apps on private network)
• Low cost: included in most SME firewalls (FortiGate, Stormshield)
• Simple to deploy and understand

VPN limitations

• Once connected, the user has access to the entire network by default (no least privilege)
• A compromised workstation becomes a pivot point on the LAN
• Poor user experience (connection to manually activate, slowness)
• No fine-grained visibility on access (who accessed what, when)

Zero Trust Network Access (ZTNA): the principle

Rather than opening a tunnel to the entire network, ZTNA verifies each access to each resource:

• Strong identity (MFA mandatory)
• Device posture (up to date, EDR active, compliant)
• Context (time, location, behavior)
• Access only to the requested resource, nothing more

ZTNA solutions for SMEs

• Cloudflare Zero Trust: free up to 50 users, then $7/user/month
• Tailscale: ~€5/user/month, based on WireGuard
• Microsoft Entra Private Access: included in certain M365 E5 plans
• FortiClient Fabric Agent with FortiGate ZTNA

Quick comparison SME 20 workstations

• Traditional VPN (FortiGate): €0/user (already paid via firewall) + 1 day setup
• Cloudflare Zero Trust Free: €0 up to 50 users + 2–3 days setup
• Tailscale: ~€100/month for 20 users + 1 day setup

Our recommendation SME 2026

1. For simple use cases (NAS access, RDP server): classic VPN on FortiGate or Stormshield is sufficient, with MFA enabled on the VPN.
2. For multi-cloud and SaaS apps usage: go directly to ZTNA. Cloudflare Zero Trust Free is unbeatable to start.
3. Combining both is often the best transition approach: ZTNA for SaaS/cloud, residual VPN for legacy on-prem.

Conclusion

VPN is not dead. It is complemented by ZTNA for new use cases. For 80% of SMEs, a VPN with MFA + Cloudflare Zero Trust free in parallel for SaaS = good hygiene in 2026.