Compliance offerings from SAP

NIS2 is the most recent EU directive aimed and harmonizing and improving its cybersecurity framework for Critical Infrastructure (CI) providers. In addition to SAP being a registered CI provider, SAP serves Critical Infrastructure (CI) providers in many countries across the globe and contributes to their compliance with their respective cybersecurity regulations. SAP is a registered CI provider in Germany (KRITIS), subject to German jurisdiction. We are monitoring Germany’s adoption of its draft NIS2 law and will provide further updates as matters evolve.

DORA is an EU regulation on cybersecurity applicable as of January 17, 2025. It aims to strengthen the security and resiliency of information and communication technology (ICT) services of financial entities such as banks, insurance companies, and investment firms, helping to maintain and restore financial functions in the event of a severe operational disruption. DORA brings harmonization of various cybersecurity legal requirements to 20 different types of financial entities and to ICT third-party service providers. Aligning with and building upon NIS2 requirements, DORA takes precedence when it involves financial entities (lex specialis).

The Government of Canada Cloud Service Provider Security Assessment Process provides a means for cloud service providers to undergo standardized assessments that inform risk owners responsible for Security Assessment and Authorization. SAP Cloud Services have been assessed against the Protected B/Medium/Medium control profile (Cloud Medium).

C5 has proven itself, because of its neutrality, scope, compactness, and testability, as an attestation for a stable foundation for internal auditing and for information security management in regulated industries.

The Australian Government Cloud Security Assessment and Authorization Framework defines a means for an organization’s cybersecurity team, cloud architects, and business representatives to jointly perform a risk assessment and use SAP Cloud Services securely.

CCPS is a China regional regulatory security certification mandated by article 21 of the China Cybersecurity Law (CCSL) aiming to ensure cybersecurity. It is a China nationwide security program that provides a standardized approach to security design, assessment, audit, certification, renew and continuous monitoring against the CCPS baseline security requirements for systems/networks hosted in Mainland of China. Every organization who owns/operates/runs systems/networks in Mainland of China has CCPS compliance legal obligation.

Endorsed by the European Data Protection Board and approved by the Belgian Data Protection Authority, the EU Cloud CoC allows cloud service providers to demonstrate adherence to GDPR requirements (Article 28 GDPR and its related Articles).

The Data Act (effective September 12, 2025) is designed to enhance the EU’s data economy and foster a competitive data market by making data more accessible and usable, encouraging data-driven innovation and increasing data availability. Applicable in the 27 member states of the European Union, the law offers cloud customers (for data processing services) the right to switch providers within a defined notice period.

For government agencies, security is at the heart of every IT project. Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

ISMAP is Japan’s information system security management and assessment program that enables governments to assess and register cloud services that meet the government's security requirements. This program is based on the "Basic Framework for the Security Evaluation System for Cloud Services in Government Information Systems".

Select SAP solutions have successfully completed the 2024 South Korea Cloud Service Providers (CSP) Safety Assessment Program, also known as the Regulation on Supervision on Electronic Financial Transactions (RSEFT) Delegated Assessment. The financial sector in South Korea is required to adhere to a variety of cybersecurity standards and regulations. Having passed the Delegated Assessment conducted by the South Korea Financial Security Institute, financial institutions in South Korea can now deploy these compliant SAP solutions to process and store data, subject to compliance with applicable security measures for financial companies.

The National Security Framework (ENS) is made up of the basic principles and minimum requirements necessary for the adequate protection of the information processed and the services provided by an organization. ENS compliance helps ensure access, confidentiality, integrity, traceability, authenticity, availability and conservation of data and services processed by electronic means.

Cyber Essentials is a UK government backed cybersecurity Certification scheme that helps organizations protect themselves against common cyber threats. Cyber Essentials is available at the following Certification Levels:

• (Level One) Cyber Essentials: A self-assessment, where organisations complete a questionnaire which is then reviewed and marked by an independent Certification body.

• (Level Two) Cyber Essentials Plus: A technical audit of scoped IT systems by an independent Certification body.