Compliance offerings from SAP
The Digital Operational Resilience Act (DORA)
SAP is officially designated by the ESAs (European Supervisory Authorities) as Critical ICT Third-Party Service Provider (CTPP). SAP is globally addressing the implications for our customers, partners, and vendors.
SOC & C5 Performance Calendar FY2025-2026
SAP is committed to timely and transparent reporting. SOC 1 reports are targeted for publication within 90 days after each performance period. SOC 2 reports follow a 12-month audit cycle, with the next release scheduled for the first half of 2026. For any questions, your account executive or customer success partner is ready to assist.
ISO/IEC 42001 for AI management systems
SAP has achieved certification for ISO/IEC 42001, the first global standard for AI management systems. This reflects our implementation of a structured, independently audited AI management system.
How our compliance offerings support our customers’ business needs
SAP is committed to prioritizing compliance through precise standards and practices that guarantee data integrity, regulatory adherence, and ethical conduct across our customers’ operations.
Compliance documents on demand
The SAP for Me customer portal is the central access point and the go-to destination for existing SAP customers to download eligible compliance documents on demand. The feature is available in the Portfolio & Products section of SAP for Me.
SAP Central Cloud Services Reports
SAP will release new SOC 1, SOC 2, and C5 reports under the name SAP Central Cloud Services. These reports replace the previous SOC 1 reports for SAP Business Technology Platform, SAP Cloud Infrastructure, SAP Cell and Gene Therapy Orchestration, and SAP Intelligent Clinical Supply Management.
Controlled Goods Program (CGP)
SAP Canada Inc.’s registration in Canada’s Controlled Goods Program strengthens our commitment to national security and compliance with Canadian regulations. By meeting strict requirements for handling sensitive goods and technical data, SAP helps customers confidently manage controlled goods projects in a secure and trusted environment.
SAP global compliance offerings
SAP builds its security foundation on global standards and compliance to meet evolving challenges. Explore our latest certifications, reports, and attestations for trusted assurance.
ISO/IEC 42001 AI management system
ISO/IEC 42001 sets auditable requirements for responsible AI governance across policies, risk management, deployment, monitoring, and continuous improvement. It supports transparency, human oversight, security, privacy, and customers’ regulatory needs.
ISO 9001 Quality Management System
ISO 9001 is based on quality management principles (such as strong customer focus) that involve top SAP management.
ISO 27001 Security Management System
ISO/IEC 27001 provides a holistic, risk-based approach to security and a comprehensive and measurable set of information security management practices.
BS 10012 Personal Information Management System
BS 10012 specifies a personal information management system whose requirements cover employee security awareness training, risk assessments, data retention, and disposal.
ISO 27018 Code of Practice for Personally Identifiable Information
ISO/IEC 27018 sets guidance for cloud service providers to protect personally identifiable information. It also supports ISO 27001 by recommending information security controls for protecting personal data in the public cloud.
ISO 27017 Code of Practice for Cloud Service Information Security
ISO/IEC 27017 provides information security controls for cloud services. It extends ISO/IEC 27001 with implementation guidance on cloud-specific information security controls, for both cloud service providers and cloud service customers.
Sustainability ISO 14001 and ISO 50001
A multisite certificate confirms that SAP’s environmental management system complies with the international ISO 14001:2015 standard. The appendix to this certificate lists all certified sites covered by SAP’s environmental management system. Some sites additionally hold an ISO 50001:2018 certification, confirming compliance with energy management standards.
ISO 22301 Business Continuity Management System
ISO 22301 helps protect business operations from severe disruption, such as extreme weather, fire, natural disaster, theft, and IT outages.
SOC 1 reports
Auditors of SAP customers’ financial statements receive information from SAP about cloud solution controls that are often relevant to a customer’s internal control over financial reporting. SOC 1 reports are issued under the SSAE 18 and ISAE 3402 attestation standards. A type I report describes the design of the audited controls as of a point in time; a type II report also covers their operating effectiveness over a review period.
SOC 2 reports
Customers gain relevant insights into the security, availability, processing integrity, confidentiality, and privacy of the control systems that handle their data. SOC 2 reports are issued under ISAE 3000 and the AICPA attestation standards (AT-C sections 105 and 205 of SSAE 18, formerly AT 101) and are based on the AICPA Trust Services Criteria. A type I report describes the design of the audited controls as of a point in time; a type II report also covers their operating effectiveness over a review period.
Bridge letters
Bridge letters inform customers of any significant changes to the control environment between the end date of the most recently completed SOC report and the issue date of the bridge letter, so that the gap before the next report is covered.
Payment Card Industry Data Security Standard (PCI DSS)
This global data security standard is adopted by the payment card brands for all entities that process, store, or transmit cardholder data. PCI DSS consists of requirements that mirror security best practices across industries.
Good Practice (GxP) quality guidelines and regulations
This collection of guidelines and regulations is created to ensure that biopharmaceutical products are safe, meet their intended uses, and adhere to quality processes during manufacturing, control, storage, and distribution.
Trusted Information Security Assessment Exchange (TISAX)
TISAX enables mutual acceptance of information security assessments in the automotive industry and provides a common assessment and exchange protocol.
The following SAP locations are evaluated at TISAX AL3 (high protection needs) with zero nonconformities in the assessed control areas: St. Leon-Rot and Walldorf, Germany; Bengaluru, India; San Pedro Garza García, Mexico; Bucharest, Romania; Chicago, Colorado Springs, Newtown Square, and Palo Alto, United States.
Find TISAX assessments with these search terms:
Scope ID: S0R94X
Assessment IDs: AMFL1Y-1, AMFL1Y-2
Accessibility
SAP provides information about the compliance of our products with US Section 508, WCAG 2.2, and EN 301 549 standards based on the Voluntary Product Accessibility Template upon request.
Cloud Security Alliance (CSA)
The Cloud Security Alliance is a not-for-profit organization that develops and promotes best security practices for cloud computing; SAP applies its guidance to SAP cloud deployments.
Ethics and compliance
SAP is committed to the highest standards of ethical business practices. We strive to undertake business with integrity and follow both the spirit and the letter of the law in all global markets in which we operate.
IDW PS 880
IDW PS 880 is the auditing standard of the German Institute of Public Auditors (IDW) for the attestation of software products. SAP provides attestations of SAP software issued pursuant to this standard.
SAP regional compliance offerings
CANADA
Canadian Cloud Compliance
SAP cloud services have been assessed by the Government of Canada against the Protected B/Medium Integrity/Medium Availability (PBMM) security control profile. SAP Sovereign Cloud for Canada has also been assessed against the Protected B High Value Asset (PBHVA) overlay. Additionally, SAP Canada Inc. is registered under Canada’s Controlled Goods Program (CGP), as required by Canadian regulations. Customers can verify our registration in the public CGP registry and request copies of our certificate and Canadian Centre for Cyber Security (CCCS) Cloud Assessment Summary Reports.
Federal Risk and Authorization Management Program (FedRAMP)
For government agencies, security is at the heart of every IT project. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
EU
Cloud Computing Compliance Controls Catalogue (C5)
C5 is the cloud security criteria catalogue published by the German Federal Office for Information Security (BSI). Due to its neutrality, scope, compactness, and testability, a C5 attestation has proven to be a stable foundation for internal auditing and for information security management in regulated industries.
EU
Network and Information Security Directive (NIS2)
NIS2 is the most recent EU directive aimed at harmonizing and improving the EU’s cybersecurity framework for critical infrastructure (CI) providers. In addition to being a registered CI provider itself, SAP supports CI providers in many countries with compliance with their respective cybersecurity regulations. SAP is a registered CI provider in Germany (KRITIS), subject to German jurisdiction. We are monitoring Germany’s adoption of its draft NIS2 implementation law and will provide further updates as matters evolve.
EU
The Digital Operational Resilience Act (DORA)
SAP was officially designated by the European Supervisory Authorities (ESAs) as a Critical ICT Third-Party Service Provider (CTPP) on 17 November 2025. This designation recognizes SAP’s essential role in supporting the digital infrastructure of the financial sector. As a CTPP, SAP is subject to direct oversight by the ESAs, with corresponding requirements for operational resilience and ICT risk management. For our financial services customers, this designation reinforces transparency and trust, demonstrating that SAP meets the standards of security and continuity expected of ICT providers to the financial industry.
EU
EU Cloud Code of Conduct
Endorsed by the European Data Protection Board and approved by the Belgian Data Protection Authority, the EU Cloud Code of Conduct allows cloud service providers to demonstrate adherence to Article 28 of the GDPR and related articles.
EU
EU Data Act
The Data Act (applicable from September 12, 2025) is designed to enhance the EU’s data economy and foster a competitive data market by making data more accessible and usable, encouraging data-driven innovation, and increasing data availability. The law applies in the 27 EU member states and gives customers of data processing services the right to switch providers within a defined notice period.
EU
EU Artificial Intelligence Act (EU AI Act)
The EU AI Act is a comprehensive new law designed to address potential risks to health, safety, and fundamental rights from the development and use of artificial intelligence technologies.
SPAIN
Spain National Security Framework (ENS)
The National Security Framework is made up of the basic principles and minimum requirements necessary for the adequate protection of the information processed and the services provided by an organization. ENS compliance helps ensure access, confidentiality, integrity, traceability, authenticity, availability and conservation of data and services processed by electronic means.
UK
UK Cyber Essentials Certification
Cyber Essentials is a UK government-backed cybersecurity certification program that helps organizations protect themselves against common cyber threats. Certification is available at two levels:
- Cyber Essentials (Level One) is a self-assessment where organizations complete a questionnaire, which is then reviewed by an independent certification body.
- Cyber Essentials Plus (Level Two) is a technical audit of scoped IT systems by an independent certification body.
AUSTRALIA
Cloud Security Assessment (IRAP-CSA)
The Australian government’s Cloud Security Assessment and Authorization Framework defines a means for an organization’s cybersecurity team, cloud architects, and business representatives to jointly perform a risk assessment and use SAP cloud services securely.
CHINA
Cybersecurity Classified Protection Scheme (CCPS)
Every organization that owns, operates, or runs systems or networks in mainland China is legally obligated to comply with CCPS, a regulatory cybersecurity certification mandated by Article 21 of the China Cybersecurity Law. CCPS is a nationwide security program that provides a standardized approach to security design, assessment, audit, certification, renewal, and continuous monitoring against the CCPS baseline security requirements for systems and networks hosted in mainland China.
JAPAN
Information System Security Management and Assessment Program (ISMAP)
ISMAP is Japan’s information system security management and assessment program that enables governments to assess and register cloud services that meet the government's security requirements. This program is based on the Basic Framework for the Security Evaluation System for Cloud Services in Government Information Systems.
SOUTH KOREA
South Korea Financial Security Institute
Select SAP solutions have successfully completed the 2024 Regulation on Supervision on Electronic Financial Transactions (RSEFT) Delegated Assessment. The financial sector in South Korea is required to adhere to a variety of cybersecurity standards and regulations. Financial institutions in South Korea that pass the Delegated Assessment can deploy compliant SAP solutions to process and store data, subject to compliance with applicable security measures.
Compliance resources
Ethics and compliance at SAP
By doing business the right way, in accordance with our Global Code of Ethics and Business Conduct, SAP positively impacts social and economic development, furthering education, justice, democracy, prosperity, development, and health worldwide.