Supplier Qualification of Cloud Service Providers for GxP-Regulated Industries, Using SAP as an Example
With this position paper, SAP and DSAG are addressing cloud service customers in GxP-regulated industries. Its aim is to provide guidance on internal supplier risk management and to clearly formulate how future supplier qualifications should be implemented effectively. At the same time, this paper also addresses the community of regulators and inspectors, with the expectation that they will comment on the formulated position. After all, a uniform, practical approach can only be established through joint consensus between industry and supervisory authorities.
Last revised: November 2025
Table of Contents
1. Introduction
2. Target Group and Objective
3. Status Quo: Requirements for Supplier Qualification
3.1 Practice of Shared Responsibility
3.2 Basis for Decision-Making for Supplier Audits
3.3 Factors in Risk Assessment
3.4 The Different Types of Audits
3.5 SOC2 and SOC2+ Reports: Advantages and Challenges
3.6 Example SAP: GxP-Compliant Cloud Services
4. Position of SAP and DSAG
4.1 Targeted Risk Assessment
4.2 Target Vision: Future Supplier Qualification Process
5. Summary
Bibliography
Publication information
1. Introduction
The life sciences sector, including the pharmaceutical, biotech, and medical device industries, is undergoing rapid digital transformation. This development is opening up significant opportunities for the sector to become more operationally efficient, scale up, and drive innovation – particularly through the use of cloud computing.
Promoting innovation in the life sciences sector is especially important in this context. After all, innovations have the potential to sustainably improve people’s health and well-being. Modern technologies have already been proven to accelerate the development and market launch of new therapies, medicines, and medical products.[1]
On one hand, these innovations must be accompanied by effective regulation to ensure patient safety, product quality, and data integrity. On the other hand, they should not be hindered by red tape – especially if new approaches demonstrably pose no additional risk to patients. This balance between regulation and freedom to innovate is the key to fully capturing the possibilities of digitalization and cloud computing and making progress in the life sciences sector.
28 years ago, in 1997, the U.S. Food and Drug Administration (FDA) issued its regulation on electronic records and electronic signatures (21 CFR Part 11), the first regulation specifically addressing IT systems in regulated industries. Since then, regulated industries have been trying to keep up with rapid technological developments while following guidelines that are still based on the laws of that time.
This is where rules written in a different era and for different technologies meet the latest, rapidly evolving information technology. Although it is common for regulated industries to reinterpret older rules for new circumstances, the advances in IT over recent decades have been enormous.
From the perspective of SAP and its GxP (good practice) regulated client companies, which are organized under the umbrella of the Deutschsprachige SAP-Anwendergruppe e. V. (German-Speaking SAP User Group, DSAG), this has led to ever-increasing uncertainty. Companies know less and less about which requirements actually apply to IT systems operated in cloud environments. Clear guidance is needed that formulates the technical and organizational requirements for cloud operations and specifies any necessary certifications.
Even more important, however, is guidance on how to manage suppliers of cloud-based software, platforms, and infrastructure for GxP-regulated companies. In recent years, the management requirements for these cloud service providers have been interpreted very differently by both regulated companies and local regulatory authorities.
With this paper, SAP and DSAG are formulating this guidance, which is intended to be clear, binding, and practicable – and which follows the applicable legislation, of course. It is also intended as impetus for discussion of the further development of regulations or to at least have an influence on inspection regulations.
After all, GxP-regulated industries need to keep pace with technological progress if they hope to remain competitive in increasingly unstable markets and amid considerable global uncertainty. They must be able to seize growth opportunities, which makes the use of cloud services inevitable. To do so, they need clear regulatory guidelines that limit bureaucratic burdens the legislators never intended.
2. Target Group and Objective
With this position paper, SAP and DSAG are addressing cloud service customers in GxP-regulated industries. Its aim is to provide guidance on internal supplier risk management and to clearly formulate how future supplier qualifications should be implemented effectively.
At the same time, this paper also addresses the community of regulators and inspectors, with the expectation that they will comment on the formulated position. After all, a uniform, practical approach can only be established through joint consensus between industry and supervisory authorities.
This approach is intended to create trust, ensure compliance with GxP requirements, and at the same time reduce recurring discussions about the interpretation of regulatory requirements.
In this context, SAP and DSAG are clearly in favor of the risk-based approach. This type of supplier management ensures patient safety, data security, and product quality. It will allow the life sciences industry to safely capture the innovation potential of SAP cloud services.
The solution approach presented below relates to SAP as a cloud service provider, as well as to users of cloud services in all common deployment models (public cloud, private cloud; SaaS, PaaS, IaaS). Only GxP-relevant systems are taken into account. The underlying legal framework is essentially the EU GMP guidelines, which contain comprehensive requirements for supplier qualification, complemented by GAMP 5 best practices and the U.S. regulations 21 CFR Part 11 and 21 CFR Part 820. The paper focuses in particular on the requirements of German law and their practical interpretation.
3. Status Quo: Requirements for Supplier Qualification
To clarify the current framework and the multitude of regulatory requirements, the key specifications for supplier qualification from various international regulations and guidelines are summarized below.
This overview shows that the basic principles – documentation, risk analysis, and proof of supplier competence – are comparable everywhere, but their specific interpretation varies from country to country and from authority to authority.
EU GMP guidelines: In Chapter 4, they require comprehensive documentation of audit records and reports, as well as the associated policies, procedures, and actions taken. Chapter 7 emphasizes that the pharmaceutical quality assurance process of the contracting entity must include the monitoring and audit of all outsourced activities. The client is responsible for ensuring that processes are in place to monitor these activities and that the principles of quality risk management are integrated. Prior to outsourcing, an assessment of the legality, suitability, and competence of the contractor is required. The audit of outsourced activities should be recorded in the contract.
Annex 11: This document places particular focus on computerized systems and emphasizes the need for formal agreements that clearly define the responsibilities between the client and the contractor. The regulated user must ensure that the system has been developed in accordance with an appropriate quality management system. The need for an audit should be based on a risk assessment.
Finally, the contractor should be aware that outsourced activities, including contract analysis, may be audited by the competent authorities.
Medicinal Products Manufacturing Ordinance (AMWHV) and Medicines and Healthcare products Regulatory Agency (MHRA) “GxP” Data Integrity Guidance Definitions: When we examine local regulations, the German AMWHV does require an on-site audit in accordance with §11 Self-inspection and supplier qualification, but only in relation to starting materials and primary and secondary packaging materials used in the manufacture of medicinal products.
The UK’s MHRA covers the topic of IT suppliers and service providers in more detail in its GxP guidance and definitions on data integrity. Cloud providers and virtual services and platforms are also considered specifically. In addition to technical and contractual agreements regarding responsibilities and data access during the retention period, the guidance recommends that the need for an audit be determined on the basis of a risk analysis.
OECD guidance document number 17, on the application of principles of good laboratory practice to computerized systems, in particular section 1.6 “Supplier” and Supplement 1, Chapter 5.3 “Implementation of a cloud-based solution in GLP”, also emphasizes the importance of the competence and reliability of the service provider or software manufacturer. It generally recommends carrying out an audit based on a risk analysis and qualifying the service provider or software manufacturer. However, no explicit recommendation for an on-site audit is made here either. Still, the explicit inclusion of the infrastructure of cloud services in the scope of an inspection is unique among GxP regulations.
PI 011-3 of the PIC/S Guidance – Good Practices for Computerized Systems in Regulated “GxP” Environments also clarifies that audits are not mandatory, but are considered best practice. Responsibility for determining the audit requirement, scope, and standards lies with the regulated user.
Finally, reference should be made to ZLG Vote V1100202, which deals with the question of how the requirement of §20 AMWHV regarding the storage of documents should be implemented for electronic documents. In connection with qualification and ongoing monitoring, it also clarifies that the need for an on-site audit must be decided on the basis of a risk assessment.
Regulations for suppliers and audits also apply to medical devices. For instance, Article 10 (9) of the Regulation on medical devices[2] stipulates that an adequate quality management system must also cover “resource management, including the selection and control of suppliers and subcontractors”. The U.S. equivalent, 21 CFR Part 820[3], also contains corresponding requirements on “Purchasing Controls” in §820.50.
In the medical device certification ISO 13485, these requirements are bundled as follows. On the one hand, clear, risk-based assessment criteria should be defined. On the other hand, there must be appropriate monitoring, including the corresponding records. Non-compliance must be clearly communicated to suppliers.
The above requirements underline the importance of thorough supplier qualification and the relevance of comprehensive documentation and evaluation of outsourced activities. They form the basis for trusting and compliant cooperation between regulated companies and their service providers.
3.1 Practice of Shared Responsibility
In this context, the practice of shared responsibility in accordance with GAMP 5 Second Edition should also be emphasized, to illustrate how both parties – pharmaceutical companies and cloud providers – should jointly contribute to compliance with GxP regulations.
Because even though regulatory responsibility lies with the regulated companies, suppliers should also do their part. After all, close cooperation between both sides is essential to ensure that suitable computerized systems are used for regulated activities and are operated in a compliant and controlled manner. There is still a need for optimization here in practice.
Suppliers should therefore support the process with their own quality management system (QMS), which ensures that their software or services are developed and operated in a quality-tested manner. And by providing relevant documentation, evidence and their expertise (such as technical specifications, test protocols, certificates).
For companies, of course, this means checking the quality and completeness of this supplier documentation in advance – to then incorporate it into their own evaluation. The advantage of this: If there are gaps or deficiencies in the supplier documentation, the regulated company can carry out targeted follow-up checks or additional tests (verification checks), instead of having to check all points from scratch itself.
To ensure that collaboration between the company and supplier goes smoothly, responsibilities, processes, and services provided should be clearly defined and set out in contracts – for example, in a service level agreement.
3.2 Basis for Decision-Making for Supplier Audits
In summary, supplier audits are by no means mandated by the regulatory requirements in the GxP-regulated environment. A variety of regulations and guidelines, such as the EU GMP Guideline, Annex 11, AMWHV, the MHRA GxP guidance, the OECD guidance, and the PIC/S guidance, emphasize the importance of supplier qualification and comprehensive documentation, but leave open whether and to what extent an audit must be carried out. The decision on the necessity of an audit, in particular an on-site audit, therefore lies with the regulated company and should be based on a risk assessment.
This approach follows the basic idea of shared responsibility according to GAMP 5 Second Edition explained above: Regulated companies and suppliers work in partnership to jointly ensure compliance with GxP regulations.
3.3 Factors in Risk Assessment
In the highly regulated world of life sciences, where the GxP standards are applied, risk management plays a crucial role. It helps to ensure the quality and safety of products and services.
GxP-regulated companies are required to establish standard operating procedures (SOPs) that detail how suppliers are evaluated for potential risks. These SOPs are based on the applicable regulatory requirements and ensure that evaluations are carried out systematically and comprehensibly.
This ensures that all important factors are taken into account when selecting and monitoring suppliers, to guarantee the integrity and safety of the end product.
Risk assessment is a central component in supplier evaluation.
The following factors are typically considered in the risk assessment:
- GxP relevance or non-GxP: The classification of supplier activity as GxP or non-GxP significantly influences the risk assessment. GxP activities require more stringent controls and monitoring.
- Proximity of the process to the final product: The more directly a service or process influences the final product, the higher the assigned risk. This proximity largely determines the criticality assessment of the service provider.
- Risk of the outsourced activity: The type of outsourced service (IaaS, PaaS, SaaS) and its impact on patient safety, product quality, and data integrity are decisive factors. Services that directly affect patient safety, product quality, and data integrity require more intensive monitoring.
- Trust and experience: Historical collaboration, including documented deviations, incidents, or (positive) audit histories, influences trust in the supplier’s performance and reliability.
- Organizational size and maturity of the company: Larger organizations often have established processes and resources to manage risks effectively.
- Market penetration and user base: A widely used software solution with an extensive user base increases the likelihood that defects and potential vulnerabilities will be identified and addressed early. This can have a positive impact on the individual risk assessment. Note, however, that a large installed base also makes the product a more attractive target, so wide deployment reduces the risk of undiscovered defects but not the exposure once one is found and exploited.
- Monetary volume: The financial volume of the outsourced activity can increase the risk, especially when critical services are involved.
- Market position and dependency: A monopoly-like or dominant market position of the provider can increase the risk, especially if the availability of alternative solutions is limited. The substitutability of a service provider should therefore be included in the risk assessment.
As already emphasized, the challenge for the globally active life sciences industry is that many authorities interpret and review the same regulations differently. In Germany, inspections are primarily based on the requirements from Annex 11 and the descriptions from the ZLG Vote documents.
In current practice, there is a clear difference from the usual risk analyses in the life sciences industry, for example, as part of computer system validation or product qualification: Risk mitigation through standardized supplier documentation is rarely factored into the decision on the type of audit. Although suppliers may provide standardized audit reports and detailed documentation about their quality management processes, these documents do not yet influence the decision for or against an audit or an on-site audit.
This is where SAP and DSAG are calling for a rethink: Risk management in GxP-regulated companies requires careful supplier evaluation to ensure the integrity and security of the end product. The evidence a supplier provides (standardized audit reports, certificates, QMS documentation) is part of that evaluation, and its result should therefore also be taken into account when deciding whether a supplier audit is necessary and in what form it is conducted.
3.4 The Different Types of Audits
Audit programs at regulated companies usually follow a risk-based approach. Depending on the outcome of the risk assessment, different types of supplier audit are used.
Simple assessment
This type of audit is usually applied to low-risk suppliers.
It is standardized, requires little effort, and is based on certificates and reports provided by the supplier. Its aim is to get an overview of quality management practices, software lifecycle management, supporting/security processes, and the organization and experience of the company.
This type of assessment provides only low confidence, however, as no in-depth review of the processes is carried out and no additional evidence is requested from the supplier. Specific requirements of the auditors cannot be taken into account either. Therefore, a simple assessment is no substitute for a full audit.
Postal audit
This questionnaire-based assessment approach is generally used for medium-risk suppliers. Although the effort involved is higher compared to a simple assessment, it is still manageable. Unlike the first audit type, a postal audit is more informative because the audited company can be asked specific questions.
However, this procedure cannot be standardized across suppliers, and the answers are usually not backed by concrete evidence.
On-site audit (or virtual online audit)
This procedure is generally used for high-risk suppliers. Auditors visit the supplier’s site in person or carry out the audit remotely.
This form of audit is particularly suitable when complex processes are observed directly or when the audit requires in-depth verification of activities and controls. The auditors gain insights through observations, interviews and document reviews in real time.
This type of audit offers flexibility for both auditors and the audited, as it is often conducted on a convenient schedule.
There are also disadvantages, however: It involves a high amount of effort, standardization is not possible, and it is difficult to compare audits. In addition, on-site audits are more costly and time-consuming than the previously mentioned types (travel costs, for example).
Group audit
The advantage of a group audit is that the audit can be carried out for several companies at the same time and tailored to their combined requirements. All the necessary evidence can be presented and viewed once. Another plus: The representatives or third-party auditors commissioned by the participating companies all attend at the same time. This means that the effort for everyone involved is considerably less than when each company carries out its own individual on-site audit.
The coordination and preparation can be challenging, however – for instance, when planning the agenda or discussing the results together – because more people are involved. In addition, it is not always clear how supervisory authorities assess group audits and whether they accept them in all cases.
3.5 SOC2 and SOC2+ Reports: Advantages and Challenges
A cloud service provider (CSP) must be competent and reliable when offering software or IT services to regulated companies. Because even if certain tasks are outsourced to the provider, responsibility for validating Software-as-a-Service (SaaS) and qualifying Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) solutions remains with the regulated company.
This is because software can only be validated in its specific environment and for its specific purpose. An additional challenge is that cloud providers themselves are not directly subject to regulatory supervision. Furthermore, there are no clear technical guidelines from the regulatory authorities as to how to ensure compliance in the GxP environment.
An example of this is provided by Annex 11 to the EC Guide to Good Manufacturing Practice (para. 4.5), which requires an “appropriate” quality management system (QMS) or an “adequate” assessment of suppliers. These vague terms leave room for interpretation and make uniform implementation difficult.
Other sectors have already made more progress: With the Digital Operational Resilience Act[4], the EU has established a sector-specific set of rules for cybersecurity, ICT risks, and digital resilience in the financial sector. Since January 2025, critical ICT third-party service providers have been subject to uniform European supervision. A similar approach could also help to promote scalability in the GxP environment, to reduce compliance costs without compromising quality.
Other countries are also leading the way: France is already moving in this direction with the Hébergeurs de Données de Santé (HDS) certification[5] for providers that host health data. One solution could be a GxP seal of approval or certification for cloud service providers. In Germany, however, this is not even on the horizon.
According to the ZLG (Vote V1100202), an on-site audit is dependent on the risk assessment. But what options do companies in Germany have to minimize the cost of such audits in the event of a high risk?
A risk assessment of computerized systems in the GMP environment must use comprehensible criteria to show how systems affect product quality and patient safety. Although the ZLG guideline[6] for inspections of computerized systems requires such an assessment, in the form of a documented procedural instruction, it does not provide any concrete specifications for the content of the risk assessment. Therefore, each regulated company decides independently whether and to what extent a supplier audit is necessary.
GAMP 5 Second Edition, in contrast, refers to ISO 27001 certificates or SOC2 (system and organization controls) reports, which are recognized as proof of IT and data security.
The discussion about supplier audits is complex. SOC2, as an industry-independent evolution of the classic audit report, may be used to qualify suppliers in accordance with the ZLG guideline[7] for inspections of computerized systems (No. 3-6). The ZLG guideline (No. 4-19)[8] expects an on-site audit but does not require it. Having an on-site audit performed by a service provider is expressly permitted (ZLG Guideline, No. 3-7)[9]. What cannot be conclusively clarified is whether that service provider must be commissioned by the regulated company or may, as with SOC2, be commissioned by the cloud service provider. It is undisputed, however, that SOC2 enables independent monitoring of outsourced cloud services, which reduces the need for, or at least the scope of, on-site audits.
The advantages of such standards are obvious: SOC2 and C5 have been established as de facto standards in the IT and cloud industry. They provide transparency by describing the internal control system and the scope of the audit, test procedures, and audit results that result in the audit opinion. Detailed reports like this are explicitly designed for supplier monitoring and are issued by an independent, liable auditor. This creates economies of scale for the service provider, because a single report can be distributed to all client companies. This makes them a sensible alternative to time-consuming individual audits. This seems desirable from the perspective of both the supplier and the regulated company.
If an independent auditor is commissioned by the cloud service provider, there is another important advantage: Data protection is taken into account. The confidentiality of other customer data (especially in the case of multi-tenant systems) in the cloud remains guaranteed. If individual supplier audits were used, this would pose a substantial challenge.
Other challenges remain, however:
- Lack of customizability: SOC2 reports are standardized (based on the Trust Services Criteria) and may not take into account all individual needs of regulated client companies.
- Limited scope: SOC2 reports focus on the outsourced managed services in the cloud and may not cover all aspects of the client company’s overall risk environment. Regulated client companies may also need to assess other risk areas outside the scope of the SOC2 report.
- Dependence on the auditor’s expertise: The quality and reliability of the SOC2 report depends on the auditor’s expertise and independence. Regulated client companies must ensure that the auditor has the necessary expertise and experience in assessing cloud service providers.
- Delays: SOC2 reports are typically produced annually and cover a defined observation period. The report only becomes available after that period has ended, so the most recent report never covers the current operating period. Regulated companies should note the end date of the reporting period and how the gap until the next report is covered (a bridge letter from the provider is the usual instrument).
3.6 Example SAP: GxP-Compliant Cloud Services
SAP shows how a cloud operator can contribute to minimizing risk from the outset. As an operator of critical infrastructures, the software group holds multiple certifications, including ISO 27001 (information security), ISO 9001 (quality management), and ISO 22301 (business continuity management). SAP demonstrates the “state of the art” required by the German IT Security Act by means of attestations against the Cloud Computing Compliance Criteria Catalogue (C5) of the German Federal Office for Information Security (BSI); these “C5 reports” are very similar in structure to SOC2 reports.
Standardized certificates and attestation reports (SOC/C5) provide proof of a wide range of audit priorities, such as vulnerability management, back-up and recovery, and logical and physical access protection. Admittedly, not every topic from the GxP area can be covered. Prominent examples include GxP training certificates, qualification certificates, and internal procedural instructions of the CSP.
The lack of scope and customizability can be remedied by a SOC2+ report. A SOC2+ report builds on the SOC2 standard by using the same structure and audit methodology, but is expanded to include additional, specific compliance requirements (such as ISO, HITRUST, and HIPAA). When supplemented with industry-specific requirements such as GxP, SOC2+ allows CSPs to cover multiple regulatory requirements with a single audit. A SOC2+ report supplemented with GxP requirements confirms that the cloud service provider has integrated these requirements into its security and compliance controls. A SOC2+ report with a GxP component therefore reduces the effort required for audits and speeds up supplier evaluation.
SAP has offered this type of report in the private cloud environment for more than five years. This closes the gap in the areas of training, qualification, and procedural instructions, for example.
In addition to the certificates and attestation reports (SOC, C5), SAP also provides GxP-regulated customer companies with a contract addendum in the form of a quality agreement with additional (audit) rights, to mitigate remaining residual risks on an individual customer basis.
Therefore, where certificates and SOC reports are available, there is no need for the extensive back-to-back agreements in contracts between CSPs and regulated companies that are currently driven by the inconsistent requirements of global markets.
4. Position of SAP and DSAG
Based on the above description of the situation, SAP and DSAG see the implementation of supplier qualification using SAP as an example as follows: The risk assessment must be extended as preparation for supplier qualification and an iterative process is needed to carry out the supplier qualification. Both factors are discussed further in the sections below.
4.1 Targeted Risk Assessment
Risk assessment in GxP-regulated companies is a critical process that is designed to ensure that suppliers are reliable and competent. It should take into account all measures that suppliers use to reduce risks. From the perspective of SAP and DSAG, however, these risk-minimizing measures are not always included sufficiently at the present time. The following points show which aspects should be considered in a comprehensive risk assessment.
- SOC2+ reports: These reports provide a comprehensive assessment of an organization’s security, availability, processing integrity, confidentiality, and privacy controls. A SOC2+ report with a GxP component can serve as evidence that GxP-relevant controls have been implemented effectively.
- GxP-specific documentation: Documents such as white papers that explain GxP standards provide valuable insight into compliance with industry standards and should be included in the risk assessment.
- Documentation on security measures: Detailed documentation of the implemented security measures demonstrates the supplier’s commitment to protecting sensitive data and systems.
- Documentation on the handling of personal data: This documentation is crucial to ensure compliance with data protection laws such as the GDPR.
- Standardized certifications: Certifications like ISO 9001 for quality management and ISO 27001 for information security management provide standardized evidence of a supplier’s competence and reliability.
- Standardized reporting on operational processes: A SOC2 report, for example, provides insight into operational processes and their effectiveness, which is important for risk assessment.
Risk assessment in GxP-regulated companies should give greater recognition to suppliers’ risk-mitigation measures.
For example, companies can significantly reduce on-site audits by implementing comprehensive risk minimization measures and using existing certificates from independent auditing organizations. The inclusion of SOC2, SOC2+(GxP) reports, GxP-specific documentation, security measures, certifications, and standardized reports can also help to better understand the actual risks, so that these risks “merely” need to be examined in the context of group audits, for example.
4.2 Target Vision: Future Supplier Qualification Process
Supplier qualification of cloud service providers for GxP-regulated industries requires a structured and thoughtful approach, to ensure that all regulatory requirements are met and potential risks are minimized.
This chapter describes the process that DSAG believes should be used for supplier qualification – based on the example of SAP as a cloud service provider. The procedure is divided into several steps, which are listed below. Depending on the course of the audit, not all steps may need to be carried out (which is an advantage compared to the current, widespread supplier evaluation). The criteria for exiting the process are described at the end of each step.

Process step 1: Assessment of the criticality of the outsourced activity from the perspective of the client company
The first step is to assess the risks of the outsourced activity from the perspective of the client’s own company, to determine how carefully it needs to be monitored.
Process step 2: Review of public/provided documentation
This phase of the solution approach involves reviewing the documentation that is publicly available or provided by SAP. These documents provide insights into the provider’s compliance measures and security standards and are crucial for the initial assessment.
- GxP Info Package (cross-SAP): This information package covers overarching SAP processes for GxP-regulated industries. It can be requested from your SAP contact person (account executive).
- GxP white paper (product-specific, if available): Product-specific white papers that provide detailed information on how to comply with GxP requirements. All white papers can be found in the SAP Trust Center or on the corresponding product page on help.sap.com.
- SOC2 report (product-specific): A SOC2 report documenting the product’s controls and security measures.
- Other certificates (ISO 9001/27001): Certificates that demonstrate compliance with international standards for quality management systems and information security management systems.
- Documentation on security measures: Documentation describing the implemented security measures.
- Documentation on the handling of personal data: Documentation that covers the measures taken to protect and process personal data.
- Other documents: Specific to the intended solution or use case.
If no further action is needed, because the solution has low criticality or the publicly available/provided documentation is evidently sufficient, the procedure can simply be documented after this step and the qualification completed. However, a gap analysis is recommended to ensure that no critical issues have been overlooked and that this can also be demonstrated to inspectors.
Process step 3: Gap analysis
The third phase consists of conducting a gap analysis, to determine which specific requirements of the assessment could not be met by reviewing public/provided documentation.
This analysis identifies gaps and potential risks that need to be addressed to ensure compliance. These gaps are customer-specific and can vary in relevance, depending on the system and implementation. The examples of such gaps listed here are intended to illustrate the types of gaps that could be encountered.
- Basic gaps: When using available documentation, basic requirements may not be met, depending on the specifications of the internal SOPs for supplier qualification. For example:
  - Evidence: Provision of evidence for performing tests and verifications.
  - GxP training: Evidence that auditors have been trained in GxP.
  - Level of detail of the tests: Traceability of the level of detail with which the tests were performed.
  - Coverage of the tests: Coverage of all relevant areas by the tests performed.
  - Scope of the tests: Identification of what scope was considered for the review.
- Specific thematic gaps: In addition, there may be specific thematic gaps that remain unexplained by standardized documentation without GxP reference. For example:
  - GxP training: Training employees on GxP requirements.
  - Qualification documentation: Documentation on the qualification of systems and processes.
  - GxP features (audit trail/e-signature): Implementation and documentation of GxP-specific features such as audit trails and electronic signatures.
  - Job descriptions: Clear definition of roles and responsibilities.
  - Traceability: Traceability of implementation and changes.
  - GxP-specific contractual regulations: Specific contract terms, such as retention periods and access for inspectors.
  - Documented testing with evidence: Documentation of tests with evidence.
  - Clear definition of release cycles/patch types: Definition and documentation of release cycles and patch types.
  - Cloud exit strategy: Information and contractual clauses to support a cloud exit strategy.
If no gaps are identified in this step, the assessment is documented and the audit is completed.
Process steps 4-7: Address gaps and derive subsequent steps from them
The next phases involve addressing the identified gaps. This can be done through various measures, depending on the severity of the gaps and the remaining risks.
- Supplier evaluation with determination from the gap assessment and acceptance of the existing/remaining risks: If the procedure was terminated in the previous steps because the activity is not critical or no gaps were found, this should be recorded by adequately documenting the results of the gap assessment and the acceptance of the remaining risks.
- Low/medium residual risk is determined: If the gap analysis identifies a low to medium residual risk due to unacceptable gaps, a postal questionnaire should be used to address these gaps.
  - (1) A questionnaire is sent to the SAP contact person (account executive) to address the identified gaps.
  - (2) Review the responses received.
  - (3) No/non-critical gaps remaining -> Audit is documented and completed (see the first point above).
  - (4) Critical gaps -> If critical gaps are identified, an audit report is required.
- Major residual risk is identified or postal questionnaire is not sufficient: If a major residual risk was identified in the gap analysis or if unacceptable gaps remained after the postal questionnaire, then an audit report is usually required. The following options are available:
  - (1) Group audit: If possible, gaps should be addressed together with other companies in a group audit, to limit the effort required from both the auditing firms and the affected SAP units. The audit can be carried out by delegated representatives or contracted service providers. All gaps should either be documented as closed in a group audit report or the corresponding findings should be noted. SAP then provides this report as part of the contracts with the auditing group. To guarantee acceptance of an audit report created in this way, it should at least be possible to prove participation in the planning of the audit scope and in the discussion of the findings.
  - (2) Establishment of SOC2+GxP reporting by SAP: If SAP determines through discussion with its client companies that recurring gaps should be addressed for a certain part of their products, the use of SOC2+GxP reports is a good option. As described, SOC2 reports offer the option of including additional compliance topics in a defined structure. A current example of a report like this is available for SAP Enterprise Cloud Services. This approach generally offers the possibility of dealing with all identified gaps in a standardized manner and with regular, detailed reviews for all client companies of a product. Continuous improvement is another option, for example, in cooperation with DSAG. However, regulatory acceptance is a basic prerequisite for establishing such reports. This could be achieved, for example, through GxP competence certificates for auditors. Integration into the group audit approach could also ensure acceptance.
  - (3) Individual audit: If none of the previous steps have been able to address the gaps identified, an individual audit must be considered. This may also be justified, for example, if an incident involving SAP has occurred or if there is a specific request from the authorities. It should be clear, however, that SAP currently only offers an individual right to audit for selected products. If you expect that this right will be required in order to fulfill the supplier management requirements, then this should be taken into account when concluding the contract.
From DSAG’s perspective, this structured approach can ensure that the supplier qualification of cloud service providers for GxP-regulated industries is carried out comprehensively and effectively, to meet regulatory requirements and minimize potential risks. At the same time, the effort for required audits is reduced to the minimum necessary.
5. Summary
The approach described above gives SAP’s GxP-regulated client companies that want to procure cloud services a clear, comprehensible way of setting up their supplier management for SAP.
This approach is based on applicable laws and regulations – such as 21 CFR Part 11 and EU GMP – and their recognized interpretations (such as GAMP5).
In practice, the use of certifications other than ISO 9001 or ISO 27001, especially the use of SOC2 and C5 reports, is still sometimes viewed critically by inspectors. However, as these reports are a central element of the approach described, clear positioning on the part of the authorities is desirable.
As such, this position paper is also explicitly aimed at regulators and inspectors, with an appeal to actively support the further development of the GxP capability of SOC2 reports – instead of questioning one of the most important compliance tools of cloud service providers due to the lack of focus on the life sciences industry.
The extension of SOC2 reports to SOC2+GxP reports provides exactly what the industry needs in terms of clarity to be able to use the innovations that cloud service providers like SAP enable in a secure, transparent, and trusting manner.
And that is ultimately the goal: a common, binding, and practical consensus between industry, regulators, and suppliers on how supplier management and qualification can be made standardized, efficient, and legally compliant in the future.
Publication information
We expressly point out that this document cannot anticipate and cover all the regulatory requirements of all DSAG members in all business scenarios. In this respect, the topics and suggestions addressed must inevitably remain incomplete. DSAG and the authors involved cannot accept any responsibility regarding whether the suggestions are complete or likely to succeed.
This publication is protected by copyright.
Unless expressly stated otherwise, all rights are reserved:
German-speaking SAP® User’s Group (DSAG) e.V.
Altrottstraße 34 a
69190 Walldorf | Germany
Phone +49 6227 35809-58
Fax +49 6227 35809-59
Email info@dsag.de
dsag.de
Any unauthorized use is not permitted. This applies in particular to the reproduction, editing, distribution, translation, or use in electronic systems/digital media.
© Copyright 2025 DSAG e.V.