European Union (EU) cybersecurity authorities are in the process of drafting a new certification system for cloud services that specifies that high-risk data can only be stored in the EU and can only be accessed by employees that are located in an EU country. And, according to a recent Wall Street Journal article on the topic, data that is considered “critical” or is in need of “high security measures” must be stored in cloud services that are run by European companies. While it appears that this system would be voluntary, there is concern that the certification system could be used to impose restrictions requiring the use of providers that meet the EU certification in some sectors or some EU countries. While the certification is still in a draft stage, France updated their cloud security rules for essential data earlier this year. These new rules require providers to store and process data in the EU, be headquartered in the EU, and have no more than 39% of their voting shareholders located outside the 27 members of the EU. The three largest public cloud providers for SAP workloads, Amazon Web Services (AWS), Google Cloud, and Microsoft Azure do not meet the certification to host this essential data although all are in the process of launching cloud initiatives in conjunction with French companies.

Cloud Usage and Data Security

SAPinsider research on Enterprise Cloud Deployment shows that the biggest public cloud providers for SAP workloads are the three providers just mentioned—Microsoft Azure, AWS, and Google Cloud. However, while these are the biggest cloud providers when it comes to SAP workloads running on hyperscalers, not every workload is most likely to be running on this infrastructure. SAP workloads that are more likely to be using public or hybrid public cloud infrastructure include financial solutions, sales solutions, analytics and BI solutions, HR solutions, and SAP S/4HANA. Those that are more likely to be using a private or hybrid private cloud, which is more likely to be located in the same geography as the organization, include planning solutions, supply chain solutions, CRM solutions, and travel and expense solutions. From a cybersecurity perspective, we recently saw that the need for data protection compliance has become one of the top drivers for organizations when it comes to their strategy and plans for cybersecurity for their SAP systems. This is partly because of existing legislation like GDPR seeing an increase in enforcement, but also because of new data security legislation in California, Colorado, and other states starting to come into effect in 2023. But the new legislation will do more to impact data security than the current GDPR standards as it will restrict where the data must be stored. The biggest impact that these proposed changes will have on global organizations will be the need to have their most sensitive data hosted either on internal infrastructure or with local service providers. This may significantly complicate the picture for organizations that are looking to leverage the scalability and flexibility that cloud systems offer while attempting to comply with potential restrictions around which providers they can use. And while the major hyperscalers are launching efforts with local French companies, none of these are up and running yet and all are focused on the French market. Should the new certifications come into place, this will add a significant level of complexity to any infrastructure planning being performed by both companies located in the EU as well as those operating there.

What Does This Mean for SAPinsiders?

The most important thing that organizations should do is plan for what this might mean. Companies operating in France may already be taking action to ensure that their current data security plans comply with new legislation, but plans should be prepared for broader enforcement of similar restrictions. Specifically, the following actions may be helpful:

• Educate your teams on the planned certification as well as that already in place in France to determine the impact on your operations.
• Analyze your existing data security and storage to see where your most sensitive data is being stored today.
• Evaluate future infrastructure plans, and particularly what the cloud component of those plans is to determine whether they will be impacted by any changes.
• Start executing on these actions today so that you will be prepared for any legislature roll-outs.