
Security Compliance for SAP RISE / Cloud ERP
SAP RISE customers must comply with requirements for security. Non-compliance may impact SAP support and lead to legal and financial risks. Discover the requirements and learn how you can automate audits to remove compliance risks.
Summary
Are you an SAP RISE / SAP Cloud ERP customer or a System Integrator for SAP customers? Are you considering RISE with SAP / Cloud ERP for your transformation journey? Are you aware that SAP customers are required to comply with strict security standards as part of their SAP contracts? Failure to do so may impact support from SAP and lead to legal risks.
This article provides practical guidance for understanding the security requirements for SAP customers. It discusses how you can use the Cybersecurity Extension for SAP (CES) to ensure quick, effortless and cost-effective compliance with the requirements. CES is an SAP-certified addon that automates compliance management for SAP RISE / Cloud ERP security requirements.
What are the Security Requirements for SAP RISE?
Solutions such as S/4HANA Cloud provisioned and supported by SAP as part of the RISE with SAP / Cloud ERP business transformation offering adhere to the principle of Secure by Default. This means the solutions are delivered to customers with specific settings that are embedded into system builds to comply with security standards defined by SAP.
Customers can modify settings in SAP solutions after delivery. This can occur during implementation and migration projects, but it is also possible during the run or operational phase for transformations. The changes can expose systems to security risks. To address customer changes that may undermine Secure by Default settings, and to provide general guidance, SAP defines security requirements for customers in the following notes:
The notes are regularly updated by SAP for new requirements and therefore should be monitored for changes.
There are approximately 150 requirements for systems such as S/4HANA Cloud. The requirements must be met for each SAP System ID (SID) in every environment within RISE system landscapes. Since SAP customers are accountable for managing the configuration of ABAP and Java stacks in their systems and tenant databases in SAP HANA, the requirements are intended to align customer responsibilities to SAP’s cloud security framework for protecting RISE / Cloud ERP systems from cyber threats.
The requirements are mandatory: SAP customers must comply with them. Failure to comply may impact the terms and conditions for support as part of RISE with SAP / SAP Cloud ERP. It may also impact legal liabilities in the event of security incidents and breaches.
The requirements cover the following areas for RISE systems:
Are Customers Complying with SAP RISE Security Requirements?
Layer Seven Security performed over 180 audits to assess compliance with note 3250501 since its release in 2023. Notes 3480723 and 3381209 were released in 2025. Based on the results of the audits, 100% of RISE systems were non-compliant with one or more requirements. The average compliance level was just 77%.
According to the findings of the SAPinsider benchmark report RISE with SAP, one third (33%) of SAP RISE customers are not aware of or are not following the requirements. 66% (two thirds) are not monitoring the note for changes or regularly auditing their systems for compliance. The report was based on a survey of 122 SAP organizations conducted by SAPinsider between July and November 2025. In the words of the report author, Robert Holland, Vice President and Research Director at SAPinsider, “the proportion (of SAP RISE customers) that are either not aware of the note or are not actively following all requirements is concerning. This is a key facet of securing and hardening RISE systems, which is vital for organizations to understand.” You can download the full report here.
“Organizations running SAP S/4HANA Cloud in an ECS environment need to make sure they understand and follow security parameters and hardening requirements. This is crucial to ensuring the security of SAP Cloud ERP Private.”
RISE with SAP, SAPinsider, November 2025.
Automate SAP RISE Audits to Remove Compliance Risks
Auditing compliance across multiple systems in each landscape is a complex and resource-intensive process. Auditing also needs to be continuous since changes can reverse security hardening and lead to configuration drift. Benchmarks for compliance also need to be regularly updated in line with changes in SAP requirements.
The Cybersecurity Extension for SAP addresses these challenges by automating compliance audits for SAP RISE / Cloud ERP systems. The SAP-certified addon performs daily automated scans to identify compliance gaps in solutions such as S/4HANA. Interactive dashboards enable users to monitor compliance and drill down to findings. The addon also enables users to maintain and track remediation plans for compliance gaps. Detailed reports are available in formats such as PDF, CSV and Excel with options for scheduling and automatic email distribution. The benchmarks in the addon are regularly updated for changes in SAP RISE security requirements.
The Cybersecurity Extension for SAP requires approximately 6 hours of effort from SAP Basis and Security teams to install and configure, supported by our Solution Engineers. The software is installed in SAP systems using the SAP Add-On Installation Tool (SAINT).
Once installed, the Cybersecurity Extension for SAP scans the target systems for compliance gaps. The results are available immediately and can be analyzed using applications accessed from the SAP Fiori launchpad. The solution also supports monitoring for other security frameworks such as NIST, GDPR, SOX and PCI-DSS, as well as SAP frameworks such as the SAP Security Baseline and the SAP Security Guide for S/4HANA.
The Cybersecurity Extension for SAP enables organizations to meet security obligations in SAP RISE / SAP Cloud ERP as part of a shared model of responsibility with SAP.
In addition to compliance management, the Cybersecurity Extension for SAP supports:
Contact Layer Seven Security to Secure Your SAP RISE / Cloud ERP Solutions
The Cybersecurity Extension for SAP ensures your SAP RISE / Cloud ERP systems are compliant, protected and equipped for audits and certifications. Flexible licensing options let you choose between 30–90-day terms for one-time assessments or 12–36-month plans for sustained monitoring. From targeted security assessments to continuous monitoring, contact Layer Seven Security to discuss how you can leverage the Cybersecurity Extension for SAP to comply with SAP security requirements for RISE / Cloud ERP solutions and protect your mission-critical SAP systems from cyber threats.























