NIS2 and SAP: what the directive actually demands inside your ERP
Chapters
Share Article
Let's Talk SAP Security
Have questions about SAP Security? We’re here to help. Contact Us
The NIS2 Directive is the European Union’s updated framework for cybersecurity across critical infrastructure. It replaced the original NIS Directive in 2023 and significantly expanded both the scope of organizations covered and the obligations placed on them. Any organization classified as an essential or important entity covering sectors from energy and manufacturing to healthcare, finance, and transport must implement a defined set of risk-management measures and demonstrate them to regulators on demand. Article 21 sets out ten categories of measures. Article 20 places personal accountability on management for overseeing those measures. Article 23 requires organizations to report significant incidents within 24 hours. Penalties for non-compliance are substantial, and competent authorities across EU member states are moving from awareness to active enforcement. NIS2 does not mention SAP by name. That has given some security teams cover to treat their ERP as an afterthought. That assumption is increasingly being corrected by auditors. SAP systems run the financial transactions, HR records, supply chain processes, and manufacturing operations that define what a business actually does. Every Article 21 obligation applies to them.
Why the SAP layer is different
Most cybersecurity programs were built around the network and the endpoint. SAP operates on a different layer, uses different protocols, and generates event data in formats that standard security tooling does not parse natively. It is typically managed by a Basis team, audited by GRC, and rarely covered by the SOC. That gap is precisely what NIS2 exposes. Organizations running SAP on RISE with SAP face the same obligations. SAP managing the infrastructure does not transfer compliance responsibility to SAP.
What Article 21 requires at the SAP layer
The ten risk-management measures are technology-neutral on paper. In practice, each one maps to specific SAP capabilities:
Incident handling
Standard SIEM tools do not ingest SAP security audit logs natively, and most SOC analysts lack the domain knowledge to interpret what they receive. Threat Detection provides pre-built detection use cases for SAP-specific attack patterns, RFC abuse, privilege escalation, unauthorized transport deployment, suspicious batch job execution, and feeds structured alerts directly into SIEM and SOAR platforms.
Secure development
Code Vulnerability Analysis (CVA) scans custom ABAP for SQL injection, missing authorization checks, and insecure function module calls. It integrates with the transport lifecycle, so vulnerabilities are caught before they reach production.
Cyber hygiene and patching
Patch Management automates SAP Security Note applicability checks across the entire landscape, ensuring HotNews and high-priority notes are tracked and acted on — not missed in a quarterly review cycle.
Access control
Privileged Access Management runs a continuous SoD rule engine with violation records, owner attribution, and remediation tracking. Identity Protection handles dormant accounts, Firefighter session logging, and access lifecycle monitoring.
Multi-factor authentication
TrustBroker enforces risk-based step-up MFA at the SAP transaction level, triggered by action type, user risk profile, or time of access without requiring changes to the underlying authentication infrastructure.
Compliance reporting
Compliance Automation generates audit-ready evidence across all controls, aligned to NIS2, ISO 27001, SOX, and GDPR. Available on demand, not assembled manually before each audit.
The evidence gap most organisations face
For most large enterprises, SAP sits outside the SIEM, outside the vulnerability management program, and outside any real-time detection capability. The result is an evidence gap that NIS2 audits will find. Common issues include:
- No continuous SoD monitoring, violations accumulate between quarterly reviews
- SAP Security Notes tracked manually or not at all
- Custom ABAP code deployed to production without security scanning
- Firefighter IDs used in production without automated session recording
- No real-time alerting on SAP-layer threat indicator
- MFA enforced at the network perimeter but not inside the SAP session
NIS2 does not accept point-in-time assessments. Continuous, demonstrable controls are required and evidence to prove them. SecurityBridge is the only SAP-native platform that addresses the full Article 21 scope without external infrastructure or SAP expertise from the security team.
FAQ’s
Does NIS2 apply to SAP?
NIS2 does not mention SAP by name, but every Article 21 obligation applies to the systems that run critical business operations and for most essential and important entities, SAP is exactly that. Financial transactions, HR records, supply chain processes, and manufacturing controls all run on SAP. Auditors are increasingly treating SAP as in scope, and organizations that have treated their ERP as an afterthought are finding that position difficult to defend.
What does Article 21 require for ERP systems?
Article 21 sets out ten categories of risk-management measures covering incident handling, access control, secure development, patch management, multi-factor authentication, and more. For ERP systems like SAP, this means implementing controls at the application layer, not just the network perimeter. Organizations must be able to evidence these measures continuously, not only at audit time.
Is RISE with SAP NIS2 compliant?
RISE with SAP changes who manages the infrastructure not who is responsible for compliance. Organizations running SAP on RISE carry the same NIS2 obligations as those running on-premise. SAP managing the underlying environment does not transfer Article 21 responsibility to SAP.
What evidence do NIS2 auditors expect?
NIS2 auditors expect a continuous operational record, not a policy document or a configuration screenshot. That means timestamped logs of SoD violations detected and remediated, dormant accounts flagged and actioned, Firefighter sessions reviewed, and MFA challenges recorded. Evidence must exist independently and be exportable on demand not assembled manually in the weeks before an audit.
Request a demo to see what NIS2-ready SAP monitoring looks like in practice. To learn more about how SecurityBridge supports NIS2 compliance, visit our page HERE!
