What Are the Key Security Risks in RISE with SAP? Findings from the 2025 Benchmark Report

The SAPinsider RISE with SAP 2025 benchmark report reveals a critical security gap: widespread customer non-compliance with the shared responsibility model. The most significant failure is not implementing SAP’s mandatory security hardening requirements, leaving cloud ERP systems vulnerable and exposing organizations to significant operational, legal, and reputational risk.

The report, based on a survey of 122 SAPinsider community members, shows that a majority of organizations are not fulfilling their security duties in the SAP cloud. Less than half (45%) of respondents actively follow the shared responsibility model for security. This gap is most evident in the failure to apply mandatory hardening settings documented in key SAP notes. Because SAP’s security guidance evolves, initial compliance is not enough; continuous monitoring is required to prevent “compliance drift.” The business risks of this non-compliance are severe, impacting support, increasing legal liability in case of a breach, and creating preventable attack paths. The report underscores that cloud migration does not transfer security accountability, and customers must adopt an ongoing operational discipline to manage their risk posture effectively.

Key Takeaways

  • Widespread Non-Compliance: A majority of RISE with SAP customers are not fully executing their responsibilities under the shared security model.
  • Hardening is Mandatory: Failure to implement and sustain SAP’s mandatory security hardening requirements is the most critical compliance gap.
  • Accountability Remains: Cloud migration does not transfer accountability for security outcomes; the customer retains the risk for their side of the model.
  • Compliance is a Process: Security compliance is an ongoing discipline, not a one-time project, as SAP’s requirements evolve.
  • Significant Business Risk: Non-compliance creates substantial operational, legal, support, and reputational risks for the organization.

What Is the Key Security Finding in the RISE with SAP 2025 Report?

The most material security finding from the RISE with SAP 2025 benchmark report is broad customer non-compliance with the shared model of responsibility. Specifically, organizations are failing to implement and sustain SAP’s mandatory security hardening requirements for systems operating in SAP’s cloud delivery model. This indicates a significant gap between SAP’s security expectations and customer execution.

Why Are Most Customers Non-Compliant with SAP Cloud Security?

The report highlights that customers are not consistently executing their security responsibilities. While SAP delivers and operates key elements of the cloud platform, customers remain accountable for critical security outcomes, including secure configuration and access controls.

Two key statistics from the report stand out:

  • Less than half (45%) of respondents are aware of and actively following the shared responsibility model for SAP Cloud ERP Private security.
  • Approximately one-third are aware of the model but do not follow it rigorously.

This demonstrates that a majority of organizations either do not fully understand or are not consistently executing their responsibilities. For leadership, the implication is clear: migrating to the cloud does not transfer accountability for SAP security outcomes to SAP.

What Are the Mandatory SAP Hardening Requirements?

The report points to a specific operational problem: customers running SAP Cloud ERP Private must comply with SAP’s mandatory security parameters and hardening requirements. These are documented in relevant SAP notes for ABAP, HANA, and Java systems. This includes notes like 3250501, 3480723, and 3381209.

Non-compliance with these requirements materially increases the organization’s exposure to attack. These hardening standards define the baseline configuration for reducing preventable attack paths, and failure to apply them creates persistent vulnerabilities.

Why Is SAP Security Compliance an Ongoing Process?

A key challenge highlighted in the report is that SAP security compliance is not static. SAP regularly updates mandatory parameters and hardening guidance in response to new threats, vulnerabilities, and platform changes. A system that was compliant at go-live can easily drift out of compliance over time.

This creates a significant operational risk. Compliance must be managed as an ongoing discipline, not a one-time implementation task. Organizations need repeatable processes to track new SAP security guidance, assess its applicability, and remediate gaps across their landscapes.

What Are the Business Risks of SAP Security Non-Compliance?

The consequences of non-compliance extend beyond technical vulnerabilities into contractual and legal exposure.

  • Support Risk: When hardening requirements are not met, incident response becomes more complex. Customers may face delays in diagnosis and remediation, and their position with SAP support can be weakened if the environment does not meet required security standards.
  • Legal and Regulatory Risk: In the event of a data breach, an organization’s failure to follow vendor-prescribed security guidance can weaken its legal defensibility, increase regulatory scrutiny, and raise the likelihood of fines, penalties, and reputational harm.
  • Liability Risk: Under a shared responsibility model, the customer retains accountability—and therefore liability—for the security controls they manage.

How Does Layer Seven Security Help Address These Compliance Gaps?

The report’s findings directly align with the capabilities of Layer Seven Security’s Cybersecurity Extension for SAP. The solution helps organizations operationalize their security responsibilities by providing continuous monitoring and visibility.

It supports three key business outcomes:

  • Continuous Monitoring: Automated checks against current SAP security baselines identify non-compliance as standards evolve.
  • Reduced Risk from Compliance Drift: Ongoing visibility into configuration posture helps prevent the gradual degradation of security controls.
  • Improved Audit and Support Readiness: Continuous evidence of compliance strengthens governance, improves audit defensibility, and supports more effective incident response.

This approach provides a sustainable mechanism for organizations to remain aligned with SAP’s required security standards.
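The two ideas above, compliance drift as a baseline that changes over time and automated checks that re-evaluate a system against the current baseline, can be made concrete with a small drift check. The following Python is an added illustration written for this page; it is not code from Layer Seven Security’s product or from SAP. The parameter names are real SAP profile parameter names, but the threshold values, the baseline version labels, and the system snapshot are constructed for the example and are not the values required by the SAP notes cited above.

```python
"""Baseline drift check for SAP profile parameters (added illustration).

A system snapshot is compared against two versions of a security baseline.
A system that passed the earlier baseline is re-checked against the later,
stricter one, which is exactly the "compliance drift" case described in the
report: nothing changed on the system, but the requirement moved.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Constructed baseline versions. Operators: "ge" (>=), "le" (<=), "eq" (==).
# Values are illustrative only and are NOT the thresholds mandated by SAP.
BASELINES: Dict[str, Dict[str, Tuple[str, int]]] = {
    "2025-Q1": {
        "login/min_password_lng": ("ge", 8),
        "login/fails_to_user_lock": ("le", 5),
        "rdisp/gui_auto_logout": ("le", 3600),
    },
    # Later revision: one value tightened, one new parameter added.
    "2025-Q3": {
        "login/min_password_lng": ("ge", 12),
        "login/fails_to_user_lock": ("le", 5),
        "rdisp/gui_auto_logout": ("le", 1800),
        "gw/acl_mode": ("eq", 1),
    },
}

# Constructed snapshot of a system's effective parameters (not a real export).
SNAPSHOT = """\
# go-live snapshot, constructed for this example
login/min_password_lng = 8
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 3600
"""


@dataclass
class Finding:
    parameter: str
    expected: str
    actual: Any
    status: str  # "PASS", "FAIL" or "MISSING"


def parse_profile(text: str) -> Dict[str, Any]:
    """Parse 'name = value' lines; numeric values become ints, others stay str."""
    params: Dict[str, Any] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        params[key.strip()] = int(value) if value.lstrip("-").isdigit() else value
    return params


def _compare(op: str, actual: Any, expected: int) -> bool:
    if op == "ge":
        return actual >= expected
    if op == "le":
        return actual <= expected
    if op == "eq":
        return actual == expected
    raise ValueError(f"unknown operator {op!r}")


def check_system(params: Dict[str, Any], baseline: Dict[str, Tuple[str, int]]) -> List[Finding]:
    """Evaluate every baseline rule; a parameter absent from the snapshot is MISSING."""
    findings: List[Finding] = []
    for name, (op, expected) in sorted(baseline.items()):
        if name not in params:
            findings.append(Finding(name, f"{op} {expected}", None, "MISSING"))
            continue
        ok = _compare(op, params[name], expected)
        findings.append(Finding(name, f"{op} {expected}", params[name], "PASS" if ok else "FAIL"))
    return findings


def drift_summary(params: Dict[str, Any], old_version: str, new_version: str) -> Dict[str, Any]:
    """Report whether a system compliant under the old baseline still passes the new one."""
    old = check_system(params, BASELINES[old_version])
    new = check_system(params, BASELINES[new_version])
    return {
        "compliant_under_old": all(f.status == "PASS" for f in old),
        "compliant_under_new": all(f.status == "PASS" for f in new),
        "failing_under_new": sorted(f.parameter for f in new if f.status != "PASS"),
    }


if __name__ == "__main__":
    system = parse_profile(SNAPSHOT)
    for f in check_system(system, BASELINES["2025-Q3"]):
        print(f"{f.status:8} {f.parameter:28} expected {f.expected}, actual {f.actual}")
    print(drift_summary(system, "2025-Q1", "2025-Q3"))
```

The point of keeping baselines versioned rather than editing one list in place is that the check can answer the audit question the report raises: the snapshot was fully compliant under 2025-Q1 and, with no change on the system, fails three rules under 2025-Q3. Re-running the check whenever the baseline is revised, and keeping the findings as dated evidence, is the repeatable process the text calls for.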

Frequently Asked Questions (FAQ)

What is the shared responsibility model for RISE with SAP?
The shared responsibility model defines the security tasks managed by SAP versus those managed by the customer. While SAP secures the underlying cloud platform, the customer is accountable for secure configuration, access controls, and applying mandatory hardening standards to their SAP systems.

What happens if I don’t apply SAP’s mandatory security notes?
Failure to apply mandatory security notes, such as 3250501, 3480723, and 3381209, leaves your SAP systems vulnerable to preventable attacks. It also weakens your support position with SAP and increases legal and regulatory liability in the event of a data breach.

Is security compliance a one-time task during SAP cloud migration?
No, compliance is an ongoing process. SAP regularly updates its security requirements in response to new threats. A system that is compliant at go-live can drift out of compliance, requiring continuous monitoring and remediation to manage risk effectively.


The full benchmark findings will be presented by Robert Holland, Vice President and Research Director at SAPinsider, on Tuesday, January 13, 2026. You can register for the webinar at SAPinsider.
