
EU AI Act and SAP Business AI: What Changes from August 2026 and What You Must Document Yourself


From 2 August 2026 the EU AI Act takes full effect. High-risk systems must meet strict requirements on risk management, data governance, transparency, and human oversight. SAP brings certifications, but the customer carries a substantial part of the compliance load. This article examines where SAP Business AI use cases fall in scope and which governance moments emerge.


1. Timeline and Scope of the EU AI Act

The EU AI Act entered into force in August 2024 and is being applied in clearly defined stages. Prohibitions on unacceptable AI practices became effective in February 2025. Rules for General Purpose AI Models (GPAI) became applicable in August 2025. Full applicability for high-risk AI systems begins on 2 August 2026. A further stage for certain Annex III systems follows in August 2027 (source: European Commission AI Act Regulatory Framework, SAP Trust Center).

The scope of the law is deliberately broad: it applies to all AI systems deployed in the EU, regardless of where the provider is headquartered. US-based organizations with EU operations are equally affected (source: Holland & Knight, US Companies Face EU AI Act's August 2026 Compliance Deadline). For SAP customers in DACH, this means that anyone operating SAP Business AI in production has had a concrete reason since early 2026 to assess their regulatory classification.

The relevant question is not whether an organization uses AI, but how. The first governance moment in the EU AI Act context lies precisely here: systematically inventorying all AI use cases in SAP before full effect takes hold.


2. What Qualifies as High-Risk, with SAP Examples

The EU AI Act distinguishes several risk levels. For SAP customers, the most relevant are AI systems listed as high-risk in Annex III of the law. This category is subject to the strictest requirements: conformity assessment, technical documentation, a risk management system, human oversight mechanisms, logging and monitoring, and EU database registration.

Four Annex III categories are particularly relevant for SAP Business AI use cases.

HR and worker management: AI features in SuccessFactors that support candidate screening, performance evaluation, or employee monitoring can be classified as high-risk. This is the governance moment for Procurement at the initial contract decision: high-risk classification should be reflected before signing. The Contract Manager carries ongoing responsibility for documentation obligations in production.

Credit scoring and financial decisions: AI features in S/4HANA Finance that feed into credit or risk assessment processes potentially fall under this category. For Controlling, the relevance is direct: audit capability and explainability of AI-supported decisions are regulatory requirements, not optional.

Critical infrastructure: AI capabilities in Procurement and Supply Chain solutions can be relevant in critical infrastructure contexts. The Executive carries final governance responsibility for the release of such use cases.

Biometric identification: AI systems used in access control or identity verification, for example in HR processes, are also high-risk candidates.

The decisive point: responsibility as the deployer rests with the customer, not with SAP as the provider. SAP's certifications cover SAP's own provider obligations. The deployer obligations for operating the systems in production rest entirely with the customer (source: SAP Trust Center, EU AI Act Compliance).


3. SAP Certifications: ISO/IEC 42001 and SOC 2

SAP has obtained relevant certifications for its AI services that provide an important foundation in compliance dialogue.

ISO/IEC 42001 is the international standard for AI Management Systems. According to SAP's own communication, SAP is among the first major companies globally to hold this certification. The standard covers AI governance, risk management, controlled deployment, continuous monitoring, continuous improvement, and transparency for SAP's own AI processes.

SOC 2 Type II audits cover the cloud security of the AI services on a 12-month audit cycle. Complementing this are ISO 27001 for Information Security Management and the EU-US Data Privacy Framework for transatlantic data transfers.

What these certifications mean for customers: they are a reliable demonstration of SAP's provider diligence. They do not substitute for the customer's own compliance documentation as the deployer. For a conformity assessment under the EU AI Act, it is not sufficient to reference SAP's certificates. Customers must separately document and demonstrate their own AI management processes, their own use case classification, and their own human oversight mechanisms.

For the Contract Manager, a concrete governance moment arises from this: SAP's Trust Center documents and certification evidence should be referenced as contractually assured materials in the Order Form. That makes subsequent audits substantially easier to manage.


4. The AI Agent Hub as a Compliance Instrument

The SAP AI Agent Hub is scheduled for general availability in Q3 2026. It is built on SAP LeanIX and provides a technical infrastructure directly aligned with the requirements of the EU AI Act.

Five core functions and their compliance relevance:

Discovery creates the inventory of all agents in the tenant. This is the technical foundation for the EU AI Act registration obligation under Article 16.

Verification ensures agents are authorized and operate under defined policies. This addresses the requirement for a controlled deployment process for high-risk systems.

Observability delivers logging and monitoring. For high-risk systems, this is explicitly required under Article 12 of the EU AI Act.

Policy Definition defines human oversight mechanisms: who may operate which agents with which data. This addresses one of the core obligations for high-risk deployers.

Optimization enables KPI tracking per agent. This supports the demonstration of continuous improvement, which is anchored as an ongoing obligation in both ISO/IEC 42001 and the EU AI Act (sources: SAP Trust Center, SAP Insider Sapphire 2026 AI Agent Guardrails).

For Procurement and Contract Manager, the AI Agent Hub is therefore not an optional operational tool but a foundation for the organization's own governance capability. Anyone operating productive high-risk use cases before August 2026 should verify that either the AI Agent Hub is planned or an equivalent internal capability is in place. This governance moment cannot be deferred until after go-live.


5. Data Sovereignty and Tenant Isolation

Beyond EU AI Act compliance, SAP Business AI raises the question of what happens to company data in AI workflows. The EU AI Act explicitly requires, for high-risk systems, a data governance framework with documentation of the data categories used.

SAP addresses this across several dimensions.

Tenant isolation: customer business data remains in the customer tenant. SAP does not access it except for agreed operational processes.

No model training with customer data: SAP does not use customer business data to train proprietary models under the standard AI Terms. This commitment is the basis on which customers can deploy sensitive business data in AI workflows (source: SAP Trust Center, Data Sovereignty).

GenAI Hub and external models: prompts are routed through the Generative AI Hub, which abstracts the model API. The data usage terms for external foundation models are governed by the respective contract between the model provider and SAP, not by SAP's own AI Terms document. For sensitive data categories, an explicit review of this second contract layer is advisable.

The governance moment for Controlling lies in data categorization: which data flows into which AI workflows? This question must be answered before going live, because it directly determines the high-risk classification and with it the entire compliance effort. Without this foundation, a sound assessment of the organization's own compliance obligations is not achievable.


6. IP Indemnification

IP indemnification is the contractual assurance that SAP accepts liability for potential intellectual property infringements by the AI systems or holds the customer harmless. In the context of the EU AI Act, this clause gains significance: high-risk AI output that contributes to misinformation or flawed decisions can generate liability questions.

What SAP standardly commits to: indemnification for IP infringements by SAP-proprietary models (SAP-ABAP-1, SAP-RPT-1). For certain third-party models in the GenAI Hub, extended indemnification can be negotiated, but this is not the default.

What SAP does not standardly commit to: IP indemnification for output produced by agents that the customer develops in Joule Studio, and indemnification for violations of sector-specific regulation such as the Medical Device Regulation.

The practical consequence for Procurement and Contract Manager: for use cases with potentially liability-relevant outputs, for example in pharmaceuticals, the legal sector, or financial services, explicit IP clauses should be anchored in the Order Form. This governance moment lies before contract signature, not after. Once the contract is signed, the negotiating position is substantially more constrained.

A structured review of IP indemnification clauses is also advisable because SAP updates its standard terms regularly. What was contained in a RISE contract signed in 2024 may differ from the current SAP AI Terms document. For the Contract Manager, this creates a recurring governance moment: checking clause currency whenever the AI Terms document changes.


7. Industry-Specific Requirements

Beyond the general EU AI Act requirements, additional compliance obligations exist in regulated industries that affect SAP Business AI deployments.

Financial services: BaFin, EBA, and FINMA require an AI use case inventory, explainability for credit and risk assessments, and DORA compliance (Digital Operational Resilience Act) for AI services. For Controlling and Executive, this means a dual compliance layer: EU AI Act and DORA apply simultaneously.

Pharma and life sciences: GxP validation is required for AI components deployed in GxP-regulated processes. For medical software, the Medical Device Regulation (MDR) applies. SAP provides no generic GxP validation documentation for Business AI.

Defense and critical infrastructure: NIS-2 requirements apply to AI components in critical infrastructure. Sovereignty requirements may mandate EU-based cloud processing.

Public sector: BSI requirements and the C5 attestation for cloud services can be extended to AI services.

The common denominator: SAP provides no generic industry certification for Business AI. Sector-specific compliance must be independently demonstrated by each customer, based on SAP's Trust Center documentation and a proprietary AI governance framework (source: SAP Trust Center, NextLytics DSAG Technology Days 2026).

For the Executive, a structured governance moment arises: before a productive AI use case is released, a compliance assessment should be in place that evaluates both the general EU AI Act requirements and the sector-specific additional obligations together. Building this assessment internally or with independent expertise is a governance decision that typically rests at Executive level.


FAQ

Does the EU AI Act apply to us if SAP is the provider?

Yes. The EU AI Act distinguishes between provider and deployer. SAP is the provider of the AI systems and carries corresponding obligations, which SAP demonstrates through its certifications (ISO/IEC 42001, SOC 2). The customer, as deployer, is responsible for the concrete operation: use case classification, conformity assessment, human oversight, logging and monitoring. These deployer obligations cannot be delegated to SAP (source: European Commission, SAP Trust Center).

What must be completed before 2 August 2026?

For every productive AI use case in a high-risk category, the following elements should be in place by 2 August 2026: a documented classification of the use case, a completed conformity assessment, an established risk management system, defined human oversight mechanisms, and active logging and monitoring. Inventorying all AI use cases in operation is the most practical first step (source: Secure Privacy EU AI Act 2026 Compliance).

Does the SAP AI Agent Hub help with EU AI Act compliance?

The AI Agent Hub addresses several EU AI Act requirements directly: inventory of all agents (registration obligation), observability with logging (Article 12), policy management for human oversight, and verification for controlled operation. It is a technical foundation, but does not replace the customer's organizational governance function. Use case classification, conformity assessment, and sector-specific reviews remain with the customer (source: SAP Insider Sapphire 2026 AI Agent Guardrails).

What is the first concrete step?

The first governance moment is use case inventorying: which AI features in SAP Business AI are being used in production? Which of these potentially fall under a high-risk category of the EU AI Act? This foundation determines the entire compliance effort. Without it, a sound assessment of the organization's own obligations is not possible. For SAP customers with complex contract portfolios, this step is closely linked to contract analysis: which AI capabilities are contractually licensed, and which of those are actually in productive use?


Sources: SAP Trust Center (EU AI Act Compliance, Data Sovereignty), European Commission (AI Act Regulatory Framework), Holland & Knight (US Companies Face EU AI Act's August 2026 Compliance Deadline), SAP Insider (Sapphire 2026 AI Agent Guardrails), NextLytics (DSAG Technology Days 2026), Secure Privacy (EU AI Act 2026 Compliance), Legal Nodes (EU AI Act 2026 Updates)

Next Steps

If you would like your current contract reviewed for risks and available commercial levers: the FinOptory Contract Check is a fixed-price engagement that delivers a structured basis within four weeks.

Written by Bernhard Mändle, Managing Consultant, FinOptory for SAP®