Mapping Global Cybersecurity and Privacy Regulations, and the Implications for Multinationals

The SIPA Capstone team worked closely with SAP’s Trust Office and was tasked to understand relevant regulations in countries where SAP products are offered and data is stored. With over 230 million cloud users, SAP is one of the world’s leading software producers for facilitating the processing of data. Within SAP, the Trust Office aims to conceive products that meet the cybersecurity standards in their clients’ jurisdictions.

The team chose the European Union (EU) as its jurisdictional focus due to its effort to achieve digital sovereignty, advance the digital economy, and uplift cyber hygiene. The EU has proposed several intriguing draft regulations to achieve its goals. The team selected three proposed regulations -The Digital Operational Resilience Act (DORA), which was proposed in October 2020; The Digital Markets Act (DMA), proposed in December 2020; and the EU Data Act, proposed in February 2022. Each of these regulations will impact SAP’s business in different ways. Hence, the final report highlighted two pivotal questions: How will SAP be in-scope for the selected regulations? How will these regulations affect SAP’s business? The team analyzed the draft regulations and conducted secondary research through literature reviews and interviewed industry leaders, lawyers, and experts in the EU’s legislative to answer those questions. The final report mapped the impact of the chosen regulations and offered SAP specific recommendations to prepare for compliance with these regulations and potential advocacy going forward.