Hyperscaler Qualification: Regulatory Requirements and Best Practices from Current Projects

Cloud computing is established in the GxP-regulated industry and brings increased requirements, such as the qualification of hyperscalers like Azure, AWS, or Google Cloud.

How can this be implemented in a regulatory-compliant and practical manner? Our DHC web session on June 6, 2025, provided answers, and here are the key takeaways.

Thomas Pauly, Practice Manager, DHC GmbH

From Hype to Responsibility: Why Qualify Hyperscalers?

Many companies today rely on the cloud, whether Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS). With IaaS and PaaS, the cloud provider supplies the technical infrastructure, i.e., data centers, storage, networks, and virtualization services. Companies, on the other hand, are responsible for the overlying applications and data processing. Depending on the service model, responsibilities shift between the service provider and the regulated company.

Our webinar focused on qualifying the service provider, i.e., the Supplier Qualification of major cloud platform providers such as MS Azure, AWS, or SAP BTP.

Diagram of the layers of a cloud-based system with a focus on IaaS Supplier Qualification, including infrastructure, platform, and application layers as well as validation processes

Live Poll: Cloud Usage in the GxP Context

An exciting moment right at the beginning of the session was the survey on current hyperscaler usage in the GxP environment:

  • 33% use Microsoft Azure
  • 17% Amazon Web Services
  • 33% no usage yet
  • 17% other providers

These figures show: Many organizations are still at the very beginning and need guidance, both technically and from a regulatory perspective.

Regulatory Requirements: What Does Compliance Say?

Various guidelines (including EU GMP, Annex 11, MHRA GxP Guide, OECD, and ZLG) require the following before outsourcing:

  • Assessment of competence, suitability, and legitimacy of the service provider
  • Formal contracts with clearly defined responsibilities
  • Documentation and traceability of all testing activities
  • SOPs that describe the methodology for qualifying cloud providers in detail

Risk Assessment: How Much Testing Is Necessary?

The risk assessment of the outsourced activity and the supplier is decisive for the depth of supplier qualification. Typical evaluation criteria include:

  • Type of outsourced service (e.g., GxP activities)
  • Proximity to the final product
  • Risk of the outsourced activity: outsourcing only infrastructure (IaaS) versus a complete application (SaaS) significantly changes the required depth of assessment

Example: With SAP Digital Manufacturing (Public Cloud MES), critical production processes are outsourced. This carries a higher risk than the use of outsourced IT infrastructure.

  • Trust & experience with the provider
  • Size of the provider, since larger providers usually have established processes and the resources to manage risks effectively
  • Market position & adoption rate

Second Live Survey: How far along is your organization in preparing for hyperscalers?

Also interesting were the results of our second survey, in which we asked the web session participants how far they are already prepared for hyperscaler qualification:

  • 50% have initial considerations
  • 25% are planning
  • 13% are in implementation
  • 13% completed

Approach: How to Qualify a Hyperscaler in Practice

“In our projects, we often see that supplier assessments have not yet been extended to cloud providers,” said Pauly. Above all, the documentation the supplier already provides is often not evaluated and used to mitigate supplier risk in the early phase of supplier qualification. Future supplier assessments should take this into account, and the adapted approach should be reflected in the SOP for supplier qualification. As a rule, this requires corresponding follow-up work on existing SOPs.

Future supplier assessments (especially of large cloud service providers) should consider the following approach:

  • Risk assessment of the outsourced activity and the supplier
  • Evaluation of existing documentation to mitigate supplier risk
    • Assessment of documentation against risk-based checkpoints / checklist (e.g. Cloud Control Matrix)
    • Identification of gaps
  • Assessment of gaps
    • Residual supplier risk
  • Measures depending on the residual supplier risk
    • No gaps / acceptance of residual risk: Final report
    • Medium risk: Supplier questionnaire
    • High risk: Supplier audit
  • Final report

Particularly with hyperscalers, extensive documentation (compliance offerings) is available: SOC 2, ISO 27001, C5, whitepapers, etc. Especially relevant is SOC 2 Type II, which attests to the operating effectiveness of the provider’s controls over a reporting period, not merely their design at a point in time. Individual checkpoints not covered by SOC 2 can be addressed through additional certificates or provider-specific whitepapers.

The Cloud Control Matrix – The Core of the Audit

A particularly important tool is the GxP Cloud Control Matrix. It is based on, among others:

  • Cloud Controls Matrix of the Cloud Security Alliance (CSA)
  • ISO 27001 and BSI C5 catalog
  • Extended with GxP-specific requirements (e.g., QMS, documentation)

“We don’t just check for the existence of certifications, but whether the actual implementation and traceability are given, for example with SOC 2 Type II,” explains Thomas Pauly, speaker of the web session and Practice Manager “IT Compliance” at DHC.

The matrix is divided into audit areas (domains) and the relevance of audit points is defined according to service model (IaaS, PaaS, SaaS).

After qualification comes monitoring

With the qualification report, the responsibility does not end. Rather, operations begin with the following requirements:

  • SOPs for qualified operations
  • Continuous monitoring and SLA evaluation
  • Regular review of audit reports (e.g., annual SOC 2)

Only in this way can lasting GxP compliance be ensured.
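The procedure above (risk-based checkpoints, gap identification, measures by residual risk), the service-model relevance of matrix entries, and the annual review of audit reports can be expressed as a small gap-assessment routine. The following is an added example and not DHC’s tool or checklist: the control IDs, domains, criticalities, the evidence set and the escalation rule (no gap: final report; medium: questionnaire; high: audit) are constructed assumptions modelled on the text. Two design choices reflect the points made above: evidence older than twelve months no longer mitigates risk, and a document that does not show operating effectiveness (a whitepaper, a Type I report) is accepted only for medium-criticality checkpoints.

```python
"""Gap assessment of a constructed GxP cloud control matrix against supplier evidence.

Added example, not DHC's tool. Control IDs, domains, criticalities, the evidence
set and the escalation rule are assumptions modelled on the procedure in the text.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    cid: str
    domain: str
    applies_to: frozenset   # service models for which this checkpoint is relevant
    criticality: str        # "high" or "medium": drives the residual-risk classification


@dataclass(frozen=True)
class Evidence:
    source: str
    covers: frozenset       # control ids the document demonstrably addresses
    period_end: date        # end of the SOC 2 reporting period / document date
    shows_operation: bool   # True for SOC 2 Type II (operating effectiveness over a period)


ALL = frozenset({"IaaS", "PaaS", "SaaS"})

# Constructed matrix (hypothetical IDs); a real one is derived from CSA CCM, ISO 27001, BSI C5
# and extended with GxP-specific checkpoints.
MATRIX = (
    Control("PHY-01", "Datacenter security", ALL, "high"),
    Control("IAM-02", "Identity and access management", ALL, "high"),
    Control("BCR-04", "Backup and recovery", ALL, "high"),
    Control("CHG-03", "Change management of the platform", frozenset({"PaaS", "SaaS"}), "medium"),
    Control("GXP-01", "Supplier QMS documented", ALL, "medium"),
    Control("GXP-05", "Validation support for the application", frozenset({"SaaS"}), "high"),
)

# Constructed evidence for a fictitious provider.
EVIDENCE = (
    Evidence("SOC 2 Type II", frozenset({"PHY-01", "IAM-02", "BCR-04"}), date(2025, 3, 31), True),
    Evidence("Change-management whitepaper", frozenset({"CHG-03"}), date(2025, 1, 15), False),
)

MAX_AGE = timedelta(days=365)   # assumed review cycle: annual audit reports


def current(ev, as_of):
    """Evidence older than the review cycle is treated as if it did not exist."""
    return as_of - ev.period_end <= MAX_AGE


def covered_by(control, evidence, as_of):
    """Return the source that mitigates this checkpoint, or None if there is a gap.

    High-criticality checkpoints require evidence of operating effectiveness
    (SOC 2 Type II); medium ones may be closed by a current whitepaper or certificate.
    """
    for ev in evidence:
        if control.cid not in ev.covers or not current(ev, as_of):
            continue
        if ev.shows_operation or control.criticality == "medium":
            return ev.source
    return None


def assess(matrix, evidence, service_model, as_of):
    """Gap assessment for one service model; as_of may be a date or an ISO string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    relevant = [c for c in matrix if service_model in c.applies_to]
    coverage = {c.cid: covered_by(c, evidence, as_of) for c in relevant}
    gaps = [c for c in relevant if coverage[c.cid] is None]
    if not gaps:
        residual, measure = "accepted", "final report"
    elif any(c.criticality == "high" for c in gaps):
        residual, measure = "high", "supplier audit"
    else:
        residual, measure = "medium", "supplier questionnaire"
    return {
        "service_model": service_model,
        "coverage": coverage,
        "gaps": [c.cid for c in gaps],
        "residual_risk": residual,
        "measure": measure,
    }


if __name__ == "__main__":
    for model, as_of in (("IaaS", "2025-06-06"), ("SaaS", "2025-06-06"), ("IaaS", "2026-06-06")):
        print(assess(MATRIX, EVIDENCE, model, as_of))
```

Run stand-alone, the three calls show the effect of the two rules: for IaaS on the session date only the QMS checkpoint is open, so a questionnaire suffices; the same provider assessed as SaaS has a high-criticality validation gap and needs an audit; and one year later the unchanged evidence has aged out, so every checkpoint reopens until the next SOC 2 report is reviewed.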

Conclusion: Hyperscaler Qualification Requires Methodology, Tools and Experience

Hyperscaler qualification is not a one-time audit but a structured, risk-based process that must be consistently documented and regularly reviewed.

DHC offers structured procedures, proven checklists, and deep compliance expertise for this purpose. Whether Microsoft Azure, AWS, or SAP BTP, we support our customers from assessment to ongoing compliance.

Where does your company stand when it comes to hyperscaler qualification?

Feel free to analyze your individual situation with our experts.
