Supplier Qualification of Cloud Service Providers in the GxP Environment

Supplier qualification of cloud service providers in GxP-regulated environments presents significant challenges for many companies in the life sciences industry. Different regulatory interpretations, increasing cloud adoption, and high requirements for patient safety, product quality, and data integrity create uncertainty in practice.

Thomas Pauly, Practice Manager - IT Compliance, DHC GmbH

New position paper from DSAG and SAP provides guidance

With the new joint position paper “Supplier Qualification of Cloud Service Providers for GxP-Regulated Industries Using the Example of SAP” (as of November 2025), SAP and DSAG provide clear, practical guidance. The goal is to establish effective, risk-based supplier risk management for cloud services while initiating a dialogue with regulators and inspectors.

What does supplier qualification mean in the context of GxP cloud solutions?

Supplier qualification in the GxP environment refers to the systematic, risk-based assessment, monitoring, and documentation of cloud service providers (e.g., SaaS, PaaS, or IaaS) to ensure compliance with regulatory requirements and the safety of patients, products, and data.

The position paper makes clear:
Supplier qualification is mandatory, but an on-site audit is not automatic.
Whether and in what form audits are conducted should consistently be derived from the risk assessment.

Key points of the position paper:
A risk-based approach instead of a blanket audit requirement

SAP and DSAG emphasize that while international regulations (including EU GMP Guide, Annex 11, AMWHV, GAMP 5) require supplier qualification, the specific implementation must be risk-based. Key factors include:

  • GxP relevance of the outsourced activity
  • Impact on product quality, patient safety, and data integrity
  • Type of cloud service (SaaS, PaaS, IaaS)
  • Experience, maturity level, and market position of the provider

Shared responsibility between companies and cloud providers

Even though regulatory responsibility remains with the GxP-regulated company, the position paper calls for a consistent implementation of “Shared Responsibility”. Cloud service providers should actively contribute to risk mitigation through:

  • an established quality management system,
  • transparent documentation, and
  • standardized evidence

This evidence should be more strongly integrated into supplier assessments.

Tailored audit strategies

The paper classifies various audit forms, from simple assessments and questionnaire-based reviews to group or on-site audits. The clear focus:
Audit efforts should be based on actual risks and not applied universally.

The Role of SOC 2, C5, and SOC 2+GxP

According to SAP and DSAG, a key lever for improving efficiency is the use of standardized, independent audit reports such as SOC 2 or C5.
The further development toward SOC 2+GxP reports is described as forward-looking. A SOC 2+ report can be extended with industry-specific requirements such as GxP, thereby closing gaps in areas such as training, qualification, and standard operating procedures.

Goal: A structured, efficient qualification process

The position paper describes a clearly structured target process, from criticality assessment through review of available documentation and gap analysis to graduated follow-up steps.

In the envisioned new supplier qualification process, the assessment of available documentation (such as SOC 2 or C5 reports) is proposed as a mitigation of supplier risk. Any gap between the supplier documentation and the regulated company’s requirements is identified, and based on the remaining supplier risk, a decision is made on whether to conduct an (on-site) audit.

The result: Comprehensive and effective supplier qualification of cloud service providers while simultaneously reducing the effort for necessary audits.

Download the position paper now

The complete position paper provides detailed insights into:

  • regulatory foundations,
  • concrete assessment and decision logic,
  • the target vision: future process of supplier qualification,
  • practical examples and recommended process steps.

➡️ You can download the position paper and read the details here:

https://impulsant-dsag.de/formate/textbeitrag/lieferantenqualifizierung

Cloud service providers in the GxP environment

Let us jointly assess how you can qualify cloud service providers in a GxP environment in a risk-based, efficient, and inspection-ready manner.
