In 2007, Microsoft published a whitepaper explaining how Dynamics NAV 5.0 could help subsidiaries of US-listed companies meet Sarbanes-Oxley requirements. The document covered role-based security, the change log, document approvals, and audit trails. Nearly two decades later, every one of those capabilities still exists in Business Central — but the compliance landscape around them has expanded dramatically. SOX is just one layer. GDPR, NIS2, DORA, and the EU AI Act now apply to ERP systems with equal or greater force.

1. The Regulatory Stack in 2026

Organizations in the EU — especially in Luxembourg’s financial sector — face overlapping regulations. Each places specific demands on ERP systems.

Regulation | Scope | ERP impact
SOX (2002) | US-listed companies and their subsidiaries worldwide | Internal controls over financial reporting. Audit trail, change log, segregation of duties, approval workflows.
GDPR (2018) | Any organization processing EU personal data | Data classification, right to erasure, data portability, breach notification, data residency.
NIS2 (2024) | Essential and important entities in the EU, including supply chain | Incident reporting, risk management, supply chain security, management accountability.
DORA (2025) | Financial entities and their critical ICT providers in the EU | ICT risk management, resilience testing, third-party oversight, incident reporting.
EU AI Act (2025–2027) | Any organization deploying AI in the EU | Transparency for AI-assisted decisions (Copilot), risk classification, human oversight requirements.

Key insight

These regulations are cumulative, not alternative. A Luxembourg fund administrator with a US-listed parent must comply with SOX and GDPR and DORA and NIS2. Business Central is the foundation — but only if it is configured correctly.

2. Built-In Compliance Capabilities

Business Central ships a comprehensive set of compliance features. Some are enabled by default; others require explicit configuration. Here is the complete inventory.

Role-Based Security & Permission Sets

The same concept from NAV 5.0 — but now far more granular. Business Central uses license-level entitlements combined with admin-defined permission sets. Each permission set specifies read, insert, modify, delete, and execute rights at the table and object level. Permission sets can be assigned directly to users or composed via security groups synced from Microsoft Entra ID.

  • Segregation of Duties — Configure incompatible permission sets (e.g., “Create Vendor” and “Approve Payment”) and BC will prevent a single user from holding both.
  • Security Filters — Restrict access to specific records (e.g., a user can only see G/L entries for their department).
  • Effective Permissions — A built-in page that shows exactly what a specific user can and cannot do, after all entitlements, permission sets, and security groups are resolved.

Change Log

Every insert, modify, and delete on monitored tables is recorded with the user ID, timestamp, old value, and new value. This is the same Change Log that existed in NAV 5.0 — but now runs on SQL Server with full platform support, and can be exported for external analysis.

Configuration: Search → Change Log Setup → select which tables and fields to monitor. At minimum, enable monitoring on: Customer, Vendor, G/L Account, Bank Account, User Setup, Permission Set, and any master data table critical to your financial reporting.
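An added example (not Microsoft's or the article's own code) that reviews an exported Change Log offline, covering both the segregation-of-duties point in the permission-set section and the export mentioned here: it flags entries on access- and reporting-critical tables, users holding conflicting permission sets, and users editing their own User Setup record (the per-user posting-date override). Column captions and table names are assumed from the article; the CSV rows, the permission-set names and the user assignments are constructed.

```python
import csv
from io import StringIO

# Constructed sample of an exported Change Log (column captions follow the
# Change Log Entries page). Not real customer data.
CHANGE_LOG_CSV = """Date and Time,User ID,Table Caption,Type of Change,Primary Key,Field Caption,Old Value,New Value
2026-01-14 09:02,ALICE,Vendor,Insertion,No.=V00120,No.,,V00120
2026-01-14 09:05,ALICE,Vendor Bank Account,Modification,Vendor No.=V00120,IBAN,LU00 1111 2222 3333 4444,LU00 9999 8888 7777 6666
2026-01-14 10:40,BOB,User Setup,Modification,User ID=BOB,Allow Posting To,2026-01-31,2026-12-31
2026-01-15 08:10,CAROL,Permission Set,Insertion,Role ID=SUPER-LITE,Role ID,,SUPER-LITE
2026-01-15 11:00,DAVE,Customer,Modification,No.=C10010,Phone No.,+352 1234,+352 5678
"""

# Tables whose changes alter access rights or reported figures (the article's
# minimum monitoring list plus Vendor Bank Account, where payment fraud lands).
SENSITIVE_TABLES = {"User Setup", "Permission Set", "General Ledger Setup",
                    "G/L Account", "Bank Account", "Vendor Bank Account"}

# Permission-set pairs one user must never hold together. Names are the
# article's illustrative ones, not shipped Microsoft permission sets.
SOD_CONFLICTS = [("CREATE VENDOR", "APPROVE PAYMENT")]

# Constructed user -> permission set assignments (as exported from the Users page).
ASSIGNMENTS = {"ALICE": {"CREATE VENDOR", "APPROVE PAYMENT"},
               "BOB": {"GL ACCOUNTANT"}, "CAROL": {"SUPER"}}

def parse_change_log(text):
    """Parse the CSV export into one dict per Change Log Entry."""
    return list(csv.DictReader(StringIO(text)))

def sensitive_changes(rows):
    """Entries on tables that alter access or financial reporting."""
    return [r for r in rows if r["Table Caption"] in SENSITIVE_TABLES]

def sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Users holding both halves of a conflicting permission-set pair."""
    return [(user, a, b) for user, sets in assignments.items()
            for a, b in conflicts if a in sets and b in sets]

def self_edits_of_user_setup(rows):
    """Users changing their own User Setup record, e.g. widening their own
    Allow Posting From/To window (the per-user override of posting-date locks)."""
    return [r for r in rows if r["Table Caption"] == "User Setup"
            and r["Primary Key"] == f"User ID={r['User ID']}"]

if __name__ == "__main__":
    entries = parse_change_log(CHANGE_LOG_CSV)
    print(len(sensitive_changes(entries)), "sensitive changes;",
          sod_violations(ASSIGNMENTS), self_edits_of_user_setup(entries))
```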

Approval Workflows

NAV 5.0 had basic document approvals. Business Central has a full workflow engine that supports multi-level approvals, amount thresholds, approval chains, delegation, and integration with Power Automate for cross-system orchestration. Standard workflows cover purchase orders, sales orders, payment journals, and master data changes (customer, vendor, item).

For SOX: approval workflows provide the preventive controls that auditors look for in Sections 302 and 404. No purchase order above a threshold posts without an authorized approver signing off.

Audit Trail & Navigate (Find Entries)

The Navigate function — now called Find Entries — remains the most powerful audit tool in Business Central. Given any document number, it shows every ledger entry, VAT entry, bank account entry, value entry, and G/L entry connected to that transaction. Full drill-down from any line to the source document.

This is the feature that makes external auditors comfortable with Business Central. They can trace any number on the balance sheet back to the original source document in seconds — exactly the drill-down capability that SOX Section 404 demands.

Data Classification & GDPR Tools

Every field in Business Central carries a DataClassification property: CustomerContent, EndUserIdentifiableInformation, EndUserPseudonymousIdentifiers, AccountData, OrganizationIdentifiableInformation, or SystemMetadata. The Data Classification worksheet lets administrators review and classify all fields in the system.

  • Data Privacy Utility — Handles subject access requests (SAR) and right-to-erasure requests. Export all data related to a person, or anonymize/delete it across all tables.
  • Retention Policies — Define how long different record types are kept. Automatically delete or archive data beyond the retention period. Critical for GDPR’s data minimization principle.
  • Activity Log — Tracks system-level events (email sent, web service called, document exported) for compliance auditing.

Telemetry & Monitoring

Business Central sends telemetry to Azure Application Insights — login events, permission changes, report generation, long-running queries, errors, and configuration changes. This is the modern replacement for the NAV 5.0 “Client Monitor.” Combined with Azure Monitor alerts, it provides the real-time event detection that NIS2 requires for incident reporting.

3. From NAV to BC: What Changed

The 2007 whitepaper covered NAV 5.0. Here is how each capability evolved.

Capability | NAV 5.0 (2007) | Business Central (2026)
Security model | Roles with table-level permissions. Windows authentication. | Entitlements + permission sets + security groups. Microsoft Entra ID with MFA, Conditional Access, PIM.
Change tracking | Change Log + Client Monitor. | Change Log + Application Insights telemetry + Activity Log + Audit Log.
Approvals | Basic document approval with amount limits. | Full workflow engine + Power Automate integration. Multi-level, conditional, with delegation and escalation.
Audit trail | Navigate function. Drill-down from ledger entries. | Find Entries (Navigate). Same core capability, extended to all entry types. Full API access for external audit tools.
Data exchange | XBRL for financial reporting. | XBRL deprecated. SAF-T, e-invoicing (Peppol), FAIA (Luxembourg), API-first architecture.
Backups | Manual or scheduled database backup. | Automatic platform backups with 30-day point-in-time restore. Customer-managed encryption keys available.
Data privacy | Not addressed. | Data Classification, Data Privacy Utility, retention policies, right to erasure, EU Data Boundary.
Partner access | Direct database access. No delegation model. | Granular Delegated Admin Privileges (GDAP). Scoped by role, duration, and environment. Customer Lockbox for Microsoft access.

The core is the same

If you used NAV’s compliance features in 2007, you already understand the architecture. The principles haven’t changed: restrict access, log everything, require approval, trace every transaction. What changed is the scale of the tooling and the number of regulations that demand it.

4. Practical Configuration Checklist

These are the configurations we apply in every compliance-conscious implementation.

01  Enable the Change Log

Setup → Change Log Setup. Monitor at minimum: Customer, Vendor, G/L Account, Bank Account, User Setup, Permission Set, General Ledger Setup, Inventory Setup.

02  Configure Approval Workflows

Search → Workflows. Set up approval chains for Purchase Orders, Payment Journals, and master data changes. Define amount thresholds and approver hierarchies.

03  Set Up Permission Sets

Create functional permission sets (e.g., AP Clerk, AR Manager, GL Accountant). Map to security groups in Entra ID. Verify with the Effective Permissions page.

04  Run the Data Classification Worksheet

Search → Data Classification. Review all fields tagged as EndUserIdentifiableInformation. Confirm classification is accurate for GDPR obligations.

05  Configure Retention Policies

Search → Retention Policies. Set retention periods per table. Align with your data retention schedule and local legal requirements.

06  Connect Application Insights

Environment settings → Telemetry. Connect your Azure Application Insights resource. Set up alerts for login failures, permission changes, and error spikes.

07  Lock Down Posting Dates

General Ledger Setup → Allow Posting From/To. User Setup for per-user overrides. Close inventory periods monthly. Prevent back-dated entries that alter reported figures.

08  Review Partner Access (GDAP)

Ensure your Microsoft partner (including us) has scoped, time-limited access via Granular Delegated Admin Privileges. No standing admin access.

5. What Regulations Expect from Your ERP

Mapping Business Central features to the requirements of SOX, GDPR, NIS2, and DORA.

Requirement | BC feature
Access control & segregation of duties | Permission sets, security groups, Entra ID
Change tracking & audit trail | Change Log, Find Entries, Activity Log
Document approval workflows | Approval Workflows, Power Automate
Data classification | Data Classification worksheet
Right to erasure / data minimization | Data Privacy Utility, retention policies
Incident detection & reporting | Application Insights, Azure Monitor alerts
Data residency | EU Data Boundary, geo-locked environments
Encryption & key management | At-rest encryption, customer-managed keys
Third-party / partner access control | GDAP, Customer Lockbox, PIM
Backup & resilience | Automatic backups, point-in-time restore

Luxembourg-specific

Luxembourg’s CSSF (Commission de Surveillance du Secteur Financier) circular 20/750 on ICT risk management aligns closely with DORA. If you are in financial services, fund administration, or insurance in Luxembourg, DORA compliance is effectively mandatory today — not just from January 2025. The CSSF has been enforcing these principles since 2020. Business Central’s cloud architecture with Microsoft’s SOC 1/2/3 certifications, ISO 27001, and C5 attestation directly supports these requirements.

What this means for your organization

Business Central is one of the most compliance-ready ERP platforms on the market — but only when configured deliberately. The features exist; the question is whether your implementation activates them. Most organizations we audit have fewer than half of these controls enabled. The gap between “available” and “configured” is where compliance risk lives.

We configure compliance controls as a standard part of every implementation — and we offer standalone compliance reviews for existing environments. Whether you need SOX readiness for a US parent, GDPR alignment, or DORA preparation for the CSSF, the starting point is the same: understand what your ERP can do, then make sure it actually does it.

Sources: Microsoft Learn — Compliance Overview · Microsoft SOX/NAV Whitepaper (2007) · SK Consulting implementation experience