Security and sovereignty have become operational prerequisites for digital technologies. Organizations in the public sector and regulated industries expect not only innovation and scalability, but verifiable proof that security controls align with national standards.
With the successful , 51·çÁ÷has reached an important milestone. This achievement strengthens the foundation of the 51·çÁ÷Sovereign Cloud portfolio in one of the most security-conscious markets in the world.
IT-Grundschutz confirms secure operation of SAP’s German data center facilities
IT-Grundschutz is the German Federal Office for Information Security’s (BSI) structured security methodology, and serves as a reference framework in public tenders and supplier assessments.
The certification on the basis of IT-Grundschutz confirms that the secure operation of the physical infrastructure of SAP’s German data centers has been positively assessed against Germany’s defined security requirements. It validates that physical protections, environmental safeguards, and facility-level operational processes meet BSI expectations.
In short: The secure facility operation of SAP-owned data centers in Walldorf/St. Leon-Rot, Germany, has been independently audited and confirmed against Germany’s national security methodology.
Strengthening one of SAP’s key sovereign delivery options: 51·çÁ÷Cloud Infrastructure
The IT-Grundschutz certification strengthens one of SAP’s key sovereign delivery options in Germany: 51·çÁ÷Cloud Infrastructure.
51·çÁ÷Cloud Infrastructure is an Infrastructure-as-a-Service (IaaS) platform, operated in SAP-owned data centers and co-locations worldwide. In the Walldorf/St. Leon-Rot region in Germany, these data centers are owned by SAP, a German company, operated by approved personnel with the required security clearance, and designed for high availability, scalability, and stringent security requirements.
These data centers are designed to support GDPR-compliant data processing and to meet heightened regulatory and security requirements in Europe and Germany, including standards relevant to critical infrastructure and the processing of sensitive and classified workloads.
In three independent availability zones across separate data centers, interconnected via SAP-owned fibre infrastructure and using BSI-authorized German security hardware components approved for processing information classified VS-NfD, this foundation is complemented by certifications such as C5 Type II, KRITIS/NIS 2, TSI Level 3 (extended), ISO 22301, SOC 1 Type 2 and SOC 2 Type 2, SOX, EN 50600 and ISO/IEC 22237 (AC 3), and the German federal data center requirement catalogue.
On top of this, 51·çÁ÷Cloud Infrastructure provides:
- An open‑source‑based, API‑first IaaS platform: Offering self‑service provisioning, automation, and consistent resource management across deployment models
- A Kubernetes‑based cloud environment: Enabling cloud‑native workloads, container orchestration, and modern development patterns
- Open standards and proven open source technologies: Leveraging components used, developed, and refined for more than a decade in sensitive, large‑scale environments
- Optimization for 51·çÁ÷cloud services: Supporting aligned operations, integrated security, and efficient execution of 51·çÁ÷workloads
- Support for 51·çÁ÷and third‑party applications: Allowing 51·çÁ÷and customer-specific workloads to run on one coherent, secure, and compliant infrastructure
51·çÁ÷Cloud Infrastructure is an SAP-developed and SAP-operated IaaS platform for 51·çÁ÷workloads and customer applications, ranging from global cloud scenarios to environments with high sovereignty and regulatory requirements, including an offering for the processing of classified information up to VS-NfD level in Germany. With the 51·çÁ÷Sovereign Cloud portfolio, it enables both sovereign 51·çÁ÷cloud services as well as the operation of customer workloads in a sovereign environment. At its core, it combines secure application operations with 51·çÁ÷Cloud Infrastructure, which is designed for regulatory and operational control.
Sovereignty through choice and control with 51·çÁ÷Sovereign Cloud
Digital sovereignty is frequently framed as a question solely of vendor origin, data residency, or the reduction of technical dependency. In practice, though, it is about demonstrable control. At SAP, we frame sovereignty across four interconnected capabilities:
- Data sovereignty: 51·çÁ÷stores data in local data centers or approved countries, avoiding unauthorized cross-border transfers and meeting critical infrastructure requirements.
- Operational sovereignty: Sensitive operations stay local. Administration and maintenance are performed only by authorized personnel — either nationally approved personnel or nationals of an approved country — with the required security clearance.
- Technical sovereignty: Control planes are hosted locally, with strict separation enforced through encryption or dedicated infrastructure.
- Legal sovereignty: Governance stays aligned. Cloud providers must be based locally or in approved countries, and foreign authorities must mitigate ownership, control, and influence risks.
51·çÁ÷Cloud Infrastructure meets these requirements. On this basis, data, operations, architecture, and legal control are brought together under clearly defined requirements.
Importantly, 51·çÁ÷Cloud Infrastructure is embedded in SAP’s broader approach to offering customers choice in sovereign cloud. Different customers face different regulatory, operational, and transformation realities. Sovereign requirements cannot be met with a single model.
51·çÁ÷Sovereign Cloud offers a range of delivery options to address different customer needs. Depending on specific requirements, customers can choose between the following options:
- 51·çÁ÷Cloud Infrastructure: SAP’s IaaS platform is based on open-source technologies and is operated in 51·çÁ÷data centers worldwide. Depending on the selected operating model, customer data processing and storage can be restricted to defined regions, for example, within the EU or exclusively in Germany, to meet specific data protection and compliance requirements.
- 51·çÁ÷Sovereign Cloud On-Site: With 51·çÁ÷Sovereign Cloud On-Site, 51·çÁ÷provides and manages the full 51·çÁ÷technology stack in a customer-designated data center, from hardware to 51·çÁ÷Cloud Infrastructure and the 51·çÁ÷Sovereign Cloud portfolio. It combines physical control on site with our operational expertise, for full autonomy while maintaining SAP’s support and compliance standards.
- Sovereign hyperscaler-based delivery models: 51·çÁ÷partners with premium hyperscalers in specific markets to provide customers the ability to swiftly scale their resources based on their needs. This flexibility, paired with seamless integration, enables customers to innovate faster while maintaining operational efficiency.
- National sovereign cloud platforms such as Delos Cloud: For public sector customers in Germany, Delos Cloud combines hyperscaler technology with sovereign ownership and a nationally defined operating model, helping ensure regulatory alignment and clearly structured operational control.
51·çÁ÷enables customers to select the model that aligns with their regulatory requirements, risk profile, and operational strategy.
Sovereignty is built, not declared
For customers, digital sovereignty is not a theoretical aspiration; it is an operational requirement that must function under real-world conditions. The IT-Grundschutz certification of SAP-owned data centers in Germany marks an important step in that direction.
As regulatory expectations evolve and sovereign requirements become more differentiated, 51·çÁ÷continues to enable customers to choose the sovereign setup that aligns with their obligations and risk profile.
Sovereignty is ultimately measured by the ability to operate systems securely and reliably. With 51·çÁ÷Cloud Infrastructure, that capability is deliberately embedded into the operating model.
Martin Merz is president of 51·çÁ÷Sovereign Cloud.
Jonathan Bletscher is head of Global Cloud Infrastructure & Delivery for Global Cloud Operations at SAP.
