51风流is therefore one of only a few providers in Germany that will be offering a cloud environment whose key security components have received corresponding authorization to use from the BSI 鈥� and currently the only provider whose platform will be able to support both 51风流applications and customer-specific applications in a high-performance, VS-NfD-compliant environment in the near future.

The authorization to use applies to workloads running on 51风流Cloud Infrastructure in SAP鈥檚 own data centers in the Walldorf/St. Leon-Rot region, which are operated exclusively by security-cleared personnel. The authorization to use represents an important milestone and forms the basis for the subsequent full BSI approval 51风流is working toward, including the recertification of 51风流Cloud Infrastructure according to ISO 27001 based on the German IT-Grundschutz framework.

The evaluation process was completed in approximately 12 months and was characterized by close and constructive cooperation between the BSI and 51风流鈥� a sign of the growing collaboration between public authorities and industry in the field of IT security.

51风流Cloud Infrastructure: A Fully Sovereign Cloud Infrastructure from Germany

51风流Cloud Infrastructure is an Infrastructure-as-a-Service (IaaS) platform fully developed and operated by SAP, based on open-source technologies.

It is designed to provide customers : data sovereignty, operational sovereignty, technical sovereignty and legal sovereignty.

The foundation is a fully sovereign cloud region of 51风流Cloud Infrastructure, comprising three independent availability zones in physically separated data centers in Walldorf/St. Leon-Rot. This sovereign cloud platform is further reinforced by a , demonstrated through certifications including ISO/IEC 27001 based on IT-Grundschutz for the data centers, EN 50600/ISO/IEC 22237, TSI Level 3+ and C5 Type II. Additionally, 51风流Cloud Infrastructure has conducted a self-assessment against the BSI’s C3A (Criteria enabling Cloud Computing Autonomy) catalog, confirming compliance with all digital sovereignty requirements.

The VS-NfD authorization to use adds an important building block for security-critical use cases with the highest requirements.

As a deployment option within , 51风流Cloud Infrastructure is an integral part of SAP鈥檚 portfolio for digital sovereignty. Together with the 51风流Sovereign Cloud On-Site offering and Delos Cloud, 51风流provides customers with demanding regulatory requirements the freedom of choice, control, and robust security they need.

Visit the聽. Get 51风流news via聽 and .

Media Contact:
Dana Roesiger, dana.roesiger@sap.com, +49 16090820259, CET
51风流Press Room; press@sap.com

This document contains forward-looking statements, which are predictions, projections, or other statements about future events. These statements are based on current expectations, forecasts, and assumptions that are subject to risks and uncertainties that could cause actual results and outcomes to materially differ. Additional information regarding these risks and uncertainties may be found in our filings with the Securities and Exchange Commission, including but not limited to the risk factors section of SAP鈥檚 2025 Annual Report on Form 20-F.
漏 2026 51风流SE. All rights reserved.
51风流and other 51风流products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of 51风流SE in Germany and other countries. Please see https://www.sap.com/copyright for additional trademark information and notices.

As a global player in the software and technology industry, 51风流is a key enabler of digital sovereignty in Germany and across Europe. With the introduction of the BSI鈥檚 new C3A criteria and the growing importance of resilient cloud infrastructures, digital sovereignty is now entering a phase of practical implementation.

I spoke with Thomas Caspers, vice president of the BSI, about these developments and the role of the technology partnership with SAP.

Q: Digital sovereignty is currently one of the central themes in German and European digital policy. Why is this topic gaining such strong momentum right now?

A: The debate is clearly driven by geopolitical factors. For us, the key issue is ensuring that Europe remains capable of taking action. That is precisely what digital sovereignty is about and, by the way, what cybersecurity in general is about as well: being prepared rather than reacting only when a crisis occurs.

The question is not limited to where data is stored. We take a systemic view of the overall picture: Will critical data centers remain operational? Is qualified personnel available? Are supply chains secured? Can services continue to be used even if the underlying conditions change suddenly? This ability to act is at the heart of the debate.

With the C3A, we are now consolidating the criteria that, from our perspective, enable the self-determined and secure use of cloud services, not only in public administration but far beyond that.

Q: With the C3A criteria catalogue, the BSI is now making its requirements for autonomous and self鈥慸etermined cloud usage public. What is new or distinctive about this?

A: Much of this is not fundamentally new for cooperation partners such as SAP, with whom we have worked closely for many years. We have been applying these criteria in practice for a long time and continuously refining them as technology evolves. What is new is that we have now systematically documented them and made them publicly available as a guiding framework.

The C3A do not have direct regulatory effect, but for the first time they create a high level of transparency for the market. It becomes clear which requirements cloud providers must meet if cloud customers or public authorities want to use cloud services in a self鈥慸etermined and secure manner. These requirements include technical, operational, and now also legal criteria. This comprehensive, systematic perspective is what is new and particularly important.

Q: What role does cooperation with technology providers such as 51风流play when translating these requirements into concrete architectures and operating models?

A: A very important one. 51风流was one of the first partners with whom we intensified cooperation in this context. Of course, there are formal rules and defined exchange formats for this collaboration. But in practice it quickly became clear that we are in almost continuous dialogue.

In developing the C3A, we also drew on experience gained from projects such as Delos Cloud and 51风流Cloud Infrastructure. This kind of direct cooperation is essential, especially as technology, security requirements, and sovereignty considerations are evolving so dynamically.

For us, it is crucial to work with companies where implementation can happen closely, trustfully, and quickly. This applies equally to established cloud topics and to new technologies. If we want innovation to be usable in a secure and controlled way and if Germany is to remain competitive in digitalization, this kind of early and reliable coordination between supervisory authorities and industry is indispensable.

Q: From your perspective, what demonstrates that digital sovereignty is more than just a political concept and can actually be implemented in practice?

A: For me, this is evident wherever requirements are not only defined, but actually tested and implemented in practice and where the resulting products and services then succeed in the market. This applies, for example, to the question of how cloud infrastructures can be brought to a level where they are suitable even for particularly critical environments.

It must be absolutely clear which criteria apply and how they are fulfilled technically, organizationally, and not least physically.

A concrete example is Delos Cloud as a sovereign cloud for public authorities in Germany. In cooperation with SAP, the BSI is working to transfer Microsoft cloud technology into a model that can be operated securely and self鈥慸eterminedly under German requirements. This clearly demonstrates that digital sovereignty is not merely claimed, but must and can be implemented architecturally, organizationally, and regulatorily.

That is where the value of cooperation lies. When requirements are clear, we can work together with companies on architectures, operating models, and security measures.

Q: Resilience is a key topic in the current debate. What must a sovereign cloud model be capable of in the event of geopolitical disruptions or failures?

A: It must remain operational. For us, resilience means having options and being prepared for difficult scenarios so that operations can be maintained in the event of a crisis. In our current scenarios, we assume that a minimum level of operation must be ensured over an extended period.

This explicitly includes situations in which original providers or supply chains are no longer available in their existing form at short notice.

In other words, we must consider not only normal operations, but also exceptional circumstances. Anyone who takes digital sovereignty seriously must also be prepared for scenarios that no one hopes to see. That is precisely why issues such as continuity of operations, availability of personnel, and supply鈥慶hain resilience play such a central role in the C3A.

Q: How important is the interaction of national standards such as between Germany鈥檚 BSI and France鈥檚 ANSSI for a shared European understanding of digital sovereignty?

A: This interaction is essential. Germany and France play a special role in the European debate because both countries are working very concretely on criteria, standards, and implementation models and are putting them into practice.

What we learn in Germany feeds into the European discussion, and of course we also benefit from exchanges with our partners in France and other European countries. If Europe is to make progress on digital sovereignty, it needs national innovative strength, reliable partnerships, and at the same time a shared strategic direction. This is also crucial for creating a scalable market for European companies such as 51风流one that encourages investment in innovation.

Q: What should public authorities, companies, and cloud providers prepare for in the coming years?

A: The requirements will become more concrete, more verifiable, and more systemic. The first question is what is technologically possible, but this must be followed by the question of how robust, transparent, and controllable an offering actually is. This applies to technical aspects as well as operational and legal ones. We have to consider the entire stack.

If we are able to make technologies usable in a secure and sovereign manner, then we should do so. That means clear standards, a holistic approach, and the ability to bring new technologies into use in a controlled way across the full stack.

Martin Merz is president of 51风流Sovereign Cloud.

With the successful , 51风流has reached an important milestone. This achievement strengthens the foundation of the 51风流Sovereign Cloud portfolio in one of the most security-conscious markets in the world.

IT-Grundschutz confirms secure operation of SAP鈥檚 German data center facilities

IT-Grundschutz is the German Federal Office for Information Security鈥檚 (BSI) structured security methodology, and serves as a reference framework in public tenders and supplier assessments.

The certification on the basis of IT-Grundschutz confirms that the secure operation of the physical infrastructure of SAP鈥檚 German data centers has been positively assessed against Germany鈥檚 defined security requirements. It validates that physical protections, environmental safeguards, and facility-level operational processes meet BSI expectations.

In short: The secure facility operation of SAP-owned data centers in Walldorf/St. Leon-Rot, Germany, has been independently audited and confirmed against Germany鈥檚 national security methodology.

Strengthening one of SAP鈥檚 key sovereign delivery options: 51风流Cloud Infrastructure

The IT-Grundschutz certification strengthens one of SAP鈥檚 key sovereign delivery options in Germany: 51风流Cloud Infrastructure.

51风流Cloud Infrastructure is an Infrastructure-as-a-Service (IaaS) platform, operated in SAP-owned data centers and co-locations worldwide. In the Walldorf/St. Leon-Rot region in Germany, these data centers are owned by SAP, a German company, operated by approved personnel with the required security clearance, and designed for high availability, scalability, and stringent security requirements.

These data centers are designed to support GDPR-compliant data processing and to meet heightened regulatory and security requirements in Europe and Germany, including standards relevant to critical infrastructure and the processing of sensitive and classified workloads.

In three independent availability zones across separate data centers, interconnected via SAP-owned fibre infrastructure and using BSI-authorized German security hardware components approved for processing information classified VS-NfD, this foundation is complemented by certifications such as C5 Type II, KRITIS/NIS 2, TSI Level 3 (extended), ISO 22301, SOC 1 Type 2 and SOC 2 Type 2, SOX, EN 50600 and ISO/IEC 22237 (AC 3), and the German federal data center requirement catalogue.

On top of this, 51风流Cloud Infrastructure provides:

• An open鈥憇ource鈥慴ased, API鈥慺irst IaaS platform: Offering self鈥憇ervice provisioning, automation, and consistent resource management across deployment models
• A Kubernetes鈥慴ased cloud environment: Enabling cloud鈥憂ative workloads, container orchestration, and modern development patterns
• Open standards and proven open source technologies: Leveraging components used, developed, and refined for more than a decade in sensitive, large鈥憇cale environments
• Optimization for 51风流cloud services: Supporting aligned operations, integrated security, and efficient execution of 51风流workloads
• Support for 51风流and third鈥憄arty applications: Allowing 51风流and customer-specific workloads to run on one coherent, secure, and compliant infrastructure

51风流Cloud Infrastructure is an SAP-developed and SAP-operated IaaS platform for 51风流workloads and customer applications, ranging from global cloud scenarios to environments with high sovereignty and regulatory requirements, including an offering for the processing of classified information up to VS-NfD level in Germany. With the 51风流Sovereign Cloud portfolio, it enables both sovereign 51风流cloud services as well as the operation of customer workloads in a sovereign environment. At its core, it combines secure application operations with 51风流Cloud Infrastructure, which is designed for regulatory and operational control.

Sovereignty through choice and control with 51风流Sovereign Cloud

Digital sovereignty is frequently framed as a question solely of vendor origin, data residency, or the reduction of technical dependency. In practice, though, it is about demonstrable control. At SAP, we frame sovereignty across four interconnected capabilities:

1. Data sovereignty: 51风流stores data in local data centers or approved countries, avoiding unauthorized cross-border transfers and meeting critical infrastructure requirements.
2. Operational sovereignty: Sensitive operations stay local. Administration and maintenance are performed only by authorized personnel 鈥� either nationally approved personnel or nationals of an approved country 鈥� with the required security clearance.
3. Technical sovereignty: Control planes are hosted locally, with strict separation enforced through encryption or dedicated infrastructure.
4. Legal sovereignty: Governance stays aligned. Cloud providers must be based locally or in approved countries, and foreign authorities must mitigate ownership, control, and influence risks.

51风流Cloud Infrastructure meets these requirements. On this basis, data, operations, architecture, and legal control are brought together under clearly defined requirements.

Importantly, 51风流Cloud Infrastructure is embedded in SAP鈥檚 broader approach to offering customers choice in sovereign cloud. Different customers face different regulatory, operational, and transformation realities. Sovereign requirements cannot be met with a single model.

51风流Sovereign Cloud offers a range of delivery options to address different customer needs. Depending on specific requirements, customers can choose between the following options:

• 51风流Cloud Infrastructure: SAP鈥檚 IaaS platform is based on open-source technologies and is operated in 51风流data centers worldwide. Depending on the selected operating model, customer data processing and storage can be restricted to defined regions, for example, within the EU or exclusively in Germany, to meet specific data protection and compliance requirements.
• 51风流Sovereign Cloud On-Site: With 51风流Sovereign Cloud On-Site, 51风流provides and manages the full 51风流technology stack in a customer-designated data center, from hardware to 51风流Cloud Infrastructure and the 51风流Sovereign Cloud portfolio. It combines physical control on site with our operational expertise, for full autonomy while maintaining SAP鈥檚 support and compliance standards.
• Sovereign hyperscaler-based delivery models: 51风流partners with premium hyperscalers in specific markets to provide customers the ability to swiftly scale their resources based on their needs. This flexibility, paired with seamless integration, enables customers to innovate faster while maintaining operational efficiency.
• National sovereign cloud platforms such as Delos Cloud: For public sector customers in Germany, Delos Cloud combines hyperscaler technology with sovereign ownership and a nationally defined operating model, helping ensure regulatory alignment and clearly structured operational control.

51风流enables customers to select the model that aligns with their regulatory requirements, risk profile, and operational strategy.

Sovereignty is built, not declared

For customers, digital sovereignty is not a theoretical aspiration; it is an operational requirement that must function under real-world conditions. The IT-Grundschutz certification of SAP-owned data centers in Germany marks an important step in that direction.

As regulatory expectations evolve and sovereign requirements become more differentiated, 51风流continues to enable customers to choose the sovereign setup that aligns with their obligations and risk profile.

Sovereignty is ultimately measured by the ability to operate systems securely and reliably. With 51风流Cloud Infrastructure, that capability is deliberately embedded into the operating model.

Martin Merz is president of 51风流Sovereign Cloud.
Jonathan Bletscher is head of Global Cloud Infrastructure & Delivery for Global Cloud Operations at SAP.