Announces global availability of Sovereign Cloud On-Site and expansion of SAP Managed Infrastructure
Responding to the growing demand from organisations worldwide to reduce their dependency on US cloud providers, German software giant SAP has announced plans to invest more than €20 billion over the next decade in sovereign cloud infrastructure, research and development and personnel. This represents a tenfold increase from the €2 billion it announced a year ago.
“Sovereignty and security are critical enablers for freedom, prosperity, digital competitiveness, and even democracy. That’s why it’s clear that digital sovereignty is no longer optional – it’s absolutely essential for our customers and is becoming a defining issue for Europe’s digital future,” said Thomas Saueressig, a member of SAP’s executive board, during a press call.
To meet the surge in demand for greater control, particularly in regulated industries, SAP plans to expand its existing 2,000-strong workforce dedicated to sovereign cloud services and invest in new infrastructure, Saueressig added.
The company also announced extensions to its sovereign cloud portfolio. Sovereign Cloud On-Site, SAP’s managed infrastructure installed within customers’ datacentres, is now globally available. This offering targets regulated industries and government organisations where regulatory compliance is paramount. In addition, SAP Cloud Infrastructure provides a full technology stack operated by SAP using open source technologies and hosted in SAP datacentres across Europe, ensuring compliance with EU data protection regulations.
“Our new offering is designed for customers who cannot or prefer not to adopt hyperscaler technology. We are opening up SAP’s own cloud infrastructure to serve as a dedicated platform,” said Martin Merz, head of SAP Sovereign Cloud.
These developments will be welcomed by many organisations who feel locked into the hyperscalers, but Saueressig acknowledged that these sovereign options come at a higher cost. Providing 24/7 operations exclusively with personnel from a specific country is more expensive than using a broader, pan-European or global workforce, he explained.
No risk of kill switches, says SAP
When asked about the risk of “kill switches” – where a foreign government could potentially shut down infrastructure provided by its companies – Saueressig insisted there is no such possibility with SAP’s sovereign offerings, even those incorporating third-party technology. For example, Delos Cloud, a SAP subsidiary serving the German public sector, offers Azure and Microsoft 365, but SAP retains full control over the infrastructure. “Every patch and every update” is checked by SAP and German security authorities, he said.
Nonetheless, Saueressig cautioned that the situation is nuanced. For instance, SAP’s datacentres rely on US-built hardware. He emphasised that questions of sovereignty should be approached with a risk-based mindset rather than by completely isolating oneself from leading innovators.
“If you have the right controls and sovereignty in place, we can absolutely embrace the technology we need. If Europe were to reject leading technology, and given that we’re already lagging in digitalisation, we would fall even further behind if we waited decades for alternatives that don’t exist today,” he said.
US CLOUD Act and FISA Section 702
Notably absent from the press call were discussions of the US CLOUD Act and FISA Section 702, which grant US authorities access to data stored on systems belonging to U.S. companies. Microsoft has acknowledged that its own Sovereign Cloud cannot protect against this legislation.
“Generally speaking, if the cloud provider can access the data in plaintext, they can be compelled to hand it over to the US government,” said Dave Michels, a researcher in cloud computing law at Queen Mary University of London.
Michels told Computing that data hosted on SAP services should be out of scope, however.
“If a European company (like SAP) manages infrastructure and uses it to run software offered by a US company (e.g., Microsoft 365 and Microsoft Azure), then the CLOUD Act and FISA Section 702 should not apply,” he said.
If the US company does not have access to the data, it cannot be forced to hand it over.
Michels added that it’s also unlikely that “the provider of the hosted software qualifies as a ‘remote computing service’ under the CLOUD Act or FISA Section 702″, although metadata could potentially be transmitted back to the software provider, and might then fall under the rules.
We have contacted SAP to ask for clarification.