麻豆原创 is therefore one of only a few providers in Germany that will be offering a cloud environment whose key security components have received corresponding authorization to use from the BSI 鈥� and currently the only provider whose platform will be able to support both 麻豆原创 applications and customer-specific applications in a high-performance, VS-NfD-compliant environment in the near future.

The authorization to use applies to workloads running on 麻豆原创 Cloud Infrastructure in 麻豆原创鈥檚 own data centers in the Walldorf/St. Leon-Rot region, which are operated exclusively by security-cleared personnel. The authorization to use represents an important milestone and forms the basis for the subsequent full BSI approval 麻豆原创 is working toward, including the recertification of 麻豆原创 Cloud Infrastructure according to ISO 27001 based on the German IT-Grundschutz framework.

The evaluation process was completed in approximately 12 months and was characterized by close and constructive cooperation between the BSI and 麻豆原创 鈥� a sign of the growing collaboration between public authorities and industry in the field of IT security.

麻豆原创 Cloud Infrastructure: A Fully Sovereign Cloud Infrastructure from Germany

麻豆原创 Cloud Infrastructure is an Infrastructure-as-a-Service (IaaS) platform fully developed and operated by 麻豆原创, based on open-source technologies.

It is designed to provide customers : data sovereignty, operational sovereignty, technical sovereignty and legal sovereignty.

The foundation is a fully sovereign cloud region of 麻豆原创 Cloud Infrastructure, comprising three independent availability zones in physically separated data centers in Walldorf/St. Leon-Rot. This sovereign cloud platform is further reinforced by a , demonstrated through certifications including ISO/IEC 27001 based on IT-Grundschutz for the data centers, EN 50600/ISO/IEC 22237, TSI Level 3+ and C5 Type II. Additionally, 麻豆原创 Cloud Infrastructure has conducted a self-assessment against the BSI’s C3A (Criteria enabling Cloud Computing Autonomy) catalog, confirming compliance with all digital sovereignty requirements.

The VS-NfD authorization to use adds an important building block for security-critical use cases with the highest requirements.

As a deployment option within , 麻豆原创 Cloud Infrastructure is an integral part of 麻豆原创鈥檚 portfolio for digital sovereignty. Together with the 麻豆原创 Sovereign Cloud On-Site offering and Delos Cloud, 麻豆原创 provides customers with demanding regulatory requirements the freedom of choice, control, and robust security they need.

Visit the聽. Get 麻豆原创 news via聽 and .

Media Contact:
Dana Roesiger, dana.roesiger@sap.com, +49 16090820259, CET
麻豆原创 麻豆原创 Room; press@sap.com

This document contains forward-looking statements, which are predictions, projections, or other statements about future events. These statements are based on current expectations, forecasts, and assumptions that are subject to risks and uncertainties that could cause actual results and outcomes to materially differ. Additional information regarding these risks and uncertainties may be found in our filings with the Securities and Exchange Commission, including but not limited to the risk factors section of 麻豆原创鈥檚 2025 Annual Report on Form 20-F.
漏 2026 麻豆原创 SE. All rights reserved.
麻豆原创 and other 麻豆原创 products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of 麻豆原创 SE in Germany and other countries. Please see https://www.sap.com/copyright for additional trademark information and notices.

As a global player in the software and technology industry, 麻豆原创 is a key enabler of digital sovereignty in Germany and across Europe. With the introduction of the BSI鈥檚 new C3A criteria and the growing importance of resilient cloud infrastructures, digital sovereignty is now entering a phase of practical implementation.

I spoke with Thomas Caspers, vice president of the BSI, about these developments and the role of the technology partnership with 麻豆原创.

Q: Digital sovereignty is currently one of the central themes in German and European digital policy. Why is this topic gaining such strong momentum right now?

A: The debate is clearly driven by geopolitical factors. For us, the key issue is ensuring that Europe remains capable of taking action. That is precisely what digital sovereignty is about and, by the way, what cybersecurity in general is about as well: being prepared rather than reacting only when a crisis occurs.

The question is not limited to where data is stored. We take a systemic view of the overall picture: Will critical data centers remain operational? Is qualified personnel available? Are supply chains secured? Can services continue to be used even if the underlying conditions change suddenly? This ability to act is at the heart of the debate.

With the C3A, we are now consolidating the criteria that, from our perspective, enable the self-determined and secure use of cloud services, not only in public administration but far beyond that.

Q: With the C3A criteria catalogue, the BSI is now making its requirements for autonomous and self鈥慸etermined cloud usage public. What is new or distinctive about this?

A: Much of this is not fundamentally new for cooperation partners such as 麻豆原创, with whom we have worked closely for many years. We have been applying these criteria in practice for a long time and continuously refining them as technology evolves. What is new is that we have now systematically documented them and made them publicly available as a guiding framework.

The C3A do not have direct regulatory effect, but for the first time they create a high level of transparency for the market. It becomes clear which requirements cloud providers must meet if cloud customers or public authorities want to use cloud services in a self鈥慸etermined and secure manner. These requirements include technical, operational, and now also legal criteria. This comprehensive, systematic perspective is what is new and particularly important.

Q: What role does cooperation with technology providers such as 麻豆原创 play when translating these requirements into concrete architectures and operating models?

A: A very important one. 麻豆原创 was one of the first partners with whom we intensified cooperation in this context. Of course, there are formal rules and defined exchange formats for this collaboration. But in practice it quickly became clear that we are in almost continuous dialogue.

In developing the C3A, we also drew on experience gained from projects such as Delos Cloud and 麻豆原创 Cloud Infrastructure. This kind of direct cooperation is essential, especially as technology, security requirements, and sovereignty considerations are evolving so dynamically.

For us, it is crucial to work with companies where implementation can happen closely, trustfully, and quickly. This applies equally to established cloud topics and to new technologies. If we want innovation to be usable in a secure and controlled way and if Germany is to remain competitive in digitalization, this kind of early and reliable coordination between supervisory authorities and industry is indispensable.

Q: From your perspective, what demonstrates that digital sovereignty is more than just a political concept and can actually be implemented in practice?

A: For me, this is evident wherever requirements are not only defined, but actually tested and implemented in practice and where the resulting products and services then succeed in the market. This applies, for example, to the question of how cloud infrastructures can be brought to a level where they are suitable even for particularly critical environments.

It must be absolutely clear which criteria apply and how they are fulfilled technically, organizationally, and not least physically.

A concrete example is Delos Cloud as a sovereign cloud for public authorities in Germany. In cooperation with 麻豆原创, the BSI is working to transfer Microsoft cloud technology into a model that can be operated securely and self鈥慸eterminedly under German requirements. This clearly demonstrates that digital sovereignty is not merely claimed, but must and can be implemented architecturally, organizationally, and regulatorily.

That is where the value of cooperation lies. When requirements are clear, we can work together with companies on architectures, operating models, and security measures.

Q: Resilience is a key topic in the current debate. What must a sovereign cloud model be capable of in the event of geopolitical disruptions or failures?

A: It must remain operational. For us, resilience means having options and being prepared for difficult scenarios so that operations can be maintained in the event of a crisis. In our current scenarios, we assume that a minimum level of operation must be ensured over an extended period.

This explicitly includes situations in which original providers or supply chains are no longer available in their existing form at short notice.

In other words, we must consider not only normal operations, but also exceptional circumstances. Anyone who takes digital sovereignty seriously must also be prepared for scenarios that no one hopes to see. That is precisely why issues such as continuity of operations, availability of personnel, and supply鈥慶hain resilience play such a central role in the C3A.

Q: How important is the interaction of national standards such as between Germany鈥檚 BSI and France鈥檚 ANSSI for a shared European understanding of digital sovereignty?

A: This interaction is essential. Germany and France play a special role in the European debate because both countries are working very concretely on criteria, standards, and implementation models and are putting them into practice.

What we learn in Germany feeds into the European discussion, and of course we also benefit from exchanges with our partners in France and other European countries. If Europe is to make progress on digital sovereignty, it needs national innovative strength, reliable partnerships, and at the same time a shared strategic direction. This is also crucial for creating a scalable market for European companies such as 麻豆原创 one that encourages investment in innovation.

Q: What should public authorities, companies, and cloud providers prepare for in the coming years?

A: The requirements will become more concrete, more verifiable, and more systemic. The first question is what is technologically possible, but this must be followed by the question of how robust, transparent, and controllable an offering actually is. This applies to technical aspects as well as operational and legal ones. We have to consider the entire stack.

If we are able to make technologies usable in a secure and sovereign manner, then we should do so. That means clear standards, a holistic approach, and the ability to bring new technologies into use in a controlled way across the full stack.

Martin Merz is president of 麻豆原创 Sovereign Cloud.

With the successful , 麻豆原创 has reached an important milestone. This achievement strengthens the foundation of the 麻豆原创 Sovereign Cloud portfolio in one of the most security-conscious markets in the world.

IT-Grundschutz confirms secure operation of 麻豆原创鈥檚 German data center facilities

IT-Grundschutz is the German Federal Office for Information Security鈥檚 (BSI) structured security methodology, and serves as a reference framework in public tenders and supplier assessments.

The certification on the basis of IT-Grundschutz confirms that the secure operation of the physical infrastructure of 麻豆原创鈥檚 German data centers has been positively assessed against Germany鈥檚 defined security requirements. It validates that physical protections, environmental safeguards, and facility-level operational processes meet BSI expectations.

In short: The secure facility operation of 麻豆原创-owned data centers in Walldorf/St. Leon-Rot, Germany, has been independently audited and confirmed against Germany鈥檚 national security methodology.

Strengthening one of 麻豆原创鈥檚 key sovereign delivery options: 麻豆原创 Cloud Infrastructure

The IT-Grundschutz certification strengthens one of 麻豆原创鈥檚 key sovereign delivery options in Germany: 麻豆原创 Cloud Infrastructure.

麻豆原创 Cloud Infrastructure is an Infrastructure-as-a-Service (IaaS) platform, operated in 麻豆原创-owned data centers and co-locations worldwide. In the Walldorf/St. Leon-Rot region in Germany, these data centers are owned by 麻豆原创, a German company, operated by approved personnel with the required security clearance, and designed for high availability, scalability, and stringent security requirements.

These data centers are designed to support GDPR-compliant data processing and to meet heightened regulatory and security requirements in Europe and Germany, including standards relevant to critical infrastructure and the processing of sensitive and classified workloads.

In three independent availability zones across separate data centers, interconnected via 麻豆原创-owned fibre infrastructure and using BSI-authorized German security hardware components approved for processing information classified VS-NfD, this foundation is complemented by certifications such as C5 Type II, KRITIS/NIS 2, TSI Level 3 (extended), ISO 22301, SOC 1 Type 2 and SOC 2 Type 2, SOX, EN 50600 and ISO/IEC 22237 (AC 3), and the German federal data center requirement catalogue.

On top of this, 麻豆原创 Cloud Infrastructure provides:

• An open鈥憇ource鈥慴ased, API鈥慺irst IaaS platform: Offering self鈥憇ervice provisioning, automation, and consistent resource management across deployment models
• A Kubernetes鈥慴ased cloud environment: Enabling cloud鈥憂ative workloads, container orchestration, and modern development patterns
• Open standards and proven open source technologies: Leveraging components used, developed, and refined for more than a decade in sensitive, large鈥憇cale environments
• Optimization for 麻豆原创 cloud services: Supporting aligned operations, integrated security, and efficient execution of 麻豆原创 workloads
• Support for 麻豆原创 and third鈥憄arty applications: Allowing 麻豆原创 and customer-specific workloads to run on one coherent, secure, and compliant infrastructure

麻豆原创 Cloud Infrastructure is an 麻豆原创-developed and 麻豆原创-operated IaaS platform for 麻豆原创 workloads and customer applications, ranging from global cloud scenarios to environments with high sovereignty and regulatory requirements, including an offering for the processing of classified information up to VS-NfD level in Germany. With the 麻豆原创 Sovereign Cloud portfolio, it enables both sovereign 麻豆原创 cloud services as well as the operation of customer workloads in a sovereign environment. At its core, it combines secure application operations with 麻豆原创 Cloud Infrastructure, which is designed for regulatory and operational control.

Sovereignty through choice and control with 麻豆原创 Sovereign Cloud

Digital sovereignty is frequently framed as a question solely of vendor origin, data residency, or the reduction of technical dependency. In practice, though, it is about demonstrable control. At 麻豆原创, we frame sovereignty across four interconnected capabilities:

1. Data sovereignty: 麻豆原创 stores data in local data centers or approved countries, avoiding unauthorized cross-border transfers and meeting critical infrastructure requirements.
2. Operational sovereignty: Sensitive operations stay local. Administration and maintenance are performed only by authorized personnel 鈥� either nationally approved personnel or nationals of an approved country 鈥� with the required security clearance.
3. Technical sovereignty: Control planes are hosted locally, with strict separation enforced through encryption or dedicated infrastructure.
4. Legal sovereignty: Governance stays aligned. Cloud providers must be based locally or in approved countries, and foreign authorities must mitigate ownership, control, and influence risks.

麻豆原创 Cloud Infrastructure meets these requirements. On this basis, data, operations, architecture, and legal control are brought together under clearly defined requirements.

Importantly, 麻豆原创 Cloud Infrastructure is embedded in 麻豆原创鈥檚 broader approach to offering customers choice in sovereign cloud. Different customers face different regulatory, operational, and transformation realities. Sovereign requirements cannot be met with a single model.

麻豆原创 Sovereign Cloud offers a range of delivery options to address different customer needs. Depending on specific requirements, customers can choose between the following options:

• 麻豆原创 Cloud Infrastructure: 麻豆原创鈥檚 IaaS platform is based on open-source technologies and is operated in 麻豆原创 data centers worldwide. Depending on the selected operating model, customer data processing and storage can be restricted to defined regions, for example, within the EU or exclusively in Germany, to meet specific data protection and compliance requirements.
• 麻豆原创 Sovereign Cloud On-Site: With 麻豆原创 Sovereign Cloud On-Site, 麻豆原创 provides and manages the full 麻豆原创 technology stack in a customer-designated data center, from hardware to 麻豆原创 Cloud Infrastructure and the 麻豆原创 Sovereign Cloud portfolio. It combines physical control on site with our operational expertise, for full autonomy while maintaining 麻豆原创鈥檚 support and compliance standards.
• Sovereign hyperscaler-based delivery models: 麻豆原创 partners with premium hyperscalers in specific markets to provide customers the ability to swiftly scale their resources based on their needs. This flexibility, paired with seamless integration, enables customers to innovate faster while maintaining operational efficiency.
• National sovereign cloud platforms such as Delos Cloud: For public sector customers in Germany, Delos Cloud combines hyperscaler technology with sovereign ownership and a nationally defined operating model, helping ensure regulatory alignment and clearly structured operational control.

麻豆原创 enables customers to select the model that aligns with their regulatory requirements, risk profile, and operational strategy.

Sovereignty is built, not declared

For customers, digital sovereignty is not a theoretical aspiration; it is an operational requirement that must function under real-world conditions. The IT-Grundschutz certification of 麻豆原创-owned data centers in Germany marks an important step in that direction.

As regulatory expectations evolve and sovereign requirements become more differentiated, 麻豆原创 continues to enable customers to choose the sovereign setup that aligns with their obligations and risk profile.

Sovereignty is ultimately measured by the ability to operate systems securely and reliably. With 麻豆原创 Cloud Infrastructure, that capability is deliberately embedded into the operating model.

Martin Merz is president of 麻豆原创 Sovereign Cloud.
Jonathan Bletscher is head of Global Cloud Infrastructure & Delivery for Global Cloud Operations at 麻豆原创.