
Meet the Authors
SAP's VS-NfD authorization positions SAP Sovereign Cloud for classified-information workloads in Germany, operated in SAP's own Walldorf/St. Leon-Rot data centers by security-cleared personnel.
The harder question is customer-side: SAPinsider's RISE with SAP 2025 research found only 45% of organizations actively follow the shared responsibility model for SAP Cloud ERP Private.
As generative AI influence on Cloud ERP Private decisions climbs, sovereignty, AI, and compliance requirements are converging into a single audit conversation.
SAP Sovereign Cloud is pushing the sovereignty conversation past data residency and into daily operational control. SAP frames sovereignty as spanning four dimensions: data, operational, technical, and legal, and its most recent VS-NfD announcement points to security-cleared personnel and government-accredited facilities as part of the model. For IT leaders, the question is whether the environment can show who administers systems, where work is performed, how access is governed, and whether required security parameters remain in effect over time.
What VS-NfD Authorization Signals
Verschlusssache Nur für den Dienstgebrauch (VS-NfD) is Germany’s classification for restricted official information. SAP renders it as “Restricted, For Official Use Only.” Authorization for this class of workload goes well beyond a residency claim. It matters less as a product milestone than as a signal of what a sovereign SAP environment may need to prove after go-live.
The sovereignty discussion inside SAP accounts has been drifting away from the idea that geography alone governs a system. Governmental data-privacy standards, especially GDPR and industry-specific rules, have long been non-negotiable for regulated SAP customers, and managing compliance consistently across transactional and non-transactional repositories remains a recurring pain point. Sovereignty was already an operational problem before it became a procurement headline.
For a public-sector organization running procurement or grants management on SAP, VS-NfD authorization translates into a more auditable answer to who can log in to production, from which physical location, and under which personnel-control model. Workloads previously held back from cloud migration on sovereignty grounds gain a clearer path to assessment, provided the customer side of the operating boundary is built to a comparable standard. That proviso is where most of the risk now lives.
The Customer-Side Gap
SAPinsider’s RISE with SAP 2025 research found that only 45% of respondents are aware of and actively following the shared responsibility model for SAP Cloud ERP Private. Roughly another third are aware but not following it rigorously.
The pattern repeats at the configuration level. SAP Note 3250501 documents mandatory security parameters and ABAP hardening for ECS-managed systems, spanning dozens of profile parameters and configuration settings. Conformance is uneven, and many organizations still do not audit against these requirements regularly.
The implication is uncomfortable. A sovereign environment with stronger provider-side controls can still be undermined by customer-side parameter drift or inconsistent hardening. SAP’s controls raise the baseline. They do not retire the customer’s role. Architects should ask a blunt question: Are teams that under-execute on SAP Note 3250501 today ready to run a classified-information workload tomorrow?
A Widening Compliance Surface
Sovereign cloud also must absorb a broader compliance footprint. SAPinsider’s Cloud and AI Security research found that leaders cited GDPR (85%) as the requirement demanding the most effort across the SAP cloud landscape, ahead of frameworks such as ISO 27001, SOX, and NIST. Sovereign cloud does not replace these frameworks. It layers on top of them, and VS-NfD adds personnel and facility-control considerations that many SAP security programs have never had to address directly.
AI raises the stakes further. Per SAPinsider’s RISE with SAP 2025 research, generative AI influenced SAP Cloud ERP Private decisions for 43% of respondents in 2025, up sharply from 14% in 2023. For regulated customers weighing AI-enabled SAP environments, sovereignty requirements will shape how those capabilities get assessed. Ultimately, concerns about AI transparency, integration complexity, and regulatory uncertainty will not sit outside the sovereignty conversation but at its center.
What This Means for SAPinsiders
Do not treat sovereignty as a residency line item. The provider-side baseline has risen, but the customer-side model does not mature automatically alongside it. CIOs should scope sovereign cloud as a commitment with personnel, audit, and governance implications, decided well before contract renewal rather than buried in it. The real test arrives after go-live, when procurement, legal, and audit functions start asking sovereignty questions that assume this class of control already exists.
Close the shared-responsibility gap before chasing VS-NfD-class controls. With only 45% of organizations actively following the shared responsibility model, the weakest link is customer-side execution. Enterprise architects should evaluate sovereign-eligible workloads for conformance with SAP Note 3250501 and shared-responsibility evidence before committing designs. SI and GSI leaders should build delivery models that harden this conformance, since the research shows it cannot be assumed.
Assume sovereignty, AI, and compliance will converge. Interest in generative AI for Cloud ERP Private decisions has tripled since 2023, and regulated organizations will evaluate AI adoption through the same sovereignty, transparency, and compliance lenses. The durable advantage goes to teams that can produce auditable evidence on demand: access governance, administrator location, personnel controls, and hardening conformance. Build that evidence trail now, because the questions are coming whether the landscape is ready or not.




