On 9 June 2026, SAP received an Einsatzerlaubnis (operational clearance) from Germany’s Federal Office for Information Security — the BSI (Bundesamt für Sicherheit in der Informationstechnik) — authorising it to process classified VS-NfD information on its cloud infrastructure operated in Germany (SAP News Center Germany, 9 June 2026). With this accreditation, SAP joins a very short list of commercial cloud providers to have achieved this clearance in Germany.
What VS-NfD means — and why it matters
In Germany’s official classification scheme, VS-NfD (“Verschlusssache — Nur für den Dienstgebrauch”, meaning “Classified — For Official Use Only”) is the lowest tier of state-sensitive information, but it carries real legal weight. It covers data that, if disclosed, could harm the interests of the Federal Republic: information arising from sensitive administrative proceedings, strategic public procurement, or certain communications between federal ministries and regional/local authorities (Länder and municipalities).
Until now, federal agencies and heavily regulated sectors (defence, healthcare, energy) were effectively barred from migrating this category of data to a public cloud. They were required to maintain on-premises infrastructure — often expensive to run and difficult to modernise.
The BSI Einsatzerlaubnis changes that equation: it is a formal confirmation that SAP’s platform meets the technical and organisational requirements for hosting classified VS-NfD data.
What it unlocks for CIOs and CFOs in public sector and regulated industries
The certification covers the cloud infrastructure SAP operates across three geographically separate availability zones at its Walldorf and St. Leon-Rot data centres. Martin Merz, President of SAP Sovereign Cloud, stated that the clearance “confirms the capability and security of our platform for the most demanding regulatory requirements” (SAP News Center Germany).
In practical terms, this opens four doors:
- Federal agencies: ministries and federal bodies can now consider SAP S/4HANA Cloud for processes that involve VS-NfD data, without requiring special derogations.
- Regional and local government: Länder administrations and large municipalities already running SAP ERP can migrate to the cloud without abandoning their compliance obligations.
- Regulated industries: defence contractors, critical infrastructure operators (KRITIS-regulated entities), and healthcare providers facing equivalent data-protection requirements can now include SAP Cloud in procurement shortlists.
- Federal supplier frameworks: BSI accreditation is typically a prerequisite for appearing on approved-vendor lists used in German federal procurement.
SAP stated in its press release that, at the time of the announcement, it is the only commercial cloud provider in Germany where both SAP applications and customer applications can run simultaneously in a VS-NfD-compliant environment.
Where the competition stands
For IT leaders evaluating their options, the landscape remains uneven:
- Microsoft Azure and Google Cloud hold BSI certifications for their German infrastructure (IT-Grundschutz baseline, C5 attestation), but not the Einsatzerlaubnis VS-NfD for SAP-specific application workloads.
- T-Systems (Deutsche Telekom subsidiary) already operates sovereign cloud offerings for German public-sector customers under the “Open Telekom Cloud” label, with sector-specific accreditations, but without the level of native SAP application integration this clearance enables.
- AWS GovCloud has no direct German equivalent for the strict sovereignty requirements defined under German public law.
The BSI Einsatzerlaubnis is distinct from ISO 27001 certifications or C5 attestations: it is an operational licence issued after an audit by the competent public authority, with direct legal standing in German public procurement.
What to watch next
SAP has signalled that this clearance is an intermediate milestone. The next step announced is an ISO 27001 recertification aligned with BSI IT-Grundschutz standards — a process that took approximately twelve months for this first phase. CIOs planning a multi-year migration to SAP S/4HANA Cloud can already factor this roadmap into their risk assessments.
On the German regulatory calendar, the mandatory e-invoicing requirement (ZUGFeRD / Factur-X standard) for B2B transactions enters its operational phase between 2025 and 2027. A cloud ERP migration to a VS-NfD-certified SAP environment can therefore serve two compliance objectives in one programme — digital invoicing conformity and data sovereignty.
For further reading, see our complete guide to German ERP and GoBD / ZUGFeRD compliance and our SAP S/4HANA Cloud vs Oracle Fusion vs Dynamics 365 Finance comparison.
