Europe’s debate over cloud sovereignty has moved from ideology to engineering. The question is no longer whether organisations should control their data and artificial intelligence (AI) workloads, but whether their governments have built the frameworks that make such control possible in practice.
“It starts with each and every country,” Merz told Computer Weekly at SAP Sapphire Europe in Madrid. “They have their own regulations, their own national security requirements, and I think that needs to be honoured.”
He understands the frustration that comes with this reality. European politicians, he said, regularly point out that 450 million citizens and a combined budget of comparable scale to the US should make Europe a formidable force. But the US is one country. Europe is not, and its cloud sovereignty landscape reflects that.
For SAP, sovereignty is not a single property but a stack of four distinct obligations: data sovereignty, which requires that data and metadata remain within the country or region; operational sovereignty, meaning that only individuals with the appropriate nationality and security clearances handle that data; technical sovereignty, including an in-country control plane rather than a centralised one; and legal sovereignty, ensuring that the applicable regulatory framework is the one the customer and government actually signed off on.
Sovereign cloud, in SAP’s definition, is not a configuration choice. It is a compliance state. “Either it’s sovereign, or it’s not sovereign. You can’t have it halfway,” said Merz.
That positioning sounds straightforward. The European reality is considerably messier.
Different speeds, different distances
France and Germany have each moved beyond policy aspiration, though they are at different stages of maturity. France built its sovereign cloud framework around SecNumCloud, the certification standard maintained by cyber security agency ANSSI that sets strict requirements for data isolation, operational control and legal sovereignty.
In March 2026, SAP launched its sovereign cloud offering in France on the Bleu platform, a joint venture between Orange and Capgemini that runs Microsoft Azure technology under French ownership and is working towards full SecNumCloud qualification.
[Cloud sovereignty] starts with each and every country. They have their own regulations, their own national security requirements, and I think that needs to be honoured Martin Merz, SAP
Germany’s Delos Cloud, an SAP subsidiary operating Microsoft Azure infrastructure under active oversight of the German Federal Office for Information Security (BSI), launched for productive use in early 2026. The platform is designed specifically for Germany’s public sector and meets the cloud platform requirements set by the BSI, which also monitors and controls outgoing telemetry.
Merz confirmed he met with Germany’s digital minister, Carsten Wildberger, two weeks before Sapphire to work through sovereign deployment requirements. Both countries have defined architectures and active deployments. The frameworks exist, and public sector organisations are running on them.
The Netherlands is not at that stage. The country has been active in European sovereignty discussions, most visibly through a non-paper adopted by the Dutch Council of Ministers calling for stronger cloud sovereignty frameworks for public administrations.
But the document is telling in what it does not do: rather than setting out a Dutch national framework, it asks Brussels to define one. The Netherlands, it argues, believes the definition and criteria for cloud sovereignty are best established within the proposed EU Cloud and AI Development Act.
A January 2025 report by the Netherlands Court of Audit found that two-thirds of government cloud services examined had not completed a mandatory risk assessment, leaving digital sovereignty and data protection inadequately assured. The findings echoed concerns reported by Computer Weekly in June 2025, when independent experts warned that Dutch sovereign cloud initiatives remain too fragmented to serve critical infrastructure at scale.
The court’s vice-president warned bluntly that foreign governments, including the US, could potentially access or modify information held on Dutch government systems.
When asked directly whether any Dutch critical infrastructure operator is currently running on SAP sovereign infrastructure at a comparable level to deployments in France or Germany, Merz was notably cautious. “We work with the Netherlands,” he said. He did not name a certified deployment.
That gap matters because the stakes are not abstract. The Netherlands is home to some of Europe’s most strategically significant critical infrastructure, and organisations across those sectors have already made significant investments in cloud enterprise resource planning (ERP).
The question of what sovereign protection those deployments carry is one that regulators, boards and procurement teams across the Dutch public and regulated private sector will need to answer.
The hyperscaler paradox
One reason the conversation is complicated is that SAP’s sovereign cloud offering does not resolve neatly into a simple alternative to hyperscale infrastructure. SAP offers sovereign deployments on Amazon Web Services (AWS), on Microsoft Azure via partnerships such as Delos, on its own cloud infrastructure, and on-premise for customers such as intelligence agencies that require data to stay within their own facilities.
Which option is sovereign depends entirely on what the relevant regional cyber security agency has approved.
“If AWS is approved by the cyber security agency, then it’s sovereign for us,” said Merz. Some military customers in Europe, he noted, are comfortable running sovereign workloads on AWS provided the regulatory sign-off is in place. Others are not. The result is that sovereignty is defined not by the underlying infrastructure but by a compliance status that varies by sector, by nation, and by the specific requirements of each organisation.
“There are customers for whom none of these options is valid,” Merz acknowledged. “They want it solely in their own datacentre. Only then is it sovereign for them.”
That compliance question does not stop at the infrastructure layer. As SAP pushes its Autonomous Enterprise vision, the governance of AI agents introduces a parallel accountability gap that organisations in regulated sectors cannot afford to ignore.
SAP’s chief technology officer, Philipp Herzig, addressed this directly in a media roundtable at Sapphire. When an autonomous agent makes a wrong call, he said, accountability does not sit with SAP alone. “At the end of the day, that’s a shared responsibility,” Herzig said.
AI governance, he explained, sits primarily with the customer, through the AI Agent Hub, where IT departments set the policies, architecture and boundary conditions that govern what agents can and cannot do.
For organisations in regulated sectors, that governance layer is not optional, and it has to be designed before AI is switched on.
An industrial speed bump
The operational consequences of Europe’s fragmented sovereignty landscape are visible at the company level.
Damen Shipyards, the Dutch maritime group that builds vessels for navies and commercial operators across more than 20 countries, has spent several years consolidating around 80% of its entities onto a single SAP S/4Hana Cloud platform via Rise with SAP. The roll-out is largely complete, and the focus has shifted to unlocking AI value across finance, procurement, supply chain and project management.
Han Coenraad, who oversees the SAP programme at Damen, described genuine enthusiasm for the direction, particularly around SAP Joule. “Young professionals are using it, and the acceleration they get from it is really something to see,” he said.
But Damen Naval, the division that designs and builds warships for European defence ministries, remains on an on-premise SAP instance. Defence compliance rules require personnel to be screened by Dutch intelligence services in first- and second-line support, a standard that current cloud deployment models do not yet structurally accommodate.
“We see internally already a difference in adoption speed developing,” said Coenraad. “And that is not what we want.”
His colleague Kenny van Sleuwen, system architect for ERP, sees SAP Sovereign Cloud as a potential route to bringing both environments onto a common platform, and expects Dutch defence to follow Germany and France in formalising such requirements. But until that framework exists, the gap remains.
That is not a technology problem. It is a policy problem.
The pragmatism trap
Merz is not without sympathy for the difficulty of European convergence. He acknowledged that the US operates as a single regulatory market, while Europe is attempting to coordinate sovereign cloud standards across member states with different legal traditions, different national security agencies and different threat assessments.
The most successful countries and customers are those who start in a pragmatic way. Fulfil the requirements but stay open for new technology Martin Merz, SAP
His prescription is pragmatism. “The most successful countries and customers are those who start in a pragmatic way,” he said. “Fulfil the requirements but stay open for new technology.”
The challenge with pragmatism as a long-term strategy is that it tends to lock in the advantages of those who moved earliest. France and Germany have invested heavily in building sovereign cloud infrastructure that meets their own standards. Organisations in those countries, including defence contractors and critical infrastructure operators, can adopt cloud and AI at a pace that regulators have approved. The Netherlands is still building the framework that would allow equivalent certifications to take place.
Merz said he would welcome one regulation for the whole of Europe. He was not optimistic about the timeline. For Dutch organisations that cannot wait for convergence, the practical questions are what sovereign cloud looks like under the current Dutch framework, whether that framework is developing fast enough, and what the cost of the delay is in terms of AI adoption that the most regulated and strategically significant sectors cannot yet pursue.
Those are questions that SAP’s engineering teams cannot answer. They are questions for The Hague.
