Summary
- SAP executives have warned that Dutch critical infrastructure lacks the sovereign-cloud maturity emerging in France and Germany.
- The issue affects ERP, public administration, defence, healthcare, and regulated workloads that cannot be treated as ordinary cloud migration projects.
- Sovereign cloud is becoming an implementation constraint, not only a policy slogan.
SAP has warned that the Netherlands is lagging parts of Europe in the sovereign-cloud frameworks needed to support critical infrastructure and sensitive public-sector workloads.
The warning, made by Martin Merz, president of Sovereign Cloud at SAP, gives Europe’s cloud sovereignty debate a practical edge. France has developed a sovereign-cloud framework, Germany has launched its own model, and the Netherlands is still building the policy foundations that would allow regulated organisations to move sensitive systems into cloud environments with confidence.
Sovereignty in this context is not simply a question of where data is stored. SAP’s position is that the term covers several layers: data residency, operational control, technical architecture, and the legal framework applying to the service. Customers in critical infrastructure, defence, public administration, healthcare, and regulated industry may be unable to move core systems into cloud environments unless each layer is clear.
The Netherlands is a strong European technology market, with advanced digital infrastructure and serious capability in quantum, semiconductors, logistics, and enterprise technology. Its cloud-sovereignty position is less settled. That creates a gap between digital ambition and the delivery models available to organisations that run critical systems but still need to modernise ageing ERP, data, and workflow platforms.
ERP is a useful lens because it sits deep inside the real economy. Finance, procurement, logistics, manufacturing, utilities, public administration, and workforce systems depend on it. When those systems move from on-premise estates into cloud environments, the legal, operational, and technical control model becomes part of the buying decision rather than a footnote in the risk register.
Europe’s cloud debate is often framed as a question of American hyperscaler dominance, although the operational problem is more specific. Organisations need to know who can access data, under which jurisdiction, using which support model, and with what separation between commercial cloud infrastructure and sovereign control planes. Without that clarity, cloud adoption slows or proceeds through bespoke exceptions that are difficult to scale.
France and Germany have tried to answer that problem through national arrangements and sovereign-cloud offerings tailored to public-sector and regulated use. Those models bring their own friction, including cost, certification, complexity, and technical constraints, but they give buyers a defined framework for workloads where standard cloud assurances are not enough.
Dutch policymakers now face pressure from two directions. Critical infrastructure operators need to modernise, improve cyber resilience, consolidate fragmented systems, and adopt AI-enabled tools, yet the national framework for highly sensitive cloud workloads remains less mature than those of larger neighbours. Organisations can defer modernisation, accept extra risk, or move through individually negotiated control models that may later prove politically exposed.
Enterprise vendors are adapting to the same pressure. SAP’s sovereign-cloud work reflects a wider shift in which major software suppliers increasingly need different deployment models for customers with national-security, public-sector, and regulatory requirements. A single pan-European cloud approach may look efficient, but sovereignty still operates through national laws, security classifications, procurement practices, and political risk appetites.
The Netherlands therefore sits inside a wider European contradiction. The EU wants more digital autonomy, more AI adoption, and stronger cloud infrastructure, but implementation is still shaped by member-state frameworks. “European cloud” does not automatically mean the same thing in Amsterdam as it does in Paris or Berlin.
As more core systems move into cloud and AI workloads begin to touch sensitive data, the sovereign-cloud gap becomes a delivery issue. Policy lag now has a direct bearing on whether critical organisations can modernise securely, whether European vendors can compete credibly, and whether public-sector cloud procurement can move beyond pilots and exceptions.










