How Companies Can Outsource Critical IT Systems
– Without Losing Their Data Sovereignty
Why Outsourcing Needs a New Approach Today Many midsize companies find themselves in a technological tension field:
On one hand, pressure is growing to modernize IT systems, accelerate digitalization, and counter the increasing shortage of skilled workers. On the other hand, decision-makers worry about losing control over their most sensitive data through outsourcing.
Additional regulatory requirements—foremost NIS‑2, officially active in Germany since December 2025—turn IT security into a personal liability issue for executive management.
Against this backdrop, it becomes clear:
Outsourcing is possible—but only if data sovereignty is guaranteed.
This blog article explores exactly that and offers an inside look at an in‑depth expert discussion with Guido Berndt, Associate Partner at Orise Digital.
#critical
What Really Counts as Critical IT Systems?
GDPR‑relevant data
- Employee data (payroll, salary information, personnel records)
- Applicant data
- Working time data
- Customer data (CRM)
Business and financial data
- Order data
- International financial statements
- Pricing information
- Compliance‑related histories
Trade secrets (not always GDPR‑relevant but confidential)
- Construction drawings
- Production formulas
- Measurement protocols
- Development documentation
- Manufacturing and quality information
Conclusion:
It’s not the system that matters—it’s the content
And these contents are now spread across a wide range of different applications, often grown over many years and connected through countless interfaces.
#misconceptions
The Biggest Misconceptions About Data Sovereignty
Misconception 1: “European hyperscaler clouds are automatically secure.”
Many companies assume that European data centers from AWS, Microsoft, or Google are automatically protected from access by U.S. authorities.
This is not the case.
Because all providers have U.S. parent companies, the CLOUD Act still applies—giving U.S. authorities the right to request data access, even without the company’s knowledge.
Misconception 2: “SAP RISE / Private Cloud = sovereign.”
SAP promotes its private cloud offerings as sovereign or privacy‑compliant.
But the fine print reveals:
- SAP partly operates its cloud using AWS, Google, Microsoft
- CLOUD Act still applies in these cases
- A truly sovereign SAP private cloud is still under development and more expensive
- There is no system ownership, only a software service
- There is no guaranteed exit plan, leading to costly and complex migrations when leaving SAP
This means:
Companies effectively lose control—even if marketing suggests otherwise.
Misconception 3: “SAP outsourcing takes away my general IT responsibility.”
Even when companies move their SAP systems to the SAP cloud, all remaining systems (BI, EDI, CAD, CRM, production systems, etc.) must still be managed—including security. The overall responsibility remains. Often, the complexity even increases.
#operating
Why the Operating Model Matters More Than the Platform
Software‑Service (SaaS / RISE / Hyperscaler)
- Customer has no admin rights
- Customer does not own the system
- No control, no superuser, no complete logging
- Dependency → High
- Exit risk → Very high
- Data privacy risk → Usually not eliminated
System Service (z. B. Orise Advanced Hybrid Cloud)
- Customer maintains system ownership
- Provider manages on behalf but cannot act autonomously
- Superuser concept prevents unauthorized government access
- Full documentation & auditability
- Operation in German data centers → no CLOUD Act risk
- High protection level, also organizationally
Key message:
Data sovereignty does not arise from the platform—but from the operating model.
The Added Value of a Holistic Outsourcing Partner
Integration of all systems in a sovereign environment
- SAP
- Non‑SAP
- Production systems
- CAD
- BI
- CRM
- EDI
- M365
- Security‑Layer
→ All orchestrated in one stable, secure overall environment.
System ownership remains with the customer
The key principle:
The customer retains full control over their systems and data at all times.
Security through technical AND organizational measures
- Superuser‑Mechanism
- German data centers
- Firewalls, zero‑trust, encryption
- MFA‑protection
- regular audits (ISAE 3402, ISO 27001)
- Exit‑Management
- Support with NIS‑2 and IT baseline protection
Cost control and clear SLAs
Customers benefit from:
- Predictable costs
- A single SLA instead of many separate contracts
- Avoidance of vendor lock‑in
- Often significantly lower operating and licensing costs
#conclusion
Conclusion: Data Sovereignty Is Achievable —with the Right Model
Outsourcing does not have to mean loss of control
With a system‑service model, German hosting, superuser rights, clear SLAs, and full auditability, outsourcing can even become a security advantage.
The question is not:
“Cloud or no cloud?”
But rather:
“How do I keep full control over my systems and data?”
The answer:
Through system ownership, real transparency, and a partner who thinks architecture, integration, and security holistically.
Download this article
If you have questions or would like advice: Your Contact Person: Guido Berndt · Associate Partner
Rheinwaldstraße 38
78628 Rottweil
Phone: 0741 17 44 16 600
E-Mail: service.DE-ROT@orise.com