Cloud ERP — the practical guide for DACH mid-market buyers
Cloud ERP is no longer a question of whether but of which flavour. By 2026 essentially every credible mid-market ERP vendor offers a cloud edition; what differs is the deployment model behind that label and the obligations it places on the customer. This guide separates the four common patterns — public cloud SaaS, private cloud SaaS, hosted on-premises, hybrid — and discusses the DACH-specific concerns around data residency, BSI C5 certification and the Schrems II ruling.
The wrong cloud-ERP decision is rarely a budget mistake; it is usually a sovereignty mistake that surfaces two years later in an audit or a contract renewal. Buyers should resolve the deployment-model question before talking to vendors, not during.
What cloud ERP actually means
The marketing term ‘cloud ERP’ covers at least four distinct technical realities. Public cloud SaaS means the vendor runs a multi-tenant platform on hyperscaler infrastructure (AWS, Azure, Google Cloud) and customers consume it as a service — SAP S/4HANA Cloud Public Edition, Oracle NetSuite, Microsoft Dynamics 365 Business Central, Workday. Private cloud SaaS means a single-tenant deployment of the same software on dedicated infrastructure, usually still hosted by the vendor or a partner — SAP RISE with private edition, Infor CloudSuite. Hosted on-premises means the traditional on-prem product is installed by a hosting partner on customer-dedicated infrastructure with managed services on top — common for proAlpha, abas, oxaion, SelectLine and many other German Mid-Market products. Hybrid covers anything that combines two of the above — core financials in public SaaS, manufacturing in hosted on-prem, for instance.
The differences matter because they determine update cadence, customisation freedom, integration patterns and the legal allocation of responsibility. Buyers who fail to distinguish them end up disappointed by surprises that were spelt out in the contract.
Public cloud vs private cloud
The decisive difference is tenancy. Public cloud SaaS is multi-tenant: many customers share the same software instance, with logical separation at the data layer. Upgrades roll out on a fixed schedule (typically quarterly or semi-annually) for the whole tenant base; customers cannot defer them. Customisation is restricted to configuration and extension via approved APIs and platforms (SAP BTP, Microsoft Power Platform, NetSuite SuiteScript). The total cost of ownership tends to be lower, the implementation faster, and the operational responsibility shifts towards the vendor.
Private cloud SaaS gives each customer a dedicated software instance on dedicated infrastructure. Upgrades can be scheduled with the customer; modifications are possible within a defined envelope; integration patterns are more flexible. The price is higher, both in licence and in the customer's own integration responsibility.
Rule of thumb: companies that have already standardised on the vendor's reference processes and want low operational overhead pick public cloud; companies with deeply customised legacy processes or strict regulatory needs that require operational control pick private cloud.
SaaS vs hosted on-premises
Hosted on-premises is the path that most German Mid-Market vendors offer to customers who want to leave their own data centre without leaving their familiar product. proAlpha, abas, ams.erp, oxaion, SelectLine and others all have well-established hosting partners. The application itself remains the on-prem product, with all its customisation freedom; the hosting partner provides the infrastructure, the operating system, the database, the backup regime and the helpdesk.
Compared with true SaaS, hosted on-prem keeps the customer in charge of the upgrade cycle — an advantage for stability, a disadvantage for technical debt. Compared with running the same software on company-owned hardware, hosted on-prem offloads infrastructure operations and capital expenditure but does not change the licensing model.
For many Mid-Market companies hosted on-prem is the realistic first cloud step. A second migration to SaaS becomes feasible once the customisation portfolio has been rationalised and the integration landscape has matured.
DACH-specific topics: data residency, BSI C5, Schrems II
Three regulatory questions dominate the DACH cloud-ERP conversation and deserve a clear answer in any vendor evaluation.
Data residency. Where, geographically, are production data, backups and disaster-recovery copies stored? ‘EU data centres’ is not enough — ask for the specific regions and for any sub-processor arrangements. Many vendors offer an EU-only contract option that excludes backup transfer outside the EU; check whether your processes (24×7 support, security operations centre) actually allow this.
BSI C5 attestation. The Bundesamt für Sicherheit in der Informationstechnik publishes the Cloud Computing Compliance Criteria Catalogue (C5) as the German standard for cloud-security assurance. Most regulated industries treat a C5 type-2 attestation as a baseline requirement. The hyperscalers and the major SaaS vendors have it; some Mid-Market-focused hosting partners do not. The C5 question is binary — either the report exists and you have read it, or it does not.
Schrems II. The 2020 ECJ ruling invalidated the EU–US Privacy Shield. Personal data transfers to the United States still require additional safeguards beyond Standard Contractual Clauses, even after the 2023 Data Privacy Framework. For cloud ERP this matters whenever the vendor or a sub-processor is US-based. The pragmatic mid-market position is to require an EU-only deployment for personal data and to accept US support access only through controlled and logged channels.
Vendor landscape for cloud ERP in the DACH mid-market
At the upper end, SAP RISE with S/4HANA (private edition) is the canonical migration path for SAP ECC customers; the public edition targets greenfield and smaller deployments. Microsoft Dynamics 365 Finance & Operations and Business Central cover, respectively, the enterprise and SMB segments with strong Office 365 and Power Platform integration. Oracle NetSuite remains the reference public-cloud ERP for subsidiaries of multinationals and digital-native mid-market companies.
In the German Mid-Market the local cloud-native vendors — myfactory, weclapp, Haufe X360 (Acumatica-based), scopevisio, BMD — cover the SMB segment with EU-only hosting and Mid-Market-friendly contracts. Sage Business Cloud and the Sage 100/200 hosted variants serve the upper SMB and lower mid-market. Industry specialists such as plentyOne, JTL-Wawi cloud and Xentral dominate the e-commerce mid-market.
Buyers should map the candidate list against their deployment-model preference first, then narrow by functional fit, then negotiate. The reverse order — functional shortlist first, deployment-model questions afterwards — routinely produces deals that fail technical due diligence late.
Migration paths and realistic timelines
Migrating from on-premises to cloud ERP is rarely a lift-and-shift; it is an opportunity and a forcing function to rationalise the customisation portfolio. A typical Mid-Market journey for a SAP ECC to S/4HANA Cloud move takes 18–30 months, with custom-code remediation accounting for the largest single workstream. Greenfield public-cloud implementations of Business Central or NetSuite can complete in 6–12 months when the customer accepts the standard process.
Buyers preparing a business case should benchmark against the ERP cost overview and the ERP RFP process playbook. The cloud-versus-on-prem decision in isolation belongs in the cloud vs on-premises comparison.
Related Topics
Frequently Asked Questions
Is cloud ERP cheaper than on-premises?
Over a three-year horizon, public cloud SaaS is usually cheaper in total cost of ownership for mid-market companies that adopt the vendor's standard processes. Once customisation, integration and migration costs are added, the picture is less clear — especially for companies with mature on-premises landscapes whose hardware is already depreciated. The honest answer is that cloud ERP is rarely a pure cost-savings play; it is a sovereignty and agility trade.
What does BSI C5 actually certify?
BSI C5 (Cloud Computing Compliance Criteria Catalogue) defines minimum security requirements for cloud providers, organised into 17 chapters covering organisation of information security, personnel, physical security, operations, identity and access management, cryptography, communications security and similar topics. A C5 type-2 attestation is issued by an independent auditor and confirms that the controls were not only designed correctly but operated effectively over an audit period (usually 12 months). Most regulated DACH industries treat C5 type-2 as a procurement gate.
Can we keep ERP data in Germany only?
Most major vendors offer an EU-region option, and some (myfactory, weclapp, scopevisio, BMD, T-Systems, Plusserver) offer a Germany-only option. The cost is usually a 5–15 % premium over the standard EU-wide deployment and possibly slower feature roll-out. For tax-relevant data covered by GoBD and for personal data under Schrems II, the Germany-only option is the simplest path to defensible compliance.
How long is a typical cloud ERP migration?
Greenfield public-cloud implementations of Business Central or NetSuite for a single-country Mittelstand operation: 6–12 months. SAP ECC to S/4HANA Cloud (RISE) brownfield migrations for a mid-market customer: 18–30 months. Multi-country roll-outs add 6–12 months per country wave. Cloud-to-cloud moves between SaaS products are increasingly common and typically run 4–8 months.