Häufig gestellte Fragen
What should an IT leader look for when selecting an ERP?
From an IT perspective, four criteria matter more than the feature set: the operating model (true cloud SaaS, private cloud or on-premise with clearly defined responsibilities), integration capability via open and fully documented APIs, and a granular security and permissions concept. Added to this are scalability, contractually guaranteed availability and long-term operability over a horizon of five to ten years. Weighing the total cost of ownership is just as important, since experience shows that the license or subscription fee makes up only a smaller share of total costs, while implementation, integration and operations often cost a multiple of it. Those who assess these points before the selection avoid expensive follow-up costs from integration and operations effort.
Cloud or on-premise – which is better from an IT perspective?
There is no universally better model, only a trade-off along the lines of IT expertise, compliance requirements and customization needs. Cloud SaaS relieves the in-house IT team of infrastructure, patching and updates and, in TCO comparisons over the contract term, frequently reduces ongoing operating costs by 30 to 50 percent compared with on-premise, but limits the depth of individual customizations. On-premise gives full control over data and customization but permanently ties up resources for operations, backup and security patches. In practice, cloud is usually more economical for smaller user counts, while with many users and a high degree of customization a detailed TCO comparison over the full term is worthwhile.
How important are APIs in ERP selection?
From an IT perspective, APIs are a central selection criterion, because no ERP is operated in isolation and it must connect to the shop, CRM, logistics and in-house developments. What matters are open, fully documented interfaces such as REST or OData, plus webhooks for real-time events instead of laborious polling. An API-first ERP exposes every function programmatically as well, so integrations do not fail due to missing endpoints. For complex system landscapes, iPaaS platforms complement the native interface strategy and reduce the maintenance burden of numerous point-to-point connections.
Which security requirements apply to an ERP?
As the central data hub, an ERP is among the systems most in need of protection and requires a granular, role-based permissions concept, multi-factor authentication and end-to-end encryption in transit and at rest. Added to this are complete, tamper-proof audit logs as well as GDPR compliance and, depending on the sector, industry-specific requirements. Since the German NIS-2 implementation act came into force, the required measures have been closely aligned with ISO 27001 and include, among other things, access control, cryptography, supply-chain security and incident management. These requirements should already be verifiable in the vendor assessment through certificates and SLAs.
Which NIS2 obligations specifically affect the ERP?
The German NIS-2 implementation act came into force on December 6, 2025, and affects companies with 50 or more employees or at least 10 million euros in annual revenue in the relevant sectors — an estimated 30,000 organizations in Germany. Because the ERP bundles business-critical data and processes, it falls within the scope of the risk-management obligations under § 30 BSIG, including access control, multi-factor authentication, encryption, backup and emergency management. Responsibility can no longer be fully delegated to the IT department, as executive management must actively approve the risk measures and monitor their implementation — otherwise it is personally liable. For particularly important entities, violations carry fines of up to 10 million euros or 2 percent of global annual revenue.
What do RTO and RPO mean for an ERP system?
RTO (Recovery Time Objective) denotes the maximum tolerated time until a failed ERP must be available again, while RPO (Recovery Point Objective) describes the maximum acceptable data loss, measured as the time span between the last backup and the incident. For a production ERP, both values are business-critical, because longer outages immediately block order processing, warehousing and invoicing. Both metrics should be contractually fixed in the SLA, documented and regularly verified through real recovery tests — not just agreed on paper. The lower the target RTO and RPO, the higher the costs for replication, failover and disaster-recovery infrastructure usually are.
What does composable ERP mean for IT?
Composable ERP breaks up the classic monolith in favor of modular building blocks that are combined into an overall solution via standardized interfaces. For IT, this increases flexibility, because individual components can be replaced or added without replacing the entire system. In return, the approach demands a well-thought-out integration and API strategy and a clear understanding of responsibilities across multiple vendors. Without clean governance for interfaces, data flows and security, the flexibility gained can otherwise turn into uncontrolled complexity.
Where is the ERP data stored, and is that GDPR-compliant?
The data location is a central compliance criterion for IT leaders, since under the GDPR personal data should as a rule be processed within the EU or the EEA, and third-country transfers require additional safeguards such as standard contractual clauses. With cloud and SaaS models, it must therefore be contractually clarified in which data centers and regions the data resides and whether a data processing agreement is in place. In addition, traceable offsite backups, documented retention and deletion concepts and verifiable recovery tests are part of a resilient operating strategy. Vendors should transparently disclose location, certifications and sub-processors so that IT can demonstrate compliance to data protection and supervisory authorities.
