We have seen four constellations repeatedly in our projects where hybrid is structurally better than pure cloud or pure on-premises — not a technology question but a question of regulation and IT staffing.
Constellation 1 — classified data alongside standard workloads. Whoever processes health data, trade secrets or NIS-2-relevant control data keeps these in a controlled zone. Office and CRM run in parallel in the public cloud. The NIS-2-UmsuCG has been in force since 6 December 2025 and covers 29,500 companies without a transition period — verifiable control architecture is mandatory.
Constellation 2 — migrations before the SAP ECC maintenance end in 2027. Mittelstand companies running SAP ECC face the end of maintenance. 20 per cent choose a hybrid approach according to the erp.today market analysis 2026: critical modules in the sovereign zone, standard modules in the public cloud. SAP RISE with private-edition components is the most common contract shape in 2026. The ERP structural decision therefore becomes hybrid by necessity.
Constellation 3 — AI workloads with high-risk classification. The EU AI Act Implementation Timeline makes high-risk AI systems mandatory from 2 August 2026. Model training on personal data belongs in a zone with verifiable data sovereignty. Inference on synthetic data scales economically only in the public cloud. The separation forces hybrid.
Constellation 4 — IT staffing below 15 full-time roles. Bitkom records around 109,000 unfilled IT positions in Germany for 2025. Mittelstand companies with under 15 IT full-time staff do not operate a 24/7 SOC. They shift standard operations into the cloud and keep business-critical data sovereignty on-premises. Pure on-premises is then not responsible; pure cloud is not sovereign enough.
When pure cloud or pure on-premises is the better choice
Hybrid is not universal. In three constellations the pure form wins structurally: digital business models without KRITIS exposure run pure cloud more economically; KRITIS operators and IP-heavy family businesses with a stable IT team run pure on-premises more sovereignly; and wherever hybrid is built without a clear workload split, operating effort doubles with no commensurate benefit.
Hybrid is not universal. In our projects we have seen three constellations where hybrid architecture comes out structurally worse than a pure form.
Pure cloud makes sense: digital business models, high scaling, low regulation. Software vendors without KRITIS exposure, marketplaces or service models with fewer than 500 employees run more economically on pure cloud. The scaling advantage outweighs the sovereignty loss because no regulatorily classified data classes are present. Computer Weekly DE reports for 2026: 39 per cent cloud ERP, 31 per cent hybrid, 28 per cent on-premises.
Pure on-premises makes sense: high data classification, established operating competence. Family-owned manufacturers with high IP content, production workloads under 10-millisecond latency, defence suppliers and KRITIS operators with their own data centre and an IT team above 30 full-time roles often run better on-premises. A hybrid architecture would multiply control planes without a corresponding workload need.
Pure form makes sense when no defensible workload splitter exists. Whoever builds hybrid because it looks modern builds two worlds in parallel — with doubled operating costs and no clearly assigned workloads. We have rolled back hybrid architectures in three mandates because the ERP selection did not rest on data classification. The pure form was operationally cheaper and no less sovereign.
Practice example: a Dreher hybrid selection decision in 2025/26
Anonymised Mittelstand selection: an automotive supplier, 540 employees, three plants in Baden-Württemberg and the Czech Republic, SAP ECC with maintenance end in 2027, 18-strong IT team. Leadership wanted pure cloud — the regulatory review forced a three-zone hybrid. Fourteen months later the migration was on plan, MES latency at 6.2 milliseconds, AI pilot legally compliant.
We have designed hybrid architectures in over 30 projects between 2023 and 2026 for the DACH Mittelstand — the following anonymised example illustrates the selection logic concretely. An automotive supplier with 540 employees, three plants in Baden-Württemberg and the Czech Republic, 18 IT full-time staff, SAP ECC with maintenance end in 2027.
Starting position: leadership wanted pure cloud on S/4HANA Public Edition. The regulatory review surfaced four critical data classes — product development data under OEM NDAs, plant control data under NIS-2 obligation, employee data and supplier evaluations under GDPR risk. Pure cloud was therefore not sovereignly tenable; pure on-premises was not 24/7 operable with the existing team.
We designed a three-zone hybrid: zone one, sovereign private cloud under German law for S/4HANA with the four critical data classes, controlled via Microsoft Azure Arc with on-premises Kubernetes nodes in Stuttgart. Zone two, public cloud for Microsoft 365 and reporting. Zone three, on-premises MES for 8-millisecond real-time control. Selection criteria: BSI C5 auditability, NIS-2 compliance, EU AI Act conformity for the planned predictive-maintenance AI.
The result after 14 months: S/4HANA migration on plan, MES latency at 6.2 milliseconds, AI pilot legally compliant, IT team expanded to 19 staff rather than doubled. The three-zone split is reproducible in Mittelstand companies between 400 and 1,500 employees — provided the data classification precedes the platform selection.
What cloud-vs-hybrid debates won't tell you
Four gaps between vendor story and DACH Mittelstand reality that cloud-vs-hybrid debates routinely overlook: TCO escalation over ten years, the greater risk from single-vendor lock-in, BSI C5:2026 as a procurement checklist, and the fact that sovereignty is measurable — not a marketing label.
The public cloud-vs-hybrid debate follows a vendor script: hyperscalers talk cloud up, on-premises vendors talk sovereignty up. In our projects we see four consistent gaps between this story and DACH Mittelstand reality — none of them surfaces in the typical top-10 definition articles.
1. The 10-year TCO calculation
Vendors present cloud costs in year one. Over ten years, subscription costs from leading cloud ERP vendors escalate in our observation by 5 to 8 per cent per year. Exit costs on switching are rarely below six monthly fees. Hybrid allows selective cost optimisation because only part of the workloads sits in the subscription corridor — see our analysis of the cloud-ERP crisis of the 2030s.
2. Single-vendor lock-in is the bigger risk
The mainstream narrative says: hybrid is complex, multi-vendor is risky. Across more than 1,200 projects we have seen the opposite: single-vendor architectures generate loss of control over pricing, roadmap and data model. Multi-vendor control planes — Azure Arc, Anthos, Outposts and SAP RISE side by side — are the structural defence.
3. BSI C5:2026 as procurement checklist
The BSI C5:2026 appeared at the end of March 2026 with 168 criteria across 17 topic areas — new: container management, confidential computing, post-quantum cryptography. Top-10 definition articles do not mention the catalogue. It is the only BSI-defensible comparison basis for hybrid selection.
4. Sovereignty is measurable, not a marketing label
Gaia-X / GXDCH has listed over 350 certified cloud services against sovereignty criteria. A vendor that does not pass the GXDCH seal has a structural credibility problem in the regulated Mittelstand of 2026 — independent of marketing.
Our take
Anyone evaluating hybrid architecture in 2026 without addressing these four gaps explicitly buys a cloud style choice instead of an architecture.
How we methodically design hybrid architectures
Hybrid is not a style question and not a vendor selection — it is an architecture decision with five methodical phases: data classification, workload assignment, control-plane selection, compliance evidence and exit strategy. Whoever skips one of these phases — typically data classification — ends with a control plane that orchestrates no classified workloads.
Hybrid is not a style question and not a pure vendor selection. It is an architecture decision with five methodical phases. We have held the sequence consistently across our mandates — it integrates with the SCOReX®-oriented selection logic we maintain on ERP and ECM mandates.
Phase one — data classification. Each data class receives three attributes: confidentiality level, regulatory requirement (GDPR, NIS-2, EU AI Act, GoBD) and latency requirement. Without this classification, the hybrid discussion goes nowhere.
Phase two — workload assignment. Each workload is assigned to exactly one zone: public cloud, sovereign private cloud or on-premises. Double assignment is allowed, but expensive — we flag it explicitly as a cost driver.
Phase three — control-plane selection. Only now does the platform decision fall. Azure Arc, Anthos, Outposts, SAP RISE — each platform has a profile that fits specific data-class to zone combinations. A vendor-neutral evaluation is mandatory here.
Phase four — compliance evidence. BSI C5:2026, the NIS-2 obligations catalogue and EU AI Act high-risk classification are tested against the architecture. Gaps are closed before procurement, not during operations.
Phase five — exit strategy. Every hybrid architecture receives a documented exit clause per zone. Whoever cannot exit has no architecture — only a subscription.
Vendor comparison: Azure Arc, AWS Outposts, Google Anthos, SAP RISE
Four platforms, four fit profiles: Azure Arc delivers the broadest multi-cloud reach and Microsoft 365 integration; AWS Outposts the deepest single-cloud extension with a sovereignty option from 2026; Google Anthos the strongest Kubernetes multi-cloud experience; SAP RISE the SAP-specific hybrid contract. No universal answer — each platform fits only certain workload-to-zone combinations.
We have evaluated and productively deployed all four platforms multiple times in our projects. From our experience there is no universal answer — each platform has a concrete fit profile for the DACH Mittelstand in 2026.
Microsoft Azure Arc. The strongest multi-cloud reach, integrated into Microsoft-365-dominated landscapes, available with Sovereign Public Cloud and Sovereign Private Cloud. Delos Cloud under German law goes productive in 2026 and is attractive for regulated Mittelstand companies. Weakness: licensing complexity.
AWS Outposts. The deepest single-cloud extension into on-premises — whoever uses AWS in the public cloud receives the identical service set in their own data centre. Since January 2026 available with the AWS European Sovereign Cloud in Brandenburg, without CLOUD Act exposure. Weakness: weaker multi-vendor integration.
Google Anthos. The strongest Kubernetes-native multi-cloud experience, ideal for container-centric architectures. Weakness: lower market penetration in the DACH Mittelstand, smaller partner footprint.
SAP RISE with Private Edition. Not a generic hybrid stack but an SAP-specific hybrid variant. For Mittelstand companies with an SAP commitment in 2026, the dominant contract shape — 30 per cent of full operations on S/4HANA Cloud Private Edition. Weakness: single-vendor lock-in risk.
Frequently asked questions
Next steps
Anyone seriously considering a hybrid architecture in 2026 examines three points before any platform selection: are the data classes mapped against GDPR, NIS-2 and EU AI Act? Does a workload-to-zone assignment with latency requirements exist? Is an exit strategy in place per zone? If two of three answers are “not yet”, the work begins there — not in the licence conversation. We examine the constellation with your managing directors in a structured selection workshop. More on our methodology under independent ERP consulting and in the overview of our digitalisation services.
30 minutes with Dr Dreher
A structured assessment of your data classes, workload zones and exit options — vendor-independent, based on 30+ years of project practice in the DACH Mittelstand.
