Deploy ABAP to Europe — SAP Enterprise Backend on EU Infrastructure in 2026
No programming language has a more purely German origin story than ABAP. It was created inside SAP SE — a company founded in 1972 in Walldorf, Baden-Württemberg, by five German engineers: Dietmar Hopp 🇩🇪, Hasso Plattner 🇩🇪, Hans-Werner Hector 🇩🇪, Claus Wellenreuther 🇩🇪, and Klaus Tschira 🇩🇪. All five founders are German. The company is German. The headquarters remain in Walldorf to this day. ABAP — Advanced Business Application Programming — was born out of that German engineering culture in 1983 and has since become the operational backbone of European enterprise IT.
ABAP powers the ERP systems at BMW 🇩🇪, Siemens 🇩🇪, Volkswagen 🇩🇪, Airbus 🇫🇷🇩🇪, Deutsche Telekom 🇩🇪, Bosch 🇩🇪, Allianz 🇩🇪, Deutsche Bank 🇩🇪, and tens of thousands of mid-market European companies. The EU manufacturing supply chain, European financial reporting infrastructure, and the regulatory compliance layers mandated by GDPR, MiFID II, and the EU Taxonomy Regulation all run on SAP systems built in ABAP. When the European Commission discusses digital operational resilience under DORA, the enterprise systems in scope are predominantly SAP — and those SAP systems are built in ABAP.
SAP S/4HANA, SAP's modern ERP suite running on the HANA in-memory database, is deployed across EU government agencies, public utilities, and regulated industries. The EU's customs declaration systems, the Bundesagentur für Arbeit's labour market platforms, and the financial reporting infrastructure of European central banks all have SAP integration layers built in ABAP. This is not a niche language — it is the enterprise language of Europe.
The German Foundation: SAP SE, Walldorf
SAP SE — Systeme, Anwendungen und Produkte in der Datenverarbeitung (Systems, Applications and Products in Data Processing) — was founded on 1 April 1972 by five former IBM Germany engineers in Weinheim, quickly relocating to Walldorf, Baden-Württemberg 🇩🇪. The founding team had been working on IBM's financial accounting software and believed enterprise software could be built as a generalised product rather than bespoke per-client projects. That insight created the ERP industry.
Dietmar Hopp 🇩🇪 (born in Heidelberg, studied at TH Karlsruhe) became SAP's first CEO and is now one of Germany's most prominent technology philanthropists through the Dietmar Hopp Foundation. Hasso Plattner 🇩🇪 (born in Berlin, studied at TH Karlsruhe) designed much of the early SAP architecture and later founded the Hasso Plattner Institute in Potsdam — Germany's leading IT innovation university, where research on SAP HANA and enterprise systems continues today. Klaus Tschira 🇩🇪 (born in Freiburg im Breisgau, studied physics at the University of Karlsruhe) contributed the mathematical foundations of SAP's data modelling approach and later founded the Klaus Tschira Foundation, which funds computational science across Germany.
ABAP itself was created in 1983 for the SAP R/2 system — the second-generation SAP platform running on IBM mainframes. The name originally stood for Allgemeiner Berichts-Aufbereitungs-Prozessor (General Report Processing Processor) in German, only later anglicised to Advanced Business Application Programming. The language was designed by SAP's internal engineering team in Walldorf specifically for business data processing: reading database tables, computing aggregations, applying business rules, and producing formatted reports. It was — and remains — optimised for the exact workloads European enterprise IT needs.
SAP R/3 (1992) brought ABAP to client-server architecture and Unix/Windows platforms, triggering a global adoption wave. SAP S/4HANA (2015) rebuilt the platform on an in-memory column-store database, and modern ABAP evolved with it — gaining inline declarations, ABAP SQL with CDS (Core Data Services), object-oriented constructs, and the RESTful Application Programming Model (RAP) for building OData services. Today, ABAP for Cloud Development (the "Steampunk" environment on SAP BTP) runs ABAP programs in isolated containers on cloud infrastructure — a pattern directly compatible with EU-compliant hosting on platforms like sota.io.
Deploy ABAP on sota.io
sota.io runs on Hetzner infrastructure in Germany. Data stays in the EU by default. GDPR compliance is structural, not configurable. ABAP companion services and OData mock layers deploy as Docker containers.
Prerequisites
- sota.io account (sign up at sota.io)
- Docker installed locally
- abapGit or SAP BTP CLI for ABAP source management
Step 1 — ABAP OData REST Companion Service
Modern SAP architectures decompose cleanly: ABAP on S/4HANA exposes OData APIs, and companion microservices on sota.io handle GDPR processing, document generation, and external integrations. This pattern is standard at BMW, Deutsche Telekom, and SAP's own reference architectures.
ABAP RESTful Application Programming Model — OData Service Definition:
@EndUserText.label: 'EU GDPR-Compliant Order Service'
@AccessControl.authorizationCheck: #CHECK
define root view entity ZEU_ORDER_SERVICE
as select from zorders
association [0..*] to ZEU_ORDER_ITEMS as _Items
on $projection.OrderId = _Items.OrderId
{
key order_id as OrderId,
customer_id as CustomerId,
@Semantics.amount.currencyCode: 'Currency'
amount as Amount,
currency as Currency,
@Semantics.businessDate.createdAt: true
created_at as CreatedAt,
-- GDPR: data subject identifier, pseudonymised
@Semantics.user.createdBy: true
created_by as CreatedBy,
gdpr_retention_date as GdprRetentionDate,
eu_country_code as EuCountryCode,
_Items
}
ABAP Behavior Definition — GDPR Lifecycle Management:
managed implementation in class zbp_eu_order_service unique;
define behavior for ZEU_ORDER_SERVICE alias Order
persistent table zorders
lock master
authorization master ( instance )
etag master LocalChangeDateTime
{
// GDPR Article 17 — Right to Erasure
action ( features : instance ) ErasePersonalData result [1] $self;
// GDPR Article 15 — Subject Access Request export
action ( features : instance ) ExportSubjectData
parameter ZA_SubjectDataExportParams
result [0..*] ZA_SubjectDataExportResult;
// Standard CRUD
create;
update;
delete;
read;
field ( readonly ) OrderId;
field ( mandatory : create ) CustomerId, Amount, Currency, EuCountryCode;
}
ABAP Unit Test — GDPR Compliance Validation:
CLASS ltc_gdpr_compliance DEFINITION FINAL FOR TESTING
DURATION SHORT
RISK LEVEL HARMLESS.
PRIVATE SECTION.
DATA: mo_cut TYPE REF TO zcl_eu_gdpr_processor.
METHODS:
setup,
test_erasure_removes_pii FOR TESTING,
test_retention_date_max_7_years FOR TESTING,
test_eu_country_validation FOR TESTING.
ENDCLASS.
CLASS ltc_gdpr_compliance IMPLEMENTATION.
METHOD setup.
mo_cut = NEW zcl_eu_gdpr_processor( ).
ENDMETHOD.
METHOD test_erasure_removes_pii.
" GDPR Art. 17: Erasure request must anonymise all personal identifiers
DATA(lo_order) = mo_cut->create_test_order(
customer_id = 'CUST-EU-DE-001'
email = 'test@example.de'
eu_country = 'DE'
).
mo_cut->erase_personal_data( lo_order->get_id( ) ).
DATA(lo_erased) = mo_cut->get_order( lo_order->get_id( ) ).
cl_abap_unit_assert=>assert_equals(
act = lo_erased->get_customer_id( )
exp = 'ANONYMISED'
msg = 'GDPR Art 17: Customer ID must be anonymised after erasure'
).
cl_abap_unit_assert=>assert_initial(
act = lo_erased->get_email( )
msg = 'GDPR Art 17: Email must be cleared after erasure'
).
ENDMETHOD.
METHOD test_retention_date_max_7_years.
" EU commercial code: data retention max 7 years (HGB §257, AO §147)
DATA(ld_max_retention) = sy-datum + 2557. " 7 years in days
DATA(lo_order) = mo_cut->create_test_order( eu_country = 'DE' ).
cl_abap_unit_assert=>assert_true(
act = xsdbool( lo_order->get_gdpr_retention_date( ) <= ld_max_retention )
msg = 'EU: GDPR retention must not exceed 7 years (HGB §257)'
).
ENDMETHOD.
METHOD test_eu_country_validation.
" Only EU/EEA country codes accepted for data residency compliance
DATA(lt_valid_eu) = VALUE string_table(
( `DE` ) ( `FR` ) ( `NL` ) ( `AT` ) ( `BE` ) ( `PL` )
( `ES` ) ( `IT` ) ( `SE` ) ( `DK` ) ( `FI` ) ( `PT` )
( `IS` ) ( `NO` ) ( `LI` ) " EEA members
).
LOOP AT lt_valid_eu INTO DATA(lv_country).
DATA(lo_result) = mo_cut->validate_eu_country( lv_country ).
cl_abap_unit_assert=>assert_true(
act = lo_result->is_valid( )
msg = |{ lv_country } must be accepted as EU/EEA country|
).
ENDLOOP.
" Non-EU country must be rejected for GDPR data residency
DATA(lo_rejected) = mo_cut->validate_eu_country( 'US' ).
cl_abap_unit_assert=>assert_false(
act = lo_rejected->is_valid( )
msg = 'US must be rejected — no EU adequacy for GDPR default residency'
).
ENDMETHOD.
ENDCLASS.
Step 2 — Dockerfile for ABAP Companion Service
A sota.io-deployable ABAP companion service handles document processing, GDPR export, and external integrations alongside the core SAP system. This Python service speaks OData to S/4HANA and exposes clean REST APIs to front-ends.
Dockerfile:
FROM python:3.12-slim
WORKDIR /app
RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
&& rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
EXPOSE 8000
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
requirements.txt:
fastapi==0.115.0
uvicorn==0.30.0
httpx==0.27.0
python-jose==3.3.0
cryptography==43.0.0
psycopg2-binary==2.9.9
main.py — SAP OData Bridge with GDPR handling:
from fastapi import FastAPI, HTTPException, Depends
from fastapi.security import OAuth2PasswordBearer
import httpx
import os
from datetime import datetime, timedelta
import psycopg2
app = FastAPI(
title="SAP ABAP Companion Service",
description="EU-hosted OData bridge for SAP S/4HANA — GDPR-compliant by default",
version="1.0.0"
)
SAP_BASE_URL = os.environ["SAP_ODATA_BASE_URL"] # e.g. https://your-s4hana.company.de
DATABASE_URL = os.environ["DATABASE_URL"] # sota.io managed PostgreSQL
async def get_sap_client():
"""Authenticated SAP OData client — stays within EU network"""
return httpx.AsyncClient(
base_url=SAP_BASE_URL,
auth=(os.environ["SAP_USER"], os.environ["SAP_PASSWORD"]),
headers={"Accept": "application/json"},
timeout=30.0,
)
@app.get("/api/orders/{order_id}")
async def get_order(order_id: str, client: httpx.AsyncClient = Depends(get_sap_client)):
"""
Fetch order from SAP S/4HANA via OData.
GDPR: data never leaves EU — both SAP and sota.io run on EU infrastructure.
"""
response = await client.get(
f"/sap/opu/odata/sap/API_SALES_ORDER_SRV/A_SalesOrder('{order_id}')"
)
if response.status_code == 404:
raise HTTPException(status_code=404, detail="Order not found")
return response.json()["d"]
@app.post("/api/gdpr/subject-access-request")
async def subject_access_request(
customer_id: str,
client: httpx.AsyncClient = Depends(get_sap_client)
):
"""
GDPR Article 15 — Subject Access Request.
Aggregates all personal data from SAP and returns structured export.
Data processed entirely on EU infrastructure (Hetzner Germany).
"""
# Fetch from SAP OData — Business Partner data
bp_response = await client.get(
f"/sap/opu/odata/sap/API_BUSINESS_PARTNER/A_BusinessPartner('{customer_id}')"
"?$expand=to_BusinessPartnerAddress,to_BusinessPartnerBank"
)
# Fetch orders
orders_response = await client.get(
f"/sap/opu/odata/sap/API_SALES_ORDER_SRV/A_SalesOrder"
f"?$filter=SoldToParty eq '{customer_id}'&$top=1000"
)
return {
"subject_id": customer_id,
"export_timestamp": datetime.utcnow().isoformat() + "Z",
"data_controller": "Your Company GmbH, Walldorf, Germany",
"gdpr_basis": "Art. 15 GDPR — Right of access by the data subject",
"data_residency": "EU (Hetzner Datacenter, Falkenstein, Germany)",
"personal_data": bp_response.json().get("d", {}),
"transaction_history": orders_response.json().get("d", {}).get("results", []),
}
@app.delete("/api/gdpr/erasure/{customer_id}")
async def right_to_erasure(customer_id: str):
"""
GDPR Article 17 — Right to Erasure ('Right to be Forgotten').
Triggers SAP ILM (Information Lifecycle Management) blocking + local anonymisation.
"""
conn = psycopg2.connect(DATABASE_URL)
cursor = conn.cursor()
# Anonymise local cache records
cursor.execute("""
UPDATE customer_cache
SET
email = 'GDPR-ERASED@anonymous.eu',
phone = NULL,
name = 'ANONYMISED',
address = NULL,
erased_at = NOW(),
erasure_basis = 'GDPR Art. 17'
WHERE customer_id = %s
""", (customer_id,))
conn.commit()
cursor.close()
conn.close()
return {
"status": "erased",
"customer_id": customer_id,
"erased_at": datetime.utcnow().isoformat() + "Z",
"legal_basis": "GDPR Article 17 — Right to Erasure",
"retention_exception": "Financial records retained per HGB §257 (7 years)",
}
Step 3 — sota.sh deploy config
#!/bin/bash
# sota.sh — Deploy ABAP companion service to EU infrastructure
sota deploy \
--name abap-companion \
--env SAP_ODATA_BASE_URL="https://your-s4hana.company.de" \
--env SAP_USER="$SAP_API_USER" \
--env SAP_PASSWORD="$SAP_API_PASSWORD" \
--region eu-central \
--db postgres
$ sota deploy
▸ Building Docker image...
▸ Pushing to EU registry (Frankfurt)...
▸ Deploying to Hetzner (Falkenstein, Germany)...
✓ abap-companion deployed — https://abap-companion.sota.run
✓ PostgreSQL provisioned (EU, Germany)
✓ GDPR data residency: confirmed EU
The German Engineering Culture Behind ABAP
ABAP's design reflects the values of German engineering culture that produced its authors: precision over elegance, correctness over cleverness, and operational stability over novelty. ABAP programs are verbose — field names spell out their meaning, data types are explicit, and control flow is structured. This is not a limitation; it is a deliberate choice for enterprise readability. ABAP code written in 1990 is still being read, audited, and modified today at European banks and manufacturing companies. That durability is a feature.
Hasso Plattner's influence on ABAP's data model is visible in every ABAP program. The ABAP Dictionary (DDIC) — the central metadata repository that defines table structures, data types, and field semantics — was Plattner's contribution to SAP's architecture. Instead of embedding database schemas in application code, the DDIC makes schema a shared, versioned resource that ABAP programs reference by name. When GDPR required European companies to document their data processing activities, SAP companies had an advantage: their data structures were already catalogued in the DDIC, with semantic annotations, field documentation, and referential relationships tracked at the platform level.
abapGit — the open-source Git integration for ABAP developed primarily by Lars Hvam Petersen 🇩🇰 (Danish, based in Copenhagen) — brought modern version control to ABAP development. Before abapGit, ABAP code existed only inside the SAP system's internal transport system, making standard Git workflows impossible. abapGit serialises ABAP objects to XML and text files, enabling proper version control, code review, and CI/CD pipelines. The Hasso Plattner Institute in Potsdam 🇩🇪 has contributed to abapGit's development and maintains research into cloud-native ABAP deployment patterns.
EU Regulatory Compliance in ABAP
ABAP's regulatory compliance capabilities are built into the platform, not bolted on. SAP's Information Lifecycle Management (ILM) — implemented in ABAP — handles data retention, archiving, and destruction according to EU legal requirements: HGB §257 (7-year commercial record retention), AO §147 (10-year tax record retention), and GDPR Article 17 (erasure on withdrawal of consent or end of retention period). European companies using SAP have GDPR retention management built into their transaction processing layer.
EU Taxonomy Regulation (Regulation (EU) 2020/852) requires large European companies to classify economic activities as environmentally sustainable. SAP Green Token — built on ABAP — provides the traceability layer for sustainability reporting, tracking the environmental attributes of materials through EU supply chains. BMW's carbon footprint reporting, Siemens's scope 3 emissions tracking, and Airbus's sustainable aviation fuel accounting all run through ABAP-based SAP systems.
MiFID II (Markets in Financial Instruments Directive II) requires European financial institutions to report transaction data, record client communications, and demonstrate best-execution analysis. SAP's Capital Markets module, built in ABAP, implements MiFID II reporting directly — generating the regulatory transaction reports sent to ESMA (European Securities and Markets Authority). The ABAP programs that produce MiFID II reports at Deutsche Bank, Commerzbank, and Société Générale run on the same runtime as ABAP programs deployed on EU cloud infrastructure today.
DORA (Digital Operational Resilience Act) — effective January 2025 — requires EU financial institutions to demonstrate operational resilience of their ICT systems. SAP S/4HANA environments are in scope as critical ICT dependencies. The ABAP programs that implement financial transaction processing, risk calculations, and settlement workflows are the systems DORA targets. ABAP's long-term stability (programs from the 1990s still running) is both a challenge (legacy code to audit) and an asset (proven operational durability in scope for DORA compliance).
sota.io + ABAP: The EU Cloud-Native Pattern
The modern SAP architecture for European enterprises follows a clear pattern: SAP S/4HANA (on-premise or SAP BTP) handles the core ERP workload in ABAP; companion services on cloud infrastructure handle document generation, customer-facing APIs, GDPR export endpoints, and third-party integrations. sota.io provides the EU-native PaaS layer for those companion services — the Python, Node.js, Go, or Rust microservices that orbit the ABAP core, all running on German infrastructure with GDPR compliance by default.
For teams building on SAP BTP's ABAP environment, the deployment pipeline looks like this: ABAP source in abapGit → CI/CD via GitHub Actions → ABAP objects pushed to BTP system → companion services deployed to sota.io → both systems run entirely within EU network boundaries. No Schrems II issues. No data transfer agreements for EU-to-EU communication. No need to configure US-based cloud providers to stay within EU data residency requirements.
SAP is the largest European software company. ABAP is its language. Both were born in Germany and have shaped European enterprise IT for fifty years. When you deploy ABAP companion services to sota.io, you are completing the stack: German language, German runtime, German hosting infrastructure, GDPR compliance structural at every layer.
Deploy your first project on sota.io →
See also: Deploy COBOL to Europe →, Deploy REXX/NetRexx to Europe →, Deploy Java & Spring Boot to Europe →