Why this needs an honest assessment
RISE with SAP is, in SAP’s own framing, its offering to move mission-critical core systems to the cloud, with the components brought together into a single contract. A single contract is genuinely useful: one commercial counterparty, one accountability line for infrastructure and technical operations. But a single contract also invites a single mental model — “SAP runs it now” — and that model is where budgets go wrong. What follows keeps two things separate on purpose: what SAP itself states is included (SAP’s words), and what independent analysts say remains the customer’s responsibility and cost (their analysis, attributed as such).
What SAP says is in the bundle
From SAP’s own announcements, the bundle centers on SAP S/4HANA Cloud Private Edition as the ERP foundation, with SAP Enterprise Cloud Services providing technical managed services, and SAP taking more accountability for customers’ SAP systems. Infrastructure runs on hyperscalers — AWS, Google Cloud, Microsoft Azure — with SAP managing that relationship as prime contractor.
Around the core, SAP’s stated inclusions have grown with each repackaging: Business Technology Platform credits, a Business Network supplier portal, Signavio and LeanIX process-and-architecture tooling, and onboarding tooling — Readiness Check, Cloud ALM, Enable Now — plus expert activation support. Since mid-2024, SAP has stated that all RISE customers get Joule, its AI copilot natively integrated into S/4HANA Cloud, plus SAP AI units for piloting; Premium tiers add low-code development, generative AI capability, a CFO suite, Datasphere and Analytics Cloud for planning, and the 2025 private package names SAP Build, HANA Cloud, Master Data Governance, Enterprise Service Management and Taulia among included capabilities.
Two observations before the other side of the ledger. The bundle’s contents have changed materially across 2022, 2024 and 2025 announcements — so “what’s in RISE” is a dated question, and your contract’s answer is the service description attached to your order form, not a press release. And note what the inclusions above are: products, platforms, credits and tooling. What they are not is your project.
What independent analysis says stays with you
Security researchers at Onapsis, analyzing RISE’s shared-responsibility model, put the boundary bluntly: SAP applies technical patches to the operating system and standard database, while the customer retains 100% responsibility for securing everything inside the application — including all user provisioning, role and segregation-of-duties management; the security, compliance and performance of all custom code; assessing, requesting and validating application-level patches; and classifying and protecting business data. That is their analysis, not SAP’s marketing — and it is the single most important paragraph in this article for anyone budgeting a RISE operating model.
There is an honest tension here worth naming rather than smoothing over: SAP’s own 2022 description of Enterprise Cloud Services mentions application management services within the bundle, while independent assessments consistently describe the delivered scope as technical operations, with the functional and application layer remaining the customer’s. We do not assert that functional AMS is contractually excluded — we could not verify the definitive service description document (see flags). The defensible planning position is the analysts’: treat functional support, custom-code ownership and role governance as yours until your contract explicitly says otherwise.
On service levels, trade press reporting of Gartner analysis notes that RISE’s standard uptime SLA of 99.7% sits below the roughly 99.9% industry standard, and that service requests can lack committed completion times — attributed to Gartner analyst Alessandro Galimberti via The Register. Clean-core discipline has a cost side too: practitioner commentary warns that RISE is not designed to expand outside a clean-core environment, and highly customized estates will notice inefficiencies, while independent reviewers note that clean-core mandates often require rewriting or eliminating custom code — a cost the customer absorbs — and that under brownfield migrations the customer remains responsible for upgrading to stay supported.
The costs CFOs miss
Four commercial mechanics recur across independent analyses — none of them line items on the RISE order form:
- BTP consumption. Included credits are not unlimited use: advisers describe BTP’s consumption-based pricing model as unpredictable, with add-ons such as AI Core and Integration Suite licensing separately.
- Indirect and digital access. One SAP licensing advisory firm calls digital access the largest indirect exposure, licensed by document creation count rather than per user — a mechanism many CFOs have never modeled.
- Estimation gaps. The same advisory firm reports, across its own client base, user counts proposed 22–38% above defensible levels, digital-access exposure running two to four times internal estimates, BTP forecasts understated by similar multiples, and migration costs at two to three times first estimates. That is one firm’s finding, not a market statistic — but the direction of every error it reports is the same, and it is not in the buyer’s favor.
- Commercial terms and lock-in. Practitioner analysis warns that previously negotiated renewals, swap rights and price protections may not carry over under RISE, and the right to revert to a perpetual model is often revoked; the shift from CapEx to an all-OpEx model changes the finance conversation itself. On escalation, one advisory reports default annual subscription escalators of 5–7% compounding over multi-year terms — their reported range, not an SAP published rate — and recommends negotiating a cap. We deliberately quote no RISE prices or discount levels anywhere in this article: none met our sourcing bar.
How to negotiate the scope
The pattern in everything above is that RISE’s headline is fixed and its boundary is negotiable — so negotiate the boundary. Get the service description document for your specific package and walk its inclusion list against your current operating model, task by task; every task on neither list is yours by default. Price the retained scope (roles and SoD, custom-code remediation, application patching validation, functional support) as part of the business case, not as a post-signature discovery. Model BTP consumption and digital access before signature, when they are negotiating levers rather than invoices. Ask for SLA terms and service-request commitments in writing against your availability requirements. And treat exit terms — data egress, end-of-term options — as a day-one question; it is the one with the least public documentation and therefore the most contract-specific risk.
RISE with SAP is neither the outsourcing deal its single contract implies nor the trap its critics describe. It is a technical-operations bundle with a negotiable boundary — and the buyers who do well are the ones who price what stays on their side of it before they sign.