Article

Cloud ERP vs on-premise: how to decide

The market has largely settled on cloud for new ERP, but the right answer for your business still depends on a handful of specific conditions. Here is a framework that puts the deciding questions — data residency, customisation depth, IT capability and connectivity — ahead of the headline cost comparison.

Key takeaways

  • Cloud is now the default for new mid-market ERP; treat on-premise as the case you must justify, not the reverse.
  • Decide on four constraints first — data residency, customisation depth, internal IT capability and connectivity — and let cost confirm, not drive.
  • Data-residency law is the strongest reason on-premise or in-region cloud still wins: India’s DPDP Rules carry a localisation power plus sector mandates (RBI, SEBI, insurance), and the UAE and Bahrain restrict cross-border transfers.
  • Cloud does not outsource accountability: under the shared-responsibility model you still own your data, access and backups — and a site with unreliable internet is a real reason to keep workloads local.
  • Heavy customisation creates lock-in in either model; hybrid (the fastest-growing segment) is often the honest answer when only one slice of data or process is the problem.

Most teams choosing an ERP today are not really asking whether to use software. They are asking who should run it — a vendor, in their data centre, or themselves, on infrastructure they own. The cloud-versus-on-premise question sounds technical, but it is mostly a question about control, obligation and where your data is allowed to live. Get it wrong and you are not stuck with a bad feature; you are stuck with a deployment model that fights your operating reality for years.

The honest starting point is that the market has largely already chosen. New implementations skew heavily towards cloud, and the framework below assumes cloud is the default you should talk yourself out of, rather than the exception you must justify. The useful work is identifying the specific conditions under which on-premise, or a hybrid arrangement, is still the better call for your business.

Where the market has actually landed

It helps to size the direction before debating the merits. Fortune Business Insights values the global cloud ERP market at roughly USD 65.89 billion in 2025, rising to about USD 76.17 billion in 2026 and a projected USD 207.59 billion by 2034 — a compound annual growth rate of around 13.40%. Within that, public cloud is the leading deployment model at about 47.38% of the market in 2026, while hybrid cloud is the fastest-growing segment.

For new buyers specifically, industry survey data points the same way. SMC Data Solutions, citing Panorama Consulting Group figures, reports that roughly 78.6% of organisations selecting a new ERP in 2024 chose a cloud solution — which, if it holds, makes cloud the default for new mid-market implementations rather than an alternative to on-premise. Treat that particular number as a vendor-and-consultancy estimate rather than independent fact, but the direction it describes is consistent across sources.

Direction is not destiny. A strong industry trend tells you where the defaults and the vendor investment are heading; it does not tell you whether your specific data, processes and infrastructure fit the default. That is what the rest of this comes down to.

The questions that actually decide it

Cost comparisons tend to dominate these debates, and they are the softest input you have. Industry sources — for example Bizowie and SMC Data Solutions — suggest cloud ERP can lower total cost of ownership by something like 30 to 50% over five years by converting large upfront capital expenditure into a predictable per-user subscription, with on-premise mid-market builds commonly cited at USD 250,000 to 500,000 plus a further USD 50,000 to 150,000 in hardware and infrastructure, against roughly USD 100 to 150 per user per month for a loaded cloud platform. These are illustrative vendor ranges, not independent analysis, and they vary enormously with headcount, customisation and contract length. Useful for a sniff test; not a basis for the decision.

Four questions decide it more reliably than the cost slide, because they describe constraints you cannot subscription your way out of: where your data is legally required to live, how far your processes depart from the standard, what your own IT team can realistically run, and how dependent your sites are on connectivity you do not control.

  • Data residency and compliance — are you under a localisation mandate that an in-region cloud cannot satisfy
  • Customisation depth — does the business genuinely need non-standard process logic that SaaS will not accommodate
  • Internal IT capability — do you have the people and skills to patch, secure and operate infrastructure yourself
  • Connectivity — is the internet at your operating sites reliable enough to bet daily operations on

Data residency is where on-premise still has a real case

This is the dimension most likely to override the cost and convenience arguments, and the one mid-market teams in India and the GCC tend to underestimate. The relevant law is moving, and it is moving towards localisation powers rather than away from them.

In India, EY reports that the Digital Personal Data Protection (DPDP) Rules, 2025 were notified on 13 November 2025 by the Ministry of Electronics and Information Technology, operationalising the DPDP Act, 2023. Deloitte describes a phased rollout: the Data Protection Board provisions take effect immediately on notification, consent-manager obligations apply roughly twelve months later, and the core Data Fiduciary obligations — notice, consent, breach reporting, security, retention, rights and cross-border transfers — apply after about eighteen months, with full operational compliance expected around mid-May 2027. On breaches, EY notes the Rules require immediate intimation to affected individuals and the Board, followed by a detailed report to the Board within 72 hours — an obligation you carry regardless of who hosts the system.

On where data may sit, DLA Piper notes that the DPDP Act permits cross-border transfer of personal data to any country except those the Government of India specifically restricts, with no such list announced yet — a relatively open position today. But the same source flags that the Rules empower the government to require that personal data specified for Significant Data Fiduciaries is processed so that it is not transferred outside India, a localisation lever whose precise categories are not yet clarified. Layered on top, DLA Piper notes sector regulators impose their own mandates: the RBI requires payment-system data to be stored only in India, SEBI requires critical datasets to remain in India, and insurance rules require policy and claim records to be held domestically.

The GCC picture rhymes. For the UAE, Kooch notes that Federal Decree-Law No. 45 of 2021 (the PDPL) came into effect on 2 January 2022 as the country’s first federal personal-data law; China Briefing notes that transfers outside the UAE are permitted only to jurisdictions recognised as adequate or under safeguards such as standard contractual clauses, and that banking data in particular must remain onshore, with cross-border transfer subject to Central Bank approval and customer consent. For Bahrain, Securiti notes the PDPL was enacted on 1 August 2019, is modelled on EU law, and generally prohibits transferring Bahrainis’ personal data abroad except to jurisdictions on an approved list maintained by the Authority.

The practical reading: a general-purpose SaaS ERP is fine for most data, but if you sit under a sector localisation mandate or handle data categories the government may ring-fence, you need either a vendor with a genuine in-country or in-region data centre and a contract that holds the data there, or you keep that workload on infrastructure you control. The choice is rarely the whole ERP — it is often one regulated slice of it.

Customisation, upgrades and the lock-in you choose

The second deciding question is how far your processes depart from the standard, because that determines whether the SaaS bargain works for or against you. The bargain is straightforward: in exchange for the vendor running the platform, you accept the vendor’s pace and the vendor’s shape. Support Revolution describes the core trade — with SaaS ERP, security patching and upgrades are applied at the vendor’s discretion and timing rather than yours, and you follow standard processes instead of deeply customising workflows.

That is a feature when your processes are ordinary, and a problem when they are not. The same source notes that heavy customisation on any ERP creates lock-in, because accumulated custom code makes upgrades and migration progressively riskier and more costly, while proprietary data formats raise the cost of switching later. So the lock-in question is not simply cloud versus on-premise — it is how much bespoke logic you bolt on, in either model. On-premise buys you control over upgrade timing and the freedom to customise deeply; it bills you for that freedom in maintenance, risk and a future migration that gets harder every year you customise.

Security and the dependence you keep either way

It is tempting to read cloud as outsourcing security. It is not. TechTarget notes that under the shared-responsibility model the customer always remains responsible for the confidentiality, integrity and availability of their own data and for the configurations under their direct control, regardless of provider — and that responsibilities should be confirmed against the specific SLA, because there is no single standard model. Microsoft’s own guidance is consistent: in the cloud the customer always retains responsibility for their data, identities and devices, while responsibility for the operating system, network controls and applications shifts between customer and provider depending on whether the service is IaaS, PaaS or SaaS.

Two consequences follow. First, moving ERP to SaaS narrows what you operate but does not remove your accountability for access, configuration and your own data — which is precisely the data the DPDP and PDPL breach obligations attach to. Second, the cloud does not retire your backup discipline. TechTarget notes that providers protect against downtime through measures like failover and internal backups but are generally not liable for disruption or data loss, and that in an outage you may be unable to retrieve data unless you hold your own backup — even Microsoft recommends customers back up their data. Which leads to the most physical constraint of all: connectivity. If a plant or branch loses its internet, a cloud ERP stops being available there. Where sites run on unreliable links, that dependence is a real operational risk, and it is one of the clearest reasons to keep critical workloads local.

A working framework: choose cloud if, choose on-premise if

Pulling the dimensions together, the decision resolves into a short test. Lead with the constraints — residency, customisation, capability, connectivity — and let cost confirm rather than drive.

  • Choose cloud if: you want lower upfront capital outlay and a faster go-live; you lack in-house infrastructure and IT staff to run it well; you need reliable multi-site or remote access; you value vendor-managed upgrades and patching; and your data carries no hard localisation mandate, or your vendor offers a genuine in-region data centre that satisfies it.
  • Choose on-premise or self-hosted if: you have deep, non-standard process customisation that SaaS cannot accommodate; you face data-residency, sovereignty or sector mandates you cannot satisfy through in-region cloud; the internet at your operating sites is unreliable; you have sunk infrastructure and a skilled IT team already; or you specifically need control over when upgrades happen.
  • Consider hybrid if: the answer differs by workload — for example, a regulated or localisation-bound slice kept in-region or on-premise while the rest runs in the cloud. Fortune Business Insights notes hybrid is the fastest-growing segment, which reflects how often the real answer is split rather than singular.

The bottom line

Cloud is the sensible default for most mid-market ERP, and the burden of proof now sits with on-premise. But the burden is met more often than the headline trend suggests — by a localisation mandate you cannot wave away, a process too particular for standard SaaS, a site on a fragile connection, or an IT team and infrastructure you already have and trust. Map your data against the residency rules that apply to you, be honest about your customisation depth and your operating capability, and the deployment model usually chooses itself.

When we work through this with a client, we treat data residency and connectivity as gating questions answered first, and cost as the thing that confirms a direction rather than sets it — because a cheaper model you are not allowed to run, or cannot keep online, is not cheaper at all.

Sources

Talk to us about your project.

A short conversation is usually enough to tell whether we are the right fit for the work. We will be straight with you either way.

Message us on WhatsApp Or send an enquiry