← All posts
· 8 min read

SAP's 9 June API Cut-Off: One Pipeline Dies, Not All of Them

On 9 June 2026 SAP blocks ODP-RFC, not every interface. Learn what keeps running, what stops, and the one-week inventory to run before the deadline.

ERP SAP S/4HANA DataIntegration VendorLockIn ITStrategy Mittelstand
SAP's 9 June API Cut-Off: One Pipeline Dies, Not All of Them

A data engineer at a German machine builder opens the orchestration log on a Monday morning and stares at a job that has run, untouched, for two years. Every night it pulls S/4HANA finance data into a Microsoft Fabric pipeline through the Azure Data Factory connector. Green checkmarks all the way down. On his second screen sits an internal memo with a single line highlighted in yellow: “SAP API enforcement, 9 June.” He knows the date is real. What he does not know, what nobody in the building can answer in the next ten minutes, is whether that nightly job runs over ODP through RFC, or over something else entirely.

The deadline itself is fixed and public, so the date is not what trips up the Mittelstand. The missing inventory is: which of your SAP-to-non-SAP data routes actually depend on the one transport SAP is about to block, and which never touched it. Get that wrong and you spend a project budget rebuilding a pipeline that was never at risk.

What Actually Happens on 9 June

On 9 June 2026 SAP does not switch off “your interfaces,” but exactly one kind of them: ODP data replication over RFC, in scenarios where SAP feeds non-SAP systems.

The mechanism is a security patch. SAP Note 3255746 was lifted to Version 11 on 21 April 2026, and from the enforcement date it blocks non-compliant ODP-RFC calls at the technical level. The note states plainly that responsibility for any route broken afterwards sits with the customer, not with SAP. For a regulated finance pipeline, that single clause shifts the liability for a missed reconciliation onto your side of the table.

Now the part the market keeps getting wrong. RFC as a protocol is not dying. BAPIs, function modules, table and CDS-view extraction, DeltaQ, and your own Z/Y-namespace RFCs all keep working. Theobald Software spelled this out on 23 April 2026: the restriction targets one specific extraction pattern, not the broad protocol surface that most integration estates actually rely on. I have already watched two teams panic-plan a rebuild of a working BAPI route this month. Neither route had a 9 June problem.

The clearest victim is concrete and named. Microsoft’s Azure Data Factory SAP CDC connector uses ODP-RFC under the hood. Microsoft confirmed the impact and now points customers toward an ABAP add-on copy job as the Fabric-side alternative. If your nightly S/4HANA-to-Fabric job looks like the one on that engineer’s screen, it is on the list. If it pulls through a custom BAPI wrapper, it is not.

The Policy Behind the Patch

The patch is enforcement. Its intent lives in the SAP API Policy v.4.2026a, dated 24 April 2026, and the language there is broader than one transport.

Section 2.2.2 prohibits, in so many words, “interaction or integration with (semi-)autonomous or generative AI systems that plan, select, or execute sequences of API calls.” Section 3 closes the side doors: no working around the restriction through proxies, gateways, custom code, or impersonation. And the definition of a “published API” is narrow on purpose. Only what is listed in the SAP Business Accelerator Hub or in official product documentation counts. A clever pattern from a community blog does not.

So the real target is the agent, not your reporting pipe. A single agentic prompt can fan out into thousands of API calls, and SAP’s argument is that transactional APIs were never built to carry that load. Independent analysis from Kai Waehner on 2 May 2026 places the policy in exactly that context: the same data-ownership reckoning is coming for every enterprise stack, with Salesforce and ServiceNow drawing similar lines. This is where the topic stops being an SAP-only patch note and starts being an integration architecture question for any vendor.

Why Now, and What Quietly Shifts

The patch is the visible edge of a deeper move. Look at where the sanctioned replacement paths run.

SAP offers two blessed routes out. Business Data Cloud Delta Sharing handles the analytical case as a zero-copy share. The Integration Suite MCP gateway, arriving Q2 2026, handles agents. Both run through SAP-metered infrastructure. Forrester put it sharply on 20 May 2026: “Data that previously flowed at the cost of compute now flows at the cost of compute plus SAP’s metering surface.” This mechanism is not new; Mittelstand teams already know the pattern from the cloud-cost debate, where control over data flow and the bill quietly changed hands. I unpacked the broader version in Cloud Exit in the Mittelstand.

Here is the part that should keep a CFO awake. The 2027 prices for gateway throughput, BDC egress, and agent-to-agent consumption are not published. So a route that costs you nothing today becomes a metered line item on a date and at a rate you cannot yet see. The exposure is commercial rather than technical, which is exactly why it never shows up in a patch note.

What to Check Before 9 June

This is a one-week job, not a project. Four moves, in order.

First, run the inventory this week. List every SAP-to-non-SAP data route you operate. SAP ships a self-assessment tool in SAP Note 3439624 that identifies ODP-RFC usage in your system — use it rather than guessing from architecture diagrams that may be three years stale. My requirement engineering and interface work usually starts exactly here, because the route map almost never matches what people believe is running.

Second, separate, do not rebuild wholesale. Sort the ODP-RFC routes out from the BAPI, function-module, and Z-namespace routes. Only the first group carries a 9 June date. Touch the rest and you are spending money to fix something that was never broken.

Third, sequence the patch. Microsoft explicitly recommends reviewing Note 3255746 for affected routes before installation. Do not drop a security patch blind into your productive landscape on a Friday and discover the broken pipeline on Monday.

Fourth, get the contract in writing. If you are signing a multi-year deal that leans on third-party AI (Agentforce, Copilot for Finance, ServiceNow AI Agents, Workday Illuminate, Celonis), demand a grandfathering clause and a fair-use threshold on paper. An earnings-call reassurance is not a contract term, and the next section is about exactly that.

What the Reassurance Does Not Cover

The honest counter to all of this came from SAP itself. On the Q1 investor call on 23 April 2026, CEO Christian Klein walked the tone back hard: “Customers’ data is customers’ data, and accessing that data, we are not going to charge.” The restriction, he argued, targets domain know-how (ontology, knowledge graphs, process logic) and performance, not the data. And the performance point is fair. One agent prompt really can trigger thousands of calls that a transactional API was never sized for. This is not a vendor straw man. It is a legitimate engineering argument, and dismissing it would be dishonest.

So where is the limit of my own position? If the concern were purely about runaway call volume, a fair-use throttle would solve it without redrawing data ownership. The policy does more than throttle. And the reassurance lives on a call transcript, not in the agreement you sign.

That is why the thesis holds. Gartner classifies the accompanying FAQ as “not a legally binding document.” The DSAG, the German-speaking SAP user group and the loudest organised voice for SAP customers in this market, confirmed on 29 April 2026 that the policy text itself stayed unchanged: no grandfathering clause, no fair-use threshold written in. A spoken assurance protects no data route in an audit. And if you accept the performance argument at face value, you still have to explain why the only sanctioned alternative routes your traffic through SAP’s own metering surface. The reassurance lowers the temperature. It does not change the document.

Frequently Asked Questions About the 9 June API Cut-Off

Does SAP shut down all my interfaces on 9 June 2026?

No. Only ODP data replication over RFC in SAP-to-non-SAP scenarios is affected. RFC as a protocol, BAPIs, function modules, table and CDS-view extraction, and your own Z/Y-namespace RFCs stay permitted under SAP Note 3255746, Version 11 of 21 April 2026. The most common and most expensive error is panic-rebuilding a working BAPI route that was never in scope.

How do I find out whether my routes even run over ODP-RFC?

SAP provides a self-assessment tool in SAP Note 3439624 that identifies ODP-RFC usage in your system. Your first task is an inventory of every SAP-to-non-SAP data pipe. A typical candidate is the Azure Data Factory SAP CDC connector pulling S/4HANA data into Microsoft Fabric, which Microsoft has confirmed is affected.

Do I have to install the security patch immediately?

Review it first, do not patch blind into production. Microsoft explicitly recommends checking SAP Note 3255746 for affected routes before installation. Responsibility for any non-compliant connection that breaks afterwards sits with the customer, according to the note, so the sequence matters as much as the patch.

Are my existing integrations grandfathered in?

This is where the real risk sits. The DSAG noted on 29 April 2026 that the policy text contains no explicit grandfathering clause, and that the SAP Business Accelerator Hub is not yet clearly framed as a contractual component. A verbal assurance on an earnings call is, per Gartner, not legally binding. If you need certainty, you have to renegotiate it in writing.

What will the sanctioned replacement path cost me from 2027?

That is open. The released alternatives, Business Data Cloud Delta Sharing for analytics and the Integration Suite MCP gateway for agents arriving Q2 2026, both run through SAP-metered infrastructure. Concrete 2027 prices for gateway throughput, BDC egress, and agent consumption are not published, according to Forrester on 20 May 2026. A multi-year contract signed without those numbers is a blank cheque.

Next Step

Do you know which of your data routes actually run over ODP-RFC — and which only feel risky?

I am happy to sit down and run a quick joint pass over your interface list before the deadline, separate the 9 June routes from the noise, and flag where a contract clause is worth asking for. No pitch, no deck.

Book a free initial consultation

→ Or read more first: Requirement engineering and interfaces · IT strategy and system selection

Sources and links: SAP Note 3255746 V11 (21 April 2026) · SAP Note 3439624 self-assessment · SAP API Policy v.4.2026a (24 April 2026) · DSAG statement (29 April 2026) · Forrester (20 May 2026) · Theobald Software (23 April 2026) · Kai Waehner (2 May 2026) · Microsoft Learn: SAP CDC architecture · SAP Q1 2026 earnings call transcript (23 April 2026)

Further reading on pfisterer.xyz: Four Reports, One Uncomfortable Pattern · AI without ERP integration is expensive playtime · Cloud Exit in the Mittelstand

About the Author René Pfisterer

10+ years in ERP integration, data migration, and process automation for mid-sized companies. Specialized in DATEV, SAP, and AI implementation.

Full profile →
← Previous article ChatGPT Finances: The Architecture Question Before the Trust Question Next article → The Inference Gap: Why the 'AI Bank' Collides with CJEU C-184/20

Interested?

Let's discuss how I can help in a short conversation.

Book a call