Digital Sovereignty as a New Dimension of Supply Security

Energy and utility companies are currently in a phase in which several profound transformation processes are taking place in parallel. These processes are directly interlinked. Unlike previous phases of change, they do not affect individual business areas or technologies, but rather the entire operational and strategic foundation of the energy and utilities industry.

The energy transition is leading to an increasing decentralization of generation and energy flows. At the same time, the requirements for forecasting, control, and coordination are increasing in the networks. Without digital systems, this complexity becomes unmanageable.

Parallel to this, digitalization is progressing in almost all areas. Network control technology, market communication, billing, customer portals, WorkforceControl, and, to an increasing extent, decision support are based on networked IT platforms and data-driven applications. Artificial intelligence is becoming increasingly important.

Additionally, a regulatory framework is evolving dynamically. Specifications from KRITIS, NIS2, the IT Security Act 2.0, BSI guidelines, and the EU Data Act not only increase the requirements for IT security, but also for transparency, verifiability, and organizational control - in an environment characterized by volatile political decisions.

These developments coincide with a phase of geopolitical uncertainty and a noticeable increase in targeted cyber attacks on critical infrastructures.

In this context, a new dimension of security of supply is emerging: digital sovereignty. The ability to operate digital infrastructures in a self-determined, secure, and controlled manner is becoming a key strategic factor. After all, only those who keep critical (IT) systems and data sovereignty under their own control can sustainably secure stability and the ability to act in the energy and supply market.

The energy and utilities industry is one of the most digitally transformed areas of critical infrastructure today. In many companies, digital systems are no longer just supporting tools, but form the backbone of the operational business. They assume central control, monitoring, and decision-making functions - around the clock, in real-time, and increasingly automated.

This development was not only technologically consistent but also economically necessary, as it enables greater efficiency, better transparency, and a scalable process landscape. This is offset by new dependencies that have a direct impact on the resilience of companies.

As the level of digitalization increases, so do the dependencies on IT systems, platforms, and external service providers. In many companies, these dependencies have historically grown, are often complex, and are insufficiently documented. This creates structural risks that are often underestimated in practice.

Typical strategic questions that regularly arise in projects in the energy and utilities industry are:

• Which business-critical processes are directly dependent on individual platforms or cloud services - and how transparently is this dependency documented?
• What would be the operational and economic consequences of a short-term failure or withdrawal of a central IT service provider?
• Do we have viable exit strategies to move data and processes to alternative environments, and how realistic is their implementation in the event of a crisis?
• What regulatory risks arise from certain operating models, in particular with regard to compliance,Auditability, and data sovereignty?

These dependencies make the energy and supply sector more vulnerable to cyberattacks, technical disruptions, and geopolitical factors. The decisive factor here is not the individual risk event itself, but rather the inability to react in a controlled and sovereign manner in the event of an emergency.

This makes it clear: digital dependencies are not a purely technical issue, but a real risk to security of supply - and therefore a strategic field of action for management.

In light of this, it is not enough to reduce digital sovereignty to the selection of specific technologies or providers. In practice, it has been demonstrated repeatedly that, despite utilizing modern IT, companies often have a limited ability to act quickly, securely, and independently when conditions change.

Digital sovereignty refers to a company's ability to act in a self-determined, secure, and controlled manner in the digital space. It is therefore not a purely technical issue, but a strategic management task.

For energy and utility companies, this means ensuring three capabilities in the long term:

• Handling capability 
  Critical operational and management processes must be able to continue uninterrupted even in the event of IT disruptions, cyber incidents, or failures of external service providers, without loss of control or prolonged interruptions.
• Decision capability 
  Management needs reliable transparency about risks, dependencies, and realistic options for action at all times - not just in the event of a crisis, but as a continuous basis for decision-making.
• Change and migration capability 
  The change to a new platform, cloud model, or service provider must be technologically, organizationally, and economically realistic. This includes exit strategies, data portability, and clear responsibilities.

In addition to these operational and strategic capabilities, digital sovereignty also includes a direct commercial dimension. Companies that systematically safeguard their ability to act, make decisions, change, and migrate not only strengthen their technical resilience but also improve their economic negotiating position.

In practice, the lack of exit options, a lack of transparency regarding dependencies, and high barriers to switching often lead to vendor lock-in effects. These limitations restrict the scope for action in price and contract negotiations, increasing the risk of unilateral price adjustments or unfavorable contract terms.

The reverse is also true: those who can develop realistic alternatives, know their dependencies, and credibly master switching options strengthen their commercial control capability. Digital sovereignty thus becomes a key factor for predictable costs, resilient contractual relationships, and long-term profitability.

These capabilities are not the result of individual projects or selective measures. They require clear Governance, robust operating models, and the regular review of your own digital dependencies. Only those who systematically develop this control capability can strengthen their digital resilience.

In the energy and utility industry, security of supply has traditionally been understood in physical terms - as a question of sufficient generation capacity, robust grid infrastructure, technical redundancies, and available spare parts. However, in the face of advancing digitalization, this understanding falls short.

The reality is that physical infrastructures can no longer be operated securely and reliably without digital control, communication, and decision-making capabilities. 
 

Digital sovereignty, therefore, adds an independent dimension to the classic concept of supply security. It refers to the ability to utilize digital systems, data, and technologies in a self-determined, secure, and controlled manner, combining technical resilience with organizational controllability and strategic decision-making capability.

This results in clear strategic fields of action for board members, management, and responsible executives:

• Digital dependencies must be systematically identified, evaluated, and documented.
• IT sovereignty is an integral part of the corporate and risk management agenda.
• Exit, emergency, and restart concepts are not exceptional cases, but an integral part of forward-looking planning.
• Digital sovereignty is not a one-time target, but a continuous management process that must be regularly reviewed and continually developed.

To ensure the long-term security of supply, you need to manage your company's digital capacity to act as consistently as networks, systems, and physical processes.