Why It Is Broader Than Local Hosting
Whitepaper by Dipl.-Ing. René Böringer, Co-Founder and CEO of Cuculus GmbH

Sovereignty has become one of the most misunderstood topics in the utility sector. In many discussions, it is reduced to a single question: is the software hosted in a local data centre or not? That is far too narrow. We have seen it all around the world and across all roles of utilities. For a grid operator, sovereignty is the ability to govern critical data, operations, technologies, security decisions, suppliers, and future change without being trapped by external dependencies that are hard to control when conditions become difficult. That matters because our customers now operate in an environment of decentralized generation, volatile loads, EV growth, tighter regulation, cyber threats, and geopolitical instability. In that world, the digital operating layer is no longer administrative support. It is part of critical infrastructure.
At Cuculus, we classify sovereignty into five areas: data sovereignty, operational sovereignty, technological sovereignty, security and trust sovereignty, and strategic and economic sovereignty. This paper uses that structure because it forces a broader view of the topic. A utility may host software locally and still be non-sovereign if, for example, it cannot extract its own data without vendor change requests, cannot introduce a second meter vendor, cannot verify command integrity, depends on a single communications supplier, or has never itself tested whether backups can actually restore operations. Sovereignty is therefore an end-to-end feature of the solution and the operating model, not a hosting checkbox.
Data sovereignty
Data sovereignty means more than formal legal ownership. It means the practical ability to decide what data is collected, where it is stored, who can access it, how quickly it can be extracted, and whether it can be reused for new use cases. In utilities, this becomes very concrete. If a DSO has meters already collecting additional values, but retrieving those values requires contract renegotiation with a Metering-as-a-Service provider, then the utility is not truly sovereign over its own data. The same is true if exports require vendor tools, proprietary schemas, or long change cycles.
The lesson from the market is that openness and interoperability must be designed in early. A useful positive example is Enedis’ Linky program. Enedis shortlisted six manufacturers and required compatibility with its in-house head-end approach over a long lifecycle, explicitly using interoperability to avoid vendor lock-in. That is what sovereignty looks like in data and meter ecosystems: the utility keeps architectural control over the data plane instead of surrendering it to one vendor’s commercial model.
The opposite pattern is common and dangerous: a utility buys the HES (head-end system) from the meter vendor, non-compliances are hidden, standards are only partially followed in practice, and adding a new vendor later is, contrary to what was promised, practically impossible. The result may not be a headline-making outage on day one, but it is still a sovereignty failure. Over ten-year smart metering programs, these hidden constraints become costly: slower tariff changes, delayed flexibility programs, expensive integrations, long-lasting security risks, and reduced bargaining power in procurement.
Operational sovereignty
Operational sovereignty is the ability to see, decide, and act without unacceptable dependency on others. A grid operator is not sovereign if it can only monitor part of the grid in real time, cannot execute commands independently, or cannot resolve incidents without waiting for vendor intervention.
The clearest real-world example is Ukraine. In December 2015, attackers gained access to utility systems and disconnected substations, causing power outages for roughly 225,000 customers. U.S. government sources later described how attackers obtained illegal access to SCADA environments and used that operational access to disrupt supply. In 2016, the CrashOverride malware showed an even more specialized and extensible capability aimed at industrial control environments. These incidents are usually discussed as cybersecurity cases, but they were also sovereignty failures: external actors penetrated the digital operating layer deeply enough to interfere with grid operation itself.
The lesson is not merely “improve cyber hygiene.” It is broader. Utilities need operational designs that preserve local visibility, local fallback capability, and clear human authority in degraded conditions. A cloud-connected control stack may be efficient in normal times, but if loss of connectivity means loss of action, then the operator has given away operational sovereignty. The question is always practical: if the communications layer, hosting provider, or vendor support channel disappears for hours or days, can the operator still run the grid safely?
Technological sovereignty
Technological sovereignty is the ability to shape and evolve the technology stack rather than being shaped by it. This includes architecture control, interoperability, API openness, extensibility, deployment flexibility, and the freedom to add new devices, communications technologies, and adjacent applications over time.
A practical warning sign is dependence on a single meter vendor or a narrow set of communications technologies. If a utility’s installed base only supports one P2P mobile communications path, then a later political or regulatory restriction can become an operational crisis. The Huawei story in telecoms is the best-known illustration. In the UK, after updated technical advice and sanctions-related concerns, the government decided that affected Huawei equipment should no longer be added to 5G networks and that Huawei should be removed from 5G by the end of 2027. The European Commission likewise supported restrictions on Huawei and ZTE under the 5G toolbox. This was a telecom case, but the sovereignty lesson applies directly to utility communications choices: if critical field communications are tied too tightly to one geopolitically exposed supplier path, the operator may later be forced into expensive remediation with little room to manoeuvre. Is the solution to build your own communication infrastructure? No, it is not; it is more a matter of creating choices.
The same principle applies to proprietary or overly concentrated communication ecosystems. Even where a standard is marketed as open, the utility should ask whether the operational reality is truly multi-vendor, whether APIs are complete and documented, and whether the utility can write its own extensions. If only the original supplier can add a new function, then sovereignty has already been compromised. Thoughtfully governed open source can help here, not because it is automatically secure, but because it improves inspectability, transparency, and the ability to avoid opaque dependency. U.S. agencies now explicitly treat open-source software as critical to government and critical infrastructure and have issued guidance on strengthening it in OT environments.
Security and trust sovereignty
Security and trust sovereignty means deciding how trust is established and enforced across the end-to-end solution: keys, certificates, HSMs, command paths, audit trails, backup ownership, and recovery.
A utility is not sovereign if its cryptographic choices are effectively dictated by others. Export control regimes on encryption are real, and they have historically shaped what products and configurations can be supplied across borders. That is why it is dangerous to assume that security modules, HSM supply chains, or key-management architectures are neutral commodities. If a utility cannot choose the key lengths, trust anchors, or lifecycle controls it believes are appropriate, it has ceded part of its sovereignty.
Another practical example is backup and recovery. NIST’s current framework explicitly says backups should be created, protected, maintained, and tested. That last word matters. Tested. In March 2021, a fire at OVHcloud’s Strasbourg site destroyed one data centre and damaged others, causing extensive outages and data loss for customers that lacked resilient recovery arrangements. The incident was not a utility-specific failure, but it is directly relevant to utilities because it demonstrates a hard truth: “the backup exists” is not the same as “the utility can restore service.” If the only usable backup sits under the control of the same supplier, in the same dependency chain, or has never been recovery-tested by the utility, sovereignty is weak even if the primary system is local or “secure.” Even one of our customers was affected in a similar way due to recent war situations.
For utilities and smart metering operators, this leads to uncomfortable but necessary questions. Are backups under utility control? Is there an immutable or otherwise protected copy outside the primary dependency chain? Is a recovery procedure regularly tested? Are systems deployed across redundant data centres? In wartime and other crisis scenarios, critical infrastructure sites can become targets, and resilience assumptions that look adequate in peacetime may collapse quickly.
Strategic and economic sovereignty
Strategic and economic sovereignty is about the utility’s freedom to choose suppliers, govern cost structure, maintain internal capability, and align technology choices with long-term national and utility strategy. It is also where procurement becomes decisive.
Many sovereignty problems are created before the project starts, inside the tender structure. If a tender overweights the cheapest compliant bid and underweights interoperability, source-code transparency, exit rights, API completeness, backup control, and multi-vendor readiness, then the utility may lock itself into a non-sovereign position before implementation begins. The purchasing department alone cannot carry this responsibility. Sovereignty is a strategic design issue, not just a sourcing issue.
This is why pre-tender phases matter so much. Technical architecture, regulatory interpretation, cyber requirements, interoperability expectations, and long-term evolution should be shaped before the formal procurement language hardens. Once a tender is published with the wrong assumptions, later corrections are expensive and politically hard. National security bodies now emphasize supply-chain security as a core discipline, precisely because organizations often discover too late that their formal supplier choice has embedded hidden dependencies.
A useful practical test is this: if the country’s long-term energy strategy, cyber posture, and communications policy were to shift materially over the next ten years, could the chosen smart metering and grid platform absorb that change without major re-procurement? If the answer is no, then the utility has not bought a sovereign solution, even if the day-one commercial offer looked attractive.
Conclusion
Sovereignty in utilities is broad by nature, overlapping and interacting with many other disciplines like security, resilience, safety, purchasing strategies and regulation. It covers data ownership in practice, not just in contracts; operational independence under degraded conditions; architectural freedom to integrate new devices and functions; control over security and trust; tested backup and recovery; and strategic freedom from concentrated suppliers and poorly designed procurement. Real-world events have made this visible. Ukraine showed that loss of digital control can become loss of power supply. Huawei-related remediation showed how geopolitical dependency can force disruptive technology change. The OVHcloud fire showed that resilience claims collapse when backup and recovery are not truly sovereign. Enedis showed the opposite: if interoperability and lifecycle control are designed into the program early, vendor lock-in can be reduced rather than accepted.
The main recommendation is therefore simple: assess the full end-to-end solution earlier, not later. Do not reduce sovereignty to local hosting. Check data access, APIs, standards compliance, communications diversity, key management, backup control, recovery testing, supplier concentration, and exit paths. Above all, move sovereignty thinking upstream into the pre-tender phase and out of the narrow hands of purchasing departments. By the time the tender structure is fixed, much of the future sovereignty outcome is already determined. For utilities running ten-year smart metering and grid modernization programs, that is far too late.