u/CryptographerKind260

Digital sovereignty is usually discussed in terms of cloud platforms, data spaces, artificial intelligence, cybersecurity, and strategic autonomy. Yet every digital public service ultimately depends on a more fundamental layer: the infrastructure where source code is written, reviewed, stored, released, and maintained. This article analyses the Dutch government’s Forgejo-based code.overheid.nl platform as a concrete example of sovereign software-development infrastructure. Using only official Dutch government, European Union, and Forgejo documentation, it argues that a public-sector Git forge is not merely a developer tool but a control point in the software supply chain. The Dutch initiative matters because it operationalises open-source policy, public-code reuse, cyber resilience, interoperability, and European digital commons into a governed environment where public software can be produced under public control. For Europe, such platforms are not symbolic alternatives to commercial forges; they are foundational components of digital sovereignty.

On 29 December 2025, Poland was hit by a coordinated destructive cyber campaign that targeted at least thirty wind and photovoltaic sites, a major combined heat and power plant, and a manufacturing company. The CERT Polska report shows that the operation crossed from enterprise compromise into direct OT sabotage, damaging RTUs, protection relays, HMIs, and serial device servers while also attempting domain-wide data destruction in corporate environments. In the renewable segment, the attack did not stop electricity generation, but it severed communication with distribution system operators and removed remote supervisory control at the grid connection layer, demonstrating that strategic impact on energy systems can occur without an immediate blackout. This article reconstructs the incident from the CERT Polska report and integrates ESET’s DynoWiper analysis together with Dragos’s OT-focused interpretation of the attack on distributed energy resources. The central argument is that the case matters less because of technical novelty than because of what it reveals about exposed remote access, weak identity governance, default credentials, insecure management surfaces, poor segmentation, and fragile recovery paths. The article then extends the lesson to European and Italian energy operators, arguing that distributed generation, BESS, and hybrid plants must be designed as critical cyber-physical infrastructure from the outset. In that context, enterprise architecture and IEC 62443 are not compliance decoration, but cost-effective design disciplines that help align technical reality with the tightening direction of NIS2, PSNC, the Cyber Resilience Act, the Terna Grid Code, and CEI 0-16.