V-DIG Domain Audit: Shell Energy

Target: Shell Energy (retail energy brand under Shell plc) Audit Phase: V-DIG Date: 2026-05-01 Analyst: Cyber-Intelligence Analyst & Technology Supply Chain Researcher

Scope Note: “Shell Energy” refers to the retail energy supplier operating in Australia, the UK, and related markets — a downstream brand under Shell plc (formerly Royal Dutch Shell). Where evidence relates to Shell plc’s broader corporate technology infrastructure, this is noted explicitly. Shell plc’s upstream digital operations, Shell Information Technology International (SITI), and Shell’s enterprise IT stack are included where they demonstrably relate to or encompass the Shell Energy retail brand.

Enterprise Technology Stack & Vendor Relationships

Shell Energy’s retail and corporate operations are underpinned by a large and complex enterprise technology stack, sourced through Shell plc’s centralised procurement and IT governance frameworks.

SAP & ERP Infrastructure Shell plc maintains one of the world’s largest SAP deployments, spanning finance, supply chain, HR, and customer operations across its global business units including the Shell Energy retail brand.¹ SAP S/4HANA migrations have been ongoing across Shell’s global estate, with Shell recognised as a flagship SAP customer. The Shell Energy retail billing and customer management systems in the UK and Australia operate within or alongside this broader SAP environment.¹

Salesforce CRM Shell Energy Australia and Shell Energy UK have deployed Salesforce platforms for customer relationship management, underpinning retail customer accounts, service requests, and digital engagement channels.² Shell plc is a documented Salesforce enterprise customer and Salesforce features in Shell’s customer-facing digital transformation initiatives.

Microsoft (Azure & M365) Shell plc has a long-standing strategic relationship with Microsoft. Shell’s enterprise productivity stack is built on Microsoft 365, and Azure is among the primary cloud platforms used for corporate workloads.³ Shell Energy retail operations inherit this Microsoft dependency, particularly for internal collaboration, identity management, and hosted business applications.

Amazon Web Services (AWS) AWS is referenced in Shell’s public digital transformation communications as a cloud partner for data analytics and innovation programmes.⁴ Shell’s global data and analytics platform — including elements feeding into its energy retail operations — uses AWS infrastructure.

IBM Shell has historically engaged IBM for managed IT services, mainframe infrastructure, and digital transformation consulting. Shell Information Technology International (SITI), Shell’s internal IT entity, has contracted IBM across multiple service lines.⁵

Wipro, Infosys & Indian IT Outsourcing Shell plc operates large IT outsourcing relationships with Indian-headquartered service providers including Wipro and Infosys, who deliver application management, infrastructure services, and digital development work globally, including for retail-facing systems.⁵

Oracle Oracle database technology and Oracle applications are embedded across Shell’s enterprise estate as part of legacy and transitional ERP/middleware layers.¹

Billing & Customer Systems (Australia) Shell Energy Australia, following its acquisition of ERM Power, operates customer billing systems that were historically based on ERM Power’s own platforms prior to integration. The migration and harmonisation of these systems into Shell’s broader SAP/CRM stack has been a material IT project.⁶

UK Retail Acquisition of First Utility Shell Energy UK was established following Shell’s 2018 acquisition of First Utility.⁷ Post-acquisition technology integration involved absorbing First Utility’s billing platform (built on the Junifer Systems CRM/billing platform) into Shell’s broader IT governance.⁷

Surveillance, Biometrics & Retail Technology

Smart Metering Shell Energy UK is a licensed smart meter installer and supplier under the UK’s SMETS2 (second-generation smart meter) rollout.⁸ SMETS2 meters communicate via the DCC (Data Communications Company) infrastructure, operated by Capita, under regulatory oversight from Ofgem. Shell Energy UK has obligations to offer smart meter installations to domestic customers and collect half-hourly consumption data via the DCC network.⁸

Smart Home & Demand Response Shell Energy has marketed smart tariff and demand-response products in Australia and the UK that integrate with smart home devices, including smart thermostats and EV charging equipment. These products involve telemetry data collection from customer premises devices, though the data processing architecture specifics are not fully disclosed publicly.⁹

Identity Verification Shell Energy’s digital onboarding processes for new retail customers involve identity verification steps. In the UK, these are consistent with standard retail energy KYC (Know Your Customer) obligations. No public evidence has been identified of Shell Energy deploying biometric identity verification for retail customers specifically.

CCTV & Physical Surveillance No public evidence identified of Shell Energy operating proprietary surveillance or biometric systems in a retail context beyond standard corporate physical security norms applicable to office premises.

Facial Recognition No public evidence identified.

Cloud Infrastructure, Data Residency & Sovereign Cloud Participation

Shell plc Cloud Strategy Shell plc has publicly committed to a multi-cloud strategy, with Microsoft Azure and AWS serving as primary hyperscaler platforms.³⁴ Google Cloud Platform (GCP) is also referenced in Shell’s data science and AI initiatives. Shell’s cloud adoption is governed through SITI’s global architecture standards, which apply down to business unit level including the Shell Energy retail brand.

Data Residency — Australia Shell Energy Australia’s retail operations are subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Shell Energy’s privacy policy for Australian customers references data storage in Australia and overseas, consistent with cross-border data flows under Shell plc’s global IT infrastructure.¹⁰ No specific sovereign cloud commitment (e.g., AWS Australia Regions with dedicated sovereignty guarantees) has been publicly identified for Shell Energy Australia’s retail workloads.

Data Residency — United Kingdom Shell Energy UK’s retail operations are subject to UK GDPR and the Data Protection Act 2018. Following Brexit, Shell Energy UK’s data transfers to EEA-based Shell entities are conducted under UK Standard Contractual Clauses or equivalent transfer mechanisms.¹¹ Shell plc’s European data centres (including facilities in the Netherlands) are relevant to data flows involving Shell Energy UK customer data.

Sovereign Cloud Participation No public evidence identified of Shell Energy or Shell plc participating in any government-mandated sovereign cloud programme (e.g., UKCloud, AWS GovCloud, or Australian Sovereign Cloud initiatives) specifically for energy retail operations.

Critical Infrastructure Designation Shell Energy’s retail operations in both Australia and the UK are part of the broader energy sector, designated as critical national infrastructure in both jurisdictions. In Australia, the Security of Critical Infrastructure Act 2018 (SOCI Act) imposes obligations on electricity assets, and Shell Energy Australia as an electricity retailer and generator-owner operates within this framework.¹²

Defence, Intelligence & Security Sector Technology Relationships

No Direct Defence Contracts Identified No public evidence has been identified of Shell Energy (the retail brand) holding contracts with defence ministries, intelligence agencies, or security sector entities in Australia, the UK, or elsewhere.

Shell plc & Government Energy Contracts Shell plc at the corporate level holds energy supply contracts with government departments and defence facilities in the UK and Australia as part of its commercial energy supply portfolio. In the UK, Shell Energy has supplied electricity to public sector organisations through framework agreements, though the specific inclusion of defence or intelligence sites is not publicly confirmed.¹³

SOCI Act & Critical Infrastructure (Australia) As noted above, Shell Energy Australia’s electricity generation assets (inherited from the ERM Power acquisition) and its retail licence place it within the SOCI Act critical infrastructure regime. This requires the company to maintain relationships with the Australian Cyber Security Centre (ACSC) and report cyber incidents.¹² This represents a regulatory security relationship rather than a commercial defence contract.

Shell’s Cybersecurity Vendors Shell plc publicly references partnerships with major cybersecurity vendors including Microsoft (Sentinel/Defender), Claroty (OT security), and Palo Alto Networks for enterprise and operational technology security.³ These relationships extend across the Shell group including retail operations. No evidence of classified or intelligence-community-specific technology relationships has been identified.

No Public Evidence of Intelligence Sector Technology Supply No public evidence identified of Shell Energy or Shell plc supplying technology, data analytics, or intelligence services to national intelligence agencies.

AI, Algorithmic & Autonomous Systems

Shell plc AI Strategy Shell plc has publicly invested in AI and machine learning across its business, including retail energy operations. Shell’s AI Centre of Excellence and its data science platforms (including use of Databricks and cloud-native ML services) are applied to demand forecasting, asset optimisation, and customer analytics.¹⁴

Energy Retail AI Applications Shell Energy Australia and UK have deployed or piloted algorithmic systems for:

• Customer churn prediction and retention targeting.²
• Dynamic pricing and tariff optimisation models informed by wholesale market signals.
• Smart meter data analytics for consumption profiling and demand response.⁹

Shell plc & C3.ai Shell plc has a documented commercial relationship with C3.ai, the enterprise AI software company, for predictive maintenance and AI-driven operations across upstream and downstream assets.¹⁵ Whether C3.ai applications extend specifically to Shell Energy retail operations has not been publicly confirmed.

Shell Energy & AI-Powered Customer Service Shell Energy UK has deployed AI-assisted customer service tooling, including chatbot interfaces for digital customer engagement, consistent with broader retail energy sector trends. Specific vendor attribution for these tools has not been publicly disclosed.

Autonomous Systems No public evidence identified of Shell Energy retail operations deploying autonomous physical systems (drones, robotics) in a retail energy context. Shell plc’s upstream operations use autonomous systems in exploration and production, but these are outside the Shell Energy retail brand scope.

Algorithmic Trading & Wholesale Markets Shell Energy Australia participates in the National Electricity Market (NEM) and deploys automated bidding systems as required for wholesale electricity market participation. These systems are governed by AEMO (Australian Energy Market Operator) market rules.¹⁶

Technology Ecosystem & R&D Footprint

Shell GameChanger & Venture Programmes Shell plc operates the Shell GameChanger programme, an internal innovation and R&D pipeline that has historically invested in energy technology startups across renewables, digital energy, and cleantech. Some of these investments have downstream relevance to Shell Energy’s retail product development.¹⁷

Shell Ventures Shell Ventures, Shell plc’s corporate venture capital arm, has made investments in energy technology, battery storage, EV charging, and demand-side management companies. Portfolio companies whose technologies may be integrated into Shell Energy retail products include EV charging and home energy management firms, though specific vendor-to-retail integration details are not always publicly disclosed.¹⁷

ERM Power Acquisition (Australia) Shell’s 2019 acquisition of ERM Power for approximately AUD $617 million brought significant commercial and industrial (C&I) energy retail capabilities, proprietary energy management software (ERM Power’s “Powersource” platform), and an electricity generation portfolio into the Shell Energy Australia brand.⁶ The Powersource energy management and procurement platform represents a material proprietary technology asset within Shell Energy Australia’s stack.

First Utility Acquisition (UK) The 2018 acquisition of First Utility gave Shell its UK retail energy brand (subsequently rebranded Shell Energy).⁷ First Utility had developed in-house digital customer management capabilities and was regarded as a tech-forward challenger supplier.

Partnerships with EV & Smart Home Ecosystem Shell Energy has partnered with EV charging networks and smart home technology providers to develop bundled energy products. In the UK, Shell Energy has offered EV tariffs tied to Shell Recharge charging infrastructure.¹⁸ These partnerships embed Shell Energy into a broader IoT and connected-device data ecosystem.

Academic & Research Partnerships Shell plc maintains research partnerships with institutions including Delft University of Technology, MIT, and Stanford. The relevance of these partnerships to Shell Energy’s retail technology development is indirect and primarily upstream-focused.

Civil Society Scrutiny & Regulatory History

UK Ofgem Enforcement & Compliance Shell Energy UK (formerly First Utility and subsequently rebranded) has been subject to Ofgem regulatory scrutiny as a licensed electricity and gas supplier. Ofgem’s consumer standards regime applies to Shell Energy UK, and the company has faced complaint volumes tracked in Ofgem’s published supplier performance data.¹⁹

Shell Energy UK was subject to Ofgem enforcement action regarding back-billing, customer complaints handling, and compliance with the Standards of Conduct. In 2023, Ofgem published data showing Shell Energy UK among suppliers with elevated complaint rates relative to industry benchmarks.¹⁹

Australian Energy Regulator (AER) & State Regulators Shell Energy Australia (as both a retailer and generator) is regulated by the AER, AEMO, and state-level energy regulators. ERM Power (now Shell Energy Australia) has had compliance matters recorded with the AER relating to market conduct and billing obligations. The AER’s public compliance and enforcement register documents interactions with Shell Energy Australia.²⁰

Privacy Complaints No major public privacy enforcement actions specifically targeting Shell Energy’s data handling practices have been identified in available sources. Shell plc’s global privacy programme is overseen under UK GDPR, EU GDPR (for EEA operations), and the Australian Privacy Act.

Data Breach Incidents Shell plc disclosed a data breach in 2021 related to the Accellion File Transfer Appliance (FTA) zero-day vulnerability, which affected Shell alongside numerous other global enterprises.²¹ The breach involved exfiltration of data from Shell’s Accellion FTA instance by the CLOP ransomware group. Shell confirmed that personal data and confidential company files were accessed. While Shell Energy retail customer data was not specifically confirmed as affected, the breach impacted Shell plc’s global IT estate.²¹

Civil Society & Environmental Advocacy Scrutiny Shell plc is among the most prominent targets of climate litigation and environmental campaigning globally. In 2021, a Dutch court ordered Shell to cut its carbon emissions by 45% by 2030 relative to 2019 levels — a landmark climate liability ruling.²² While this ruling targets Shell plc rather than Shell Energy retail specifically, it has material implications for Shell Energy’s brand and the regulatory trajectory of its retail energy portfolio.

Global Witness, ClientEarth, and other civil society organisations have scrutinised Shell plc’s climate commitments and the consistency of Shell Energy’s retail marketing with Shell’s stated net-zero ambitions.²²

Greenwashing Complaints Shell Energy’s retail marketing in the UK — including claims around “100% renewable electricity” tariff products — has attracted scrutiny from consumer advocates questioning the basis of renewable energy certificates (RECs/REGOs) used to substantiate these claims, consistent with broader UK regulator and Advertising Standards Authority (ASA) scrutiny of the energy retail sector.²³

Cybersecurity Regulatory Obligations Under the UK Network and Information Systems (NIS) Regulations 2018 and Australia’s SOCI Act, Shell Energy’s operations carry mandatory cybersecurity incident reporting obligations to national competent authorities.¹²

End Notes