Information is a strategic asset for EDP, providing additional advantages in terms of innovation, coordination with partners and quality of customer service. EDP's Information Security Policy contributes to the correct management and use of this asset of undeniable value. 

Objectives in the scope of information security

ln the context of information security, the following objectives of the EDP Group should be taken into consideration:

• Maintain the EDP Group's commitment to information security, particularly with regard to ensuring the privacy and protection of personal data and critical information assets;
• Implement the necessary measures to protect and ensure the resilience of assets (facilities, IT or OT systems) in terms of confidentiality, integrity, and availability, supported by risk assessment;
• Ensure access only to strictly necessary information, through the assignment of minimum privileges;
• Ensure a strategic approach to information security that establishes principles based on the inclusion of security measures from the beginning and design of processes and technological solutions, including business processes, as well as continuous validation of security throughout the information lifecycle;
• Ensure the resilience of systems to sustain the continuity of EDP Group's business and the security of critical information and systems against cyber-attacks and other threats;
• Recognizing the role of technology in the energy transition, ensure the adoption of technologies through risk analysis and evaluation with an impact not only on the organization but also on society, without underestimating the increase in the organization's exposure to cyber-attacks;
• Establish a consistent quality standard consistent with the size and importance of the organization, based on a culture of information security, promoting awareness and training of employees and suppliers of goods or services;
• Ensure physical and environmental protection to prevent damage and interference to information and information processing resources of the EDP Group;
• Collaborate with relevant organizations, government agencies, and associations to contribute to the global improvement of information security.
   

To this end, the EDP Group has developed this policy, in line with best market practice, to provide the basis of the Information Security management and organisational system. 

Commitments:

EDP is conscious that the information produced within the EDP Group, particularly sensitive customer and business information, must ensure trust in the market, with customers and employees, and that the following are therefore necessary:

• Ensure compliance with legal, contractual, regulatory requirements, and recommendations or guidelines on information security applicable to the EDP Group;
• Provide the organizational and support infrastructure, ensuring sustainability and the necessary evidence, in alignment with risk management for information security;
• Ensure resources for the operationalization of processes and activities in the scope of information security management, including awareness of internal and external employees on this topic and awareness of their responsibilities;
• Ensure the protection of EDP Group's information, including in processing activities carried out by suppliers or other third-party entities;
• Promote the importance of information authenticity, emphasizing the use of genuine, unaltered data from reliable sources;
• Actively promote cooperation with external entities in the prevention and management of crises related to cybersecurity.

This policy was approved by the Executive Board of Directors (EBD) on November 14th, 2023.