Information Security Management
Governance and accountability
The EDP Group considers information security a fundamental element of operational continuity and trust with stakeholders. Information security management is supported by a governance and accountability model that clearly defines roles and responsibilities across the organisation.
Operational responsibilities for managing and protecting information assets are embedded within business and support functions. Specialised functions provide oversight, guidance and coordination on information security, risk management and compliance matters.
Independent assurance is provided through internal audit activities, which periodically assess the adequacy and effectiveness of information security controls and governance arrangements.
Information security documentation framework
The EDP Group’s information security management is supported by a structured documentation framework that defines principles, requirements and controls across the organisation. This framework aligns strategic direction, tactical requirements and operational execution, supporting consistency with the Group’s information security and business continuity practices.
At the strategic level, corporate policies establish the Group’s objectives and commitments for information security, secure development, data protection and the protection of information throughout its lifecycle.
At the tactical level, standards translate these principles into enforceable requirements covering key domains such as governance, asset and access management, secure operations, incident management, business continuity, supplier security, monitoring, cryptography, vulnerability management and compliance.
At the operational level, formal processes support the day-to-day implementation of information security practices across Information Technology (IT) and Operational Technology (OT) environments, including risk management, incident response, identity and access management, security monitoring, continuity and disaster recovery, change and asset management, compliance monitoring and external evaluations.
Information security capabilities and operating model
Information security is supported by a structured set of capabilities that enable the organisation to prevent, detect and respond to information security risks.
These capabilities are embedded within business and support functions and aligned with the Group’s governance and accountability model. They are underpinned by the information security documentation framework, ensuring consistent implementation, monitoring and review.
As part of this operating model, the EDP Group performs the ongoing monitoring of cybersecurity threats and ensures the coordinated response and mitigation of information security incidents, in alignment with the Group’s information security management framework and governance arrangements, with board-level oversight through the Financial Matters Committee of the General and Supervisory Board.
Continuity of information systems
The EDP Group maintains measures to support the continuity of critical information systems in the event of cyber incidents or other disruptive scenarios.
These measures include information security-related business continuity arrangements and the regular execution of disaster recovery exercises to validate recovery capabilities.
Identification and management of information security risks
The EDP Group adopts a proactive approach to identifying, assessing and managing information security risks.
This includes ongoing vulnerability analysis and management activities designed to reduce exposure to threats and support the continuous improvement of cybersecurity controls. These activities cover both IT and OT environments, reflecting the Group’s integrated approach to information security risk management.
Assurance and internal control environment
Information security is subject to the Group’s internal control and assurance framework.
Internal audit and review activities assess the adequacy and effectiveness of information security controls, including adherence to internal policies, standards and normative requirements.
Independent certification and external assurance
The EDP Group complements internal assurance mechanisms with independent external certification.
EDP, S.A. is certified according to ISO/IEC 27001:2022 for the management and operation of the EDP Group’s Global Security Operations Center (EDP Global SOC), which operates on a 24-hour, 7-day basis.
The certification (certificate number PT19/06879) is issued by “SGS ICS – Serviços Internacionais de Certificação, Lda.”, an IPAC-accredited certification body, and covers the management and operation of the Global SOC performed by the SOC Iberia and SOC South America teams across the regions where the EDP Group operates.
The certified scope includes real-time security monitoring, information security incident management, security vulnerability management and threat intelligence management services, in accordance with ISO/IEC 27001:2022 requirements and the applicable Statement of Applicability.
The validity of the certification can be independently verified through the SGS Certified Client Directory.
Reporting culture and incident escalation
Information security is a shared responsibility across the organisation. Employees are expected to report potential information security incidents, identified vulnerabilities or suspicious activities through established internal reporting and escalation mechanisms. These expectations are aligned with the Group’s Code of Ethics, reinforcing individual accountability and a culture of integrity across the organisation.
Awareness, training and workforce engagement
The Group promotes information security awareness through training and engagement initiatives that strengthen employees’ understanding of cybersecurity risks and their individual responsibilities. These initiatives are supported by a formal cybersecurity knowledge and awareness management process, ensuring consistency, measurement and continuous improvement of the security culture across the organisation.
Transparency on information security incidents and personal data breaches
Public disclosures on information security incidents are made in line with applicable requirements and internal governance practices, using aggregate information where appropriate.
In 2025, EDP Group entities reported zero (0) personal data breaches requiring notification to supervisory authorities, as no situations were identified that were likely to result in a risk to data subjects. This information is disclosed in the EDP Group’s Integrated Annual Report 2025.
This information security management framework is reviewed and maintained on an ongoing basis to ensure continued alignment with the Group’s governance, operational practices and assurance mechanisms.