Digital Technoogy Policy

Digital Technology Policy

25 March 2025

The Board of Directors of IBERDROLA, S.A. (the “Company”) has the power to design, assess and continuously revise the Company’s Governance and Sustainability System, and specifically to approve and update policies, which contain the guidelines governing the conduct of the Company, and furthermore, to the extent applicable, inform the policies that the companies belonging to the group of which the Company is the controlling entity, within the meaning established by law (the “Group”), decide to approve in the exercise of their autonomy.

In exercising these powers and within the framework of legal regulations, the By-Laws and the Purpose and Values of the Iberdrola Group, the Board of Directors hereby approves this Digital Technology Policy (the “Policy”), which respects, further develops and adapts the Ethical and Basic Principles of Governance and Sustainability of the Iberdrola Group with respect to the Company.

1. Scope of Application

This Policy applies to the Company. Without prejudice to the foregoing, it includes basic principles that, in the area of the sustainable value chain, and particularly processes and activities relating to digital technology, complement those contained in the Ethical and Basic Principles of Governance and Sustainability of the Iberdrola Group and, to this extent, must inform the conduct and standards-setting implemented by the other companies of the Group in this area in the exercise of their powers and in accordance with their autonomy.

To the extent that listed country subholding companies form part of the Group, they and their subsidiaries, under their own special framework of enhanced autonomy, may establish principles and rules that must have content consistent with the principles of this Policy. 

To the extent applicable, these principles must also inform the conduct of the foundations linked to the Group.

For companies that do not form part of the Group but in which the Company holds an interest, as well as for joint ventures, temporary joint ventures (uniones temporales de empresas) and other entities in which it assumes management, the Company shall also promote the alignment of its regulations with the basic principles regarding the sustainable value chain, and particularly processes and activities relating to digital technology, contained in this Policy.

2. Purpose

The purpose of this Policy is to establish the global framework for the governance and proactive management of processes and actions related to digital technology, understood as information and operational technology, recognising their importance as a key resource to achieve the objectives of the Company and promote the effective and efficient operation of the business processes, promoting a coordinated approach on architecture, security and potential convergences with other technologies, minimising operational and security risks, as well as ensuring the continuity thereof.

For purposes of this Policy, terms shall have the following meaning:

(i) information technology (“IT”) is the set of physical or material components that comprise a computer or information system (“Hardware”) and the set of IT programmes, instructions, data and rules to execute certain tasks on a computer (“Software”) used for handling data, focused on the management and protection of digital information, including general communication networks, data storage and processing and management systems.

(ii) operational technology (“OT”) is the Hardware and Software used to control and interact with physical industrial processes in real time, including local control systems, SCADA (“Supervisory, Control and Data Acquisition”), remote operation systems and telecommunications between them.

3. Main Principles of Conduct

The Company adopts and promotes the following main principles of conduct that must inform its activities related to the use of digital technology:

(i) Continuity of operations: Endeavour to ensure the continuity of operations that procure the provision of services, applying standards of high availability and resilience, developing business continuity, contingency and disaster recovery plans, all in accordance with the Security Policy, the Operational Resiliency Policy, the General Risk Control and Management Foundations of the Iberdrola Group and the Digital Technology Risk Guidelines and Limits, approved by the Board of Directors.

(ii) Operational efficiency: Push IT and OT assets to operate with the utmost efficiency, optimising personal and material resources and their costs during the asset life cycle, based on reliable processes and technologies that secure high availability of facilities, applying the best practices and recognised standards.

(iii) Risk management: Promote the proactive identification and management of risks in the devices, systems and processes associated with digital technology, ensuring that identified risks are within the thresholds deemed appropriate, particularly those related to security, natural capital, business continuity and those associated with facilities classified as critical according to applicable legal provisions. This particularly includes the planning, implementation and use of solutions that allow for the identification, protection and detection of, response to and recovery from cybersecurity risks, in coordination with the Security Policy and the Operational Resiliency Policy, as well as with the Cybersecurity Risk Guidelines and Limits.

(iv) Technological innovation and life cycle: Promote principles for the secure design, planning, implementation, operation, decommissioning and replacement of IT and OT equipment and systems.

(v) Sustainability and social responsibility: Encourage the selection of technology that optimises energy efficiency and the reduction of consumption, energy losses and greenhouse gas emissions. In particular, special attention shall be paid to ensuring that the devices, systems and processes associated with digital technology do not harm the health of professionals, users, customers and society in general.

(vi) Training and awareness-raising: Encourage the appropriate preparation and training of planners, developers, maintenance personnel and users of digital technology, based on their profile, to understand the risks associated with this technology.

4. Group-level Coordination: the Digital Technology Governance Model

A Digital Technology Governance Model shall be established at the Group level in accordance with the provisions of the Ethical and Basic Principles of Governance and Sustainability of the Iberdrola Group, the Foundations for the Definition and Coordination of the Iberdrola Group and this Policy, setting forth the methodologies, procedures and tools required for the companies of the Group to have a common model that allows them to comply with the main principles of conduct.

The Resources and Services Division (or such division as assumes the powers thereof at any time), through the Security and Resilience Committee (or such committee as assumes the powers thereof at any time), shall supervise the establishment of the aforementioned Digital Technology Governance Model.

Similarly, the Resources and Services Division, through the Security, Resilience and Digital Technology Committee (or such committee as assumes the powers thereof at any time), shall coordinate with any security, resilience and digital technology committees that may be created at the country subholding companies or, in the absence thereof, with the corresponding divisions of the Group’s companies that assume the powers thereof at any time, in order to ensure an appropriate and consolidated level of maturity of the Digital Technology Governance Model.

5. Implementation and Development

For the implementation and monitoring of the provisions of this Policy, the Board of Directors is assisted by the Resources and Services Division (or such division as assumes the powers thereof at any time), which shall further develop the procedures required for such purpose.

The Resources and Services Division (or such division as assumes the powers thereof at any time) shall review this Policy at least once per year to ensure that the content thereof conforms to the ongoing progress, innovations, risks and regulatory changes that are occurring in the area.

* * *

This Policy was initially approved by the Board of Directors on 10 May 2022 and was last amended on 25 March 2025.