Digital Technology Policy
25 February 2025
The Board of Directors of IBERDROLA, S.A. (the “Company”) has the power to design, assess and continuously revise the Governance and Sustainability System, and specifically to approve and update the corporate policies, which contain the guidelines governing the conduct of the Company and the companies belonging to the group of which the Company is the controlling entity, within the meaning established by law (the “Group”).
In exercising these powers and within the framework of legal regulations, the By-Laws and the Purpose and Values of the Iberdrola Group, the Board of Directors hereby approves this Digital Technology Policy (the “Policy”).
1. Purpose
The purpose of this Policy is to establish the global framework for the governance and proactive management of processes and actions related to digital technology, understood as information and operational technology, recognising their importance as a key resource to achieve the objectives of the Company and the other companies of the Group and ensure the effective and efficient operation of the business processes, promoting a coordinated approach on architecture, security and potential convergences with other technologies, minimising operational and security risks, as well as ensuring the continuity thereof.
For purposes of this Policy, terms shall have the following meaning:
(i) information technology (“IT”) is the set of physical or material components that comprise a computer or information system (“Hardware”) and the set of IT programmes, instructions, data and rules to execute certain tasks on a computer (“Software”) used for handling data, focused on the management and protection of digital information, including general communication networks, data storage and processing and management systems.
(ii) operational technology (“OT”) is the Hardware and Software used to control and interact with physical industrial processes in real time, including local control systems, SCADA (“Supervisory Control and Data Acquisition”), remote operation systems and telecommunications between them.
2. Scope of Application
This Policy applies to all companies belonging to the Group, as well as to the companies in which the Company holds an equity interest that do not form part of the Group but over which it has effective control, within the legally established limits.
Without prejudice to the provisions of the preceding paragraph, listed country subholding companies and their subsidiaries, under their special framework of strengthened autonomy, may establish an equivalent policy that must conform to the principles set out in this Policy and in the other environmental, social and corporate governance and regulatory compliance policies of the Governance and Sustainability System.
At those companies in which the Company holds a stake to which this Policy does not apply, the Company shall promote the alignment of its own policies with those of the Company through its representatives on their management decision-making bodies.
Furthermore, this Policy also applies, where appropriate, to joint ventures, temporary joint ventures (uniones temporales de empresas) and other equivalent associations, when the Company assumes management thereof.
3. Main Principles of Conduct
The Company adopts and promotes the following main principles of conduct that must inform its activities related to the use of digital technology:
(i) Continuity of operations: ensure the continuity of operations that guarantee the provision of services, applying standards of high availability and resilience, developing business continuity, contingency and disaster recovery plans, all in accordance with the Corporate Security Policy, the Operational Resiliency Policy, the General Risk Control and Management Foundations of the Iberdrola Group and the Digital Technology Risk Guidelines and Limits, approved by the Board of Directors.
(ii) Operational efficiency: ensure that IT and OT assets operate with the utmost efficiency, optimising personal and material resources and their costs during the asset life cycle, based on reliable processes and technologies that secure high availability of facilities, applying the best practices and recognised standards.
(iii) Risk management: promote the proactive identification and management of risks in the devices, systems and processes associated with digital technology, ensuring that identified risks are within the thresholds deemed appropriate, particularly those related to security, natural capital, business continuity and those associated with facilities classified as critical according to applicable legal provisions. This particularly includes the planning, implementation and use of solutions that allow for the identification, protection and detection of, response to and recovery from cybersecurity risks, in coordination with the Corporate Security Policy and the Operational Resiliency Policy, as well as with the Cybersecurity Risk Guidelines and Limits.
(iv) Technological and life cycle innovation: promote guidelines for the secure design, planning, implementation, operation, decommissioning and replacement of IT and OT equipment and systems.
In this regard, the companies of the Group shall aim to remain at the forefront of new technologies so that they can be exploited and generate value for their respective businesses, in coordination with the innovation strategy established at the Group level, and to achieve strategic goals and defined objectives. They shall also favour participation in domestic and international standardisation groups, as well as the selection of open standards that avoid confinement.
(v) Sustainability and social responsibility: promote the selection of technology that optimises energy efficiency and the reduction of consumption, energy losses and greenhouse gas emissions. In particular, special attention shall be paid to ensuring that the devices, systems and processes associated with digital technology do not harm the health of professionals, users, customers and society in general.
(vi) Training and education: promote the appropriate preparation and training of planners, developers, maintenance personnel and users of digital technology, based on their profile, to understand the risks associated with this technology.
The companies of the Group shall promote these basic principles to drive the creation of value through the effective, safe and innovative use of digital technology and the satisfaction of internal and external users with the level of commitment established at the Group level regarding the services provided, maintaining a balance between the generation of value, the optimisation of risk levels and the efficient use of resources based on proportionality criteria.
4. Group-level Coordination: the Digital Technology Governance Model
A Digital Technology Governance Model shall be established at the Group level in accordance with the provisions of this Policy, in which the methodologies, procedures and tools required for the companies of the Group to have a common model shall be set forth.
The Resources and Services Division (or such division as assumes the powers thereof at any time), through the Security, Resilience and Digital Technology Committee (or such committee as assumes the powers thereof at any time), shall supervise the establishment of the aforementioned Digital Technology Governance Model.
Similarly, the Resources and Services Division, through the Security, Resilience and Digital Technology Committee (or such committee as assumes the powers thereof at any time), shall coordinate with any security, resilience and digital technology committees that may be created at the country subholding companies or, in the absence thereof, with the corresponding divisions of the Group’s companies that assume the powers thereof at any time, in order to ensure an appropriate and consolidated level of maturity of the Digital Technology Governance Model.
5. Implementation and Development
For the implementation and monitoring of the provisions of this Policy, the Board of Directors is assisted by the Resources and Services Division (or such division as assumes the duties thereof at any time), which shall further develop the procedures required for such purpose.
The Resources and Services Division (or such division as assumes the duties thereof at any time) shall review this Policy at least once per year to ensure that the content thereof conforms to the ongoing progress, innovations, risks and regulatory changes that are occurring in the area.
This Policy was initially approved by the Board of Directors on 10 May 2022 and was last amended on 25 February 2025.