Cybersecurity

(GRI 3-3)

The constant evolution of cyber threats poses a real risk for all energy suppliers. In this respect, Alpiq takes security very seriously, acting in the way to identify the most important risks and to protect our environments by fixing issues with a risk-based approach. In our security strategy, the detection and anticipation of new incidents is also an important stake, as well as our ability to manage security incidents and recover from potential breaches. Through our actions, we aim to protect the company, contribute to the security of energy supply and respect the regulation. Important achievements were made in 2023 and further improvement potential is addressed in our security roadmap. In 2023, one provider faced a Denial of Service incident with side effects on Alpiq branch offices abroad. The incident was handled in a timely manner by Alpiq and actions were taken to reduce the likelihood of such an event occurring in future. The 2024 roadmap continues with increased effort on access management, network, workplace, cloud, continuity, and vulnerability management.

Milestones

• Improvement in security organisation and governance in 2023 enabled more security domains to be addressed and coverage to be extended in the main entities
• NIST assessments implemented in the main entities in 2023, with associated improvement plans approved and started
• Centralised security monitoring introduced via the Security Operations Centre (SOC)
• Most likely and impacting infrastructure-related security risks identified in 2023, with remediation started and ending in 2024
• Enhanced employee awareness and email protection implemented across Alpiq

Frameworks/Standards

NIST Cybersecurity Framework, Network and Information Security (NIS2) Directive