Data security is essential in ensuring a reliable and resilient energy system. The threat of cyberattacks is real and growing in both frequency and complexity. These attacks are carried out by organised cybercriminals and state actors, among others, and pose risks of disruption and sabotage to critical infrastructure.
We take a proactive and comprehensive approach to data security to meet these challenges. This approach is based on three pillars: technology, people and processes. We continually strengthen our resilience to cyber threats to minimise risk and ensure business continuity. At the same time, we protect the confidentiality of customer and business information. (MDR-P-65e and MDR-M-75)
Our data security policy aligns closely with our business strategy and meets legal and societal requirements. Increasing European regulations, such as the NIS2 Directive and the existing Security of Network and Information Systems Act (Wbni), require us to strengthen further and expand our security measures. This will prepare us for future challenges and contribute to a secure and stable energy system. (MDR-P-65d)
Comprehensive standards framework
Enexis’ information security policy covers the entire organisation, including Enexis Netbeheer and all external partners and suppliers. The policy and security risk management processes cover all processes, ICT systems, operational technology, buildings, premises and assets that are essential for business operations. (MDR-P-65b)
Our data security policy was developed within a comprehensive standards framework based on globally recognised standards and best practices. These include international standards such as ISO 27001 and ISO 27019, supplemented by specific requirements from NIS2 and other relevant laws and regulations. In addition, guidelines from the Royal Netherlands Institute of Chartered Accountants have been integrated to ensure a high level of maturity. The standards framework includes management measures in areas such as organisation, personnel, physical security, incident management, operational management and supplier relations. This approach ensures that security measures are implemented consistently and effectively, with a clear focus on the most critical risks to the organisation. This comprehensive standards framework provides the foundation for strong, future-proof data security that meets the needs of our organisation and the demands of the constantly evolving digital environment. (MDR-P-65a and MDR-P-65d)
The chief information security officer (CISO) is the point of contact for data security and leads the CISO Office. A team of security specialists carries out second-line activities here, focusing on Enexis’ digital resilience. The CISO reports to the CFO, who is the security portfolio holder within the Executive Board. First-line security activities are carried out within the organisational units and operational chains, under the ultimate responsibility of the business owners and directors. They are supported in this by security specialists. (MDR-P-65c)
Objectives and reports
The effectiveness of our data security policy is measured against a set of performance indicators. These indicators focus primarily on risk management and measure how control measures are implemented and comply with our policy and relevant laws and regulations, such as the Wbni. The target for 2024 was 100% implementation of a set number of security measures prioritised by business owners. This target was achieved. (MDR-A-68a)
We take a risk-based approach to evaluate and prioritise risks to our critical processes, considering their importance and the current threat landscape. Based on these evaluations, we implement targeted and appropriate measures to mitigate these risks effectively.
In addition to these measures, we conduct internal audits. The results are reported to the security steering group and relevant risk committees. We maintain control of our data security through clear objectives and regular reporting. This enables us to make timely adjustments where necessary, not only to meet legal requirements but also to maintain the confidence of customers, partners and society in the safety and reliability of our energy services. (MDR-T-80a, b, c)
Privacy
We are committed to protecting the personal data of our customers, employees and other stakeholders. We aim to continuously improve our data protection maturity level. We use a risk-based approach. All processes are subject to a Data Protection Impact Assessment (DPIA). This enables us to map the privacy risks of our data processing. Among other things, this means that processes and systems in which we process sensitive or large amounts of personal data are given the highest priority. We assess these and take additional security measures where necessary. We then manage and monitor the remaining processes.
Governance and privacy
We are responsible for protecting our systems from hackers and information security incidents and managing the personal data of our customers, employees and suppliers. Our team of privacy specialists includes privacy officers and contacts in specific areas. The Corporate Affairs department has a corporate privacy lawyer and a data protection officer, who oversees compliance with the General Data Protection Regulation (GDPR). These specialists handle complex privacy issues, data breaches, policy development and awareness-raising activities. They also advise the business, which is responsible for implementation. Ultimate responsibility lies with the Board of Directors.
The general principle of propriety, and in particular the principle of integrity and confidentiality (Article 5 of the GDPR), requires us to take appropriate technical and organisational measures to protect personal data. To this end, various departments have been set up, and a central information security policy has been adopted (see the ‘Comprehensive standards framework’ section under ‘Data security’). (MDR-P-65)
The responsibilities for implementing the data security policy are described in the ‘Comprehensive standards framework’ section under ‘Data security’. We recently reorganised our privacy structure by integrating the role of privacy officer into the regular organisational structure. This change aims to improve visibility in the organisation and ensure earlier involvement in privacy issues.
Risk-based working approach
Data-driven initiatives in the energy transition are increasing. Examples include the use of smart meters, data exchange at energy hubs, and the use of data to make wind turbines and solar panels more efficient. This data often includes personal information. These developments require collaborative frameworks for large-scale data sharing, and the new Energy Act will require greater processing of customers’ personal data. The societal importance of the energy transition and the speed at which developments are taking place call for an effective and risk-based organisation of data protection. Key principles include integrating privacy into processes and control measures where possible, prioritising high-risk processes and embedding a risk acceptance process. This approach also requires support from the various business areas.
We have developed an action plan for 2024-2025 to establish a widely supported, risk-based privacy organisation. Our efforts focus on:
identifying privacy risks within processes and applications;
monitoring relevant sector developments and potential threats;
creating an Enexis Privacy Standards Framework that translates legal obligations into privacy control measures and subsequently determines the most material privacy measures; and
defining the Executive Board’s risk appetite regarding privacy and implementing a risk acceptance process.
We also use the Privacy Standards Framework to monitor compliance. This fulfils the accountability obligation under Article 5(2) of the GDPR. The framework was developed with reference to the NOREA Privacy Control Framework and our comprehensive data security standards framework. Wherever possible, we align with existing processes and controls. The Privacy Standards Framework consists of 81 control measures. Of these, 18 have been prioritised for implementation and monitoring. This selection is based on identified risks, organisational needs, the impact of implementation on the organisation and the focus of regulators. We will address the remaining measures starting in 2026. (MDR-A-68)
Policy and other actions to safeguard privacy
Our privacy policy outlines the framework for the design, implementation, execution, management, monitoring, and continuous improvement of privacy.
We have established privacy objectives, including meeting transparency obligations. In this context, we have privacy statements for employees and external parties. We have developed process descriptions for other objectives, such as timely incident response and conducting a (D)PIA.
We integrate privacy into the development of products and services (Privacy by Design) as much as possible from the outset. (MDR-P-65a)
We record processing activities and data breaches in an automated system. Incident reports for joint systems and processes of network operators are maintained centrally.
In accordance with Article 33(1) of the GDPR, we report data breaches to the Dutch Data Protection Authority.
We are working on a data protection roadmap, in which we include and monitor short, medium and long-term activities based on, among other things, high-risk processes and applications, the threat landscape, material privacy control measures and domain-specific topics.
| Number of incident reports of data breaches | 2024 | 2023 |
| --- | --- | --- |
| Incident reports in data breach register Enexis | 47 | 54 |
| Of which reported to the Supervisor (Autoriteit Persoonsgegevens) | 2 | 6 |
| Incident reports regarding shared systems and processes of network operators | 3 | 5 |
Smart Grid Code of Conduct
Enexis adheres to Netbeheer Nederland’s Smart Grid Code of Conduct. This code, approved by the Dutch Data Protection Authority, requires us to consider consumer privacy when collecting and using data. We must also clearly inform consumers about the data we collect and the reasons for doing so. In July 2023, the supervisory body for this code was accredited by the Dutch Data Protection Authority. As a result, the code officially became a GDPR Code of Conduct. In 2024, the joint network operators addressed and validated 12 use cases under this code. A use case describes the situation for which data from smart meters is needed and how the data will be used. Independent data protection experts test whether the use case complies with GDPR legislation by evaluating the following criteria: (MDR-M-77)
Necessity: is the data really needed for grid management?
Subsidiarity: can the issue be solved without using the smart meter data?
Proportionality: is only the data that is strictly necessary collected and processed?
Grid operators can use the data only after the use case has been approved.