Information security

Information security is essential in ensuring a reliable, resilient, and robust energy system. The threat of cyberattacks is real and growing in both frequency and complexity. These attacks are carried out by organised cybercriminals and state actors and pose risks of disruption and sabotage to critical infrastructure.

To address these challenges, we apply a risk-based approach to information security, built on three pillars: technology, people, and processes. We continuously invest in strengthening our resilience to cyber threats, minimising risks, and safeguarding the continuity of our services. At the same time, we ensure that customer and business information remains confidential and secure.(MDR-P-65e and MDR-M-75)

Our information security policy aligns closely with our business strategy and meets legal and societal requirements. Increasing European regulations, such as the NIS2 Directive and the existing Security of Network and Information Systems Act (Wbni), require us to strengthen and expand our security measures further. This will prepare us for future challenges and help ensure a secure, stable energy system.(MDR-P-65d)

Comprehensive standards framework

Enexis’ information security policy covers the entire organisation, including Enexis Netbeheer and all external partners and suppliers. The policy and security risk management processes cover all aspects of ICT systems, operational technology, buildings, premises, and assets essential to business operations.(MDR-P-65b)

Our information security policy was developed within a comprehensive framework aligned with globally recognised standards and best practices, including ISO 27001 and ISO 27019. This standards framework is supplemented by requirements from European and national regulations, specifically the NIS2 Directive and its future implementation in the Netherlands through the Cyber Security Act and the Critical Entities Resilience Act (WWKe). In addition, guidelines issued by the Royal Netherlands Institute of Chartered Accountants (NBA) have been incorporated to ensure a high level of maturity. The standards framework covers control measures in areas such as governance and organisation, personnel, physical security, incident management, operational management (Information Technology and Operational Technology), and supplier and value chain relationships. This approach ensures that security measures are implemented consistently and effectively, with a clear focus on the organisation’s most critical risks and the resilience of vital processes. The standards framework is updated periodically to ensure it remains aligned with new legal requirements and our organisation’s needs in an increasingly dynamic digital environment. In this way, we lay a robust foundation for strong, future-proof information security.(MDR-P-65a and MDR-P-65d)

The Chief Information Security Officer (CISO) is the point of contact for information security and leads the CISO Office. A team of security specialists carries out second-line activities here, focusing on Enexis’ digital resilience. The CISO reports on this to the Executive Board on a monthly basis, with the CFO acting as the Executive Board member responsible for the security portfolio. The CISO also informs the Supervisory Board on a quarterly basis through the Executive Board, providing insight into the current threat landscape and risk profile related to information security as it applies to Enexis. This supports the Supervisory Board in its supervisory role regarding information security and cyber risks. First-line security activities are carried out within the organisational units and operational chains, under the ultimate responsibility of the business owners and directors. They are supported in this by security specialists.(MDR-P-65c)

Objectives and reports

The effectiveness of our information security policy is measured against defined performance indicators. These indicators focus primarily on risk management and assess how control measures are implemented and whether they comply with our policy and relevant laws and regulations, such as the Wbni and NIS2. We use a risk-based approach to assess and prioritise risks to our critical processes based on the criticality of processes and the current threat landscape. Based on this assessment, we implement targeted, appropriate measures to mitigate these risks.(MDR-A-68a)

In 2025, we aimed to effectively mitigate a set of prioritised risks that fell outside the established risk appetite through appropriate measures. This objective has been partially achieved. The portion of the prioritised risks that was not mitigated in 2025 will still be mitigated in the first half of 2026.

In addition to these measures, we conduct internal audits. The results are reported to the security steering group and relevant risk committees. We maintain control of our information security through clear objectives and regular reporting. This enables us to make timely adjustments where necessary, not only to meet legal requirements but also to maintain the confidence of customers, partners, and society in the safety and reliability of our energy services.(MDR-T-80a, b, c)

Privacy

Protecting the personal data of customers, employees, and other stakeholders is a continuous priority. We apply a risk-based approach that is widely supported across the organisation and aim to further increase our maturity. We use Data Protection Impact Assessments to identify and assess the privacy risks associated with our data processing activities. Processes and systems involving sensitive or large volumes of personal data are given the highest priority.

Governance and privacy

We are responsible for protecting and managing the personal data of customers, employees, and suppliers. To this end, we have a team of privacy specialists consisting of privacy officers, contacts in specific areas, a corporate privacy lawyer, and a data protection officer who oversees compliance with the General Data Protection Regulation (GDPR). These specialists deal with complex privacy issues, data breaches, policy development, and awareness-raising activities. They advise the business, which is responsible for implementation. Ultimate responsibility lies with the Executive Board.

The general principle of propriety, and in particular the principle of integrity and confidentiality (Article 5 of the GDPR), requires us to take appropriate technical and organisational measures to protect personal data. To this end, various departments have been set up, and a central information security policy has been adopted (see the ‘Comprehensive standards framework’ section under ‘Information security’).(MDR-P-65)

The responsibilities for implementing the data security policy are described in the ‘Comprehensive standards framework’ section under ‘Information security’.

Approach to risk-based working

Data-driven initiatives in the energy transition are on the rise. Examples include the use of smart meters, data exchange at energy hubs, and the use of data to encourage households and businesses to use the electricity grid more efficiently. This involves the processing of personal data. The new Energy Act also requires the processing of customers' personal data on a larger scale. The societal importance of the energy transition and the rapid pace of developments call for an effective, risk-based approach to data protection. Key principles include integrating privacy into processes and control measures where possible, prioritising high-risk processes, and embedding a risk acceptance process. This approach also requires support from the various business areas.

We work to protect personal data in the following targeted and risk-based ways:

  • Identifying privacy risks within processes and applications.

  • Monitoring relevant sector developments and potential threats.

  • Using the Enexis Privacy Standards Framework, based on NOREA’s privacy control framework, to translate legal requirements into concrete privacy control measures, and then identifying and prioritising the most material privacy controls.

  • Assessing the Executive Board’s risk appetite regarding privacy and establishing a process for risk acceptance.

We also use the Privacy Standards Framework to monitor compliance. This fulfils the accountability obligation under Article 5(2) GDPR. The control measures from this framework are prioritised for implementation and monitoring. This prioritisation takes into account identified risks, organisational needs, the impact on the organisation in terms of implementation, and the focus of supervisory authorities. We will address the non-prioritised measures from 2026 onwards.(MDR-A-68)

Policy and other measures to safeguard privacy

  • Our privacy policy outlines the framework for the design, implementation, execution, management, monitoring, and continuous improvement of privacy.

  • We have established privacy objectives, including meeting transparency obligations. In this context, we have privacy statements for employees and external parties. We have developed process descriptions for other objectives, such as timely incident response and conducting a (D)PIA.

  • We focus on integrating privacy as much as possible and at an early stage in the development of products and services (Privacy by Design).(MDR-P-65a)

  • We record processing activities and data breaches in an automated system. Incident reports for joint systems and processes of grid operators are maintained centrally.

  • In accordance with Article 33(1) of the GDPR, we report data breaches to the Dutch Data Protection Authority.

Number of incident reports of data breaches (2025 / 2024):

  • Incident reports in data breach register Enexis: 50 / 47

  • Of which reported to the Supervisor (Autoriteit Persoonsgegevens): 2 / 2

  • Incident reports regarding shared systems and processes of network operators: 6 / 3

Smart Grid Code of Conduct

Enexis adheres to Netbeheer Nederland’s Smart Grid Code of Conduct. This code, approved by the Dutch Data Protection Authority, sets out how grid operators must handle smart meter data and the conditions under which such data may be used. This is set out in a use case. In total, the joint grid operators reviewed 15 use cases (2024: 12) and declared them applicable. A use case describes the situation that requires data from smart meters and how the data is used. Independent privacy experts assess each use case to ensure compliance with GDPR. They do this by testing it against the principles of necessity, subsidiarity, and proportionality. Smart meter data may be used only after a use case has been formally approved.(MDR-M-77)