In 2025, the ICT and Security Strategy was implemented, setting out the key strategic directions for 2026-2028, i.e.:
- IT systems supporting business,
- Operational excellence based on automation,
- Data-based organization,
- Effective security management,
- Modern ICT environment,
- Active management of digital competencies.
The key assumption of the strategy in the area of security is to achieve rapid change in the maturity of ICT (Information and Communication Technology) and OT (Operational Technology) cybersecurity, while simultaneously elevating the systemic and physical protection of facilities vital to the Group’s operations, with particular emphasis on critical infrastructure and infrastructure subject to mandatory protection. As part of the implementation of the Strategy, 23 strategic initiatives have been prepared for the security area. They will affect processes and standards for ICT and OT security, business continuity, physical security, and supply chain integrity. The Management Board of Enea S.A. is responsible for the adoption and oversight of the implementation of the Strategy.
The development of the Strategy was preceded by workshops involving representatives from key Enea Group subsidiaries, and its adoption was communicated to employees during the Q3 2025 earnings conference. The Strategy was developed based on the NIST (National Institute of Standards and Technology) Cybersecurity Framework and ISO/IEC 27001 standards.
In 2025, an ICT cybersecurity audit was also conducted at Enea Centrum, as well as an OT cybersecurity audit across ten Group companies of strategic importance to Poland’s energy security. The objective of these audits was to determine the current level of maturity of cybersecurity processes and the cybersecurity organization within the Group based on international NIST standards. The audit results were used to develop a roadmap for the period from 2026 to 2028, designed to elevate the maturity of ICT and OT cybersecurity in the Group. This roadmap was formally adopted by a resolution of the Enea S.A. Management Board.
To facilitate the Group’s effective digital transformation, the security area was reorganized in 2025. Cybersecurity functions were transferred to Enea Centrum and are now delivered as shared services within the Enea Group. This organizational change was coupled with the elevation of telecommunications and information security competencies in the Group and is aimed toward the ultimate centralization of ICT and OT cybersecurity monitoring processes. Additionally, the Physical Security Division was created in Enea Centrum, which should address the Group’s needs for improving facility protection standards, with particular consideration of critical infrastructure and infrastructure subject to mandatory protection. These changes are aimed at improving the maturity of the security framework.
At the same time, a significant shift occurred in the information security management area: information processed within ICT systems is now subject to systemic protection. In 2025, a DLP (Data Loss Prevention) system was implemented, which monitors data flows across the Group’s IT channels and detects violations of the security policy. This is a modern solution, which effectively strengthens information protection in the Group.
Based on the principle that the human element is the most critical component of the security ecosystem, the Enea Group has launched the CyberBezpieczni training program. The program will take three years and is addressed to 10 thousand employees who have access to the corporate network. The program utilizes professional IT tools and provides continuous training updated in monthly cycles. Its objective is to build awareness, expand employee cybersecurity knowledge, and instill proper responses to cyber threats.
The total cost of implementing security initiatives over the three-year period is estimated at over 70 million PLN.