IT/OT Security Directive

[MDR-P 65a] OMV’s IT/OT Security Directive provides comprehensive guidelines and preventive measures for protecting the integrity and security of IT/OT systems. These help address the negative impact associated with potential advanced cyberattacks on our IT/OT convergence systems. This directive is crucial in safeguarding critical infrastructure and ensuring the resilience of process control systems against a potential advanced cyberattack. Such an attack could cause malfunctions and disruptions in essential plant process controls, leading to incorrect information about production process parameters and potentially triggering a chain reaction that could result in physical accidents with environmental impacts, such as fires, gas leaks, or oil spills. Our internal IT/OT Security Directive lays out the details of the IT/OT Security Framework, through which topic- or security domain-related security standards and policies are continually aligned and managed. The Security Framework consists of approximately 50 regulatory documents in total and is harmonized with the ISO 27000 series of recommendations for IT controls and domains (specifically ISO/IEC 27001:2022), all of which means we can maintain certification through external monitoring and annual recertification processes. A full recertification assessment was successfully completed in July 2022 and the OMV certification period was extended until 2025. One of the basic principles of an Information Security Management System (ISMS) is incorporating a continuous improvement cycle in order to identify, prevent, mitigate, and remediate potential information security leaks or weaknesses. The framework also covers OMV’s commitment to securing the operation of its services in dedicated areas, such as within the filling station retail business and the related PCI DSS requirements.

The IT/OT Security Directive is complemented by additional internal standards and regulations that detail how we implement, maintain, and monitor the ISMS according to the adopted framework. The ISMS is continuously monitored and designed to minimize risks resulting from cyber threats that could materialize in production disruptions, legal non-compliance, and reputational damage. The IT/OT Security Directive reflects our commitment to safeguarding the confidentiality, integrity, and availability of all information and IT/OT cyber assets within the organization.

[MDR-P 65b, 65c] This directive applies to the whole of the OMV Group globally, including our subsidiaries and OMV Petrom S.A., and takes into account, wherever necessary, any local laws and regulations that may apply. However, it excludes SapuraOMV Upstream Sdn. Bhd. and its respective subsidiaries. The directive is approved by the OMV Executive Board, and the most senior level accountable for its implementation is the CIO.

[MDR-P 65e, 65f] The IT/OT Security Framework and Data Protection Directive were both developed through extensive consultation with internal stakeholders, including representatives of our own workforce, the works council, and the business division representatives. All IT/OT policies and internal standards and procedures that guide OMV in the safeguarding of the confidentiality, integrity, and availability of all of the organization’s information and IT/OT cyber assets are regularly communicated to all OMV employees via internal communication channels and via OMV’s Regulations Alignment Platform on the OMV intranet. Relevant aspects for certain external stakeholders, such as suppliers, are incorporated into the contractual agreements.

Data Protection Directive

[MDR-P 65a] To mitigate the risk of potential data leakage or loss through an advanced cyberattack, OMV employs a mature information security management system that aligns with the Data Protection Directive. This directive is the primary source of privacy principles, procedures, and responsibilities within the OMV Group, ensuring compliance with GDPR and other relevant privacy regulations. It consists of a main document and a series of seven annexes that explore relevant issues and regulatory obligations for OMV. The directive includes a broad introduction to principles applicable to the processing of personal data derived from the GDPR, as well as the rights of data subjects and the procedures for exercising these rights. It provides clarifications on contractual relations with suppliers and the use of data for the Company’s marketing purposes. It also addresses cases where personal data is processed by third parties under Article 28 GDPR or transmitted to countries outside the EU with a lower level of data protection than within the Union. Additionally, it offers detailed information on essential procedures and tasks resulting from the GDPR, such as maintenance of the register of processing, performance of a DPIA (Data Protection Impact Assessment), management of possible data breaches, as well as the correct ways of using company devices and the related possible consequences for employees of their misuse.

[MDR-P 65b, 65c] This directive applies to the whole of OMV Aktiengesellschaft globally, including our subsidiaries Borealis AG and OMV Petrom S.A., and takes into account, wherever necessary, any local laws and regulations that may apply. The Data Protection Directive excludes anonymized data or data related to state security, national defense, and public safety. Every employee, contractor, and business partner of OMV shall follow the guidelines in this directive. The directive is approved by the OMV Executive Board, which is also accountable for its implementation. Responsibility for implementation lies with the SVP Finance, Tax, Treasury, and Risk Management.

[MDR-P 65d, 65f] This OMV Data Protection Directive applies to all systems used Group-wide that process personal data, and to all OMV companies and data processing activities to which Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR) applies (see Section 7 of this Directive, below). The Data Protection Directive is made available to all OMV employees via OMV’s Regulations Alignment Platform on the OMV intranet and serves as a reference for specific employee awareness training sessions. A summary of the key contents and scope of the policy is also available for all OMV employees via the intranet. Relevant aspects for external stakeholders, such as suppliers and business partners, are incorporated into contractual agreements. Additionally, our data protection policy is available on our website. For the Data Protection Directive, the interests of key stakeholders are covered under the IT/OT Security Directive.