[MDR-A.68a] With the actions we have in place to address our potential negative impact on humans and the environment as a consequence of an advanced cyberattack, we pursue our overarching cybersecurity ambition of reaching an overall cybersecurity maturity level, meaning all operations are quantitatively managed, with no noteworthy cybersecurity incidents. As the human factor is key to ensuring cybersecurity in daily operations, various awareness formats are developed and released to train our employees accordingly. [MDR-A.69b] In 2025, these actions did not exceed our key actions threshold. [MDR-A.69b] Key actions are defined as those requiring CAPEX of EUR ≥5 mn for their implementation through the end of the planning period. In 2025, the planning horizon was shortened from five years to three, resulting in forward-looking CAPEX that is lower compared to the Sustainability Statement 2024. CAPEX includes additions to property, plant, and equipment and to intangible assets (incl. IFRS 16 right-of-use assets) and expenditures for acquisitions, as well as equity-accounted investments and other interest for pre-defined sustainability CAPEX categories. Decommissioning assets, government grants, borrowing costs, additions to assets disposed (under certain conditions), and other additions that by definition are not considered capital expenditure are not included in CAPEX figures. Within the boundaries of applicable accounting standards, expenditure incurred during project implementation is generally capitalized, thus included in the CAPEX figures. OPEX figures related to key actions are not disclosed due to current limitations in data availability and may be included in future reports as reporting practices evolve. Consequently, this topic is not referenced to the financial statement.
As the exact subjects and contents of our key actions contain sensitive information that could expose OMV to external risks, we make use of the ESRS 1-7.7 provisions allowing for omission of confidential information. Therefore, no details are disclosed about our cybersecurity key actions.

Further actions that fulfill the objectives of our IT/OT Security Policy Framework and support reaching our cybersecurity ambition exist within our organization as follows:

Risk Assessments and Audits

[MDR-A.68a-68c, 68e] The IT/OT Security Policy Framework stipulates the need to assess risks related to cyber assets in IT and OT across the Group. Therefore, OMV has been managing an information security/excellence program since 2019. Various projects are conducted annually based on pre-evaluation processes to target newly emerged cyber risks. The implementation of these projects contributes to the targeted security maturity level of OMV as per our cybersecurity ambition, helping reduce exposure to cyber threats. The scope is focused on our own operations worldwide. Risk assessments are an ongoing process, while the OMV ISMS operations are subject to yearly external audits to verify their compliance and efficiency with a related certification. The latest certification according to ISO/IEC 27001:2022 was granted in August 2025.

Technical, Detective, and Reactive Measures

[MDR-A.68a-68e] Based on the guidelines of the IT/OT Security Policy Framework, the risk of security breaches is lowered by introducing new tools, individual detection strategies, and response plans to maintain a strong perimeter for our physical and cloud environments. Technical housekeeping measures ensure a solid foundation in the form of up-to-date hardware and software, as do adequate information security processes. We implement security patches and offer guidelines to provide consistent hardware and software life cycles. The detective and reactive measures are designed and executed on an ongoing basis to create transparency around existing risks, security gaps, and vulnerabilities, thereby supporting the objectives of our IT/OT Security Policy Framework. We integrate these measures to protect our assets from intruders, mitigate possible damage, and ensure a fast and full recovery. Examples of such measures include continuous vulnerability scans of cyber assets, breach and attack simulations to evaluate potential attack surfaces, continuous internal and external penetration tests on critical applications/systems, and external audits as quality assurance (ISO 27000, PCI DSS, NIS, etc.). This approach ensures that we proactively address potential threats and maintain robust security across our systems. The scope is focused on our own operations worldwide. The introduction and identification of new tools, individual detection strategies, and response plans is an ongoing process. We are continuously processing IT projects, assessed by IT security governance to ensure the targeted mitigation of cyber risks.

Training

[MDR-A.68a-68c, 68e] Continuous awareness-raising and ongoing training on cybersecurity for all employees within our own operations worldwide are essential requirements outlined in the IT/OT Security Policy Framework. OMV runs regular and in-depth training sessions to maintain an adequate level of employee awareness of information security. These awareness efforts cover general information security issues, ad hoc demands as timely countermeasures for specific use cases, and target group-focused subjects. The training formats include mandatory e-learning sessions with knowledge checks, topic-based videos, classroom training sessions, anti-phishing email campaigns, and sharing news via our intranet and internal blog posts. This multifaceted approach ensures continuous learning to effectively enhance our employees’ knowledge of information security, thereby supporting the objectives of the IT/OT Security Policy Framework and our overall cybersecurity ambition.
