Specific Policies Related to Cybersecurity

IT/OT Security Policy Framework

[MDR-P.65a] At OMV, IT/OT plays a central role in steering processes at our production facilities through our plant process control systems. If those systems were to be disrupted, e.g., through an advanced cyberattack, consequences could include physical accidents that pose a threat to human and environmental health. To manage this potential negative impact, OMV has a comprehensive IT/OT Security Policy Framework in place. The IT/OT Security Policy Framework implements a comprehensive layer of security policies, controls, and guidelines to protect the integrity and security of IT/OT systems. This framework is crucial in safeguarding critical infrastructure and ensuring the resilience of process control systems against a potential advanced cyberattack. It consists of a comprehensive set of internal regulatory documents that are linked to the international ISO/IEC 27001:2022 standard and to IEC 62443 for the related OT controls. The effectiveness of OMV’s Information Security Management System (ISMS), which is part of the framework, is subject to regular external audits, and a full recertification assessment was successfully completed in July 2025 with an applied certification period until 2028.
The framework also covers OMV’s commitment to securing the operation of its services in dedicated areas, such as within the filling station retail business and the related PCI DSS (Payment Card Industry Data Security Standard) requirements. [MDR-P.65b, 65c] This framework applies to the OMV Group globally, including our subsidiaries, Borealis GmbH (until December 9, 2025) and OMV Petrom S.A., and takes into account, where necessary, any local laws and regulations that may apply. It is approved by the OMV Executive Board, and the most senior level accountable for its implementation is the CIO. [MDR-P.65e, 65f] The IT/OT Security Policy Framework was developed through extensive consultation with internal stakeholders, including representatives of our own workforce, the Works Council, and the business division representatives. All IT/OT policies and internal standards and procedures included in the framework are regularly communicated to all OMV employees via internal communication channels and via the Regulations Alignment Platform on the OMV intranet. Relevant aspects for certain external stakeholders, such as suppliers, are incorporated into the contractual agreements.
