The Group operates multiple, interconnected and complex information systems (databases, servers, networks, applications, etc.) that are essential to the conduct of its commercial and industrial activity, the preservation of its human, industrial and commercial assets, and the protection of personal data (of customers and employees), and that must adapt to a rapidly changing context (digital transition, development of teleworking, new ways to share work in extended companies with suppliers, changes in regulations, etc.).
The facilities and assets used by the Group or its employees may be the target of external attacks or malicious acts of any kind. An attack or malicious act committed on these facilities could have consequences such as injury to persons and/or damage to property, the Group being held liable on the grounds of measures judged to be inadequate, and interruptions in operations. The Group would also be forced to make additional investments or incur additional costs if laws and regulations relating to the protection of sensitive sites and critical infrastructures became more stringent.
The frequency and sophistication of information system hacking and data corruption incidents are increasing worldwide. A malicious attack – or any other failure resulting in the unavailability of information systems – may have a negative impact on the Group’s operating activity, financial, legal and asset situation, or reputation.
The EDF group has defined an Asset Security policy for malicious acts and an Information System Security policy to prevent this risk and limit its impact in the event of an attack. These policies are supplemented by guidelines on the protection of personal data.
A charter regarding the use of IT resources is annexed to the Company’s internal regulations. IS security training and awareness-raising courses adapted to different profiles (users, project managers, IS security managers, etc.) are offered on a regular basis to employees. The Executive Committee and the Audit Committee of the Board of Directors receive reports on cybersecurity risk management. Several dozen security audits are carried out each year, both on IT infrastructures and on business information systems, by external IS security audit companies qualified as PASSI (IS security audit providers) by the ANSSI (the National Cybersecurity Agency of France). In addition, the EDF group SOC (Security Operational Center) reports on IS security incidents on a monthly basis. The Group SOC has moreover carried out a qualification process with the ANSSI, which issued a favourable opinion in August 2021 (https://www.ssi.gouv.fr/uploads/2021_2047_np.pdf).
In 2021, the main actions deployed in the areas of cybersecurity, protection of intangible assets and, more generally, the Company’s resilience to the risks of damage to information systems were:
In addition, IS crisis and cybersecurity drills are regularly carried out to test the various measures put in place.
Summary: The hydroelectric facilities operated by the Group present risks with potentially serious consequences for people, property and the environment that could have a financial and reputational impact on the Group.
Criticality: ●● Intermediate
Hydropower safety comprises all the measures taken when designing and operating plants to reduce risks and hazards to people and property associated with water and the presence or operation of facilities.
The Group’s hydraulic structures present specific risks with potentially very serious consequences: breakage, overflow during floods, operating manoeuvres.
Hydropower safety is the major and permanent concern of the producer. It falls under the purview of the Group’s CSR “nuclear safety, health and security” issue (see section 3.3.1 “Health & Safety”). It involves three main activities:
EDF regularly monitors and maintains its dams, including through continuous monitoring. The real-time readings and analysis at each site of multiple data (settlement, pressure, leakage measurements, combined with the visual inspection of the concrete and an inspection of the mechanical parts, etc.) enable EDF to conduct a regular assessment of the state of its dams. In Grenoble and Toulouse, EDF teams can analyse, remotely and in real time, the largest dams or those dams that are the hardest to access, using a series of sensors.
Furthermore, for each of the large dams, a danger study, including a complete examination, is conducted every ten or fifteen years (for a class A dam and a class B dam respectively). This examination requires draining or an inspection of the submerged parts with sub-aquatic equipment. These operations are carried out under the strict control of the French State authorities (Service de contrôle et de sécurité des ouvrages hydrauliques (Hydraulic Works Control and Safety Department) within each DREAL (French regional environment, land use and housing authority)).
At the organisational level, the Hydro Safety Inspector prepares an annual report for the Chairman & Chief Executive Officer of EDF, to which he or she reports directly, as well as to those involved in hydropower safety (see section 1.4.1.3.1.3 “Hydropower Safety”). Issued after analyses, inspections and assessments carried out by the Hydro Safety Inspector, this report aims to give an opinion on the level of hydropower safety of the Group’s facilities and provide a basis for reflection and progress to ensure its improvement and consolidation. This report is made public on the Group’s website.