Universal Registration Document 2022

Introduction

Control actions

The EDF group has defined its Security of Assets against Malicious Acts policy and an Information System Security policy to prevent this risk and limit its impact in the event of an attack. These policies are supplemented by guidelines on the protection of personal data.

A charter regarding the use of IT resources is annexed to the Company’s internal regulations. IS security training courses adapted to the different profiles (users, project managers, application developers, IS security managers, etc.) are offered to employees. The Executive Committee and Audit Committee of the Board of Directors receive reports on cyber security risk management. Several dozen security audits are carried out each year by external IS security audit companies (IS security audit providers), which are PASSI qualified by the ANSSI (French National Agency for Information Systems Security), both on IT infrastructures and on business information systems. In addition, the EDF group SOC (Security Operational Centre) reports on IS security incidents on a monthly basis. This centre is now qualified as a PDIS (security incidents detection service provider).

In 2022, the main actions deployed in the areas of cyber security, protection of intangible assets and, more generally, the Company’s resilience to the risks of damage to information systems were:

  • the definition of cyber security goals for the Group entities, their achievement being measured via cyber security reviews;
  • the deployment of an e-learning “Cyber Security Passport” module accessible to all (including in subsidiaries) and rendered compulsory for all Group senior executives and managers in France;
  • the deployment of phishing awareness campaigns within the Group’s entities (96,000 people targeted in 2022);
  • the continued strengthening of the cyber security operational function that guarantees an efficient response in the event of a security incident: strengthening the specialist teams, promulgation of a cyber security incidents management policy;
  • the opening of the Rennes site. The opening of this site completes the EDF cyber system within a relevant European reference territory (graduate schools, research centres, companies, start-ups, the Ministry of the Armed Forces and the National Agency for the Security of Information Systems);
  • the creation of the Vulnerability Operation Centre aimed at detecting areas of vulnerability through regular scans and audits conducted on all types of IS;
  • continued deployment and assessment within the entities of a security reference framework based on the rules of the Agence Nationale de la Sécurité des Systèmes d’Information (French National Agency for Information Systems Security);
  • the periodic publication of a dashboard intended for the Executive Committee, reflecting the Group’s cyber security level, and also adapted for each reporting entity, addressed to each of the Executive Committee members.

In addition, IS crisis and cyber security drills are regularly carried out to test the various measures put in place.

4E – Hydraulic safety violations

Summary: The hydroelectric facilities operated by the Group present risks with potentially serious consequences for people, property and the environment that could have a financial and reputational impact on the Group.

Criticality: Intermediate

Hydropower safety comprises all the measures taken when designing and operating plants to reduce risks and hazards to people and property associated with water and the presence or operation of facilities.

a) Main risks

The Group’s hydraulic structures present specific risks with potentially very serious consequences: breakage, overflow during floods, operating manoeuvres.

b) Control actions

Hydropower safety is the major and permanent concern of the producer. It falls under the purview of the Group’s CSR “nuclear safety, health and security” issue (see section 3.3.1 “Security, health and safety for all”). It involves three main activities:

  • measures to address the major risk associated with dam or reservoir failures, through the regular monitoring and maintenance of facilities under the supervision of public authorities, mainly the French regional environment, land use and housing authorities (Directions Régionales de l’Environnement, de l’Aménagement et du Logement – DREAL). Of the largest dams, 67 are subject to a special administrative procedure implemented by the competent prefect;
  • the management of facilities during periods of exceptionally high water levels, in order to ensure safety at the facilities and for the surrounding communities;
  • control of operational risks: changes in the level of the water bodies or the flow of watercourses downstream of the works.

EDF regularly monitors and maintains its dams, including through continuous monitoring. The real-time readings and analysis, at each site, of multiple data (settlement, pressure, leakage measurements, combined with the visual inspection of the concrete and an inspection of the mechanical parts, etc.) enable EDF to conduct a regular assessment of the state of its dams. In Grenoble and Toulouse, EDF teams can analyse the largest dams or those dams that are the hardest to access, remotely and in real time, using a series of sensors.

Furthermore, for each of the large dams, a danger study, including an exhaustive examination, is conducted every ten or fifteen years (for a class A dam and a class B dam respectively). This examination requires draining or an inspection of the submerged parts with sub-aquatic equipment. These operations are carried out under the strict control of the French State authorities (Service de Contrôle et de Sécurité des Ouvrages Hydrauliques [Hydraulic Works Control and Safety Department] within each DREAL [French regional environment, land use and housing authority]).

At the organisational level, the Hydropower Safety Inspector prepares an annual report for the Chairman and CEO of EDF, to whom he or she reports directly, as well as reporting to those involved in hydropower safety (see section 1.4.1.3.1.3 “Hydropower Safety”). Issued after analyses, inspections and assessments carried out by the Hydropower Safety Inspector, this report aims to give an opinion on the level of hydropower safety of the Group’s installations and provide a basis for reflection and progress to ensure its improvement and consolidation. This report is made public on the Group’s website.