Skip to main content

Cyber Security and Data protection

The data and information managed by the A2A Group represent strategic elements that may be targeted by cyber-attacks and accidents caused by the many vulnerabilities present in IT networks. Eventualities of this type can undermine the resilience of the company, compromising the services offered to its customers as well as its own reputation.

It is therefore imperative that these threats are promptly intercepted and effectively managed.

Activities to protect against cyber threats

The “Group Security & Cyber Defence” management team adopts a holistic approach to managing the security of the A2A Group (1); in particular, it undertakes to ensure the protection of data, its employees, customers and all A2A stakeholders.

The A2A Group faces cyber threats through:

  1. Cyber risk analysis of Industrial Assets and Digital Services
  2. Cyber Security processes and safeguards compliant with best practices and international standards (i.e. ISO27001 and IEC 62443) as well as industry regulations
  3. Business continuity and information security management system
  4. Evaluation of the cyber resilience of third parties
  5. Public-Private Partnership
  6. Awareness and continuous employee training
  7. Cyber threat intelligence activity
Corporate Security Policy

Cyber defence

The “Cyber Defence” Structure has been appointed for this purpose, with the mission of managing the growing complexity of threats affecting both the “classic” ICT field and the industrial worlds in a united and convergent manner

Specifically, it guarantees the data protection and cyber resilience of business services and digital infrastructures by implementing the Information Security Management System (ISMS). The “Cyber Defence” function provides, evolves and consolidates next-generation Digital Security services capable of fully protecting our company’s business on its path towards continuous innovation, guaranteeing continuous alignment with the Board.

The “Cyber Defence” structure includes a highly specialised unit called IRIS: Intelligent Resilience Information Security Services. The unit is made up of IT security experts tasked with defending and responding to attacks against information, IT infrastructures and digital business services.

IRIS offers the following IT security services:

Security monitoring activities and fast reaction

Protects the company against digital criminals, is operational 24/7 and monitors in real time the security threats of both the ICT and industrial infrastructure, reducing the exposure and impact of attacks on A2A’s digital and industrial services, applications and assets

Platform resilience

Integrates digital and security technologies, ensuring that the best security strategy and the effectiveness of controls is maintained over time according to the latest “threat models”

Active defence

Assessment of the level of resilience of the company and its services through a Security Lab, a team of white hat (or ethical) hackers and specialists responsible for assessing the level of resilience of the company and its services to define the most critical current risk scenarios and study future threat trends.

Intelligence activities on cyber threats

Provides intelligence capabilities through proactive research and analysis of public and non-public external sources. Supports strategic security decisions and supports Cyber Security Operations by protecting A2A’s data and brand from misuse.


In order to ensure compliance with the provisions of EU Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the “GDPR”), the A2A Group has adopted an Organization and Management Model for personal data in which:

  • the roles actively involved in the management of privacy within the company and the relative responsibilities are identified;
  • the methods of managing personal data in line with the principles and provisions of the GDPR are defined, including the principles of data protection by design (so-called “privacy by design”) and data protection by default (so-called “privacy by default”) on the basis of which the Data Controller puts in place adequate technical and organisational security measures to protect the rights of the data subjects.

The A2A Group has also prepared a procedural system designed to regulate the following issues:

  • the definition of the timing of storage of personal data (so-called data retention);
  • carrying out a preliminary risk assessment for each processing of personal data and an impact assessment in relation to processing operations that present a high risk for the rights and freedoms of natural persons (so-called DPIA – Data Protection Impact Assessment) in order to assess the necessity and proportionality as well as the relative risks of such high risk processing and the identification of suitable measures to address them;
  • the management of requests with which the data subjects exercise their rights;
  • the management of data violations (so-called data breach), which includes the analysis of the importance of the violation and the identification of a corrective action plan (so-called remediation plan) with the aim of managing the identified privacy incident and mitigating the identified risk.

In addition, special agreements are entered into with suppliers who process personal data on behalf of A2A Group companies which, in addition to incorporating the provisions of the law, contain specific instructions that the supplier is required to comply with when managing such data.