
Cyber Security and Data protection

Data and information managed by A2A Group, as strategic elements, may be jeopardized by cyber attacks and incidents caused by many vulnerabilities of digital infrastructures. These occurrences may endanger the resiliency of the company by compromising its services to customers and its own reputation.

A2A must identify these threats very quickly and manage them effectively.

Cyber threat intelligence

The “Group Security & Cyber Defence” and “Group Information and Communication Technologies (ICT) & Digital Enablement” departments are committed to ensuring data protection for employees, customers and all A2A stakeholders.

A2A is tackling cyber threats through the following defense activities:

  1. Cyber Risk Analysis of Digital Assets and Services (Corporate / Facilities)
  2. IT/OT(1) security processes and controls compliant with the best international standards (i.e. ISO 27001 and IEC 62443) and industry standards
  3. Business continuity and information security management system
  4. Valuation of cyber strength of third parties
  5. Public and private partnership
  6. Awareness – Education - Training
  7. Cyber Threat Intelligence

Note: (1) IT: Information Technology - OT: Operational Technology

Group security & cyber defence

The “Group Security & Cyber Defence” department is active in the security of Operational Technology - OT (Industrial Control Systems and Supervisory Control and Data Acquisition systems) and it is responsible for the following tasks:

  • Monitoring of the OT systems security levels through the analysis of incidents and the definition of remedial actions
  • Reporting on infrastructure monitoring also in case of incident
  • Support to risk owners to define procedures for the most adequate cyber posture

Case study: A2A OT Security Project

The project, launched in September 2019, is aimed at ensuring the security and resilience of infrastructure and information systems through well-proportioned operational and technical actions to manage the risk on critical assets, in line with the principles of the national framework of cyber security (FNCS).
The project activities covered hydroelectric generation, electric distribution, gas distribution and the water cycle.

1) Assessment of security levels

  • Security assessment of “as is” conditions of infrastructure and information systems
  • Risk analysis on sector threats
  • Risk management plan to mitigate the exposure to threats, thus raising the overall security level

2) Implementation of a Cyber Security management system

Adoption of the most suitable organizational structure in order to guarantee the security and the resilience of infrastructure and information systems: definition of processes, procedures, and competences of people in charge of Operational Technology security.

Group ICT & digital enablement

The “Group ICT & Digital Enablement” department is responsible for Digital Security and ensures data protection and the resilience of services and ICT infrastructure through the implementation of an Information Security Management System (ISMS). In particular, the ICT Security department provides, develops and strengthens new Digital Security Services in order to preserve A2A business in its continuous innovation path.

A2A has set up a highly specialized group called IRIS - Intelligent Resilience Information Security Services. This team of IT security experts is committed to defending and responding to attacks against information, IT infrastructure and digital services.

IRIS provides the following IT security services:

Security Monitoring & Readiness Operations

It protects the company against digital criminals, operates 24x7 and tracks security threats in real time, thus reducing the exposure and impact of attacks on A2A digital services, applications and assets.

Platforms resilience & Operations

It includes digital and security technologies, and ensures that the best security posture and the effectiveness of controls are maintained over time, according to the most up-to-date "threat model".

Active defense

Assessment of the resilience level of the Company and its services through a Security Lab, a team of white hats (ethical hackers) and specialists who define the most critical current risk scenarios and study future threat trends.

Threat Intelligence

It provides intelligence capabilities through proactive research and analysis of public and non-public external sources. Moreover, it supports strategic security decisions and operations by protecting A2A digital data and brand from misuse.


In order to ensure compliance with the provisions of EU Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the “GDPR”), the A2A Group has adopted an Organization and Management Model for personal data in which:

  • the roles actively involved in the management of privacy within the company and the relative responsibilities are identified;
  • the methods of managing personal data in line with the principles and provisions of the GDPR are defined, including the principles of data protection by design (so-called “privacy by design”) and data protection by default (so-called “privacy by default”) on the basis of which the Data Controller puts in place adequate technical and organisational security measures to protect the rights of the data subjects.

The A2A Group has also prepared a procedural system designed to regulate the following issues:

  • the definition of the timing of storage of personal data (so-called data retention);
  • carrying out a preliminary risk assessment for each processing of personal data and an impact assessment in relation to processing operations that present a high risk for the rights and freedoms of natural persons (so-called DPIA – Data Protection Impact Assessment), in order to assess the necessity and proportionality as well as the relative risks of such high-risk processing and to identify suitable measures to address them;
  • the management of requests with which the data subjects exercise their rights;
  • the management of data violations (so-called data breach), which includes the analysis of the importance of the violation and the identification of a corrective action plan (so-called remediation plan) with the aim of managing the identified privacy incident and mitigating the identified risk.

In addition, special agreements are entered into with suppliers who process personal data on behalf of A2A Group companies which, in addition to incorporating the provisions of the law, contain specific instructions that the supplier is required to comply with when managing such data.