Cybersecurity and data privacy As we continue digitalizing our operations, it becomes increasingly vital that we protect our digital assets from cyber incidents that could harm our people, disrupt our processes or affect our systems. We are committed to building a resilient organization that can withstand and recover from any cyber incident. To that extend, our cybersecurity management system not only defines and prescribes key controls for implementing and maintaining cybersecurity posture but also seeks to instill an agile and proactive mindset to keep us ahead of cyber threats. Our robust threat intelligence function monitors the cyber landscape and provides timely, actionable insights on threats or risks that may affect our business. Our cybersecurity operations center, which monitors and investigates suspicious activity around the clock, has been enhanced through automation. In addition, our dedicated incident response team responds to and contains cyberattacks, and our business continuity plan protects business operations from disruptions or the effects of adverse events. Our cybersecurity management system has been certified compliant with both national and international standards. Additionally, we have adopted or aligned with a range of other international standards and best practices. We regularly assess and monitor our digital footprint and posture, as well as the performance of our cyber defense and implement proactive measures to mitigate potential digital risks or gaps. We distribute compliance reports detailing remediation actions to management. Investing in our IT infrastructure is a priority to strengthen the effectiveness and robustness of our security measures. We continually monitor our security systems, routinely testing their effectiveness and adapting them as needed to enhance our capabilities and sustain business resilience. We foster a culture of innovation in the cybersecurity domain by combining new technologies and solutions with modern processes, building new cyber capabilities and creating a more resilient digital environment. To protect critical components of our supply chain from cyber threats and improve their resilience, we extend our cyber defense and response coverage to our supplier network. Companies that wish to conduct business with us must register and comply with specific cybersecurity controls under our policies. To support collaboration on cyber threat signals, we have formed alliances with key regional and international industry partners. Data privacy We collect, process and store personal data where necessary. As outlined in our Data Management Policy Statement, we are committed to respecting the privacy of individuals. We take great care to manage personal data appropriately and in compliance with applicable laws, in particular the UAE Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR). Our Group Privacy and Data Protection Standard and accompanying procedures ensure personal data is handled in an ethical and lawful manner. Our Information Classification Standard sets out mandatory requirements for classifying digital information, defining data categories and outlining roles and responsibilities for consistent sensitivity labelling. Using technology, we enforce this across all digital information and exchange channels. We are implementing a Group-wide data protection and privacy program to automate and centralize key processes such as data mapping, personal data transfer and breach management, consent tracking, impact assessment and third-party risk assessments to improve compliance. ADNOC uses a third-party ERM platform to record risks in a central location, define mitigation plans and track remediation progress. Each identified risk is assigned to a business owner, with clear remediation timelines and accountabilities. The IT Risk and Compliance function oversees certain risks directly, working closely with senior representatives from business units and Group companies. In 2025, we continued to strengthen digital resilience through enhanced data protection and privacy, strengthened identity, privileged access controls, and improved management and oversight of cyber risk. As part of our broader governance and oversight approach, we maintain open communication channels with stakeholders to support transparency and timely coordination. We engage directly with stakeholders through our digital call center and dedicated third-party cyber risk management email channels, Cybersecurity management system IEC 62443 : Cybersecurity for Operational Technology In Industrial Automation and Control Systems Standards I SO/IEC20000: Service Management Standard ISO 27001: Information Security Management Standard UAE Information Assurance Standard (UIAS) I SO 22301: Business Continuity Management Standard ISO 27701: Privacy Information Management Standard Certified 124

Sustainability Report 2025: Delivering Responsibly - Page 116 Sustainability Report 2025: Delivering Responsibly Page 115 Page 117