Cybersecurity and data privacy As we continue digitalizing our operations, it becomes increasingly vital that we protect our digital assets from cyber incidents that could harm our people, disrupt our processes or affect our systems. We are committed to building a resilient organization that can withstand and recover from any cyber incident. To that extend, our cybersecurity management system not only defines and prescribes key controls for implementing and maintaining cybersecurity posture but also seeks to instill an agile and proactive mindset to keep us ahead of cyber threats. Our robust threat intelligence function monitors the cyber landscape and provides timely, actionable insights on threats or risks that may affect our business. Our cybersecurity operations center, which monitors and investigates suspicious activity around the clock, has been enhanced through automation. In addition, our dedicated incident response team responds to and contains cyberattacks, and our business continuity plan protects business operations from disruptions or the effects of adverse events. Our cybersecurity management system has been certified compliant with both national and international standards. Additionally, we have adopted or aligned with a range of other international standards and best practices. We regularly assess and monitor our digital footprint and posture, as well as the performance of our cyber defense and implement proactive measures to mitigate potential digital risks or gaps. We distribute compliance reports detailing remediation actions to management. Investing in our IT infrastructure is a priority to strengthen the effectiveness and robustness of our security measures. We continually monitor our security systems, routinely testing their effectiveness and adapting them as needed to enhance our capabilities and sustain business resilience. We foster a culture of innovation in the cybersecurity domain by combining new technologies and solutions with modern processes, building new cyber capabilities and creating a more resilient digital environment. To protect critical components of our supply chain from cyber threats and improve their resilience, we extend our cyber defense and response coverage to our supplier network. Companies that wish to conduct business with us must register and comply with specific cybersecurity controls under our policies. To support collaboration on cyber threat signals, we have formed alliances with key regional and international industry partners. Data privacy We collect, process and store personal data where necessary. As outlined in our Data Management Policy Statement, we are committed to respecting the privacy of individuals. We take great care to manage personal data appropriately and in compliance with applicable laws, in particular the UAE Personal Data Protection Law (PDPL) and the EU General Data Protection Regulation (GDPR). Our Group Privacy and Data Protection Standard and accompanying procedures ensure personal data is handled in an ethical and lawful manner. Our Information Classification Standard sets out mandatory requirements for classifying digital information, defining data categories and outlining roles and responsibilities for consistent sensitivity labelling. Using technology, we enforce this across all digital information and exchange channels. We are implementing a Group-wide data protection and privacy program to automate and centralize key processes such as data mapping, personal data transfer and breach management, consent tracking, impact assessment and third-party risk assessments to improve compliance. ADNOC uses a third-party ERM platform to record risks in a central location, define mitigation plans and track remediation progress. Each identified risk is assigned to a business owner, with clear remediation timelines and accountabilities. The IT Risk and Compliance function oversees certain risks directly, working closely with senior representatives from business units and Group companies. In 2025, we continued to strengthen digital resilience through enhanced data protection and privacy, strengthened identity, privileged access controls, and improved management and oversight of cyber risk. As part of our broader governance and oversight approach, we maintain open communication channels with stakeholders to support transparency and timely coordination. We engage directly with stakeholders through our digital call center and dedicated third-party cyber risk management email channels, Cybersecurity management system IEC 62443 : Cybersecurity for Operational Technology In Industrial Automation and Control Systems Standards I SO/IEC20000: Service Management Standard ISO 27001: Information Security Management Standard UAE Information Assurance Standard (UIAS) I SO 22301: Business Continuity Management Standard ISO 27701: Privacy Information Management Standard Certified providing efficient support and clear communication. In addition, companies seeking to conduct business and register with us are required to comply with all controls set out in our Data Management Policy Statement. Training and awareness Our people are the strongest link in our cyber defense and data protection chain. Through our CyberAware program we continue to invest in training them to prevent, protect against and respond to emerging cyber threats and risks, as well as to handle data securely. Our training and awareness programs include regular phishing simulations, engagement in cyber events, specialized on- the-job training programs, tabletop exercises, e-learning and gamification, as well as a community and family cyber outreach program. Our programs are delivered Group-wide, with customized training for specific roles. ADNOC’s CyberAware program actively reinforces our commitment to building a cyber-resilient workforce and raising digital safety awareness. In 2025, we advanced our cybersecurity governance and human risk management framework through large scale awareness programs, capability building initiatives and targeted engagement across all employee segments and third party stakeholders. These initiatives directly support our sustainability strategy, strengthening corporate governance, data protection and operational resilience. >80% of employees completed cybersecurity training and awareness >37,700 employees completed information classification e-learning Engaged Vice Presidents and Senior Vice Presidents in 98 tailored one - on - one cybersecurity sessions to strengthen leadership accountability >6,500 employees completed incident management and reporting training Released management and compliance dashboards and a rulebook, providing team leaders with visibility on participation, compliance and cyber activity insights Rolled out the Digital Track Learning and Hackazon Challenge, reaching >200 participants across key digital roles Showcased our CyberAware program at ADIPEC Provided cybersecurity knowledge and skills to >2,900 students across Abu Dhabi >35,500 employees completed acceptable usage of digital assets e-learning ADNOC CyberAware 2025 highlights 125 ADNOC Sustainability Report 2025 124 HOW WE OPERATE KEEPING OUR PEOPLE SAFE ADVANCING NET ZERO EMPOWERING LIVES SUSTAINABILITY AT ADNOC ABOUT ADNOC PROTECTING NATURE AND BIODIVERSITY
Sustainability Report 2025: Delivering Responsibly Page 61 Page 63