Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Item 16K. Cybersecurity

The Company is aware that the oil & gas sector is particularly vulnerable to cybersecurity risks because of the geographical reach of operations, the complexity of integrating IT infrastructures with industrial control systems, and exposure to geopolitical risks.

In this context, Eni has adopted a set of processes and systems for assessing, identifying and managing the significant risks related to cybersecurity threats, with the goal of minimizing the impacts of any potential cybersecurity incidents and avoiding, as far as possible, any disruptions to the Company’s information systems, information resources, data infrastructures and, ultimately, its business operations. Information systems are core to our industrial activities, to financial transactions, and to the correct and complete recording, storage and use of data regarding the acquisition and disposition of the Company’s assets, and of customer and other third-party data.

Eni’s cybersecurity program includes multi-layered technological capabilities designed to prevent and detect cybersecurity disruptions and is based on industry standard frameworks. The cybersecurity program incorporates an incident response plan to engage cross-functionally across the Corporation and report cybersecurity incidents to appropriate levels of management, including senior management, and the Audit Committee or the Board of Directors, based on potential impact. The Group conducts annual cybersecurity awareness training and routinely tests cybersecurity awareness and business preparedness for response and recovery, which are developed based on real-world threats.

In recent years the business environment has been characterized by a significant rise in cybersecurity risks, both in terms of frequency of incidents and their relevance, driven by increased operational complexity and geopolitical factors. Eni has established and is maintaining a risk-assessment program specifically designed to identify and manage cybersecurity risks and, based on the outcome of this review, has adopted a suite of mitigation measures and protocols. We believe that, thanks to those remedies, our overall exposure to cybersecurity risks has remained stable, as the Company has been able to counteract an increased number of attacks against the Company’s information systems, which have arisen in connection with the adoption of the hybrid working environment (for example remote working) and a changed environment for cyber threats in connection with a deteriorated geopolitical landscape.

The internal control system has been designed taking into consideration primarily the characteristics of the Eni business, the Company’s long-term strategy, its countries of operations, and the specific risks the oil & gas sector is exposed to (see Item 3 - Risk Factors for more information), among which the cybersecurity risk ranks highly.

 

 

Looking forward, the Company believes that cybersecurity threats in the following areas may materially affect the Company’s business strategy, reputation, results of operations and financial conditions:

Disruptions to industrial processes, which may lead to loss of revenues and to unplanned and restoration expenses;

Interruption in the IT systems used by the businesses and by the corporate and finance departments, which may lead to a temporary inability to record physical data and dispositions of the Company’s products, to send invoices and to collect receipts, and which may result in disruptions, loss of revenues and cash collections, and higher finance expenses impacting the profit and loss and the financial condition;

Breaches, violations, and theft of retail customer data, which may negatively affect the Company’s reputation and may lead to violations of laws on data protection and claims against us.

 

Considering the possible risks of cybersecurity incidents, the Group has adopted several measures to mitigate cybersecurity risks, which include the continuous upgrading of the IT infrastructure, availability of services to protect the Company against cybersecurity threats, extension of those measures to the cloud, also integrating technologies based on AI, and the strengthening of procedures and resources for technological security and governance at the headquarters, foreign subsidiaries and industrial hubs by deploying tailored programs of technological enforcement.

Centralized information systems have been upgraded to improve monitoring, and specific controls and procedures have been adopted to identify, mitigate, and supervise cyber risks that could be brought in by third parties performing activities on behalf of Eni, including suppliers of cloud services. The Group takes a risk-based approach with respect to its third-party service providers, tailoring processes according to the nature and sensitivity of the data or systems accessed by such third-party service providers and performing additional risk screenings and procedures, as appropriate.

To ensure continuity in the functioning of the Company’s information systems, management has deployed several measures (contingency plans) intended to ensure the uninterrupted performance of information systems in case of cybersecurity threats and other malfunctions of IT systems with possible fallouts on business operations, as well as in case of massive cyber threats having low probability of occurrence but that could cause relevant system disruptions. Those measures include adoption of a continuity management plan of the information system infrastructures, which simultaneously drives technologies, processes and procedures with the goal of ensuring resiliency and recovery of information systems in accordance with minimum service levels dictated by the business lines.

In addition, the set of countermeasures to mitigate cyber risk has been updated, consistent with recent industry-specific legal obligations, also by disseminating throughout the organization a cybersecurity culture aimed at making managers and employees more conscious of ongoing cyber threats and of how to deal with cyber risks. Those also include the management of fault scenarios, the preparation of contingency plans and the execution of stress tests and test simulations.

The Company owns a proprietary green data center where most of the Company’s applications and systems run, and massive amounts of the Company’s data are stored. Considering that this is a core asset, several measures and procedures have been adopted which are designed to ensure continuity in the performance of the Company’s information systems even in case of an outage of the whole data center, particularly by equipping a backup site to ensure disaster recovery of the most critical information systems and data warehouse, and by preserving continuity at the core business. The green data center has undergone an upgrading plan which comprised:

i) advances in technological solutions to prevent and manage through automated procedures partial or component faults;

ii) availability of spare capacity to elaborate and manage data and/or availability of off-line backup data at other sites;

iii) reinforcement of the geographic enterprise redundant connectivity to consume services from GDC and Cloud suppliers.

 

Eni’s risk management processes for cybersecurity are part of the Company’s overall integrated internal control system designed to identify, assess, and manage the main risks to which the Company is exposed which include strategic, business, operational and compliance risks, and menaces.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Eni’s risk management processes for cybersecurity are part of the Company’s overall integrated internal control system designed to identify, assess, and manage the main risks to which the Company is exposed which include strategic, business, operational and compliance risks, and menaces.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

As of the date of this report, we have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition.

Cybersecurity Risk Board of Directors Oversight [Text Block]

The Company’s internal control system is designed by the Company’s management under the direct supervision of the Board of Directors and the ultimate supervision of the Board of Statutory Auditors. The Board of Directors sets the guidelines of the internal control system, sets the tone of an effective organizational environment that drives management to continuously monitor and treat Company risks, and finally determines the maximum level of tolerable exposure to the Company’s main risks in view of achieving the Company’s profitability and industrial targets and executing against its stated strategic vision, both in the short and the medium-to-long term.

In performing its function, the Board is assisted by a committee comprised of all independent board members, named the Internal Control Committee (for a full description of its role, functioning and composition see Item 6), which has the role of examining the Company’s internal control system and of assessing its effectiveness against the Company’s strategy and objectives and ongoing business trends and evolution. As part of this, the Committee formulates proposals and suggestions to the Board about any possible improvement of the internal control system. This committee is regularly informed by management about ongoing trends in the business environment which could affect the Company’s exposure to the cybersecurity risk, how cyber threats are evolving, changes in the expected probability of cybersecurity incidents to the Company’s information systems, and management’s ongoing or planned action to mitigate emerging risks or an increased probability of cybersecurity incidents. The Board of Statutory Auditors is responsible for the overall supervision of the activities of the Board of Directors (consistent with the functions required by the U.S. SEC rules and the Sarbanes-Oxley Act) and in exercising this function it is kept duly informed by, and it has the power under applicable laws to demand information from, the Board of Directors and management about the Group cybersecurity risks and the processes for assessing and managing such risks.

The CEO of Eni is responsible for establishing and maintaining an effective internal control system and for executing the guidelines defined by the Board. In performing this ample task, the CEO coordinates other management representatives and reports to the Board and the Committee on a quarterly basis about how the Company is responding and reacting to the main risks in the business environment and in the Company’s industrial operations and support processes.

Middle management is responsible for identifying and assessing risks across the whole of Eni’s industrial and business-support processes, which could jeopardize the achievement of the Company’s targets. This activity is performed at various organizational levels: subsidiary, business process, profit center, cost center, department, and business-supporting functions, among others, and is structured in various steps.

First, risk identification and assessment enable each manager to gain a comprehensive picture of possible adverse events which could negatively affect the effectiveness and efficiency of Company’s processes and operations.

Second, potential adverse impacts associated with each risk event are estimated both in quantitative (i.e., impacts on financial results and business continuity) and qualitative (i.e., impacts on Company reputation) terms, also weighting impacts by probability of occurrence.

Third, mitigating actions and plans are implemented or those in place are revised to reduce any possible risks to a tolerable level.

Finally, controls have been designed to test the effective functioning of mitigating actions.

 

 

Top management is responsible for verifying and monitoring whether all risk-reducing actions and plans are compatible with the ongoing evolution of the Company’s business model, the Company’s strategic guidelines and targets, including financial targets (operating profits and cash flow from operations), operating targets (production volumes, installed capacity, development of new product lines), business security and continuity targets (HSE incidents, cybersecurity threats, security of personnel and assets in high-risk areas, climate adaptation of the Company’s plants and equipment) and preservation of the Company’s reputation. Those activities enable management to gain full comprehension of the effectiveness of the internal control system and risk treatment considering current/expected trends in the business environment (market trends, consumer behavior, evolution of technologies and of the competitive landscape) and in the Company’s structure (entry into new markets, significant asset acquisitions/dispositions, restructuring and reorganizations).

Top management, including the CEO, reports to the Board and the Committee on a regular basis about the effectiveness of the Company’s internal control system, its evolution in connection with emerging risks or significant modifications of the Company’s risk profile and possible improvements, covering all aspects of the business, including the cybersecurity risk.

The manager in charge of running the Company’s IT infrastructures and information systems identifies on a regular basis the main cybersecurity threats to which the Company is exposed, assesses the level of vulnerability and adopts all IT solutions and security protocols to reduce those risks to an acceptable level.

We believe that this manager has the academic background and the experience in IT systems required to perform its tasks effectively.

The Company’s cybersecurity program is managed by a senior IT manager, with support from cross-functional teams led by Eni’s information technology (IT) and operational technology (OT) cybersecurity operations managers (collectively, Cybersecurity Operations Managers). The Cybersecurity Operations Managers are responsible for the day-to-day management and effective functioning of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents. The Cybersecurity Operations Managers collectively have many years of experience in cybersecurity operations.

IT management provides regular reports to the Company’s senior management throughout the year, and to the Audit Committee or the Board of Directors, as appropriate, on a regular schedule. Such reports typically address, among other things, the Company’s cybersecurity strategy, initiatives, key security metrics, penetration testing and benchmarking learnings, and business response plans as well as the evolving cybersecurity threat landscape.

In the event the Company becomes aware of a pending cybersecurity threat, a “crisis committee” is convened comprising representatives of the Company’s top management (including the Company’s Chief Financial Officer) to decide promptly which course of action is to be implemented to best cope with the threat or to plan remedial actions in case of a significant cybersecurity incident as well as to assess the materiality of a cybersecurity incident and whether to publicly disclose a cybersecurity incident.  

The cybersecurity risk is regularly monitored to assess the effectiveness of the Company’s risk-reducing activities, proper functioning of controls and to identify emerging risks that may warrant improvements/upgrading of the Company’s cybersecurity infrastructures and protocols. Those activities are reported regularly to the Board of Directors and the Internal Control Committee, as part of the general process of reporting the whole of the internal control system for risk management, so directors can appreciate the robustness of the whole of the process for identifying, assessing, and mitigating cybersecurity threats.

As of the date of this report, we have not identified any risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected, or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition.

While Eni believes its cybersecurity program to be appropriate for managing constantly evolving cybersecurity risks, no program can fully protect against all possible adverse events. In 2024, no material cybersecurity incidents were reported. For additional information on these risks and potential consequences if the measures we are taking prove to be insufficient or if our proprietary data is otherwise not protected, see “Item 3 - Risk Factors” in this report.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] In performing its function, the Board is assisted by a committee comprised of all independent board members, named the Internal Control Committee (for a full description of its role, functioning and composition see Item 6), which has the role of examining the Company’s internal control system and of assessing its effectiveness against the Company’s strategy and objectives and ongoing business trends and evolution. As part of this, the Committee formulates proposals and suggestions to the Board about any possible improvement of the internal control system.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

In performing its function, the Board is assisted by a committee comprised of all independent board members, named the Internal Control Committee (for a full description of its role, functioning and composition see Item 6), which has the role of examining the Company’s internal control system and of assessing its effectiveness against the Company’s strategy and objectives and ongoing business trends and evolution. As part of this, the Committee formulates proposals and suggestions to the Board about any possible improvement of the internal control system. This committee is regularly informed by management about ongoing trends in the business environment which could affect the Company’s exposure to the cybersecurity risk, how cyber threats are evolving, changes in the expected probability of cybersecurity incidents to the Company’s information systems, and management’s ongoing or planned action to mitigate emerging risks or an increased probability of cybersecurity incidents. The Board of Statutory Auditors is responsible for the overall supervision of the activities of the Board of Directors (consistent with the functions required by the U.S. SEC rules and the Sarbanes-Oxley Act) and in exercising this function it is kept duly informed by, and it has the power under applicable laws to demand information from, the Board of Directors and management about the Group cybersecurity risks and the processes for assessing and managing such risks.

Cybersecurity Risk Role of Management [Text Block]

The CEO of Eni is responsible for establishing and maintaining an effective internal control system and for executing the guidelines defined by the Board. In performing this ample task, the CEO coordinates other management representatives and reports to the Board and the Committee on a quarterly basis about how the Company is responding and reacting to the main risks in the business environment and in the Company’s industrial operations and support processes.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Company’s cybersecurity program is managed by a senior IT manager, with support from cross-functional teams led by Eni’s information technology (IT) and operational technology (OT) cybersecurity operations managers (collectively, Cybersecurity Operations Managers). The Cybersecurity Operations Managers are responsible for the day-to-day management and effective functioning of the cybersecurity program, including the prevention, detection, investigation, and response to cybersecurity threats and incidents.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Cybersecurity Operations Managers collectively have many years of experience in cybersecurity operations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] In the event the Company becomes aware of a pending cybersecurity threat, a “crisis committee” is convened comprising representatives of the Company’s top management (including the Company’s Chief Financial Officer) to decide promptly which course of action is to be implemented to best cope with the threat or to plan remedial actions in case of a significant cybersecurity incident as well as to assess the materiality of a cybersecurity incident and whether to publicly disclose a cybersecurity incident.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true