XML 306 R52.htm IDEA: XBRL DOCUMENT v3.26.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Framework

In order to mitigate cyber risks across all digital environments of the Group (IT, OT, IoT), Enel adopted the Cyber Security Framework ( the “CS Framework”) in 2017 to guide and manage cybersecurity processes. It has been integrated into each company throughout the entire organization, including Enel Chile. The CS Framework is based on sector best practices

and international standards (ISO 27001/NIST) and addresses the principles and operational processes that support a global strategy of cyber risk analysis, prevention, and management.

The CS Framework is structured around eight core processes and is fully applicable to the complexity of the IT, OT, and IoT environment. It clearly defines roles and responsibilities, actively involving business areas and stakeholders throughout the organization, and establishes a solid basis for the full integration of technologies, core processes and people. The CS Framework focuses on and is driven by a “risk-based” approach and a “cybersecurity by design” principle.

The “risk-based” approach places risk assessment as a prerequisite for the Group’s strategic decisions. The estimation of cybersecurity risk factors (impacts, threats, vulnerabilities) is critical to assess  the Group’s level of cyber risk and to identify appropriate treatment actions to mitigate it. The “cybersecurity by design” principle ensures that cybersecurity requirements are considered throughout the entire lifecycle of systems and services.

The CS Framework provides the overall coverage of the following areas:

·

Cyber Security Risk Assessment: aims to identify, analyze, and evaluate cybersecurity risks, in line with the Group’s risk posture.

·

Cyber Security Strategy: aims to guide cybersecurity strategy, define cybersecurity objectives and priorities, address cybersecurity initiatives, and coordinate investment activities on cybersecurity topics for the Company. It guarantees oversight of international cybersecurity standards and regulations and ensures cybersecurity policy definitions, in accordance with regulatory compliance and Enel Group organizational documents. It also ensures managerial reporting and continuous monitoring of ongoing cybersecurity initiatives.

·

Cyber Security Engineering, Design, and Implementation: aims to ensure the adoption of cybersecurity principles  throughout the entire lifecycle of IT/OT/IoT solutions and infrastructures.

·

Cyber Security Risk Treatment: aims to define and implement the most appropriate risk treatment actions to face cybersecurity risks.

·

Cyber Security Assurance: aims to analyze, verify, and test the effectiveness of the implemented risk response measures, detecting vulnerabilities, and assessing cybersecurity controls, ensuring the monitoring of remediation plans.

·

Cyber Emergency Readiness: aims to monitor, track, and report risk exposures and handle cybersecurity incidents that could occur.

·

Identity Management and Access Control: aims to manage the full lifecycle of digital identities used within the Company and perform security controls on access privileges to highlight possible risks and security improvements, triggering the necessary remediation processes.

·

Cyber Security Awareness and Training: aims to drive and run our Cyber Security Awareness and Training initiatives to focus attention on critical cybersecurity topics, working on behaviors and human factors.

In accordance with the CS Framework, Enel applies a Cyber Security Business Impact Analysis and Risk Assessment methodology (“Cyber Risk Management Procedure”), applicable to the entire  Group. It aims to identify, prioritize, and estimate cybersecurity risks within the Company, taking into consideration established risk acceptance levels. The first phase of the process aims to identify the risk level associated with a logical or physical asset (Risk Center),  while the second phase aims to define the controls necessary to achieve the desired level of risk mitigation.

The Cyber Security unit is engaged in monitoring the relevant cyber security regulatory and legislative framework, analyzing regulatory obligations, and guiding the implementation of necessary technological, organizational, and procedural adjustments to ensure compliance of Group companies subject to the applicable regulations. For example, in 2025, a compliance program aligned with Law No. 21,663 (“Ley Marco sobre la Ciberseguridad e Infraestructura Crítica

de la Información”), which applies to operators of essential services and of vital importance, was implemented for Group companies in Chile. In addition, the Cyber Security unit supports the Group in achieving and maintaining ISO 27001 certifications, obtained in 2025 for the distribution business in Chile.

As part of the Cyber Security unit, Enel’s CERT is a global unit that is active 24 hours a day, whose mission is to protect Enel’s employees and assets (instrumental to our business that could be compromised by cyber threats) by promoting a proactive approach based on “incident readiness” rather than “incident response”. The CERT operates with threat intelligence, incident response, and information sharing processes, and exchanges information within a network of accredited international partners.

The Threat Intelligence service helps Enel’s CERT detect and protect privileged information to avoid, mitigate, or manage a potential cyber incident. The Cyber Incident Response process outlines the responsibilities for implementing corrective actions to put in place when an incident occurs. During the execution of response activities, depending on the type and impact of a cyber incident, all internal stakeholders and required actors support Enel’s CERT to respond to an incident in the shortest time possible, relying on procedures, knowledgeable people, technical resources, and connections to external partners. Depending on the incident typology and related classification of risk level, the Cyber Incident Response process can activate all the procedures defined for incidents and critical events management (e.g., Policy for Data Breach management, Policy for IT Service Continuity Management) to facilitate an efficient and quick response, minimizing impacts on people, services, and assets. Induction sessions are periodically held to inform Enel’s Board about cybersecurity risks and the occurrence of any cybersecurity incidents.

Additionally, Enel’s CERT conducts periodic “cyber exercises” aimed at simulating a cybersecurity incident to increase the ability of response, readiness, incident management, and training of all relevant parties. The exercises involve both technical and business reference structures, and a final report is provided detailing the results of the cyber exercise. These simulations are performed worldwide, including by Enel Chile, to generate awareness and address any need for technical and/or organizational improvements. In 2025, among cyber exercises that involved the Chilean perimeter, Enel Chile participated in “SENEx | 1,a cyber exercise organized by Chilean institutional authorities.

If a cybersecurity incident occurs, it is classified according to the Enel Cyber Impact Matrix considering the improved event correlation capabilities coming from the adoption of new cybersecurity services. Most incidents are classified at low impact levels and are considered “day-by-day” instances because they do not significantly impact the Group’s systems. Enel’s CERT manages these incidents, which are generally blocked automatically or semi-automatically by the Group’s systems, thereby preventing and/or reducing the potential impact of a cyberattack. Incidents classified at medium, high, or critical impact levels of the Enel Cyber Impact Matrix may impact the Group and are managed by Enel’s CERT in conjunction with relevant stakeholders, depending on incident typology, business area, and geographic boundaries.

For the year ended December 31, 2025, based on the Enel Cyber Impact Matrix classification, there were no potentially critical impact cybersecurity incidents.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity Framework

In order to mitigate cyber risks across all digital environments of the Group (IT, OT, IoT), Enel adopted the Cyber Security Framework ( the “CS Framework”) in 2017 to guide and manage cybersecurity processes. It has been integrated into each company throughout the entire organization, including Enel Chile. The CS Framework is based on sector best practices

and international standards (ISO 27001/NIST) and addresses the principles and operational processes that support a global strategy of cyber risk analysis, prevention, and management.

The CS Framework is structured around eight core processes and is fully applicable to the complexity of the IT, OT, and IoT environment. It clearly defines roles and responsibilities, actively involving business areas and stakeholders throughout the organization, and establishes a solid basis for the full integration of technologies, core processes and people. The CS Framework focuses on and is driven by a “risk-based” approach and a “cybersecurity by design” principle.

The “risk-based” approach places risk assessment as a prerequisite for the Group’s strategic decisions. The estimation of cybersecurity risk factors (impacts, threats, vulnerabilities) is critical to assess  the Group’s level of cyber risk and to identify appropriate treatment actions to mitigate it. The “cybersecurity by design” principle ensures that cybersecurity requirements are considered throughout the entire lifecycle of systems and services.

The CS Framework provides the overall coverage of the following areas:

·

Cyber Security Risk Assessment: aims to identify, analyze, and evaluate cybersecurity risks, in line with the Group’s risk posture.

·

Cyber Security Strategy: aims to guide cybersecurity strategy, define cybersecurity objectives and priorities, address cybersecurity initiatives, and coordinate investment activities on cybersecurity topics for the Company. It guarantees oversight of international cybersecurity standards and regulations and ensures cybersecurity policy definitions, in accordance with regulatory compliance and Enel Group organizational documents. It also ensures managerial reporting and continuous monitoring of ongoing cybersecurity initiatives.

·

Cyber Security Engineering, Design, and Implementation: aims to ensure the adoption of cybersecurity principles  throughout the entire lifecycle of IT/OT/IoT solutions and infrastructures.

·

Cyber Security Risk Treatment: aims to define and implement the most appropriate risk treatment actions to face cybersecurity risks.

·

Cyber Security Assurance: aims to analyze, verify, and test the effectiveness of the implemented risk response measures, detecting vulnerabilities, and assessing cybersecurity controls, ensuring the monitoring of remediation plans.

·

Cyber Emergency Readiness: aims to monitor, track, and report risk exposures and handle cybersecurity incidents that could occur.

·

Identity Management and Access Control: aims to manage the full lifecycle of digital identities used within the Company and perform security controls on access privileges to highlight possible risks and security improvements, triggering the necessary remediation processes.

·

Cyber Security Awareness and Training: aims to drive and run our Cyber Security Awareness and Training initiatives to focus attention on critical cybersecurity topics, working on behaviors and human factors.
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

At the Enel Group’s executive management level, the Cyber Security Committee addresses and approves the Group cybersecurity strategy and periodically conducts oversight of strategy implementation (at least annually). The committee is chaired by the Enel Group’s CEO and made up of his/her front-line officers, including the head of the Cyber Security unit.

A separate Cyber Risks Operating Committee meets quarterly to define criteria to set priorities for risk analysis and acceptance according to Enel Group risk posture, in addition to sharing best practices and lessons learned. The committee consists of the head of the Cyber Security unit and Cybersecurity Risk “Reference Persons” (i.e., cybersecurity focal points for business areas and holding function—one focal point for each business area and holding function of the Enel Group). These Risk “Reference Persons” report to the head of the Cyber Security unit.

Additionally, cybersecurity risks and strategic initiatives are periodically discussed in depth by the Enel Group’s main executive and supervisory boards, such as the Risk Control Committee. Moreover, cyber risk is defined within the Enel Group Risk Catalogue as a risk related to digital technology.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Cyber Security Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

A separate Cyber Risks Operating Committee meets quarterly to define criteria to set priorities for risk analysis and acceptance according to Enel Group risk posture, in addition to sharing best practices and lessons learned. The committee consists of the head of the Cyber Security unit and Cybersecurity Risk “Reference Persons” (i.e., cybersecurity focal points for business areas and holding function—one focal point for each business area and holding function of the Enel Group). These Risk “Reference Persons” report to the head of the Cyber Security unit.
Cybersecurity Risk Role of Management [Text Block]

Governance

Since September 2016, Enel has operated a Cyber Security unit committed to guaranteeing governance, direction, and control of cybersecurity topics. The head of the Cyber Security unit, who is also Enel’s chief information security officer (“CISO”), reports directly to the head of Security function and to the head of global information and communication technology (“ICT”), the Enel Group’s chief information officer (“CIO”), as part of Global Service function.

At the Enel Group’s executive management level, the Cyber Security Committee addresses and approves the Group cybersecurity strategy and periodically conducts oversight of strategy implementation (at least annually). The committee is chaired by the Enel Group’s CEO and made up of his/her front-line officers, including the head of the Cyber Security unit.

A separate Cyber Risks Operating Committee meets quarterly to define criteria to set priorities for risk analysis and acceptance according to Enel Group risk posture, in addition to sharing best practices and lessons learned. The committee consists of the head of the Cyber Security unit and Cybersecurity Risk “Reference Persons” (i.e., cybersecurity focal points for business areas and holding function—one focal point for each business area and holding function of the Enel Group). These Risk “Reference Persons” report to the head of the Cyber Security unit.

Additionally, cybersecurity risks and strategic initiatives are periodically discussed in depth by the Enel Group’s main executive and supervisory boards, such as the Risk Control Committee. Moreover, cyber risk is defined within the Enel Group Risk Catalogue as a risk related to digital technology.

Mr. Yuri Rassega joined Enel in 2001, and after holding several positions within the ICT and Audit functions, he was appointed CISO and head of the Cyber Security unit for the Enel Group in June 2016. Mr. Rassega oversees all information technology (“IT”), operational technology (“OT”), and Internet of things (“IoT”) processes for Cyber Security Risk Management, Governance, Engineering, Assurance, and Operations areas, including the Enel Group’s Cyber Emergency Readiness Team (“CERT”) and Digital Identity Management.

Before joining Enel, Mr. Rassega served in roles with various responsibilities in the ICT industry, including the development of systems in the finance sector, telecommunications, internet service providers (ISPs), enterprise resource planning (ERP), supervisory control and data acquisition (SCADA) systems, automation control systems (ACS), and industrial control systems (ICS) solutions for several clients. His experience has developed through a wide range of roles, from software development and electronic design to consultancy, entrepreneurial roles, and senior management positions. He is a member of expert working groups sponsored by EU authorities and forums, such as the G7 and G20, the World Economic Forum (with 5 publications), and the International Council on Large Electric Systems (CIGRE). He also delivers seminars and lectures on cybersecurity-related topics at Italian universities.

Mr. Rassega is a founding partner and chairperson of AssoCISO (National Chief Information Security Officer Association) in Italy. He has participated as a speaker, panel chair, and member of the advisory board at dozens of international conferences in Europe, North America, Middle East, and Asia on cybersecurity, digital transformation, and wireless communications technologies. Mr. Rassega has also designed digital fraud detection tools and methods that are patented in Europe, the USA, and Latin America. Furthermore, Mr. Rassega has been appointed to the Technical and Scientific Committee of the Italian ACN (“Agenzia per la Cybersicurezza Nazionale” - National Cybersecurity Agency), a statutory body with advisory and consultative responsibilities and a guarantor role toward third parties.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] chief information security officer (“CISO”)
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Mr. Yuri Rassega joined Enel in 2001, and after holding several positions within the ICT and Audit functions, he was appointed CISO and head of the Cyber Security unit for the Enel Group in June 2016. Mr. Rassega oversees all information technology (“IT”), operational technology (“OT”), and Internet of things (“IoT”) processes for Cyber Security Risk Management, Governance, Engineering, Assurance, and Operations areas, including the Enel Group’s Cyber Emergency Readiness Team (“CERT”) and Digital Identity Management.

Before joining Enel, Mr. Rassega served in roles with various responsibilities in the ICT industry, including the development of systems in the finance sector, telecommunications, internet service providers (ISPs), enterprise resource planning (ERP), supervisory control and data acquisition (SCADA) systems, automation control systems (ACS), and industrial control systems (ICS) solutions for several clients. His experience has developed through a wide range of roles, from software development and electronic design to consultancy, entrepreneurial roles, and senior management positions. He is a member of expert working groups sponsored by EU authorities and forums, such as the G7 and G20, the World Economic Forum (with 5 publications), and the International Council on Large Electric Systems (CIGRE). He also delivers seminars and lectures on cybersecurity-related topics at Italian universities.

Mr. Rassega is a founding partner and chairperson of AssoCISO (National Chief Information Security Officer Association) in Italy. He has participated as a speaker, panel chair, and member of the advisory board at dozens of international conferences in Europe, North America, Middle East, and Asia on cybersecurity, digital transformation, and wireless communications technologies. Mr. Rassega has also designed digital fraud detection tools and methods that are patented in Europe, the USA, and Latin America. Furthermore, Mr. Rassega has been appointed to the Technical and Scientific Committee of the Italian ACN (“Agenzia per la Cybersicurezza Nazionale” - National Cybersecurity Agency), a statutory body with advisory and consultative responsibilities and a guarantor role toward third parties.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true