Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management and Strategy:

The Company has developed and implemented a cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of its Information Systems as well as its critical data.

TotalEnergies designs and evaluates its program based on the Cybersecurity Framework of the National Institute of Standards and Technology (NIST CSF), certain oversight by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) in France, and the ISO 27001 standard for an information security management system. This does not imply that we meet any particular technical specifications or requirements at all times but that the aforementioned frameworks and standards help us identify, assess, and manage cybersecurity risks relevant to our business.

The Company’s cybersecurity risk management program is integrated into TotalEnergies’ overall risk management program and shares common methodologies, reporting channels, and governance processes that apply to other areas of legal, compliance, strategic, operational, and financial risk.

The key elements of the cybersecurity risk management program include, but are not limited to:

Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader IT environment,
A cybersecurity team primarily responsible for managing our risk assessment processes, our cybersecurity controls, and our response to cybersecurity incidents,
The use of external service providers, where applicable, to assess, test, or assist with certain aspects of our cybersecurity controls,
Training and awareness initiatives on cybersecurity for our employees,
A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents, and
A risk management process for key service providers and suppliers who access critical systems and data, based on their risk profile.

In addition, the Company develops and disseminates cybersecurity rules that employees are required to follow. These rules are designed to be implemented throughout the Company.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

TotalEnergies designs and evaluates its program based on the Cybersecurity Framework of the National Institute of Standards and Technology (NIST CSF), certain oversight by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) in France, and the ISO 27001 standard for an information security management system. This does not imply that we meet any particular technical specifications or requirements at all times but that the aforementioned frameworks and standards help us identify, assess, and manage cybersecurity risks relevant to our business.

The Company’s cybersecurity risk management program is integrated into TotalEnergies’ overall risk management program and shares common methodologies, reporting channels, and governance processes that apply to other areas of legal, compliance, strategic, operational, and financial risk.

The key elements of the cybersecurity risk management program include, but are not limited to:

Risk assessments designed to help identify material cybersecurity risks to our critical systems, information, products, services, and our broader IT environment,
A cybersecurity team primarily responsible for managing our risk assessment processes, our cybersecurity controls, and our response to cybersecurity incidents,
The use of external service providers, where applicable, to assess, test, or assist with certain aspects of our cybersecurity controls,
Training and awareness initiatives on cybersecurity for our employees,
A cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents, and
A risk management process for key service providers and suppliers who access critical systems and data, based on their risk profile.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity incidents, that have materially affected us, including our operations, business strategy, results of operations, or financial condition. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. (See section 3.1.3 of Chapter 3 of the 2024 Universal Registration Document, starting on page 137.)

Cybersecurity Risk Board of Directors Oversight [Text Block]

Cybersecurity Governance:

The Board of Directors considers cyber risk to fall within its risk oversight function and has delegated the oversight of cybersecurity risks as well as other IT-related risks to the Audit Committee (the Committee). The mitigation of cybersecurity risks and risks related to external threats is a high priority for the Company and is reflected in a structured governance framework.

The Committee oversees the implementation of the cybersecurity risk management program, including by reviewing the Company’s system of cybersecurity risk controls and overseeing the deployment of certain audit objectives pursuant to the Company’s multi-year audit plan covering the Company’s Enterprise and Industrial information systems. Pursuant to its oversight role, the Committee is informed of the results of cybersecurity-related audit assignments, self-assessments, and, where necessary, any significant cybersecurity incidents. It periodically reports on its activities, including those related to cybersecurity, to the Board of Directors as a whole.

Finally, the Information Systems Department, overseen by the Finance President, annually submits the cybersecurity strategy for the Company’s Enterprise and Industrial Information Systems to the Executive Committee (Comex) for approval.

On an operational level, the management team, which includes the Chief Security Officer (CSO), the Chief Information Officer (CIO), the Company Chief Security Officer (C-CISO), and the Branch Chief Information Security Officers (B-CISOs), is responsible for the assessment and management of material risks from cybersecurity threats. This team is in charge of the overall cybersecurity risk management program and oversees both internal staff and external consultants working on cybersecurity. The relevant experience of our management team includes the following:

The CSO is a former French general of the National Gendarmerie, who led the Gendarmerie Intervention Group (GIGN) and directed counter-terrorism operations.
The CIO has over 19 years of experience in information systems at TotalEnergies.
The C-CISO is the former head of EUROPOL (for 11 years), a former colonel of the French Gendarmerie, and the former head of the National Criminal Intelligence Service.

Our management team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee (the Committee)
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Board of Directors considers cyber risk to fall within its risk oversight function and has delegated the oversight of cybersecurity risks as well as other IT-related risks to the Audit Committee (the Committee). The mitigation of cybersecurity risks and risks related to external threats is a high priority for the Company and is reflected in a structured governance framework.

The Committee oversees the implementation of the cybersecurity risk management program, including by reviewing the Company’s system of cybersecurity risk controls and overseeing the deployment of certain audit objectives pursuant to the Company’s multi-year audit plan covering the Company’s Enterprise and Industrial information systems. Pursuant to its oversight role, the Committee is informed of the results of cybersecurity-related audit assignments, self-assessments, and, where necessary, any significant cybersecurity incidents. It periodically reports on its activities, including those related to cybersecurity, to the Board of Directors as a whole.

Cybersecurity Risk Role of Management [Text Block]

On an operational level, the management team, which includes the Chief Security Officer (CSO), the Chief Information Officer (CIO), the Company Chief Security Officer (C-CISO), and the Branch Chief Information Security Officers (B-CISOs), is responsible for the assessment and management of material risks from cybersecurity threats. This team is in charge of the overall cybersecurity risk management program and oversees both internal staff and external consultants working on cybersecurity. The relevant experience of our management team includes the following:

The CSO is a former French general of the National Gendarmerie, who led the Gendarmerie Intervention Group (GIGN) and directed counter-terrorism operations.
The CIO has over 19 years of experience in information systems at TotalEnergies.
The C-CISO is the former head of EUROPOL (for 11 years), a former colonel of the French Gendarmerie, and the former head of the National Criminal Intelligence Service.

Our management team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] On an operational level, the management team, which includes the Chief Security Officer (CSO), the Chief Information Officer (CIO), the Company Chief Security Officer (C-CISO), and the Branch Chief Information Security Officers (B-CISOs), is responsible for the assessment and management of material risks from cybersecurity threats. This team is in charge of the overall cybersecurity risk management program and oversees both internal staff and external consultants working on cybersecurity.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The CSO is a former French general of the National Gendarmerie, who led the Gendarmerie Intervention Group (GIGN) and directed counter-terrorism operations.
The CIO has over 19 years of experience in information systems at TotalEnergies.
The C-CISO is the former head of EUROPOL (for 11 years), a former colonel of the French Gendarmerie, and the former head of the National Criminal Intelligence Service.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Our management team is informed about and monitors the prevention, detection, mitigation, and remediation of cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; threat intelligence and other information obtained from governmental, public, or private sources, including external consultants engaged by us; and alerts and reports produced by security tools deployed in the IT environment.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true