Operational Resiliency Policy

Iberdrola guarantees a consistent, planned and coordinated response to disruptive circumstances or crises that might affect the business of the Group

16 June 2026

The Board of Directors of IBERDROLA, S.A. (the “Company”) has the power to design, assess and continuously revise the Company’s Governance and Sustainability System, and specifically to approve and update policies, which contain the guidelines governing the conduct of the Company, and furthermore, to the extent applicable, inform the policies that the companies belonging to the group of which the Company is the controlling entity, within the meaning established by law (the “Group”), decide to approve in the exercise of their autonomy.

In exercising these powers and within the framework of legal provisions, the By-Laws and the Purpose and Values of the Iberdrola Group, the Board of Directors hereby approves this Operational Resiliency Policy (the “Policy”), which respects, further develops and adapts the Ethical and Basic Principles of Governance and Sustainability of the Iberdrola Group with respect to the Company.

As a provider of essential services and proprietor of critical infrastructure, the Company affirms through this Policy its firm commitment to excellence in business and operational continuity.

1. Scope of Application

This Policy applies to the Company. Without prejudice to the foregoing, it includes basic principles that, in the area of the sustainable value chain, and particularly operational resiliency, complement those contained in the Ethical and Basic Principles of Governance and Sustainability of the Iberdrola Group and, to this extent, must inform the conduct and standards-setting implemented by the other companies of the Group in this area in the exercise of their powers and in accordance with their autonomy.

To the extent that listed country subholding companies form part of the Group, they and their subsidiaries, under their own special framework of enhanced autonomy, may establish principles and rules that must have content consistent with the principles of this Policy.

To the extent applicable, these principles must also inform the conduct of the foundations linked to the Group.

For companies that do not form part of the Group but in which the Company holds an interest, as well as for joint ventures, temporary joint ventures (uniones temporales de empresas) and other entities in which it assumes management, the Company shall also promote the alignment of its regulations with the basic principles regarding the sustainable value chain, and particularly operational resiliency, contained in this Policy.

2. Purpose

This Policy is intended to establish the principles of conduct governing operational resiliency so as to ensure that the appropriate capabilities are in place to address, in a robust, consistent, planned and coordinated manner, unforeseen adverse situations, whether internal or external, that could significantly disrupt or alter the normal operations of the Company and, to the extent applicable, those of the other companies of the Group. The purpose of the aforementioned response shall be to minimise the negative impact or effect of such events as far as possible, maintaining priority operations and processes at predefined levels, restoring stability as quickly as possible and drawing conclusions that make it possible to strengthen the ability to adapt and improve in response to future events.

The Policy also sets out the principles to be followed by the operational resiliency model of the Company and the other companies of the Group (the “Operational Resiliency Model”).

As a provider of essential services and, where applicable, proprietor of critical infrastructure, the Company shall conduct its activities in the area of operational resilience in accordance with applicable legal provisions, the Governance and Sustainability System and any applicable Risk Guidelines and Limits.

3. Main Principles of Conduct

The Company adopts and promotes the following main principles of conduct that must inform all of its activities in the area of operational resilience:

  1. Periodically assess and identify, for all organisations, priority business processes, together with their associated resources and operational resilience requirements, based on consistent standards, in order to protect such processes against adverse situations that may affect them.
  2. Maintain appropriate response and crisis management capabilities to deal robustly with adverse and crisis situations that may affect the Company’s priority operations, and to properly manage resilience risks, in accordance with the Security Policy, the General Risk Control and Management Foundations of the Iberdrola Group and the Security and Resilience Risk Guidelines and Limits.
  3. Regularly review, update and test response and crisis management plans in order to verify their effectiveness and currency, as well as to identify deficiencies and opportunities for improvement and capture lessons learned.
  4. Define and implement, through the Operational Resiliency Model, a formal, recurring and measurable practice that establishes, for each level of the organisation, the appropriate operational resilience capabilities, as well as the roles, responsibilities and resources required to implement such capabilities, in accordance with market standards and generally recognised best practices in the area.
  5. Regularly assess and monitor the level of implementation and effectiveness of the Operational Resiliency Model, identifying its deficiencies and opportunities, and promote its continuous improvement.
  6. Promote an appropriate level of training, skills development and awareness at all levels of the organisation in the area of operational resilience.
  7. Maintain appropriate coordination among the divisions of the Group’s companies that have been assigned powers in the areas of operational resilience, risk and internal assurance.
  8. Regularly monitor the internal and external context, including evolving threats, vulnerabilities, critical dependencies, internal capabilities, and technological and regulatory, social, economic or competitive changes that may affect operational resilience.
  9. Document relevant incidents, tests and drills, assess the causes and impacts of incidents, capture lessons learned and define corrective actions in relation to all of the foregoing.
  10. Identify relevant operational resilience stakeholders and consider their needs, expectations and requirements, in accordance with the provisions of the Stakeholder Engagement Policy and the Operational Resiliency Model.
  11. Allocate appropriate resources for the performance of the duties and responsibilities established in the Operational Resiliency Model and in the operational resiliency plans.
  12. Promote the integration of operational resilience into the Company’s initiatives from their initial and design phases and by default, in coordination with risk management, security, cybersecurity and digital technology.

4. Group-level Coordination: the Operational Resiliency Model

The Security and Resilience Division (or such division as assumes the powers thereof at any time), through the Security, Resilience and Digital Technology Committee (or such committee as assumes the powers thereof at any time) shall regularly review the Operational Resiliency Model, which has been prepared in accordance with the Ethical and Basic Principles of Governance and Sustainability of the Iberdrola Group and the provisions of this Policy.

The Operational Resiliency Model shall establish common standards and practices for conduct, coordination, monitoring and oversight, respecting in all cases the corporate autonomy of the companies of the Group, in order to give effect to the principles of conduct set out in this Policy, defining roles and responsibilities, as well as the rules, programmes, guidelines and procedures necessary for the companies of the Group to have the appropriate capabilities to develop the capacity for operational resiliency on a continuous, formal, consistent, systematic and measurable basis, in line with generally recognised standards and best practices in the area.

The Operational Resiliency Model allows the Company and the other companies of the Group to support the strategic goals and brand image of the Group, protect their reputation and credibility, reduce the impacts of disruptive events, protect life, property and natural capital, and maintain proactive and efficient control of risks, while also ensuring compliance with, among other matters, their responsibilities as providers of an essential service such as electricity supply and, if applicable, as proprietors of critical infrastructure.

For these purposes, the Operational Resiliency Model must establish at least the following actions:

  1. Regularly analyse the activities and processes of the various corporate and business areas and prioritise them from an operational resilience perspective.
  2. Define response plans for adverse situations that are appropriate to their nature and severity, including general incident response procedures, as well as specific business continuity and crisis management plans, which establish the necessary organisational structures, standards and procedures to be followed, as well as the resources required to implement them.
  3. Define and carry out tests and drills of response plans, identifying deficiencies and opportunities, and draw conclusions.
  4. Regularly assess and monitor the level of implementation and effectiveness of the Operational Resiliency Model.
  5. Identify legal or regulatory requirements in the field of operational resilience and validate coverage and compliance therewith.
  6. Establish mechanisms for the coordination, monitoring and supervision of the implementation of the Operational Resiliency Model at the country subholding companies, with the possibility of setting up resilience offices at those levels.

The Operational Resiliency Model shall incorporate metrics and monitoring indicators aligned with the Security and Resilience Risk Guidelines and Limits, including, where appropriate, indicators relating to the assessment of processes, the definition and testing of plans, crisis exercises, significant risks pending mitigation and significant incidents.

Based on the provisions of the Operational Resiliency Model, each company of the Group shall prepare its respective operational resiliency plans, which shall include details of the tasks to be carried out in each financial year, in order to effectively deploy, implement and execute the Operational Resiliency Model, applying it in each area for the defined scope in each case.

In addition, the Security, Resilience and Digital Technology Committee (or such committee as assumes the powers thereof at any time) shall coordinate with the corresponding committees of the country subholding companies or, in the absence thereof, with the Security and Resilience Division (or such division as assumes the powers thereof at any time) to endeavour to ensure the preparation of their respective operational resiliency plans at each company of the Group, as well as monitoring of the implementation of such plans and practices, and management of the operational resilience risks within their respective purviews.

The Security, Resilience and Digital Technology Committee (or such committee as assumes the powers thereof at any time) shall monitor the status of the Operational Resiliency Model and its level of implementation at the Group level.

5. Implementation and Monitoring

For the implementation and monitoring of the provisions of this Policy, as well as for the monitoring of the Operational Resiliency Model, the Board of Directors is assisted by the Security and Resilience Division (or such division as assumes the powers thereof at any time), through the Security, Resilience and Digital Technology Committee (or such committee as assumes the powers thereof at any time), which shall establish a procedure for regular monitoring and reporting to the governance bodies.

* * *

This Policy was initially approved by the Board of Directors on 20 February 2024 and was last amended on 16 June 2026.