Privacy and security

Privacy

Protecting the personal data of our customers, employees and other stakeholders has Alliander’s continuous attention. We aim for an increasing level of maturity when it comes to privacy. In 2024, we continued development of our new automated Privacy Control Framework for optimising privacy and control measures. We also devote effort to Privacy by Design, which involves ensuring that privacy is systematically part of a product or service under development from the start of the process. Our development teams are making significant progress in this area. A targeted validation check is performed on all (new) IT applications (data minimisation, authorisations for access rights and removal of personal data).

Data breaches

In 2024, there were no data breaches involving customers that required reporting to the Dutch Data Protection Authority and the customers concerned, but we did investigate a total of 34 data breaches identified within Alliander. Four of these were cases where we had a duty to submit a report to the Dutch Data Protection Authority, in line with the GDPR. In addition, there were 4 incidents that involved centralised processing, so the network operators bear joint responsibility for them.

Security 

Retaining the trust of customers and shareholders requires us to remain resilient. Maintaining focus on our strategic goals is only possible if we prevent security incidents or minimise their impact. We achieve this by investing in people, procedures and technology. In recent years, the number and frequency of threats to organisations in general and organisations with vital infrastructure have increased. Examples of these are:

  • Geopolitical developments and state actors.

  • Cybercrime, such as hijacking of systems and data.

  • Vulnerabilities in systems, software and human behaviour within our ecosystem.

Alliander works in accordance with a security strategy to structurally safeguard security within Alliander, maintain our resilience at an adequate level and comply with relevant laws and regulations.

Information Security Management System 

We are working towards an Alliander-wide Information Security Management System to manage security within Alliander consistently in a dynamic world. In 2024, we tightened security controls in accordance with the ISO 27001 plan-do-check-act cycle. The ISO 27001 certificates for Liander, Alliander Telecom and Qirion were renewed.

Business Continuity Management 

We facilitate business continuity management (BCM) to minimise the impact of a crisis or contingency on business processes. We do this by optimising our preparations for a crisis and by defining our actions during and after the crisis. This is structurally embedded in the form of an action plan and policy relating to BCM. The goal of BCM is to implement measures required in our operations and in the area of information technology to safeguard the continuity of the (most critical) business processes and to minimise the impact of outages on the services we provide. We conduct simulations and tests to assess our crisis organisation. These exercises and test activities involve both outages of energy supplies such as gas and electricity, and non-availability of our digitalisation facilities. In addition, specific plans are available to ensure the continuity of internal processes in the event of a crisis or major disruption.

Sufficiently mature security

As a vital infrastructure company, Alliander attaches great importance to its ability to structurally control security risks. This is why we are constantly working on improving our security resilience. In concrete terms this means that we work in accordance with ISO 27001 and that we allow the level at which we do this, the maturity of our security, to be measured using the C2M2 (Cybersecurity Capability Maturity Model) methodology. The C2M2 methodology is specifically designed for energy network operators and includes both the IT and the OT environment of an organisation.

Security by design

Where possible, we apply Security by Design in digitalisation initiatives, whether or not we build them ourselves. This enables us to implement security wishes and requirements efficiently and effectively. How the software will meet these security wishes and requirements is described in advance. We continuously test all (insourced) software for risks and critical findings, and resolve them in an ongoing process.