
Information Security Policy

1. CONTEXT
Information is the essential thread that runs through virtually all the business processes of the entities that make up PONS, ensuring that they are carried out efficiently and to a high standard of quality, thereby achieving the strategic objectives formally established by Management.

The main aspects of information security that must be guaranteed in the execution of any business process are:

  • Confidentiality: Ensures that information is only accessible to authorised persons, entities or processes.
  • Integrity: Ensures that information is generated, modified and deleted only by authorised persons, entities or processes.
  • Availability: Ensures that information is accessible when authorised persons, entities or processes require it.
  • Traceability: Ensures that information relating to access and activity carried out by persons, entities or processes is available for any analysis of anomalous behaviour patterns that may need to be carried out.

Moreover, there are other dimensions of security, such as party authentication or non-repudiation, which must also be ensured when the security value of the information, in the context of the business process in which it is stored, processed or transmitted, so requires.

The Information Security Policy is based on the adoption of clear and well-defined principles that ensure compliance with strategic guidelines, legal requirements, and contractual requirements entered into with third parties or stakeholders. It therefore constitutes the main instrument on which PONS relies for the secure use of information and communications technologies.

The regulations (security instructions, standards and procedures) that arise or are derived from PONS’ Information Security Policy shall become part of such policy once disclosed, and shall be mandatory for all employees and third parties who make use of such information.

Employees shall be responsible for ensuring the security of the information they process, store or transmit in the performance of their duties, and shall be required to know, understand and comply with the guidelines and rules relating to information security, ensuring the correct application of the protection measures put in place.

Employees’ access to information shall be limited to what is strictly necessary for the proper performance of their formally assigned duties, thereby ensuring compliance with the policy of least privilege. Therefore, those responsible for information identified in the various entities that make up PONS shall take into account all technical and organisational security measures to define and maintain the appropriate privileges for access to information, depending on the activities of each job position.

Failure to comply with the guidelines of the Information Security Policy could result in the application of internal administrative sanctions.

Management shall ensure that this Information Security Policy is understood and implemented in all entities belonging to PONS, providing the necessary resources to achieve the objectives defined in this framework for action.

2. OBJECTIVES
The Information Security Policy is established as the high-level document that formalises the various security guidelines adopted by PONS, which shall be described in greater detail in the corresponding security regulations drawn up for this purpose.

Under this premise, therefore, the Information Security Policy contemplates the following main objectives:

  • To comply with the applicable legal regulations in the field of information security that have an impact on the context of the main activity carried out.
  • To contribute to the fulfilment of the formally established mission and strategic objectives.
  • To ensure adequate protection of different information assets based on their degree of sensitivity and criticality (security value of information assets according to the different dimensions considered and formalised in the corresponding Information Value Model).
  • To align information security with business requirements by formalising and executing the process of analysing and evaluating the risks to which the various information assets are exposed, thereby defining a strategy for mitigating risks related to the information security environment.
  • To ensure an ability to effectively respond to possible information security incidents, minimising the respective operational, financial and reputational impact.
  • To facilitate the sizing of the resources necessary for the correct implementation of the technical and organisational security measures set out in the security regulations documented for this purpose.
  • To promote the use of good practices in information security and to create a culture of security within the context of organisational structure.
  • To ensure the definition, implementation and maintenance of a Business Continuity Plan for the critical processes identified after the execution of the Business Impact Analysis (BIA).
  • To establish mechanisms for review, monitoring, auditing and continuous improvement in order to maintain the appropriate levels of security required by the business model.

3. SCOPE
The Information Security Policy covers under its scope all information assets existing in the various entities that make up PONS, which act as the supporting infrastructure for the execution of its business processes.

4. REGULATORY FRAMEWORK
The formalisation of the Information Security Policy, as well as the security regulations derived from it, shall take into account and integrate the following applicable legal regulations:

  • Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, GDPR – General Data Protection Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • Organic Law 3/2018 of 5 December 2018 on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter Law 3/2018).
  • Law 34/2002 of 11 July on Information Society and Electronic Commerce Services (hereinafter LSSICE).
  • Royal Legislative Decree 1/1996 Intellectual Property Law.
  • Trademark Law 17/2001.

5. PRINCIPLES
In order to ensure compliance with the security objectives identified above, the Information Security Policy formalises the application of certain security principles.

5.1. SECURITY AS A COMPREHENSIVE PROCESS
Security is understood as a comprehensive process comprising all human, material, technical, legal and organisational elements related to the information systems used to support the execution of business processes. In this regard, therefore, all security activities shall be carried out from this perspective, avoiding any isolated actions or temporary measures.

The utmost attention shall be paid to raising awareness among those involved in the execution of business processes and among supervisors, with the aim of preventing ignorance, lack of organisation and coordination, or inadequate instructions from constituting sources of risk to information security.

5.2. RISK-BASED SECURITY MANAGEMENT
Risk analysis and management is an essential part of the security process and must be a continuous and constantly updated activity.

Risk management shall enable the maintenance of a controlled information environment, minimising risks to acceptable levels formalised by Management.

Risk reduction to such levels shall be achieved through the application of security measures that are balanced and proportionate to the nature of the information processed, the services to be provided and the risks to which the various information assets used are exposed.

5.3. PREVENTION, DETECTION AND RESPONSE
Information security must include actions relating to aspects of prevention, detection and response, in order to minimise existing vulnerabilities and ensure that threats do not materialise or, if they do, that they do not seriously affect the information or services provided.

Preventive measures, which may include components aimed at deterrence or reducing the area of exposure, should reduce the likelihood of threats materialising.

Detection measures shall be aimed at early warning of any scenario in which threats materialise.

Response measures, which shall be managed in a timely manner, shall be aimed at restoring information and services that may have been affected by a security incident.

5.4. EXISTENCE OF LINES OF DEFENCE
It must be ensured that the protection strategy consists of multiple layers of security, arranged in such a way that, when one of the layers is compromised, it is possible to respond appropriately to incidents that could not be prevented, reducing the likelihood of them spreading.

The lines of defence must consist of organisational, physical and logical measures.

5.5. CONTINUOUS MONITORING AND PERIODIC REASSESSMENT
Continuous monitoring shall enable the detection of anomalous activities or behaviour and a timely response.

The ongoing assessment of the security status of information assets shall enable their evolution to be measured, detecting vulnerabilities and identifying configuration deficiencies.

Security measures shall be periodically reassessed and updated, adapting their effectiveness to the evolution of risks and protection systems, and may lead to a rethinking of security, if necessary.

5.6. DIFFERENTIATION OF RESPONSIBILITIES
Responsibility for information security shall be differentiated from responsibility for the operation of information systems.

6. THIRD PARTIES
When any of the entities that make up PONS requires the participation of third parties to provide a service, it shall inform them of the security regulations that are relevant in the context of said collaboration, and they shall be subject to the obligations established in said regulations.

Specific procedures for reporting and resolving security incidents that may arise during the provision of the service shall be formalised.

When any aspect of the security regulations cannot be satisfied by a third party, the authorisation of the ISMS Manager shall be required, after identifying the risks involved and how to deal with them, and it will not be possible to formalise the contract prior to obtaining such authorisation. In any case, these authorisations, depending on their categorisation, shall be reported to the Security Committee so that the appropriate decisions can be made.

Approved exceptions shall be duly recorded in the Exceptions Log.

7. REVISION
The Information Security Policy shall be reviewed annually by the Security Committee or whenever there is a significant change (approach to security management, business circumstances, legal changes, changes in the technical environment, recommendations made by control authorities, and trends related to threats and vulnerabilities) that requires it.

In the event that a new version of the Information Security Policy is obtained, formal approval by Management shall be required prior to its disclosure.

8. APPLICABLE SANCTIONS
Any duly proven breach or violation of the guidelines set out in the Information Security Policy or in the security measures and procedures identified in the regulations derived from it may result in the application of internal administrative sanctions.

Exceptions to this Information Security Policy must be justified in advance through a formal risk acceptance process. Such exceptions must be entered in the Exceptions Log and shall be monitored by the Security Committee.

9. ENTRY INTO FORCE
Text approved by Management on 12 September 2025.

Its entry into force entails the repeal of any other Policy that existed for such purposes, as well as its publication on the corporate intranet.

Corporate Director.
