Ethics and compliance

NFS

The Italgas Group operates on the basis of a Corporate Management System comprising an Organisational System and a Regulatory System that defines roles, responsibilities, powers and rules of conduct to be upheld in going about the corporate business. The Corporate Management System is updated continuously with a view to guaranteeing the effectiveness and efficiency of processes, safeguarding the company’s assets and ensuring compliance with legislation, thereby allowing Italgas to also direct the management and coordination of the subsidiaries.

The correctness and transparency of business management aim not only to ensure a correct management model and dialogue with stakeholders, but also to prevent corruption.

The Code of Ethics

On 16 December 2021 the Board of Directors approved the update to the Code of Ethics [25], replacing the version previously adopted on 18 October 2016. The Code of Ethics represents a general principle of the Model 231 from which no derogation can be made. It is a collection of the values that the Company recognises, accepts and shares and the responsibilities it assumes within and outside of its organisation. The Code of Ethics has been integrated to assign importance to sustainability topics, with formal reference made to the relevant documents (e.g. Sustainability Policy, Human Rights Policy, HSEQE Policy, etc.), and to the prevention of and fight against corruption, also under the certifications of the Italgas Group Companies in accordance with the provisions of standard UNI ISO 37001/2016. The Code of Ethics also recalls the principles of business responsibility, which should be complied with on the subjects of the workplace, relations with stakeholders and suppliers and the matter of personal data protection.

The Code of Ethics applies to “Italgas people”, that is, directors, statutory auditors, management and employees of Italgas, as well as all of those who work to achieve the objectives of Italgas, each within the scope of their functions and responsibilities. The representatives indicated by Italgas on the corporate bodies of affiliate companies, consortia and joint ventures promote the principles and contents of the Code of Ethics within their areas of responsibility. The Supervisory Body acts as guarantor of the principles set forth in the Code of Ethics, reporting back once every six months to the Control and Risks Committee and the Board of Statutory Auditors.

Organisational and management model pursuant to Legislative Decree 231/2001

The Model 231 is a support tool aiming to prevent the administrative liability of the entity and is intended for members of Italgas corporate bodies, management and employees, as well as those operating to achieve Italgas objectives. On 16 December 2021 the Italgas Board of Directors approved its organisational, management and control model [26] pursuant to Legislative Decree no. 231 of 8 June 2001 (“Model 231”), updating the version previously adopted on 18 October 2016.

The Italgas Model 231 is updated in light of periodic legislative reforms, which modify the list of predicate offences relevant in accordance with Italian Legislative Decree 231/2001, as well as in light of any organisational and regulatory changes within the Italgas Group.

In application of its Model 231, Italgas appoints a Supervisory Body consisting of three external members, one of whom, acting as Chairman, was chosen from scholars and professionals with proven expertise and experience on legal and corporate issues and corporate economics and organisation. The term of office of members of the Supervisory Body is aligned with that of the Board of Directors which appointed them. The term of office of the members expires on the date of the Shareholders’ Meeting called for the approval of the financial statements for the last year of their office, although they continue to carry out their functions over the ad interim period, until new members of the Supervisory Body are appointed.

Each Subsidiary independently adopts its own Model 231 and constantly updates it according to the specific needs of the corporate context, although the main point of reference is the principles of Italgas’ Model 231 and it must take into account the indications and implementation methods laid down by Italgas with regard to the organisational and operating structure of the Group. Additionally, each subsidiary appoints an autonomous and independent Supervisory Body.

Certified management systems and accreditations

For Group companies, Italgas assures the adoption of both the Integrated management system for health and safety at work, the environment, quality and energy (HSEQE) and the Management system for the prevention of and fight against corruption. To this end, for companies that are not yet certified, Italgas has prepared the HSEQE and Anti-corruption certifications development plan.

The Management systems stimulate the involvement of staff and foster the conduct of business according to standards of loyalty, correctness, transparency, honesty and integrity, in compliance with laws, regulations, international standards and guidelines and help improve the processes, to satisfy the expectations of its stakeholders.

With specific reference to the Group’s route towards decarbonisation, it is important to note the 2021 start-up of a plan to spread an energy efficiency culture to the population of the distribution companies, through the delivery of training courses on ISO 50001 as well as basic courses on energy saving and, in some cases, advanced courses for “Energy Management Expert” certification.

The management systems are structured and implemented in compliance with the requirements of reference international standards:

  • UNI ISO 37001:2016 “Management systems for the prevention of corruption”;
  • UNI EN ISO 9001:2015 “Quality management systems”;
  • UNI EN ISO 14001:2015 “Environmental management systems”;
  • UNI ISO 45001:2018 “Management systems for health and safety at work”;
  • UNI CEI EN ISO 50001:2018 “Energy management system”.

and commitments to these topics are expressed in the related corporate policies in order to inspire activities and conduct in specific regulatory and market contexts.

Under the scope of the Group Company management systems, the regulatory tools prepared help ensure regulatory compliance and personal health and safety (of employees, end customers, contractors, etc.) as well as preventing accidents, safeguarding the environment, ensuring public safety and a rational use of energy, global quality and the prevention of and fight against corruption.

To verify compliance of the Management systems with the standard requirements, Italgas uses the DNV Certification Body, which, in 2021, carried out the relevant audits and issued the relevant certificates.

The accreditations of the Companies, or of some of their sectors, are verified and issued by ACCREDIA (single accreditation entity).

According to their corporate purpose and business, as at 2021, the Italgas Group companies have the following certifications and accreditations [27]:

Certifications of Italgas S.p.A.

| Degree of certification coverage | Reference standard | Year of first certification |
|---|---|---|
| Company/Group | UNI ISO 37001 | 2018 |

Certifications and accreditations of Italgas Reti S.p.A.

| Degree of certification/accreditation coverage | Reference standard | Year of first certification/accreditation |
|---|---|---|
| Company | UNI CEI EN ISO 50001 | 2012 |
| Company | UNI EN ISO 14001 | 2001 |
| Company | UNI ISO 45001 | 2019* |
| Company | UNI EN ISO 9001 | 1996 |
| Company | UNI ISO 37001 | 2018 |
| Calibration laboratory | UNI CEI EN ISO/IEC 17025 | 2009 |
| Testing laboratory | UNI CEI EN ISO/IEC 17025 | 1994 |
| Type C inspection body | UNI CEI EN ISO/IEC 17020 | 2014 |

* Since 2001 for the former reference standard OHSAS 18001

Certifications and accreditations of Toscana Energia S.p.A.

| Degree of certification/accreditation coverage | Reference standard | Year of first certification/accreditation |
|---|---|---|
| Company | UNI CEI EN ISO 50001 | 2017 |
| Company | UNI EN ISO 14001 | 2003 |
| Company | UNI ISO 45001 | 2019* |
| Company | UNI EN ISO 9001 | 1998 |
| Company | UNI ISO 37001 | 2020 |
| Type C inspection body | UNI CEI EN ISO/IEC 17020 | 2016 |

* Since 2003 for the former reference standard OHSAS 18001

Certifications of Medea S.p.A.

| Degree of certification coverage | Reference standard | Year of first certification |
|---|---|---|
| Company | UNI CEI EN ISO 50001 | 2021 |
| Company | UNI EN ISO 14001 | 2021 |
| Company | UNI ISO 45001 | 2021 |
| Company | UNI EN ISO 9001 | 2021* |
| Company | UNI ISO 37001 | 2020 |

* Since 2014 for the Sassari site only

Certifications of Italgas Acqua S.p.A.

| Degree of certification coverage | Reference standard | Year of first certification |
|---|---|---|
| Company | UNI CEI EN ISO 50001 | 2021 |
| Company | UNI EN ISO 14001 | 2021 |
| Company | UNI ISO 45001 | 2020 |
| Company | UNI EN ISO 9001 | 2020 |
| Company | UNI ISO 37001 | 2020 |

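Certifications of Seaside S.p.A.

| Degree of certification coverage | Reference standard | Year of first certification |
|---|---|---|
| Company | UNI EN ISO 14001 | 2021 |
| Company | UNI ISO 45001 | 2021 |
| Company | UNI EN ISO 9001 | 2021* |
| Company | UNI ISO 37001 | 2020 |
| Company | UNI CEI 11352 | 2015 |
| Company | F-GAS (DPR 43/12) | 2013 |
| Company | SA8000 | 2007 |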

* Since 2014 for the Bologna site only

Certifications of Gaxa S.p.A.

| Degree of certification coverage | Reference standard | Year of first certification |
|---|---|---|
| Company | UNI EN ISO 14001 | 2021 |
| Company | UNI ISO 45001 | 2021 |
| Company | UNI EN ISO 9001 | 2021 |
| Company | UNI ISO 37001 | 2020 |

Anti-corruption

Italgas works to fight and prevent any form of corruption both nationally and internationally.
The relevance of the corruption risk for the company’s activities is specifically analysed and managed in Model 231 and the internal management system specifically adopted. Anti-corruption measures are contained in a specific Compliance Standard that provides a systemic framework for Italgas regulatory instruments in this area, inspired by the principles of conduct set out in the Code of Ethics and the specific Policy for the prevention of and fight against corruption. The Anti-corruption Compliance Standard brings together the measures Italgas has adopted to prevent any form of corruption in relations with third parties, Public Officials and private individuals, both nationally and internationally, to protect the integrity of the business and the reputation of the Group. The Compliance Standard applies to Italgas S.p.A. and its subsidiaries as part of the management and coordination activities performed by the Group’s corporate body. Adherence to the anti-corruption measures is also required of suppliers, intermediaries and any party that may have relations with Italgas.

In 2021, as already reported for 2020, no incidents of corruption took place.

| GRI 205-3 Confirmed incidents of corruption and actions taken | U.o.m. | 2019* | 2020 | 2021 |
|---|---|---|---|---|
| Total confirmed incidents of corruption | no. | 0 | 0 | 0 |
| Confirmed incidents of corruption with dismissal/disciplinary measure of employees | | 0 | 0 | 0 |
| Confirmed incidents of corruption with termination/non-renewal of contracts with business partners | | 0 | 0 | 0 |

*The data reported for FY 2019 refer to the companies Italgas Reti and Italgas S.p.A. only.

| GRI 205-2 Disclosure and training on anti-corruption policies and procedures | U.o.m. | 2019 | 2020 | 2021 |
|---|---|---|---|---|
| Anti-corruption training* | hours | 367 | 3,849 | 1,950 |
| Attendees | no. | 302 | 2,914 | 1,686 |

* The training considered covers the following subjects: Code of Ethics, Model 231, Anti-corruption, Antitrust and Data Protection.

HIGHLIGHT

ISO 37001

At the end of 2021, Italgas S.p.A. and the subsidiary Italgas Reti S.p.A. achieved renewal for the three-year period 2021-2024 of the certification in accordance with standard UNI ISO 37001:2016, which certifies the conformity of the management system for the prevention of and fight against corruption. In addition, during the year, internal audits were carried out that led to the maintenance of certification in accordance with standard UNI ISO 37001:2016 for all management systems for the prevention of and fight against corruption adopted by Italgas Acqua S.p.A., Seaside S.p.A., Medea S.p.A., Toscana Energia S.p.A. and Gaxa S.p.A. The management systems for the prevention of and fight against corruption were reassessed for maintenance upon completion of the in-depth audits. The corporate departments and representatives, supervised by the department for conformity for the prevention of and fight against corruption, showed commitment and collaboration in implementing and observing the measures adopted in order to assure the adequacy and suitability of each management system for the prevention of and fight against corruption in accordance with standard UNI ISO 37001:2016.

Following the establishment of the company Bludigit S.p.A. in July 2021, it is planned that the company will adopt and implement its own management system for the prevention of and fight against corruption, which will then be audited in order to obtain UNI ISO 37001:2016 certification in 2022.

Antitrust

On 18 October 2016 the Board of Directors approved its Antitrust Code of Conduct (the “Antitrust Code”), which defines the guidelines of behaviour to which all employees of Italgas and its Subsidiaries should conform in order to guarantee the compliance of Italgas and its Subsidiaries with the principles dictated by the applicable antitrust regulations.

The Antitrust Code applies to the entire Italgas Group as part of Italgas’ management and coordination activities, and is one of the initiatives aimed both at protecting competition as part of the business culture and at implementing suitable procedures and systems for minimising the risk of violations of antitrust laws, under the broader umbrella of the compliance initiatives of the Italgas Group.

The adoption of the Antitrust Code is part of the broader antitrust compliance programme promoted by the Italgas Group, which includes, inter alia, the establishment of an antitrust department within the Legal Department, which anyone in the Group can contact for communications concerning the interpretation and application of the Antitrust Code and whenever a situation with potential antitrust risk arises.

Due to the evolution of the structure and organisation of the Italgas Group, on 27 July 2020, the Board of Directors approved the update of the “Antitrust Compliance Standard” (“Antitrust and Consumer Protection Code of Conduct”). In particular, on the one hand references to consumer protection provisions were analysed in depth, and, on the other, the description of the main circumstances prohibited by competition law was outlined in more detail, also using accurate references to the decision cases of the Italian Competition Authority. This update was preceded by an assessment aimed at verifying the level of updating, in light of the criteria established by the guidelines of the Italian Competition Authority, of the “Antitrust” Compliance Standard already in force for Group companies.

An updated Antitrust and Consumer Protection Manual is attached to the Antitrust and Consumer Protection Code of Conduct, which describes the main antitrust and consumer protection provisions and provides an overview of the most important decision-making practices of the Italian Competition Authority. The Manual is a more in-depth instrument available to the Italgas Group to carry out training and for any analysis that the Antitrust Oversight may be called to carry out in the exercise of its duties.

By way of completion of the more extensive antitrust compliance programme, during the second half of 2021, training was delivered to all those holding particularly relevant roles in the Group in matters of antitrust and consumer protection.

Cybersecurity

Italgas has innovated its security model, developing an approach that enables the integrated management of different information levels, in particular:

  • the level of digital data and IT infrastructures (the “Logical Domain”);
  • the level of material assets and staff (the “Physical Domain”);
  • the level of information (the “Information Domain”).

The aim is to converge towards the Integrated Security System, able to interface multi-domain security management platforms, applications, services and operative processes to manage vulnerabilities, threats and security events, to guarantee a quantitative and dynamic vision of the risk, and to direct and facilitate decision-making processes.

The Group Security and Cybersecurity Departments work together, implementing corporate security policies and procedures; the respective roles and responsibilities are defined through a shared RACI matrix [28], which allows for the harmonisation of efforts to protect the company’s information assets.

The principles of Cybersecurity adopted by Italgas include:

  • the development of incremental cybersecurity operating capacities and the update of existing ones in line with the business needs of the Group and in the context of external threats;
  • a clear definition of the roles and responsibilities under the scope of aspects and processes relating to cybersecurity;
  • the guarantee of access to data according to the principle of least privilege;
  • the assurance of confidentiality, integrity and availability of the Group’s information assets;
  • the monitoring by the Enterprise Risk Management Department of the risks connected with cybersecurity in the corporate risk portfolio;
  • the monitoring of aspects of logical and organisational security necessary to maintain commensurate levels of cybersecurity;
  • the use of communication management processes with specialised groups and professional associations operating in cybersecurity, in order to promote the continuous update, improve knowledge of best practices, exchange information on threats, vulnerabilities, new services, products and/or technologies;
  • specific information sessions for corporate governance bodies regarding events or updates relative to Italian and international legislation.

The Italgas procedures establish that at least once a year, the Group Security Officer (GSO) shall report to the Board of Directors and Control Bodies on the level of conformity with national and international regulations on cybersecurity and the corporate policies on technical-organisational measures able to manage risks and prevent cyber incidents. In addition, the GSO updates the CEO directly and constantly on the topics of interest.

With regard to the working conditions deriving from the current pandemic crisis, Italgas implements technical procedures and controls aimed at allowing internal and external staff to connect securely to the company network from remote locations. Remote connections take place through a private network (VPN), which protects the communications. In addition, Italgas delivers specific training sessions aimed at making all staff aware of the security threats deriving from smart working.

In order to increase the security level and protection of accesses and identities, Italgas has, for all its employees, adopted multi-factor authentication (MFA) technology.

Italgas develops and implements a suitable vulnerability management system, which includes the execution of security checks aimed at identifying the application and infrastructural vulnerabilities of the IT and OT systems, and at defining and implementing the remedial action necessary to resolve them, mitigating the related risks.

It guarantees 24-hour monitoring of IT and OT security events, including through a new generation Security Operation Centre (Next Generation-SOC). Specifically, this structure supplies managed security services and continuous activities relating to incident monitoring, detection and response. Italgas defines and applies a process that identifies the action to be taken to manage and resolve incidents impacting cybersecurity, understood as events that can compromise the confidentiality, integrity or availability of the company information assets, and which may impact business operations and/or threaten cybersecurity.

The cybersecurity incident management process is structured into the following phases: detection, analysis and classification of the incident, mitigation and resolution of the incident, closure of the incident and reporting and continuous improvement.

In the last three years (2019 – 2021), no cybersecurity incidents were recorded that generated data breaches or compromised the business systems; as a tool for greater protection, Italgas has an insurance policy against IT incidents.

Italgas adopts cyber threat intelligence processes and tools, which allow for the preventive identification of cyber threats and attacks that could impact the organisation, with the aim of proactively implementing security measures and actions aimed at risk reduction and continuous management. Cyber threat intelligence activities flank and supplement the security measures present in the company and offer a tool in support of operations seeking to detect security incidents. Through its cyber threat intelligence capacity, Italgas proactively protects the company’s information assets, reputation and sensitive data. The maturity level of its information security is also constantly verified and monitored using synthetic indicators (ratings), prepared by external international companies, which, in 2021, saw Italgas positioned in the group of the most advanced organisations at global level.

In relation to the management of so-called “Third Parties”, Italgas defines the information security requirements necessary to limit the risks associated with access to information.

Italgas also regulates supplier access to equipment used for processing information, implementing adequate security controls.

In line with the digital transformation initiatives contained in the strategic plan and by virtue of the growing importance of information and data management, in addition to defining adequate security policies, training on cyber risk has been extended to all personnel, through a series of interactive courses and specific awareness-raising campaigns. At the same time, the alerting system has also been strengthened, with the mass dispatch of reporting e-mails, in the case of malicious or phishing campaigns.

In order to consolidate the public-private collaboration network, Italgas held meetings with the government authorities in charge of information security and with the main national and international think tanks. In this regard, Italgas has defined memoranda of understanding with the Postal Service Police (CNAIPIC) and national CSIRT; furthermore, since 2021 Italgas has adhered to the European Cyber Security Organisation (ECSO) in order to implement and strengthen its collaboration with the EU Commission, the European Union Agency for Cybersecurity (ENISA), Competence Centres and academia.

Italgas plays an active role in the “Cyber Resilience of Economy, Infrastructure & Services” Working Group, whose objectives include the creation of a “trusted” Information Sharing and Strategic Threat Intelligence environment and the development, within the European Community of Cybersecurity, of a shared network and exchange of competences with the aim of facilitating dialogue between companies, governments and suppliers and increasing the maturity level on security topics.

Information and personal data security

The Italgas Group approach to personal data protection includes the voluntary adoption of virtuous behaviour that goes beyond mere compliance with regulatory provisions: a specific paragraph of the Code of Ethics requires a specific commitment to be made by employees and the supply chain regarding personal data protection.

In 2018, Italgas adopted a Data Protection Organisational Model defined in compliance with the provisions of Regulation (EU) 2016/679 (GDPR). This Model formalises the roles and responsibilities regarding the protection of personal data processed within the scope of company activities. All contractual agreements with suppliers processing personal data on behalf of Italgas include a specific “Data Protection Agreement” in compliance with the provisions of Art. 28 of the GDPR.

The Company has designated a Data Protection Officer (or “DPO”), identified from the Internal Audit Department, who is responsible for informing and advising the company departments and people involved in the processing of personal data, monitoring compliance with the Regulation, national provisions and company policies on the protection of personal data and cooperating with the Supervisory Authority, acting as a point of contact with the same. The DPO is also assigned tasks relating to the promotion of the personal data protection culture within the company, the management of requests made by data subjects and support for the data protection assessment of aspects of each new project that may impact personal data protection. The DPO is supported by the Data Protection Team, which includes legal, IT, organisational and security experts.

Italgas has also adopted compliance standards regarding data protection, aimed at setting out the principles applicable to the processing of personal data and formalising roles and responsibilities under the scope of the corporate organisational structure to guarantee the correct processing of information relating to data subjects and regarding data breach management, so as to guarantee the governance and implementation of management processes used to address any data breaches.
The data protection compliance standard was updated in 2021 to include the consequences of conduct not compliant with data protection legislation.

Italgas has adopted a register of processing, which includes all information pursuant to Art. 30.1 of the Regulation; in 2021, the register was regularly updated, as were all disclosures regarding processing.

In line with the principle of risk-based management of processing, appropriate technical and organisational measures are implemented to ensure an appropriate level of security, especially taking into account the risks represented by the processing, resulting from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed. Where processing operations may present a high risk to the rights and freedoms of data subjects, a data protection impact assessment has been carried out to determine, in particular, the origin, nature, particularity and severity of that risk, and to implement, where necessary, appropriate additional security measures.

As early as 2019, data protection training was provided to Italgas Group personnel and it is continuously extended and updated, including through remote training tools.

In the context of the changing regulatory framework linked to the Covid-19 pandemic, the major commitment shown in 2021 by all corporate structures, supported by the DPO, in ensuring full compliance with personal data protection regulations, is worthy of note.

All the Subsidiaries defined and formally approved a Data Protection Model consistent with the standards which inspired the Italgas Data Protection Model albeit designed in accordance with their specific requirements and their organisational structure. In implementation of the Model, each subsidiary has adopted procedures, appointed a DPO, implemented its own processing register and defined appropriate security measures and carried out training activities.

With reference to all Italgas Group companies, in the three-year period 2019-2021:

  • no data breach reports were received;
  • no justified complaints relating to personal data breaches were received;
  • the Data Protection Authority did not receive requests of any kind;
  • no penalties for regulatory breaches concerning personal data protection were applied.

With reference to the requests for the exercise of data subject rights, note that in 2021 the process adopted by the Group companies was subjected to an independent audit, and this audit did not reveal any significant gap.

[25] The Code of Ethics is available on the Company’s website: http://www.italgas.it/it/governance/etica-dimpresa/il-codice-etico/

[26] The Model 231 may be consulted on the Company website: https://www.italgas.it/export/sites/italgas/italgas-gallery/Documenti_it/07-governance/03-controllointerno-e-compiance/02-responsabilita-amministrativa-231/ItalGas_modello231.pdf

[27] All operative Group companies are certified in accordance with standard ISO 14001.

[28] The RACI matrix (responsibility assignment matrix) specifies the type of relationship between the resource and the asset: Responsible, Accountable, Consulted, Informed. This instrument is used to indicate “who does what” within an organisation.