Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We maintain a comprehensive process for assessing, identifying, registering, addressing, and managing material risks associated with cybersecurity that may impact our business, including risks related to disruption of business operations, financial reporting systems, or our financial statements, as well as fraud, regulatory, reputational, and business continuity risks.

We prioritize the identification and management of cyber risks, focusing on adopting controls, technologies and processes that support cybersecurity, developing IT systems and infrastructure, emphasizing the confidentiality and privacy of data and information, and complying with legal and regulatory requirements. Our cybersecurity risk management process includes the following:

·Using our cybersecurity risk management practices integrated with our Enterprise Risk Management. We adopted the National Institute of Standards and Technology (“NIST”) framework based on six pillars: Govern, Identify, Protect, Detect, Respond and Recover, and in collaboration with external partners, we assess our adherence to the NIST framework through an analysis of our cybersecurity processes and technologies. In 2025, we conducted a maturity assessment based on the NIST framework to prioritize actions for the next two years. Utilizing material components within our cybersecurity framework, such as firewalls, Intrusion Detection and Protection system, endpoint detection and response mechanisms, phishing tests and annual penetration and intrusion tests to identify threats and vulnerabilities that could be exploited by cybersecurity attacks and reviewing relevant tactics, techniques, and procedures to prepare for a cyber-attack;
·Involving a dedicated team of professionals who monitor and act on cybersecurity events and risks including the Information Technology and Automation Technology areas. This team is responsible for creating, implementing, overseeing, and managing controls provided for specific cybersecurity policies and procedures, in addition to presenting priorities and strategies for information and cyber security. This team is overseen by a Chief Information Security Officer (“CISO”) who reports to the Cybersecurity committee (“COSEG”). Furthermore, we partner with strategic vendors to aid in the implementation and management of our cybersecurity controls;
·Providing requisite training and ensuring employees comply with cybersecurity programs and policies;
·Utilizing a comprehensive Cybersecurity Materiality Matrix to identify material cybersecurity incidents;
·Maintaining a comprehensive incident response plan and playbooks in the event of a cyber-attack that consists of defined policies, processes, and protocols for identifying a cybersecurity attack, analyzing the materiality of a cyber incident, responding to and recovering the technological environment, communicating the incidents to internal parties, and if necessary or required under various regulatory regimes, external parties, and completing a closing analysis to identify possible improvements of processes and controls;
·Utilizing a cyber incident module in the Information Technology Service System to register incidents and conduct materiality analyses.

Cybersecurity Risk Board of Directors Oversight [Text Block]

Cybersecurity Governance

Board of directors and Audit Committee

Our Board of directors has delegated direct oversight into cybersecurity matters to the Audit Committee. The Audit Committee collaborates with management to implement processes focused on monitoring cybersecurity, receiving regular updates on cybersecurity testing, incident response plans, and policies. The committee ensures regular risk assessments are conducted, receives periodic reports on any significant incidents, and establishes communication protocols for cybersecurity events.

Cybersecurity Management

Cybersecurity at Nexa is managed by COSEG, which is the executive committee responsible for overseeing our cybersecurity strategies and policies, including but not limited to, assessing and managing our material risks from cybersecurity threats. COSEG is composed of our senior managers and executives, including the CIO and CISO. On a regular basis, the results of operational cybersecurity indicators are presented to COSEG by the CISO. Our cybersecurity management is established based on cybersecurity policies and processes, a dedicated cybersecurity budget, technological solutions, human resources, suppliers, and a departmental structure for cybersecurity. COSEG regularly reviews, tests, and updates cybersecurity processes, discussing materiality determinations, ransomware attacks, and breaches. The Management Committee stays updated on technological, industry, and public policy developments related to cybersecurity risks and best practices and evaluates the need for external expert engagement or law enforcement involvement and conducts thorough investigations of cyber breaches. As of the date of this filing, we have not identified any incidents that would be deemed material within the context of the SEC’s requirements.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of directors has delegated direct oversight into cybersecurity matters to the Audit Committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit Committee collaborates with management to implement processes focused on monitoring cybersecurity, receiving regular updates on cybersecurity testing
Cybersecurity Risk Role of Management [Text Block] Cybersecurity at Nexa is managed by COSEG, which is the executive committee responsible for overseeing our cybersecurity strategies and policies, including but not limited to, assessing and managing our material risks from cybersecurity threats.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] COSEG is composed of our senior managers and executives, including the CIO and CISO. On a regular basis, the results of operational cybersecurity indicators are presented to COSEG by the CISO.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] This team is responsible for creating, implementing, overseeing, and managing controls provided for specific cybersecurity policies and procedures, in addition to presenting priorities and strategies for information and cyber security. This team is overseen by a Chief Information Security Officer (“CISO”) who reports to the Cybersecurity committee (“COSEG”). Furthermore, we partner with strategic vendors to aid in the implementation and management of our cybersecurity controls;
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The committee ensures regular risk assessments are conducted, receives periodic reports on any significant incidents, and establishes communication protocols for cybersecurity events.