Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

Our cybersecurity strategy emphasizes detection, protection, analysis, and rapid recovery from cybersecurity threats, while increasing our resilience against cybersecurity incidents and effective management of cybersecurity risks and events as they arise. Cybersecurity threat management forms an integral part of our broader enterprise risk management process and constitutes a core component of strong and responsible corporate governance. Our strategy is built on two verticals across three continents, namely protection of our operational assets (generation and storage) and protection of the organizational network, each across MENA, Europe, and the U.S.

Based on this, Enlight’s cybersecurity strategy:

•

Adheres to multiple regulatory frameworks, based on geography and vertical (including but not limited to NERC‑CIP, NIS2, NIST, and the Israeli MOE Cyber Regulation);

•

Maps known or potential threats, from acts of terror to corporate espionage; and

•

Augments existing regulatory safeguards with an enhanced security layer, utilizing a detailed severity probability matrix to ensure optimal protection.

In addition, our cybersecurity program incorporates the following specific elements:

•

Strict compliance with applicable regulatory standards across Israel, Europe, and the United States, in each case seeking to apply the highest standard (including NERC, NIS2, NIST CSF 2.0, NERC‑CIP, CIRCIA, and Israeli Ministry of Energy and Israel National Cyber Directorate regulations).

•

Protection of all IT and OT systems across our assets and internal organizational networks to ensure information security, operational control, data‑privacy protection, and business continuity.

•

Periodic internal risk assessments and bi-annual external risk assessments by independent experts (covering both IT and OT), including regulatory compliance, gap‑analysis reports, and internal audit reviews.

•

Development of cyber‑defense programs to help ensure detection of unauthorized access to our systems, continuous monitoring of system vulnerabilities through proactive penetration testing, organizational readiness for cyber events, operational resiliency during incidents, and rapid recovery.

•

Implementation of effective risk‑management procedures, including identification, monitoring, intrusion mapping, activation of an incident‑response team, structured reporting to management and the board of directors, post‑incident investigation, and documenting and implementing lessons learned to our overall strategy.

Cyberattack risk assessments include evaluation of facility size, intrusion frequency, geography and potential impact, including possible harm to organizational systems and those of our business partners. Based on assessed risk levels, we develop appropriate prevention and mitigation plans. For high‑risk systems, risk surveys and penetration tests are conducted at least annually and following a major system change or data‑breach event. Other systems are tested at varying intervals according to their sensitivity. These regular risk assessments are conducted either internally or by qualified third‑party service providers. In addition, from time to time, the Israeli Ministry of Energy reviews our network vulnerability to cybersecurity risks and provides us with findings and instructions on how to improve our network protection and resilience.

Exposure of our data and systems to external parties is minimized and generally granted on a need‑to‑know basis.

Employees receive information‑security training upon hiring and annually, with additional dedicated training for employees with access to sensitive Company systems and information. The Company’s training includes phishing simulations, ransomware‑event drills, and business‑continuity exercises. Employees are required to complete the training through educational software, and we monitor completion. We also leverage partnerships, industry and government associations, third‑party benchmarking, results from regular internal and third‑party audits, threat‑intelligence feeds, and other similar resources to inform our cybersecurity processes and allocate resources.

In 2025, we engaged independent, leading third‑party consultants to assist in assessing, enhancing, implementing, and monitoring comprehensive cybersecurity risk‑management programs, regular system‑resilience maintenance, and responding to any incidents. The consultant also prepared a protection plan based on the said risk analysis.

In addition, we have implemented a requirement for our suppliers to adopt security‑control principles based on industry‑recognized standards, and we maintain a due‑diligence procedure for engagement with third parties across our supply chain, as well as in connection with partnerships, acquisitions, and business integrations. Under these procedures, we assess the compliance of such parties with relevant regulations and with our information‑security and privacy‑protection standards. As our portfolio of projects has increased in size, the size and scope of our technology footprint has similarly increased, and we have had to improve and expand our IT and OT defensive infrastructure. For example, in 2024 we enhanced the security of our corporate servers, added better Multi‑Factor Authentication to our Virtual Private Networks, implemented a new Network Access Control solution, and connected our office network to a specified SIEM/SOC service.

In recent years, our assets in Israel have become more vulnerable due to ongoing regional conflicts. Since the recent outbreak of renewed hostilities involving Hamas, Hezbollah, and Iran, we have identified an increase in attempted cybersecurity attacks on energy facilities in the Middle East, including in Israel. We have adjusted our alertness levels, monitoring, and tracking of intrusion attempts to help ensure safety of critical‑asset endpoint systems. In addition, we have obtained appropriate insurance coverage for cyber‑related events for the majority of our Israeli assets, particularly for our critical facilities.

We utilize artificial‑intelligence tools in our business operations, which may increase information‑security and cyber‑risk exposure. We have implemented and will continue to implement protective measures to safeguard our assets and organizational networks against such emerging risks.

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Our board of directors has overall responsibility for risk oversight, with its committees assisting the board in performing this function based on their respective areas of expertise. Our board of directors has delegated certain oversight of risks related to cybersecurity to our audit committee. Key aspects of the board’s role include: Cybersecurity Policy development and approval, risk management, budgetary approval, compliance oversight, crisis management including ransomware events, and continuous improvement.

Ms. Michal Ma’aravi, our Chief Information Systems Officer (CISO), is formally designated as the Company’s CISO under our internal governance framework and is responsible for overseeing the implementation of our Cybersecurity Policy. Ms. Ma’aravi has served as our CISO since 2022 and has completed an external 300‑hour training program for CISOs. In the course of performing her duties as our CISO, Ms. Ma’arravi makes use of services provided by third-party CISO experts.

In cases of significant cybersecurity events, the CISO notifies our Chief Operating Officer, who notifies our Chief Executive Officer. In each such case, the IT team reviews the incident and suggests a remediation plan. In the event of a potentially material cybersecurity event, the chair of the audit committee is notified and briefed, and meetings of the audit committee and/or full board of directors are held, as appropriate. We maintain an incident response team which is responsible for coordinated response, containment, investigation, documentation, and communication during cybersecurity events.

Our CISO periodically briefs the audit committee and board of directors on information technology and data analytics matters, including cybersecurity risks, practices, and real-time reports on cybersecurity incidents. The audit committee and/or the Chief Executive Officer brief the full board of directors on cybersecurity matters discussed during audit committee meetings.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our board of directors has delegated certain oversight of risks related to cybersecurity to our audit committee. Key aspects of the board’s role include: Cybersecurity Policy development and approval, risk management, budgetary approval, compliance oversight, crisis management including ransomware events, and continuous improvement.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Our CISO periodically briefs the audit committee and board of directors on information technology and data analytics matters, including cybersecurity risks, practices, and real-time reports on cybersecurity incidents. The audit committee and/or the Chief Executive Officer brief the full board of directors on cybersecurity matters discussed during audit committee meetings.