| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Risk Management and Strategy. Our cybersecurity risk management strategy is designed to detect, prevent, monitor and respond to security incidents, minimize unavailability of our operations, protect integrity and confidentiality of data and prevent data leakage. We have adopted various processes for the assessment, identification and management of risks arising from cybersecurity threats, which are documented in our Cybersecurity Incident Response Procedure, Directives for Cyber Protection in Embraer Group Companies and Procedures for Monitoring and Responding to Information Security Incidents. While assessing cybersecurity risks and security incidents, we evaluate their potential materiality in accordance with applicable laws and our internal policies and procedures, considering both qualitative and quantitative factors. This assessment involves members of senior management, including representatives from the cybersecurity, legal, finance, and compliance functions, and takes into account, among other factors, the potential impact on our business operations, financial condition, results of operations, reputation, and regulatory obligations. We apply cybersecurity procedures to ensure the most appropriate approach, always considering the characteristics of the solutions used by our corporate systems, business processes and products. These procedures and mechanisms are based on best market practices (such as the NIST and ISO27001/2 frameworks) and undergo periodic reviews to ensure their ability to spot, control, and respond to potential global cyber threats. We have a cybersecurity incident response cycle procedure, which is a four-stage response procedure to be used in case of a cybersecurity incident. The procedure comprises the following stages: (i) training and preparation of our teams to act promptly in response to cybersecurity incidents by implementing controls based on risk assessments; (ii) incident detection and analysis; (iii) actions for containment, eradication and recovery from the incident; (iv) post-incident activities, which comprise activities to avoid, prevent and improve actions in case of new incidents. Training for our employees occurs monthly. We have a cybersecurity committee, responsible for monitoring our technological environment and for assessing any threats and alerts relating to cybersecurity. Once the cybersecurity committee identifies a cybersecurity incident, it must act in conjunction with the affected departments, the legal department and the Data Protection Officer (DPO) (if personally identifiable information was also affected in such incident) to: (i) understand the exact moment of its identification; (ii) the types of data involved in the incident, if any; (iii) its cause, extent and consequences; (iv) how and where it was detected; and (v) assist in proposing measures to repair or prevent the incident, including, if applicable, measures to mitigate its possible negative effects, both with us and, if applicable, with the affected data subjects. As part of our risk management strategy, we contract cybersecurity companies, such as Tempest (part of Embraer Group), other cybersecurity suppliers and independent auditors to assess our cybersecurity controls and procedures annually. We continuously assess and oversee material risks from cybersecurity threats associated with our third-party service providers. Before engaging in business relationships with service providers, the cybersecurity team evaluates whether they meet our minimum standards relating to cybersecurity procedures, governance and risk management. In addition to initial due diligence, we monitor cybersecurity risks associated with key third-party service providers on an ongoing basis, including through periodic reassessments and, where appropriate, contractual requirements related to cybersecurity controls and risk mitigation. Our cybersecurity team is responsible for overseeing and identifying cybersecurity risks. See “—Cybersecurity Governance.” Our cybersecurity and data protection governance structures operate in a coordinated manner. Cybersecurity topics involving personal data are managed through collaboration between the cybersecurity and legal teams, the DPO and the Privacy and Data Protection Committee, of which the cybersecurity function is also a member (see ‘Data Protection Governance’). Cybersecurity risks are integrated into our broader enterprise risk management framework and are evaluated alongside other operational, financial, and strategic risks. Material cybersecurity risks identified through our risk assessment processes are escalated through established governance channels and monitored as part of our ongoing risk management activities. Data Protection Governance. Our privacy and data protection governance program is supported by an integrated structure composed of multiple stakeholders with complementary roles and responsibilities. The core of this program consists of the following three governance bodies: ✈ Privacy and Data Protection Committee: multidisciplinary and collegiate body responsible for deliberating on strategic decisions, resolving relevant conflicts, overseeing internal controls, and promoting a culture of privacy and data protection across the organization. The committee is composed of representatives from the legal and cybersecurity functions, the Data Protection Officer, or DPO, and external legal advisors, and meets on a biweekly basis. ✈ DPO: the DPO serves as the primary point of contact for data subjects and data protection authorities and is responsible for coordinating communications, supporting internal areas, and proposing improvements to the privacy and data protection governance program. The DPO is appointed by the Legal Department, which is responsible for assessing the technical and institutional qualifications required for the role, ensuring the DPO’s autonomy, specialized knowledge, and strategic alignment. ✈ Data Protection Working Group: group composed of representatives from various areas of Embraer that provides technical support, disseminates best practices, monitors the implementation of the guidelines established by the Privacy and Data Protection Committee, and proposes operational improvements. The Data Protection Working Group meets on a quarterly basis. This governance structure is designed to ensure that strategic decisions, operational guidelines, and compliance actions related to privacy and data protection are consistently integrated and coordinated throughout the organization. This integrated privacy and data protection governance structure is designed so that personal data are identified, assessed, and managed in a coordinated manner across the organization. Cybersecurity Incidents. In the fiscal year ended December 31, 2025, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risk from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For additional information on our cybersecurity exposure, see “Item 3. Key Information—D. Risk Factors—Business Operations And Contracts.” |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Our cybersecurity risk management strategy is designed to detect, prevent, monitor and respond to security incidents, minimize unavailability of our operations, protect integrity and confidentiality of data and prevent data leakage. We have adopted various processes for the assessment, identification and management of risks arising from cybersecurity threats, which are documented in our Cybersecurity Incident Response Procedure, Directives for Cyber Protection in Embraer Group Companies and Procedures for Monitoring and Responding to Information Security Incidents. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Cybersecurity Governance. Our board of directors oversees our cybersecurity committee, which is responsible for making strategic decisions on cybersecurity and approving cybersecurity policies, and has full and unrestricted authority to implement projects and mitigation actions, as applicable. The cybersecurity committee meets on a monthly basis, or anytime the chief information security officer (CISO) deems necessary, to periodically monitor, at a high level, our projects related to cybersecurity and advises on measures and improvements to enhance our management of cybersecurity issues. The cybersecurity committee is composed of: ✈ our chief executive officer (CEO); ✈ our chief financial officer (CFO); ✈ our CISO; ✈ the vice president of Embraer defense and security; ✈ our legal director and DPO; and ✈ the vice president of engineering. Additionally, cybersecurity topics are constantly on the agenda at meetings of our Audit, Risk and Ethics Committee and our board of directors. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The cybersecurity committee is composed of: ✈ our chief executive officer (CEO); ✈ our chief financial officer (CFO); ✈ our CISO; ✈ the vice president of Embraer defense and security; ✈ our legal director and DPO; and ✈ the vice president of engineering. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The cybersecurity committee meets on a monthly basis, or anytime the chief information security officer (CISO) deems necessary, to periodically monitor, at a high level, our projects related to cybersecurity and advises on measures and improvements to enhance our management of cybersecurity issues. |
| Cybersecurity Risk Role of Management [Text Block] | The cybersecurity committee meets on a monthly basis, or anytime the chief information security officer (CISO) deems necessary, to periodically monitor, at a high level, our projects related to cybersecurity and advises on measures and improvements to enhance our management of cybersecurity issues. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our board of directors oversees our cybersecurity committee, which is responsible for making strategic decisions on cybersecurity and approving cybersecurity policies, and has full and unrestricted authority to implement projects and mitigation actions, as applicable. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Our board of directors oversees our cybersecurity committee, which is responsible for making strategic decisions on cybersecurity and approving cybersecurity policies, and has full and unrestricted authority to implement projects and mitigation actions, as applicable. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The cybersecurity committee meets on a monthly basis, or anytime the chief information security officer (CISO) deems necessary, to periodically monitor, at a high level, our projects related to cybersecurity and advises on measures and improvements to enhance our management of cybersecurity issues. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |