Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2025

Cybersecurity Risk Management, Strategy, and Governance [Abstract]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk management and strategy

We recognize the critical importance of cybersecurity in protecting our operations, IT infrastructure, and business continuity. Our IT systems support essential functions, including vessel operations, financial reporting, regulatory compliance, and stakeholder communications. To safeguard these systems, we have established a comprehensive cybersecurity framework based on industry standards and best practices.

Hafnia’s IT infrastructure is fully hosted in Azure Enterprise Scale Landing Zones, which provides a secure cloud environment with built-in security controls. We have also outsourced first-level 24/7 cybersecurity surveillance to a third-party security operations center (“SOC”), which follows ISO 27000 standards and utilizes 900+ detection rules, a library of custom automation, and hands-on keyboard responses to detect, halt and eradicate threats including, but not limited to, ransomware, compromised credentials, malicious insider actions, malware, zero-days, non-malware attacks, multi-vector attacks, and malicious links in emails and other communication tools. The digital forensics and incident response provided by the SOC includes forensics, root cause investigation, analysis and reporting to stakeholders, with evidence processed in Azure with a chain of custody, legal support and expert witness testimony. ISO 27000 refers to a series of standards for information security management systems for information published by the International Organization for Standardization (“ISO”) and the International Electrotechnical Commission.

Our cybersecurity risk management strategy aligns with regulatory frameworks, including the NIS2 Directive, SEC disclosure requirements (Item 16K), IMO cybersecurity guidelines and GDPR data protection obligations. As of the date of this Annual Report, we have not experienced any material impact from the implementation of NIS2.

Our cybersecurity strategy includes the following key components:

•

Continuous Security Monitoring: Our IT systems are monitored 24/7 by the SOC to detect and mitigate threats.

•

Quarterly Automated Penetration Testing: We conduct automated penetration testing to identify vulnerabilities proactively.

•

Ongoing Cybersecurity Awareness Training: Employees undergo continuous security awareness and phishing training through a third-party platform that automatically delivers personalized, gamified training.

•

Policies and Guidelines: Detailed set of cybersecurity policies and procedures for employees.

•

Regular Risk Assessments & Audits: Cyber risk assessments are conducted quarterly to identify vulnerabilities and implement controls.

•

Regulatory Compliance: We adhere to NIS2, SEC 16K, IMO, and GDPR cybersecurity standards.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity risk management strategy aligns with regulatory frameworks, including the NIS2 Directive, SEC disclosure requirements (Item 16K), IMO cybersecurity guidelines and GDPR data protection obligations. As of the date of this Annual Report, we have not experienced any material impact from the implementation of NIS2.

Our cybersecurity strategy includes the following key components:

•

Continuous Security Monitoring: Our IT systems are monitored 24/7 by the SOC to detect and mitigate threats.

•

Quarterly Automated Penetration Testing: We conduct automated penetration testing to identify vulnerabilities proactively.

•

Ongoing Cybersecurity Awareness Training: Employees undergo continuous security awareness and phishing training through a third-party platform that automatically delivers personalized, gamified training.

•

Policies and Guidelines: Detailed set of cybersecurity policies and procedures for employees.

•

Regular Risk Assessments & Audits: Cyber risk assessments are conducted quarterly to identify vulnerabilities and implement controls.

•

Regulatory Compliance: We adhere to NIS2, SEC 16K, IMO, and GDPR cybersecurity standards.

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

For the year ended December 31, 2025, through the date of this report, to our knowledge we have not experienced any material cybersecurity incidents. Despite this, we acknowledge the evolving nature of cybersecurity threats, including ransomware attacks, phishing, data breaches, and supply chain vulnerabilities.

Cybersecurity Risk Board of Directors Oversight [Text Block]

Hafnia’s cybersecurity governance structure ensures clear accountability and oversight at the highest levels of the organization.

The Chief Information Officer (CIO), who is ISO 27000 certified, is responsible for overseeing cybersecurity risk management and reports directly to senior leadership and the Board of Directors. Our CIO has more than 25 years of designing, implementing and managing enterprise grade IT infrastructures and has worked with multiple international companies on designing secure and complex infrastructures. In his work experience, our CIO has designed, developed and advised on cybersecurity and cybersecurity strategies.

Key governance measures include:

•

Quarterly Cybersecurity Reporting: The CIO provides quarterly cybersecurity updates to the Audit Committee of the Board of Directors.

•

Executive Oversight: The management team reviews cybersecurity risks regularly to ensure alignment with business strategy.

•

Continuous Risk Monitoring: The IT team conducts ongoing assessments of cyber threats and presents findings to senior leadership.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

•

Quarterly Cybersecurity Reporting: The CIO provides quarterly cybersecurity updates to the Audit Committee of the Board of Directors.

•

Executive Oversight: The management team reviews cybersecurity risks regularly to ensure alignment with business strategy.

•

Continuous Risk Monitoring: The IT team conducts ongoing assessments of cyber threats and presents findings to senior leadership.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

•

Quarterly Cybersecurity Reporting: The CIO provides quarterly cybersecurity updates to the Audit Committee of the Board of Directors.

•

Executive Oversight: The management team reviews cybersecurity risks regularly to ensure alignment with business strategy.

•

Continuous Risk Monitoring: The IT team conducts ongoing assessments of cyber threats and presents findings to senior leadership.

Cybersecurity Risk Role of Management [Text Block]

Governance

Hafnia’s cybersecurity governance structure ensures clear accountability and oversight at the highest levels of the organization.

The Chief Information Officer (CIO), who is ISO 27000 certified, is responsible for overseeing cybersecurity risk management and reports directly to senior leadership and the Board of Directors. Our CIO has more than 25 years of designing, implementing and managing enterprise grade IT infrastructures and has worked with multiple international companies on designing secure and complex infrastructures. In his work experience, our CIO has designed, developed and advised on cybersecurity and cybersecurity strategies.

Key governance measures include:

•

Quarterly Cybersecurity Reporting: The CIO provides quarterly cybersecurity updates to the Audit Committee of the Board of Directors.

•

Executive Oversight: The management team reviews cybersecurity risks regularly to ensure alignment with business strategy.

•

Continuous Risk Monitoring: The IT team conducts ongoing assessments of cyber threats and presents findings to senior leadership.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

The Chief Information Officer (CIO), who is ISO 27000 certified, is responsible for overseeing cybersecurity risk management and reports directly to senior leadership and the Board of Directors.

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Our CIO has more than 25 years of designing, implementing and managing enterprise grade IT infrastructures and has worked with multiple international companies on designing secure and complex infrastructures. In his work experience, our CIO has designed, developed and advised on cybersecurity and cybersecurity strategies.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Key governance measures include:

•

Quarterly Cybersecurity Reporting: The CIO provides quarterly cybersecurity updates to the Audit Committee of the Board of Directors.

•

Executive Oversight: The management team reviews cybersecurity risks regularly to ensure alignment with business strategy.

•

Continuous Risk Monitoring: The IT team conducts ongoing assessments of cyber threats and presents findings to senior leadership.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true