Cybersecurity Risk Management and Strategy Disclosure	12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Abstract]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]	Cybersecurity Risk Management and Strategy In the ever-evolving digital age, effective cybersecurity management has become an undeniable priority for organizations of all sizes. In this context, a proactive and comprehensive approach is essential to ensure the protection of digital assets and maintain the trust of customers and stakeholders. Our business involves the collection, storage, processing, and transmission of customers', suppliers', and employees' personal or sensitive data. As a result, we may be subject to breaches of the information technology systems we use for these purposes. See “Item 3.D — Risk Factors — Risks Relating to Our Business — Our business is subject to cyberattacks and security and privacy breaches” for further details on this matter. When we face a cybersecurity incident, we act quickly to contact the responsible teams, develop an action plan to resolve the issue, and subsequently identify improvement measures to be implemented promptly to prevent the incident from recurring. Our action plan is prepared by our cybersecurity team in collaboration with other responsible parties impacted by the incident. This plan is designed to address not only immediate measures, but also short-, medium-, and long-term strategies, and is subject to review by our audit, risk management, and data protection (LGPD) teams to ensure its compliance and effectiveness. Furthermore, in cases where the severity of the incident is significant, the incident is promptly communicated to our Board of Directors and/or our Audit Committee for assessment. We believe we adopt a proactive stance, investing in appropriate resources to mitigate cyber threats and protect our digital assets. Additionally, we engage independent third parties on an as-needed basis to assess our cybersecurity capabilities, including to identify ongoing situations, assess how to mitigate any impacts on us, take preventive action where necessary, and follow global market trends. The results of these assessments are shared with our Audit Committee and our Fiscal Council. We believe the engagement of new professionals (cybersecurity service providers, auditors, consultants, and others) reflects our dedication to continuously improving our processes and adopting cutting-edge tools, all with the aim of maintaining a secure environment. We also recognize the importance of a rapid response to specific incidents and, accordingly, have the flexibility to conduct targeted hiring in response to emerging demands. Our surveillance covers not only internal systems, but also service providers that have access to our environment, to ensure that all aspects of our ecosystem are continuously monitored and protected. Given that we consider cyber risk to be one of our principal corporate risks, we work across multiple layers of security, implementing security controls at different levels of our environment, including firewalls, antivirus software, and access policies. Diversifying defenses increases infrastructure resilience and reduces the likelihood of successful cyberattacks. We periodically analyze cyber risks, identify potential vulnerabilities, and implement measures to mitigate them. All of our employees and service providers are covered by this framework, and appropriate actions are taken based on each identified risk or situation. We believe that one of the most important factors in combating cyberattacks is an organizational culture that values cybersecurity, which is essential for strengthening defenses against digital threats. Accordingly, we take continuous action to strengthen this culture, including disseminating guidance materials, live-streamed broadcasts, and videos on the matter. Individuals should be aware of recommended security practices, recognize signs of suspicious activity, and understand their responsibilities in protecting the organization's data. Additionally, we have an information security procedure in place for information technology, available to all employees, which outlines conduct, responsibilities, and operational boundaries for employees and business units. As mentioned in our Form 6-K furnished to the SEC on October 22, 2024, on October 16, 2024, we were subject to a cyberattack that caused instability in our digital network, leading to some non-critical systems being unavailable for a few days. We immediately took all security and control measures and put into practice a plan to restore the affected systems. Following the attack, we engaged experienced external advisors to investigate the cyberattack, including its causes, scope, and potential perpetrators. As part of our ongoing monitoring efforts, we became aware that cybercriminals disclosed the affected data, which was unstructured but consistent with our records. Our external advisors assessed the disclosure and determined that the disclosed records consisted of non-sensitive and low-sensitivity information. We informed the ANPD in accordance with applicable law. In 2025, the ANPD reviewed the matter and closed the related administrative proceeding . Our ability to maintain water supply and sewage collection and treatment operations was not affected by the cyberattack. As of the date of this annual report, we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. See ‘Item 3.D — Risk Factors — Risks Relating to Our Business — Our business is subject to cyberattacks and security and privacy breaches” for further details on this matter.
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]	false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]	we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block]	Cybersecurity Governance We have instituted a governance structure for monitoring cyber risks. Our audit committees monitor the matter in meetings held at least once a year and, in such meeting, the information technology department presents the actions taken, facilitating discussions and enabling the proposal of new actions to address the matter, as necessary. These committees monitor these actions periodically, whether at annual or special meetings. We have a Corporate Risks area responsible for carrying out annual assessments of the main risks we face, including cyberattacks. In this assessment, we consider both the potential impact and the probability of occurrence of each cyber risk. Based on these criteria, we determine the necessary level of reporting, which ranges from reporting to our local management (for low impact risks and remote probability) to reporting to our Board of Directors (for high impact risks and imminent probability). We have also established a security area as part of our organizational structure that acts continuously and promptly on issues related to cybersecurity, with ongoing reporting to superiors on the progress of its activities. The reporting process takes place at meetings with our Chief Information Officer and at our Audit Committee’s annual meeting, where we present the progress of cybersecurity initiatives led by our security team, including our monitoring measures related to the risk of cyberattack to ensure the transparency of our activities and strategic guidance. The security area team is responsible for assessing and managing cybersecurity risks and has in-depth expertise in information and technology security, with a solid academic background and extensive professional experience in relevant areas, such as cybersecurity, computer networks, and other related topics. The team is prepared to deal with the challenges that cybersecurity presents. In addition, we have a Security Operations Center (SOC) dedicated to the continuous monitoring of our systems, which reports to our security team. Using specialized processes, procedures and tools, the SOC aims to identify any potential security incidents. If a potential threat is detected, protocols are activated, with the mobilization of responsible teams and the use of appropriate tools. After confirming an incident, we conduct a thorough analysis of its causes, identifying the mitigation and/or remediation measures necessary to resolve the problem. During this process, we consider the relevance of each action for the effective resolution of the identified incident.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]	Our audit committees monitor the matter in meetings held at least once a year and, in such meeting, the information technology department presents the actions taken, facilitating discussions and enabling the proposal of new actions to address the matter, as necessary. These committees monitor these actions periodically, whether at annual or special meetings.
Cybersecurity Risk Role of Management [Text Block]	We have a Corporate Risks area responsible for carrying out annual assessments of the main risks we face, including cyberattacks. In this assessment, we consider both the potential impact and the probability of occurrence of each cyber risk. Based on these criteria, we determine the necessary level of reporting, which ranges from reporting to our local management (for low impact risks and remote probability) to reporting to our Board of Directors (for high impact risks and imminent probability).
Cybersecurity Risk Management Positions or Committees Responsible [Flag]	true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]	We have also established a security area as part of our organizational structure that acts continuously and promptly on issues related to cybersecurity, with ongoing reporting to superiors on the progress of its activities. The reporting process takes place at meetings with our Chief Information Officer and at our Audit Committee’s annual meeting, where we present the progress of cybersecurity initiatives led by our security team, including our monitoring measures related to the risk of cyberattack to ensure the transparency of our activities and strategic guidance.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]	The security area team is responsible for assessing and managing cybersecurity risks and has in-depth expertise in information and technology security, with a solid academic background and extensive professional experience in relevant areas, such as cybersecurity, computer networks, and other related topics. The team is prepared to deal with the challenges that cybersecurity presents.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]	true

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2025

Cybersecurity Risk Management, Strategy, and Governance [Abstract]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity Risk Management and Strategy

In the ever-evolving digital age, effective cybersecurity management has become an undeniable priority for organizations of all sizes. In this context, a proactive and comprehensive approach is essential to ensure the protection of digital assets and maintain the trust of customers and stakeholders.

Our business involves the collection, storage, processing, and transmission of customers', suppliers', and employees' personal or sensitive data. As a result, we may be subject to breaches of the information technology systems we use for these purposes. See “Item 3.D — Risk Factors — Risks Relating to Our Business — Our business is subject to cyberattacks and security and privacy breaches” for further details on this matter. When we face a cybersecurity incident, we act quickly to contact the responsible teams, develop an action plan to resolve the issue, and subsequently identify improvement measures to be implemented promptly to prevent the incident from recurring.

Our action plan is prepared by our cybersecurity team in collaboration with other responsible parties impacted by the incident. This plan is designed to address not only immediate measures, but also short-, medium-, and long-term strategies, and is subject to review by our audit, risk management, and data protection (LGPD) teams to ensure its compliance and effectiveness. Furthermore, in cases where the severity of the incident is significant, the incident is promptly communicated to our Board of Directors and/or our Audit Committee for assessment. We believe we adopt a proactive stance, investing in appropriate resources to mitigate cyber threats and protect our digital assets. Additionally, we engage independent third parties on an as-needed basis to assess our cybersecurity capabilities, including to identify ongoing situations, assess how to mitigate any impacts on us, take preventive action where necessary, and follow global market trends. The results of these assessments are shared with our Audit Committee and our Fiscal Council. We believe the engagement of new professionals (cybersecurity service providers, auditors, consultants, and others) reflects our dedication to continuously improving our processes and adopting cutting-edge tools, all with the aim of maintaining a secure environment. We also recognize the importance of a rapid response to specific incidents and, accordingly, have the flexibility to conduct targeted hiring in response to emerging demands. Our surveillance covers not only internal systems, but also service providers that have access to our environment, to ensure that all aspects of our ecosystem are continuously monitored and protected.

Given that we consider cyber risk to be one of our principal corporate risks, we work across multiple layers of security, implementing security controls at different levels of our environment, including firewalls, antivirus software, and access policies. Diversifying defenses increases infrastructure resilience and reduces the likelihood of successful cyberattacks. We periodically analyze cyber risks, identify potential vulnerabilities, and implement measures to mitigate them. All of our employees and service providers are covered by this framework, and appropriate actions are taken based on each identified risk or situation.

We believe that one of the most important factors in combating cyberattacks is an organizational culture that values cybersecurity, which is essential for strengthening defenses against digital threats. Accordingly, we take continuous action to strengthen this culture, including disseminating guidance materials, live-streamed broadcasts, and videos on the matter. Individuals should be aware of recommended security practices, recognize signs of suspicious activity, and understand their responsibilities in protecting the organization's data. Additionally, we have an information security procedure in place for information technology, available to all employees, which outlines conduct, responsibilities, and operational boundaries for employees and business units.

As mentioned in our Form 6-K furnished to the SEC on October 22, 2024, on October 16, 2024, we were subject to a cyberattack that caused instability in our digital network, leading to some non-critical systems being unavailable for a few days. We immediately took all security and control measures and put into practice a plan to restore the affected systems. Following the attack, we engaged experienced external advisors to investigate the cyberattack, including its causes, scope, and potential perpetrators.

As part of our ongoing monitoring efforts, we became aware that cybercriminals disclosed the affected data, which was unstructured but consistent with our records. Our external advisors assessed the disclosure and determined that the disclosed records consisted of non-sensitive and low-sensitivity information. We informed the ANPD in accordance with applicable law. In 2025, the ANPD reviewed the matter and closed the related administrative proceeding . Our ability to maintain water supply and sewage collection and treatment operations was not affected by the cyberattack.

As of the date of this annual report, we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. See ‘Item 3.D — Risk Factors — Risks Relating to Our Business — Our business is subject to cyberattacks and security and privacy breaches” for further details on this matter.

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]

false

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.

Cybersecurity Risk Board of Directors Oversight [Text Block]

Cybersecurity Governance

We have instituted a governance structure for monitoring cyber risks. Our audit committees monitor the matter in meetings held at least once a year and, in such meeting, the information technology department presents the actions taken, facilitating discussions and enabling the proposal of new actions to address the matter, as necessary. These committees monitor these actions periodically, whether at annual or special meetings. We have a Corporate Risks area responsible for carrying out annual assessments of the main risks we face, including cyberattacks. In this assessment, we consider both the potential impact and the probability of occurrence of each cyber risk. Based on these criteria, we determine the necessary level of reporting, which ranges from reporting to our local management (for low impact risks and remote probability) to reporting to our Board of Directors (for high impact risks and imminent probability).

We have also established a security area as part of our organizational structure that acts continuously and promptly on issues related to cybersecurity, with ongoing reporting to superiors on the progress of its activities. The reporting process takes place at meetings with our Chief Information Officer and at our Audit Committee’s annual meeting, where we present the progress of cybersecurity initiatives led by our security team, including our monitoring measures related to the risk of cyberattack to ensure the transparency of our activities and strategic guidance. The security area team is responsible for assessing and managing cybersecurity risks and has in-depth expertise in information and technology security, with a solid academic background and extensive professional experience in relevant areas, such as cybersecurity, computer networks, and other related topics. The team is prepared to deal with the challenges that cybersecurity presents.

In addition, we have a Security Operations Center (SOC) dedicated to the continuous monitoring of our systems, which reports to our security team. Using specialized processes, procedures and tools, the SOC aims to identify any potential security incidents. If a potential threat is detected, protocols are activated, with the mobilization of responsible teams and the use of appropriate tools. After confirming an incident, we conduct a thorough analysis of its causes, identifying the mitigation and/or remediation measures necessary to resolve the problem. During this process, we consider the relevance of each action for the effective resolution of the identified incident.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]

Our audit committees monitor the matter in meetings held at least once a year and, in such meeting, the information technology department presents the actions taken, facilitating discussions and enabling the proposal of new actions to address the matter, as necessary. These committees monitor these actions periodically, whether at annual or special meetings.

Cybersecurity Risk Role of Management [Text Block]

We have a Corporate Risks area responsible for carrying out annual assessments of the main risks we face, including cyberattacks. In this assessment, we consider both the potential impact and the probability of occurrence of each cyber risk. Based on these criteria, we determine the necessary level of reporting, which ranges from reporting to our local management (for low impact risks and remote probability) to reporting to our Board of Directors (for high impact risks and imminent probability).

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

The security area team is responsible for assessing and managing cybersecurity risks and has in-depth expertise in information and technology security, with a solid academic background and extensive professional experience in relevant areas, such as cybersecurity, computer networks, and other related topics. The team is prepared to deal with the challenges that cybersecurity presents.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true