Fincantieri operates in sectors where the security of information and IT systems—both internal and those integrated into its products—is a strategic priority of the utmost importance. In this context, over the years the Group, through its subsidiary E-phors, has progressively strengthened its commitment to cyber security, launching a broad transformation program aimed at developing in-house specialist expertise.

This effort pursues a dual objective: on the one hand, to reinforce the organization’s cyber resilience; on the other, to support the evolution of naval products by integrating advanced cyber defense solutions and services into the Group’s main platforms, both civil and military.

This path is underpinned by solid and structured governance, the adoption of targeted Group policies, and the implementation of initiatives guided by a long-term strategic vision. The activities promoted are designed to raise awareness of cyber security both within the organization and among industrial partners, while also enhancing the resilience of corporate systems and developed products.

Cyber security and Compliance: a Strategic and Regulatory Path in Continuous Evolution

Establishing a resilient digital ecosystem at the international level requires a comprehensive and harmonized regulatory framework—one capable of setting clear standards and obligations that are aligned with the constant evolution of cyber threats and the increasing complexity and sophistication of cyberattacks.

As an active player in strategic sectors and an integral part of global value chains, Fincantieri is subject to a complex system of international laws, regulations, and standards on cyber security, which impose stringent requirements regarding governance, protection, and the resilience of information systems.

Among the key developments in cyber security regulation, the Directive (EU) 2022/2555 (NIS2) plays a prominent role. Its objective is to establish a high common level of cyber security across the European Union and it has been transposed into Italian law through Legislative Decree No. 138/2024.

In this context, Fincantieri has launched a structured process to analyse the applicable regulations and assess the Group’s level of compliance, with the aim of identifying strategic initiatives to strengthen and align its cyber posture with the new obligations introduced under NIS2. As part of this effort, a dedicated management model is being defined to reinforce the Group’s commitment and the central role of Top management in overseeing compliance and promoting a strong cyber security culture.

Complementing this approach, Fincantieri aims to establish an ongoing, collaborative dialogue with the relevant authorities, supporting the development of a structured public-private cooperation model. This model, tailored to the specific dynamics of the critical sector in which the Group operates, is intended to ensure more effective, sustainable, and shared management of cyber security responsibilities.

Cyber security governance

To ensure high and consistent cyber security standards across the entire Group—while fully complying with the applicable regulatory framework—Fincantieri has established the Group Cyber Security function, integrated within the Group Operations, Corporate, Strategy and Innovation Department.

This function plays a strategic role in defining, implementing, and overseeing the Group’s cyber security policies, with the aim of:

• Defining and implementing Group-wide cyber security policies;

• Ensuring continuous monitoring of Fincantieri’s digital environment and providing a prompt and effective response to any attempted breaches;

• Identifying strategic drivers for the development of advanced security solutions, with a specific focus on verifying and controlling the digital and electronic supply chain;

• Promoting a shared methodology for assessing and mitigating cyber risk, in line with international best practices and the Group’s existing policies.

Operational responsibility for this function lies with the Group Chief Information Security Officer (CISO), who is entrusted with the following tasks:

• Defining the Group’s overall cyber security strategy;

• Building and maintaining a structured and effective corporate cyber organization;

• Developing and implementing targeted protection programs;

• Designing and ensuring the application of procedures to mitigate cyber risks;

• Ensuring compliance with applicable regulations;

• Reporting to the Security Committee—composed of members of senior management and responsible for strategic direction and oversight—on the progress of cyber security investments, while submitting proposals and initiatives for approval.

At the corporate governance level, oversight of cyber security matters is assigned to the Board of Directors, with an active role played by the Internal Control and Risk Committee. As a board-level body, this Committee is responsible for continuously examining and monitoring the Group’s approach to cyber risk management.

In its operational activities, the Group Cyber Security function is supported by E-phors, a Fincantieri subsidiary and cyber center of excellence. E-phors specializes in cyber security strategies and solutions for complex naval, defense, and industrial programs, fully integrated with the markets in which Fincantieri operates.

Policies and procedures

Fincantieri’s information assets represent a strategic resource of paramount importance and therefore require appropriate protection against risks that could compromise the fundamental principles of security: confidentiality, integrity, and availability.

To ensure this protection, cross-functional processes have been implemented to identify, assess, and mitigate potential risks that could affect the Group’s information assets.

Cyber security standards are structured into policies and procedures that define, with varying levels of detail, the controls and measures adopted to safeguard information security.

An IT Security Policy has been established, clearly expressing the commitment of Senior Management to cyber security. This commitment is reflected in the implementation and maintenance of an Information Security Management System compliant with the ISO 27001 standard, with the aim of:

• Ensuring the security of electronic information and related exchanges, both within the company and with third parties, through information classification and the assignment of responsibilities to relevant users;

• Defining user roles and responsibilities in cyber security, promoting a widespread culture of security across the organization;

• Developing technical countermeasures to prevent unauthorized access to data centers, reducing the risk of loss, damage, theft, or compromise of electronic data;

• Ensuring the issuance and updating of rules aimed at guiding the proper management of IT systems and secure information exchange;

• Controlling access to information by internal users and third parties, preventing unauthorized access to data and processing systems;

• Managing cyber security events promptly and effectively;

• Avoiding disruptions to business operations, protecting critical processes from unavailability or major incidents, and ensuring their rapid recovery;

• Ensuring that IT systems comply with applicable regulations and the objectives set by management, while maximizing the effectiveness of IT audit processes.

As part of the broader initiative launched by Fincantieri to define a new Governance Model, the Group has also embarked on the evolution of its corporate regulatory framework. This initiative introduces a new document structure, clearly distinguishing between management and coordination documents—applicable Group-wide—and operational documents tailored to individual companies. The goal is to enhance clarity, integration, accessibility, adaptability, and internal sharing.

Within this framework, the Company’s regulatory structure related to Cyber Security has been further strengthened through the introduction of a Management Guideline and corresponding Global Procedures. These documents outline both the strategic principles and objectives, as well as the detailed design of cyber security processes, including:

• Definition of the organizational model for cyber security;

• Management of compliance with regulatory, contractual, and reference framework requirements;

• Assessment and mitigation of cyber risks, including supply chain risks;

• Promotion of a culture of security at all organizational levels;

• Enforcement of security requirements and technical protection measures;

• Proactive identification of relevant cyber threats;

• Monitoring of system and organizational security posture;

• Structured and effective management of cyber security events and incidents.

Information security management programs

The Group Cyber Security function supports the Group Information Technology function in implementing its Integrated Quality and Information Security Management System, certified in accordance with ISO 9001 and ISO 27001 standards.

As part of the Management System, the controls outlined in Annex A of ISO 27001 are applied. In particular, the following are defined:

• Risk management processes, aimed at conducting risk analyses on IT and OT systems, following a methodology aligned and integrated with the Group’s Enterprise Risk Management approach;

• ICT continuity plans, including response and recovery procedures, outlining how the organization manages ICT service disruptions;

• Vulnerability management processes and appropriate tools for detecting vulnerabilities in assets both inside and outside the organization;

• Information security incident management processes, with clearly defined roles and responsibilities for each phase: identification, escalation, response, containment, resolution, and closure. Notably, the company’s perimeter is continuously protected against potential unauthorized intrusions through 24/7 monitoring by the Security Operation Center;

• Awareness and training activities on information security (e.g., phishing campaigns, online and e-learning courses), designed to raise staff awareness of their responsibilities and the tools available to fulfil them;

• Annual plans to carry out internal audits of the Integrated Management System across the relevant functions and Fincantieri’s Data Centers;

• Third-party audits of the Integrated Quality and Information Security Management System, in compliance with the standards UNI EN ISO 9001:2015 (Quality Management Systems – Requirements) and ISO/IEC 27001:2022 (Information security, cybersecurity and privacy protection – Information security management systems – Requirements);

• Independent audits of the IT infrastructure, conducted on an annual basis.

Our cyber security initiatives

In a global context marked by increasingly sophisticated, pervasive, and evolving digital threats, E-phors reaffirms its strategic commitment to strengthening the Group’s cyber resilience. Protecting the company’s digital perimeter is not only a technological priority, but a fundamental lever to ensure business continuity, safeguard critical assets, and maintain the trust of all stakeholders.

To effectively address these challenges, Fincantieri has launched a structured and ambitious program aimed at significantly enhancing the cyber resilience of the entire Group ecosystem. This program is built upon an integrated and cross-functional approach that involves:

• All Group subsidiaries, with the goal of ensuring operational and strategic consistency in the management of cyber security;

• All employees, through the promotion of a widespread security culture via training, awareness campaigns, and individual accountability initiatives;

• The entire supply chain, by adopting strict security criteria in supplier selection, qualification, and monitoring processes, in order to mitigate indirect risks and ensure the reliability of the entire production cycle.

The program includes the adoption of advanced technologies, alignment with internationally recognized security frameworks, and the implementation of governance processes that enable continuous and responsive oversight across the entire digital landscape.

At the heart of this initiative lies the ambition to position cyber security as an enabler of innovation and competitiveness, establishing Fincantieri as a benchmark for cyber resilience — committed to protecting its know-how, partners, and clients in both the civil and defense sectors.

Security Operation Center (SOC) and Group-wide solution harmonization

As part of its strategic initiatives to enhance the Group’s cyber resilience, E-phors has launched a structured process of centralizing and harmonizing cyber security solutions. The objective is to progressively extend common standards, tools, and protection measures to the Group’s key subsidiaries, thereby strengthening the overall security posture of the corporate ecosystem.

This initiative marks a critical step towards unified cyber security management, based on principles of operational consistency, knowledge sharing, and enhanced centralized oversight.

At the heart of this effort is the Security Operation Center (SOC), which operates 24/7 and monitors the Group’s entire digital perimeter. The SOC provides continuous and proactive surveillance of IT and OT infrastructures, in line with the highest international standards and national cyber security regulations.

This approach enables the early detection of anomalies and threats, activating rapid and effective countermeasures, and thus contributing to the reinforcement of the Group’s overall cyber defense posture.

In recent years, significant progress has been made toward integrated and coordinated threat management, with the goal of making cyber protection increasingly scalable and synergistic. Key developments include:

• Homogeneous and interoperable technological solutions, ensuring consistent and shared protection across the Group’s various entities;

• Standardized operating procedures, applied Group-wide for cyber incident management, aimed at improving response times and coordination among involved teams.

This evolution reflects a long-term strategic vision, focused not only on protecting systems and information, but also on fostering a widespread digital security culture — one that enhances the Group’s resilience, responsiveness, and awareness in the face of a constantly evolving digital landscape.

Training and Awareness

In a context where cyber threats are evolving rapidly and with increasing sophistication, training and awareness-raising activities represent a strategic and indispensable element in strengthening the Group’s overall security posture.

Cyber awareness is recognised as one of the fundamental pillars of the digital resilience strategy. In this perspective, targeted training initiatives are continuously promoted, aimed at disseminating conscious and responsible behaviours in the use of digital tools, thus contributing to the development of a solid cyber security culture.

Among the most significant initiatives are phishing simulation campaigns, designed to assess in a controlled manner the responsiveness of users to simulated cyber-attack attempts. These simulations are based on threat models actually observed at global level, with the goal of reproducing realistic scenarios and enhancing the ability to recognise and handle potentially harmful situations.

The simulation campaigns involve all Group personnel, including Top management, confirming a transversal approach that affects the entire organisation, without exception.

In line with the objective of harmonising and aligning security policies at Group level, E-phors is progressively adopting a model of integrated phishing awareness campaigns, extending their application to all subsidiaries. This approach makes it possible to:

• Ensure standardised and consistent training for all personnel, regardless of geographic location or business function;

• Foster the sharing of best practices and common awareness tools;

• Reinforce individual and collective responsibility in preventing and countering cyber risk.

Through these initiatives, Fincantieri confirms and consolidates its commitment to building a secure, resilient and shared digital environment, where each person is called upon to actively contribute to safeguarding the Group’s informational and technological assets.

Ship and vessel cyber security

Modern naval platforms are characterised by high technological complexity, stemming from the integration of diverse digital systems, often interconnected with external environments to meet operational and logistical needs. While this interconnection enables advanced functionalities and a high degree of automation, it also results in increased exposure to increasingly sophisticated cyber threats.

In this context, E-phors plays a strategic role as the design authority for onboard electronic architecture, acting as the guarantor of the security, reliability, and resilience of the digital solutions integrated into the naval units produced.

The cyber security approach adopted is based on the principle of cyber security-by-design, applied throughout the entire life cycle of the platform, starting from the earliest design stages. This paradigm allows for:

• Minimising potential attack surfaces, thereby reducing opportunities for system compromise;

• Anticipating the management of structural vulnerabilities by integrating effective countermeasures from the early stages of development;

• Demonstrating the effectiveness of implemented security measures through technical verifications and validation activities conducted prior to the vessel's delivery.

Each digital architecture is developed on a bespoke basis, through tailor-made solutions calibrated according to the ship’s operational characteristics, mission, and the military or civilian context in which it will be deployed.

Cyber resilience does not end with the delivery of the product. E-phors’s commitment extends into the post-sale phase, through a structured offer of dedicated services aimed at ensuring continuous updates of onboard systems, monitoring the evolution of cyber threats, and providing specialised support throughout the platform’s life cycle.

The integration of naval expertise and digital security is a distinctive element of the industrial approach adopted. Thanks to its proven experience in shipbuilding processes, in-depth knowledge of onboard systems, and its ability to coordinate industrial and institutional actors, Fincantieri confirms its role as a key partner in delivering secure, resilient, and technologically advanced naval platforms.

Cyber security in the supply chain

In an increasingly interconnected industrial context, supply chain cyber security plays a strategic role in protecting the Group’s informational, technological, and operational assets. The supply chain is an integral part of the production ecosystem and, as such, requires a structured extension of cyber security measures to all partners and suppliers involved in company processes.

The value chain handles sensitive data, confidential information, and industrial know-how — elements essential to ensuring the quality, reliability, and competitiveness of the final product. The protection of such assets is a necessary condition for safeguarding process integrity, operational continuity, and project confidentiality.

As part of an integrated security vision, E-phors has adopted structured methodologies for assessing suppliers’ cyber risk, embedded in the procurement process both at the qualification stage and through ongoing performance monitoring. The goal is to ensure that all supply chain actors meet minimum cyber security standards, thereby contributing concretely to the system’s overall resilience and the protection of the entire production ecosystem.

Special focus is placed on suppliers involved in critical components or those that significantly affect the architecture and functionality of strategic systems. The selection and management of these entities are carried out in accordance with major international standards and sector-specific regulations, ensuring full technical and regulatory consistency.

Through this approach, Fincantieri promotes a model of distributed security, capable of extending cyber protection across the entire value chain, contributing to the overall reliability and resilience of the industrial system.

Initiatives with Institutions

E-phors actively collaborates with institutional bodies to strengthen capabilities in responding to the most complex and sophisticated cyber threats. Within this framework, numerous projects have been launched in the Defense sector, aimed at enhancing the cybersecurity resilience of key naval platforms.

Activities include in-depth analysis of advanced threat scenarios, the development of effective mitigation measures, and specialized personnel training. The latter is supported by realistic cyberattack simulations designed to test, in controlled environments, the operational readiness of operators and the effectiveness of response procedures. These exercises validate the methodological robustness of the adopted solutions and the high operational adaptability of the involved teams.

Complementing this approach, an advanced technological platform has been developed to protect naval units against cyberattacks targeting onboard IT and OT systems. The solution is designed to promptly detect cyber threats and trigger targeted responses, even without specialized expertise from onboard personnel. This technology stems from consolidated experience in shipbuilding processes, deep knowledge of onboard systems, and constant attention to the operational needs of the crew, particularly in high-criticality scenarios.

In the civilian sector as well, E-phors actively collaborates with institutional entities such as port authorities, contributing to the strengthening of digital security measures. In this context, evolutionary pathways are promoted to align cyber posture with emerging threats and requirements set by the National Cybersecurity Agency.

As part of awareness and digital responsibility initiatives, collaboration has also been established with the Postal Police, participating in a webinar dedicated to exploring socially relevant and current cyber issues. Among the topics addressed, particular attention was given to the phenomenon of cyberbullying, tackled through open and constructive dialogue aimed at raising awareness and prevention, especially among younger segments of the population. This initiative provided a significant opportunity for dialogue with a key institutional interlocutor committed to safeguarding cybersecurity and digital rights.

Research and Development

Fincantieri is committed to the development of advanced cybersecurity solutions in the maritime and underwater sectors, adopting an approach that integrates strategic vision, multidisciplinary expertise, and emerging technologies.

The areas of focus include, among others, the development of naval cyber simulation environments for training and testing, the protection of underwater communications, and the creation of intelligent systems for monitoring security both onboard and onshore.

In particular, a Cyber Range Maritime platform is currently under design, conceived to offer an immersive simulation environment where realistic attack scenarios can be recreated and crews trained to respond effectively to cyber threats. This platform also enables the safe testing of new cybersecurity solutions and the execution of penetration tests on virtualized networks, representing a strategic asset for preparedness in managing complex threats without compromising real systems. The solution is designed to support both technical training and operational validation.

In the underwater domain, Fincantieri is developing advanced solutions to protect communications between underwater drones and between these drones and control centers. In a context characterized by challenges such as latency, operational depth, and lack of stable connectivity, specific technologies are being designed to ensure security and reliability even in the face of future threats and extreme operational conditions.

Finally, on the cyber monitoring front, Fincantieri is developing a comprehensive suite for continuous cybersecurity surveillance onboard ships. Data collection and analysis occur both onboard and onshore, ensuring an integrated view of the entire fleet’s security status. The objective is to transform security management from a reactive to a proactive model, reducing response times and increasing overall resilience.

Research and Development activities are often conducted in synergy with public institutions and centers of excellence. In recent years, Fincantieri has collaborated with prominent national entities such as the SERICS Foundation (SEcurity and RIghts in the CyberSpace), Cyber 4.0, and the National Underwater Hub (PNS).

Furthermore, it has participated in high-profile international calls, including those promoted by the European Defence Fund (EDF) of the European Commission, receiving recognition for the innovativeness of its projects from prestigious bodies such as NATO’s Supreme Allied Commander Transformation (SACT).