D e c l a r a t i o n

of BALKAN GAS HUB EAD Management

SUBJECT:

INFORMATION SECURITY POLICY

BALKAN GAS HUB EAD maintains and operates an electronic platform, based on its own and leased infrastructure, that enables the conclusion of bilateral contracts and exchange-based trading with physical and non-physical products—natural gas, energy products, energy carriers, energy, green and white certificates, carbon emissions, and other products related to energy consumption.

Providing and maintaining reliable information solutions that meet the high demands of the company’s clients is a key factor for the successful business operations of BALKAN GAS HUB EAD.

The electronic trading platform and its associated services offered by the company—including provision, operation, and maintenance of a specialized electronic platform for trading in energy and energy-related products (natural gas) through access to the platform; provision, maintenance, and administration of user access required for exchange trading—comply with all information security requirements.

Our objective and strategic goal is to meet the needs and expectations of our current and potential clients by delivering secure information services.

Recognizing the importance of information security and personal data protection, the management of BALKAN GAS HUB EAD is committed to:

• Developing and maintaining information security policies and objectives aligned with the organization’s development vision;
• Creating the conditions for full and comprehensive integration of the Information Security Management System (ISMS) into the organization’s operational processes;
• Providing all necessary resources for the functioning, monitoring, review, maintenance, and continuous improvement of the ISMS, in accordance with the requirements of the international standard ISO 27001:2022;
• Promoting the importance of effective management of the ISMS and compliance with its requirements by developing and implementing mechanisms to support and encourage employees to contribute to improving its effectiveness;
• Affirming its leadership role in the continuous improvement of the ISMS within the organization.

The Information Security Management System aims to ensure the protection of information in terms of:

• AVAILABILITY - Information processed and stored by BALKAN GAS HUB EAD and its associated assets must be available and accessible to authorized personnel whenever necessary.
• INTEGRITY - BALKAN GAS HUB EAD ensures the protection of the integrity and completeness of the information it processes and stores, as well as of the methods used for its processing, in order to prevent intentional, accidental, partial, or complete destruction or unauthorized alteration of data, in both electronic and non-electronic form.
• CONFIDENTIALITY - Information processed and stored by BALKAN GAS HUB EAD must only be provided or disclosed to authorized individuals.
• Protection of Personal Data and Individual Privacy - The company's personal data protection policy fully complies with the Personal Data Protection Act and the regulatory documents of the European Union (Regulation (EU) 2016/679 – General Data Protection Regulation, GDPR).

The management of BALKAN GAS HUB EAD declares its intent and responsibility to uphold the objectives and principles of information security and personal data protection in accordance with the organization’s vision and business goals.

Identification and assessment of information security risks and their potential occurrence is carried out through a process-based approach, taking into account changes in security requirements, the risk environment, and priorities for risk treatment.

BALKAN GAS HUB EAD has established and approved risk acceptance criteria aligned with the nature of its operations, technical capabilities, regulatory requirements, and financial, social, and human factors.

Identified risks are treated by implementing appropriate control mechanisms in accordance with ISO 27001:2022 and its Annex A.

Legal requirements relevant to the Information Security Management System are determined in accordance with the Energy Act, Personal Data Protection Act, Cybersecurity Act, Electronic Document and Electronic Signature Act, Accounting Act, Classified Information Protection Act, Copyright and Related Rights Act, E-Commerce Act, Electronic Communications Act, Competition Protection Act, Disaster Protection Act, EU Regulations and Directives, and the international standard ISO 27001:2022.

To implement this Information Security Policy and ensure the operation of the ISMS at BALKAN GAS HUB EAD, an Information Security Management System Officer has been appointed, and an Information Security Council has been established.

All employees of BALKAN GAS HUB EAD are required to comply with all information security rules described in procedures, policies, instructions, and other documents from the ISMS.

This Information Security Policy states that disciplinary actions will be taken against individuals who violate its rules and provisions.

The current Information Security Policy will be reviewed regularly—at least once per year—or in the event of significant changes in the organizational environment, business circumstances, applicable legislation, or technical environment, to ensure its relevance, adequacy, and effectiveness.

This Information Security Policy is communicated to all employees of BALKAN GAS HUB EAD as well as to all interested parties.

EXECUTIVE DIRECTOR OF BALKAN GAS HUB EAD

PETYA TODOROVA IVANOVA