One of the main highlights for Madrileña Red de Gas during the financial year 2024 was achieving the highest score in the Global Real Estate Sustainability Benchmark (GRESB) index. This milestone makes MRG a leader in the sector in Spain, in Europe and worldwide. In addition, this achievement, together with the company’s strong performance, has earned it the Sustainability Award from Corporate magazine.
Likewise, in 2024 Madrileña Red de Gas reinforced its commitment to regulatory compliance and criminal risk prevention by updating its risk map and drawing up action and training plans.
It has also strengthened its cybersecurity robustness, working in collaboration with INCIBE, among many other initiatives. During this financial year, the strategic Turing Project was launched to drive a transformation towards a data-driven organisation.
1.1 Board of Directors
Carmen Gómez de Barreda Tous de Monsalve | Chairwoman
Cornelia Bernadette María van Heijningen | Director
Suyu Wu | Director
Simon Davy | Director
Romain Thierry Victor Bruneau | Director
Alexandre Pieyre | Director
Kai Chen | Director
Jan Matthijs Lakerveld | Director
Shankar Krishnamoorthy | Director
María Martín | Secretary (non-director)
1.2 Management Committee
Alejandro Lafarga | Chief Executive Officer (CEO)
Rafael Fuentes | General Counsel (CLO)
Inés Zarauz | Chief Financial Officer (CFO)
David Ortiz | Expansion Director
Félix Blasco | Network Operations Director
Glen Lancastle | Director of Systems and Customer Operations
María Vázquez | Human Resources Director
1.3 Regulatory Framework
On 17 January 2024, the Spanish National Commission of Markets and Competition (CNMC) published the schedule of regulatory circular letters planned for processing in 2024. Subsequently, on 19 April 2024, the CNMC approved an updated version of that schedule. To date, none of the circular letters related to the gas sector that were scheduled for 2024 has received final approval; the proposed amendments remain in intermediate stages of the regulatory process. Separately, on 30 December 2024 the CNMC published the schedule of regulatory circular letters with potential implications for energy policy planned for processing in 2025.
In addition, on 20 September 2024 Order TED/1013/2024 was published, establishing the gas system charges, as well as the remuneration and fees for basic underground storage facilities for the 2025 gas year.
Finally, on 20 December 2024 the CNMC resolution on the calculation, monitoring and assessment of gas system loss balances for the 2023 gas year and their impact on the remuneration of facility owners was approved.
Furthermore, on 23 May 2024 the CNMC approved resolution RAP/DE/010/23, which sets out access tariffs to transmission networks, local distribution networks and regasification for the 2025 gas year.
As outlined in its explanatory memorandum, this resolution aims to detail and justify the methodology used to calculate the access tariffs to transmission networks, local distribution networks and regasification applicable from 1 October 2024, in accordance with Article 36 of Circular 6/2020, of 22 July, which establishes the methodology for calculating access tariffs to transmission, local distribution networks and natural gas regasification.
European regulations for energy transition in the gas sector
On 15 July 2024, Regulation (EU) 2024/1789 on the internal markets for renewable gas, natural gas and hydrogen, as well as Directive (EU) 2024/1788 on common rules for the internal markets for renewable gas, natural gas and hydrogen were published in the Official Journal of the European Union (OJEU). Both documents are part of the so-called «Gas Package».
This regulatory framework aims primarily to facilitate the introduction of green gases, integrate hydrogen into the energy system, update access rules to natural gas and hydrogen networks, and contribute to the decarbonisation and energy transition of the European Union. The Regulation, which is directly applicable, will be fully enforceable from 5 February 2025, although it entered into force twenty days after it was published. Meanwhile, the Directive must be transposed into national law by no later than 5 August 2026.
In 2024, Spain began work to adapt its regulatory framework to align with these provisions, including a preliminary public consultation held between September and October, aimed at gathering proposals for the transposition of the Directive and the adaptation of the Regulation.
This legislative package is a key element in the modernisation and adaptation of the European energy system, promoting a shift towards a more sustainable and efficient model that is aligned with the European Union’s decarbonisation goals.
1.4 Prevention of Criminal Offences
Madrileña Red de Gas’s risk management system for the prevention of criminal offences is based on the general principles of:
- Legality.
- Due diligence.
- Ethical and responsible leadership.
- Compliance monitoring.
- Review and update.
- Systematic and adaptive risk management.
In accordance with the provisions of Law 1/2015, which further amends the Spanish Criminal Code and regulates in greater detail the criminal liability of legal entities, establishing the obligation for corporations to implement effective crime prevention measures in their organisations within the scope of their activities, Madrileña Red de Gas has put in place a robust criminal compliance management system which consists of:
- A crime prevention policy.
- A criminal risk map.
- An internal prevention protocol.
The person responsible for overseeing this system is the Criminal Compliance Officer.
Conduct monitoring will determine the information required and the course of action to be followed in situations involving regulatory non-compliance and/or practices that are contrary to the values and principles established in Madrileña Red de Gas’s Code of Ethics and Anti-Corruption Policy.
In this regard, Madrileña Red de Gas has a whistleblowing channel in place (managed by an independent supplier) through which any member of the organisation —regardless of their position or responsibilities—, as well as any customer, supplier or third party, may report any irregularity or behaviour that is contrary to the law or to the rules and procedures established by the company, with the utmost guarantee of confidentiality and absence of retaliation.
Madrileña Red de Gas updated its Whistleblowing Channel and adapted its system for reporting irregularities, thereby complying with the new Whistleblower Protection Act.
Furthermore, in accordance with the new Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption, Madrileña Red de Gas’s whistleblowing channel was updated with the advice and monitoring of the independent provider. Additionally, the governing body has drawn up and approved policies and procedures aimed at updating the internal system for reporting irregularities, as established by the aforementioned law.
Specifically:
- The Policy for the Management of Irregularity Reports.
- The Procedure for the Management of Irregularity Reports.
Furthermore, during 2024, the risk related to the offences included in the company’s risk map was reassessed in order to identify behaviours that could constitute violations of the applicable regulations and entail a liability for the company. As a result of this assessment, the annual compliance review report and the annual action plans addressing the identified needs are prepared. In addition, relevant training on the prevention of criminal offences has continued to be provided, which is currently delivered upon joining the company as part of the induction and onboarding programme for new employees.
1.5 Corporate Risk Management
Madrileña Red de Gas has a robust risk management system, with a comprehensive approach, specifically designed for the company. This system enables the identification, prioritisation and implementation of measures and/or controls aimed at recognising, preventing, mitigating or managing the risks the company faces.
The Audit and Risk Committee reports directly to the Board of Directors and operates in accordance with its internal regulations, which define its objectives, functions and composition. This committee is made up of representatives from the Board of Directors of each of the four shareholders, several members of the Executive Committee, and the Risk Management Department.
The agenda items addressed at the committee’s periodic meetings, which are held prior to every meeting of the Board of Directors, are internally agreed upon at the beginning of each financial year. The most recurring topics include the monitoring of the corporate risk map, the most significant risks, and the established or proposed controls and mitigation plans; as well as the financial audit; audits of the integrated prevention, environmental and quality management system; a growing number of sustainability-related issues; the criminal offence prevention policy; the cybersecurity risks; and the audits of the information security system. The outcomes of these activities enable the Audit and Risk Committee to issue recommendations for risk management and/or to the Board of Directors.
The integration of the risk management policy within the company has been articulated through the progressive implementation of cross-functional risk analyses, involving the business units most closely connected to the affected processes. Similarly, risk management is a regular agenda item in the Executive Committee’s periodic meetings.
Currently, the risk map of Madrileña Red de Gas encompasses a wide range of risks, focusing on the ten most significant material risks, which have been assessed based on the following criteria:
- The probability of occurrence of a risk.
- The impact of the combination of the effect on net present value and the reputational impact. The effect on net present value considers both the direct economic impact over the next twenty years and potential penalties.

The risk map incorporates emerging risks through regular updates to its content. Additionally, it establishes new high-level controls that supplement those already in place. The implemented action plans help to mitigate the consequences of these risks.
Compared to previous years, in 2024 the definition and assessment of several risks have been refined through more detailed analyses of their context and of the potential consequences that may arise in the event of their materialisation. At the same time, a parallel strategy has been developed to prevent and mitigate the potential impacts associated with these risks.
1.6 Sustainability
After nine consecutive years of participation and with outstanding scores in the three previous editions (93, 96, and 100 out of 100), Madrileña Red de Gas has once again secured its leadership in the sector in Spain with the highest possible rating: 100 out of 100. This accomplishment allows the company to renew, for the fourth consecutive year, the prestigious 5-star rating, which is only awarded to the top 20% of companies with the highest scores in the GRESB assessment.
In addition to this recognition, Madrileña Red de Gas has climbed to the first place in the European sector ranking, as well as worldwide in the multisectoral category, by achieving the top position across the entire spectrum of the GRESB 2024 index.
In its 2024 edition, the GRESB infrastructure assessments covered 720 participating companies across all sectors in 81 countries, making MRG’s recognition even more significant as it is awarded in a highly competitive global context.
Madrileña Red de Gas acknowledges that sustainability and economic success will only be possible if it actively, credibly and tangibly contributes to addressing the challenges that our society is facing. To this end, the company has integrated a deep and ongoing commitment to sustainability across all its operations, adopting responsible practices that promote social, environmental and ethical development, always placing the well-being of the community at the core of its work.
As recognition for this effort, and following its success in the GRESB rating, Madrileña Red de Gas has been awarded the Sustainability Award by Corporate magazine, acknowledging its leadership in the implementation of responsible and sustainable practices.
Transparency and communication
With the aim of improving communication and transparency on sustainability issues, Madrileña Red de Gas has updated its corporate website with the most relevant policies, the established objectives, and the performance achieved in each of the governance, environmental and social areas, both through the results of its own indicators and through various business excellence certifications and seals.
Moreover, during the first half of 2024 Madrileña Red de Gas prepared and verified its fourth Sustainability Report in accordance with GRI (Global Reporting Initiative) standards, taking into account the current versions and the sector-specific standard for «Oil & Gas».
In this regard, starting in the second quarter of 2024, MRG initiated the implementation of a plan to ensure future compliance with the EU Directive on sustainability reporting requirements (CSRD), starting with a situation analysis and needs assessment, followed by a review of the sustainability management model and a review of double materiality, impacts, risks and opportunities.
As a result of this effort, the company participated in the latest edition of the National Environment Congress (CONAMA). Together with other companies, it shared its experience in the field of sustainability, highlighting the progress achieved to date and its approach to addressing the challenges posed by the new reporting regulations, particularly in relation to the entry into force of the CSRD Directive.
1.7 Cybersecurity
Aware of the growing risks associated with digitalisation, data democratisation, cloud systems and the protection of its operations, Madrileña Red de Gas reinforced its commitment to security during the 2024 financial year through the implementation of a robust and structured action plan.
The figure shows the evolution of cybersecurity spending as a percentage of the total Information Technology budget. In 2024, cybersecurity accounted for 10% of MRG’s total information systems expenditure, in line with global benchmarks for 2024, which range from 6% to 10% (references from Forrester’s 2024 Cybersecurity Benchmarks Global Report).

During this financial year, eight key initiatives have been developed to strengthen the company’s security posture.
In addition to these milestones, in 2024 collaboration with the National Cybersecurity Institute (INCIBE) was strengthened by subscribing to early vulnerability alert, cyberthreat sharing and incident response services. As part of this effort, key information about the company’s systems and networks has been shared, and the company has attended specialised forums, such as the International Information Security Meeting (ENISE), held in León.
Finally, looking ahead to 2025, preparations have begun for compliance with the new NIS2 regulation (Network and Information System 2), ensuring adherence to European cybersecurity standards and strengthening the company’s resilience against emerging threats.
In short, Madrileña Red de Gas continues to advance its cybersecurity strategy, consolidating a culture of comprehensive protection that safeguards its assets, operations, and the trust of its customers and partners.
1.8 Information Security and Personal Data Protection
In 2024, Madrileña Red de Gas completed the implementation and certification of its information security management system in accordance with the ISO 27001 standard, a model that is fully aligned with the current integrated management system and within the scope of which the personal data protection management model is also included.
MRG has appointed its «Data Protection Officer», who serves as the highest authority on the matter and participates in the Executive Committee, the Audit and Risk Committee, and the Cybersecurity Committee. Additionally, a manager responsible for the information security management system has been designated, along with a technical security manager, who is supported by a team of administrators.
Once again, in the area of personal data protection management, the most relevant activities have primarily focused on the management of data subjects’ rights, the handling of incidents, and the resolution of inquiries; many of these are related to the interpretation of current legislation and the exercise of data protection rights by the data subjects.
Furthermore, based on its information security and personal data protection policies, MRG has developed management manuals in more than eighteen information security and personal data protection procedures. These procedures are subject to periodic reviews to ensure their contents remain up to date.
Through the completion of the asset inventory, eleven asset groups have been identified, broken down into 111 asset types. The criticality of each of these has been assessed from the perspective of confidentiality, integrity and availability, in order to subsequently evaluate the risk as a combination of criticality, probability and impact.
The information security and personal data protection management model provides for interaction with stakeholders through various channels:
- Publication of the information security and personal data protection policies on the MRG website. Personal data processing information intended for data subjects has also been published and is disseminated through various communications sent to users.
- Active management of the Data Protection Officer’s mailbox, which has received a significant number of requests.
- Employee awareness and training activities.
- Interaction with organisations and authorities, such as the Spanish Data Protection Agency (AEPD) and the National Cybersecurity Institute (INCIBE).
The following actions are also fully integrated into the management system:
- Establishment of contractual clauses on information security and personal data protection.
- Identification of the most sensitive suppliers from an information security perspective.
- Coordination of business activities in the field of data protection with data processors through meetings, unification of criteria, and agreements on best practices.
- Monitoring of information security and data protection performance across the supply chain through the information provided on the Repro-Achilles portal regarding the maturity of their privacy policies, as well as through audit reports conducted by the Repro-Achilles Community.
- Recording of information security and data protection incidents, the investigation of which contributes to improvements in information management.
- High alignment of the goals considered within the system’s annual objectives with the actions established in the current Cybersecurity Master Plan.
The following are notable developments compared to previous years:
- Increase of more than 50% in the number of inquiries about personal data protection.
- Four incidents involving personal data protection were recorded, none of which qualified as a data protection security breach. The investigations carried out highlighted the need to incorporate improvements in the management and processing of personal data.
- The management indicator dashboard has been further enhanced, and a first executive report on the system has been produced, in line with the philosophy and guidelines for this other type of report. The report covers various sections: incident management, physical and environmental security, compliance, supplier relations, asset management, communications security, operations security, human resources security, and Information Security Management System (ISMS) process indicators.
- Adjustments have been made to various procedures.
- Review and update of the context analysis with regard to threats, weaknesses, opportunities and strengths.
- Development of the first cybersecurity emergency plan and execution of a drill applying it, followed by a report outlining different improvement actions.
- Work has begun to adapt the management model to the requirements of NIS2 and the updated version of ISO 27001, aiming to renew this certification under the new standard next year.
Likewise, with the aim of promoting an internal culture of data protection, news about the revisions and updates made have been published in Madrileña Red de Gas’s internal regulatory repository, ensuring that the documentation compiled there remains up to date.
Turing Project: Towards a Data-Driven Organisation
In 2024, the Turing Project was launched with the aim of transforming Madrileña Red de Gas into a data-driven company.
The Turing Project is a strategic initiative sponsored by the top management, aimed at creating an internal team to drive the use of data and its application in decision-making.
A working team was organised to develop the plan, led by the Systems and Processes unit and made up of one member from each business unit. A committee was created that reports directly to the CEO and Management, and a three-year master plan was developed. This plan includes: training the team in strategy and data analytics; fostering a data-driven culture within the organisation; data governance and quality; standardising reports; data-driven decision-making; identifying the use of artificial intelligence; and, finally, predictive analysis in certain cases to help optimise and make business processes more efficient.