Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
ASML’s competitive edge is based
on knowledge and intellectual
property (IP) developed over
decades. This knowledge sits in
the minds of our employees and
many other people within our
thriving ecosystem of suppliers,
partners, customers and
knowledge institutions.
This ecosystem is largely based on the
exchange of ideas and insights, which makes
the protection of knowledge a challenge, but
also makes it difficult for others to replicate
our work. This knowledge is captured in our
information management infrastructure.
Our prime objective is to protect the integrity
and confidentiality of our critical information
and data while ensuring continuity of our
operations. This should be embedded in our
processes, people and infrastructure.
However, as we innovate and collaborate
together, our partners will inevitably need
access to some parts of our systems'
infrastructure. We must ensure that this is
enabled in a secure way, with best-in-class
security functions deployed across our
infrastructure to manage security threats
and risks.
We are also confronted with new EU
regulations such as NIS2 and the Cyber
Resilience Act (CRA) and in the US with Cyber
Incident Reporting for Critical Infrastructure
(Cybersecurity and Infrastructure Security
Agency), which highlight regulators seeking to
ensure that critical infrastructure organizations
are securing themselves effectively.
As perpetrators make use of more advanced
methods, implementing adequate responses
becomes more complex – so we continue to
take steps to try to deal with this effectively.
In the event of a security incident involving
the loss of information assets, the materiality
of the incident is jointly assessed by
technology leaders and subject matter
experts with support from Corporate
Intellectual Property and Legal and
Compliance.
In 2024, as far as we are aware, ASML had
zero incidents with a material impact.
How we manage information security
We have a dedicated Security function to
ensure we properly manage all security
risks. The security risk assessment process,
which includes cybersecurity, sits within our
ERM process and follows our governance
structure, with the Security Committee as a
sub-committee of the Compliance, Ethics,
Security and Risk Committee (CESR), which
acts as the oversight committee mandated
by the Board of Management (BoM).
The three layers of our security governance
framework are:
1. The Security Committee: Ensures and
promotes the integration of security risk
management methodologies and related
controls in ASML’s business processes.
The Security Committee reports into
the CESR.
2. The Security Function Management
team: Ensures the implementation and
execution of security risk management
methodologies and related controls in
ASML’s business processes.
3. The Security Expert team: Determines
the risk and control strategies and generates
input for tactical plans by providing content
expertise and setting requirements.
This governance framework enables
cross-disciplinary alignment through structured
meetings and ensures integration throughout
our broader risk management profile.
Alongside evaluation by our Internal Audit
department, we have engaged several third
parties to evaluate security capability and
maturity and provide both expertise and
resources to assist in identifying and
managing material cybersecurity risks. Some
examples of these engagements include
external validation of security management
systems, capability assessments,
red-teaming, penetration testing and tabletop
exercises.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
How we manage information security
We have a dedicated Security function to
ensure we properly manage all security
risks. The security risk assessment process,
which includes cybersecurity, sits within our
ERM process and follows our governance
structure, with the Security Committee as a
sub-committee of the Compliance, Ethics,
Security and Risk Committee (CESR), which
acts as the oversight committee mandated
by the Board of Management (BoM).
The three layers of our security governance
framework are:
1. The Security Committee: Ensures and
promotes the integration of security risk
management methodologies and related
controls in ASML’s business processes.
The Security Committee reports into
the CESR.
2. The Security Function Management
team: Ensures the implementation and
execution of security risk management
methodologies and related controls in
ASML’s business processes.
3. The Security Expert team: Determines
the risk and control strategies and generates
input for tactical plans by providing content
expertise and setting requirements.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
We have a dedicated Security function to
ensure we properly manage all security
risks. The security risk assessment process,
which includes cybersecurity, sits within our
ERM process and follows our governance
structure, with the Security Committee as a
sub-committee of the Compliance, Ethics,
Security and Risk Committee (CESR), which
acts as the oversight committee mandated
by the Board of Management (BoM).
The Security function led by the CISO
monitors risk prevention, detection,
mitigation and remediation processes
related to cybersecurity, and regularly
reports to the Security Governance and
to the Audit Committee. We believe each
member of the Supervisory Board is qualified
to advise on the oversight of cybersecurity
risks through their employment experience
and/or educational background in risk
management. We have implemented
processes to identify and respond to
cybersecurity threats intended to comply
with standards set by the International
Organization for Standardization (ISO
27002), International Society of Automation
(ISA/IEC 62443) and US National Institute
of Standards and Technology (NIST
Cybersecurity Framework). We have a
dedicated team that works to increase our
strength and maturity and minimize
exploitable vulnerabilities by monitoring
threats, assessing our vulnerability and
defining incident responses.
The central security organization was set up
to define the policies, procedures and the
adherence to these policies in a second line
role, coordinated closely with the security
representatives in the business.
In addition, the central security organization
delivers operational services to the ASML
organization via the Security Operations
Center (SOC). In case of incidents, the SOC
is to be the central point for dealing with
these incidents effectively.
In the event of a possible material
cybersecurity incident, the Corporate Crisis
Management team (CCMT) verifies the
assessment, proposed response and
disclosure requirements. The CCMT is
chaired by the Chief Operations Officer, who
reports to the Board of Management on our
proposed response and then takes the
decision to the Supervisory Board. A
dedicated governance structure is in place
to deal with a crisis situation effectively. The
Chief Information Security Officer (CISO)
coordinates the response as a second line of
responsibility, along with the security teams
in the business.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
We have a dedicated Security function to
ensure we properly manage all security
risks. The security risk assessment process,
which includes cybersecurity, sits within our
ERM process and follows our governance
structure, with the Security Committee as a
sub-committee of the Compliance, Ethics,
Security and Risk Committee (CESR), which
acts as the oversight committee mandated
by the Board of Management (BoM).
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
We have a dedicated Security function to
ensure we properly manage all security
risks. The security risk assessment process,
which includes cybersecurity, sits within our
ERM process and follows our governance
structure, with the Security Committee as a
sub-committee of the Compliance, Ethics,
Security and Risk Committee (CESR), which
acts as the oversight committee mandated
by the Board of Management (BoM).
In addition, the central security organization
delivers operational services to the ASML
organization via the Security Operations
Center (SOC). In case of incidents, the SOC
is to be the central point for dealing with
these incidents effectively.
In the event of a possible material
cybersecurity incident, the Corporate Crisis
Management team (CCMT) verifies the
assessment, proposed response and
disclosure requirements. The CCMT is
chaired by the Chief Operations Officer, who
reports to the Board of Management on our
proposed response and then takes the
decision to the Supervisory Board. A
dedicated governance structure is in place
to deal with a crisis situation effectively. The
Chief Information Security Officer (CISO)
coordinates the response as a second line of
responsibility, along with the security teams
in the business.
Cybersecurity Risk Role of Management [Text Block]
The Security function led by the CISO
monitors risk prevention, detection,
mitigation and remediation processes
related to cybersecurity, and regularly
reports to the Security Governance and
to the Audit Committee. We believe each
member of the Supervisory Board is qualified
to advise on the oversight of cybersecurity
risks through their employment experience
and/or educational background in risk
management. We have implemented
processes to identify and respond to
cybersecurity threats intended to comply
with standards set by the International
Organization for Standardization (ISO
27002), International Society of Automation
(ISA/IEC 62443) and US National Institute
of Standards and Technology (NIST
Cybersecurity Framework). We have a
dedicated team that works to increase our
strength and maturity and minimize
exploitable vulnerabilities by monitoring
threats, assessing our vulnerability and
defining incident responses.
The central security organization was set up
to define the policies, procedures and the
adherence to these policies in a second line
role, coordinated closely with the security
representatives in the business.
In addition, the central security organization
delivers operational services to the ASML
organization via the Security Operations
Center (SOC). In case of incidents, the SOC
is to be the central point for dealing with
these incidents effectively.
In the event of a possible material
cybersecurity incident, the Corporate Crisis
Management team (CCMT) verifies the
assessment, proposed response and
disclosure requirements. The CCMT is
chaired by the Chief Operations Officer, who
reports to the Board of Management on our
proposed response and then takes the
decision to the Supervisory Board. A
dedicated governance structure is in place
to deal with a crisis situation effectively. The
Chief Information Security Officer (CISO)
coordinates the response as a second line of
responsibility, along with the security teams
in the business.
Third-party cybersecurity risks
In order to both oversee and identify risks
from cybersecurity threats associated with
our use of third parties, all providers are
required to comply with our ASML Security
Controls (part of the Supplier Security
Policy). We assess and monitor providers
using a risk-based approach based on
standards set by the International
Organization for Standardization (ISO 27002),
the International Society of Automation
(ISA/IEC 62443) and the US National Institute of
Standards and Technology (NIST
Cybersecurity Framework). We also have a
dedicated team to deploy procedures to
increase our resistance strength and
minimize vulnerabilities by monitoring
threats, assessing our vulnerability through
testing and defining responses.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Security function led by the CISO
monitors risk prevention, detection,
mitigation and remediation processes
related to cybersecurity, and regularly
reports to the Security Governance and
to the Audit Committee. We believe each
member of the Supervisory Board is qualified
to advise on the oversight of cybersecurity
risks through their employment experience
and/or educational background in risk
management. We have implemented
processes to identify and respond to
cybersecurity threats intended to comply
with standards set by the International
Organization for Standardization (ISO
27002), International Society of Automation
(ISA/IEC 62443) and US National Institute
of Standards and Technology (NIST
Cybersecurity Framework). We have a
dedicated team that works to increase our
strength and maturity and minimize
exploitable vulnerabilities by monitoring
threats, assessing our vulnerability and
defining incident responses.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
The Security function led by the CISO
monitors risk prevention, detection,
mitigation and remediation processes
related to cybersecurity, and regularly
reports to the Security Governance and
to the Audit Committee. We believe each
member of the Supervisory Board is qualified
to advise on the oversight of cybersecurity
risks through their employment experience
and/or educational background in risk
management. We have implemented
processes to identify and respond to
cybersecurity threats intended to comply
with standards set by the International
Organization for Standardization (ISO
27002), International Society of Automation
(ISA/IEC 62443) and US National Institute
of Standards and Technology (NIST
Cybersecurity Framework). We have a
dedicated team that works to increase our
strength and maturity and minimize
exploitable vulnerabilities by monitoring
threats, assessing our vulnerability and
defining incident responses.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
In the event of a possible material
cybersecurity incident, the Corporate Crisis
Management team (CCMT) verifies the
assessment, proposed response and
disclosure requirements. The CCMT is
chaired by the Chief Operations Officer, who
reports to the Board of Management on our
proposed response and then takes the
decision to the Supervisory Board. A
dedicated governance structure is in place
to deal with a crisis situation effectively. The
Chief Information Security Officer (CISO)
coordinates the response as a second line of
responsibility, along with the security teams
in the business.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true