Libelium’s Artificial Inteligence Policy

Introduction

LIBELIUM COMUNICACIONES DISTRIBUIDAS S.L., hereinafter LIBELIUM, has always demonstrated a commitment to standardization, maintenance, and security in its products, architectures, and projects. This commitment is reflected in the company’s Mission, Vision, and Values, which serve as the fundamental basis for all work carried out by the entire staff.

The implementation of the ISO 42001 standard for Artificial Intelligence Management complements this commitment by formalizing it for both customers and suppliers and covering all aspects of security and privacy applicable to the organization.

This document has been approved and thereby enters into force on April 27, 2026. This document, titled ◼ P90_PRC04 Libelium AI Management Policy, Version 00, is effective from that date until it is replaced by a new Policy; see the last page for version control.

Context

Legal Framework

The use of AI in business is not arbitrary; it must comply with current laws to avoid legal risks and penalties:

EU AI Regulation: We comply with the transparency and risk management requirements set by the European Union, particularly in solutions for cities and public services.
Data Protection (GDPR): AI must respect privacy. No personal data is used to train models without the relevant legal safeguards.
National Security Scheme (ENS): As technology providers, we ensure that AI does not create security vulnerabilities in our clients’ infrastructure.

Using AI in Our IoT

At Libelium, AI is used to turn sensor data into useful information. We don’t just collect data—we interpret it:

Predictions: We use algorithms to forecast pollution levels (air quality) or irrigation needs (agriculture) based on sensor history.
Computer Vision: We apply AI to cameras to count vehicles, identify license plates in Low Emission Zones, or automatically detect traffic incidents.
Platform Optimization: Our iris360 platform uses data models to create “digital twins,” allowing customers to see what would happen in their city or industry if certain variables were changed.

Competitors and Market

The market trend has shifted from selling physical products (“boxes”/sensors) to providing solutions (“answers”/AI). We find ourselves in a landscape characterized by:

Major cloud providers (AWS, Google, Microsoft, OVH): They offer computing power, but not the physical sensors or the specific field expertise that we possess.
Pure-play software companies: They analyze data but rely on third parties for data capture. Our advantage is total control: from the sensor to the algorithm.
New players in Smart Cities: Companies trying to replicate our model. We stand out thanks to our 20 years of experience and our strict compliance with European data sovereignty standards.

Purpose

This Artificial Intelligence Management Policy (hereinafter, the AI Management Policy) establishes the principles, commitments, and general guidelines governing the design, procurement, development, use, operation, monitoring, maintenance, and decommissioning of artificial intelligence systems used by LIBELIUM.

The objective of this policy is to ensure that artificial intelligence is used responsibly, ethically, and securely, in compliance with legal, regulatory, and contractual requirements, while minimizing the technical, ethical, legal, and social risks associated with its use.

Scope

This policy applies to all artificial intelligence systems, whether proprietary or third-party, that fall within the scope of LIBELIUM’s Artificial Intelligence Management System (AIMS) and are used:

In the organization’s products, services, or platforms.
In internal environments or customer environments (on-premises, edge, or cloud).
Throughout their entire lifecycle, from acquisition or development through to retirement.

General-purpose tools with embedded AI capabilities are excluded from this policy, provided that such capabilities are not configured, trained, integrated, or used for relevant automated decision-making, nor are they part of products or services offered by the organization.

General Principles

LIBELIUM is committed to ensuring that the use of artificial intelligence is guided by the following principles:

Responsible use aligned with business objectives

AI systems will be used exclusively for legitimate purposes that are aligned with the organization’s strategic objectives and the value provided to customers and stakeholders.

Risk-based approach

AI management will be conducted using a risk-based approach, applying controls that are proportionate to the criticality and potential impact of each AI system.

Safety and reliability

AI systems must be designed, procured, and operated in a manner that ensures an appropriate level of security, availability, integrity, and resilience, consistent with the requirements of the environment and the business.

Transparency and traceability

An appropriate level of transparency and traceability regarding the operation, limitations, and risks of AI systems will be promoted, both internally and with respect to customers and other stakeholders, where applicable.

Ethical use and respect for fundamental rights

The organization will avoid using AI systems that could have unjustified negative impacts on individuals, groups, or fundamental rights, especially in sensitive contexts.

Human supervision

AI systems will be subject to appropriate human oversight, especially when their use may have significant impacts on people, critical processes, or important decisions.

AI Governance

LIBELIUM has established an AI governance model integrated into its existing management system, which ensures:

• Clear assignment of roles and responsibilities regarding AI.
• Oversight of risks associated with AI systems.
• Informed decision-making regarding the use, modification, or decommissioning of AI systems.

Management is committed to actively supporting the AI Governance System and to providing the necessary resources for its implementation, maintenance, and continuous improvement.

Lifecycle Management

All AI systems included within the scope of LIBELIUM’s SGIA must be managed throughout their lifecycle, including:

Pre-acquisition or pre-development assessment.
Risk identification and analysis.
Implementation and controlled operation.
Monitoring of behavior and performance.
Management of significant changes.
Decommissioning or dismantling when appropriate.

Supplier and Third-Party Management

Cuando se utilicen sistemas de IA de terceros, LIBELIUM evaluará, en la medida de lo posible:

Los riesgos asociados al proveedor y a la solución de IA.
Los aspectos de seguridad, fiabilidad, cumplimiento y uso ético.
Las condiciones contractuales relacionadas con el uso de IA.

La evaluación de IA de terceros se integrará en los procesos corporativos de gestión de proveedores.

Incident Management and Unforeseen Uses

LIBELIUM will establish mechanisms to:

Detect and manage incidents related to AI systems.
Identify unintended or improper uses.
Define and implement corrective and preventive actions when necessary.

Relevant AI incidents will be analyzed and reviewed within the framework of the AI Management System (SGIA) as outlined in ◼P90_PRC02 Information Use Policies.

Reports or communications from third parties outside Libelium will be submitted through the reporting channel available on the corporate website, by selecting the option “Other reports/inquiries.”

Awareness and Skills

LIBELIUM is committed to ensuring that individuals responsible for the design, development, use, or oversight of AI systems possess the appropriate awareness and skills commensurate with their roles. All training conducted at LIBELIUM is planned in the Annual Training Plan and managed in accordance with Process ◼P47: Internal and External Training.