STOCK TITAN

Axia Energia (NYSE: EBR) revises risk and internal controls framework

Filing Impact: Neutral
Filing Sentiment: Neutral
Form Type: 6-K

Rhea-AI Filing Summary

Axia Energia S.A. files a Form 6-K presenting Edition 9.0 of its Risk Management and Internal Controls Policy, effective April 30, 2026 and valid for five years. The policy defines how the company identifies, assesses, treats, monitors and communicates risks across its operations.

It formalizes a risk appetite statement, adopts the Three Lines Model, and details responsibilities for the Board of Directors, Executive Board, Audit and Risk Committee, Fiscal Council, risk owner areas, control owner areas and Internal Audit. The framework is aligned with Brazilian anti-corruption laws, FCPA, Sarbanes-Oxley sections 302 and 404, COSO, ISO 31000, IBGC governance guides and B3 Novo Mercado rules, and it revokes the prior policy approved in December 2025.

Positive

  • None.

Negative

  • None.

Policy edition: Edition 9.0 (Risk Management and Internal Controls Policy)
Effective date: 04/30/2026 (Policy effective date)
Validity period: 5 years (Stated policy validity)
First policy approval: 12/08/2010 (Edition 1.0 approval, RES-1279)

Risk Appetite (financial)
"Risk Appetite – Limit of exposure to risks that the Company is willing to accept"
Risk appetite is the amount and kinds of uncertainty or potential loss an investor or organization is willing to accept in pursuit of returns or goals; think of it like how much spice someone will tolerate in a dish before it becomes unpleasant. It matters because it shapes what investments are chosen, how much volatility a portfolio can endure, and the balance between seeking higher gains and protecting capital.

Three Lines Model (financial)
"Axia Energia adopts its risk management and internal controls model based on the Three Lines Model"

COSO ERM 2017 (financial)
"COSO ERM 2017 (Committee of Sponsoring Organizations of the Treadway Commission – Enterprise Risk Management)"

Foreign Corrupt Practices Act (FCPA) (regulatory)
"Foreign Corrupt Practices Act (FCPA), 1977."

Sarbanes-Oxley Act of 2002 (regulatory)
"Sarbanes-Oxley Act of 2002, with emphasis on sections 302 and 404."

Novo Mercado Regulation of B3 (regulatory)
"Novo Mercado Regulation of B3 S.A. – Brasil, Bolsa, Balcão."

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549


FORM 6-K

 

Report of Foreign Private Issuer
Pursuant to Rule 13a-16 or 15d-16 of the

Securities Exchange Act of 1934

 

For the month of May, 2026

 

Commission File Number 1-34129

 


 

AXIA Energia S.A.

(Exact name of registrant as specified in its charter)




AXIA Energia S.A.

(Translation of Registrant's name into English)




Avenida Graça Aranha, 26
Centro, CEP 20030-900
Rio de Janeiro, RJ, Brazil

(Address of principal executive office)



Indicate by check mark whether the registrant files or will file annual reports under cover Form 20-F or Form 40-F. 

Form 20-F ___X___ Form 40-F _______

Indicate by check mark whether the registrant by furnishing the information contained in this Form is also thereby furnishing the information to the Commission pursuant to Rule 12g3-2(b) under the Securities Exchange Act of 1934.

Yes _______ No___X____

CLASSIFICATION: PUBLIC
POLICY
PO-GN.01-002 Risk Management and Internal Controls
Edition 9.0
Effective Date 04/30/2026

PREPARED BY:
Vice-Presidency of Governance and Sustainability | Risk Management Directorate

REVIEWED BY:
Process and Normative Management | Compliance Directorate
Corporate Governance Directorate | General Legal Directorate

APPROVED BY:
Executive Board (DE) – RES-181/2026, of 04/22/2026
Board of Directors (CA) - DEL-051/2026, of 04/30/2026

VALIDITY: 5 years

The contents of this document may not be reproduced without proper authorization. All rights belong to Axia Energia.

TABLE OF CONTENTS
1 Introduction
2 References
3 Conceptualization
4 Principles
5 Guidelines
6 Responsibilities
7 General Provisions
8 Amendment History
9 Appendices / Annexes

1 INTRODUCTION

1.1 PURPOSE
Establish principles, guidelines and responsibilities to guide the processes of identification, evaluation, treatment, monitoring and communication of risks and internal controls inherent to Axia Energia's activities, incorporating the risk perspective into strategic planning and decision-making, as well as the internal controls perspective into its processes, in accordance with applicable regulations and best market practices.

1.2 SCOPE
This policy applies to Axia Energia.

2 REFERENCES

2.1 Federal Law no. 12.846/2013 (Anti-Corruption Law) – Provides for the administrative and civil liability of legal entities for the practice of acts against the public administration, national or foreign, and makes other provisions.
2.2 Federal Decree No. 11.129/2022 – Regulates Law No. 12.846, of August 1, 2013, which provides for the administrative and civil liability of legal entities for the practice of acts against the public administration, national or foreign.
2.3 Foreign Corrupt Practices Act (FCPA), 1977.
2.4 Sarbanes-Oxley Act of 2002, with emphasis on sections 302 and 404.
2.5 CVM Resolution No. 80/2022 (as amended a posteriori) – Provides for the registration of issuers of securities admitted to trading on regulated securities markets.
2.6 COSO 2013 (Committee of Sponsoring Organizations of the Treadway Commission) – Internal Control – Integrated Framework.
2.7 COSO ERM 2017 (Committee of Sponsoring Organizations of the Treadway Commission – Enterprise Risk Management).
2.8 Axia Energia's Code of Conduct.
2.9 Code of Best Corporate Governance Practices of the Brazilian Institute of Corporate Governance – IBGC, 2023.
2.10 Corporate Governance Notebooks – Corporate Risk Management – Evolution in Governance and Strategy – IBGC, 2017.
2.11 Standard ABNT NBR ISO 31000:2018 – Risk Management – Guidelines.
2.12 IIA 2020 Three Lines Model (Institute of Internal Auditors).
2.13 Compliance Policy.
2.14 Novo Mercado Regulation of B3 S.A. – Brasil, Bolsa, Balcão.

3 CONCEPTUALIZATION

3.1 ACRONYMS
3.1.1 CA – Board of Directors
3.1.2 CAE – Audit and Risk Committee
3.1.3 CF – Fiscal Council
3.1.4 DE – Executive Board

3.2 CONCEPTS
3.2.1 Risk Appetite – Limit of exposure to risks that the Company is willing to accept to achieve its strategic objectives and create value for shareholders.
3.2.2 Control Owner Area - Organizational unit responsible for internal control, including its adequacy, execution and documentation of evidence.
3.2.3 Risk Owner Area (Risk Owner) – Organizational unit that holds authority and responsibility for risk management.
3.2.4 Axia Energia – Centrais Elétricas Brasileiras S/A and companies in which it has direct or indirect corporate control.
3.2.5 Internal Controls – Set of actions and procedures aimed at managing risks and increasing the likelihood that the objectives and goals established by the Company will be achieved.
3.2.6 Board of Directors - Collegiate body of Axia Energia responsible for establishing the general orientation of the company's business, defining its strategic direction, ensuring the proper functioning of the governance, risk management and internal control systems and ensuring the orderly succession of management.
3.2.7 Deficiency – Absence or failure of control that does not allow adequate mitigation of the associated risk, also known as internal control gap.
3.2.8 Executive Board – Collegiate body composed of the President and Vice-Presidents, which has specific powers and authority conferred by the Bylaws and the Board of Directors.
3.2.9 Risk Event – Event or situation, arising from an internal or external source, that affects, or has the potential to negatively affect, the achievement of a Company objective.
3.2.10 Integrated Management of Risks and Internal Controls – Architecture implemented in the Company for risk management and internal controls, based on common methodology and language and aligned with the other lines. Through a structured approach and a better understanding of the interrelationships between risks and internal controls, it aligns strategy, processes, people, technology and knowledge, with the objective of preserving and creating value for the company and its shareholders.
3.2.11 Impact – Result of the materialization of a risk that affects the Company's business, processes and operations, which may be expressed qualitatively and/or quantitatively.
3.2.12 Uncertainty – State, even if partial, of the deficiency of information related to an event, its understanding, knowledge, consequence or probability, which may constitute a threat to the company.
3.2.13 Risk Indicator – Measurement that, associated with the context assessment, is used to assess the risk behavior and provide alerts regarding the level of exposure or the potential for future loss.
3.2.14 Three Lines Model – Set of principles and guidelines prepared and disseminated by IIA Global (The Institute of Internal Auditors), with the objective of clarifying and organizing the responsibilities and roles of the organization's professionals in risk management and internal controls.
3.2.15 Risk Portfolio – Set of risk events identified by the Company, described and classified into pillars and categories.
3.2.16 Probability – Chance of something happening, regardless of whether it is defined, measured or determined objectively or subjectively, qualitatively or quantitatively.
3.2.17 Professional – For the purposes of this normative document, "professional" is considered to be the term equivalent to "worker", as defined in ISO 45001, covering any person who performs work or carries out work-related activities under the responsibility of Axia Energia, within the scope of its safety, health and occupational protection guidelines.
Note 1: This includes people who perform work or work-related activities, paid or unpaid, regularly or temporarily, intermittently or seasonally, on a full-time or part-time basis.
Note 2: The concept of professional covers members of Management, as well as people in managerial and non-managerial level positions.
Note 3: Work-related activities may be performed by Company employees, external supplier professionals, contractors, agency professionals, individuals or third parties, provided that Axia Energia has responsibility for occupational health and safety conditions, subject to applicable legal and contractual limits.
3.2.18 Remediation of Deficiencies – Action plan documented by the area responsible for the deficiency, in order to address inconsistencies identified during the tests carried out by internal and external audits.
3.2.19 Risk Response – Action taken to reduce, maintain or avoid the Company's exposure to risk, acting on the probability and/or impact, including, but not limited to, internal controls.
3.2.20 Risk – Negative effect of uncertainties on the Company's objectives.

4 PRINCIPLES

4.1 Risk Appetite Statement
4.1.1 Value creation is essential for the Company. Leadership in our market, through investments in generation, transmission and commercialization focused on clean energy, is part of our sustainable growth agenda. We do not tolerate decisions that may compromise the health and safety of our employees and third parties, or any other person, as well as the operational safety of our assets, profitability, financial discipline, corporate sustainability and ethical and compliance standards.
We seek to be innovators, considering the relevance of investing in other segments, diversifying our portfolio of businesses and services, in synergy and appropriate to the company's strategy.

4.2 Value Generation for Axia Energia
4.2.1 The Company recognizes that integrated risk management and internal controls are directly related to the strategic guidelines of sustainable growth, profitability and value creation for the company by allowing the preventive identification of threats to business objectives, weaknesses in processes and risk-based decision-making.

4.3 Adoption of Good Corporate Governance Practices
4.3.1 The Company adopts the best corporate governance practices, with regard to risk management, internal controls and anti-fraud and anti-corruption policies and practices, in a systematic, structured and timely manner, in order to improve and maintain the transparency and quality of its information, disclosed internally and externally, seeking a better reputation with the market and a differential in generating value for its shareholders and other stakeholders.

4.4 Use of Standards and Methodologies Recognized by the Market
4.4.1 With a model based on formalized methodologies and standards, recognized by the market and disseminated in the Company, integrated risk management and internal controls are aligned with strategies, initiatives and organizational structures, in addition to meeting the requirements of sectoral, regulatory and supervisory bodies.
4.4.2 To support risk management and internal control activities, the Company adopts, in an integrated manner, a unique systemic solution that has functionalities for continuous assessment and monitoring of the risks inherent to its business, in addition to allowing the self-assessment of design and effectiveness tests for internal controls, thus allowing the reliability of information and security to the business where the Company operates.

4.5 Establishment of Roles and Responsibilities
4.5.1 The Company formally defines and communicates the roles and responsibilities of each of the employees involved in the risk management and internal control processes.

4.6 Involvement of Governance Bodies
4.6.1 The performance of the Board of Directors, the Audit and Risk Committee, the Fiscal Council and the Executive Board assumes a primordial role for the success of the risk management and internal control processes, since they are the main ones involved in decision-making on strategic issues of the Company.

4.7 Establishment and Maintenance of the Infrastructure Required for Integrated Risk Management and Internal Controls
4.7.1 To manage risks and internal controls efficiently, the Company has an adequate and integrated infrastructure of processes, people and technology, establishing clear and objective communication mechanisms.

4.8 Integration of Risk Management and Internal Controls into Organizational Processes
4.8.1 Integrated risk management and internal controls permeate the Company's organizational practices and processes, in order to:
a) ensure the identification of inherent and residual risk events in their business areas, whether individual or corporate;
b) ensure the effectiveness of its processes, through periodic mapping, self-assessment and internal control effectiveness tests.

4.9 Periodic Analysis of Risk Management and Internal Controls at Axia Energia
4.9.1 The risk management and internal control areas play a critical role for the Company and must ensure the effectiveness of risk management and internal controls through frequent reviews, supporting the achievement of its objectives.
4.9.2 The Company evaluates its maturity in risk management, through a model adapted from the Corporate Governance Guides – Corporate Risk Management, of the Brazilian Institute of Corporate Governance (IBGC), and evaluates the control environment through tests of effectiveness in its internal controls.

4.10 Adoption of the Three Lines Model
4.10.1 Axia Energia adopts its risk management and internal controls model based on the Three Lines Model, illustrated in the organization chart in Appendix I, which ensures the clear definition of roles and responsibilities to support the achievement of objectives, protection and value creation. In this context:
a) First line: It comprises the business areas, process and project managers, being responsible for the execution of operations and the delivery of products and services, including the Presidency and Vice-Presidencies. It is responsible for the direct management of risks and the implementation of effective internal controls, ensuring that activities take place in accordance with corporate, legal and ethical guidelines. By managing risks at source, the first line ensures operational continuity and the generation and protection of value necessary to achieve organizational objectives;
b) Second line: It is composed of specialist areas that establish guidelines, methodologies and standards for risk management, internal controls and compliance – being represented by the Governance, Compliance, Information Security, Sustainability and Risks and Internal Controls Boards.
Its role is to support the first line through technical support, monitoring and constructive questioning, without replacing its responsibility for risk management and control execution. By strengthening the resilience, integrity and reliability of information, the second line contributes directly to the generation of value for stakeholders, through the creation of an environment of trust and transparency and to the protection of value through risk-based decision-making;
c) Third line: Represented by the Internal Audit, reporting to the CAE and the Board of Directors, it provides independent assessment and advice on the effectiveness of governance, risks and internal controls. Acting with full autonomy in relation to management, it reports its conclusions directly to the governance bodies to promote continuous improvement and the achievement of objectives. This function is essential for protecting value, ensuring that organizational processes are resilient, transparent and aligned with Axia Energia's best market practices and strategic objectives.

4.11 Reporting Structure
4.11.1 The company's risk management structure is based on the best governance practices, ensuring the autonomy and independence of the areas responsible for the risk management and audit processes, as well as the transparency and free flow of information to the governance bodies, facilitating decision making.
4.11.2 The reporting lines between the areas involved in the process, with the identification of the performance of the three lines, are illustrated in the organization chart inserted in Appendix I of this policy.

5 GUIDELINES

5.1 Axia Energia, in order to achieve the objectives established in this policy, must perform the macro-steps of the risk management and internal control processes described in the following sub-items.

5.2 Risk identification and mapping of internal controls
5.2.1 The identification of risks must recognize and describe the main risks to which the Company is exposed, whether of a strategic or operational nature, including possible changes in its business environment.
5.2.2 For risks of a strategic nature, a corporate Risk Portfolio with events, their respective descriptions and the owners of the risks must be defined.
5.2.2.1 The identification of risks of a strategic nature must be carried out with the participation of the Executive Board and those responsible for the business areas.
5.2.3 For risks of an operational nature, inherent to the Company's processes, internal controls that operate in accordance with the activities performed by the management area must be mapped and designed, in order to ensure operational efficiency, accurate reports and compliance with current laws, regulations and policies.
5.2.3.1 The documentation of internal controls is a guiding and essential tool for the execution of independent tests, whose working papers and planned activities are based on the controls described therein.

5.3 Assessment of risks and internal control environment
5.3.1 In the case of risks of a strategic nature, after their identification, causes and consequences must be raised and qualitative and/or quantitative analyses must be carried out, aiming at the definition of the impact and probability attributes, used in the prioritization of the risks to be treated.
5.3.1.1 In the assessment of strategic risks, the survey and analysis of existing responses and internal controls should also be considered, thus determining the residual risks.
5.3.2 In the case of risks of an operational nature, the internal control environment must be periodically evaluated through Management's tests, contemplating in its scope the key controls, which must be determined based on their relevance to the results of the processes and to the achievement of the Company's objectives and goals.
5.3.2.1 Management's tests aim to evaluate the effectiveness of controls and identify any ineffective controls, as well as recommend improvements to improve the internal control environment.
5.3.2.2 The external auditor performs the independent tests in accordance with the auditing standards and presents the result of the work through the internal control report, in connection with the financial statements.

5.4 Treatment of risks and remediation of internal control deficiencies
5.4.1 After the evaluation, the Executive Board's position with respect to a risk of a strategic nature must be aligned with the risk appetite defined by the Board of Directors. The positioning options are:
a) avoid: the company chooses not to start or continue in business, processes and activities that may generate risks or cause its exposure;
b) coexist/accept: the company understands that the exposure to risk is in accordance with its appetite; or understands that the effort to mitigate or transfer it would be greater than the value of the impact caused by its materialization; or, due to the risk being of external origin, but inherent to its activities, there is no way to reduce its exposure. Coexisting with the risk presupposes monitoring the Company's exposure to risk;
c) mitigate/transfer: the company seeks to minimize its exposure to risk, either by reducing the impact and/or probability with risk responses and/or design of internal controls, or by transferring/sharing the impacts of the risk with other agents.
5.4.1.1 If the position is to avoid, mitigate or transfer, the Company must execute responses, including through internal controls, aimed at maintaining risk exposure in line with the appetite approved by the Board of Directors.
5.4.2 Deficiencies identified in the internal control environment, whether through Management testing or Independent Audit assessment, must be addressed and remedied through deficiency-specific action plans.
5.4.2.1 Whenever there is a formalized indication of deficiencies, action plans must be created by the areas that own the controls, with the support of the internal controls area, to adapt ineffective controls and/or create necessary controls.

5.5 Monitoring of risks and the internal control environment
5.5.1 In the monitoring process, you must:
a) supervise the implementation and maintenance of risk responses and action plans to remedy internal control deficiencies;
b) verify the achievement of the objectives of the responses and the remediation plans established, through continuous management activities and/or independent evaluations;
c) ensure that responses and remediation plans are fit for purpose, effective and efficient;
d) detect changes in the external and internal context, identifying emerging risks;
e) analyze changes in risk events, processes, trends, successes and failures, and learn from them.
5.5.1.1 In the periodic assessments of strategic risks, the risk owner areas must make efforts to additionally define proactive monitoring metrics and/or models, or even risk indicators, so that, where defined by the Board of Directors, the status of risk exposure can be monitored, in a more specific format and detail, compared to the limits and tolerances determined by the Board of Directors itself.

5.6 Communication of risks and internal controls
5.6.1 Communication, during all stages of the risk management and internal control processes, must reach all stakeholders, being carried out in a clear and objective manner, respecting the good governance practices required by the market.

6 RESPONSIBILITIES

6.1 Board of Directors
6.1.1 Ratify the approval of this policy.
6.1.2 Approve the reporting schedule, as well as its revisions, upon proposal of the Executive Board and opinion of the CAE.
6.1.3 Determine the risk appetite, upon proposal of the Executive Board and opinion of the CAE.
6.1.4 Supervise the risk management and internal control processes, through regular reports from the Executive Board, evaluated by the CAE, focusing on the adequacy of the process, risk responses and the results of internal control tests.

6.2 Audit and Risk Committee
6.2.1 Monitor the risk management and internal control processes, bringing the most relevant findings to the attention of the Board of Directors.
6.2.2 Analyze all material submitted to the Board of Directors about the Company's risk management and internal controls, issuing a prior opinion.

6.3 Fiscal Council
6.3.1 Contribute to the relevant topics, recording in its minutes the additional information it deems necessary or useful to the risk management and internal control processes.

6.4 Executive Board
6.4.1 Evaluate the adequacy of the risk management and internal control processes through periodic reports, discussing and validating, in the collegiate body or by Vice-Presidency, the evaluations presented by the risk owner areas, as well as defining the risk position, according to the appetite approved by the Board of Directors.
6.4.2 Periodically monitor the results of the control tests performed by the internal and external audits.
6.4.3 Ensure the implementation of risk management and internal controls in the Company, allocating the necessary resources to the process and defining the appropriate infrastructure for the activities.
6.4.4 Approve standards governing risk management processes and internal controls.
6.4.5 Approve the corporate Risk Portfolio.
6.4.6 Define the risk owner areas.
6.4.7 Evaluate deficiencies reported by internal and external audits, according to the degree of criticality.
6.4.8 Approve the Risk Management and Internal Controls Policy, as well as propose the risk appetite and the schedule of risk reports and internal controls, including their reviews, forwarding them to the opinion of the CAE and, subsequently, to the approval of the Board of Directors.

6.5 Risk Management and Internal Controls Areas
6.5.1 Act as a second line, coordinating and defining the standards to be followed with regard to the risk management and internal control processes, their support systems and the forms and frequency of reports.
6.5.2 Support and ensure the identification, assessment, treatment and monitoring of risks and internal controls by the owner areas, as well as consolidate and report to the Executive Board and the Board of Directors the situation of the risks of the corporate Risk Portfolio and the results of the control tests.
6.5.3 Disseminate the culture of risks and internal controls in the Company.
6.5.4 Propose the Risk Management and Internal Controls Policy, standards on risk management and internal control processes and the corporate Risk Portfolio for approval by the Executive Board.

6.6 Risk Owner Areas
6.6.1 Act as the first line, managing the risks inherent to its activities, through identification, evaluation, treatment and monitoring.
6.6.2 Provide the risk management areas with all the necessary information, with robustness and reliability.

6.7 Internal Control Owner Areas
6.7.1 Act as the first line, ensuring the proper execution of internal controls and the documentation of the necessary evidence.
6.7.2 Inform the internal controls area, in a timely manner, of the need to update the controls under its responsibility.
6.7.3 Implement the action plans defined to remedy the deficiencies pointed out by internal and external audits.

6.8 Internal Audit
6.8.1 Evaluate the effectiveness of the risk management and internal control processes, interacting with the responsible areas regarding the verifications carried out.
6.8.2 Evaluate the adequacy of risk responses, recommending, when necessary, improvements to the risk owner areas.
6.8.3 Perform management tests, verifying that internal controls are appropriate and capable of mitigating the associated risks and that they are operating in accordance with the design.
6.8.4 Prepare and submit periodic reports of their evaluations to the Board of Directors and the CAE.

7 GENERAL PROVISIONS

7.1 This policy is in line with the Company's other policies.
7.2 The legal and regulatory provisions related to the subject and the specific legal determinations and agreements currently in force must be observed.
7.3 This policy can be broken down into other specific normative documents, always aligned with the principles and guidelines established herein.
7.4 The normative documents and provisions contrary to this policy are revoked, in particular the Risk Management and Internal Controls Policy, approved by RES-482/2025 of 12/02/2025 and DEL-209/2025 of 12/11/2025.

8 AMENDMENT HISTORY

Edition | Name | Doc. and date of approval
1.0 | Risk Management Policy of Eletrobras Companies | RES-1279, of 12/08/2010 and DEL-059/2011, of 04/29/2011
2.0 | Risk Management Policy of Eletrobras Companies | RES-509/2014, of 07/28/2014, and DEL-132/2014, of 10/30/2014
3.0 | Risk Management Policy of Eletrobras Companies | RES-521/2016, of 08/23/2016, and DEL-170/2016, of 09/23/2016
4.0 | Risk Management Policy of Eletrobras Companies | RES-639/2019, of 09/16/2019 and DEL-204/2019, of 09/26/2019
5.0 | Risk Management Policy of Eletrobras Companies | RES-381/2021, of 06/07/2021, and DEL-135/2021, of 06/18/2021
6.0 | Risk Management Policy of Eletrobras Companies | RES-539/2022, of 11/14/2022, and DEL-167/2022, of 12/01/2022
7.0 | Risk Management and Internal Controls | RES-308/2024, of 06/11/2024 and DEL-114/2024, of 06/20/2024
8.0 | Risk Management and Internal Controls | RES-482/2025, of 12/02/2025 and DEL-209/2025, of 12/11/2025

Main changes: Inclusion of item 6.0 Reporting Structure and Appendix I.

9 APPENDICES

Appendix I – Risk Management Organizational Structure.

Appendix I – Risk Management Organizational Structure

 

 
 

 
 

 
 

 
 

 
 

 
 

 
 

 
 

 
 

 
 

 
 

 
 

 

 

 

 
 

SIGNATURE

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized.

Date: May 8, 2026

AXIA Energia S.A.

By: /s/ Eduardo Haiama

Eduardo Haiama

Vice-President of Finance and Investor Relations

FORWARD-LOOKING STATEMENTS

 

This document may contain estimates and projections that are not statements of past events but reflect our management’s beliefs and expectations and may constitute forward-looking statements under Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities and Exchange Act of 1934, as amended. The words “believes”, “may”, “can”, “estimates”, “continues”, “anticipates”, “intends”, “expects”, and similar expressions are intended to identify estimates that necessarily involve known and unknown risks and uncertainties. Known risks and uncertainties include, but are not limited to: general economic, regulatory, political, and business conditions in Brazil and abroad; fluctuations in interest rates, inflation, and the value of the Brazilian Real; changes in consumer electricity usage patterns and volumes; competitive conditions; our level of indebtedness; the possibility of receiving payments related to our receivables; changes in rainfall and water levels in reservoirs used to operate our hydroelectric plants; our financing and capital investment plans; existing and future government regulations; and other risks described in our annual report and other documents filed with the CVM and SEC. Estimates and projections refer only to the date they were expressed, and we do not assume any obligation to update any of these estimates or projections due to new information or future events. Future results of the Company’s operations and initiatives may differ from current expectations, and investors should not rely solely on the information contained herein. This material contains calculations that may not reflect precise results due to rounding.


FAQ

What did Axia Energia (EBR) disclose in this Form 6-K?

Axia Energia disclosed Edition 9.0 of its Risk Management and Internal Controls Policy. The document explains how the company manages risks and internal controls, formalizing principles, guidelines, processes and responsibilities across governance bodies and management for a structured, company-wide framework.

What is the purpose of Axia Energia (EBR)'s Risk Management and Internal Controls Policy?

The policy’s purpose is to set principles, guidelines and responsibilities for identifying, evaluating, treating, monitoring and communicating risks and internal controls. It aims to embed risk and control perspectives into strategic planning and decision-making, supporting value creation and protection for shareholders.

When does Axia Energia (EBR)'s updated risk policy take effect and how long is it valid?

Edition 9.0 of the Risk Management and Internal Controls Policy is effective from April 30, 2026. The document specifies a five-year validity period, during which it guides risk and control activities, unless amended or replaced by new approvals from company governance bodies.

Which governance bodies are responsible for risk management at Axia Energia (EBR)?

Responsibilities are shared among the Board of Directors, Audit and Risk Committee, Fiscal Council, Executive Board, risk management and internal controls areas, risk owner areas, internal control owner areas and Internal Audit. Each body has defined roles for approving appetite, overseeing processes and evaluating effectiveness.

What frameworks and regulations guide Axia Energia (EBR)'s risk and control practices?

The policy references Brazil’s Anti-Corruption Law and Decree, the Foreign Corrupt Practices Act, Sarbanes-Oxley Act sections 302 and 404, CVM Resolution 80, COSO internal control and ERM frameworks, ISO 31000, IBGC governance codes and B3 Novo Mercado regulations as guiding standards.

How does Axia Energia (EBR) apply the Three Lines Model in risk management?

Axia Energia defines the first line as business and process areas managing risks and controls, the second line as governance, compliance, information security, sustainability and risk/control directorates, and the third line as Internal Audit. This structure clarifies roles for executing, overseeing and independently assessing risk management.