2022 Universal Registration Document

R i sk and r i sk management

Risk factors

MAIN RISK MANAGEMENT SYSTEMS Given the confidence of investors in the strength of its financial model and with its long-term credit rating (A, negative outlook from the Standard and Poor’s agency since 25 March 2020, confirmed on 17 December 2021 and 21 December 2022), and a comfortable cash position at end-2022, Groupe ADP ensures that, in the event of a significant deterioration in the economic and health situation, it would be in a position to meet its commitments and obtain additional financing. Nevertheless, the risk remains current in the event of a multiplication of pandemics or a prolonged crisis lasting longer than the Covid crisis of 2020. As there were no major refinancing maturities, the Group was not impacted by interest rate increases. In addition, the rate of

the fixed portion of our debt remains high, i.e. 94%, thus limiting the impact of interest rate increases. (see Note 9.4.3 “Analysis of risks related to financial instruments”, detailing the breakdown of fixed-rate/variable-rate financial liabilities). In addition, Aéroport de Paris announced on 19 December 2022 the implementation of its first Euro Medium Term Notes (EMTN) program. The program’s base prospectus received visa 22 492 from the French Financial Markets Authority ( Autorité des marchés financiers - AMF) on 16 December 2022. This EMTN program enables Aéroport de Paris to issue debt securities within very short periods of time.

2

2.1 .3 RISKS OF EXTERNAL THREATS

2 - A: CYBERSECURITY RISKS In a global context of increasing cyber-attacks, Groupe ADP may be exposed to malicious acts on its information systems. Criticality +++ Change in 2022 Detailed description of the risk factor

Potential effects for the Group — Total or partial destruction of the Information System/Theft, encryption or misappropriation of data / paralysis of airport activities — Impairment of intangible assets — Damage to image/reputation — Fines, regulatory non-compliance (GDPR, specific European aviation regulations)

Malicious attacks are multiplying in the digital space at a sustained rate, all over the world, affecting all sectors of the economy. Like all companies, Groupe ADP has seen a significant increase in phishing campaigns and the exploitation of potential vulnerabilities of its digital assets. Malicious acts on the Group’s information systems could affect the availability of critical systems, the confidentiality and integrity of data, whether proprietary or entrusted by customers, suppliers or partners, and could even weaken its security systems, and may have unfavourable consequences on the Group’s operational robustness and performance, as well as on the Group’s image and reputation.

Interconnected risks — Geopolitical risks — Safety and security risks

— Risks related to network management — Risks related to portfolio management — Risks related to data management — Aviation safety risks

MAIN RISK MANAGEMENT SYSTEMS In view of these challenges, Groupe ADP has been undertaking actions for many years to continuously strengthen the security of its information systems while relying on a dedicated policy and governance. Although the implementation of this plan is made more difficult in the post-health crisis socio-economic context, the Company is adapting to the increase in the threat, in particular via an ambitious recruitment plan in a job market in tension. The deployment of the IS Security Policy in the Group’s airports is continuing with the aim of standardising cybersecurity governance. The Group’s cybersecurity activity also remains mainly focused on surveillance, via its Security Operations Center

operated by HubOne/Sysdream, and the rapid reaction to cyber malicious acts. With an increased probability of cyberattacks in the context of the Paris 2024 Olympic and Paralympic Games, the Group aims to implement cyber coordination (alert sharing - coordination in the event of a crisis) at the level of the airport community. Actions to strengthen resilience are also planned for 2023, including partial recovery exercises for the information system in the event of total destruction of the information system.

149

AÉROPORTS DE PAR I S / UN I VERSAL REG I STRAT I ON DOCUMENT 2022