Universal Registration Document 2024

RISK FACTORS AND INTERNAL CONTROL 2 RISK FACTORS

2.1.3 RISKS OF EXTERNAL THREATS

2 – A: CYBERSECURITY RISKS In a global context of increasing cyber-attacks, Groupe ADP may be exposed to malicious acts on its IT systems Criticality +++ Change in 2024 è Detailed description of the risk factor

Potential effects for the Group u Total or partial destruction of the Information System/Theft, encryption or misappropriation of data/standstill of airport activities

Cyber-attacks affect all sectors of the economy. Like other companies, year after year, Groupe ADP is subject to a growing number of attacks, mainly via distributed denial-of-service (DDOS) attacks on its information systems (IS) exposed on the Internet, and phishing campaigns aimed at stealing employees' professional login details.

u Impairment of intangible assets u Damage to image/reputation u Fines, regulatory non-compliance (GDPR, cyber regulations)

Interconnected risks u Geopolitical risks u Safety and security risks

u Risks related to network management u Risks related to portfolio management u Risks related to data management u Risks related to aviation safety

MAIN RISK MANAGEMENT SYSTEMS Faced with the resurgence of cyber-attacks, Groupe ADP is constantly adapting its technical security systems, its response processes, which are fully integrated into the Company’s crisis management, and its employee awareness raising initiatives in order to limit as much as possible the potential impacts on the Group's operational robustness and image. Groupe ADP relies on an information systems security policy and a dedicated governance that are intended to be standardised throughout the Group. The operational cybersecurity activity is comprised of three components: IT security maintenance, continuous monitoring of security events and an around-the-clock response system to combat cyber-attacks.

In preparation for the Olympic and Paralympic Games, Groupe ADP rolled out a programme to manage the specific risks associated with such an event. The absence of any visible impact from the numerous cyber-attacks to which the Group was subject during the Olympic Games has demonstrated the relevance of this programme, the achievements of which are being or will be perpetuated as part of ADP SA's security base.

111

UNIVERSAL REGISTRATION DOCUMENT 2024 w AÉROPORTS DE PARIS