Universal Registration Document 2024

2 RISK FACTORS AND INTERNAL CONTROL INTERNAL CONTROL AND RISK MANAGEMENT

Major incidents Major incidents or incidents linked to unacceptable risks are identified by the Group’s entities and a statement of reported incidents is produced. Internal audit It aims to provide the Group, in complete independence, with reasonable assurance over the degree of control over its operations, provide advice on improvements and contribute to creating added value. Certified by the IFACI since 2008, internal audit, with the support of dedicated and independent teams, assesses the operation of the risk management and internal control systems. Through its recommendations, it helps improve safety and optimise the overall performance of the Group’s entities. It may be mandated on the proposal of the Ethics and Personal Data Department to examine in greater depth certain items resulting from the investigations. The annual audit programme is shared with the Ethics and Personal Data Department and is presented to the Executive Committee and examined by the Audit and Risks Committee. External control structures In the first instance, this relates to the Statutory Auditors appointed by the General Meeting of 11 May 2021: Ernst & Young Audit and Deloitte & Associés. Moreover, Aéroports de Paris is subject to specific controls due to it being a majority French State-owned company. The Court of Auditors, the French Economic Affairs Committee of the National Assembly and the Senate, the French State's Economic and Financial Verification Mission, the French General Council for the Environment and Sustainable Development, in particular, are therefore responsible for overseeing the finance, management and internal control sectors. The Company is also subject to controls of an operational nature, which are carried out by the French Civil Aviation Authority and by the European Commission. Moreover, to obtain or maintain certification of their management systems, the various Group entities that are affected undergo annual external assessment audits, conducted by independent accredited organisations. These audits may lead to requests for improvement. Aéroports de Paris is also subject to assessments by financial and non-financial rating agencies. Limitations The risk control, risk management and internal control system can only provide reasonable and not absolute assurance regarding the overall control of the Group’s risks and objectives. Indeed, these systems have inherent limits, particularly regarding uncertainties affecting the environment and possible failings due to mistakes or human error.

The Group Internal Control team also works closely with its counterparts in the Group's entities to share information and best practices. Any discrepancy identified during self-assessment and field testing campaigns gives rise to action plans overseen by the Groupe ADP Internal Control team. To date, these systems relate in particular to administrative accounting and financial processes, ethics and data protection, personal safety and cybersecurity. Other key control manuals are currently being rolled out (damage to property, airport operations, etc.), as well as within the framework of the CSRD. Business continuity and crisis management Groupe ADP has implemented a business continuity and crisis management process for greater control of risks that have a major impact on business continuity. For this, it is supported by a Group Policy on Business Continuity. The aim is to guarantee services that are essential for the Group’s operations. It provides for different types of solutions (redundancy, fallback sites, downgraded mode, etc.). To date, it has been rolled out: u in France, as part of a business continuity plan (BCP) for each of the hubs (Paris-Charles de Gaulle, Paris-Orly and Paris-Le Bourget) and for each of the support activities essential to the smooth running of airport operations (IT systems and human resources); u abroad, through the formalisation of business continuity plans (BCP) within the Group’s hubs. With regard to crisis management, Groupe ADP’s system aims to ensure continuity of the Group’s operational control and the speed and quality of its response to major events. It must contribute to optimally keep the activities at satisfying levels of quality while remaining in compliance with regulatory security and safety obligations. The Group’s crisis management system is based in particular on the existence of on-call teams trained in the various situations envisaged. Crisis exercises are also carried out several times per year to test the system’s effectiveness, with feedback enabling improvements to be made. Insurance and risk transfer The financial consequences of certain risks can be covered by insurance policies when their order of magnitude justifies it and according to the capacity available in the insurance and reinsurance markets under acceptable terms and conditions (see “Group’s general insurance policy” below). The Legal and Insurance Department oversees the general policy on Group risk transfers (see below), manages the use of insurance within the Group and provides coordination and expertise in this area in France and worldwide. Periodic monitoring of the system Oversight of the risk management system entails: u the monitoring of major incidents and incidents due to unacceptable risks; u internal audit; u external structures (see below).

126

AÉROPORTS DE PARIS w UNIVERSAL REGISTRATION DOCUMENT 2024