Universal Registration Document 2024

SUSTAINABILITY REPORT 4 GOVERNANCE MATTERS

4.4.2.4. Control and whistleblowing systems [G1-1-10-(a)] → Description of mechanisms for identifying, reporting and investigating concerns about unlawful behaviour or behaviour in contradiction of its code of conduct or similar internal rules Deployment, action plans and controls A unit within the Ethics and Personal Data Department oversees the roll-out of the programme across all entities. For entities controlled by Groupe ADP, the programme is deployed in a consistent manner using an annual scorecard. For joint ventures and other entities under joint control, discussions with the partners are used to define the components of the programme to be implemented, ensuring that they cover all of Groupe ADP's pillars and principles. Lastly, with regard to non-controlled entities, Groupe ADP promotes principles and the sharing of experience in order to identify best practices and areas for improvement. The support of entity management and Group representatives on entity management bodies is key to rolling out the programme and promoting ethics and compliance principles. An action plan for each audited entity is drawn up and monitored each year, taking into account actions arising from the mapping of corruption risks, the Ethics Climate Barometer, the deployment of specific ethics and compliance controls, the scorecard and new programme components to be rolled out. In addition to the Ethics and Compliance risk included in the Group risk map, a specific corruption risk map is drawn up on a regular basis to identify potential corruption risk scenarios and define prevention actions. The last exercise was carried out in 2024. The results of this mapping are shared with the management bodies of the various subsidiaries, as well as with departments that have populations at risk. They are subject to follow-up action plans. In order to monitor action plans over a longer period, mapping exercises are carried out every three years, with the exception of newly integrated entities, for which the mapping exercise is carried out within a year of their integration. As with the other systems, ethics and compliance is subject to customary audit and internal controls (first level control self-assessments and second level control field testing). Internal control is based on the Group's key control manuals: u a manual identifying anti-corruption and fraud controls; u an ethics and compliance manual designed in particular to monitor the application of the pillars of the anti-corruption programme; u a data protection manual to ensure compliance with the GDPR. Groupe ADP carries out spot checks on audited entities using the questionnaire issued by the French Anti-Corruption Agency: the entities complete the questionnaire and a dedicated data room is set up. In 2024, the Group requested a review of this exercise by an external firm on a limited scope in connection with the mapping of corruption risks. This completes the set of first-level control exercises. In 2024, Groupe ADP also received confirmation that the World Bank sanction had been lifted.

Project risk prevention and third-party assessment The Group's procedure for assessing third parties makes it possible to prevent, identify and assess the risks relating to corruption, conflicts of interest, etc. to which Groupe ADP is exposed in its business relationships. It therefore applies to all third parties upstream of the business relationship. The assessment aims to ensure: u their integrity with regard to corruption, fraud, money laundering, financing of terrorism, Human Rights and environmental violations, protection of personal data, etc.; u their consistency with the Group's ethical principles, u that lessons learned from the mapping of corruption risks and from the control exercises described above are acted upon. 2024 metrics Nearly 60,000 third parties assessed since the launch of the platform in 2020, including 8,000 in 2024, of which around 40% are customers, partners (business and non-profits) and 60% suppliers 100% of controlled entities conduct third-party assessments, with the exception of entities integrated in 2024, for which the system is currently being rolled out. In 2024, the Group continued to standardise the third-party assessment process, which has been translated into operating procedures for each entity. These are validated by teams from the Group's Ethics and Personal Data Department. The teams in charge of the third parties in question (buyers, development team, etc.) are trained to use the dedicated tool independently, with support from the Ethics and Personal Data Department. The degree of assessment varies according to the type of project, the risk related to the countries and the status of the third party (customer, supplier, partner, non-profit). There are currently four levels of assessment: u level 0: existence of international sanctions against the third party, ongoing or having ended less than five years ago, existence of an embargo violation; u level 1: in addition to the elements sought in Level 0, presence of politically exposed persons, convictions of corporate officers, the Company and external politicians over the last five years, relating to an ethics and compliance issue, reputational elements, in particular negative press articles reporting unethical behaviour (suspicion of corruption, money laundering, terrorist financing, and more broadly fraud, Human Rights or environmental harm); u level 2: reputational survey conducted by an analyst on the basis of open source data; u level 2+: on-site survey. In addition, all third parties assessed are subject to continuous monitoring in order to detect any new risks for Groupe ADP and to implement the necessary remediation measures during the performance of the contracts. In the case of projects presenting a significant risk relating to the country and/or third party, the regulations of the commitments committees provide for compulsory validation by them.

501

UNIVERSAL REGISTRATION DOCUMENT 2024 w AÉROPORTS DE PARIS