ANTIN // 2021 Universal Registration Document

RISK FACTORS 3 Risk management and internal control systems

3.5.2.2 Delegation and outsourcing

Antin may outsource certain functions to external parties. When relying upon a third party for the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services on a continuous and satisfactory basis, Antin ensures that it takes reasonable steps to avoid undue additional operational risk. In particular, Antin ensures that:

- appropriate due care, skill and diligence was exercised by the Antin entity prior to entering into any such relationship;
- the external party has the ability and experience to perform such functions and does so on a satisfactory basis;
- the external party performs such functions in accordance with an appropriate service level agreement;
- Antin monitors the quality of the outsourced service on a periodic and ongoing basis;
- outsourcing does not impair the quality of Antin’s internal controls; and
- outsourcing does not impair the ability of the appropriate regulator to monitor Antin’s compliance with its regulatory obligations.

The outsourcing of any critical functions must have the approval of the CCO, who reviews and approves any new outsourced agreements. The CCO monitors outsourced arrangements and periodically undertakes service provider reviews to confirm that third parties do not pose any undue risk to Antin.

3.5.2.3 System protection and IT security

The Business Continuity Plan

Antin has established a Business Continuity and Disaster Recovery Plan (“BCP”) aimed at ensuring, in the case of any interruption to its systems and procedures, that Antin can continue to conduct its business, or at a minimum, resume its business in a timely manner. The BCP outlines the following:

- the process for implementing the plan, together with relevant contact information;
- alternate physical locations for employees;
- data backup and recovery;
- communication arrangements for internal and external parties, including regulators, service providers and Fund Investors; and
- annual testing to evaluate the adequacy and effectiveness of the plan.

Antin takes appropriate measures to address any deficiencies noted during the annual testing. The Head of IT ensures each employee receives a copy of Antin’s BCP and is trained upon joining Antin and upon material revision.

The Cybersecurity Policy

Antin has established cybersecurity policies and procedures (the “Cybersecurity Policy”) to protect Antin and its Fund Investors from cyber threats and address cybersecurity risk. The Head of IT provides training on Antin’s Cybersecurity Policy.

Prior to implementing the Cybersecurity Policy, Antin performed an initial assessment to determine the following:

- the nature, sensitivity and location of information that Antin collects, processes and/or stores and the technology systems it uses;
- internal and external cybersecurity threats to, and vulnerabilities of, Antin’s information and technology systems;
- security controls and processes currently in place;
- the impact should the information or technology systems become compromised; and
- the effectiveness of the governance structure for the management of cybersecurity risk.

Antin’s Cybersecurity Policy is organised around the following principles:

- Antin’s servers are hosted in a secured Tier IV Datacentre, which is the highest standard for security and risk prevention;
- strong password policies and multifactor authentication are in place for most of the applications and for remote access;
- effective protection of endpoints by an antivirus solution which relies on an endpoint detection and response platform;
- regular update of all equipment through a vulnerability assessment process; and
- monitoring of Antin’s information system in real time by a cyberSecurity (security operation centre), in charge of identifying a possible cyber-attack or intrusion by collecting logs from endpoints, firewalls and applications. They determine if a threat is genuine and act accordingly, and also perform a regular vulnerability check on all systems.

Antin performs regular penetration tests (external and internal) to ensure that the information system is appropriately secured or patched if needed. Antin also performs regular phishing campaigns to help end users better identify this threat; users are also regularly informed and trained on cybersecurity best practices.

All employees must familiarise themselves with Antin’s policies and procedures as they may impose upon individuals a reporting or notification requirement. The policies and procedures are designed to assist both Antin and employees in meeting their regulatory obligations. Failure to adhere to them may lead to disciplinary action against individuals, in addition to regulatory action against Antin and/or individuals.

3.5.2.4 Insider trading prevention and compliance

The entities within Antin, in particular the regulated entities AIP UK, AIP SAS and AIP US, are subject to strict compliance obligations in relation to market abuse and insider trading. All employees are subject to Antin’s compliance manual and Code of Ethics, which is designed to provide an overview of the compliance arrangements, policies and procedures operated by Antin to ensure compliance with all applicable laws and regulations.

84 ANTIN INFRASTRUCTURE PARTNERS S.A. - UNIVERSAL REGISTRATION DOCUMENT 2021
