Airbus - 2022 Universal Registration Document

1. Information on the Company’s Activities

1.2 Non-Financial Information

Cyber security risk management is under regular internal and external audit, confirming processes and implementation to both the Company’s and industry standards. Technical audits are also conducted regularly on applications, systems and infrastructures in the form of cyber security penetration testing. Technical red-team (offensive) cyber exercises are conducted at least once per year to evaluate detection and response planning. These are in addition to annual cyber security crisis simulations that evaluate business continuity and reactivity. See “– Risk Factors – Business-Related Risks – Cyber Security Risks”.

IV. Implementation/Activities

Building upon the enhancements of 2021, a number of key initiatives were undertaken in 2022 to improve the cyber security position, reduce associated risks and decrease the likelihood of successful cyber attacks, including:

– maintaining full coverage of core divisional company-issued laptops deployed with Endpoint Detection & Response (EDR) tools;
– further enhancing data encryption mechanisms, especially for cloud-based security;
– maintaining compliance with existing and evolving cyber security regulations, and anticipating future national, international, and sector-specific cyber security laws;
– conducting an in-house full red-team cyber exercise for continual process improvement and controls maturity, in addition to a crisis management anticipation exercise around a ransomware scenario;
– certified Airbus cyber security diploma launched in France, in order to reinforce and future-proof existing cyber security competency, in addition to building an appropriate pipeline for future skills and needs. This diploma was validated by the French administration in charge of delivering professional certifications;
– such activities have continued to reduce the overall cyber security risk, specifically around the increasing threat from ransomware.

V. Outlook

There are no signs globally that the threats of cyber attack will decrease; therefore, the Company maintains an advanced cyber security posture and anticipates future threats. Specific focus is placed on:

– ensuring continued compliance with international, national, and industry-specific cyber security regulations;
– company resilience, ensuring prevention and recovery from cyber skirmishes and destructive ransomware attacks;
– extended enterprise and supply chain cyber security collaborations.

1.2.9 Health and Safety

I. Introduction

The Company continues to pursue its zero-harm aspiration. The safety of its employees and others is its top priority. The Company aims to improve the health and well-being of its employees and everyone else who works within the Company perimeter. Health and safety primarily addresses risk identification, and its elimination or prevention, to promote safer and healthier conditions in the workplace.

Aligned with its ERM process, the Company has identified the following priority topics to manage: mental health and wellbeing, hazardous substances and materials, working environment, and on-site contractors’ health and safety management. Associated mitigation plans are defined jointly by the health and safety and operational organisations. The Company is applying the principles of ISO 45001 for its management systems. The Company risk mitigation plans follow the recognised health and safety hierarchy of control, which is hazard elimination, substitution, engineering controls, administrative controls and, as a final measure, personal protective equipment.
