Airbus // Universal Registration Document 2021

1. Information on the Company's Activities

1.2 Non-Financial Information

Cyber security

CRI | SASB          | SDGs  | Others
    | Data Security | 9, 12 |

Highest governance body(ies) involved:
  Corporate Security Council
  Digital Security Team (Cyber Security Validation Body)

Related Corporate Policies and Directives:
  A08 - Airbus Company Security Policy
  A1044 - Security Requirements for Company Information & Data Classification and Protection
  A1058 - Security Requirements for Information Systems Management
  A1043 - Security Requirements for Affiliates
  A1664 - Security Requirements for Industrial Automation and Control Systems
  A1666 - Requirements for Product Security
  A1015.0 - Requirements on Information Security for Suppliers
  A1015.1 - Specific Requirements on Information Security for IT Services Providers

Management system:
  MC.AS - Manage Airbus Company Security - aligned to ISO27001 standard
  MC.AS.01: Monitor, Identify & Report Company Asset Vulnerabilities
  MC.AS.02: Assess & Treat Company Asset Security Risk

Key metrics                                                          2021     2020
Number of data breaches reported to data authorities                 1        1
Percentage involving confidential information                        100%     100%
Cyber security awareness training e-learning participation
  (started 1 Jan. 2020, reporting period 1 Oct.-30 Sep.)             10,328   67,475
Corporate & IM Cyber Security Headcount                              216,5    290

II. Governance

The Company has undertaken a cyber security transformation since 2019 with the establishment of a federated model for digital security encompassing accountable leaders in the respective organisational structures, such as IT, engineering and operations. A dedicated team for security governance was established, reporting to the Company Chief Security Officer (CSO), responsible for the definition and audit of cyber security directives and methods aligned to major industry standards such as ISO27001 or IEC62443. The Company Chief Information Security Officer reports to the CSO with a direct reporting line to the Airbus CEO. Such an approach ensures localised accountability and reactivity to cyber risks together with centralised governance, reporting, technical standards and processes. The cyber security governance scope encompasses all Divisions and global operations plus affiliates.

Corporate Security Council

The Company has established a Corporate Security Council, chaired by the Chief Security Officer, for the coordination of security governance and to ensure consolidated security risk reporting from each of the four asset clusters: IT, industrial, product & services, and people & workplace.

Security governance directives

Security directives are published and audited to ensure that the Company's businesses, including affiliates and subsidiary companies, follow the same standards for data protection and systems security. Key cyber security directives include:

– A08 – Company Security Policy;
– A1044 – Security Requirements for Company Information & Data Classification and Protection;
– A1058 – Security Requirements for Information Systems Management;
– A1043 – Security Requirements for Affiliates;
– A1664 – Security Requirements for Industrial Automation and Control Systems;
– A1666 – Requirements for Product Security;
– A1015.0 – Requirements on Information Security for Suppliers;
– A1015.1 – Specific Requirements on Information Security for IT Service Providers.

III. Risk Management

Confidentiality, integrity and availability are the well-known objectives that define cyber security when considering systems risks. Corporate Security is accountable for security risk management and is in charge of defining the cyber security risk taxonomy and managing its lifecycle in ERM, including strategy, organisation, roadmap and initiatives at Company-wide level. In terms of cyber security, risk management is the aggregation of continual risk reporting and cyber security validation processes embedded within security-by-design principles for projects, applications and infrastructures, in addition to the implementation of digital security controls aligned to the Airbus enterprise security architecture standards. Risk mitigation measures follow the principle of people, process and technology controls to reduce the likelihood and/or impact of cyber incidents. The Company incorporates mandatory cyber security training and awareness for all employees, with additional engagements for employees in higher-risk categories or where additional regulatory stipulations apply. Security processes are established through security governance directives, business management processes (e.g. MC.AS.01 Vulnerability Management) and operating models. Technical security controls are implemented and measured in accordance with ISO27001 and other industry-standard information security management standards.
