Airbus // Universal Registration Document 2023

1. Information on the Company’s Activities 1.2 Non-Financial Information

Cyber security

Standards and frameworks referenced (GRI / SASB / SDGs / Others): SASB: Data Security; SDGs: 9, 12

Highest governance body(ies) involved: Corporate Security Council; Digital Security Team (Cyber Security Validation Body)

Related corporate policies and directives: Airbus Company Security Policy; Security Requirements for Company Information & Data Classification and Protection; Security Requirements for Information Systems Management; Security Requirements for Affiliates; Security Requirements for Industrial Automation and Control Systems; Requirements for Product Security; Requirements on Information Security for Suppliers; Specific Requirements on Information Security for IT Service Providers

Management system: Manage Airbus Company Security – aligned to ISO27001 standard; Monitor, Identify & Report Company Asset vulnerabilities; Assess & Treat Company Asset Security Risk

Key metrics (2023 / 2022):

Number of data breaches reported to data authorities: 0 / 1

Percentage involving confidential information: N/A / 100%

Number of mandatory cyber security awareness e-learnings (01 October – 30 September): 80,480 / 81,476

II. Governance

The Company has undertaken a cyber security transformation since 2019, establishing a federated model of digital security with accountable leaders in the respective organisational structures such as IT, engineering and operations. A dedicated security governance team was established, reporting to the Company Chief Security Officer and responsible for defining and auditing cyber security directives and methods aligned to major industry standards such as ISO27001 and IEC62443. The Company Chief Information Security Officer reports to the Chief Security Officer, who in turn has a direct reporting line to the CEO. This approach combines localised accountability and reactivity to cyber risks with centralised governance, reporting, technical standards and processes. Cyber security governance encompasses both Divisions and global operations, plus affiliates.

The Company Board of Directors is regularly updated on cyber security topics, with two dedicated sessions in 2023 and quarterly “Executive Reports” covering all major achievements, challenges and trends. The three CEOs of the Company and its Divisions are briefed on security topics every two months.

Corporate Security Council. The Company has established a Corporate Security Council, chaired by the Chief Security Officer, to coordinate security governance and to ensure consolidated security risk reporting from each of the four asset clusters: IT, industrial, product and services, and people and workplace. Security governance directives are published and audited to ensure that the Company’s businesses follow the same standards for data protection and systems security. Key cyber security directives include those listed in the table above.

III. Risk Management

Confidentiality, integrity and availability define the cyber security objectives when considering systems risks. Corporate Security is accountable for security risk management and is in charge of defining the cyber security risk taxonomy and managing its lifecycle in ERM, including strategy, organisation, roadmap and initiatives at company-wide level. In terms of cyber security, risk management is the aggregation of continual risk reporting, cyber security validation processes embedded within security-by-design principles for projects, applications and infrastructures, and the implementation of digital security controls aligned to the Company’s enterprise security architecture standards. A fully industrialised framework and toolkit has been deployed to ensure the standardised prescription, deployment and assessment of these controls across the Company.

Risk mitigation measures follow the principle of people, process and technology controls to reduce the likelihood and/or impact of cyber incidents. The Company mandates cyber security training and awareness for all employees, with additional engagements for employees in higher-risk categories or where additional regulatory stipulations apply. Security processes are fixed through security governance directives, business management processes (e.g. MC.AS.01 Vulnerability Management and MC.AS.02 Risk Management) and operating models. Technical security controls are implemented and measured in accordance with ISO27001 and other industry information security management standards. The Company implements a number of key technical security controls to reduce the likelihood of cyber incidents, including the rollout of endpoint protection and data loss prevention tools, the implementation of multi-factor authentication, and the adoption of enterprise security architecture approaches. To reduce the impact of cyber events, it operates in-house security operations centres covering both commercial and national activities, plus a Computer Emergency Response Team (CERT) that analyses cyber security threat intelligence and rapidly investigates and contains cyber security incidents. Cyber security risk management is under regular internal and external audit, confirming that processes and implementation meet both the Company’s and industry standards.

Technical audits are also conducted regularly on applications, systems and infrastructures in the form of cyber security penetration testing. Technical red-team (offensive) cyber exercises are conducted at least once per year to evaluate detection and response planning. These are in addition to annual cyber security crisis simulations that evaluate business continuity and reactivity.
