Airbus // Universal Registration Document 2023

Risk Factors 2 Business and Operations-related Risks

Cyber Security Risks

The Company’s extensive information and communications systems, industrial environment, products and services are exposed to cyber security risks. Cyber security threats are continually and rapidly changing and scenarios of attacks are becoming more sophisticated. The Company is exposed to a number of different cyber security risks, directly or through its supply chain, arising from actions that may be intentional and hostile, accidental or negligent. Some of the objectives of an attacker are espionage, to influence, to create an obstacle to functioning, or to extract payment. The main cyber security risks for the Company are intrusion in systems leading to data leakage, attacks impacting the resilience of industrial systems and compromising the development, use or operation of products and services. All of the above-mentioned risks are heightened in the context of the increasingly common use of digital solutions by the Company (including greater use of cloud services, mobile devices, “internet of things”), increasingly capable adversaries and integration with the extended enterprise. Risks related to the Company’s industrial control systems, manufacturing processes and products are growing with the increase of interconnectivity and digitalisation. Moreover, a primary challenge is maintaining an appropriate level of security of complex and legacy industrial systems to Regional conflicts, terrorist attacks, public health crises (such as the global COVID-19 pandemic), and rising military and civil tensions have demonstrated that such events may negatively affect public perception of air travel, which may in turn reduce demand for air travel and commercial aircraft. The outbreak of wars, riots or political unrest or uncertainties including those resulting in economic effects such as recession, unemployment or an acute increase of cost of living may also negatively affect the public’s desire to travel by air. Furthermore, major aircraft accidents may have a negative effect on the public’s or regulators’ perception of the safety of a given class of aircraft, a given airline, a form of design of aircraft or of air traffic management. Flight activity ramp-up requires particular focus on safety aspects such as removing aircraft from storage and pilot training. As a result of such factors, the aeronautic industry may be confronted from time to time with events leading to sudden, short-term or prolonged reduced demand for air transport, and may be compelled to take additional costly security and safety measures. The Company may, therefore, suffer from a decline in demand for all or certain types of its aircraft or other products, and the Company’s customers may postpone delivery or cancel orders.

face attacks from hackers, who are constantly and rapidly improving their techniques and skills. Further, the Company is subject to data privacy laws in many jurisdictions, a violation of which (whether accidentally, or through a deliberate internal or external act) could result in legal, reputational, commercial, financial or other consequences for the Company. Finally, the Company is exposed to reputational damage and destabilisation from the growing volume of false and malicious information injected into the media and social networks. The Company continues to make significant efforts to prevent such risks from materialising. Targeted investments will reduce but not eradicate likelihood and impact through strengthening the business’ cyber protection and resilience. The materialisation of one or several of such risks could lead to severe damage, including but not limited to significant financial loss, need for additional investment, contractual or reputational performance degradation, loss of intellectual property, loss of business data and information, operational business degradation or disruptions, and product or services malfunctions. Loss of personal data may result in administrative, civil or criminal liabilities including significant fines and penalties. In addition to affecting demand for its products, catastrophic events on a wider scale or events targeting the Company in particular could disrupt the Company’s internal operations, supply chain or its ability to deliver products and services. Disruptions may take the form of direct disruptions to the supply chain (including transportation networks), threats to infrastructure and public services, personnel and physical security, and may arise through terrorism or other deliberate malicious acts, regional conflict and civil unrest, natural disasters or incidents of another nature. In addition to purely physical incidents, “hybrid” incidents ( i.e. combining cyber and physical) may occur, such as for example coordinated disruptions of air traffic utilising drones. The effects of these events may be amplified if they happen on single points of failure (SPOFs), therefore dedicated identification and mitigation measures are maintained in this regard. Any resulting impact on the Company’s production, services or information systems could have a significant adverse effect on the Company’s operations, financial condition and results of operations as well as on its reputation and on its products and services.

Physical Security, Hybrid Threats, Regional Conflict and other Catastrophic Events

14 Airbus Annual Report

Universal Registration Document 2023