Euronext - 2019 Universal Registration Document

Risk Management & Control Structure 2 Risk Factors

OPERATIONAL RISKS

Cyber Security

Risk Identification and Description

Potential Impacts on the Group

Risk Control & Mitigation Euronext Group has a specific cybersecurity strategy, roadmap and an established governance model supported with dedicated resources. The roadmap and strategy are under scrutiny of internal audits, external auditors and a college of regulators from all countries where Euronext operates regulated markets. Euronext follows and implements best security practices aligned and certified with the recognized global standards ( e.g. ISO 9001, ISO 27001, NIST cybersecurity strategy of Identify, Protect, Detect, Respond and Recover) to address global data protection regulations and ensure a high level of cybersecurity maturity. Additionally, Euronext has a dedicated cybersecurity insurance for the Group. n persons who circumvent deployed security measures could wrongfully access the Group’s or its customers information, or cause interruptions or malfunctions in the Company’s operations; n data protection regulations increases the risks associated with regulatory non-compliance. The Group Strategy and strategic plan to grow and secure transmission of business confidential information over public and other networks is a critical element of Euronext’s operations. As a result of its expansion, the Group is more exposed in the digital world, accumulates,stores and usesmore business datawhich is protected by business contracts and regulated by various law, including data protection, in the countries in which it operates. The Group may be vulnerable to exfiltration, unauthorized access and other security incidents including: n third parties, including cloud computing services, to whom Euronext provides information and may not be diligent in safeguarding it; n as the volume of cyber-attacks are increasing in general and, consequently, within the financial sector, the Group systems may experience security incidents from hacking groups or advanced persistent threats – the last one most effective and disruptive as they are cyber-attacks sponsored by organized crime or states with malicious intentions; n open source software used by Euronext within its software solutions. As the source code of open source components is available to the public, hackers may take advantage from publicly available code to find unknown or undisclosed vulnerabilities;

The impacts of a successful cybersecurity attack would depend on the nature of the attack: n security breaches, leakage, loss or theft of sensitive, personal, strategic or confidential data, also impacting data protection laws, and other related security incidents could cause Euronext to incur reputational damage, regulatory sanctions,litigation and/or have an impact on its financial results; n successful cybersecurity attack on IT systems affecting confidentiality, availability or integrity of information; n system failures due to vulnerabilities exploitation. While the Group is committed to investment in maintaining and safeguarding IT systems, with a particular attention in external growing threats (such as cybercriminals), any malfunctions, significant disruption, loss or disclosure of sensitive data could disrupt the normal course of business and have financial, operational or reputational consequences leading to a security incident and proper response.

The security of infrastructure, websites and networks is assured at a Group leveI: 1. infrastructure monitoring and management performed constantly; 2. continuous IT assessments and security audits (internal, external and third-party) are performed to assess whether the level of security is adequate; 3. Awareness campaigns are conducted as are tests on the resilience of the cybersecurity response in case a cyberattack; 4. Involvement of cybersecurity architects on the early phases of new projects.

48

www.euronext.com

2019 UNIVERSAL REGISTRATION DOCUMENT