Euronext - 2020 Universal Registration Document

Risk Management & Control Structure

Risk Factors

OPERATIONAL RISKS

CYBER SECURITY RISK

Risk Identification and Description

Potential Impact on the Group

Cybersecurity resilience is a critical priority for the Group. The Group’s growth in terms of employees, geographical, and business footprint increases the Group’s exposure to cybersecurity threats meaning that secure transmission of business information over public and other networks are critical elements to the Group’s operations. The volume of cyber-attacks have been increasing in general and, consequently, within the financial sector. As the Group expands, it accumulates, stores and uses more business data which are protected by business contracts and regulated by various laws, including data protection, in the countries in which it operates. The Group may be exposed to exploitation of its internet exposed applications by threat actors, data theft, including ransomware, unauthorized access or other security incidents including: n breaches at the level of third parties, including cloud computing services, to whom Euronext provides information and may not be fully diligent in safeguarding it; n dDoS threats on internet exposed assets and applications of the Group; n remote working conditions for employees; n state sponsored or organised crime hacking groups with malicious intentions which may target the financial sector; n third-party open source software used by Euronext within its software solutions, which is available to the public andmay be exposed to of unknown or undisclosed vulnerabilities (Zero-days); n persons who circumvent deployed security measures and that could wrongfully access the Group’s or its customers information, or cause interruptions or malfunctions in the Group’s operations; n data protection regulations increases the risks associated with regulatory non-compliance in case there is an incident. Technology is a key component of Euronext’s business strategy, and is crucial to the Company’s success. Euronext’s business depends on the security, performance and stability of complex computer and communications systems which at times are managed by critical third party vendors. The Group’s markets have experienced systems failures and delays in the past and could experience future systems failures and delays, impacting ourmembers and clients and related trade executions. Such failures may arise for a wide variety of reasons, such as softwaremalfunctions, insufficient capacity, including network bandwidth, in particular, heavy use of Euronext’s platforms and order routing systems during peak trading times or at times of unusual market volatility, as well as hardware and software malfunctions or defects, or complications experienced in connection with the operation of such systems, including system upgrades. Euronext’s future success will depend, in part, on continued innovation and investment in its trading systems and related ability to respond to customer demands, understand and react to emerging industry standards and practices on a cost-effective and timely basis, as well as in other technologies including leveraging cloud hosting for support and future services. Euronext depends on the services of InterContinental Exchange, (“ICE”) for the provision of network and colocation and data centre services. Equinix provides the Company with its back up network and data centre service. Euronext depends on Amazon Web Services (AWS) for selected post-trade cloud services. There is a risk that if the Group’s (or those of its third-party service providers’) technology and/or information systems suffer frommajor or repeated failures, this could interrupt or disrupt the Group’s operations or services and undermine confidence in the Group, cause reputational damage, lead to customer claims, litigation and regulatory action including investigations and sanctions. TECHNOLOGY RISK Risk Identification and Description

The impacts of a successful cybersecurity attack depend on the nature of the attack and the scope attacked, for example: n security breaches, leaks, loss or theft of sensitive, personal, strategic or confidential data, including data subject to protection laws, and other related security incidents could cause Euronext to incur reputational damage, regulatory sanctions, litigation and/or have an impact on its financial results; n a successful cybersecurity attack on the Group’s IT systems may affect the confidentiality, availability or integrity of information; n a cybersecurity attack may result in system operational failures due to vulnerability exploitation; n Internet facing Systems downtime due to DDoS attack. While the Group is committed to investment inmaintaining and safeguarding its IT systems and information, with particular attention on external growing threats and threat actors (such as cybercriminals). Any malfunctions, significant disruption, loss or disclosure of sensitive data could disrupt the Group’s operations, result in significant reputational harm or have a material adverse effect on the Group’s business, results of operations, financial condition and prospects.

2

Potential Impact on the Group

Exploiting technology and the ability to expand systemcapacity and performance to handle increased demand or any increased regulatory requirements is critical to Euronext’s success. However, if the Group’s technology is not properly managed or the resources supporting changes are not invested at the required level or properly allocated, or if despite the continuous improvement measures, any system issue occurs during operations, that impacts the our markets or services, the Group may suffer negative impacts on its reputation, business via lost market share or volumes, which could have a further detrimental effect on business and impact financial results. In case of a major service failure there may be significant financial losses, litigation as well as reputation damage. While Euronext actively manages its relationships with its key strategic technology suppliers, and includes framework Service Level Agreements to ensure services are guaranteed, should a significant disruption occur, including a discontinuation of services or a service failure, the Group may experience significant disruption to its business andmay be subject to, reputational damage litigation by its customers or increased regulatory scrutiny or regulatory fines.

51

2020 UNIVERSAL REGISTRATION DOCUMENT