Euronext // 2021 Universal Registration Document

Risk management & Control Structure 2 Risk Factors

OPERATIONAL RISKS

CYBER SECURITY RISK

Risk Identification and Description

Potential Impact on the Group

Cyber resilience is a critical priority for the Group. The Group’s growth in terms of employees, geographical, and business footprint increases the Group’s exposure to cybersecurity threats meaning that secure transmission of business information over public and other networks are critical elements to the Group’s operations. The volume of cyber-attacks have been increasing in general and, consequently, within the financial sector. As the Group expands, it accumulates, stores and uses more business data which are protected by business contracts and regulated by various laws, including data protection, in the countries in which it operates. The Group may be exposed to exploitation of its internet exposed applications by malicious actors, data leakage, including ransomware, unauthorized access or other security incidents including: n breaches at the level of third parties, including cloud computing services, to whom Euronext provides information and may not be fully diligent in safeguarding it; n DDoS threats on internet exposed assets and applications of the Group; n attacks leveraging potentially unsecure internet connections for employees working remotely; n advanced persistent threats from state sponsored or organised crime hacking groups with malicious intentions which may target the financial sector; n third-party open source software used by Euronext within its software solutions, which is available to the public and may be exposed to of unknown or undisclosed vulnerabilities (zero-days); n phishing attacks targeting Group employees; n persons who circumvent deployed security measures that could wrongfully access the Group’s or its customers information, or cause interruptions or malfunctions in the Group’s operationsData protection regulations increases the risks associated with regulatory non-compliance in case there is an incident. Technology is a key component of Euronext’s business strategy, and is crucial to the Company’s success. Euronext’s business depends on the security, performance and stability of complex computer and communications systems. The Group’s markets have experienced systems failures and delays in the past and could experience future systems failures and delays, impacting our members and clients and related trade executions. Such failures may arise for a wide variety of reasons, such as obsolescence, insufficient capacity, including network bandwidth, in particular, heavy use of Euronext’s platforms and order routing systems during peak trading times or at times of unusual market volatility, as well as hardware and software malfunctions or defects, or complications experienced in connection with the operation of such systems, including system upgrades. There is a risk that if the Group’s technology and/or information systems suffer from major or repeated failures, this could interrupt or disrupt the Group’s operations or services. TECHNOLOGY RISK Risk Identification and Description

The impacts of a successful cybersecurity attack depend on the nature and scope of the attack, for example: n security breaches, leaks, loss or theft of sensitive, personal, strategic or confidential data, including data subject to protection laws, and other related security incidents could cause Euronext to incur reputational damage, regulatory sanctions, litigation and/or have an impact on its financial results; n a successful cybersecurity attack on the Group’s IT systems may affect the confidentiality, availability or integrity of information; n a cybersecurity attack may result in system operational failures due to vulnerability exploitation; n internet facing Systems downtime due to DDoS attack. The Group is committed to investment in maintaining and safeguarding its IT systems and information, with particular attention on external growing threats and threat actors (such as cybercriminals). However, malfunctions, significant disruption, loss or disclosure of sensitive data could disrupt the Group’s operations, result in significant reputational harm or have a material adverse effect on the Group’s business, results of operations, financial condition and prospects.

Potential Impact on the Group

Exploiting technology and the ability to expand system capacity and performance to handle increased demand or any increased regulatory requirements is critical to Euronext’s success. Euronext’s future success will depend, in part, on continued innovation and investment in its trading systems and related ability to respond to customer demands, understand and react to emerging industry standards and practices on a cost-effective and timely basis, as well as in other technologies including leveraging cloud hostings for support and future services. However, if the Group’s technology is not properly managed or the resources supporting changes are not invested at the required level or properly allocated, or if despite the continuous improvement measures, any system issue occurs during operations, that impacts our markets or services, it may undermine confidence in the Group, cause reputational damage, lead to customer claims, litigation and regulation action including investigations and fines.

56

2021 UNIVERSAL REGISTRATION DOCUMENT