Euronext // 2021 Universal Registration Document

Risk management & Control Structure

Control Framework

n Approves strategic objectives and validates the risk appetite n Reviews Euronext’s risk management and internal control systems n Assess these systems’ effectiveness via its Risk and Audit Committees

Supervisory Board

n Oversees the suitable design and sustainable implementation of Enterprise Risk Management (ERM) and internal control systems across the Group n Defines and allocates risk appetite across the Group n Dedicated governance of risk management

Managing Board

2

Three Lines of Defence Model

1 ST LINE OF DEFENCE

2 ND LIND OF DEFENCE

3 RD LINE OF DEFENCE

Risk Management, Internal Control, Compliance, Specialist Functions

Internal Audit

Business & Operations Management

Develops and promotes the ERM framework supporting management in the identification, assessment, management, monitoring and reporting of risks Facilitates consistent and period reviews of the design and implementation of internal control systems

External Auditors Regulators

Provides independent assurance of the effectiveness of the risk management and internal control frameworks and activities in the Group

Identifies and manages risks in its scope and responsibility Maintains effective day-to-day control

2.3.1 FIRST LINE OF DEFENCE The First Line of Defence, represented by the department risk owner is accountable and has the authority to manage risk. The first line identifies, notifies, assesses, and manages/mitigates risks within their relevant scope in coordination with the Second Line of Defence. Furthermore, the First Line of Defence cascades the risk appetite throughout their scope, monitors risk and validates risk- related information. The first line is accountable for maintaining accurate information regarding the action plans related to identified risks. The progress and effectiveness of action plans (as well as the implemented risk mitigation measures) is monitored by the relevant risk owners and, regularly or upon request by the RM Function. SECOND LINE OF DEFENCE The Second Line of Defence, represented by the risk management teamdevelops the riskmanagement policy, including framework and processes, ensuring consistent application across the Group. The risk management Team coordinates the risk management activities across the Group, and reports to the relevant (see governance above) risks that exceed stated risk appetite levels (see Section 2.3.2.1 for details on Risk Appetite ). The risk management team is tasked with challenging the first line risk owners on risks and related mitigation measures and action plans and recommendations for managing risks. Risk management further coordinates risk information from other specialist risk and control functions as necessary. 2.3.2

Euronext’s internal risk management and control is a process executed by the Managing Board, management and other employee stakeholders. It is designed to provide reasonable assurance regarding the achievement of objectives in the following categories: n effectiveness and efficiency of operations; n reliability of financial and non-financial information; n compliance with laws, regulations and internal policies; n safeguarding of assets, and identification and management of liabilities; and n strategic and business objectives. No major failings were identified over the course of 2021 in the Risk and Internal Control Program. Euronext’s first and second lines of defence perform their roles in risk assessment and reporting on risk management and control systems. The concluding results are reported in Group Risk Profile and discussed regularly at Managing Board meetings and with the Supervisory Board via the Audit Committee (as of July 2021 the Risk Committee of the Supervisory Board). Internal Audit, as the third line of defence, evaluates the design and effectiveness of Euronext’s governance, as well as its risk management and control systems. Audit reports are discussed with risk and process owners. The Head of Internal Audit attends Managing Board meetings on a regular basis to discuss its findings and recommendations.

65

2021 UNIVERSAL REGISTRATION DOCUMENT