Euronext // 2021 Universal Registration Document

Risk management & Control Structure

Control Framework

Risk Response determines and implements the most appropriate treatment to the identified risks. It encompasses the following: avoidance, reduction, transfer and acceptance. Organisational units and employees perform risk management and implement mitigating actions as required by the risk appetite and escalation process. As noted, residual risks may remain after such management process is applied (see Section 2.1 – Risk Factors ). Risk Reporting – The Supervisory and Managing Boards and Internal Risk Committee of the Managing Board, comprised of Senior Managers, are informed in a timely and consistent manner about material risks, whether existing or potential, and about related risk management measures in order to take appropriate action. Reports are issued to the above mentioned boards and Risk Committee of the Group on a regular basis. Ad hoc reports may be issued when a new risk or the development of an existing risk warrants escalation to the relevant Committees of the Company.

framework includes escalation and communications rules, guidelines for action, and clearly defined roles and responsibilities. In 2021, in addition to regular training, testing and exercises, work was undertaken to help improve, mature and embed Business Continuity at Euronext. In 2021 BCM plans continued to be tested by the outbreak of the COVID-19 pandemic with lockdown measures occuring in multiple Euronext locations. Furthermore, the BCM programme has continued to mature through maturing and testing crisis management plans. 2.3.2.4 ERM Programme Development Euronext continues to drive improvements to its risk management process and the quality of risk information generation, while at the same time maintaining a simple and practical approach. The roadmap for 2021 for the ERM evolution included 3 key elements: n embedding culture of risk management: risk appetite discussions at group level and cascading process to legal entities and businesses, ongoing training at various levels of the organisation; n involvement in key initiatives related to Borsa Italiana Group integration, Core Data Centre migration, European expansion of Euronext Clearing and other internal development programs; n reporting/operation: ongoing risk appetite evolution, risk tool maturity, further alignment of risk management and internal control approach for addressing risk and identifying controls. The 2022 roadmap will continue with the topics aboveand ongoing integration of new acquisitions. The risk management team will continue to work with the Group ESG team to establish and embed an approach to analyse the performance and specific ESG risks that could translate into reputational risks and negative environmental and social impacts and work to include analysis of these ESG risks in group processes. Euronext seeks to continuously evaluate and improve the operating effectiveness of the ERM process. 2.3.2.5 Internal Control Euronext has established a framework of internal control across its business areas and functions. This framework is based on ethical principles, established procedures and training of the key personnel who are responsible for implementing and overseeing it. Euronext ensures that their internal control organisation abides by key principles including direct involvement of management and accountability of all concerned, coverage enterprise wide of activities and risks, including outsourced activities, effective segregation between operations and control functions, existence of decision- making processes, formalisation of documents relative to the organization and supervision of activities, deployment of specialised control functions, independent from operating units, and reporting to management on activities. Components of internal control include: an accounting and information processing system providing an efficient audit trail, a documentation and information system, a risk measurement and monitoring system and a system of control covering verifications performed across the Group and the implementation of appropriate corrective actions.

2

Set and launch objectives & strategies (commercial, financial & operations)

Identify & assess risks

Sustain & improve processes & infrastructure

Create and preserve value for stakeholders

Design & implement control

Monitor, report and escalate risks

Determine risk responses

2.3.2.3 Business Continuity Management A component of efficient risk management is understanding that the identification of each risk that may be faced is an insurmountable task, therefore business continuity arrangements are necessary to respond to unforeseen events as quickly as possible, in the event of any disruption to the working environment. Effective Business Continuity Management and Disaster Recovery are vital in protecting and underpinning the reputation, efficiency, resilience and competitiveness of the Company, as well as the Company’s stakeholders. Business Continuity at Euronext is supported by the Business Continuity Steering Group and consists of representatives from the Company’s major departments. Its role is to approve the Business Continuity & Disaster Recovery and Crisis Management policies and procedures and to provide guidance to the BCM team in the development of its function. The Business Continuity framework and its implementation at Euronext is based on internationally recognised business continuity principles including those developed by the Disaster Recovery Institute International (“DRII”), the International Organization for Standardization (“ISO”) and the Business Continuity Institute (“BCI”). Euronext’s Crisis Management

67

2021 UNIVERSAL REGISTRATION DOCUMENT