UNIVERSAL REGISTRATION DOCUMENT 2023

8 ADDITIONAL INFORMATION Regulatory environment

8.3.4 This EU regulation builds on the historical national regulatory frameworks of the various EU countries, where they existed before 2018. The GDPR has several objectives: provide a standard legal framework applicable throughout the European Union, facilitate data transfers between Member States, strengthen the fundamental rights of individuals to control their personal data, with greater transparency as to how such data are used, make companies accountable through probation measures to ensure their compliance at all times, give credibility to the regulation by allowing the supervisory authorities to impose sanctions of up to 4% of a group’s global revenue. The GDPR also provides for some adaptability of its articles, at the hands of the national protection authorities, to allow the specific features of national legal frameworks of the member countries to be integrated. Furthermore, although the GDPR aims to facilitate data exchange between Member States, it provides a very strict framework for transfers of personal data outside the EU Member States. This aspect was further strengthened following the July 2020 ECJ “Schrems2” ruling invalidating the existing EU ‑ US Privacy Shield. As such, any transfer of data to a non ‑ EU country that has not been the subject of a decision by the European Commission as to whether that country has an adequate level of data protection, requires organisations to conduct very precise assessments of the characteristics of the non ‑ EU country with regard to the presented risks for the fundamental rights of the persons for whom their data are transferred. This reinforcement of control has an impact on the choice of the location of data processors and partners with which group companies can exchange data. The adoption on 9 December 2023 of the European regulation on artificial intelligence (IA Act), which has some similarities with the GDPR, requires a specific assessment of processing operations involving algorithms and falling within the framework of artificial intelligence from the perspective of personal data protection and, in particular, on the aspects of explicit determination of the purposes of processing and automated decision making. The EU financial system is subject to specific obligations to combat money laundering and terrorist financing (AML/CFT). At the EU level, these obligations have resulted from five successive directives since 1991. The Directive of 30 May 2018 amending the Directive of 20 May 2015 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing, known as the “Fifth Directive”, was transposed by the order of 12 February 2020. It strengthens and complements the existing system and the obligations imposed on regulated professionals. A decree of 6 January 2021 on the AML/CFT system and internal control, the freezing of assets and the prohibition on making funds or economic resources available or using them, clarifies and supplements the applicable regulations, particularly with regard to the organisation and implementation of internal control of the system. ANTI ‑ MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM

8.3.5 Provisions are also applicable with regard to the freezing of assets and the prohibition of the provision of funds or economic resources. The AML/CFT systems of international subsidiaries may vary according to national legislation and, for those established in the European Union, according to the transposition of the directives on the subject. In groups, French regulations require parent companies to define at the Group level an internal organisation and procedures taking into account the assessment of money laundering and terrorist financing (ML/FT) risks and to ensure that this organisation and these procedures are deployed by their international subsidiaries, taking into account their specific characteristics and the ML/FT risks to which they are exposed. The Group’s regulated companies, including insurance companies, are subject to obligations to assess their ML/FT risks, conduct customer due diligence measures, and report suspicious transactions. They must be equipped with appropriate tools and control mechanisms as well as sufficient physical and human resources to enable these obligations to be effectively implemented. The system of supervision and sanctions for regulated professionals has been strengthened. In France, the ACPR is responsible for monitoring compliance with these obligations for the financial sector and has the power to impose sanctions. In addition to the national accounting standards to which each of the Group’s entities is subject, the Group has applied since 2005 for the preparation of the combined financial statements the provisions of the International Financial Reporting Standards (IFRS) and the interpretations of the IFRS Interpretations Committee applicable to the closing of accounts as adopted by the European Union. The main methods of their application by Groupama Assurances Mutuelles are described in the notes to the combined financial statements (see paragraph 7.1.6 ‑ point 2 of this Universal Registration Document). The combined financial statements relate to Groupama group and include all local mutuals, regional mutuals, Assurances Mutuelles, and its subsidiaries. Subsidiaries, joint ventures, and related companies of the consolidation scope are consolidated within the scope in accordance with the provisions of IFRS 10, IFRS 11, and IAS 28. However, no IFRS standard specifically deals with the methods for aggregating the financial statements of entities forming the Mutual Insurance Division (local mutuals and regional mutuals). The Group has therefore adopted the combination rules defined in Title II of Book III of Regulation no 2020 ‑ 01 of the French Accounting Standards Authority relating to the specific provisions of the combined financial statements of insurance companies. ACCOUNTING STANDARDS

379

Document d’Enregistrement Universel 2023 GROUPAMA ASSURANCES MUTUELLES