Groupe La Poste // CSR REPORT 2022
Accelerating the digital transformation by ensuring ethics and digital security 4 FOSTERING ETHICAL, INCLUSIVE AND FRUGAL DIGITAL SERVICES
4.1.4 Digital accessibility
La Poste Groupe offers most of its services – including those of La Banque Postale – online 24 hours a day, seven days a week, to individual and professional customers, in order to simplify their daily lives. At the end of 2022, the digital accessibility governance within the group was in place: a digital accessibility officer was appointed for all ISDs. They are led by i-Team’s group accessibility officer. The multi-year accessibility plans have been published for i-Team and the Services-Mail-Parcels IS Department and are in the process of being validated for the other ISDs.
La Poste strives to make all of its internal and external digital media (websites, intranet and extranet) easy to access, intuitive and responsible:
■ a range of training courses, ranging from awareness-raising to the development of accessible websites, is available to employees, regardless of the functions concerned: purchasing, IT, communication, etc.;
■ for pooled purchasing for the group, accessibility criteria, including compliance, usability and reliability, are included in the specifications of service providers in the context of calls for tenders. The rating, submissions and progress plans are supported by the group accessibility officer.
The digital services offered are subject to an eco-socio-design.
4.1.5 Training on and awareness of responsible digital services
Because digital technology is an important driver of growth and development, the group offers career paths to employees to support them in these new professions.
In 2015, La Poste Groupe partnered with Simplon (1) to train non-IT employees (postmen, counter clerks, employees in support services, etc.) in web development and computer coding. The digital transition is becoming a radical career development opportunity for La Poste employees with an affinity for IT. They can acquire a designer-developer diploma and join La Poste’s IT departments. The success of this system is undeniable. Digital training for employees is a key issue identified in the “La Poste 2030, committed for you” strategic plan, which provides that digital training will be offered to each employee with an adapted pathway.
4.1.6 Cybersecurity
Le Groupe La Poste implements a comprehensive approach to cybersecurity, the aim of which is to ensure its compliance with regulations and laws. The framework of its cyber governance, validated by the Board of Directors in 2018, was built around the cybersecurity requirements defined by the ISO 27001 and 27002 standards, supplemented by the requirements of the National Institute of Standards and Technologies (NIST) for its financial and insurance activities. The requirements of the NIS 2 and DORA directives are being integrated into the group’s information systems security policy.
The security of the group’s IS, users, equipment and subsidiaries is managed under the 4x100% plan. The group’s cyberdefence organisation is undergoing a transformation process that should result in the creation of a group cyberdefence centre whose operations will be aligned with market standards with a view to making it an internal MSSP. This cyberdefence also relies on the Telecoms, Network and Security Services Department, which handles the security of the network and employees who access the group’s IS via teleworking.
To strengthen the expertise of the specialised workforce (15 cybersecurity business lines represented in the group according to the SECNUMEDU standard of the French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d’information - ANSSI)), the group is developing an internal training programme “the Group’s Cybersecurity School”. IT and cybersecurity are included in the employee assessment criteria.
The Cybersecurity Department continued the development of the cybersecurity coordination and governance bodies. Thus, the group has the following committees that ensure the deployment of La Poste Groupe’s information systems security policy:
■ the Group Cyber Committee: the group’s Governance Committee;
■ the Cyber Regulatory Monitoring Committee: monitoring of national and international regulations and regulatory projects related to information security;
■ the Cyber Operational Coordination Committee: improvement of operational coordination and studies of changes to operational security structures;
■ the Cyber Scientific and Technical Committee: establishment of an inventory and maintenance of a permanent understanding of the equipment used to protect the group and its business units and subsidiaries, and definition of the detection and reaction policies in context for the group, its business units and its subsidiaries;
■ the Strategic Steering Committee: oversight of the regulatory compliance of the group and La Banque Postale;
■ several Operational and Technical Committees complete this system.
La Poste Groupe’s information systems security policy, approved in December 2019, is being rolled out. This document, based on the ISO/IEC 270021 standard and an EBIOS 2010 risk analysis system, is supplemented by 15 strategic directives with which it constitutes the group’s security framework.
(1) Simplon is a social and solidarity-based economy start-up founded in 2013 that initially offered free coding training. Simplon has now broadened its scope of IT training.