NATIXIS -2020 Universal Registration Document

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

3.2.8.5 Technological risks

In accordance with the directives of the European Banking Authority on information and communication technology risks, Natixis has strengthened its technological risk management system. In particular, Natixis has set up two lines of defense, the effective coordination of which is guaranteed by the holding of regular “Cyber security and continuity” Steering Committee meetings. The IT Department and business line correspondents make up the first level. The Information Systems Security and Business Continuity (ISS-BC) Department, which reports to the Compliance Department, forms the second line of defense. Natixis is also part of Groupe BPCE’s Information Systems Security and Business Continuity divisions. As such, it applies the policies and methods defined by Groupe BPCE.

Information Systems Security

The ISS-BC Department coordinates its activities based on risks. It employs a method which identifies, in terms of operational risk, the risk situations of concern to the business lines and their vulnerable IT assets. Risk assessments may be conducted during the annual review or may be completed as part of work done to support another project. The business projects monitored by ISS-BC generally give rise to specific security requirements in order to better control risks. In light of these risks, the ISS-BC Department implements an annual second-level permanent control plan covering all areas of IT system security. Particular attention is paid to checks on access rights and intrusion tests on information assets exposed on the Internet. The risk-based approach was also used to help define the 2018-2020 strategic program. This program, named NewSec, is intended to convert the current model, which is mainly based on perimeter security, into an “airport”-type model. 2020 therefore saw the effective implementation of structuring projects to improve the protection of Natixis’ information assets and the detection of possible attacks. Given the scale of the transformation, residual work is expected to continue until 2022.

Business continuity

Natixis’ business continuity framework combines incident management based on their consequences (unavailability of the IT system, sites, or critical skills or suppliers) with emergency measures specific to each scenario (overflowing of the Seine, cyberattack, etc.). Natixis now has a large inventory of laptops that enable it to respond appropriately in the event of a slow-moving crisis (Seine flood, strikes, etc.). This enabled it to effectively manage the COVID-19 crisis by relying heavily and securely on remote working. Natixis regularly tests this entire framework using first- and second-level controls, crisis management exercises and backup solution tests. In this context, Natixis carries out a multi-year test plan of its resilience capacities in the event of cyber-attacks.

Control of IT processes

Natixis has extended its technological risk management system to include risks related to IT processes (IT governance and strategy, IT production, IT system development management). The ISS-BC department has modified its risk mapping accordingly and has drawn up operational policies aimed at controlling all these risks. Their deployment should take place in 2021, as well as the associated second-level controls.

3.2.8.6 Personal data protection

Reporting to the Chief Compliance Officer, the Natixis Data Protection Officer coordinates a community of “data privacy liaisons” distributed across all Natixis entities and business lines. This unit aims to ensure that Natixis complies with all regulations relating to the protection of personal data and, more specifically, to ensure compliance with the European Regulation on the protection of personal data (GDPR). A Data Privacy Committee meets regularly to monitor the function’s activities and manage the remaining alignment measures required. These include the launching by the IT Department of a multi-year project for the remediation of the relevant IT assets.

Natixis has a personal data register and procedures for key processes, such as handling data leaks, processing requests by individuals to exercise their rights, dealing with referrals to the authorities, updating and annually reviewing the register, carrying out the first- and second-level control plan, managing training needs, conducting the regulatory watch and ensuring Privacy by Design/Default in projects. The processing register, as well as the first- and second-level controls, will be subject to a full review in 2021. Internationally, in the EMEA and APAC regions, gap analysis and remediation projects related to GDPR and applicable local regulations were conducted and will continue in 2021.
