NATIXIS // 2021 Universal Registration Document

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

IT risk 3.2.9.5

In application of the directives of the European Banking Authority and the decree of February 25, 2021 on IT risk, Natixis has strengthened its IT risk management system. In particular, Natixis has set up two lines of defense, the proper coordination of which is guaranteed by the holding of a regular, global operational Committee Meeting to manage technological risks. The IT teams and correspondents within the business lines constitute the first level. The Global Technology Risks Management (G-TRM) Department (reporting to the Compliance Department) provides the second level. Natixis is also part of Groupe BPCE’s Information Systems Security and Business Continuity divisions. As such, it applies the policies and methods defined by Groupe BPCE.

Information Systems Security

The G-TRM Department manages its activity through risks. It employs a method which identifies, in terms of operational risk, the risk situations of concern to the business lines and their potentially vulnerable IT assets. Risk assessments may be conducted during the annual review or may be completed as part of work done to support another project. The business projects monitored by G-TRM generally give rise to the expression of specific requirements in order to better manage risks. In light of these risks, the G-TRM Department implements an annual second-level permanent control plan covering all areas of IT system security. Particular attention is paid to checks on access rights and intrusion tests on information assets exposed on the Internet. The risk-based approach also helped to establish the strategic plan for 2024. This program, entitled CyberResilience, aims to bring the level of maturity of the current system to that of the best market standards, to broaden our risk-based approach, to significantly strengthen the industrialization of the cybersecurity model, and to improve Natixis’ ability to cope with a major cyber disaster and continue to protect our data.

Business continuity

Natixis’ business continuity framework combines incident management based on the consequences of incidents (unavailability of the IT system, sites, or critical skills or suppliers) with emergency measures specific to each scenario (overflowing of the Seine, cyberattack, etc.).

Natixis now has a large inventory of laptops that enables it to respond appropriately in the event of a slow-moving crisis (Seine flood, strikes, etc.). This enabled it to effectively manage the COVID-19 crisis by relying heavily and securely on remote working. Natixis regularly tests this entire framework using first- and second-level controls, crisis management exercises and backup solution tests. In this context, Natixis carries out a multi-year test plan of its resilience capacities in the event of cyber-attacks.

Control of IT processes

Natixis has extended its technological risk management system to include risks related to IT processes (IT governance and strategy, IT production, IT system development management). The G-TRM Department has modified its risk mapping accordingly and has drawn up operational policies aimed at controlling all these risks. They were rolled out in 2021 for all entities backed by Natixis’ cross-functional information system. An initial second-level control plan made it possible to verify its proper application.

Personal data protection 3.2.9.6

Reporting to the Chief Compliance Officer, the Natixis Data Protection Officer coordinates a community of “data privacy liaisons” distributed across all Natixis entities and business lines. This unit aims to ensure that Natixis complies with all regulations relating to the protection of personal data and, more specifically, to ensure compliance with the European Regulation on the protection of personal data (GDPR). A Data Privacy Committee meets regularly to monitor the function’s activities and manage the remaining alignment measures required.

Natixis has a personal data register and procedures for key processes, such as handling data leaks, processing requests by individuals to exercise their rights, dealing with referrals to the authorities, updating and annually reviewing the register, carrying out the first- and second-level control plan, managing training needs, conducting the regulatory watch and ensuring Privacy by Design/Default in projects.

Legal risk 3.2.10

Like many banking groups, Natixis and its consolidated subsidiaries are involved in litigation before the courts and may be investigated by regulatory authorities. As assessed as of December 31, 2021, the financial consequences of litigation deemed likely to have, or which have in the recent past had, a material impact on the financial position of Natixis and/or Natixis and its consolidated subsidiaries as a whole, or on their profitability or their business, have been included in Natixis’ consolidated financial statements. The most significant disputes are described below. Their inclusion in the list does not indicate that they will necessarily have an impact on Natixis and/or its consolidated subsidiaries. The other disputes are deemed unlikely to have a material impact on Natixis’ financial position or profitability and/or that of Natixis and its consolidated subsidiaries as a whole, or have not reached a stage where it can be determined whether they will have such an impact.

Legal and arbitration proceedings 3.2.10.1

Madoff fraud

The Madoff outstandings are estimated at €319.3 million in equivalent value at December 31, 2021, fully provisioned at this date, compared to €503.4 million at December 31, 2020, following the confirmation of the liquidation of certain assets deposited in the name of Natixis and fully provisioned. The effective impact of this exposure will depend on both the extent of recovery of the funds invested for Natixis and the outcome of the measures taken by the bank, notably in terms of legal proceedings. Furthermore, in 2011 a dispute emerged over the application of the insurance policy for professional liability in this case, which had been taken out with successive insurers for a total amount of €123 million. In November 2016, the Paris Court of Appeal vindicated the Commercial Court’s prior ruling that primary insurers were liable to cover the losses incurred by Natixis due to the Madoff fraud, up to the amount for which the bank was insured. On September 19, 2018, the Court of Cassation subsequently annulled the judgment under appeal and referred the case back to the Paris Court of Appeal with a differently constituted bench. On September 24, 2019, the Court
