QUADIENT // 2021 Universal Registration Document

RISK FACTORS AND INTERNAL CONTROL Risk factors

Lasting difficulties to reach existing or potential - customers: changes in working habits from prospects Delay in delivery time and deterioration of customer - satisfaction HR ● Changes in the ways of working and interactions - between employees: difficulties in continuing to be effective, cohesive and team-oriented The Group has to hire new people and train them, - onboard them, teach them tools and processes all remotely Departure of key collaborators that are opposed to - vaccination Telemarketing people may be frustrated and may - leave (high turnover position) Risk management measures The Company has made investments in IT equipment and digital tools over the last years to enable the employees working remotely and make the operational processes running, notably to diversify its ways of acquiring new customers. In addition, Quadient’s sales force and Customer support teams remained in constant dialogue with its customers to support them for their need and has increased commercial partnerships playing a significant role in that strategy. In addition, strong actions to adapt the cost base to Covid-19 consequences were also taken, and among others: A freeze on new hirings was put in place; ● Salary increases were postponed; ● Furlough measures were implemented; ● All travels were stopped. ● In 2021, the emergence of new variants has led the company to continue to apply the precautionary principle and enable its employees to work remotely which became the new standard of work in Quadient. The return to the workplace was applied progressively during the second half of 2021. CRITICAL INFORMATION SECURITY INCIDENT (CYBER-ATTACK, MALWARE, RANSOMWARE) WITH A LASTING EFFECT ON THE COMPANY’S ACTIVITIES Risk description As part of its business the Company manages several IT systems, infrastructure, applications and databases for its own usage but also to deliver the services to its customers. The Company could face malicious actions, individual or organized, of internal or external origin, on the Company's assets that could compromise the security of its data or could cause interruptions in the operations of its businesses and expose the Company to increased costs, litigation and other liabilities. Risks relating to the company operations

Potential impacts This risk could affect the company on the following: Operational ● Significant business disruption, not being able to - deliver on the roadmap Financial ● Costs of bringing the systems up & running - Fines or penalties in case of non-compliance with - external standards (Data privacy, GDPR etc.): have to notify national authorities about the incident and potential leakage Reputational ● Degradation of the reputation with customers globally - Risk management measures The Company has set a general information security framework in which security policies and internal digital standards have been implemented as well as mitigating measures to address the security and cyber-attack risks. The Company has the ability and the skills to restore all its business critical systems thanks to disaster recovery plans and data backup tested on a regular basis. The Director of Information Security chairs a Corporate Information Security Board to govern corporate information security activities. The Security Board meets quarterly and includes representation from Solutions Security teams, the Data Protection Organization, Corporate Compliance, Digital Organization and Corporate Information Security. This is the overarching Information Security technical governance authority within Quadient, reporting to the Quadient Executive Committee. Its role is notably to establish global information security objectives and priorities, perform global information security risk assessments, maintain Information Security policies, and create global awareness of Information Security Policies and safe working practices. The information security also depends on the awareness and ability of the Company's staff to understand the stakes of security. In this respect, the Company has implemented a mandatory training program for all employees. SIGNIFICANT FAILURES IN THE DEPLOYMENT OF CRITICAL IT TOOLS Risk description Quadient past decentralized organization and growth by acquisitions has led the Company to manage a large range of information systems. In the framework of the "Back to Growth" strategy, the Company is currently in the process of deploying new IT tools like for instance a new ERP and a new HRIS for which the Company may experience failures in the subsequent deployment (delays, additional costs, non-deployed functions, etc.).

4

91

UNIVERSAL REGISTRATION DOCUMENT 2021