QUADIENT // 2021 Universal Registration Document

4 RISK FACTORS AND INTERNAL CONTROL Risk factors

Risk management measures Quadient has established long-lasting relationships with postal regulators and the Company has appointed a local relay in each region to assist the VP of Global Postal Relations. The dialogue with postal authorities gives most of the time sufficient visibility to the Company ahead of the plan, so that the Company has the capacity to anticipate and respond to these changes. LOSS/THEFT/CORRUPTION OF DATA AND/OR INFORMATION Risk description In the context of its activities, the Company collects, uses and processes various customer and employee data, including personal data. Beyond GDPR in the European Union, the laws and regulations related to personal data is increasing in other countries where the Company operates such as US, Canada and Brazil. The risk is that the Company accidentally or unlawfully loses, alters, destroys or discloses data or information (confidential or personal) to the detriment of the Company. Potential impacts This risk could affect the company on the following: Operational ● Inability to efficiently understand and reach customers - (lack of Business Intelligence / Market Insights) Fine in case of non-compliance with external - standards (Data privacy, GDPR etc.) Legal ● International & economic sanctions, criminal - conviction of leaders Prosecution by data subjects - Reputational ● Degradation of the reputation on the market - Risk management measures Quadient has nominated a Data Protection Officer leading the implementation of the data protection compliance program. The data protection team is composed of regional DPOs in charge of applying the data privacy policy. Among other things, they define and maintain a register of data processing, answer to Data Subject Access Requests (DSAR), conduct Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA), establish Data Processing Agreement with the suppliers and sub-contractors, and manage data privacy incident and data breach. The DPO team is part of the Compliance team and works closely with the Information Security HR and Legal teams. Financial ●

of breach and that the Company has the option of terminating the relationship. In 2021, the Company has decided to implement a new compliance organization around a center of excellence and regional teams. Several compliance policies and practices have been revised and implemented. For instance, the whistleblowing system has been extended to all third parties, the due diligence process for third party onboarding has been revised, a third-party management platform has been implemented to evaluate risks and their compliance level. In order to check compliance of its operations, the compliance team works hand-in-hand with the Internal control and internal audit team to set audits and implement controls. The Company evaluates its suppliers during on-site audits whenever possible: quality of components/products, industrial landscape but also CSR-related criteria (do they have a code of conduct, how do they train people, etc.). ACCELERATION OF NEW POSTAL REGULATIONS UNFAVORABLE (AND/OR UNANTICIPATED) TO QUADIENT'S BUSINESS Risk description The MRS business is subject to postal regulations in the countries where the Company operates. The Company could face increased difficulties to maintain its activities in a strategic country following the implementation of new regulations by governments or the various postal authorities, thus removing it from its dominant position. The Company could also lose its certifications, which would threaten its MRS business. Potential impacts This risk could affect the company on the following: Financial ● Attrition of the Group's P&L: diluting the cash - generation of the MRS Business Operational ● Adaptation costs: accelerated renewal of the installed - base Strategic ● Accelerated decline in EBIT generation by MRS would - compromise the ability to invest in new businesses Loss of market share, loss of access to certain - markets, the right to operate or the right to market a product

96

UNIVERSAL REGISTRATION DOCUMENT 2021