Aéroport de Paris - 2018 Registration document

RISK MANAGEMENT AND CONTROL 04 RISK FACTORS

Risks linked to airport safety

RISK IDENTIFICATION

RISK MONITORING AND MANAGEMENT

As an airport operator, Groupe ADP is responsible for airport safety (in particular, maintenance, operation, development, surveillance, etc.) at the airports for which it is responsible. In France and in the European Union, the Group holds a European Airport Safety Certificate for each of its airports. Since 2017, the national certificates held by Paris-Charles de Gaulle, Paris-Orly and Paris-Le Bourget airports have been converted into European Airport Safety certificates 1 . In application of the commitments made as part of the European certification, a Compliance Monitoring Manager was appointed within the Airport Operations Division. For all airports in countries outside the European Union in which it operates concessions, Groupe ADP introduces best practices in accordance with the ICAO’s international standards.

The safety of civil aviation is a priority for the air transport industry. Safety standards are established at a global level under the aegis of the International Civil Aviation Organisation (ICAO). These measures include the standards and practices recommended by the ICAO and which the signatory states of the Chicago Convention of 7 December 1944 have undertaken to implement. They are not directly applicable and are only ascribed a regulatory value when they are transposed into the states’ national laws. For airports situated in the European Union, the applicable legal framework is set by European Community law and by the rules of the European Aviation Safety Agency (EASA), which reflect the ICAO’s recommended standards and practices. On this basis, the European Airport Security Certificate can be granted in accordance with the provisions of Regulation (EC) No. 216/2008 of the European Parliament and of the Council of 20 February 2008. For airports situated in countries outside the European Union, Groupe ADP is subject to the current local certification processes. Violation of these standards is likely to jeopardise the safety of air transport, prevent the operation of airports and the Group could be held liable. In addition, these standards could be strengthened, making Groupe ADP responsible for fulfilling additional obligations.

Management organisation risks Risks related to data protection and cyber security

RISK IDENTIFICATION

RISK MONITORING AND MANAGEMENT

In view of the challenges, the Group’s data protection and IT protection systems are based on: ® Group policies on information protection, personal data protection and IT system security, which all contribute to the security of Groupe ADP’s data; ® dedicated organisations and governance with specifically: ® a Strategic Committee for the Security of IT Systems (C3SI), which defines the strategic guidelines on IT system security, ® an Operational Committee for the Security of IT Systems (COSSI), which approves measures that ensure compliance with the strategic guidelines on IT system security, ® a Head of Group IT System Security (RSSI), who coordinates these bodies and also represents the Group to external bodies, ® a network of IT system security correspondents in each Group entity. The context has led Groupe ADP to commit to a number of actions including: ® a major awareness raising plan for Group staff, called Vigie Info; ® a Group GDPR compliance plan, which led in particular to the appointment of Data Protection Officers for Aéroports de Paris and its main subsidiaries 2 in 2018; ® an assessment of the compliance of its critical IT systems with regulatory obligations and the implementation of any corrective actions.

Data protection and IT systems are a major challenge for Groupe ADP. The risk of data leaks or tampering through negligence, malevolent acts or intrusion into IT systems may have a very significant impact on the Group’s image, reputation, operational robustness and performance, if they were to occur. Increasingly frequent and sophisticated large-scale and worldwide cyber attacks, associated with the increasing digitisation of the Group’s activities and the opening of the information system to the airport ecosystem, are such as to expose the Group to increased risks. In addition, the new regulatory obligations (particularly with the entry into force in May 2018 of the new European data protection regulation (GRPD)) have led Groupe ADP to reinforce its vigilance and to introduce compliance plans.

1 See Commission Regulation No. 139/2014 of 12 February 2014.

2 Hub One, ADP International, ADP ingénierie.

26

AÉROPORTS DE PARIS ® REGISTRATION DOCUMENT 2018