OVHcloud’s position as the leading European cloud provider traces its roots to its founding in 1999 as an internet hosting company in France. Over the past 20 years, OVHcloud has expanded significantly, initially by developing its infrastructure and growing its presence within Europe, and then by diversifying its cloud offerings and expanding its operations globally.

Cloud computing means providing users with storage, computing and network resources on demand. Cloud resources are located in datacenters that house servers and equipment used to process, store and transmit data. Users of cloud computing services can access stored data and instruct processing units to perform computing functions automatically, without the need for human interaction, minimising the computing and storage capacities needed on their devices (such as personal computers, tablets and mobile phones). Wherever they are located, as long as they have an internet connection, users are able to access IT services through the cloud.

Businesses can establish and operate their own datacenters using internal IT staff, or they can outsource some or all functions to cloud service providers such as OVHcloud. For many businesses, the time and financial investment required makes proprietary cloud computing less attractive than outsourcing, which means paying only for the resources they actually use. Additionally, it can be difficult for businesses that are not specialised in IT services to innovate at the requisite levels in order to ensure that their cloud infrastructure provides them with adequate services and protections, such as data security. Internal IT systems also might not be sufficiently scalable to meet peak-load demands (unless businesses maintain costly excess capacity).

Servers maintained in datacenters can be used for multiple functions, each of which is accessed through a “virtual machine” created on the server. The virtual machines are operated and separated from one another through a software platform known as a “virtualisation stack.” Each virtual machine can have its own operating system that permits users to develop and run applications. Through a function known as a “hypervisor,” the server’s capacity is allocated to the virtual machines in accordance with the demands of users. More recently, software applications have been written to be bundled in “containers” that run directly on the operating system of the server itself, coordinated through platforms known as “orchestration” systems, which generally take up less space and can provide better performance than hypervisor-based virtualisation stacks.

The ability to create multiple virtual machines in each server or to deploy container-based systems allows a cloud service provider to allocate its capacity among multiple user groups or customers in a secure manner. Service providers can dedicate a server to a single customer (a “Private Cloud” system), allocating the server’s capacity among user groups authorised by the customer. Alternatively, a server can be shared among multiple customers (a “Public Cloud” system). Private Cloud customers generally pay monthly charges for dedicated capacity, whether or not they use that capacity. Public Cloud customers generally pay for the capacity they actually use.

In order to optimise the cost of cloud services, many businesses are deploying “hybrid cloud” strategies, in which they combine on-premises or outsourced Private Cloud capacity for their most sensitive functions and data, with Public Cloud capacity for their less sensitive needs. Customers are also deploying “multi-cloud” strategies, purchasing cloud services from several providers. To meet the growing demand for hybrid cloud and multi-cloud services, a cloud provider must offer packages that allow the various solutions to function as an integrated whole.

Cloud computing encompasses a range of services that include providing access to infrastructure (Infrastructure-as-a-Service or “IaaS”), selecting and operating platforms such as operating systems, virtualisation stacks and security systems (Platform-as-a-Service or “PaaS”), and offering applications that are developed and can function on cloud platforms (Software-as-a-Service or “SaaS”). These features are illustrated in the following graphic:

The cloud solutions market also includes Web services targeted mainly at individuals and small and medium-sized businesses. The web cloud market largely consists of web and domain hosting, including leasing servers for websites, selling secondary services (such as software packages) and domain name registration, renewal and transfer services.

OVHcloud provides two main Private Cloud offerings: Bare Metal and Hosted Private Cloud.

OVHcloud’s Bare Metal Cloud service provides dedicated physical servers to customers, who have full control over the server, including the choice of operating system. The Bare Metal Cloud allows them to have a similar experience to the one they would have with on-premises solutions managed by their internal teams, while taking advantage of the benefits offered by outsourcing.

OVHcloud’s main Bare Metal Cloud offering consists of high-end servers and mid-to-high-level services. OVHcloud also has a lower-priced offering marketed as part of the “Eco” range, which uses refurbished servers that provide quality services at a reduced cost, while improving environmental efficiency.

Bare Metal Cloud services provide business customers with high-level computing power and strict service level agreements in a secure environment appropriate for sensitive data applications. The server can be customised to meet customer requirements and can be operated without allocating the server’s capacity to virtual machines through a hypervisor, allowing the customer to use the server’s full capacity. Any unused capacity can be deployed within minutes, although the total capacity is limited by that of the dedicated server.

Bare Metal Cloud customers pay monthly fees that depend on the performance levels they select. They may also choose options (such as server customisation or data backup) for additional fees.

The main uses of Bare Metal Cloud services include the computation of complex data, low latency operations, streaming, online gaming and critical business applications such as ERP and CRM.

OVHcloud offers Hosted Private Cloud services to its business customers, providing servers fully managed by OVHcloud, including the operating system and the virtualisation layer, in partnership with VMware or Nutanix offerings.

1. VM: Virtual Machine

Within its Hosted Private Cloud service, OVHcloud has two main offerings: (i) Essential and (ii) Premier.

• ▶Essential allows customers to benefit from dedicated and virtualised servers, fully managed by OVHcloud, with a 99.9% service level. Essential customers are mainly medium-sized companies.
• ▶Premier provides high-end dedicated virtualised servers, and includes virtual storage and backup management as well as 24/7 support, with a 99.9% service level. The servers are certified to host information from customers in a variety of sensitive sectors, including healthcare in France (HDS certification), Germany, the United Kingdom and Poland, and finance, including credit card payments (PCI DSS certification). Premier customers are primarily large companies and public sector players looking to move to a cloud service provider.

OVHcloud’s Hosted Private Cloud services provide customers with private access to servers that can be customised to meet their specific requirements. They meet the needs of customers seeking isolation and security, scalable resources and resilience.

The main uses for Hosted Private Cloud services include deployment in hybrid cloud strategies, media encoding, big data analytics and disaster recovery, as well as the storage and processing of sensitive data in key sectors such as healthcare, finance and the public sector.

OVHcloud offers Public Cloud solutions based on open source technologies such as OpenStack (a platform for deploying processing, storage and networking resources) and Kubernetes (a container orchestration platform that has become a market benchmark). The use of these standard platforms provides customers with easy data transfer capability and deliberately transparent access to source code, facilitating reversibility and eliminating “vendor lock-in”. This feature of the OVHcloud offering is particularly attractive for customers looking to deploy multi-cloud strategies.

Public Cloud solutions provide users with virtually unlimited computing capacity, with the only constraint being the demands of other users and the total installed capacity of the cloud provider. It is possible to deploy new Public Cloud instances automatically and in seconds. As the Public Cloud service is based on shared servers, customisation options are defined by OVHcloud. The flexibility of the hardware architecture offers high service levels.

Public Cloud customers pay usage fees for the capacity they actually use. The OVHcloud model offers much more predictability than models used by hyperscalers and many other competitors. In particular, unlike hyperscalers, OVHcloud does not charge additional fees for outgoing data transfers or API calls, except for block and archive storage, and for services located in Asia-Pacific.

The Group’s Public Cloud offering provides three core cloud computing services: computer performance, storage and network capabilities.

Customers of OVHcloud's Public Cloud solutions can choose fully scalable Public Cloud services on virtual machines that are hosted on shared servers and networks.

OVHcloud’s Public Cloud service is attractive for customers seeking highly scalable resources, with significant peak management demands across multiple access locations, and a high degree of resilience. This service is used for applications with high-demand bursts and services that use large volumes of data, such as video and music streaming.

OVHcloud's Public Cloud customers can also choose from a number of on-demand (SaaS) software running on OVHcloud's Public Cloud servers. In particular, OVHcloud offers its customers access to Microsoft Exchange messaging and calendar solutions, SharePoint data storage and management solutions, and the Office365 business software suite.

1. VM: Virtual Machine

OVHcloud also offers a virtual private server option, providing IT capabilities located on shared servers, but with virtual machines isolated through the use of virtual private networks.

The virtual private server option is attractive to customers seeking tailored resources, particularly for short-term operations with volatile workloads and server demand. Virtual private server solutions are used primarily for applications testing and other one-time projects, the management of short-term peak loads and backup functions.

1. VM: Virtual Machine

As part of its growth strategy, OVHcloud is developing and implementing a comprehensive PaaS offering, overlaying its Private Cloud and Public Cloud IaaS products. In addition to developing products in-house, OVHcloud has announced several partnerships and acquisitions, in order to accelerate its development plan, enabling it to offer more than 80 IaaS and PaaS solutions to its customers by the end of the 2023 financial year, mainly in the following areas:

• ▶Storage. OVHcloud now offers its customers a comprehensive portfolio of storage solutions such as Object Storage S3 (High Performance and Standard), Block Storage, File Storage, Snapshot & Backup and Archive;
• ▶Database-as-a-Service. Data management software allows users to manage their databases to enable queries and updates. It includes programmes that execute queries on data and provide visual representation of the data in formats such as spreadsheets, enabling users to build applications faster and automate database management. OVHcloud announced a partnership with MongoDB in April 2021 and a partnership with Aiven in July 2021 to make several types of database available on the OVHcloud infrastructure;
• ▶AI, Machine Learning & Analytics. Artificial intelligence and analytics solutions include tools and services that support data analysis and presentation. OVHcloud is particularly advanced in high-performance computing solutions for artificial intelligence and machine learning, and intends to continue its development in this area. In April 2022, OVHcloud announced the acquisition of ForePaaS, a company specialising in analytics. Throughout 2023, OVHcloud strengthened its artificial intelligence product offering, such as AI Notebook, AI Deploy, AI Training, AI App Builder and AI Endpoint;
• ▶Security & Encryption. OVHcloud is expanding its offering of identity access management and encryption solutions, including end-to-end encryption that secures customer data in all states. In July 2021, OVHcloud announced the acquisition of BuyDRM, a US company specialising in this area;
• ▶Application platforms. Application platforms are back-end server software solutions that provide developers with a runtime and development environment.

OVHcloud has offered Web Cloud services since its founding in 1999. With its leading position in the French market and strong positions elsewhere in Europe, the Web Cloud offering provides a stable, recurring revenue base and regular growth.

OVHcloud offers three principal solutions to Web Cloud customers:

• ▶Web hosting and domain names. This includes the leasing of hosting capacity on servers, allowing customers to connect their websites to the internet, as well as domain name registration, renewal and transfers. Customers can choose basic packages offering just one or a few websites, or packages targeted at professionals and developers that wish to host multiple websites, together with email addresses and storage options. OVHcloud offers its customers additional services, such as Secure Socket Layer (SSL) certificates, which enable secure connections between a web server and a browser;
• ▶Telephony and connectivity. Customers can purchase VoIP (Voice over IP) systems for use as switchboards and interactive voice response systems. OVHcloud also offers customers internet access through ADSL and fibre networks, with basic and professional packages;
• ▶Support and services. OVHcloud offers its customers additional levels of support and services, including a range of support, expertise and online services. There are two levels of support offering: i) Business, which corresponds to the level suitable for production environments, or ii) Enterprise, which offers a key account experience for critical production environments. Additional services are proposed in the Professional Services offering, which provides access to technical support and advice during infrastructure migration or IT architecture changes.

OVHcloud’s main customers in the Web Cloud segment are small and medium-sized businesses, as well as certain individual customers and entrepreneurs. Web Cloud customers generally seek secure and reliable web and communications services, to establish their web presence, and to digitise business functions.

OVHcloud pursues a growth strategy adapted to its three main customer segments: (i) technology and software companies, (ii) large corporates, SMEs and public entities, as well as (iii) white labellers, resellers and private individuals.

This customer segment is historically favourable for OVHcloud. In order to extend its growth in this segment, OVHcloud has implemented an enhanced digital marketing strategy, including an improved customer experience on the Group’s websites with a customer-centric interface, focused on usage and products, a prospect relationship management programme, online support such as chatbots and training materials such as webinars and technical documentation.

In order to continue enriching this ecosystem, OVHcloud is developing several programmes:

• ▶the Startup Program helps startups grow and develop by providing them with technology credits, resources, training and advice. This programme is particularly useful for startups still in the idea-forming stage. The 12-month programme allows the use of up to €10,000 in technology credits and several hours of technical support. Since 2015, more than 1,800 startups and scale-ups from all over the world have joined the programme and the ecosystem;
• ▶the Market Place brings together innovative and trusted technology and software companies as part of a SaaS (Software-as-a-Service) marketplace hosted by OVHcloud.

OVHcloud is implementing a three-part strategy to achieve growth with large corporates, SMEs, and public entities. As part of this strategy, OVHcloud is addressing the needs of these customers for transformation and support as they consider migrating to the cloud.

• ▶OVHcloud is leveraging its position as a European “trusted cloud” provider, meeting the security and data sovereignty needs of European companies and public sector entities handling highly sensitive or strategic data. OVHcloud does not use or sell its customers' data, which is stored in the datacenters chosen by its customers. It offers the highest level of security with numerous recognised certifications, including SecNumCloud certification from the French National Cybersecurity Agency (ANSSI), attesting to Europe's highest level of IT security for the hosting of sensitive and strategic data in the cloud. OVHcloud has also launched the Trusted Zone sovereign solution, which is designed to meet the highest security standards of public sector and critical services operators. It is also one of the founding members of the Gaia-X initiative, helping to promote a European sovereign cloud. OVHcloud is constantly improving its offers by investing in security and encryption solutions.
• ▶OVHcloud is strengthening its marketing channels to enhance its position with large corporate customers and public entities. As part of this strategy, OVHcloud has strengthened its relationships with its network of almost 1,000 IT partners, reinforcing its position with large system integrators such as Accenture, Capgemini, Sopra Steria and Deloitte and specialised system integrators such as Neurones IT, providing OVHcloud with a strong platform to capture a broader share of the IT spending of their corporate customer base. At the same time, OVHcloud has substantially increased its direct sales force that serves the needs of its large corporate customers, as well as providing enhanced customer support and services to guide corporate customers in their cloud migration projects.
• ▶OVHcloud has developed specific offerings for small and medium-sized businesses. For this segment, OVHcloud is leveraging its strong relationships with IT advisors and web agencies, while offering maximum flexibility through an automated self-service channel that can be used by customers directly or through their IT advisors. OVHcloud is also enhancing its multi-location, multi-language support offering for small businesses.

OVHcloud has a long history of commercial success through web agencies that resell OVHcloud solutions, sometimes under their own brand names. For individuals in particular, significant work has been ongoing for several years to offer an optimised digital sales channel, new and improved product offerings, and improved support. This continuous improvement aims to promote the acquisition of new customers along with cross-selling opportunities to existing customers. OVHcloud is also developing a “DataCenter-as-a-Service (DCaaS)” offering for corporates to deliver high performance and data sovereignty for their on-premises resources.

OVHcloud is the European leader in the large and rapidly growing cloud services market.

It is one of the two main providers of Private Cloud services in Europe. Additionally, as a Europe-based cloud provider, the Group is able to meet the requirements of European customers for data sovereignty and security.

OVHcloud has a growing presence in the Public Cloud market, which is dominated globally by the American “hyperscalers” (Amazon Web Services, Google Cloud Platform and Microsoft Azure). It is the only European provider of Public Cloud infrastructure services that was positioned as a major player in the IDC MarketScape (IDC – September 2022), based on its infrastructure offering.

As a French cloud service provider, OVHcloud is subject to European regulations across a wide number of areas, including information technology (“IT”) services, cybersecurity, online content moderation and data protection. OVHcloud may also be subject to sectoral regulatory regimes applicable to certain customers and generally applicable regulations such as contract laws and consumer protection policies.

OVHcloud is subject to European regulations aimed at strengthening cybersecurity across the European Union (the “EU”). Transposed into French law on 26 February 2018, Directive (EU) 2016/1148 of 9 July 2016 established requirements for cloud service providers with respect to network and information systems security. The French law(2) transposing Directive (EU) 2016/1148 classifies cloud service providers as digital service providers. As a digital service provider, OVHcloud must guarantee a level of information security adapted to the relevant risks and adopt appropriate organisational and technical measures. Any security incident having a significant impact on the provision of services must be declared to the French National Cybersecurity Agency (“ANSSI”). The French Prime Minister may also open investigations upon receiving information of non-compliance by the digital service provider with security obligations. Fines for non-compliance with security obligations range from €50,000 to €100,000.

The ANSSI has adopted security standards for cloud service providers(3). In particular, cloud companies must set up a security policy for information relating to the service and carry out a risk assessment covering the entire service. If applicable security standards are met, the ANSSI grants the “SecNumCloud” label certifying an enhanced level of security for the storage of sensitive information. In October 2022, the ANSSI extended OVHcloud's “SecNumCloud” security visa for its Hosted Private Cloud until December 2023. For the protection of critical information systems, the ANSSI recommends that operators of essential services (e.g., gas supply companies, airline carriers, health institutions, banks) use security products and services with an ANSSI security visa.

The role of the European Union Agency for Cybersecurity (the “ENISA”) was strengthened by Regulation (EU) 2019/881 of 17 April 2019 (the “Cybersecurity Act”). The ENISA is tasked with establishing and maintaining a European-wide cybersecurity certification scheme applicable to cloud service providers, including a comprehensive set of rules, technical requirements, standards and procedures. In July 2020, the ENISA published a proposal that would enable cloud service providers to obtain certifications across the EU attesting to the level of security of their services.

In September 2022, the European Commission unveiled its proposed Cyber Resilience Act (“CRA”). This proposal fixes a series of general and organisational cybersecurity requirements for products containing digital elements (for example: software, hardware products, data processing). It aims to adopt a common base within the European Union to limit cyberattacks. The CRA applies differently to supply chain players: manufacturers, importers and distributors. The text is awaiting examination by the European Parliament and then by the Council of the European Union; during this procedure, which may take up to two years, the current text will most likely undergo certain changes. It is therefore still too early to comment on the impacts this text may have on OVHcloud.

As a provider of cloud and telecommunications services, OVHcloud processes, stores and transmits a substantial amount of personal data. As a result, OVHcloud must comply with a number of European regulations and national laws relating to personal data protection.

A cornerstone of personal data protection in the European Union since it came into force in May 2018, the GDPR has three main objectives: (i) to establish rules relating to the protection of individuals with regard to the processing of their personal data as well as rules relating to the free movement of such data, (ii) to strengthen the application of the regulation by providing a unified legal framework for organisations processing personal data, and finally (iii) to strengthen the responsibility of parties processing personal data (data controllers and processors) by requiring that processing and the tools/applications used be documented.

The GDPR places organisations under strict obligations in terms of information and transparency with regard to the personal data processing they carry out on their own behalf or on behalf of others.

It also confers a number of rights on data subjects with regard to the processing of their personal data, such as the right of access, the right to rectification and the right to erasure ("right to be forgotten"), giving them greater control over the use of their personal data.

The GDPR also requires organisations to implement appropriate technical and organisational security measures for the processing of personal data as soon as a new product or service is designed, in order to ensure that personal data security and confidentiality requirements are met ("Privacy by design").

Lastly, the GDPR requires organisations responsible for processing personal data to notify the supervisory authority of any breach that is likely to result in a risk to the rights and freedoms of natural persons and data subjects.

Passed on 22 September 2021, the Act to modernise legislative provisions as regards the protection of personal information, known as "Law 25", makes major changes to the Act respecting the protection of personal information in the private sector ("ARPPIPS"), giving citizens greater control over their personal data and making organisations more accountable for the way they manage this information. This law establishes new obligations and transparency rules for Quebec companies, such as the appointment of a Data Protection Officer, in order to establish governance policies and practices regarding personal information, and conducting privacy impact assessments (PIAs), respecting the new rights granted to individuals with regard to their personal data, in particular the right to require that such information cease to be disseminated, or that it be re-indexed or de-indexed (the right to be forgotten) before being communicated outside Quebec, and ensuring that technological products and services offered to the public have settings that provide the highest level of confidentiality by default.

The new responsibilities and requirements applicable to organisations processing personal data are coming into force progressively in September 2022, 2023 and 2024.

In order to ensure compliance with applicable data protection regulations, OVHcloud has implemented a personal data management system based on the ISO 27701 standard.

OVHcloud also relies on the Cloud Infrastructure Service Providers in Europe (CISPE) Code of Conduct, with its certified Bare Metal Cloud and Hosted Private Cloud powered by VMWare offerings, to ensure and demonstrate the compliance of its IaaS activities.

Regulation (EU) 2018/1807 of 14 November 2018 (“Regulation on the free flow of non-personal data”) aims to ensure the free flow of non-personal data between EU Member States (the “Member States”) and IT systems in the EU. Non-personal data is either (i) data not linked to identified or identifiable natural persons, or (ii) anonymised personal data. This regulation enables the storage and processing of non-personal data anywhere in the EU, prohibits data localisation and ensures the availability of data for regulatory control.

The Regulation on the free flow of non-personal data also provides that the European Commission must encourage the development of self-regulatory codes of conduct to facilitate portability between service providers. To that end, OVHcloud participated in the drafting of two voluntary codes of conduct on switching cloud service providers and data portability through the working group on switching cloud providers and porting data (“SWIPO”). Published in July 2020, the codes of conduct for Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) provide guidance for cloud service providers and customers on switching cloud provider and porting non-personal data. The adoption of such codes of conduct aims to reduce the risks of vendor lock-in (i.e., situations where customers are dependent on a particular provider due to significant switching costs) by cloud service providers. It also provides guidance for customers on the transfer of non-personal data.

As a hosting service provider, OVHcloud must comply with a number of laws on content moderation, including those moderating terrorist content, child sexual abuse material and the infringement of intellectual property rights.

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (“Digital Services Act”) entered into force on 18 November 2022. This new framework aims to harmonise the rules applicable in the different Member States of the European Union and replaces the framework adopted in 2000 with regard to liability of intermediaries in relation to illegal content while maintaining the fundamental principles of freedom of expression and freedom to provide services.

The regulation also establishes new obligations of due diligence and transparency for hosting services such as OVHcloud, both vis-à-vis the authorities and users, particularly on the processing of reports of illegal content. It also increases the level of penalties that can be imposed in the event of a breach of the obligations established by the regulation, with fines of up to 6% of the intermediary service provider’s global annual revenue. A certain number of measures are applicable on a deferred basis over the next two years and involve the adoption of texts at the national level. OVHcloud will carefully monitor their publication in order to comply with its obligations.

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (“Digital Markets Act”) aims to make the digital sector fairer and more competitive by introducing preventive measures for large digital companies as gatekeepers on the European market. In particular, the regulation provides for several obligations and prohibitions against gatekeeping online platforms and strengthens the sanctioning powers of the European Commission, which will be assisted by an advisory committee and a high-level group. So, for example, gatekeepers must allow users to easily uninstall pre-installed software on their devices and easily unsubscribe from an essential platform service such as a cloud service. Gatekeepers will no longer be able to impose software such as internet browsers or default search engines or reuse users' personal data for the purpose of targeted advertising without their explicit consent.

Applicable from 2 May 2023, the companies concerned must report to the European Commission and ensure that they are compliant by March 2024 at the latest. The legislation gives the Commission the exclusive power to monitor compliance with their obligations, and new sanctions, including a fine of up to 10% of the company's total global revenue from the previous financial year.

The adoption of this new legislation is a positive step towards regulating the practices of the dominant digital players on the European market. However, its effectiveness will depend on the means that the European Commission devotes to ensuring compliance with it. OVHcloud will pay particular attention to the forthcoming details regarding the teams tasked with monitoring gatekeepers' compliance.

OVHcloud entities are telecommunications operators in four (4) Member States: Belgium, France, Germany and Spain. OVHcloud is subject to specific obligations when providing telecommunications services. Because the EU and its Member States have been regulating the telecommunications sector for many years, there are a variety of different implementing measures, guidelines and authorities across the EU. OVHcloud entities are also telecommunications operators in the United Kingdom and Switzerland, which have their own telecommunications regulations. The United Kingdom also implemented the requirements of the European Electronic Communications Code into its national regulatory framework prior to Brexit.

The Directive (EU) 2018/1972 of 11 December 2018 established the European Electronic Communications Code. Although this directive has not yet been transposed in all Member States where OVHcloud acts as an operator, several other directives applicable in the telecommunications sectors, such as Directives 2002/19/EC, 2002/20/EC, 2002/21/EC and 2002/22/EC of the European Parliament and of the Council, have been substantially amended. Directive 2018/1972 was transposed into French law in May 2021(4). The key objective of this European Electronic Communications Code is to create a comprehensive set of updated rules to regulate electronic communications and protect EU citizens when they communicate through traditional or web-based services, encourage competition between telecommunications operators, and ensure that national regulatory authorities are protected against external intervention or political pressure.

As a cloud service provider, OVHcloud is subject to obligations when providing services to organisations in the health sector. For example, French law requires health data hosting providers (i.e., any person hosting personal health data collected in the course of prevention, diagnosis, care or social and medical monitoring activities on behalf of natural or legal persons having produced or collected such data or on behalf of the patients themselves) to comply with specific obligations. Such obligations include obtaining proper certification or receiving prior approval from public authorities as per the French Public Health Code, and entering into an agreement with customers in the health sector, setting out the mandatory provisions prescribed by Article L. 1111-8 of the French Public Health Code. OVHcloud is also subject to the requirements of other jurisdictions in which it operates, such as Italy, Poland, Germany and the United Kingdom.

In 2016, OVHcloud obtained the “health data host” accreditation and, since 2018, the Group has operated a management system that allows several of its cloud offerings to comply with the requirements of this accreditation. In 2019, OVHcloud obtained the French HDS (Hébergeur de Données de Santé – health data host) certification for its Hosted Private Cloud offering. In 2020, this certification was extended to OVHcloud’s dedicated servers, and it was extended to OVHcloud’s Public Cloud offering and Trusted Exchange in 2021.

Companies in the financial sector (including credit institutions and investment firms) may also be subject to industry-specific obligations that may reflect on OVHcloud in the context of the provision of its services. In particular, in 2019, the European Banking Authority (“EBA”) issued “Recommendations on outsourcing to cloud service providers” applicable to outsourcing arrangements. These recommendations create obligations with respect to information systems security and audit rights for the outsourcing banks, which they must impose on their cloud service providers when using their services. OVHcloud aims to offer contractual conditions applicable to financial service operators that ensure that customers are able to implement an outsourcing policy which is compliant with the EBA’s recommendations and with local European regulations.

Financial service operators may also require OVHcloud to comply with specific national regulations. For instance, OVHcloud may have to comply with French regulations such as those of France's banking and insurance supervisor, Autorité de contrôle prudentiel et de résolution (“ACPR”) on critical outsourced services such as banking operations. Companies outsourcing critical services must ensure that service providers guarantee the protection of confidential information, implement back-up mechanisms in the event of significant difficulties affecting service continuity and provide the ACPR, in carrying out its duties, with access to critical outsourced information. With respect to internal procedures for managing information system security, the American Institute of Certified Public Accountants (“AICPA”) granted OVHcloud SOC I-II type 2 certifications.

With respect to hosting banking data and reducing card fraud, OVHcloud’s main Hosted Private Cloud offering is compliant with the Payment Card Industry Data Security Standard (“PCI DSS”). OVHcloud’s datacenters in France, Canada, the United Kingdom, Germany and Poland comply with PCI-DSS.

On 27 November 2022, the European Commission adopted a Regulation on Digital Operational Resilience for the Financial Sector (“DORA”). Following a proposal by the 2020 European Commission, this regulation imposes a number of requirements on cloud outsourcing arrangements in the financial sector. The proposed regulation covers a broad range of regulated financial entities, including credit institutions (such as banks), central securities depositaries, insurance companies and certain fund managers, among others. It imposes a number of information and communications technology risk management requirements on these financial entities, some of which apply directly to outsourced cloud activities.

In particular, financial sector entities covered by the proposed regulation are required to take a number of steps to address risks in their relationships with third parties, such as cloud service providers, including ensuring that their cloud services contracts provide a full description of the services proposed with qualitative and quantitative performance targets, and include provisions governing integrity, security, personal data protection, recovery in case of failure, rights of inspection and audit, and termination provisions with clear exit strategies. The regulation proposes the approval of standardised contractual terms by the European Commission.

In addition, the regulation imposes a new oversight framework on critical third-party service providers (including cloud service providers), subjecting them to individual oversight plans adopted by the European financial regulatory bodies responsible for supervising banks, securities markets or insurance companies, depending on the sector primarily using the services of the relevant provider. The determination of which services are critical depends on their potential systemic impact, the dependence of financial entities on them for critical functions and the availability of alternatives. The oversight plan can impose requirements in areas such as security and quality, contractual terms, and subcontracting, with financial penalties imposed in case of non-compliance, up to 1% of the service provider's global revenue in the most recent year. The oversight bodies have broad inspection and auditing rights and investigative powers. The adopted regulation also prohibits financial entities from using a service provider from a country outside the EU for critical cloud functions.

Many of OVHcloud’s datacenters are located in former industrial buildings, some of which are classified as presenting environmental or other risks under applicable French legislation. OVHcloud’s datacenters outside of France may also be classified as presenting environmental risks under local regulations. In order to comply with the applicable regulations, OVHcloud is sometimes required to submit applications and obtain operating licenses. OVHcloud may be required to take certain remedial measures as part of the application process.

Operating licenses are required in most countries where OVHcloud operates its datacenters. The regulations primarily concern air emissions, industrial waste management, water and effluent management, fire risk management and noise management.

The simplified organisational chart below shows the Company's legal structure and its consolidated subsidiaries as of the date of this Universal Registration Document. The percentages indicated below represent the percentages of share capital. There has been no significant change in capital ownership since 31 August 2023.

Central to its governance mechanism, OVHcloud's risk management system helps the Group achieve its strategic objectives while protecting its assets and reputation. It also helps to mobilise employees around a common approach to risk. OVHcloud is committed to regularly assessing risks and implementing internal controls and action plans to mitigate them.

The risk management system aims to identify, analyse and manage the main risks to which the Group is exposed. It contributes to the control and security of its activities, the effectiveness of its operations and the efficient use of resources.

This system comprises a series of processes aiming to identify, assess and prioritise risks, prevent and control them, and monitor action plans to limit them. It relies on the Group's employees, particularly in internal control and compliance, and on external expertise where required. Group management, the Board of Directors and the Audit Committee closely monitor risk management and define the most appropriate strategy.

CSR risks are covered in Chapter 3 – Non-financial performance statement of this Universal Registration Document.

In 2020, the Group drew up a risk map, which was updated in 2022 and 2023.

Carried out with the support of an external specialised consultant and the involvement of top management from all the Group’s activities, the risk mapping process has made it possible to identify the main risks to which the Group is exposed and to assess their potential impact, taking into account their criticality and probability of occurrence.

The most significant risks have been grouped into different families (strategy and markets, operational, human resources, financial, regulatory and legal, information systems) and a description is provided of their causes and potential impact, as well as the actions taken to manage them.

One or more risk owners are appointed for each risk to complete the risk analysis, identify the actions and resources needed to mitigate the risk, and manage the corresponding action plans.

The relevance and progress of the action plans are monitored by members of the Group's Executive Committee, including the Chief Executive Officer, Chief Financial Officer and General Counsel, who review them on a quarterly basis. Risk mapping and action plans are presented annually to the Group’s Audit Committee, and more frequently upon request.

The Group's Legal Department negotiates all insurance contracts centrally for the entire Group, excluding subsidiaries in the United States, which determine their own insurance policy and take out their own insurance policies.

Insurance policies are either taken out by the Group, on its own behalf and on behalf of its subsidiaries, or directly by its subsidiaries, through brokers mandated to negotiate with the main insurance companies to set up or renew the most appropriate guarantees for risk coverage requirements.

Insurance companies are selected on the basis of criteria such as the amount of premiums, the scope of coverage offered, the ability to set up integrated programmes such as master policies, the duration of the commitment, their availability to insure the risks in question in light of all their other commitments in the segment and market in question, and the ability to offer qualitative support in order to better understand risk management.

The Group's insurance policy aims to:

• ▶adapt its insurance coverage each year, when renewing its policies, according to developments in the risks related to the growth of its usual activities and its steady increase in capital. To do so, the Group uses an external firm to appraise the assets of its largest sites;
• ▶pursue an active prevention and protection policy at its industrial sites, in particular through its HYR prevention plan, designed to protect them against accidental fire risks. The Group has most of its industrial sites audited annually by its brokers’ and insurers’ prevention engineers;
• ▶communicate to the insurance and reinsurance market at the roadshows organised by the Group, on the information detailed in the HYR prevention plan;
• ▶set up awareness-raising sessions on fire risk, with a technical and insurance-based approach, for a wide range of operational staff;
• ▶develop risk prevention, such as exposure to natural and environmental disasters, in order to enhance existing insurance coverage.

All insurance contracts were renewed at 1 January 2023, with the exception of a few contracts with expiry dates later in the year.

OVHcloud prefers to take out “master” policies in order to pool coverage within the Group. For regulatory or factual reasons, such as the size of a subsidiary, OVHcloud also uses local or “standalone” policies taken out directly by its subsidiaries.

The Group also has insurance policies taken out directly by the Group or through its subsidiaries, covering the liability of its executives, risks relating to all its offices, its car fleet, the use by its employees of their own vehicle for business trips, professional assignments, expatriate employees, construction work, installation of equipment or fittings in its datacenters or offices, the transportation of goods, rented accommodation made available to staff during occasional business trips to the head office, as well as the medical office of the doctor also working on behalf of OVHcloud.

Through its subsidiaries, the Group also has a number of insurance policies covering property damage, civil and employer liability and compensation for employees, offices and international datacenters.

Based on the AMF reference framework, OVHcloud has set up an internal control system comprising a set of resources, policies, behaviours, procedures and appropriate actions designed to ensure:

• ▶the application of instructions and guidelines set by management;
• ▶the operation of internal processes to ensure the effectiveness and control of activities;
• ▶the reliability of accounting and financial information;
• ▶compliance with laws and regulations;
• ▶the management of risks.

A number of players are involved in the internal control system:

Delegated by the Board of Directors, the Audit Committee is responsible for monitoring the preparation of financial information and the effectiveness of internal control, risk management and internal audit systems.

The Audit Committee reports to the Board of Directors on these aspects.

See Chapter 4 – Corporate governance for a detailed description of the tasks of the Board of Directors and the Audit Committee.

Senior Management is responsible for deploying the internal control system and overseeing risk mapping. To achieve this, Senior Management relies on the support of the Finance Department and the Audit, Internal Control and Risk Department.

The first line of control is made up of operations that formalise and implement operational processes to ensure control of day-to-day operations and their internal control.

Internal control is an integral part of each operational department’s mission. The management of the operational departments is responsible for checking that the Level 1 procedures and controls are being properly applied by carrying out Level 2 controls, for example via sampling and by implementing application controls and validation circuits. The Management Control function may also be responsible for carrying out Level 2 controls.

Lastly, the functional departments are responsible for defining the guidelines and controls to be applied by all the commercial and industrial entities and for managing the operational risks in their respective areas: for example, the Legal, Quality, Standards, Safety and Working Environment, Cybersecurity, Human Resources, Finance and Insurance Departments. These functional departments may also be called upon to verify that Level 1 rules have been applied correctly through Level 2 control campaigns.

With a view to strengthening its internal control and improving coordination, OVHcloud has set up an Audit, Internal Control and Risk Department, which reports to the Group's Finance Department. This department assists the operational and functional departments in setting up their Level 1 and 2 control systems. The Audit, Internal Control and Risk Department also carries out internal control campaigns based on the operational departments’ self-assessment of whether controls have been applied correctly. The Audit Committee monitors the rollout of the internal control system.

The third line of control is the Audit, Internal Control and Risk Department. On the basis of an annual audit plan, approved by Senior Management and the Audit Committee, audits are carried out in a fully independent manner and are the subject of an audit report which identifies any risks and the action plans needed to mitigate them.

The findings of internal audits are reported to the operational departments, as well as to Senior Management and the Audit Committee for the main findings, in order to provide reasonable assurance on the effectiveness of the internal control and risk management system.

OVHcloud's business model is detailed in the introduction to this Universal Registration Document.

OVHcloud structured its CSR approach during the 2022 financial year. With nearly 2,900 employees and a global industrial and commercial footprint, the Group is fully aware of its responsibility in a world where data have a major impact on private, social and professional lives on an economic, geopolitical, ethical and environmental level. They impact relationships between people and their use reflects a vision of the world and the type of society in which everyone wants to live. Driven by its ambition, “Leading the data revolution for a responsible future”, OVHcloud’s mission is to build an open and trusted cloud, enabling businesses and society to make the most of the data revolution while minimising its environmental impacts.

This vision and the related mission are reflected in a CSR policy, which is closely integrated into the Group’s strategy. This policy is based on three pillars of commitment, each of which in turn breaks down into three areas of action:

• ▶Guaranteeing data sovereignty and freedom

OVHcloud is at the heart of the digital revolution, which opens the way to a multitude of opportunities in applications and technology. In this context, the Group offers its customers cloud solutions covering all their uses – supporting them in their digital transformation, enabling them to innovate by building cloud native applications or helping them leverage the power of data. In fulfilling this mission, the Group offers its customers the freedom to build their most ambitious projects, in a secure, compliant and sustainable cloud environment, according to three areas of action:

• •defending data sovereignty, security and privacy;
• •guaranteeing freedom of choice and reversibility;
• •offering predictable and transparent pricing.

• ▶Pioneering the sustainable cloud

At the forefront of the sustainable cloud, since its creation, OVHcloud has integrated sustainability at the heart of its business model, aiming to minimise its environmental impact at every stage. OVHcloud’s environmental action is structured around three priorities:

• •placing innovation at the heart of its industrial model;
• •contributing to global Net Zero by 2030;
• •raising awareness among stakeholders of all the impacts of the cloud, in order to initiate a collective approach to reducing the environmental footprint.

• ▶Driving collective progress of the cloud for the benefit of society

At OVHcloud, everything starts with people. Men and women are the Company's best assets: it is their talent that ensures its success. “Working together” is one of the Group's fundamental values. This collective aspect is extended to its ecosystem, and in the desire to see the European cloud segment progress. This third pillar of commitment breaks down into three areas of action:

• •attracting and developing skills in a collective adventure within a diverse and inclusive Company;
• •collaborating and developing coalitions with stakeholders in the European cloud ecosystem;
• •promoting local anchoring and societal commitment by working on digital inclusion.

To manage its corporate social responsibility (CSR) ambitions, OVHcloud has set up a dedicated governance structure, closely associated with the management of the Group’s overall strategy.

The Board of Directors strives to promote the Company’s long-term value creation by considering the social and environmental challenges of its activities. In connection with the strategy defined, it regularly examines the opportunities and risks such as financial, legal, operational, social and environmental risks, including climate risk, as well as the measures taken as a result. The medium-term CSR priorities and targets were approved by the Board of Directors in 2022. They are monitored by building on the work of its committees.

Established after the Group’s IPO in 2021, the Strategy and CSR Committee has the task of preparing the work and facilitating the decision-making process of the Board of Directors on strategic and CSR issues. In terms of CSR, it is notably responsible for:

• ▶ensuring that matters relating to social and environmental responsibility (such as diversity and non-discrimination policies and compliance and ethics policies) are taken into account in the Group’s strategy and in its implementation;
• ▶reviewing the non-financial performance statement on social and environmental matters provided for in Article L. 22-10-36 of the French Commercial Code (Code de commerce);
• ▶examining the opinions expressed by investors, analysts and other third parties and, if applicable, the potential action plan drawn up by the Company to improve the points raised on social and environmental matters;
• ▶reviewing and assessing the relevance of the Group’s social and environmental commitments and strategic directions on social and environmental matters, in light of the challenges specific to its activity and objectives, and monitoring their implementation.

The Audit Committee ensures the effectiveness of the operational risk monitoring and internal control system, including CSR risks and climate change risk, as well as the review and monitoring of the systems and procedures in place to ensure the dissemination and the application of policies and rules of best practice in terms of ethics, competition, fraud and corruption and, more generally, compliance with regulations in force.

Lastly, the Appointments, Compensation and Governance Committee is responsible, among other duties, for the annual review of the Board of Directors’ diversity policy as well as monitoring the gender parity rate, age and diversity of skills.

The role and work of the Board of Directors and its committees are presented in Sections 4.1.5 and 4.1.6 of this Universal Registration Document.

The Strategy and CSR Department, which reports to the Chief Executive Officer, is responsible for the implementation of the Group’s major strategic directions, which it helps to define, as well as for the development and coordination of the CSR policy, with the aim of engaging the Company in a process of continuous improvement, of enhancing its commitments and of measuring the effects of the CSR programme. The Strategy and CSR Department reports to the Executive Committee on a regular basis on the progress of the CSR programme, its main initiatives and their updates.

The CSR programme commitments are drawn up and monitored by the CSR Steering Committee. Coordinated by the Strategy and CSR Department, it is composed of a central CSR team and operational department representatives involved in the implementation of the CSR action plan. The Committee meets weekly to define, monitor and adjust CSR action plans.

OVHcloud developed a Group risk map in 2020, which has been reviewed and updated twice: first in 2022 and again in 2023 (see Chapter 2 of this Universal Registration Document for a description of the Group's risk factors). In addition, the Group created its first materiality matrix in 2022, focusing on CSR issues.

In 2022, OVHcloud put together its first materiality matrix by interviewing its external and internal stakeholders, in order to determine the Group's most material CSR issues, i.e., those that have or could have an impact on the Group’s ability to create or protect financial and non-financial value for itself and its stakeholders.

This exercise was carried out in four stages: identification of potential CSR issues, confrontation of these issues with external and internal stakeholders, consolidation of the results and the main lessons learned from the analysis of these results.

OVHcloud has defined a list of 24 potential CSR issues, subdivided into three categories: environment, business conduct and social/societal.

OVHcloud addressed this list of potential issues with its internal and external stakeholders during interviews, conducted in particular with its customers, suppliers, investors, representatives of its ecosystem (associations, NGOs, partners, etc.) as well as the Group's directors and managers, including the Executive Committee, in order to collect their point of view and expectations regarding each of the issues. The interviews were conducted by OVHcloud's teams, with the exception of investors, who were consulted through a perception study carried out by an external service provider. OVHcloud also consulted its employees (excluding the Executive Committee and other managers) through an online survey.

An interview guide has been drawn up to guide the various interviews. This guide was used as the basis for the online survey tool.

The main question concerned the rating of the issues according to the level of expectation for each of them, according to the following grid:

• ▶0: no expectation. OVHcloud does not have to particularly commit to this issue;
• ▶1: limited. Issue for which OVHcloud can implement some actions, without integrating them into its strategy;
• ▶2: important. OVHcloud should adopt a policy, targets and an action plan concerning this issue;
• ▶3: priority. This issue must be a major strategic priority for OVHcloud.

A total of 231 people were consulted, including:

• ▶management (shown on the horizontal axis of the matrix):
  • •the Chairman of the Board of Directors,
  • •18 management representatives including the Chief Executive Officer and the entire Executive Committee as well as the main regional managers;
• ▶stakeholders (represented on the vertical axis of the matrix):
  • •34 external stakeholder representatives: customers, suppliers, public authorities, investors, members of the OVHcloud ecosystem (associations, partners, NGOs, etc.);
  • •178 employees surveyed.

The voice of the public authorities was expressed by the person responsible for public affairs at OVHcloud.

For investors, the rating was carried out by transposing the 2022 “ESG Investors” perception study carried out by an external service provider to a similar rating grid and a slightly more limited list of issues.

The analysis of quantitative and qualitative data was carried out with the support of a CSR consulting firm, according to the following methodology:

• 1 .consolidation of results: for internal and external stakeholders, the average rating of the issues was established on the basis of an equal weighting of the results within each stakeholder category, then between the categories. For management, the ratings assigned by the Chairman and the Chief Executive Officer were given more weight than the responses of management representatives;
• 2 .formalisation of the matrix: the ratings thus obtained made it possible to place each issue on the horizontal axis (average allocated by management) and on the vertical axis (average allocated by internal and external stakeholders);
• 3 .analysis of the results: the key lessons are drawn from the compilation of the analysis (correlations, dispersions, ranking of issues, comparison according to stakeholders) of the results.

* For the detailed wording of the issues, see the table in the section on identifying issues on page 60.

• ▶Overall, internal and external stakeholders are aligned on the most material issues, particularly those related to the Group’s core business, a sign of a good understanding between OVHcloud and its ecosystem. These are issues relating to data sovereignty, low-carbon trajectory, efficient energy management, cybersecurity and data protection, environmental labelling and carbon transparency, and securing strategic supplies.
• ▶Three major issues stand out in particular, consistent with the Group’s vision and strategic directions:
  • •data sovereignty;
  • •low-carbon trajectory;
  • •efficient energy management.
• ▶Important issues are also aligned on more generic but fundamental issues for the Company's operation such as a responsible supply chain, eco-design, business ethics, responsible water management, attraction and retention of talent, reliability and customer trust, health, safety at work and employee well-being, diversity and inclusion, innovation and R&D for Green IT.
• ▶Regarding deviations (which remain limited), we note that management places particular importance on the attraction of talent and customer trust, whereas stakeholders have strong expectations concerning continuity of service – in terms of cybersecurity and resilience to climate change – and environmental labelling.
• ▶OVHcloud is clearly recognised for issues relating to the differentiation of its offering, linked to its value proposition: price transparency, eco-design, a responsible approach to resource management and, above all, data sovereignty. Nevertheless, expectations are very high regarding these issues, which rank among the most material.
• ▶When asked about the issues on which OVHcloud needs to progress, stakeholders were generally less vocal than management. The most frequently mentioned issues were cybersecurity and data protection, environmental labelling, diversity and inclusion, talent attraction and retention and contribution to the digital transition and digital accessibility.

• ▶Interactions with the Group's various stakeholders during the 2023 financial year confirm the main conclusions drawn from the analysis carried out in 2022.

Leading European cloud services provider, OVHcloud, is at the heart of the digital revolution, which opens the way to a multitude of opportunities in terms of applications and technology. In this context, the Group offers its customers cloud solutions covering all their uses – supporting them in their digital transformation, enabling them to innovate by building cloud native applications or helping them leverage the power of data. In fulfilling this mission, the Group offers its customers the freedom to build their most ambitious projects in a secure, compliant and sustainable cloud environment. For OVHcloud, everyone must be able to control their data and be guaranteed that they are secure. Free choice and openness in terms of services and innovation are the foundation of the relationship of trust established with its customers and partners. This also involves a range of services offering the best price-performance ratio and transparent and predictable rates.

OVHcloud’s activities focus on the computing capacity, storage, processing and transfer of its customers’ data, including personal data, as well as business-critical data. Data sovereignty, security and confidentiality form the basis of the Group’s value proposition and the foundation of the relationship of trust that unites it with its customers. OVHcloud ensures the highest level of data protection. This level of excellence is supported by an effective data governance system. The Group is also campaigning for a European cloud, guaranteeing the technological independence of Europe and the sovereignty of its data.

OVHcloud implements security measures at all its datacenters and processes to protect its customers worldwide.

OVHcloud considers cybersecurity to be a pillar of its development strategy. The Group's ability to protect its customers' data and processing workloads is a key factor in the trust they place in the Group. The Information Systems Security Policy (ISSP(1)) provides the cybersecurity reference framework for OVHcloud. It describes the context in which it was set up and its three basic principles:

• ▶deployment of a large-scale, industrial approach to security. Security is an integral part of the product development cycle. The security team is constantly involved in deciding what security measures to adopt to prevent and mitigate risks. This approach is based on standardised security measures, architectures that are secure from the outset, and formal, tried-and-tested, highly automated processes. The standardised security measures are supplemented by additional measures in consideration of the specific features of each project. Lastly, OVHcloud operates a permanent threat analysis system based on the continuous system monitoring, enabling it to systematically adapt its operational practices to immediate risks and to respond effectively to security incidents;
• ▶positioning of OVHcloud as a trusted player within the ecosystem. As a global cloud provider, OVHcloud has a major responsibility in the fight against security threats. The Group deploys large-scale protection tools and automates the protection of its customers' systems against these threats. OVHcloud's security team and technical experts maintain strong operational relationships with security expert communities, authorities, software publishers and hardware manufacturers. This enables the Group to anticipate new threats and vulnerabilities, and mitigate the related risks. In addition, OVHcloud shares its innovations and knowledge with the security community and promotes responsible disclosure. Lastly, the Group's security systems are regularly assessed by trusted third parties on the basis of recognised audit standards;
• ▶operating a trusted cloud for all. OVHcloud offers its solutions to all types of customer across all industries: start-ups, SMEs, large companies, public authorities and multinational companies. Every OVHcloud customer has its own approach to security, depending on its business sector and/or sovereignty requirements. OVHcloud ensures the security of the services provided and the underlying infrastructure, and offers its customers a high level of transparency regarding the accompanying security measures. OVHcloud is also committed to personal data protection, as a controller for its customers' data and as a personal data processor in cases where its customers are themselves data controllers. The information systems security policy supports this commitment by defining, implementing and improving security measures to protect hosted personal data.

Security management is organised based on internationally recognised standards that highlight these principles. The Group has obtained numerous national (SecNumCloud by ANSSI, Agid, ENS, C5)(2) and international (ISO 27001, ISO 27701, PCI DSS, SOC 2 type 2) certifications and certifications specific to certain segments (HDS, HIPAA and HITECH for health, EBA and ACPR PSEE for financial services), which meet the highest French, European and international data protection standards.

In addition, OVHcloud has internal procedures for information systems security and constantly raises its employees’ awareness of the risk of computer attacks, in particular by carrying out cyber attack simulations. The Group organises up to three campaigns per week, built from sophisticated scenarios inspired by real cases, tested on randomly targeted populations. Several indicators are observed, including the percentage of employees tested, the reporting rate and the compromise rate (percentage of employees on whom the phishing worked) and conversely, the success rate of simulation campaigns. It is the latter indicator that constitutes the benchmark performance indicator. In 2023, the success rate of cyber attack simulation campaigns was 89%, which is stable compared to the previous two years, despite simulation campaigns having become more sophisticated.

As the cloud relies on physical infrastructures, data security also involves securing OVHcloud’s sites, with particular attention paid to its datacenters, which house the servers on which the data are stored or transferred. These sites are particularly important to ensure the continuity of customers’ business. OVHcloud therefore implements a large number of measures to protect its sites, including:

• ▶security and 24/7 surveillance;
• ▶an anti-intrusion system;
• ▶strict access control;
• ▶regular contact with the authorities.

On the night of 9 to 10 March 2021, a fire broke out in one of the four OVHcloud datacenters in Strasbourg, France. The incident is detailed in Chapter 2 – Risk factors and internal control of this Universal Registration Document. The forensic appraisers' investigation was extended until 30 August 2024 and is still ongoing to date.

Following the fire, OVHcloud set up a Hyper Resilience plan, aimed, in particular, at taking safety standards beyond regulatory standards and insurers’ recommendations.

The inauguration of the new datacenter in Strasbourg, SBG5, in September 2022, demonstrated the first concrete results of the Hyper Resilience plan. The result of a €30 million investment launched in April 2021, the site is the first of a new generation of hyper-resilient and more sustainable datacenters. Covering an area of 1,700 sq.m., SBG5 has a total of 19 isolated rooms with masonry that compartmentalises the different segments in order to provide two hours of fire resistance.

Press release: https://corporate.ovhcloud.com/en-gb/newsroom/news/SBG5-opening/

In accordance with its commitments, the Group has launched a new datacenter dedicated to raw data backups (snapshots) and remotely situated from service operating sites. Initially deployed for French customers, the Group plans to roll out this service more generally in order to extend it to all its solutions and locations.

OVHcloud processes a very large amount of personal data every day, both on behalf of its customers, through its Cloud products and services, and on its own behalf.

OVHcloud's top priorities are data security, the transparent and proportionate use of the Group's customer information, and the protection of customer data from foreign laws with extraterritorial application.

OVHcloud has adopted a personal data processing policy that complies with the strictest regulations and applies to all its entities and employees. The policy guarantees customers that their data are secure and ensures compliance with the GDPR and all applicable national legislation, such as the UK Data Protection Act, the Australian Data Protection Act and Quebec's Law 25. It is implemented under the supervision of the Data Protection Officer (DPO), whose role is described in Chapter 2 of this Universal Registration Document.

• ▶Data governance

The following data protection committees and workshops are held on a regular basis to ensure compliance with applicable laws and to monitor any measures these laws may require:

• •Strategic Data Committee, which is attended by members of the Group's Executive Committee and whose purpose is to define and ensure the implementation of a coherent data processing strategy within OVHcloud (monthly meetings);
• •Internal Project Review Committee, whose purpose is to review project relevance and compliance with the principle of privacy by design by taking into account technical, IT security and personal data processing requirements (21 meetings during the 2023 financial year);
• •ad hoc committees to manage projects involving new tools or services for customers;
• •monthly monitoring committees between the DPO and key data protection players, such as the Chief Information Systems Officer (CISO), Customer Service staff and representatives of the Information Systems Department.

• ▶Team training and awareness-raising

Group employees are given mandatory training in data protection as soon as they join OVHcloud, regardless of the Group subsidiary for which they work.

The training takes place in two stages: (i) during induction week, attended by all new employees, including members of the Executive Committee, and (ii) through the compulsory e-learning programme accessible via the Group's e-learning platform.

• ▶Compliance documentation and procedures

OVHcloud documents compliance through its data processing records and impact assessments.

To facilitate the management of this documentation, OVHcloud has invested in a data governance tool that centralises all key data protection information.

In addition, OVHcloud has a set of procedures designed to ensure compliance with data protection principles. These include:

• •a policy for handling requests to exercise rights (see below);
• •a personal data storage policy;
• •a policy for managing security incidents (data breaches);
• •a policy for managing data retrieval requests;
• •a policy for managing authorisations to travel with OVHcloud equipment outside the European Union (see below).

• ▶Rights of data subjects

OVHcloud has made an online form available on its website to enable data subjects to exercise their rights. The form ensures that requests are traceable and receive a response within the appropriate time frame.

Requests are handled by a dedicated five-person team within the Group customer service division, who respond to such requests on a daily basis.

• ▶Data breaches

Data security is central to OVHcloud's business. The Group has put in place a series of measures designed to prevent data breaches (see above).

In addition, the DPO's and CISO's teams work closely together to ensure that IT incidents are properly addressed and to prevent any personal data breaches.

OVHcloud also keeps records of data incidents and breaches in accordance with the GDPR and local legislation such as Quebec's Law 25.

• ▶Protection against foreign interference

OVHcloud implements technical and organisational measures to protect data hosted by its European customers within the European Union against interference from non-European authorities. From a technical perspective, neither the infrastructure hosting this data nor any personal data relating to customers can be accessed by OVHcloud entities or third-party partners located in third countries that do not guarantee the same level of data protection as the European Union.

For this reason, the Group's US entities are not involved in the services provided to OVHcloud's European customers and do not have the technical ability to access the data these customers host in OVHcloud's European datacenters. As a result, the US entities have no control over the data stored in these datacenters and cannot comply with data requests from the US authorities.

Only entities located within the European Union or in countries whose level of protection has been the subject of an adequacy decision by the European Commission, in particular Canada, may, under the terms of service in force, take part in the provision of services to OVHcloud's European customers and perform technical work on the infrastructure hosting these customers' data.

Data sovereignty refers to the ability of a public or private organisation to maintain control of its data and the data entrusted to it by its customers. Depending on the organisations concerned, this issue intersects two needs:

• ▶on the one hand, the need to control the organisation's strategic data (trade secrets, raw data on the functioning of its business, intellectual property, data on its research projects, etc.) and
• ▶on the other hand, protecting the personal data of employees or customers and thus restoring the trust of people in the digital services that will process the data concerning them.

Technological sovereignty refers to the ability of a country such as France or an area such as the European Union to master strategic technologies, therefore guaranteeing their autonomy. This dimension specifically questions the public policies put in place in France or by the European Union to control (or regain control) of the strategic components of its sovereignty, from end to end. Hardware (electronic components, ability to manufacture servers in the EU), and also software (operating systems, software in the fields of cybersecurity, artificial intelligence and quantum computing) then need to be taken into account.

Ethical data processing has always been at the heart of OVHcloud's business model. It involves processing users' data in such a way as to guarantee privacy, and is demonstrated through four commitments:

In order to carry out these various projects and commitments, OVHcloud has set up several bodies enabling federated data governance:

• ▶the Data Governance Committee brings together data managers who implement processes and practices guaranteeing federated governance;
• ▶the Data Coordination Committee guarantees strict control of the quality of the data and its consistency by reinforcing ISO 27001 and ISO 27701 standards;
• ▶the Sovereignty working group brings together various OVHcloud players to protect customer data from international players.

OVHcloud defends a European open cloud model, which guarantees the protection of the data of citizens and organisations and which ensures Europe’s digital sovereignty, a key component of the continent's strategic independence. To this end, OVHcloud shares its vision and proposals with political and institutional participants in public decision-making, either directly with these players or in conjunction with representative associations, through its ecosystem of partners or as part of public events.

OVHcloud intends to fully assume its role as the European cloud leader. Spearheading initiatives on a French, European and international scale, the Group is proactively campaigning for the development of an ecosystem of European cloud providers capable of meeting the needs of users.

Digital sovereignty and a level playing field in the European cloud market are fundamental to guaranteeing freedom of choice for cloud service users. OVHcloud works on several fronts to raise awareness of the issues surrounding data processing – and the importance for organisations of controlling their most sensitive data – and cloud interoperability, for example. Its initiatives include participation in trade fairs, round tables, debates, keynotes and discussions with representatives of national, European and international institutions, as well as the organisation of ad hoc events.

The Group also spreads its vision through responses to public consultations, contributions to white papers and the publication of brochures, infographics, opinion pieces and other documents. For example, during the 2023 financial year, OVHcloud responded to 12 public consultations, including one by the French National Health Agency (Agence Nationale de Santé – ANS) – which saw the Group make proposals on changes to the health data hosting framework, published on the public consultation website – and another by the UK Office of Communications(4) on the competitive situation in the cloud market. It also co-signed an opinion piece(5) calling for a level playing field in the cloud market, as part of debates in France on the bill to secure and regulate the digital environment.

The European cloud model championed by the Group implies a European vision of personal data protection, and consequently a commitment at the level of the ecosystem, on both a European and a national scale.

• ▶Creation of the Trusted Tech Strategic Sector Committee(6)

In October 2022, the Chief Executive Officer of OVHcloud was tasked by the French government with structuring and consolidating the French trusted tech sector, in which the cloud plays a central role.

• ▶Founding member of Gaia-X

OVHcloud participated in the creation of Gaia-X(7), a European initiative launched in 2020 whose objective is to build a federated, open, secure and transparent digital ecosystem. It aims to enable users to benefit from cloud services that meet their needs, both technically and legally, and offer them appropriate guarantees, in particular in terms of data protection, interoperability, security or immunity to extraterritorial laws. As part of Gaia-X, OVHcloud is promoting the introduction of a label for cloud services guaranteeing users an appropriate level of data protection. In 2023, OVHcloud was re-elected to Gaia-X's Board of Directors.

• ▶Founding member of the European Alliance for Industrial Data, Edge and Cloud

OVHcloud is also a founding member of the European Alliance for Industrial Data, Edge and Cloud(8), an initiative launched by the European Commission, which mobilises over 50 European industrial players to strengthen Europe’s ability to develop its own cloud and edge technology, taking into account the challenges of sovereignty and sustainable development. During the 2023 financial year, OVHcloud took part in the Alliance's first and second general meetings. Within this framework, OVHcloud contributed to the development of the industrial roadmap(9) of the Edge-Cloud working group, which aims to identify investment priorities to strengthen the competitiveness of the European ecosystem.

Building on all these commitments, the Group, alongside its ecosystem, supports legislative projects and initiatives that are able to support European digital sovereignty and the establishment of a level playing field for the European cloud market, such as the Digital Markets Act (DMA), the Data Act and the development of a European cybersecurity scheme for the certification of cloud services, known as EUCS. The Group also backs ongoing investigations worldwide into restrictive practices in the cloud market, as recently identified by the French Competition Authority and many other countries including the Netherlands, Japan and South Korea.

At the forefront of the sustainable cloud, since its creation, OVHcloud has integrated sustainability at the heart of its business model by developing industrial innovations to limit its environmental impact. The Group has set itself ambitious targets that structure its action.

• ▶contribute to global Net Zero (scopes 1 and 2) by 2025 by following a reduction pathway compatible with global warming of 1.5°C, i.e., balancing carbon emissions and offsetting actions on both direct emissions (scope 1) and certain indirect emissions (scope 2);
• ▶contribute to global Net Zero by 2030, by following a reduction pathway compatible with global warming of 1.5°C, i.e., balancing carbon emissions and offsetting actions across all scopes (1, 2 and 3);
• ▶use 100% low-carbon energy by 2025*;
• ▶zero waste to landfill from production centres by 2025**.

* Revised in 2022, replacing the target of using 100% renewable energies in 2025, given the current energy mix which already favours the use of low-carbon energy such as nuclear (France).

** On a constant scope basis, i.e., on the basis of the geographical scope of the 2022 financial year, the year in which the CSR approach was structured.

OVHcloud’s environmental action is structured around three pillars:

• ▶innovation, at the heart of its industrial model;
• ▶the contribution to achieving global Net Zero by 2030;
• ▶communication and awareness-raising on all the impacts of the cloud, in order to guide consumption choices.

At OVHcloud, everything starts with people. Men and women are the Company's best assets: it is their talent that ensures its success. “Working together” is one of the Group's fundamental values. This collective aspect is extended to its ecosystem, and in the desire to see the European cloud segment progress. Aware of its impact and its responsibility, OVHcloud intends to make digital technology a driver for socio-economic development.

During the 2023 financial year, competition for talent continued despite a less favourable macroeconomic environment. In this context, attracting and developing new skills remains a strategic priority for OVHcloud. The Group recruited 523 people, resulting in a net increase in headcount of over 3% in the 2023 financial year and over 18% in the last two financial years.

In addition to recruitment, talent retention is a second key issue in order to capitalise on knowledge and enable the overall skills development of the teams. The benchmark performance indicator for monitoring talent retention is the loyalty rate, which measures the rate of employees present in the Group one year after their arrival. This rate was maintained at 79% in 2023, close to the Group's target of 80%.

The Group also monitors the rate of voluntary departures, which measures staff turnover. In 2023, the staff turnover rate was 10%, in line with OVHcloud's objective of maintaining a voluntary departure rate of 15% or less, and an improvement of 4 points compared with 2022. In addition, the average length of service for voluntary departures stabilised at 3.6 years in the 2023 financial year.

Lastly, OVHcloud regularly measures the level of engagement of its employees based on the results of internal surveys conducted each year via a survey software (Peakon). The engagement scores for the 2023 financial year were 7.7 in the December survey and 7.2 in the June survey, representing an average of 7.45 for the year as a whole. The participation rates were 84% and 87%, respectively, further testifying to the level of employee implication. The employee engagement score is a key performance indicator that was included in the annual variable compensation of executive corporate officers (for 15%) and members of the Executive Committee (for 9%) in 2023.

OVHcloud is distinguished by its flagship commitments, particularly in support of data sovereignty, and by a strong corporate culture, backed by common values that guide each of the Group’s actions:

• ▶Trust: trust commits OVHcloud to its ecosystem and enables its employees to express their talent.
• ▶Working together: OVHcloud has a profound belief that individual success only serves collective success. The collective dimension is essential for exploring and building the cloud of tomorrow and to achieve this, each person is important and makes a contribution at their own level.
• ▶Passion: the passion for technology and adventure is essential at OVHcloud, it promotes innovation and surpassing oneself.
• ▶Disruption: OVHcloud is constantly seeking to simplify its processes and organisations in order to be more efficient and reduce costs. Thinking differently is encouraged by the Group to create ever more value for customers and the ecosystem.
• ▶Responsibility: OVHcloud takes its responsibilities seriously. The Group is aware that each innovation can be positive or negative depending on how it is used.

The OVHcloud employer brand is the core of its employee value proposition and aims to attract and retain talent.

The OVHcloud employer brand is built around four pillars that echo the Group’s values:

• 1 .“At OVHcloud, everything starts with people”: people are at the heart of the Group’s DNA, which is why OVHcloud has developed services and benefits to improve the quality of life at work for all. From concierge services to company daycare, from contracted remote working to collaborative spaces, everything is done to ensure that everyone finds their place, at their own pace and in accordance with their values.
• 2 .“Innovate in total freedom”: an OVHcloud expert is one who has acquired cutting-edge skills while maintaining the desire to explore, break new ground and innovate. OVHcloud recruits passionate and exciting people who want to do and share. Designing the cloud of tomorrow is a question of disruption. To this end, the Group needs everyone's input.
• 3 .“Growing and fulfilling”: moving in step with technology and thinking outside the box is what characterises OVHcloud. Change position or profession, there is no ready-made trajectory at OVHcloud. The aim is to offer everyone the opportunity to take an interest in a new field, to extend their skills and think about their new expertise through the prism of their experience.
• 4 .“Building the world of tomorrow together”: as a major cloud player, the Group believes we all have a role to play in the industrial transformation of the sector, and more broadly in the changes impacting our world. Providing an open, sustainable and people-centric cloud means working hand in hand for collective progress.

The new Career site, the first version of which was uploaded in 2022 with a new version planned for 2024, showcases and promotes the OVHcloud employer brand. During the 2023 financial year, the Group took part in around 40 employer brand events as well as school events and employment forums.

Aware of the importance of cultivating its human capital, OVHcloud trained 68% of its workforce in 2023. Although the training rate was down on the previous year, it remains close to the Group's structural objective of training at least 70% of its employees each year. More than 1,900 employees attended at least one training course in the 2023 financial year, a volume stable year on year.

The training initiatives rolled out in 2023 focused on business issues (support for sales, customer relations and marketing teams, strengthening of security skills to meet the company's operational challenges), whereas 2022 was marked by a large number of training sessions on product launches and the deployment of internal tools.

OVHcloud aims to be a learning organisation, promoting employee skills development. In keeping with this goal, the Group continues to invest in the following areas in particular, which are considered essential to achieving its strategic ambitions:

• ▶operational excellence, to optimise execution efficiency by developing skills in project management methods, with a strong focus on agility. More than 300 employees have been trained in agility, from awareness of the Safe framework to the roles of product owner and scrum master;
• ▶management, based on an ambitious programme aimed at all managers and tailored to their level of management experience. The aim is to train all new managers, 70% of middle managers and 100% of advanced managers in two years. This programme is accompanied by in-depth work on the OVHcloud leadership model;
• ▶business and technology skills, through various programmes aimed (i) at sales teams, in order to serve OVHcloud's growth objectives and consolidate the customer-oriented culture, and (ii) at technical teams, with a view to developing OVHcloud solutions and strengthening employee expertise. Under this scheme, employees can have their skills certified. Product and technology courses accounted for 39% of all training received in FY2023;
• ▶language courses, to support OVHcloud's international positioning. In FY2023, 15% of all training was in English.

To support its training policy and reinforce its role as a learning organisation, OVHcloud has made a major change to its Learning Management System (LMS) and now has a dedicated skills development solution to speed up the roll-out of training initiatives.

OVHcloud's ambition is also to strengthen its partners' expertise in its solutions through certification training courses available to members of the Partners programme, depending on their partnership level. More than 1,000 certifications were delivered in 2023.

In order to welcome new employees, OVHcloud has also introduced a systematic onboarding week during which they have the opportunity to discover the Group in all its dimensions. It obtained a satisfaction rate of 4.58/5. Using the onboarding tool, the Group has set up 19 different induction programmes based on the profile and location of the new joiner to ensure they have everything they need for a successful integration.

Safety at work is a central priority for OVHcloud and is a key performance indicator of the CSR policy. During the 2023 financial year, the total number of accidents remained relatively stable, reflecting a continued decline in the number of accidents with lost time and an increase in the number of accidents without lost time, which nevertheless remained below the 2021 level. Based on a slight increase in the number of hours worked, the corresponding accident frequency rates, with and without lost time, show an improvement compared with 2022.

In order to promote the prevention of health and safety risks, the Group has defined a policy based on three key targets:

• ▶minimising work-related accidents;
• ▶complying with legal health, safety and environment (HSE) requirements and other requirements applicable in all countries;
• ▶implementing all satisfactory measures to protect the health and physical integrity of the Group’s employees, customers and local communities and protecting the environment.

The measures for implementing this policy are based on the following guiding principles:

• ▶involving the entire management line in the commitment to its health, risk prevention and environment policy;
• ▶empowering all employees to maintain a healthy and safe workplace;
• ▶developing a culture of professionalism, discipline and respect for the rules among all employees;
• ▶ensuring the deployment of the “Be Smart, Be Safe!” Health and Safety Programme.

OVHcloud has defined ten golden rules in terms of safety as part of its #StaySafe approach. The ten golden rules deal with:

• ▶work permits;
• ▶shared vigilance and cooperation;
• ▶the working environment;
• ▶fire prevention and evacuation;
• ▶pedestrian traffic;
• ▶movement of machines;
• ▶personal and collective protective equipment;
• ▶work at a height;
• ▶energy and reporting;
• ▶movements and postures.

The #StaySafe approach is a mindset to be adopted in order to identify and avoid dangers. It follows four steps:

• ▶Survey the work environment and identify hazards;
• ▶Analyse the consequences of hazards and anticipate the necessary individual and/or collective protection measures;
• ▶Foster reliability by implementing prevention measures with the help of the health and safety department, contractors and managers;
• ▶Execute the work once all the safety conditions have been met.

During the 2023 financial year, in order to strengthen its safety culture, the Group continued its efforts to train technical teams. Training of on-site managers was finalised and the training module for all technicians was approved for roll out in 2024. One to three safety champions were also appointed at each site among volunteers, to liaise with the technical teams to improve the safety culture. Lastly, the Group organised internal awareness-raising events such as World Safety Week, which is held each year at all OVHcloud sites and to which all employees and permanent employees are invited. In 2023, World Safety Week took place from 2 to 12 May and focused on a number of topics, with workshops and conferences open to all employees:

• ▶electrical risk;
• ▶movements and postures risk;
• ▶concurrent work risks;
• ▶the risk of cuts;
• ▶psychosocial risks;
• ▶road-related risk.

OVHcloud is committed to employee health, with a focus on prevention:

• ▶since 2016, the Roubaix site has had a dedicated medical centre with various health professionals (an osteopath, dietitian, physiotherapist, optician, etc.) available to employees;
• ▶awareness-raising conferences led by health specialists and open to all employees are regularly organised on various subjects. For example, as part of Pink October, breast cancer prevention month, a breast and cervical cancer awareness conference was held;
• ▶following on from the RPS programme resulting from the psychosocial risk survey carried out in 2019, OVHcloud launched a new RPS diagnostic programme which will take place over the first half of the 2024 financial year. Building on what was achieved during the previous campaign, the Group wants to go further by adopting a business approach to estimate the six psychosocial risks. The aim is twofold: to identify the psychosocial risks faced by employees and to define and roll out preventive measures to mitigate them. The first evaluation phase began in September 2023, based on the scientifically-approved online COpenhagen PsychoSOcial Questionnaire (COPSOQ) administered by an external expert. This was followed by workshops with employees to identify the jobs (grouped into work units) most at risk, and then with managers and relevant HR partners to define preventive measures to mitigate the risks.

The Group also implements different measures:

• ▶medical teleconsultation with Angel in France and Dialogue in Canada;
• ▶initiatives to promote regular sports activities (gyms, activities for coaches, support for sports assessments);
• ▶psychological, social and legal assistance with Qualisocial and Dialogue in Canada.

To promote quality of life at work, OVHcloud actively offers parenthood initiatives. The Group provides support to parents by helping them find crèches and leisure centres. In addition to the crèche located at the company's premises in Roubaix for the past decade, OVHcloud has entered into a nationwide partnership with Babilou. A portal providing parenthood support has also been set up for employees, offering experience-sharing, conferences and parenting services. Lastly, the Group held five parenting workshops for its employees in 2022, covering the following topics: managing emotions in children and teenagers, self-confidence, authoritative parenting and parenting styles, early childhood, stress and the mental load. During the 2023 financial year, four workshops were held on children (and adults) with special needs: high intellectual potential (HIP), sensory processing sensitivity, attention deficit disorder, autism spectrum disorder and learning difficulties.

The Group has received several awards in recognition of its efforts in recent years:

• ▶the Compensation & Benefits Trophy awarded by the ORAS(15) club in December 2021 for the Group's employee well-being programme;
• ▶seventh place ranking among the best High-Tech employers in France according to Capital magazine;
• ▶the gold prize at the Human Capital Leaders' Victories on the quality of work life theme in May 2022;
• ▶the Wellbeing Leader Certificate from the Polish Wellbeing Institute in 2021 and 2022, also in recognition of the Group's quality of life at work policy.

Further recognition received during the 2023 financial year included:

• ▶for the third consecutive year, the HappyIndex®Trainees & HappyIndex®Trainees Alternance 2022-2023 label, which rewards companies that take care of their interns and apprentices;
• ▶in France, a Silver Victory award from Human Capital Leaders' Victories in November 2022, in recognition of OVHcloud's C&B policy;
• ▶in Germany, recognition as Top Company 2023 by Kununu for the second year running.

Convinced that everyone has a role to play in facing the biggest societal challenges of our time, OVHcloud wishes to support its employees in their life journey, so that everyone can grow and develop in a caring environment. In the same spirit, the Group is committed to combating all forms of discrimination and harassment by applying a zero-tolerance policy. OVHcloud provides a working environment that values differences, allowing everyone to fully express their talents. In 2023, OVHcloud structured its diversity and inclusion policy around various major events covering subjects such as neurodiversity, multiculturalism in the workplace, stereotypes and prejudice, racism, sexism and ageism.

• ▶Diversity and collective intelligence are key drivers for innovating and achieving excellence. Globalisation of the teams is one component. In 2023, more than 60 nationalities were represented within the Group. The proportion of women in teams, which is a major issue for tech businesses, is a key priority and a performance indicator for the Group’s CSR policy. A gender equality action plan is drawn up and reviewed regularly with employee representatives in France. The plan addresses the issues of recruitment, professional development, compensation and work-life balance. In recent years, the proportion of women in the Group’s workforce has steadily increased. In 2023, the proportion of women in the total workforce increased by one point to reach 22%. The proportion of women in management improved by three points to 23%. The rate also improved for the Executive Committee during the 2023 financial year, reaching 36%. Within OVHcloud, an independent group initiative called "Women at OVHcloud" was launched during the 2023 financial year, supplementing the Company's actions in this area. A first lever for action concerns the low proportion of female students in the digital sector (less than 20%). The group is working to promote scientific subjects among female secondary school students, complementing the Group's initiatives in higher education in the digital sector. The second lever aims to build an internal network to facilitate the exchange of information and best practices.
• ▶Facilitating access to employment for people with disabilities is a second important area of initiatives to promote diversity and inclusion. Among the actions implemented, the Group called on ergonomists and occupational therapists to adapt and set up workstations for people with disabilities, allocated service employment vouchers worth €350 per year to workers with disabilities and published its job offers on the AGEFIPH website(16). In 2023, OVHcloud strengthened its collaboration with the association "Le Mouton à 5 pattes" by rolling out support systems for managers and career paths for atypical employees. To measure its level of progress compared to the requirements of the RGAA digital accessibility decree(17), OVHcloud carried out audits on two commercial sites and two production sites.
• ▶Several events to raise the awareness of internal teams on diversity and inclusion issues were organised during the year, Notably, June 2023 was an opportunity to raise awareness on topics such as the inclusion of LGBTQIA+(18) people in collaboration with the Pride in London association and to remind all employees that OVHcloud guarantees the right to respect the sexual orientations and identities of its employees and equal access to the rights and benefits granted by the Company in the context of marital status and parenthood. Awareness-raising sessions on women's rights were also organised, including a tribute to sociologist Sandrine Meyfret in May 2023.

In 2022, in collaboration with Gloria, a company specialising in the challenges of diversity and inclusion in the workplace, OVHcloud carried out an audit of its communication and practices, including recruitment, in order to detect any bias or discriminatory practices. This approach was accompanied by training on diversity in general, with a focus on unconscious bias for recruiters. In 2023, the Group opened this programme to all employees.

OVHcloud attaches great importance to social dialogue, a guarantee of involvement and collective performance, and maintains high-quality relationships with its employees and their representatives.

In France, employee representation is organised within an economic and social unit (unité économique et sociale). The current Social and Economic Committee (SEC) members were elected in 2019. As their term of office is due to expire, professional elections will be held at the end of the 2023 calendar year. In addition, three union section representatives were appointed in 2023.

A Corporate Advisory Commission has also been set up in Tunisia. Professional elections will be held when the terms of office of the current members expire in April 2024. With regard to employee representation on management bodies, two directors representing employees were appointed to the Board of Directors in 2022.

For OVHcloud, “working together” also means involving employees as much as possible in Company’s results. On the occasion of its IPO on Euronext Paris on 15 October 2021, the Group set up its first collective employee shareholding plan, open to more than 2,000 employees in France and abroad. 97.8% of eligible employees at that date became shareholders of OVHcloud (77.6% having invested voluntarily). In 2021, the Group was awarded the FAS Grand Prize(19), which showcases companies that develop the best practices in employee share ownership.

In 2022, the Group allowed all its employees to invest all or part of their share of the proceeds of the incentive plan in OVHcloud shares (via the FCPE mutual fund or directly depending on the country) and to benefit from a matching contribution from the Group, without increasing its capital. In all, 70% of eligible employees decided to take up this option (over 81% in France and over 41% internationally).

In 2023, 0.65% of the share capital was held by employees through the FCPE mutual fund.

In France, a mandatory profit-sharing agreement (accord de participation) applies at the level of the social and economic unit, which provides for the distribution between eligible employees of a share of the profit of such companies, parties to the social and economic unit, calculated based on the statutory formula. The profit share is distributed on a pro rata basis according to the employee's effective presence during the period.

An incentive agreement was signed with the Social and Economic Committee in 2022, applicable until 2024. It concerns all employees at the global level with at least three months of seniority. The performance indicators used to calculate the share of profits attributable to eligible employees include, as in the previous plan, indicators relating to adjusted EBITDA and revenue growth, to which two CSR criteria are added: energy efficiency (via PUE or power usage effectiveness) and employee retention.

An amendment to this agreement was signed in 2023, making the indicators independent of each other and adjusting the allocation key used to differentiate between beneficiaries. Under the plan, profit is distributed on a pro rata basis according to the share of the country's payroll in the Group total; at the country level, profit is now distributed exclusively on a pro rata basis according to each employee's effective presence during the financial year.

In France, the social and economic unit provides:

• ▶a Group Savings Plan (plan d’épargne groupe), which allows eligible employees to invest their savings, including payments under the profit-sharing agreement and the global incentive plan, in diversified investment funds and to benefit from certain social and tax advantages in exchange for a lock-up period, generally of five years;
• ▶a Time Savings Account (compte épargne-temps – CET), which allows eligible employees to save unused rest days (certain holidays, RTT, etc.) or part of their thirteenth month converted into days. They can then take these days at any time, ask to be paid for them or transfer them to another scheme to prepare for their retirement;
• ▶a Group Retirement Savings Plan (plan d'épargne retraite collectif – PERCO) which allows eligible employees to invest the payments under the profit-sharing agreement and the global incentive plan in diversified investment funds for their retirement. This scheme allows employees to benefit from certain social and tax advantages as consideration for a lock-up period until retirement. It is also a way for employees to prepare for their retirement by making voluntary payments or by transferring days from their CET to the PERCO (up to ten days per year). This transfer is then matched by their employer.
•  

The Taxonomy Regulation is a key element of the European Commission’s action plan aimed at redirecting capital flows towards a more sustainable economy. It represents an important step towards achieving carbon neutrality by 2050, in line with the EU’s objectives, as the Taxonomy is a classification system for environmentally sustainable economic activities.

The section below presents, as a non-financial parent company, the share of the Group’s revenue (turnover), capital expenditure (capex) and operating expenses (opex) for the 2023 financial year, associated with economic activities eligible for the Taxonomy and linked to the first two environmental targets (mitigation of climate change and adaptation to climate change), in accordance with Article 8 of the Taxonomy Regulation and Article 10 (2) of the Delegated Act supplementing Article 8 of the Taxonomy Regulation.

On the basis of the analyses carried out, a significant portion of the Group's activities is eligible for the Taxonomy under Activity 8.1. – Data processing, hosting and related activities described in Annex I of the Delegated Act on the climate change mitigation target.

The eligible shares of the three financial indicators required by the text – revenue, capex and opex – are presented below on the basis of consolidated IFRS data for the financial year ended 31 August 2023.

The term “economic activity eligible for the Taxonomy” refers to any economic activity described in the delegated acts supplementing the Taxonomy Regulation (currently the Delegated Act relating to the climate aspect of the Taxonomy), whether or not it meets some or all of the technical review criteria set out in these delegated acts.

The Group’s eligible economic activities have been analysed on the basis of OVHcloud’s service offerings (as detailed in Chapter 1 of this Universal Registration Document) and have been assigned to the following economic activities, in accordance with Annexes I and II of the Delegated Act relating to the climate aspect of the Taxonomy. 

The table below indicates for which environmental target the activities are considered eligible:

A significant portion of the Group’s activities is considered eligible under Activity 8.1. Data processing, hosting and related activities of the climate change mitigation target. Offerings based mainly on services for the provision of storage capacity (“hosting”) meet the description of this activity. The following offerings are therefore considered eligible:

• ▶Private Cloud offerings (Bare Metal Cloud and Hosted Private Cloud) in their entirety, corresponding to offers for the provision of either dedicated physical servers or cloud capacities running on dedicated physical servers (see Section 1.3.1.1 of this Universal Registration Document for more details on the solutions proposed by the Group).
• ▶Public Cloud offerings in their entirety (see Section 1.3.1.2 of this Universal Registration Document for more details on the solutions offered by the Group). The PaaS and SaaS solutions offered by OVHcloud and hosted directly on the Group’s infrastructures are considered eligible insofar as OVHcloud has control over the physical equipment and can act on its energy efficiency.
• ▶“Web Cloud & Other” offerings only for the “Web hosting” and “Services” part, corresponding to the hosting of customer websites on the Group’s physical servers and the assistance necessary for the proper functioning of the equipment and compliance with the Group’s commitments under all of its offerings (see Section 1.3.1.3 of this Universal Registration Document for more details on the solutions proposed by the Group). Offerings or solutions relating to domain names, telephony and connectivity are not considered eligible to date because they are not directly related to the physical servers.

In general, all the solutions offered by OVHcloud, hosted directly on physical servers belonging to the Group or directly controlled by the Group, were deemed eligible for the European Taxonomy under Activity 8.1. of the climate change mitigation target.

Unlike eligibility, which is solely based on the description of the activities, alignment takes into account the substantial contribution criteria, the "do no significant harm" principle and the minimum safeguards.

With regard to Activity 8.1 ‒ Data processing, hosting and related activities, the Group has analysed its alignment with objective 1 ‒ climate change mitigation.

The Group has analysed the three cumulative substantial contribution criteria for Activity 8.1 ‒ Data processing, hosting and related activities with respect to the mitigation objective as follows:

In order to validate the alignment of its datacenters with Activity 8.1 of the climate change mitigation objective, OVHcloud then ensured compliance with the DNSH criteria for all its datacenters meeting the substantial contribution criteria (see details above):

Finally, OVHcloud has ensured that the minimum safeguards have been met. The Group has a set of policies and processes in place to ensure that it meets the Taxonomy requirements in the areas of:

• ▶Human rights and labour law (see Section 3.3.1 – Collectively attracting and developing talent within a diverse and inclusive company, Section 3.3.2.2 – Collaborating with suppliers in a responsible purchasing approach, and Section 3.3.2.3 – Ethics and business conduct)
• ▶Competition (see Section 3.3.2.3 – Ethics and business conduct)
• ▶Corruption (see Section 3.3.2.2 – Collaborating with suppliers in a responsible purchasing approach, and Section 3.3.2.3 – Ethics and business conduct)
• ▶Tax (see Section 2.1.2.4 – Financial risks and Section 3.3.3.2 – Local presence and socio-economic impact)

The Group has put in place procedures for identifying, analysing, monitoring, evaluating and updating all the pillars.

The Group asks its suppliers to sign the supplier code of conduct, which provides that human rights, and in particular the principles set out in the Universal Declaration of Human Rights, must be respected. The Group continues to analyse human rights across its entire value chain.

OVHcloud complies with the provisions of the Sapin II Act of 9 December 2016.

Lastly, the Group has not been convicted for material breaches of any of the various aspects of the minimum safeguards.

The scope considered for the estimation of the three indicators is the Group consolidated scope as defined in Note 5.5. to the 2023 consolidated financial statements presented in Chapter 5 of this Universal Registration Document.

The proportion of economic activities eligible for the Taxonomy in OVHcloud's consolidated revenue was obtained by dividing the share of revenue generated by the sale of services associated with economic activities eligible for the Taxonomy (numerator) by the net revenue (denominator), in each case for the financial year from 1 September 2022 to 31 August 2023.

The denominator of the revenue indicator is based on OVHcloud's consolidated revenue, in accordance with IAS 1.82 (a) (see Note 4.3. to the 2023 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

The numerator of the indicator is defined as the proportion of net revenue generated by services associated with the economic activities eligible for the Taxonomy, as described above in the paragraph “Determination of OVHcloud's economic activities eligible for the European Taxonomy” in this section. This share was estimated on the basis of OVHcloud's management reports including the level of detail necessary for direct reading.

The aligned revenue corresponds to the revenue generated by the datacenters that have been audited by the independent third party and certified as compliant with the Code of Conduct. On the basis of the revenue generated by these datacenters, the Group has applied the allocation key described in the previous section, "Substantial contribution criteria", in order to retain only the revenue generated by watercooled servers.

At 31 August 2023, the proportion of eligible and aligned revenue was 88% and 64%, respectively, as shown in the table below:

The capex indicator is calculated by dividing capex eligible for the Taxonomy (numerator) by total capex (denominator).

Total capex (the denominator) includes acquisitions of property, plant and equipment and intangible assets during the financial year, before depreciation/amortisation and before any remeasurement, including remeasurements resulting from revaluations and impairments excluding changes in fair value. It includes acquisitions of property, plant and equipment (IAS 16), intangible assets (IAS 38), right-of-use assets (IFRS 16) and investment properties (IAS 40), as well as additions resulting from business combinations (see Notes 4.10, 4.11 and 4.23 to the 2023 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

The numerator consists solely of capex related to assets or processes essential to the performance of the economic activities eligible for the Taxonomy [(“category a”)], which represent almost all of the capex for the financial year.

As capex is not currently monitored by service offering in the Group’s reports, a detailed analysis by type of asset was carried out and led to the following capex being considered essential for the execution of eligible economic activities:

• ▶All capex (acquisitions of fixed assets or increases in IFRS 16 rights of use) relating to infrastructures (hardware) and their operation (fibre, network, IP addresses, components, maintenance);
• ▶A portion of capitalised R&D costs estimated as follows:
  • •100% of capitalised R&D costs relating to infrastructure efficiency improvement projects (equipment or software);
  • •a portion of capitalised R&D costs relating to software developments that are used across all Group activities. This share is based on the proportion of revenue eligible for the Taxonomy;
• ▶All changes in scope impacting intangible assets and property, plant and equipment and relating to the acquisition of ForePaaS, reinforcing the eligible offers of OVHcloud under Activity 8.1.;
• ▶A portion of the capex relating to offices estimated according to the portion of eligible revenue.

In order to determine the aligned portion of this eligible capex, the Group has used an allocation key based on the portion of eligible revenue that is Taxonomy-aligned. This allocation key has only been used for eligible capex relating to infrastructures ('hardware') and their operation (fibre, network, IP addresses, components, maintenance), as these investments are correlated with the Group's revenue trends.

As the other eligible capex is not directly correlated with revenue, and as it is impossible to link them precisely to the datacenters that have validated the alignment criteria, the Group considered that this eligible capex was not aligned.

At 31 August 2023, the proportions of eligible and aligned capex stood at 99% and 40%, respectively, as shown in the table below:

The indicator relating to opex is calculated by dividing opex eligible for the Taxonomy (numerator) by total opex (denominator).

Total opex as defined by the Taxonomy refers to non-capitalised costs related to research and development, building renovation measures, short-term leases, maintenance and repairs, and all other direct expenses related to the daily use of property, plant and equipment.

Thus, total opex as defined by the Taxonomy represents approximately 11% of the Group's total opex, compared with 8% the previous year, amounting to €101 million and corresponding to the sum of personnel expenses, operating expenses, depreciation and amortisation and other non-recurring operating expenses (see Notes 4.4, 4.5, 4.6 and 4.7 to the 2023 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

As the Group's opex is monitored by segment but not on a granular level by service offering, allocation keys were used to identify the proportion of economic activities eligible for the Taxonomy in opex:

• ▶Maintenance and repair costs as well as expenses related to non-capitalised leases were allocated on the basis of the eligible revenue share.
• ▶R&D costs were allocated in proportion to the allocation of capitalised R&D costs.

In order to determine the aligned portion of eligible opex, the Group used an allocation key based on the ratio of aligned revenue to eligible revenue, given that R&D and maintenance and repair costs are mainly related to technologies used for datacenter operations.

At 31 August 2023, the proportions of eligible and aligned opex amounted to 88% and 49%, respectively, as shown in the table below:

The non-financial performance statement for 2023, presented in this Universal Registration Document, endeavours to produce the most relevant non-financial information for the Group with regard to its business model, its activities, its major challenges from the materiality matrix and the Group’s main risks. 

Therefore, OVHcloud focused on the issues and risks identified as priorities and excluded the following topics from its scope of analysis:

• ▶combating food waste;
• ▶combating food insecurity;
• ▶respect for animal welfare;
• ▶respect for responsible, fair and sustainable food.

OVHcloud measures the Group’s progress in terms of CSR in the following three areas: Environment, Business Conduct, and Social/Societal. Fifteen indicators, presented in the table below, were selected and audited by the independent third party.

Two indicators relating to the Business Conduct category were added for the 2023 financial year: signature rate for the supplier code of conduct and anti-corruption training validation rate.

Each indicator is described in this methodological note, specifying:

• ▶the method of calculating the indicator;
• ▶the data production process.

A summary table presenting the indicators and their values for the 2021, 2022 and 2023 financial years can be found in the introductory chapter of the non-financial performance statement in the “Materiality analysis and CSR risk assessment” section.

This is a free English translation of the Statutory Auditor's report issued in French and is provided solely for the convenience of English-speaking readers. This report should be read in conjunction with, and construed in accordance with, French law and professional standards applicable in France.

Year ended August 31st 2023

To the annual general meeting,

In our capacity as Statutory Auditor of your company. (hereinafter the “entity”) appointed as independent third party, and accredited by the French Accreditation Committee (COFRAC) under number 3-1884(23), we have undertaken a limited assurance engagement on the historical information (observed or extrapolated) in the consolidated non-financial statement, prepared in accordance with the entity's procedures (hereinafter the "Guidelines"), for the year ended 31st August 2023 (hereinafter, the "Information" and the "Statement" respectively), presented in the Group's management report pursuant to the legal and regulatory provisions of Articles L. 225 102-1, R. 225-105 and R. 225-105-1 of the French Commercial Code (code de commerce).

Based on the procedures we performed as described under the "Nature and scope of procedures" paragraph and the evidence we obtained, nothing has come to our attention that causes us to believe that the Statement is not prepared in accordance with the applicable regulatory provisions and that the Information, taken as a whole, is not presented fairly in accordance with the Guidelines, in all material respects.

Since the admission of the Company’s shares to trading on the Euronext Paris regulated market in October 2021, the Company has referred to and complies with the Corporate Governance Code for Listed Companies drawn up by the Association française des entreprises privées (the “AFEP”) and the Mouvement des entreprises de France (the “MEDEF”) as updated in January 2020 (the “AFEP-MEDEF Code”), except for the recommendation in Article 11.3 for the reasons detailed below.

The AFEP-MEDEF Code with which the Company complies may be consulted online at http://www.medef.com or http://www.afep.com. The Company permanently maintains copies of the code for consultation by the members of its corporate bodies.

Since the publication of the 2022 Universal Registration Document, there has been no change in the composition of the Board of Directors and its committees.

As of the date of this Universal Registration Document, the Company has a Board of Directors composed of eleven (11) members, a majority of whom are independent directors and two (2) non-voting members:

• ▶four (4) directors appointed on the proposal of the Klaba family:
  • •Octave Klaba (Chairman of the Board of Directors),
  • •Miroslaw Klaba,
  • •Henryk Klaba, and
  • •Michel Paulin (Chief Executive Officer);
• ▶five (5) independent directors:
  • •Bernard Gault (lead director),
  • •Isabelle Tribotté,
  • •Corinne Fornara,
  • •Diana Einterz, and
  • •Sophie Stabile;
• ▶two (2) directors representing employees:
  • •Pauline Wauquier, and
  • •Hugues Bodin;
• ▶two (2) non-voting members:
  • •Karim Saddi, and
  • •Jean-Pierre Saad.

The table below shows the composition of the Board of Directors at the date of this Universal Registration Document:

The General Shareholders’ Meeting of the Company of 14 October 2021 decided to modify the term of office of directors to allow staggered renewal, subject to the condition precedent that its shares would be admitted to trading on the Euronext Paris regulated market. Accordingly, the term of office of directors has been modified as follows:

• ▶Miroslaw Klaba: one year, i.e., until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended 31 August 2022;
• ▶Isabelle Tribotté: one year, i.e., until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended 31 August 2022;
• ▶Henryk Klaba: two years, i.e., until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended 31 August 2023;
• ▶Sophie Stabile: two years, i.e., until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended 31 August 2023;
• ▶Corinne Fornara: three years, i.e., until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ending 31 August 2024;
• ▶Bernard Gault: three years, i.e., until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ending 31 August 2024; and
• ▶Diana Einterz: three years, i.e., until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ending 31 August 2024.

Miroslaw Klaba and Isabelle Tribotté were reappointed as directors, each for a four-year term, at the General Meeting of 16 February 2023.

The terms of office of Michel Paulin and Octave Klaba remain unchanged.

In addition, two directors representing employees were appointed on 13 April 2022, in accordance with Article 13.3 of the Company’s Articles of Association and Article L. 225-27-1 of the French Commercial Code (Code de commerce), and one of them, Hugues Bodin, joined the Appointments, Compensation and Governance Committee on 27 October 2022 as a member.

The Board of Directors is also composed of two (2) non-voting members, whose profiles are presented below. Karim Saddi and Jean-Pierre Saad were appointed as non-voting members of the Board of Directors on 18 October 2021 and the decision was ratified by the General Meeting of 15 February 2022. Non-voting directors are not remunerated. They participate in the work of the Board of Directors without having a right to vote and do not, at this stage, benefit from any specific missions.

By law, the Board of Directors elects, from among its members, a Chairman who is a natural person and whose role is described in Section 3.2.1.5 above.

The Board of Directors entrusts the general management of the Company either to the Chairman of the Board of Directors (who holds the title of Chairman and Chief Executive Officer) or to another natural person, who may or may not be a director, holding the title of Chief Executive Officer.

As set out in the AFEP-MEDEF Code, the law does not give preference to either governance method over the other and it is up to the Company's Board of Directors to choose between exercising unified or separate general management, depending on its particular requirements.

Governance method

Octave Klaba was appointed Chairman of the Board of Directors at the Board of Directors’ meeting of 28 September 2021, for a period equivalent to his term of office as a director, i.e., until the end of the Ordinary General Meeting of the Company called to approve the financial statements for the financial year ending 31 August 2025.

Michel Paulin was appointed Chief Executive Officer at the Board of Directors’ meeting of 28 September 2021, for a period equivalent to his term of office as a director, i.e., until the end of the Ordinary General Meeting of the Company called to approve the financial statements for the financial year ending 31 August 2025.

The separation of these positions was motivated by the need to retain the skills and experience of Octave Klaba, founder of OVHcloud, at a decisive moment in the Company's history with its IPO in 2021. Notwithstanding the fact that this corporate governance structure is considered by investors and voting advisory agencies to be best practice.

In accordance with the law, the Chief Executive Officer is vested with the broadest powers to act in all circumstances in the name of the Company. He exercises his powers within the limits of the corporate purpose. However, as an internal rule, the Chief Executive Officer exercises his powers within the limits set by the Board of Directors' internal regulations. The following decisions by the Chief Executive Officer require the prior authorisation of the Board of Directors:

• ▶the Group’s annual budget and business plan, including any modifications thereto;
• ▶any decision regarding any individual capital expenditure that would exceed the annual budget by 7.5%;
• ▶any acquisition or sale of assets (including patents and intellectual property rights), business goodwill or shares by a company of the Group, not included in the annual budget, for an individual amount exceeding €25 million;
• ▶authorisation for the Chairman to grant sureties, endorsements and guarantees;
• ▶any amendment to the Company’s Articles of Association; and
• ▶any decision of a Group company to enter into a new financing agreement with a third party (other than with a Group company and other than in the context of an existing Revolving Credit Facility) for an amount exceeding €25 million and not included in the annual budget.

To the best of the Company’s knowledge, the following transactions were carried out during the past financial year in the Company’s shares by the persons referred to in Article L. 621-18-2 of the French Monetary and Financial Code:

The information relating to corporate governance and constituting the report of the Board of Directors on this subject is already included in other sections of this Universal Registration Document. In order to limit repetition, the cross-reference table below provides a link between each section of the report and the corresponding paragraph of this document.

The summary of the compensation components of the executive corporate officers, Octave Klaba and Michel Paulin, paid during or awarded in respect of the 2023 financial year, as well as the 2024 compensation policy, submitted to the vote of the shareholders at the Combined General Meeting of 16 February 2023, are presented in Section 4.5.2.2.

Total compensation paid during or awarded in respect of the 2023 financial year to the Chairman of the Board of Directors and the Chief Executive Officer, the directors and other non-corporate officer executives, both by the Company and by controlled companies, within the meaning of Article L. 233-16 of the French Commercial Code, is detailed below. At its meeting of 14 November 2023, the Board of Directors of OVH Groupe confirmed that the AFEP-MEDEF Code is the code to which the Company refers, in particular concerning the compensation of executive corporate officers. This Universal Registration Document, and in particular the tables in Section 4.5.2.2 (stock subscription and/or purchase options, free shares, performance shares), have been prepared in accordance with the format recommended by the AFEP-MEDEF Code and AMF recommendation 2012-02.

The principles and criteria for determining, distributing and awarding the fixed, variable and exceptional components of the total compensation and benefits in kind attributable to the executive corporate officers by virtue of their office, constituting the compensation policy concerning them, are approved by the Board of Directors on the recommendations of the Appointments, Compensation and Governance Committee, and are subject to shareholder approval (“ex-ante vote on the compensation policy”) at the General Shareholders’ Meeting in accordance with Article L. 225-37-2 of the French Commercial Code.

In addition, pursuant to Article L. 22-10-34 of the French Commercial Code, the General Shareholders’ Meeting votes on: (i) the fixed, variable and exceptional components of the total compensation and (ii) the benefits in kind paid during or awarded in respect of the previous financial year to the executive corporate officers (“ex-post vote on compensation in respect of the previous financial year”). As a result, the payment of variable or exceptional compensation in respect of a financial year is subject to their approval by the General Shareholders’ Meeting called to approve the financial statements of that financial year.

Octave Klaba, Chairman of the Board of Directors, and Michel Paulin, Chief Executive Officer, are the only executive corporate officers.

Related entities mainly include companies controlled by Octave Klaba, founder and Chairman of OVH Groupe’s Board of Directors, and other entities controlled by other members of the Klaba family, who are direct or indirect partners of the Company or by the Chairman of OVH SAS and Chief Executive Officer of OVH Groupe.

Pursuant to the agreements detailed below entered into with related parties and related to the conduct of the business, the Group recognised a total amount of operating expenses of €6,445,738 for 2023 versus €13,895,000 for 2022, and concerning net financial income (expense) (IFRS 16), income of €106,854 for 2023 versus an expense of €125,000 for 2022. More detailed figures for related-party transactions are included in the consolidated financial statements for the year ended 31 August 2023.

The main related-party transactions are described in this chapter.

The Company has granted a non-compete clause to Michel Paulin, the Company’s Chief Executive Officer, for a period of one year following the end of his term of office, in consideration of compensation representing 50% of his compensation (fixed + variable) for the financial year preceding his departure. This clause will not apply in the event of retirement or once he reaches the age of 65.

The Company reserves the right to unilaterally waive this non-compete undertaking as from the date of notification of the termination of his duties, in which case the Chief Executive Officer will be free and no compensation will be due.

It is in the Company’s interest to be able to ensure, in the event of Michel Paulin’s departure, that the Company is able to prohibit him from competing with the Company, under the conditions provided for in the non-compete clause.

This agreement was the subject of prior approval by the Board of Directors on 28 September 2021 and of a special report on 29 September 2021. This agreement was approved by the Combined General Shareholders’ Meeting on 14 October 2021.

None.

a. Shadow SAS (formerly Hubic SAS – Blade SAS) – Cloud Services

The relationships between OVH SAS and the Shadow entities are as follows:

• ▶Services covering audit, project management and the supply of temporary storage servers: agreement effective from 15 March 2021 and terminated, after six renewals, on 30 November 2022.
• ▶Accounting, billing and support services provided by OVH SAS to Shadow SAS for the "Hubic" business: an agreement (transitional agreement) was signed when the "Hubic" business was sold by OVH to Shadow (amended in August 2021 and February 2022 to adjust services and rates). The agreement ended on 15 October 2022.

Since customer invoicing and collection is not a usual activity for OVH SAS, this agreement was considered to be a regulated related-party agreement and was approved by the Chairman of OVH SAS in 2021.

• ▶Storage and retrofit services for equipment owned by Shadow in France. Since July 2021, OVH SAS has been storing servers for Shadow which were retrofitted by OVH SAS and recovered by Shadow in April 2022. This agreement expired on 14 March 2023.

This transaction does not fall within OVH SAS's ordinary course of business and as such, is considered to be a regulated related-party agreement and was approved by the Chairman of OVH SAS in 2022.

b. A transitional Transaction Services Agreement (TSA) by OVH SAS for Shadow SAS (Hubic SAS until July 2021)

As part of the Hubic business acquired by Shadow SAS (formerly Hubic SAS) in 2021, a transitional Transaction Services Agreement was entered into between OVH SAS and Shadow SAS under which OVH SAS agreed to provide administrative services to Shadow SAS. This agreement was amended in September 2021 and in March 2022 to adjust the services provided and the associated compensation.

The amount invoiced by OVH SAS during the 2023 financial year under this agreement amounted to €0 excluding tax, versus €131,987.10 excluding tax for 2022.

The provision of these services remains exceptional for OVH SAS since they are provided in connection with the takeover of the assets sold in order to ensure the best possible transition. However, this type of transitional Transaction Services Agreement is very common when assets are sold.

c. Credit issuance and repayment service by OVH SAS for customers of Shadow SAS

As part of the activities of Hubic acquired by Shadow SAS in 2021, Shadow SAS wished to migrate the existing historical “Hubic” platform and propose to its customers to migrate, at their expense, to a new data storage service, Shadow Drive.

In this respect, on 23 August 2022, Shadow SAS ordered a service from OVH SAS to issue credit notes and repay certain customers on its behalf, since the latter issues invoices and collects receivables in respect of the historical “Hubic” service under the “TSA”.

This service was provided during the 2023 financial year, and OVH SAS invoiced these transactions for a total amount of €8,900 excluding tax.

This service of issuing credit notes and repayments for a third party is not part of OVH SAS’s usual activity, but can be considered ancillary to the TSA.

d. Retrofit agreement between OVH SAS and Shadow SAS

Shadow SAS signed an agreement with OVH SAS for the purpose of providing services on IT equipment, including the testing of computer components and the assembly of the functional components to make servers from 5 July 2021.

OVH SAS has a plant that assembles IT components in order to build its own servers, and has developed a “retrofit” activity to disassemble and then reassemble existing equipment components. An agreement was therefore signed with Shadow for the disassembly and reassembly (retrofit), storage and transportation of certain IT components.

OVH SAS does not usually offer this type of service for third parties.

The amount of this service is €21,151.78 excluding tax.

This agreement ended on 8 March 2023.

e. IT equipment purchase agreement between Shadow SAS and OVH SAS

A purchase agreement was signed on 9 June 2022 between OVH SAS and Shadow SAS for the sum of €1,912,808 excluding tax for the purchase by OVH SAS of used IT equipment located in France.

The agreement provides for the acquisition by OVH SAS of used equipment in order to migrate it within its datacenters.

These acquisitions and migrations are unusual for OVH SAS. However, they are consistent with OVH Groupe’s ambitions to limit its environmental impact, in particular by reusing existing equipment after confirming that it meets performance standards.

OVH’s General Shareholders’ Meetings are convened and deliberate under the conditions provided for by law and in the Articles of Association.

The provisions of OVH’s Articles of Association relating to General Meetings and the procedures for exercising voting rights at General Meetings are set out in Title IV – General Meetings – Article 22 – Meetings, Composition, Deliberations, of OVH’s Articles of Association, which are available online at www.corporate.ovhcloud.com, Governance section.

The following table presents the key figures for FY2023.

OVHcloud reported sustained growth in FY2023 and generated unlevered free cash-flow of €25 million in the second half:

• ▶Revenue of €897 million in FY2023, up 13.4% on FY2022 on a like-for-like basis
• ▶Strong like-for-like full-year revenue growth of 21.0% for the Public Cloud segment and 15.1% for the Private Cloud segment
• ▶Adjusted EBITDA of €325 million, giving a margin of 36.3% in FY2023
• ▶Generation of €25 million of unlevered free cash-flow (cash flow from operating activities adjusted for capex, excluding acquisitions, change in working capital requirement and corporation tax paid) in the second half of 2023
• ▶Recurring and growth capex representing 16.3% and 23.6% of revenue for the period respectively

OVHcloud CEO Michel Paulin said:

“We delivered a strong set of results in FY2023, highlighting OVHcloud’s capacity to achieve robust and sustainable growth. This success is underpinned by the strong momentum in our cloud businesses, which now account for over 80% of our business, and OVHcloud’s distinctive, successful offerings. Our sustainable cloud solutions, which prioritise performance-price ratio and data sovereignty, are perfectly aligned with the evolving needs of our expanding and loyal customer base as well as the needs of new customers who wish to control their costs and ensure the protection of their data.

Notably, in FY2023, we achieved a significant milestone by generating positive unlevered free cash-flow in the second half of the year. This was made possible by the improved efficiency of growth-related capital expenditure – marking a shift away from two years of non-recurring capex tied to post-COVID supply chain disruptions and the development of PaaS solutions – all while maintaining a disciplined approach to operating costs.

OVHcloud has confirmed its position as a leader in the sustainable cloud, with key performance indicators that are among the best in the market and ambitious medium-term commitments:

• ▶100% low-carbon energy by 2025, with the aim of limiting the use of high-carbon energy by promoting renewable energy and other low-carbon energy sources.
• ▶Contribution to global Net Zero across scopes 1 and 2 by 2025, and across all scopes by 2030.
• ▶Target of zero waste to landfill from production centres by 2025.

As of FY2023, OVHcloud obtained a score of 71/100 in the S&P Rating and, according to the rating from Sustainalytics, is one of the 15% highest performing companies in the Technological sector for ESG. OVHcloud's constant efforts to innovate and improve the climate footprint of its activity will reduce its customers' Scope 3 emissions.

During the 2023 financial year, OVHcloud announced the availability of OVHcloud Cold Archive, a new solution adding to its Public Cloud portfolio of storage offers.

OVHcloud Cold Archive is an innovative and sustainable storage solution for cold data (data rarely used and therefore rarely accessed). From data protection to archiving, Cold Archive is designed for companies of all kinds looking to improve the protection of their data, by allowing it to be hosted in a different location.

OVHcloud Cold Archive is a unique and cost-effective way to preserve that data. It is equally ideally suited to answer data sovereignty concerns in line with OVHcloud’s commitment to providing a trusted cloud, offering users total control over their data.

OVHcloud acquired its first quantum powered machine during the year. Designed by French company Quandela, the MosaiQ computer is powered by a photonic processor. This purchase kicks off a number of research and development projects.

Doubling down on its efforts in quantum computing, the Group’s goal is to provide its research and development department with the right tools to experiment with a Quantum Processing Unit (QPU) based machine for various use cases, in order to also offer its customers quantum-compatible environments from the outset.

OVHcloud announced the launch of its first datacenter in India, as part of its Asia Pacific expansion plans, which will see the deployment of two additional datacenters in Singapore and Australia by next year. Adding to OVHcloud's network of datacenters worldwide, the new Mumbai facility is part of its global strategic plan to build 15 new sites by 2024. The global expansion will provide OVHcloud customers with open, trusted, sovereign and sustainable cloud solutions that will enable them to meet growing digital needs.

The current macroeconomic environment remains degraded by inflationary trends, particularly around energy costs. Against this backdrop, the Group has launched a specific price increase campaign for some of its services to offset the inflationary impact on its costs.

On 4 September 2023, OVHcloud completed the acquisition of 100% of the German company gridscale for a share purchase price of €28 million. gridscale is specialised in hyperconverged infrastructure (unified systems combining all the elements of a traditional datacenter: storage, computing, networking and management), and attained €5.6 million in revenue for the year ended 31 August 2023.

This acquisition is a strategic milestone in the Group's geographical expansion, with gridscale's unique technology enabling it to rapidly deploy a public cloud environment through limited infrastructure in new geographies, and hence to invest progressively as it grows in these new territories.

The Group's performance in FY2023 confirms its ability to implement its strategic plan and its sustained growth trajectory.

For FY2024, OVHcloud is targeting organic revenue growth of between 11% and 13%, an adjusted EBITDA margin of over 37% and recurring and growth capex representing approximately 16% and 24% of revenue respectively.

OVHcloud also aims to generate positive unlevered free cash-flow in the second half of 2024 (excluding M&A).

The outlook for FY2024 is based on assumptions of an ongoing upward trend in average revenue per active customer (ARPAC), new customer acquisitions, a price effect of between 1% and 2% over the year, mainly in the first quarter, and strict discipline of operating costs and capex.

As part of its ongoing strategic review, OVHcloud has noted certain trends it expects to see in FY2025:

• ▶Organic revenue growth should improve versus FY2024
• ▶Adjusted EBITDA margin should improve versus FY2024
• ▶Capex as a percentage of revenue should be slightly lower than in FY2024
• ▶The Group should generate positive unlevered free cash-flow for the full year (excluding M&A)