OVHcloud’s position as the leading European cloud provider traces its roots to its founding in 1999 as an internet hosting company in France. Over the past 25 years, OVHcloud has developed significantly, initially by expanding its infrastructure and growing its presence within Europe, and then by diversifying its cloud offerings and expanding its operations globally.

Cloud computing means providing users with storage, computing and network resources on demand. Cloud resources are located in datacenters that house servers and equipment used to process, store and transmit data. Users of cloud computing services can access stored data and instruct processing units to perform computing functions automatically, without the need for human interaction, minimising the computing and storage capacities needed on their devices (such as personal computers, tablets and mobile phones). Wherever they are located, as long as they have an internet connection, users are able to access IT services through the cloud.

Businesses can establish and operate their own datacenters using internal IT staff, or they can outsource some or all functions to cloud service providers such as OVHcloud. For many businesses, the time and financial investment required makes proprietary cloud computing less attractive than outsourcing, which means paying only for the resources they actually use. Additionally, it can be difficult for businesses that are not specialised in IT services to innovate at the requisite levels in order to ensure that their cloud infrastructure provides them with adequate services and protections, such as data security. Internal IT systems also might not be sufficiently scalable to meet peak-load demands (unless businesses maintain costly excess capacity).

Servers maintained in datacenters can be used for multiple functions, each of which is accessed through a “virtual machine” created on the server. The virtual machines are operated and separated from one another through a software platform known as a “virtualisation stack.” Each virtual machine can have its own operating system that permits users to develop and run applications. Through a function known as a “hypervisor,” the server’s capacity is allocated to the virtual machines in accordance with the demands of users. Furthermore, software applications have been written to be bundled in “containers” that run directly on the operating system of the server itself, coordinated through platforms known as “orchestration” systems, which generally take up less space and can provide better performance than hypervisor-based virtualisation stacks.

The ability to create multiple virtual machines in each server or to deploy container-based systems allows a cloud service provider to allocate its capacity among multiple user groups or customers in a secure manner. Service providers can dedicate a server to a single customer (a “Private Cloud” system), allocating the server’s capacity among user groups authorised by the customer. Alternatively, a server can be shared among multiple customers (a “Public Cloud” system). Private Cloud customers generally pay monthly charges for dedicated capacity, whether or not they use that capacity. Public Cloud customers generally pay for the capacity they actually use.

In order to optimise the cost of cloud services, many businesses are deploying “hybrid cloud” strategies, in which they combine on-premises or outsourced Private Cloud capacity for their most sensitive functions and data, with Public Cloud capacity for their less sensitive needs. Customers are also deploying “multi-cloud” strategies, purchasing cloud services from several providers. To meet the growing demand for hybrid cloud and multi-cloud services, a cloud provider must offer packages that allow the various solutions to function as an integrated whole.

Cloud computing encompasses a range of services that include providing access to infrastructure (Infrastructure-as-a-Service or “IaaS”), selecting and operating platforms such as operating systems, virtualisation stacks and security systems (Platform-as-a-Service or “PaaS”), and offering applications that are developed and can function on cloud platforms (Software-as-a-Service or “SaaS”). These features are illustrated in the following graphic:

The cloud solutions market also includes Web services targeted mainly at individuals and small and medium-sized businesses. The Web Cloud market largely consists of web and domain hosting, including leasing servers for websites, selling secondary services (such as software packages) and domain name registration, renewal and transfer services.

OVHcloud provides two main Private Cloud offerings: Bare Metal and Hosted Private Cloud.

OVHcloud’s Bare Metal Cloud service provides dedicated physical servers to customers, who have full control over the server, including the choice of operating system. The Bare Metal Cloud allows them to have a similar experience to the one they would have with on-premises solutions managed by their internal teams, while taking advantage of the benefits offered by outsourcing.

OVHcloud’s main Bare Metal Cloud offering consists of high-end servers and mid-to-high-level services. OVHcloud also has a lower-priced offering marketed as part of the “Eco” range, which uses refurbished servers that provide quality services at a reduced cost, while improving environmental efficiency.

Bare Metal Cloud services provide business customers with high-level computing power and strict service level agreements in a secure environment appropriate for sensitive data applications. The server can be customised to meet customer requirements and can be operated without allocating the server’s capacity to virtual machines through a hypervisor, allowing the customer to use the server’s full capacity. Any unused capacity can be deployed within minutes, although the total capacity is limited by that of the dedicated server.

Bare Metal Cloud customers pay monthly fees that depend on the performance levels they select. They may also choose options (such as server customisation or data backup) for additional fees.

The main uses of Bare Metal Cloud services include the computation of complex data, low latency operations, streaming, online gaming and critical business applications such as ERP and CRM.

OVHcloud offers Hosted Private Cloud services to its business customers, providing servers fully managed by OVHcloud, including the operating system and the virtualisation layer, in partnership with VMware or Nutanix offerings.

1. VM: Virtual Machine

OVHcloud’s Hosted Private Cloud services provide customers with private access to servers that can be customised to satisfy their specific requirements. They meet the needs of customers seeking isolation and security, scalable resources and resilience.

The main uses for Hosted Private Cloud services include deployment in hybrid cloud strategies, media encoding, big data analytics and disaster recovery, as well as the storage and processing of sensitive data in key sectors such as healthcare, finance and the public sector.

Since 2021, OVHcloud has been offering SecNumCloud-certified Hosted Private Cloud services. SecNumCloud certification gives customers the assurance of choosing solutions that comply with the highest ANSSI security standards, as well as the guarantee of having solutions tailored to the sensitive data of public authorities and businesses.

OVHcloud offers Public Cloud solutions based on open source technologies such as OpenStack (a platform for deploying processing, storage and networking resources) and Kubernetes (a container orchestration platform that has become a market benchmark). The use of these standard platforms provides customers with easy data transfer capability and deliberately transparent access to source code, facilitating reversibility and eliminating “vendor lock-in”. This feature of the OVHcloud offering is particularly attractive for customers looking to deploy multi-cloud strategies.

Public Cloud solutions provide users with virtually unlimited computing capacity, with the only constraint being the demands of other users and the total installed capacity of the cloud provider. It is possible to deploy new Public Cloud instances automatically and in seconds. As the Public Cloud service is based on shared servers, customisation options are defined by OVHcloud. The flexibility of the hardware architecture offers high service levels.

Public Cloud customers pay usage fees for the capacity they actually use. The OVHcloud model offers much more predictability than models used by hyperscalers and many other competitors. In particular, unlike hyperscalers, OVHcloud does not charge additional fees for outgoing data transfers or API calls, except for block and archive storage, and for services located in Asia-Pacific.

The Group’s Public Cloud offering provides three core cloud computing services: computer performance, storage and network capabilities.

Customers of OVHcloud's Public Cloud solutions can choose fully scalable Public Cloud services on virtual machines that are hosted on shared servers and networks.

OVHcloud’s Public Cloud service is attractive for customers seeking highly scalable resources, with significant peak management demands across multiple access locations, and a high degree of resilience. This service is used for applications with high-demand bursts and services that use large volumes of data, such as video and music streaming.

OVHcloud's Public Cloud customers can also choose from a number of on-demand (SaaS) software running on OVHcloud's Public Cloud servers. In particular, OVHcloud offers its customers access to Microsoft Exchange messaging and calendar solutions, SharePoint data storage and management solutions, and the Office365 business software suite.

1. VM: Virtual Machine

OVHcloud also offers a virtual private server option, providing IT capabilities located on shared servers, but with virtual machines isolated through the use of virtual private networks.

The virtual private server option is attractive to customers seeking tailored resources, particularly for short-term operations with volatile workloads and server demand. Virtual private server solutions are used primarily for applications testing and other one-time projects, the management of short-term peak loads and backup functions.

1. VM: Virtual Machine

As part of its growth strategy, OVHcloud is developing and implementing a comprehensive PaaS offering, overlaying its Private Cloud and Public Cloud IaaS products. In addition to developing products in-house, OVHcloud has announced several partnerships and acquisitions, in order to accelerate its development plan, enabling it to offer more than 80 IaaS and PaaS solutions to its customers by the end of the 2024 financial year, mainly in the following areas:

• ▶Storage. OVHcloud now offers its customers a comprehensive portfolio of storage solutions such as Object Storage S3 (High Performance and Standard), Block Storage, File Storage, Snapshot & Backup and Archive;
• ▶Database-as-a-Service. Data management software allows users to manage their databases to enable queries and updates. It includes programmes that execute queries on data and provide visual representation of the data in formats such as spreadsheets, enabling users to build applications faster and automate database management. OVHcloud announced a partnership with MongoDB in April 2021 and a partnership with Aiven in July 2021 to make several types of database available on the OVHcloud infrastructure;
• ▶AI, Machine Learning & Analytics. Artificial intelligence and analytics solutions include tools and services that support data analysis and presentation. OVHcloud is particularly advanced in high-performance computing solutions for artificial intelligence and machine learning, and intends to continue its development in this area. In April 2022, OVHcloud announced the acquisition of ForePaaS, a company specialising in analytics. Over the last two years, OVHcloud has strengthened its artificial intelligence product offering, including AI Notebook, AI Deploy, AI Training, AI App Builder and AI Endpoint;
• ▶Security & Encryption. OVHcloud is expanding its offering of identity access management and encryption solutions, including end-to-end encryption that secures customer data in all states. In July 2021, OVHcloud announced the acquisition of BuyDRM, a US company specialising in this area;
• ▶Application platforms. Application platforms are back-end server software solutions that provide developers with a runtime and development environment.

OVHcloud has offered Web Cloud services since its founding in 1999. With its leading position in the French market and strong positions elsewhere in Europe, the Web Cloud offering provides a stable, recurring revenue base and regular growth.

OVHcloud offers three principal solutions to Web Cloud customers:

• ▶Web hosting and domain names. This includes the leasing of capacity on servers, allowing customers to connect their websites to the internet, as well as domain name registration, renewal and transfers. Customers can choose basic packages offering just one or a few websites, or packages targeted at professionals and developers that wish to host multiple websites, together with email addresses and storage options. OVHcloud offers its customers additional services, such as Secure Socket Layer (SSL) certificates, which enable secure connections between a web server and a browser;
• ▶Telephony and connectivity. Customers can purchase VoIP (Voice over IP) systems for use as switchboards and interactive voice response systems. OVHcloud also offers customers internet access through ADSL and fibre networks, with basic and professional packages;
• ▶Support and services. OVHcloud offers its customers additional levels of support and services, including a range of support, expertise and online services. There are two levels of support offering: i) Business, which corresponds to the level suitable for production environments, or ii) Enterprise, which offers a key account experience for critical production environments. Additional services are proposed in the Professional Services offering, which provides access to technical support and advice during infrastructure migration or IT architecture changes.

OVHcloud’s main customers in the Web Cloud segment are small and medium-sized businesses, as well as certain individual customers and entrepreneurs. Web Cloud customers generally seek secure and reliable web and communications services, to establish their web presence, and to digitise business functions.

Since 2021 and its IPO, OVHcloud has been deploying its strategic roadmap. The Group has succeeded in:

• ▶developing key customer segments with average ARPAC(3) growth of 48% between 2021 and 2024;
• ▶addressing a broader market by currently offering customers over 40 Public Cloud products;
• ▶extending its geographical footprint with the opening of more than 10 new datacenters since 2021, to reach 43 datacenters by the end of FY2024;
• ▶investing in internal development with cumulative growth capex of nearly €900 million between 2021 and 2024, and external growth opportunities, with three acquisitions since 2021 (BuyDRM in security, ForePaaS in data management, and gridscale, to open Local Zones with minimum capital intensity).

Following these significant investments, OVHcloud introduced a new plan centred around four strategic pillars: (i) Be the data sovereignty reference, (ii) Innovate for next tech revolutions, (iii) Deliver sustainable and profitable growth, and (iv) Maximise cash generation.

OVHcloud already benefits from a structural differentiator in that it is not subject to extraterritorial laws, and has developed a successful strategy of certifications with national and international regulators.

In the coming years, the Group will continue to expand its range of certified products, in particular with plans to extend SecNumCloud certification in France to its Public Cloud and Bare Metal Cloud services from 2024-2025. At the end of 2023, OVHcloud also inaugurated a third SecNumCloud-certified datacenter in France.

In addition, specific services are currently being developed to respond even more precisely to the needs of certain verticals, in particular the public sector and healthcare.

Innovation is at the heart of OVHcloud's DNA, and the Group will continue to invest to innovate and prepare for the upcoming technological revolutions, such as artificial intelligence – which is already underway – and quantum computing in the medium term.

With regard to artificial intelligence, OVHcloud is continuing to strengthen its offering, in particular by developing AI solutions that guarantee customer data confidentiality and data sovereignty. OVHcloud offers its customers a broad portfolio of NVIDIA Tensor Core GPUs (H100, A100, L4, L40S) accessible in the Public Cloud and top-of-the line AI models integrating the latest open-source LLMs, like Mistral 8x22B or Llama3, which are notably available on the shelf via the OVHcloud AI Endpoints serverless solution. AI is opening up new opportunities and is at the heart of a revolution, creating extremely high stakes, especially in terms of intellectual property and data confidentiality.

OVHcloud is also ahead of the curve on quantum computing, which will be one of the next technological revolutions of the 21st century. OVHcloud is the only European cloud provider to offer its customers five quantum notebooks and one quantum emulator. The Group also supports 14 leading quantum startups and owns one Quandela photonic computer.

Since 2021, OVHcloud has opened more than ten new datacenters, invested significantly in the development of new products and set up a programme to improve the resilience of its infrastructure.

Over the next few years, OVHcloud plans to optimise the utilisation rate of its datacenters, which was just over 60% in 2024, improve inventory management and stabilise investments in new products in absolute value terms.

Lastly, the Group expects to reduce one-off investments (hyper-resilience plan, IPv4 purchases and improvement of inventories linked to supply chain tensions) between now and 2026.

OVHcloud targets an improvement in its unlevered free cash-flow in FY2025 versus FY2024 and positive free cash-flow as from FY2026.

OVHcloud is the European Cloud leader and the only non-US or non-Chinese player among the ten largest global cloud service providers(4). It is the only major player of its size that is not subject to extraterritorial laws.

In addition to its structural differentiator, OVHcloud has developed a very large number of certifications worldwide in order to comply with various national and international regulations.

Source: At 31 August 2024, Company.

(1) A point of presence is a point at which the network establishes a connection with the internet.

(2) Tera bits per second.

As a French cloud service provider, OVHcloud is subject to European regulations across a wide number of areas, including information technology (“IT”) services, cybersecurity, online content moderation and data protection. OVHcloud may also be subject to sectoral regulatory regimes applicable to certain customers and generally applicable regulations such as contract laws and consumer protection policies.

OVHcloud is subject to European regulations aimed at strengthening cybersecurity across the European Union (the “EU”). Transposed into French law on 26 February 2018, Directive (EU) 2016/1148 of 9 July 2016 established requirements for cloud service providers with respect to network and information systems security. The French law(6) transposing Directive (EU) 2016/1148 classifies cloud service providers as digital service providers. As a digital service provider, OVHcloud must guarantee a level of information security adapted to the relevant risks and adopt appropriate organisational and technical measures. Any security incident having a significant impact on the provision of services must be declared to the French National Cybersecurity Agency (“ANSSI”). The French Prime Minister may also open investigations upon receiving information of non-compliance by the digital service provider with security obligations. Fines for non-compliance with security obligations range from €50,000 to €100,000.

The ANSSI has adopted security standards for cloud service providers(7). In particular, cloud companies must set up a security policy for information relating to the service and carry out a risk assessment covering the entire service. If applicable security standards are met, the ANSSI grants the “SecNumCloud” label certifying an enhanced level of security for the storage of sensitive information. In October 2022, the ANSSI extended OVHcloud's “SecNumCloud” security visa for its Hosted Private Cloud until December 2023. For the protection of critical information systems, the ANSSI recommends that operators of essential services (e.g., gas supply companies, airline carriers, health institutions, banks) use security products and services with an ANSSI security visa.

The role of the European Union Agency for Cybersecurity (the “ENISA”) was strengthened by Regulation (EU) 2019/881 of 17 April 2019 (the “Cybersecurity Act”). The ENISA is tasked with establishing and maintaining a European-wide cybersecurity certification scheme applicable to cloud service providers, including a comprehensive set of rules, technical requirements, standards and procedures. In July 2020, the ENISA published a proposal that would enable cloud service providers to obtain certifications across the EU attesting to the level of security of their services.

In September 2022, the European Commission unveiled its proposed Cyber Resilience Act (“CRA”). This proposal fixes a series of general and organisational cybersecurity requirements for products containing digital elements (for example: software, hardware products, data processing). It aims to adopt a common base within the European Union to limit cyberattacks. The CRA applies differently to supply chain players: manufacturers, importers and distributors. The text is awaiting examination by the European Parliament and then by the Council of the European Union; during this procedure, which may take up to two years, the current text will most likely undergo certain changes. It is therefore still too early to comment on the impacts this text may have on OVHcloud.

As a provider of cloud and telecommunications services, OVHcloud processes, stores and transmits a substantial amount of personal data. As a result, OVHcloud must comply with a number of European regulations and national laws relating to personal data protection.

A cornerstone of personal data protection in the European Union since it came into force in May 2018, the GDPR has three main objectives: (i) to establish rules relating to the protection of individuals with regard to the processing of their personal data as well as rules relating to the free movement of such data, (ii) to strengthen the application of the regulation by providing a unified legal framework for organisations processing personal data, and finally (iii) to strengthen the responsibility of parties processing personal data (data controllers and processors) by requiring that processing and the tools/applications used be documented.

The GDPR places organisations under strict obligations in terms of information and transparency with regard to the personal data processing they carry out on their own behalf or on behalf of others.

It also confers a number of rights on data subjects with regard to the processing of their personal data, such as the right of access, the right to rectification and the right to erasure ("right to be forgotten"), giving them greater control over the use of their personal data.

The GDPR also requires organisations to implement appropriate technical and organisational security measures for the processing of personal data as soon as a new product or service is designed, in order to ensure that personal data security and confidentiality requirements are met ("Privacy by design").

Lastly, the GDPR requires organisations responsible for processing personal data to notify the supervisory authority of any breach that is likely to result in a risk to the rights and freedoms of natural persons and data subjects.

Passed on 22 September 2021, the act to modernise legislative provisions as regards the protection of personal information, known as "Act 25", makes major changes to the act respecting the protection of personal information in the private sector ("ARPPIPS"), giving citizens greater control over their personal data and making organisations more accountable for the way they manage this information. This act establishes new obligations and transparency rules for Quebec companies, such as the appointment of a Data Protection Officer, in order to establish governance policies and practices regarding personal information, conduct privacy impact assessments (PIAs), and respect the new rights granted to individuals with regard to their personal data, in particular the right to require that such information cease to be disseminated, or that it be re-indexed or de-indexed (the right to be forgotten) before being communicated outside Quebec, and ensure that technological products and services offered to the public have settings that provide the highest level of confidentiality by default.

The new responsibilities and requirements applicable to organisations processing personal data came into force progressively in September 2022, 2023 and 2024.

In order to ensure compliance with applicable data protection regulations, OVHcloud has implemented a personal data management system based on the ISO 27701 standard.

OVHcloud also relies on the Cloud Infrastructure Service Providers in Europe (CISPE) Code of Conduct, with its certified Bare Metal Cloud and Hosted Private Cloud powered by VMWare offerings, to ensure and demonstrate the compliance of its IaaS activities.

Regulation (EU) 2018/1807 of 14 November 2018 (“Regulation on the free flow of non-personal data”) aims to ensure the free flow of non-personal data between EU Member States (the “Member States”) and IT systems in the EU. Non-personal data is either (i) data not linked to identified or identifiable natural persons, or (ii) anonymised personal data. This regulation enables the storage and processing of non-personal data anywhere in the EU, prohibits data localisation and ensures the availability of data for regulatory control.

The Regulation on the free flow of non-personal data also provides that the European Commission must encourage the development of self-regulatory codes of conduct to facilitate portability between service providers. To that end, OVHcloud participated in the drafting of two voluntary codes of conduct on switching cloud service providers and data portability through the working group on switching cloud providers and porting data (“SWIPO”). Published in July 2020, the codes of conduct for Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) provide guidance for cloud service providers and customers on switching cloud provider and porting non-personal data. The adoption of such codes of conduct aims to reduce the risks of vendor lock-in (i.e., situations where customers are dependent on a particular provider due to significant switching costs) by cloud service providers. It also provides guidance for customers on the transfer of non-personal data.

As a hosting service provider, OVHcloud must comply with a number of laws on content moderation, including those moderating terrorist content, child sexual abuse material and the infringement of intellectual property rights.

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (“Digital Services Act”) entered into force on 18 November 2022. This new framework aims to harmonise the rules applicable in the different Member States of the European Union and replaces the framework adopted in 2000 with regard to liability of intermediaries in relation to illegal content while maintaining the fundamental principles of freedom of expression and freedom to provide services.

The regulation also establishes new obligations of due diligence and transparency for hosting services such as OVHcloud, both vis-à-vis the authorities and users, particularly on the processing of reports of illegal content. It also increases the level of penalties that can be imposed in the event of a breach of the obligations established by the regulation, with fines of up to 6% of the intermediary service provider’s global annual revenue. A certain number of measures are applicable on a deferred basis over the next two years and involve the adoption of texts at the national level. OVHcloud will carefully monitor their publication in order to comply with its obligations.

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (“Digital Markets Act”) aims to make the digital sector fairer and more competitive by introducing preventive measures for large digital companies as gatekeepers on the European market. In particular, the regulation provides for several obligations and prohibitions against gatekeeping online platforms and strengthens the sanctioning powers of the European Commission, which will be assisted by an advisory committee and a high-level group. So, for example, gatekeepers must allow users to easily uninstall pre-installed software on their devices and easily unsubscribe from an essential platform service such as a cloud service. Gatekeepers will no longer be able to impose software such as internet browsers or default search engines or reuse users' personal data for the purpose of targeted advertising without their explicit consent.

Applicable from 2 May 2023, the companies concerned must report to the European Commission and ensure that they are compliant by March 2024 at the latest. The legislation gives the Commission the exclusive power to monitor compliance with their obligations, and imposes new sanctions, including a fine of up to 10% of the company's total global revenue from the previous financial year.

The adoption of this new legislation is a positive step towards regulating the practices of the dominant digital players on the European market. However, its effectiveness will depend on the means that the European Commission devotes to ensuring compliance with it. OVHcloud will pay particular attention to the forthcoming details regarding the teams tasked with monitoring gatekeepers' compliance.

OVHcloud entities are telecommunications operators in four (4) Member States: Belgium, France, Germany and Spain. OVHcloud is subject to specific obligations when providing telecommunications services. Because the EU and its Member States have been regulating the telecommunications sector for many years, there are a variety of different implementing measures, guidelines and authorities across the EU. OVHcloud entities are also telecommunications operators in the United Kingdom and Switzerland, which have their own telecommunications regulations. The United Kingdom also implemented the requirements of the European Electronic Communications Code into its national regulatory framework prior to Brexit.

The Directive (EU) 2018/1972 of 11 December 2018 established the European Electronic Communications Code. Although this directive has not yet been transposed in all Member States where OVHcloud acts as an operator, several other directives applicable in the telecommunications sectors, such as Directives 2002/19/EC, 2002/20/EC, 2002/21/EC and 2002/22/EC of the European Parliament and of the Council, have been substantially amended. Directive 2018/1972 was transposed into French law in May 2021(8). The key objective of this European Electronic Communications Code is to create a comprehensive set of updated rules to regulate electronic communications and protect EU citizens when they communicate through traditional or web-based services, encourage competition between telecommunications operators, and ensure that national regulatory authorities are protected against external intervention or political pressure.

As a cloud service provider, OVHcloud is subject to obligations when the Group provides services to organisations in the health sector. For example, French law requires health data hosting providers (i.e., any person hosting personal health data collected in the course of prevention, diagnosis, care or social and medical monitoring activities on behalf of natural or legal persons having produced or collected such data or on behalf of the patients themselves) to comply with specific obligations. Such obligations include obtaining proper certification or receiving prior approval from public authorities as per the French Public Health Code, and entering into an agreement with customers in the health sector, setting out the mandatory provisions prescribed by Article L. 1111-8 of the French Public Health Code. OVHcloud is also subject to the requirements of other jurisdictions in which it operates, such as Italy, Poland, Germany and the United Kingdom.

In 2016, OVHcloud obtained the “health data host” accreditation and, since 2018, the Group has operated a management system that allows several of its cloud offerings to comply with the requirements of this accreditation. In 2019, OVHcloud obtained the French HDS (Hébergeur de données de santé – health data host) certification for its Hosted Private Cloud offering. In 2020, this certification was first extended to OVHcloud’s dedicated servers and then to OVHcloud’s Public Cloud offering and Trusted Exchange in 2021.

Companies in the financial sector (including credit institutions and investment firms) may also be subject to industry-specific obligations that may reflect on OVHcloud in the context of the provision of its services. In particular, in 2019, the European Banking Authority (“EBA”) issued “Recommendations on outsourcing to cloud service providers” applicable to outsourcing arrangements. These recommendations create obligations with respect to information systems security and audit rights for the outsourcing banks, which they must impose on their cloud service providers when using their services. OVHcloud aims to offer contractual conditions applicable to financial service operators that ensure that customers are able to implement an outsourcing policy which is compliant with the EBA’s recommendations and with local European regulations.

Financial service operators may also require OVHcloud to comply with specific national regulations. For instance, OVHcloud may have to comply with French regulations such as those of France's banking and insurance supervisor, Autorité de contrôle prudentiel et de résolution (“ACPR”) on critical outsourced services such as banking operations. Companies outsourcing critical services must ensure that service providers guarantee the protection of confidential information, implement backup mechanisms in the event of significant difficulties affecting service continuity and provide the ACPR, in carrying out its duties, with access to critical outsourced information. With respect to internal procedures for managing information system security, the American Institute of Certified Public Accountants (“AICPA”) granted OVHcloud SOC I-II type 2 certifications.

With respect to hosting banking data and reducing card fraud, OVHcloud’s main Hosted Private Cloud offering is compliant with the Payment Card Industry Data Security Standard (“PCI DSS”). OVHcloud’s datacenters in France, Canada, the United Kingdom, Germany and Poland comply with PCI-DSS.

On 27 November 2022, the European Commission adopted a Digital Operational Resilience Act for the Financial Sector (“DORA”). Following a proposal by the 2020 European Commission, this regulation imposes a number of requirements on cloud outsourcing arrangements in the financial sector. The proposed regulation covers a broad range of regulated financial entities, including credit institutions (such as banks), central securities depositaries, insurance companies and certain fund managers, among others. It imposes a number of information and communications technology risk management requirements on these financial entities, some of which apply directly to outsourced cloud activities.

In particular, financial sector entities covered by the proposed regulation are required to take a number of steps to address risks in their relationships with third parties, such as cloud service providers, including ensuring that their cloud services contracts provide a full description of the services proposed with qualitative and quantitative performance targets, and include provisions governing integrity, security, personal data protection, recovery in case of failure, rights of inspection and audit, and termination provisions with clear exit strategies. The regulation proposes the approval of standardised contractual terms by the European Commission.

In addition, the regulation imposes a new oversight framework on critical third-party service providers (including cloud service providers), subjecting them to individual oversight plans adopted by the European financial regulatory bodies responsible for supervising banks, securities markets or insurance companies, depending on the sector primarily using the services of the relevant provider. The determination of which services are critical depends on their potential systemic impact, the dependence of financial entities on them for critical functions and the availability of alternatives. The oversight plan can impose requirements in areas such as security and quality, contractual terms, and subcontracting, with financial penalties imposed in case of non-compliance, up to 1% of the service provider's global revenue in the most recent year. The oversight bodies have broad inspection and auditing rights and investigative powers. The adopted regulation also prohibits financial entities from using a service provider from a country outside the EU for critical cloud functions.

Many of OVHcloud’s datacenters are located in former industrial buildings, some of which are classified as presenting environmental or other risks under applicable French legislation. OVHcloud’s datacenters outside of France may also be classified as presenting environmental risks under local regulations. In order to comply with the applicable regulations, OVHcloud is sometimes required to submit applications and obtain operating licenses. OVHcloud may be required to take certain remedial measures as part of the application process.

Operating licenses are required in most countries where OVHcloud operates its datacenters. The regulations primarily concern air emissions, industrial waste management, water and effluent management, fire risk management and noise management.

The simplified organisational chart below shows the Company's legal structure and its consolidated subsidiaries as of the date of this Universal Registration Document. The percentages indicated below represent the percentages of share capital. There has been no significant change in capital ownership since 31 August 2024.

Central to its governance mechanism, OVHcloud's risk management system helps the Group achieve its strategic objectives while protecting its assets and reputation. It also helps to mobilise employees around a common approach to risk. OVHcloud is committed to regularly assessing risks and implementing internal controls and action plans to mitigate them.

The risk management system aims to identify, analyse and manage the main risks to which the Group is exposed. It contributes to the control and security of its activities, the effectiveness of its operations and the efficient use of resources.

This system comprises a series of processes aiming to identify, assess and prioritise risks, prevent and control them, promote a risk management culture, and monitor action plans to limit risks. It draws on the skills of the Group's employees, particularly in internal audit and compliance, and on external expertise where required.

CSR risks are covered in Chapter 3 – Non-financial performance statement of this Universal Registration Document.

In 2020, the Group drew up a risk map, which was updated in 2022 and 2023.

Carried out across the Group and with the involvement of top management from all the Group’s activities, the risk mapping process has made it possible to identify the main risks to which the Group is exposed and to assess their potential impact, taking into account their criticality and probability of occurrence. The Group's risk map also takes into account specific risk mapping exercises on topics such as cybersecurity and anti-corruption, and the monitoring of operational and emerging risks.

The most significant risks have been grouped into different families (strategy and markets, business, human resources, financial, regulatory and legal, information systems). For each risk, a description is provided of their causes and potential impact, as well as the actions taken to manage them.

Group management, the Board of Directors and the Audit Committee closely monitor risk management and define the most appropriate strategy.

One or more risk owners are appointed for each risk to complete the risk analysis, identify the actions and resources needed to mitigate the risk, and manage the corresponding action plans.

The relevance and progress of the action plans are monitored by members of the Group's Executive Committee, including the Chief Executive Officer, Chief Financial Officer and General Counsel, who review them on a quarterly basis. Risk mapping and action plans are presented annually to the Group’s Audit Committee, and more frequently upon request.

The Group's Legal Department negotiates all insurance contracts centrally for the entire Group, excluding subsidiaries in the United States, which determine their own insurance policy and take out their own insurance policies.

Insurance policies are either taken out by the Group, on its own behalf and on behalf of its subsidiaries, or directly by its subsidiaries, through brokers mandated to negotiate with the main insurance companies to set up or renew the most appropriate guarantees for risk coverage requirements.

Insurance companies are selected on the basis of criteria such as the amount of premiums, the scope of coverage offered, the ability to set up integrated programmes such as master policies, the duration of the commitment, their availability to insure the risks in question in light of all their other commitments in the segment and market in question, and the ability to offer qualitative support in order to better understand risk management.

The Group's insurance policy aims to:

• ▶adapt its insurance coverage each year, when renewing its policies, according to developments in the risks related to the growth of its usual activities and its steady increase in capital. To do so, the Group uses an external firm to appraise the assets of its largest sites;
• ▶pursue an active prevention and protection policy at its industrial sites, in particular through its HYR prevention plan, designed to protect them against accidental fire risks. The Group has most of its industrial sites audited annually by its brokers’ and insurers’ prevention engineers;
• ▶communicate to the insurance and reinsurance market at the roadshows organised by the Group, on the information detailed in the HYR prevention plan;
• ▶set up awareness-raising sessions on fire risk, with a technical and insurance-based approach, for a wide range of operational staff;

• ▶develop risk prevention, such as exposure to natural and environmental disasters, in order to enhance existing insurance coverage.

All insurance contracts were renewed at 1 January 2024, with the exception of a few contracts with expiry dates later in the year.

OVHcloud prefers to take out “master” policies in order to pool coverage within the Group. For regulatory or factual reasons, such as the size of a subsidiary, OVHcloud also uses local or “standalone” policies taken out directly by its subsidiaries.

The Group also has insurance policies taken out directly by the Group or through its subsidiaries, covering the liability of its executives, risks relating to all its offices, its car fleet, the use by its employees of their own vehicle for business trips, professional assignments, expatriate employees, construction work, installation of equipment or fittings in its datacenters or offices, the transportation of goods, rented accommodation made available to staff during occasional business trips to the head office, as well as the medical office of the doctor also working on behalf of OVHcloud.

Through its subsidiaries, the Group also has a number of insurance policies covering property damage, civil and employer liability and compensation for employees, offices and international datacenters.

Based on the AMF reference framework, OVHcloud has set up an internal control system comprising a set of resources, policies, behaviours, procedures and appropriate actions designed to ensure:

• ▶the application of instructions and guidelines set by management;
• ▶the operation of internal processes to ensure the effectiveness and control of activities;
• ▶the reliability of accounting and financial information;
• ▶compliance with laws and regulations;
• ▶the management of risks.

A number of players are involved in the internal control system:

Delegated by the Board of Directors, the Audit Committee is responsible for monitoring the preparation of financial information and the effectiveness of internal control, risk management and internal audit systems.

The Audit Committee reports to the Board of Directors on these aspects.

See Chapter 4 – Corporate governance for a detailed description of the tasks of the Board of Directors and the Audit Committee.

Senior Management is responsible for deploying the internal control system and overseeing risk mapping. To achieve this, Senior Management relies on the support of the Finance Department and the Audit, Internal Control and Risk Department.

The first line of control is made up of operations that formalise and implement operational processes to ensure control of day-to-day operations and their internal control.

Internal control is an integral part of each operational department’s mission. The management of the operational departments is responsible for checking that the Level 1 procedures and controls are being properly applied by carrying out Level 2 controls, for example via sampling and by implementing application controls and validation circuits. The management control function may also be responsible for carrying out Level 2 controls.

Lastly, the functional departments are responsible for defining the guidelines and controls to be applied by all the commercial and industrial entities and for managing the operational risks in their respective areas: for example, the Legal, Quality, Standards, Safety and Working Environment, Cybersecurity, Human Resources, Finance and Insurance Departments. These functional departments may also be called upon to verify that Level 1 rules have been applied correctly through Level 2 control campaigns.

With a view to strengthening its internal control and improving coordination, OVHcloud has set up an Audit, Internal Control and Risk Department, which reports to the Group's Finance Department. This department assists the operational and functional departments in setting up their Level 1 and 2 control systems. The Audit, Internal Control and Risk Department also carries out internal control campaigns based on the operational departments’ self-assessment of whether controls have been applied correctly. The Audit Committee monitors the rollout of the internal control system.

The third line of control is the Audit, Internal Control and Risk Department. On the basis of an annual audit plan, approved by Senior Management and the Audit Committee, audits are carried out in a fully independent manner and are the subject of an audit report which identifies any risks and the action plans needed to mitigate them.

The findings of internal audits are reported to the operational departments, as well as to Senior Management and the Audit Committee for the main findings, in order to provide reasonable assurance on the effectiveness of the internal control and risk management system.

Follow-up on action plans is presented to the Executive Committee and the Audit Committee twice a year. The Internal Audit department is also independently empowered to alert Senior Management and directors if necessary.

OVHcloud's business model is detailed in the introduction to this Universal Registration Document.

OVHcloud structured its CSR approach during the 2022 financial year. With nearly 3,000 employees at 31 August 2024 and a global industrial and commercial footprint, the Group is fully aware of its responsibility in a world where data have a major impact on private, social and professional lives on an economic, geopolitical, ethical and environmental level. They impact relationships between people and their use reflects a vision of the world and the type of society in which everyone wants to live. Driven by its ambition, “Leading the data revolution for a responsible future”, OVHcloud’s mission is to build an open and trusted cloud, enabling businesses and society to make the most of the data revolution while minimising its environmental impacts.

This vision and the related mission are reflected in a CSR policy, which is closely integrated into the Group’s strategy. This policy is based on three pillars of commitment, each of which in turn breaks down into three areas of action:

• ▶Guaranteeing data sovereignty and freedom

OVHcloud is at the heart of the digital revolution, which opens the way to a multitude of opportunities in applications and technology. In this context, the Group offers its customers cloud solutions covering all their uses – supporting them in their digital transformation, enabling them to innovate by building cloud native applications or helping them leverage the power of data. In fulfilling this mission, the Group offers its customers the freedom to build their most ambitious projects, in a secure, compliant and sustainable cloud environment, according to three areas of action:

• •defending data sovereignty, security and privacy;
• •guaranteeing freedom of choice and reversibility;
• •offering predictable and transparent pricing.

• ▶Pioneering the sustainable cloud

At the forefront of the sustainable cloud, OVHcloud has integrated sustainability at the heart of its business model since its creation, aiming to minimise its environmental impact at every stage. OVHcloud’s environmental action is structured around three priorities:

• •placing innovation at the heart of its industrial model;
• •aligning OVHcloud with the Paris Agreement, which includes the major objective of continuing efforts to limit the increase in average global temperature to 1.5°C above pre-industrial levels;
• •raising awareness among stakeholders of all the impacts of the cloud, in order to initiate a collective approach to reducing the environmental footprint.

• ▶Driving collective progress of the cloud for the benefit of society

At OVHcloud, everything starts with people. Men and women are the Company's best assets: it is their talent that ensures its success. “Working together” is one of the Group's fundamental values. This collective aspect is extended to its ecosystem, and in the desire to see the European cloud segment progress. This third pillar of commitment breaks down into three areas of action:

• •attracting and developing skills in a collective adventure within a diverse and inclusive Company;
• •collaborating and developing coalitions with stakeholders in the European cloud ecosystem;
• •promoting local anchoring and societal commitment by working on digital inclusion.

To manage its corporate social responsibility (CSR) ambitions, OVHcloud has set up a dedicated governance structure, closely associated with the management of the Group’s overall strategy.

The Board of Directors strives to promote the Company’s long-term value creation by considering the social and environmental challenges of its activities. In connection with the strategy defined, it regularly examines the opportunities and risks such as financial, legal, operational, social and environmental risks, including climate risk, as well as the measures taken as a result. The medium-term CSR priorities and targets were approved by the Board of Directors in 2022 and are reviewed annually by said Board. They are monitored by building on the work of its committees. In May 2024, an extraordinary strategy seminar attended by the independent directors was organised, at which a wide range of topics concerning governance and management were discussed, including the CSR policy, its application and the progress of related projects.

Established after the Group’s IPO in 2021, the Strategy and CSR Committee has the task of preparing the work and facilitating the decision-making process of the Board of Directors on strategic and CSR issues. In terms of CSR, it is notably responsible for:

• ▶ensuring that matters relating to social and environmental responsibility (such as diversity and non-discrimination policies and compliance and ethics policies) are taken into account in the Group’s strategy and in its implementation;
• ▶reviewing the non-financial performance statement on social and environmental matters provided for in Article L. 22-10-36 of the French Commercial Code (Code de commerce);
• ▶examining the opinions expressed by investors, analysts and other third parties and, if applicable, the potential action plan drawn up by the Company to improve the points raised on social and environmental matters;
• ▶reviewing and assessing the relevance of the Group’s social and environmental commitments and strategic directions on social and environmental matters, in light of the challenges specific to its activity and objectives, and monitoring their implementation.

The Audit Committee ensures the effectiveness of the risk monitoring and internal control system, including CSR risks and climate change risk, as well as the review and monitoring of the systems and procedures in place to ensure the dissemination and the application of policies and rules of best practice in terms of ethics, fraud and corruption and, more generally, compliance with regulations in force.

Lastly, the Appointments, Compensation and Governance Committee is responsible, among other duties, for the annual review of the Board of Directors’ diversity policy as well as monitoring the gender parity rate, age and diversity of skills.

The role and work of the Board of Directors and its committees are presented in Sections 4.1.5 and 4.1.6 of this Universal Registration Document.

The Strategy and CSR Department, which reports to the Chief Executive Officer, is responsible for the implementation of the Group’s major strategic directions, which it helps to define, as well as for the development and coordination of the CSR policy, with the aim of engaging the Company in a process of continuous improvement, of enhancing its commitments and of measuring the effects of the CSR programme. The Strategy and CSR Department reports to the Executive Committee on a regular basis on the progress of the CSR programme, its main initiatives and their updates.

The CSR programme commitments are drawn up and monitored by the CSR Steering Committee. Coordinated by the Strategy and CSR Department, it is composed of a central CSR team and operational department representatives involved in the implementation of the CSR action plan. The Committee meets weekly to define, monitor and adjust CSR action plans.

OVHcloud developed a Group risk map in 2020. It has been updated twice: first in 2022 and again in 2023 (see Chapter 2 of this Universal Registration Document for a description of the Group's risk factors). In addition, the Group created its first materiality matrix in 2022, focusing on CSR issues. Its review in 2024 did not result in an update.

In 2022, OVHcloud put together its first materiality matrix by interviewing its external and internal stakeholders, in order to determine the Group's most material CSR issues, i.e., those that have or could have an impact on the Group’s ability to create or protect financial and non-financial value for itself and its stakeholders.

This exercise was carried out in four stages: identification of potential CSR issues, confrontation of these issues with external and internal stakeholders, consolidation of the results and, lastly, the main lessons learned from the analysis of these results.

OVHcloud has defined a list of 24 potential CSR issues, subdivided into three categories: environment, business conduct and social/societal.

OVHcloud addressed this list of potential issues with its internal and external stakeholders during interviews, conducted in particular with its customers, suppliers, investors, representatives of its ecosystem (associations, NGOs, partners, etc.) as well as the Group's directors and managers, including the Executive Committee, in order to collect their point of view and expectations regarding each of the issues. The interviews were conducted by OVHcloud's teams, with the exception of investors, who were consulted through a perception study carried out by an external service provider. OVHcloud also consulted its employees (excluding the Executive Committee and other managers) through an online survey.

An interview guide has been drawn up to guide the various interviews. This guide was used as the basis for the online survey tool.

The main question concerned the rating of the issues according to the level of expectation for each of them, according to the following grid:

• ▶0: no expectation. OVHcloud does not have to particularly commit to this issue;
• ▶1: limited. Issue for which OVHcloud can implement some actions, without integrating them into its strategy;
• ▶2: important. OVHcloud should adopt a policy, targets and an action plan concerning this issue;
• ▶3: priority. This issue must be a major strategic priority for OVHcloud.

A total of 231 people were consulted, including:

• ▶management (shown on the horizontal axis of the matrix):
  • •the Chairman of the Board of Directors,
  • •18 management representatives including the Chief Executive Officer and the entire Executive Committee as well as the main regional managers;
• ▶stakeholders (represented on the vertical axis of the matrix):
  • •34 external stakeholder representatives: customers, suppliers, public authorities, investors, members of the OVHcloud ecosystem (associations, partners, NGOs, etc.),
  • •178 employees surveyed.

The voice of the public authorities was expressed by the person responsible for public affairs at OVHcloud.

For investors, the rating was carried out by transposing the 2022 “ESG Investors” perception study carried out by an external service provider to a similar rating grid and a slightly more limited list of issues.

The analysis of quantitative and qualitative data was carried out with the support of a CSR consulting firm, according to the following methodology:

• 1 .consolidation of results: for internal and external stakeholders, the average rating of the issues was established on the basis of an equal weighting of the results within each stakeholder category, then between the categories. For management, the ratings assigned by the Chairman and the Chief Executive Officer were given more weight than the responses of management representatives;
• 2 .formalisation of the matrix: the ratings thus obtained made it possible to place each issue on the horizontal axis (average allocated by management) and on the vertical axis (average allocated by internal and external stakeholders);
• 3 .analysis of the results: the key lessons are drawn from the compilation of the analysis (correlations, dispersions, ranking of issues, comparison according to stakeholders) of the results.

* For the detailed wording of the issues, see the table in the section on identifying issues above.

• ▶Overall, internal and external stakeholders are aligned on the most material issues, particularly those related to the Group’s core business, a sign of a good understanding between OVHcloud and its ecosystem. These are issues relating to data sovereignty, low-carbon trajectory, efficient energy management, cybersecurity and data protection, environmental labelling and carbon transparency, and securing strategic supplies.
• ▶Three major issues stand out in particular, consistent with the Group’s vision and strategic directions:
  • •data sovereignty;
  • •low-carbon trajectory;
  • •efficient energy management.
• ▶Important issues are also aligned on more generic but fundamental issues for the Company's operation such as a responsible supply chain, eco-design, business ethics, responsible water management, attraction and retention of talent, reliability and customer trust, health, safety at work and employee well-being, diversity and inclusion, innovation and R&D for Green IT.
• ▶Regarding deviations (which remain limited), we note that management places particular importance on the attraction of talent and customer trust, whereas stakeholders have strong expectations concerning continuity of service – in terms of cybersecurity and resilience to climate change – and environmental labelling.
• ▶OVHcloud is clearly recognised for issues relating to the differentiation of its offering, linked to its value proposition: price transparency, eco-design, a responsible approach to resource management and, above all, data sovereignty. Nevertheless, expectations are very high regarding these issues, which rank among the most material.
• ▶When asked about the issues on which OVHcloud needs to progress, stakeholders were generally less vocal than management. The most frequently mentioned issues were cybersecurity and data protection, environmental labelling, diversity and inclusion, talent attraction and retention and contribution to the digital transition and digital accessibility.

• ▶Interactions with the Group's various stakeholders during the 2024 financial year confirm the main conclusions drawn from the analysis carried out in 2022.

Leading European cloud services provider, OVHcloud, is at the heart of the digital revolution, which opens the way to a multitude of opportunities in terms of applications and technology. In this context, the Group offers its customers cloud solutions covering all their uses – supporting them in their digital transformation, enabling them to innovate by building cloud native applications or helping them leverage the power of data. In fulfilling this mission, the Group offers its customers the freedom to build their most ambitious projects in a secure, compliant and sustainable cloud environment. For OVHcloud, everyone must be able to control their data and be guaranteed that they are secure. Free choice and openness in terms of services and innovation are the foundation of the relationship of trust established with its customers and partners. This also involves a range of services offering the best price-performance ratio and transparent and predictable rates.

OVHcloud’s activities focus on the computing capacity, storage, processing and transfer of its customers’ data, including personal data, as well as business-critical data. Data sovereignty, security and confidentiality form the basis of the Group’s value proposition and the foundation of the relationship of trust that unites it with its customers. OVHcloud ensures the highest level of data protection. This level of excellence is supported by an effective data governance system. The Group is also campaigning for a European cloud, guaranteeing the technological independence of Europe and the sovereignty of its data.

OVHcloud implements security measures at all its datacenters and processes to protect its customers worldwide.

OVHcloud considers cybersecurity to be a pillar of its development strategy. The Group's ability to protect its customers' data and processing workloads is a key factor in the trust they place in the Group. The Information Systems Security Policy (ISSP(1)) provides the cybersecurity reference framework for OVHcloud. It describes the context in which it was set up and its three basic principles:

• ▶deployment of a large-scale, industrial approach to security. Security is an integral part of the product development cycle. The security team is constantly involved in deciding what security measures to adopt to prevent and mitigate risks. This approach is based on standardised security measures, architectures that are secure from the outset, and formal, tried-and-tested, highly automated processes. The standardised security measures are supplemented by additional measures in consideration of the specific features of each project. Lastly, OVHcloud operates a permanent threat analysis system based on continuous system monitoring, enabling it to systematically adapt its operational practices to immediate risks and to respond effectively to security incidents;
• ▶positioning of OVHcloud as a trusted player within the ecosystem. As a global cloud provider, OVHcloud has a major responsibility in the fight against security threats. The Group deploys large-scale protection tools and automates the protection of its customers' systems against these threats. OVHcloud's security team and technical experts maintain strong operational relationships with security expert communities, authorities, software publishers and hardware manufacturers. This enables the Group to anticipate new threats and vulnerabilities, and mitigate the related risks. In addition, OVHcloud shares its innovations and knowledge with the security community and promotes responsible disclosure. Lastly, the Group's security systems are regularly assessed by trusted third parties on the basis of recognised audit standards;
• ▶operating a trusted cloud for all. OVHcloud offers its solutions to all types of customer across all industries: startups, SMEs, large companies, public authorities and multinational companies. Every OVHcloud customer has its own approach to security, depending on its business sector and/or sovereignty requirements. OVHcloud ensures the security of the services provided and the underlying infrastructure, and offers its customers a high level of transparency regarding the accompanying security measures. OVHcloud is also committed to personal data protection, as a controller for its customers' data and as a personal data processor in cases where its customers are themselves data controllers. The information systems security policy supports this commitment by defining, implementing and improving security measures to protect hosted personal data.

Security management is organised based on internationally recognised standards that highlight these principles. The Group has obtained numerous national (SecNumCloud, ACN, ENS, C5)(2) and international (ISO 27001, ISO 27701, PCI DSS, SOC 2 type 2) certifications and certifications specific to certain segments (HDS, HIPAA and HITECH for health, EBA and ACPR PSEE for financial services), which meet the highest French, European and international data protection standards.

In addition, OVHcloud has internal procedures for information systems security and constantly raises its employees’ awareness of the risk of computer attacks, in particular by carrying out cyber attack simulations. The Group organises up to three campaigns per week, built from sophisticated scenarios inspired by real cases, tested on randomly chosen populations. Several indicators are observed, including the percentage of employees tested, the reporting rate and the compromise rate (percentage of employees on whom the phishing worked) and conversely, the success rate of simulation campaigns. It is the latter indicator that constitutes the benchmark performance indicator. In 2024, the success rate of cyber attack simulation campaigns was 87%, a slight decline compared to 2023, due to tougher test campaigns to prepare teams for more realistic scenarios. As the calculation of this key indicator does not take into account the complexity of campaigns, it does not fully reflect the reality of user awareness on a comparable basis from one year to the next.

As the cloud relies on physical infrastructures, data security also involves securing OVHcloud’s sites, with particular attention paid to its datacenters, which house the servers on which the data are stored or transferred. These sites are particularly important to ensure the continuity of customers’ business. OVHcloud therefore implements a large number of measures to protect its sites, including:

• ▶security and 24/7 surveillance;
• ▶an anti-intrusion system;
• ▶strict access control;
• ▶regular contact with the authorities.

On the night of 9 to 10 March 2021, a fire broke out in one of the four OVHcloud datacenters in Strasbourg, France. Since then, the Group has launched a Hyper Resilience plan, aimed, in particular, at taking safety standards beyond regulatory standards and insurers’ recommendations.

The inauguration of the new datacenter in Strasbourg, SBG5, in September 2022, demonstrated the first concrete results of the Hyper Resilience plan. The result of a €30 million investment launched in April 2021, the site is the first of a new generation of hyper-resilient and more sustainable datacenters. Covering an area of 1,700 sq.m., SBG5 has a total of 19 isolated rooms with masonry that compartmentalises the different segments in order to provide two hours of fire resistance.

Press release: https://corporate.ovhcloud.com/en-gb/newsroom/news/SBG5-opening/

In accordance with its commitments, the Group has launched a new datacenter dedicated to raw data backups (snapshots) and remotely situated from service operating sites. Initially deployed for French customers, the Group plans to roll out this service more generally in order to extend it to all its solutions and locations.

OVHcloud processes a very large amount of personal data every day, both on behalf of its customers, through its cloud products and services, and on its own behalf.

OVHcloud's top priorities are data security, the transparent and proportionate use of the Group's customer information, and the protection of customer data from foreign laws with extraterritorial application.

OVHcloud has adopted a personal data processing policy that complies with the strictest regulations and applies to all its entities and employees. The policy guarantees customers that their data are secure and ensures compliance with the GDPR and all applicable national legislation, such as the UK Data Protection Act, the Australian Data Protection Act and Quebec's Law 25. It is implemented under the supervision of the Data Protection Officer (DPO), whose role is described in Chapter 2 of this Universal Registration Document.

• ▶Data governance

The following data protection committees and workshops are held on a regular basis to ensure compliance with applicable laws and to monitor any measures these laws may require:

• ▶the Internal Project Review Committee, whose purpose is to review project relevance and compliance with the principle of privacy by design by taking into account technical, IT security and personal data processing requirements (50 projects reviewed during the 2024 financial year);
• ▶ad hoc committees to manage projects involving new tools or services for customers;
• ▶monthly monitoring committees between the DPO and key data protection players, such as the Chief Information Systems Officer (CISO), customer service staff and representatives of the Information Systems Department.
• ▶Team training and awareness-raising

Group employees are given mandatory training in data protection as soon as they join OVHcloud, regardless of the Group subsidiary for which they work.

The training takes place in two stages: (i) during onboarding week, attended by all new employees, including members of the Executive Committee, and (ii) through the compulsory e-learning programme accessible via the Group's e-learning platform.

• ▶Compliance documentation and procedures

OVHcloud documents compliance through its data processing records and impact assessments.

To facilitate the management of this documentation, OVHcloud has invested in a data governance tool that centralises all key data protection information.

In addition, OVHcloud has a set of procedures designed to ensure compliance with data protection principles. These include:

• •a policy for handling requests to exercise rights;
• •a personal data storage policy;
• •a policy for managing security incidents (data breaches);
• •a policy for managing data retrieval requests;
• •a policy for managing authorisations to travel with OVHcloud equipment outside the European Union.

• ▶Rights of data subjects

OVHcloud has made an online form available on its website to enable data subjects to exercise their rights. The form ensures that requests are traceable and receive a response within the appropriate time frame.

Requests are handled by a dedicated five-person team within the Group customer service division, who respond to such requests on a daily basis.

• ▶Data breaches

Data security is central to OVHcloud's business. The Group has put in place a series of measures designed to prevent data breaches.

In addition, the DPO's and CISO's teams work closely together to ensure that IT incidents are properly addressed and to prevent any personal data breaches.

OVHcloud also keeps records of data incidents and breaches in accordance with the GDPR and local legislation such as Quebec's Law 25.

• ▶Protection against foreign interference

OVHcloud implements technical and organisational measures to protect data hosted by its European customers within the European Union against interference from non-European authorities. From a technical perspective, neither the infrastructure hosting this data nor any personal data relating to customers can be accessed by OVHcloud entities or third-party partners located in third countries that do not guarantee the same level of data protection as the European Union.

For this reason, the Group's US entities are not involved in the services provided to OVHcloud's European customers and do not have the technical ability to access the data these customers host in OVHcloud's European datacenters. As a result, the US entities have no control over the data stored in these datacenters and cannot comply with data requests from the US authorities.

Only entities located within the European Union or in countries whose level of protection has been the subject of an adequacy decision by the European Commission, in particular Canada, may, under the terms of service in force, take part in the provision of services to OVHcloud's European customers and perform technical work on the infrastructure hosting these customers' data.

Ethical data processing has always been at the heart of OVHcloud's business model. It involves processing users' data in such a way as to guarantee privacy, and is demonstrated through four commitments:

In order to carry out these various projects and commitments, OVHcloud has set up several bodies enabling federated data governance:

• ▶the Data Coordination Committee guarantees strict control of the quality of the data and its consistency by reinforcing ISO 27001 and ISO 27701 standards;
• ▶the Sovereignty working group brings together various OVHcloud players to protect customer data from international players.

OVHcloud defends a European open cloud model, which guarantees the protection of the data of citizens and organisations and which ensures Europe’s digital sovereignty, a key component of the continent's strategic independence. To this end, OVHcloud shares its vision and proposals with political and institutional participants in public decision-making, either directly with these players or in conjunction with representative associations, through its ecosystem of partners or as part of public events.

OVHcloud intends to fully assume its role as the European cloud leader. Spearheading initiatives on a French, European and international scale, the Group is proactively campaigning for the development of an ecosystem of European cloud providers capable of meeting the needs of users.

Digital sovereignty and a level playing field in the European cloud market are fundamental to guaranteeing freedom of choice for cloud service users. OVHcloud works on several fronts to raise awareness of the issues surrounding data processing – and the importance for organisations of controlling their most sensitive data – and cloud interoperability, for example. Its initiatives include participation in trade fairs, round tables, debates, keynotes and discussions with representatives of national, European and international institutions, as well as the organisation of ad hoc events.

The European cloud model championed by the Group implies a European vision of personal data protection, and consequently a commitment at the level of the ecosystem, on both a European and a national scale.

• ▶Creation of the Trusted Tech Strategic Sector Committee(4)

In October 2022, Michel Paulin, then Chief Executive Officer of OVHcloud, was tasked by the French government with structuring and consolidating the French trusted tech sector, in which the cloud plays a central role.

• ▶Founding member of Gaia-X

OVHcloud participated in the creation of Gaia-X(5), a European initiative launched in 2020 whose objective is to build a federated, open, secure and transparent digital ecosystem. It aims to enable users to benefit from cloud services that meet their needs, both technically and legally, and offer them appropriate guarantees, in particular in terms of data protection, interoperability, security or immunity to extraterritorial laws. As part of Gaia-X, OVHcloud is promoting the introduction of a label for cloud services guaranteeing users an appropriate level of data protection. In 2023, OVHcloud was re-elected to Gaia-X's Board of Directors for two years.

• ▶Founding member of the European Alliance for Industrial Data, Edge and Cloud

OVHcloud is also a founding member of the European Alliance for Industrial Data, Edge and Cloud(6), an initiative launched by the European Commission, which mobilises 57 European industrial players to strengthen Europe’s ability to develop its own cloud and edge technology, taking into account the challenges of sovereignty and sustainable development. OVHcloud took part in the Alliance's general meetings and contributed to deliverables.

Building on all these commitments, the Group, alongside its ecosystem, supports legislative projects and initiatives that are able to support European digital sovereignty and the establishment of a level playing field for the cloud market, such as in France with the bill to secure and regulate the digital environment, and in Europe with the Digital Markets Act (DMA), the Data Act and the development of a European cybersecurity scheme for the certification of cloud services, known as EUCS. The Group also backs ongoing investigations worldwide into restrictive practices in the cloud market, as recently identified by the French Competition Authority and many other countries including the Netherlands, Spain and the United Kingdom.

At the forefront of the sustainable cloud, OVHcloud has integrated sustainability at the heart of its business model since its creation, by developing industrial innovations to limit its environmental impact. During the 2024 financial year, OVHcloud pursued its climate performance trajectory by fine tuning its existing environmental objectives. Accordingly, the quantified objectives presented by the Group this year reflect its ongoing commitment in favour of sustainable and responsible practices.

OVHcloud’s environmental action is structured around three pillars:

• ▶innovation, at the heart of its industrial model;
• ▶implementation of the Paris Agreement;
• ▶communication and awareness-raising on all the impacts of the cloud, in order to guide consumption choices.
• The Paris Agreement, adopted in 2015, aims to limit the global average temperature increase to 1.5°C above pre-industrial levels. The parties to the Agreement commit to reducing their greenhouse gas emissions and strengthening their resilience to climate change. In this context, OVHcloud has been committed since 2023 to a process following the Science Based Target initiative (SBTi), an international benchmark that helps organisations to align their decarbonisation strategy with the pathway defined by the Paris Agreement.

To measure its energy and environmental performance, OVHcloud monitors four key indicators:

• ▶PUE (Power Usage Effectiveness), which measures the energy efficiency of the Group’s datacenters: it is the ratio between the total energy used and the electricity used to power the servers;
• ▶WUE (Water Usage Effectiveness), which measures the efficiency of water use: it is the ratio between the water consumption of cooling systems in litres and the electricity used to power the servers;
• ▶CUE (Carbon Usage Effectiveness), which measures the carbon intensity of the datacenters, taking into account the characteristics of the energy source: this is the ratio between greenhouse gas emissions from scopes 1 and 2 and the electricity used to power servers;
• ▶REF (Renewable Energy Factor), which measures the proportion of renewable energy consumed by the datacenters compared to their total consumption.
• GHG (Green House Gas) emissions are measured in kilograms or tonnes of carbon dioxide(8). OVHcloud changed its methodology for measuring greenhouse gas emissions to adopt the GHG Protocol, in preparation for its SBTi process. Two accounting methods are implemented in parallel: the location-based approach, which takes into account the average emission intensity of the local electricity grid where the energy consuming company is located, and the market-based approach, which takes into account the energy sourcing choices made by the company, including Energy Attributes Certificates (EACs), which are official and traceable instruments for certifying the renewable origin of a given quantity of electricity.
• In 2023, the scope of measurement for PUE and WUE had changed compared with 2022. It remained constant in 2024. In addition, as part of its ongoing pursuit of transparency, the Group has expanded its list of monitored performance indicators.
•  

At OVHcloud, everything starts with people. Men and women are the Company's best assets: it is their talent that ensures its success. “Working together” is one of the Group's fundamental values. This collective aspect is extended to its ecosystem, and in the desire to see the European cloud segment progress. Aware of its impact and its responsibility, OVHcloud intends to make digital technology a driver for socio-economic development.

In order to maintain the reliability and comparability of the indicators set out below, the Group has not included Gridscale, which was acquired on 4 September 2023 and is currently being included for CSR reporting purposes. Once it has been included, the Group can guarantee that its social responsibility approach is comprehensive.

In a highly competitive job market despite the tense international environment, attracting and developing new skills remains a priority for OVHcloud.

The Group continued to hire during the 2024 financial year. As a result, 437 people embarked on the OVHcloud adventure, representing a net increase in headcount of more than 1% over the past year, primarily outside of France, which increased the number of employees on permanent contracts in the Group's workforce. In two years, the Group's total headcount has grown by more than 4%.

In addition to recruitment, talent retention is a second key issue in order to capitalise on knowledge and enable the overall skills development of the teams. The benchmark performance indicator for monitoring talent retention is the loyalty rate, which measures the rate of employees present in the Group one year after their arrival. This rate continued to improve, reaching 81% in 2024.

The Group also monitors the rate of voluntary departures, which measures staff turnover. In 2024, this rate amounted to 9.20%, a one-point improvement on 2023 (which was already a year-on-year improvement of over 4 points). The aim is to maintain the voluntary departure rate at 15% or less (which is considered to be the industry average). In addition, the average length of service for voluntary departures has stabilised at over three years since the 2021 financial year (3.4 years in the 2024 financial year).

Lastly, OVHcloud regularly measures the level of engagement of its employees based on the results of internal surveys conducted each year via a survey software (Peakon). The engagement scores for the 2024 financial year were 7.2/10 in the December survey and 7.3/10 in the June survey. The response rates were 84% and 86% (similar to last year), respectively, further testifying to the level of employee engagement. The employee engagement score is a key performance indicator that was included in the annual variable compensation of executive corporate officers (for 15%) and members of the Executive Committee (for 9%) in 2024.

OVHcloud is distinguished by its flagship commitments, particularly in support of data sovereignty, and by a strong corporate culture, backed by common values that guide each of the Group’s actions:

• ▶Trust: trust commits OVHcloud to its ecosystem and enables its employees to express their talent.
• ▶Working together: OVHcloud has a profound belief that individual success only serves collective success. The collective dimension is essential for exploring and building the cloud of tomorrow and to achieve this, each person is important and makes a contribution at their own level.
• ▶Passion: the passion for technology and adventure is essential at OVHcloud, it promotes innovation and surpassing oneself.
• ▶Disruption: OVHcloud is constantly seeking to simplify its processes and organisations in order to be more efficient and reduce costs. Thinking differently is encouraged by the Group to create ever more value for customers and the ecosystem.
• ▶Responsibility: OVHcloud takes its responsibilities seriously. The Group is aware that each innovation can be positive or negative depending on how it is used.

The OVHcloud employer brand is the core of its employee value proposition and aims to attract and retain talent.

The OVHcloud employer brand is built around four pillars that echo the Group’s values:

• 1 .“At OVHcloud, everything starts with people”: people are at the heart of the Group’s DNA, which is why OVHcloud has developed services and benefits to improve the quality of life at work for all. From concierge services to company daycare, from contracted remote working to collaborative spaces, everything is done to ensure that everyone finds their place, at their own pace and in accordance with their values.
• 2 .“Innovate in total freedom”: an OVHcloud expert is one who has acquired cutting-edge skills while maintaining the desire to explore, break new ground and innovate. OVHcloud recruits passionate and exciting people who want to do and share. Designing the cloud of tomorrow is a question of disruption. To this end, the Group needs everyone's input.
• 3 .“Growing and fulfilling”: moving in step with technology and thinking outside the box is what characterises OVHcloud. Change position or profession, there is no ready-made trajectory at OVHcloud. The aim is to offer everyone the opportunity to take an interest in a new field, to extend their skills and think about their new expertise through the prism of their experience.
• 4 .“Building the world of tomorrow together”: as a major cloud player, the Group believes we all have a role to play in the industrial transformation of the sector, and more broadly in the changes impacting our world. Providing an open, sustainable and people-centric cloud means working hand in hand for collective progress.

With all business units represented and women representing almost 30% of employees by 2024, the ambassador programme is helping to boost OVHcloud's image, thanks to its dynamic community. Our ambassadors participated in over 35 physical events (conferences, school events, trade fairs, tech events and job fairs).

The Careers site, the first version of which went online in 2022, was overhauled in 2024 with the addition of a page dedicated to diversity, equity and inclusion. While it has helped to highlight and promote the OVHcloud employer brand, it will be modernised in 2025 and will provide more content to meet the expectations of prospective employees.

Aware of the importance of cultivating its human capital, OVHcloud trained 75% of its workforce in 2024. In the 2024 financial year, 2,200 employees attended at least one training course, i.e., almost 250 more employees trained compared to the prior year.

Not only is OVHcloud continuing to strengthen the key skills needed to support the Company's growth, such as management, safety and technical skills, but, in 2024, the Group also offered more cross-functional (Other) training to develop the career prospects of its employees and its commitment to compliance topics by increasing the number of employees trained from 3% to 18%.

OVHcloud confirms its desire to encourage the development of skills in all areas and become a learning organisation. The Company therefore continues to invest in the following areas, which are considered essential to achieving its strategic ambitions:

• ▶supporting managers in their role, based on an ambitious programme aimed at all managers and tailored to their position in the Group's organisational structure. The aim is to train all new managers, 70% of middle managers and 100% of advanced managers in two years in line with OVHcloud's leadership module. More than 400 managers attended at least one training course in the 2024 financial year;
• ▶reinforcing the acquisition of cross-functional skills to develop employability and meet our compliance commitments. For example, nearly 300 employees received training on the Climate Fresk, i.e., almost 10% of the workforce;
• ▶continuing to invest significantly in technical skills to support growth through training on products, technology and operations, and offering the possibility to certify these skills;
• ▶developing a strong culture of safety and resilience to support the opening of new datacenters around the world;
• ▶language courses, to enhance OVHcloud's international positioning.

To support its training policy and reinforce its role as a learning organisation, OVHcloud has made a major change to its Learning Management System (LMS) and now has a dedicated skills development solution to speed up the roll-out of training initiatives. With almost 86% of employees having connected at least once to the new LMS and more than 115,000 visits in 2024, OVHcloud is making it easier for its employees to access training.

OVHcloud is also looking to familiarise its employees with the challenges of the future by offering awareness-raising webinars throughout the year in areas such as artificial intelligence, soft skills and cybersecurity. The webinars on artificial intelligence, for example, were attended by over 600 participants.

Safety at work is a central priority for OVHcloud and is a key performance indicator of the CSR policy. In order to promote the prevention of health and safety risks, the Group has defined three major priorities:

• ▶reducing the number of work-related accidents;
• ▶complying with legal health, safety and environment (HSE) requirements and other requirements applicable in all countries;
• ▶implementing all satisfactory measures to protect the health and physical integrity of the Group’s employees, customers and local communities and protecting the environment.

To achieve this, the following measures were implemented:

• ▶involving the entire management line in the commitment to its health, risk prevention and environment policy;
• ▶anticipating risks upstream in the product design phase;
• ▶empowering all employees to maintain a healthy and safe workplace;
• ▶developing a culture of professionalism, discipline and respect for the rules among all employees;
• ▶ensuring the deployment of the “Be Smart, Be Safe!” Health and Safety Programme.

During the 2024 financial year, the total number of accidents fell again, both in terms of the number of accidents and their severity.

This was made possible by a number of actions taken during the 2024 financial year:

• ▶review by OVHcloud of part of its golden rules in terms of safety as part of its #StaySafe approach. The golden rules deal with:
  • •the working environment,
  • •work permits,
  • •fire prevention and evacuation; and
• ongoing compliance with its other golden rules:
  • •shared vigilance and cooperation,
  • •pedestrian traffic,
  • •movement of machines,
  • •personal and collective protective equipment,
  • •work at a height,
  • •energy and reporting,
  • •movements and postures.

The #StaySafe approach embodies a mindset to be adopted in order to identify and avoid dangers. It follows four steps:

• ▶survey the work environment and identify hazards;
• ▶analyse the consequences of hazards and anticipate the necessary individual and/or collective protection measures;
• ▶foster reliability by implementing prevention measures with the help of the health and safety department, contractors and managers;
• ▶execute the work once all the safety conditions have been met.

In the 2024 financial year, the Group continued to invest in training its technical teams with the aim of strengthening its safety culture. Training of on-site managers has been rolled out to part of the workforce. In 2024, the safety champions took action to improve safety at their respective sites. at each site among volunteers, to liaise with the technical teams to improve the safety culture. Lastly, the Group organised internal awareness-raising events such as World Safety Week, which is held each year at all OVHcloud sites and to which all employees and permanent employees are invited.

In addition, OVHcloud is committed to employee health, with a focus on prevention.

• ▶Since 2016, the Roubaix site has had a dedicated medical centre with various health professionals (general practitioner, osteopath, dietitian, physiotherapist, optician, etc.) available to employees.

• ▶Awareness-raising conferences led by health specialists and open to all employees are regularly organised on various subjects (conferences on psychosocial risks).

OVHcloud will continue its commitment to prevention in 2025. The priorities are as follows:

• ▶The month of October 2024 is dedicated to the fight against cancers that affect women: as part of Pink October, OVHcloud will continue to raise awareness of breast cancer by organising workshops led by midwives or nurses to its employees in France and an awareness-raising conference for all employees in France and internationally.
• ▶The month of November 2024 is dedicated to the fight against cancers that affect men: as part of Movember, the Group will be organising workshops led by urologists to its employees in France and an awareness-raising conference for all employees in France and internationally.
• ▶The prevention of musculoskeletal disorders (MSD): the Group will be organising workshops in France to prevent occupational risks in terms of movements and postures, as well as a conference on adapting workstations for remote working and manual jobs for all employees in France and internationally.
• ▶Melanoma prevention: the Group is planning to organise dermatological screening days at its sites in France.

The Group also implements different measures:

• ▶medical teleconsultation with Angel in France and Dialogue in Canada;
• ▶initiatives to promote regular sports activities (gyms, activities for coaches, support for sports assessments);
• ▶psychological, social and legal assistance with Qualisocial and Dialogue in Canada.

To promote quality of life at work, OVHcloud also actively offers parenthood initiatives. As a result, a position of parenting advisor, responsible for supporting, advising and guiding all parents and future parents has been created. In addition to the crèche located at the Company's premises in Roubaix for the past decade, a nationwide partnership with Babilou(12) and an OVHcloud parenting handbook, specific support is provided when a child arrives. This includes support in announcing the arrival of a child, preparation for maternity, adoption or parental leave, support when returning to the Company with a dedicated re-boarding process, support in finding childcare, etc. Conferences and workshops are also offered on a regular basis.

The Group has received several awards in recognition of its efforts in recent years:

• ▶the Compensation & Benefits Trophy awarded by the ORAS(13) club in December 2021 for the Group's employee well-being programme;
• ▶the gold prize at the Human Capital Leaders' Victories on the quality of work life theme in May 2022;
• ▶the Wellbeing Leader Certificate from the Polish Wellbeing Institute in 2021 and 2022, also in recognition of the Group's quality of life at work policy.

Further recognition received during the 2024 financial year included:

• ▶for the fourth consecutive year, the HappyIndex®Trainees & HappyIndex®Trainees Alternance 2023-2024 label, which rewards companies that take care of their interns and apprentices;
• ▶in Germany, recognition as Top Company 2023 by Kununu for the third year running;
• ▶ranking second in the 2024 LinkedIn Top Companies list (in the midsize companies with between 250 and 5,000 employees category);
• ▶the International Employee Share Ownership Trophy awarded by the ORAS club in December 2023.

Convinced that everyone has a role to play in facing the biggest societal challenges of our time, OVHcloud wishes to support its employees in their life journey, so that everyone can grow and develop in a caring environment. With this in mind, the Group is committed to combating all forms of discrimination and to offering a working environment that respects differences and allows everyone to fully express their talents. OVHcloud has structured its diversity, equity and inclusion policy in 2022 and intends to strengthen it during the 2025 financial year. An internal charter exemplifies this policy. It is shared via the Company's intranet and is available to all Group employees.

• ▶Diversity and collective intelligence are key drivers for innovating and achieving excellence. Globalisation of the teams is one component. In 2024, more than 60 nationalities were represented within the Group.
• ▶The proportion of women in teams, which is a major issue for tech businesses, is a key priority and a performance indicator for the Group’s CSR policy. A gender equality action plan is drawn up and reviewed regularly with employee representatives in France. The plan addresses the issues of recruitment, professional development, compensation and work-life balance. In recent years, the proportion of women in the Group’s workforce has steadily increased. In the 2024 financial year, the proportion of women in the total workforce increased by one point to reach 23%. The proportion of women in management has improved by three points since 2022 to 23%. The rate for the Executive Committee remained largely unchanged throughout the 2024 financial year, at 33%.
• ▶Throughout the year, a number of initiatives were put in place to inform in-house teams about diversity and inclusion issues. Notably, in January 2024, OVHcloud joined the #StOpE initiative, aimed at combating everyday sexism on a long-term basis. It also marked the start of a series of initiatives to raise awareness on the challenges and benefits of an "inclusive company", by breaking down stereotypes, prejudices and unconscious biases. The aim of these initiatives was to provide a better understanding of the main forms of discrimination while offering concrete strategies for breaking down stereotypes in everyday life.
• ▶Facilitating access to employment for people with disabilities and in collaboration with the adapted employment sector is a second important area of initiatives to promote diversity and inclusion. Through a worldwide disability policy, OVHcloud has provided the resources and means necessary to guarantee an inclusive organisation, with designated disability contact persons who implement the policy locally. All recruiters are trained in diversity issues and employees are made aware of the related challenges. Job offers are also published on the AGEFIPH (French agency promoting the employment of disabled people – Association de gestion du fonds pour l'insertion professionnelle des personnes handicapées) website.

OVHcloud attaches great importance to social dialogue, a guarantee of involvement and collective performance, and maintains high-quality relationships with its employees and their representatives. This includes negotiation, consultation and exchanges of information between management, employees and their representatives. The topics covered by social dialogue are health and safety, working hours, compensation, training and quality of life at work.

Around the world:

• ▶the proportion of employees represented by trade unions or employee representatives in 2024 was 69.60%;
• ▶the proportion of employees covered by a collective bargaining agreement in 2024 was 74.94%.

In France, employee representation is organised within an economic and social unit (unité économique et sociale) covering the French companies. The membership of the Social and Economic Committee (Comité Social et Economique – SEC) (Social and Economic Committee of the economic and social unit) was renewed at the end of 2023 and it is now composed of 43 members (incumbent and alternates combined). Three representative trade unions appointed representatives, opening up the possibility of negotiating collective bargaining agreements.

In 2024, two collective bargaining agreements were signed, one on salaries and the other on social dialogue. The agreement on social dialogue demonstrates the Company's commitment through the resources allocated to employee representatives (additional time allowances for these duties, creation of a committee dedicated to environmental issues and strategic directions, allocation of a budget for the training and travel needs of employee representatives, appointment of local representatives at all sites, etc.). With regard to employee representation on management bodies, two directors representing employees have sat on the Board of Directors since 2022.

Lastly, as mentioned above, as a company that is in touch with its employees, OVHcloud has been conducting internal opinion surveys (OVHcloud Spirit) among all its employees worldwide since 2019. The survey is conducted every six months to obtain opinions and expectations about the Company on a range of topics such as engagement, diversity and inclusion, talent development, working conditions, recognition, etc.

For OVHcloud, “working together” also means involving employees as much as possible in Company’s results. On the occasion of its IPO on Euronext Paris on 15 October 2021, the Group set up its first collective employee shareholding plan, open to more than 2,000 employees in France and abroad. 97.8% of eligible employees at that date became shareholders of OVHcloud (77.6% having invested voluntarily). In 2021, the Group was awarded the FAS Grand Prize(14), which showcases companies that develop the best practices in employee share ownership.

In 2022, the Group allowed all its employees to invest all or part of their share of the proceeds of the incentive plan in OVHcloud shares (via the FCPE mutual fund or directly depending on the country) and to benefit from a matching contribution from the Group, without increasing its capital. For this long-term approach, the Company was awarded the International Employee Share Ownership Trophy by the ORAS(15) club in December 2023. In 2023, around 70% of eligible employees decided to invest their incentive bonus (the same order of magnitude as the previous year).

In 2024, 0.6% of the share capital was held by employees through the FCPE mutual fund.

In France, a mandatory profit-sharing agreement (accord de participation) applies at the level of the social and economic unit, which provides for the distribution between eligible employees of a share of the profit of such companies, parties to the social and economic unit, calculated based on the statutory formula. The profit share is distributed on a pro rata basis according to the employee’s effective presence during the period.

An incentive agreement was signed with the Social and Economic Committee in 2022, applicable until 2024. It concerns all employees at the global level with at least three months of seniority. The performance indicators used to calculate the share of profits attributable to eligible employees include, as in the previous plan, indicators relating to adjusted EBITDA and revenue growth, to which two CSR criteria are added: energy efficiency (via PUE or Power Usage Effectiveness) and employee retention. Under the plan, profit is distributed on a pro rata basis according to the share of the country's payroll in the Group total; at the country level, profit is distributed exclusively on a pro rata basis according to each employee's effective presence during the financial year.

An amendment to this agreement was signed in 2024, increasing the weighting of CSR indicators to 60% (30% for energy efficiency and 30% for employee retention).

In France, the social and economic unit provides:

• ▶a Group Savings Plan (plan d’épargne groupe), which allows eligible employees to invest their savings, including payments under the profit-sharing agreement and the global incentive plan, in diversified investment funds and to benefit from certain social and tax advantages in exchange for a lock-up period, generally of five years;
• ▶a Time Savings Account (compte épargne-temps – CET), which allows eligible employees to save unused rest days (certain holidays, RTT, etc.) or part of their thirteenth month converted into days. They can then take these days at any time, ask to be paid for them or transfer them to another scheme to prepare for their retirement;
• ▶a Group Retirement Savings Plan (plan d'épargne retraite collectif – PERCO) which allows eligible employees to invest the payments under the profit-sharing agreement and the global incentive plan in diversified investment funds for their retirement. This scheme allows employees to benefit from certain social and tax advantages as consideration for a lock-up period until retirement. It is also a way for employees to prepare for their retirement by making voluntary payments or by transferring days from their CET to the PERCO (up to ten days per year). This transfer is then matched by their employer.

In 2024, an international employee retention plan was launched in all the Group's countries. Employees with five years of seniority were all awarded the same number of points (known as Kudos). The number of Kudos was the same, whatever the country of the employee, only its value varied according to the purchasing power parity. The Kudos can be converted into cash, gift cards, OVHcloud shares or a mixture of the three options, as desired.

The Taxonomy Regulation is a key element of the European Commission’s action plan aimed at redirecting capital flows towards a more sustainable economy. It represents an important step towards achieving carbon neutrality by 2050, in line with the EU’s objectives, as the Taxonomy is a classification system for environmentally sustainable economic activities.

The section below presents, as a non-financial parent company, the proportion of the Group’s revenue (turnover), capital expenditure (capex) and operating expenses (opex) for the 2024 financial year, associated with economic activities eligible for the Taxonomy in accordance with Article 8 of the Taxonomy Regulation and Article 10 (2) of the Delegated Act supplementing Article 8 of the Taxonomy Regulation.

For the 2024 financial year, OVHcloud was required to disclose the alignment of the Group’s activities under the two climate change objectives and just the proportion of its activities that were eligible under the following objectives: sustainable use and protection of water and marine resources ("WTR"), transition to a circular economy ("CE"), pollution prevention and control ("PPC") and protection and restoration of biodiversity and ecosystems ("BIO").

OVHcloud has analysed the technical criteria for the activities presented below in accordance with Regulation (EU) 2021/2139 as amended by Regulation (EU) 2023/2485 and has taken into account the various interpretations and frequently asked questions (FAQs) published by the European Commission, in particular, those dated 19 December 2022.

On the basis of the analyses carried out, a significant proportion of the Group's activities is eligible for the Taxonomy under Activity 8.1 Data processing, hosting and related activities described in Annex I of the Delegated Act on the climate change mitigation (“CCM”) target and CE activity 5.5 Product-as-a-service and other circular use- and result-oriented service models.

The eligible and aligned proportions under Activity CCM 8.1 Data processing, hosting and related activities of the three financial indicators required by the text – revenue, capex and opex – are presented below on the basis of consolidated IFRS data for the financial year ended 31 August 2024.

The proportion of revenue eligible for the Group's datacenter activities (CCM 8.1) increased by one point compared with the previous financial year, while those for capex and opex fell by 16 and 19 points respectively. This decrease is the result of OVHcloud's ongoing and proactive pursuit of improving the granularity of its capex and opex analysis.

In particular, this results in increased alignment of revenue and capex, with the datacenters aligned in the 2024 financial year unchanged from the previous financial year.

The term “economic activity eligible for the Taxonomy” refers to any economic activity described in the delegated acts supplementing the Taxonomy Regulation, whether or not it meets some or all of the technical review criteria set out in these delegated acts.

In order to carry out its analysis, the Group took into account all of the delegated acts describing the Taxonomy activities, namely:

• ▶the "Climate Delegated Act” (EU 2021/2039) published in April 2021 specifying the technical environmental screening criteria for the first two climate objectives; and
• ▶the "Environment Delegated Act” (EU 2023/2486) published in June 2023, which sets out the economic activities relating to the four other environmental objectives.

The Group’s eligible economic activities have been analysed on the basis of OVHcloud’s service offerings (as detailed in Chapter 1 of this Universal Registration Document) and have been assigned to the following economic activities, in accordance with the six environmental objectives of the Taxonomy.

An the beginning of the 2023 financial year, a significant proportion of the Group’s activities was considered eligible under Activity 8.1 Data processing, hosting and related activities for the climate change mitigation target. Offerings based mainly on services for the provision of storage capacity (“hosting”) meet the description of this activity. The following offerings are therefore considered eligible:

• ▶Private Cloud offerings (Bare Metal Cloud and Hosted Private Cloud) in their entirety, corresponding to offers for the provision of either dedicated physical servers or cloud capacities running on dedicated physical servers (see Section 1.3.1.1 of this Universal Registration Document for more details on the solutions proposed by the Group).
• ▶Public Cloud offerings in their entirety (see Section 1.3.1.2 of this Universal Registration Document for more details on the solutions offered by the Group). The PaaS and SaaS solutions offered by OVHcloud and hosted directly on the Group’s infrastructures are considered eligible insofar as OVHcloud has control over the physical equipment and can act on its energy efficiency.
• ▶“Web Cloud & Other” offerings only for the “Web hosting” and “Services” part, corresponding to the hosting of customer websites on the Group’s physical servers and the assistance necessary for the proper functioning of the equipment and compliance with the Group’s commitments under all of its offerings (see Section 1.3.1.3 of this Universal Registration Document for more details on the solutions proposed by the Group). Offerings or solutions relating to domain names, telephony and connectivity are not considered eligible to date because they are not directly related to the physical servers.

In general, all the solutions offered by OVHcloud, hosted directly on physical servers belonging to the Group or directly controlled by the Group, were deemed eligible for the European Taxonomy under Activity 8.1 of the climate change mitigation target.

When considering the climate change adaptation objective ("CCA"), CCA Activity 8.1 Data processing, hosting and related activities is not considered to be an enabling activity by Annex II of the Climate Delegated Act. For this reason, OVHcloud cannot consider the revenue relating to this activity as eligible, as set out in the Eligibility FAQ of 2 February 2022.

In analysing the activities under the transition to a circular economy objective, the Group identified activity CE 5.5 Product-as-a-service and other circular use- and result-oriented service models which consists of providing customers with access to products by means of service models. OVHcloud provides its customers with access to computer servers, which they can use. OVHcloud’s offerings eligible under Activity CCM 8.1 are therefore also eligible under CE 5.5.

In addition, OVHcloud designs and manufactures its own servers at its two sites in Croix (France) and Beauharnois (Canada) for its own use, as described in section 3.2.1.1 of this Universal Registration Document. The Group has therefore included CE 1.2 Manufacture of electrical and electronic equipment in its eligibility analysis. However, in the case of the manufacture of servers that the Group uses solely for its offerings, the capex relating to the manufacturing activity is taken into account and eligible under CE 5.5 Product-as-a-service and other circular use- and result-oriented service models.

OVHcloud has not identified any eligible activities linked to the objectives of sustainable use and protection of water and marine resources, pollution prevention and control, or the prevention and restoration of biodiversity and ecosystems.

The table below summarises for which environmental target the activities are considered eligible:

Unlike eligibility, which is solely based on the description of the activities, alignment takes into account the substantial contribution criteria, the "do no significant harm" principle and the minimum safeguards. For the financial year ended 31 August 2024, the alignment analysis concerns only the first two climate objectives, in accordance with the Taxonomy Regulation.

With regard to Activity 8.1 ‒ Data processing, hosting and related activities, the Group has analysed its alignment with objective 1 ‒ climate change mitigation (CCM) and objective 2 – climate change adaptation (CCA).

The Group has analysed the three cumulative substantial contribution criteria for Activity 8.1 Data processing, hosting and related activities with respect to the mitigation objective as follows:

In order to validate the alignment of its datacenters with Activity 8.1 of the climate change mitigation objective, OVHcloud then ensured compliance with the DNSH criteria for all its datacenters meeting the substantial contribution criteria (see details above).

Lastly, OVHcloud has ensured that the minimum safeguards have been met. The Group has a set of policies and processes in place to ensure that it meets the Taxonomy requirements in the areas of:

• ▶human rights and labour law (see Section 3.3.1 – Collectively attracting and developing talent within a diverse and inclusive company, Section 3.3.2.2 – Collaborating with suppliers in a responsible purchasing approach, and Section 3.3.2.3 – Ethics and business conduct);
• ▶competition (see Section 3.3.2.3 – Ethics and business conduct);
• ▶corruption (see Section 3.3.2.2 – Collaborating with suppliers in a responsible purchasing approach, and Section 3.3.2.3 – Ethics and business conduct);
• ▶tax (see Section 2.1.2.4 – Financial risks and Section 3.3.3.2 – Local presence and socio-economic impact).

The Group has put in place procedures for identifying, analysing, monitoring, evaluating and updating all the pillars.

The Group asks its suppliers to sign the supplier Code of Conduct, which provides that human rights, and in particular the principles set out in the Universal Declaration of Human Rights, must be respected. The Group continues to analyse human rights across its entire value chain.

OVHcloud complies with the provisions of the Sapin II Act of 9 December 2016.

Lastly, the Group has not been convicted for material breaches of any of the various aspects of the minimum safeguards.

The scope considered for the estimation of the three indicators is the Group consolidated scope as defined in Note 5.5. to the 2024 consolidated financial statements presented in Chapter 5 of this Universal Registration Document.

The proportion of economic activities eligible for the Taxonomy in OVHcloud's consolidated revenue was obtained by dividing the share of revenue generated by the sale of services associated with economic activities eligible for the Taxonomy (numerator) by the net revenue (denominator), in each case for the financial year from 1 September 2023 to 31 August 2024.

The denominator of the revenue indicator is based on OVHcloud's consolidated revenue, in accordance with IAS 1.82 (a) (see Note 4.3. to the 2024 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

The numerator of the indicator is defined as the proportion of net revenue generated by services associated with the economic activities eligible for the Taxonomy, as described above in the paragraph “Determination of OVHcloud's economic activities eligible for the European Taxonomy” in this section. This share was estimated on the basis of OVHcloud's management reports including the level of detail necessary for direct reading.

The aligned revenue corresponds to the revenue generated by the datacenters that have been audited by the independent third party and certified as compliant with the Code of Conduct. On the basis of the revenue generated by these datacenters, the Group has applied the allocation key described in the previous section, "Substantial contribution criteria", in order to retain only the revenue generated by watercooled servers.

At 31 August 2024, the proportion of eligible and aligned revenue was 89% and 66%, respectively, as shown in the table below:

For activities identified under multiple environmental objectives in the Taxonomy, the breakdown is as follows:

The capex indicator is calculated by dividing capex eligible for the Taxonomy (numerator) by total capex (denominator).

Total capex (the denominator) includes acquisitions of property, plant and equipment and intangible assets during the financial year, before depreciation/amortisation and before any remeasurement, including remeasurements resulting from revaluations and impairments excluding changes in fair value. It includes acquisitions of property, plant and equipment (IAS 16), intangible assets (IAS 38), right-of-use assets (IFRS 16), as well as additions resulting from business combinations (see Notes 4.10, 4.11 and 4.23 to the 2024 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

The table below shows the reconciliation of total Taxonomy capex in the Group's consolidated financial statements:

The numerator consists solely of capex related to assets or processes essential to the performance of the economic activities eligible for the Taxonomy (“category a”), which represent almost all of the capex for the financial year.

As capex is not currently monitored by service offering in the Group’s reports, a detailed analysis by type of asset was carried out and led to the following capex being considered essential for the execution of eligible economic activities:

• ▶the alignment of all capex relating to infrastructures (hardware) and their operation (fibre, network, IP addresses, components, maintenance) was determined using an allocation key based on the ratio of servers operated for an eligible economic activity to the total number of servers operated by the Group;
• ▶the eligible proportion of capitalised R&D costs was estimated at the level of each project, in order to obtain more relevant information in terms of granularity:
  • •100% of capitalised R&D costs relating to infrastructure efficiency improvement projects (equipment or software) were considered eligible as they were related to eligible economic activities;
  • •capitalised R&D costs not related to projects involving eligible activities were considered ineligible;
• ▶the eligible proportion of right-of-use assets (IFRS 16) was determined at the level of each datacenter, using an allocation based on the ratio of servers operated for an eligible economic activity to the number of servers hosted in the datacenter.

In order to determine the aligned proportion of this eligible capex, the Group used an allocation key based on the alignment percentage of each datacenter, weighted by the number of servers hosted in each datacenter. This allocation key has only been used for eligible capex relating to infrastructures (hardware) and their operation (fibre, network, IP addresses, components, maintenance).

At 31 August 2024, the proportions of eligible and aligned capex stood at 83% and 50%, respectively, as shown in the table below:

For activities identified under multiple environmental objectives in the Taxonomy, the breakdown is as follows:

The indicator relating to opex is calculated by dividing opex eligible for the Taxonomy (numerator) by total opex (denominator).

Total opex as defined by the Taxonomy refers to non-capitalised costs related to research and development, building renovation measures, short-term leases, maintenance and repairs, and all other direct expenses related to the daily use of property, plant and equipment.

Thus, total opex as defined by the Taxonomy represents approximately 31% of the Group's total opex, compared with 33% the previous year, amounting to €119.6 million and corresponding to the sum of personnel expenses, operating expenses, depreciation and amortisation and other non-recurring operating expenses (see Notes 4.4, 4.5, 4.6 and 4.7 to the 2024 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

As the Group's opex is monitored by segment but not on a granular level by service offering, allocation keys were used to identify the proportion of economic activities eligible for the Taxonomy in opex:

• ▶maintenance and repair costs, as well as rental contract costs, have been allocated to the number of servers used in an eligible economic activity, based on the number of servers hosted in the datacenter;
• ▶the proportion of eligible non-capitalised R&D costs has been estimated at the level of each project, in order to obtain information at a more granular level:
  • •100% of non-capitalised R&D costs relating to projects to improve infrastructure efficiency (equipment or software) were considered eligible, as they related to eligible economic activities,
  • •non-capitalised R&D costs not relating to projects involving eligible activities (projects relating to support functions and projects relating to telephony, connectivity and domain names) were considered ineligible.

In order to determine the aligned portion of this eligible opex, the Group used an allocation key based on the alignment percentage of each datacenter, weighted by the number of servers hosted in each datacenter. This allocation key was only used for eligible opex.

At 31 August 2024, the proportions of eligible and aligned opex amounted to 59% and 42%, respectively, as shown in the table below:

For activities identified under multiple environmental objectives in the Taxonomy, the breakdown is as follows:

In accordance with the FAQ of December 2023, OVHcloud publishes the mandatory table templates for activities related to nuclear energy and fossil gases. As the Group has no activities in these sectors, all lines indicate "No".

The non-financial performance statement for 2024, presented in this Universal Registration Document, endeavours to produce the most relevant non-financial information for the Group with regard to its business model, its activities, its major challenges from the materiality matrix and the Group’s main risks.

Therefore, OVHcloud focused on the issues and risks identified as priorities and excluded the following topics from its scope of analysis:

• ▶combating food waste;
• ▶combating food insecurity;
• ▶respect for animal welfare;
• ▶respect for responsible, fair and sustainable food.

OVHcloud measures the Group’s progress in terms of CSR in the following three areas: Environment, Business Conduct, and Social/Societal. Fifteen indicators, presented in the table below, were selected and audited by the independent third party.

Each indicator is described in this methodological note, specifying:

• ▶the method of calculating the indicator;
• ▶the data production process.

A summary table presenting the indicators and their values for the 2022, 2023 and 2024 financial years can be found in the introductory chapter of the non-financial performance statement in the “Materiality analysis and CSR risk assessment” section.

Year ended August 31, 2024

This is a free English translation of the Statutory Auditor’s report issued in French and is provided solely for the convenience of English-speaking readers. This report should be read in conjunction with, and construed in accordance with, French law and professional standards applicable in France

To the annual general meeting,

In our capacity as Statutory Auditor of your company (hereinafter the “Entity”) appointed as independent third party, and accredited by the French Accreditation Committee (COFRAC) under number 3-1884(22), we have undertaken a limited assurance engagement on the historical information (observed or extrapolated) in the consolidated non-financial statement, prepared in accordance with the entity’s procedures (hereinafter the "Guidelines"), for the year ended August 31, 2024 (hereinafter, the "Information" and the "Statement" respectively), presented in the Group’s management report pursuant to the legal and regulatory provisions of Articles L. 225 102-1, R. 225-105 and R. 225-105-1 of the French Commercial Code (code de commerce).

Based on the procedures we performed as described under the "Nature and scope of procedures" paragraph and the evidence we obtained, nothing has come to our attention that causes us to believe that the consolidated]non-financial statement is not prepared in accordance with the applicable regulatory provisions and that the Information, taken as a whole, is not presented fairly in accordance with the Guidelines, in all material respects.

Since the admission of the Company’s shares to trading on the Euronext Paris regulated market in October 2021, the Company has referred to and complies with the Corporate Governance Code for Listed Companies drawn up by the Association française des entreprises privées (the “AFEP”) and the Mouvement des entreprises de France (the “MEDEF”) as updated in December 2022 (the “AFEP-MEDEF Code”).

The AFEP-MEDEF Code with which the Company complies may be consulted online at http://www.medef.com or http://www.afep.com. The Company permanently maintains copies of the code for consultation by the members of its corporate bodies.

At its meeting on 18 July 2024, on the recommendation of the Appointments, Compensation and Governance Committee and Michel Paulin, Chief Executive Officer, the Board of Directors appointed Benjamin Revcolevschi as Deputy Chief Executive Officer of the Company.

Michel Paulin then announced that, on 23 October 2024, he wished to step down from the positions he had held as Chief Executive Officer and director since 28 September 2021.

The Board of Directors’ meeting held on October 2024 acknowledged the resignation of Michel Paulin as director and Chief Executive Officer of the Company and decided to appoint Benjamin Revcolevschi as Chief Executive Officer of the Company, following the recommendation of the Appointments, Compensation and Governance Committee. It was decided to co-opt him as director subject to the ratification of this appointment at the next General Meeting for the remainder of Michel Paulin's term of office, i.e., until 2026. Benjamin Revcolevschi also joined the Strategy and CSR Committee.

By law, the Board of Directors elects, from among its members, a Chairman who is a natural person and whose role is described in Section 3.2.1.5 above.

The Board of Directors entrusts the general management of the Company either to the Chairman of the Board of Directors (who holds the title of Chairman and Chief Executive Officer) or to another natural person, who may or may not be a director, holding the title of Chief Executive Officer.

As set out in the AFEP-MEDEF Code, the law does not give preference to either governance method over the other and it is up to the Company's Board of Directors to choose between exercising unified or separate general management, depending on its particular requirements.

Governance method

Octave Klaba was appointed Chairman of the Board of Directors at the Board of Directors’ meeting of 28 September 2021, for a period equivalent to his term of office as a director, i.e., until the end of the Ordinary General Meeting of the Company called to approve the financial statements for the financial year ending 31 August 2025.

Michel Paulin was appointed Chief Executive Officer at the Board of Directors’ meeting of 28 September 2021, for a period equivalent to his term of office as a director, i.e., until the end of the Ordinary General Meeting of the Company called to approve the financial statements for the financial year ending 31 August 2025. As mentioned in Section 4.1.1, Benjamin Revcolevschi has been appointed Chief Executive Officer and co-opted director, on a temporary basis, to replace Michel Paulin for the remainder of his predecessor's term of office, i.e., until the end of the General Shareholders' Meeting to be held in 2026 to approve the financial statements for the year ending 31 August 2025, subject to ratification of the co-optation by the next General Meeting to be held.

The separation of these positions was motivated by the need to retain the skills and experience of Octave Klaba, founder of OVHcloud, at a decisive moment in the Company's history with its IPO in 2021.

In accordance with the law, the Chief Executive Officer is vested with the broadest powers to act in all circumstances in the name of the Company. He exercises his powers within the limits of the corporate purpose. However, as an internal rule, the Chief Executive Officer exercises his powers within the limits set by the Board of Directors' internal regulations. The following decisions by the Chief Executive Officer require the prior authorisation of the Board of Directors:

• ▶the Group’s annual budget and business plan, including any modifications thereto;
• ▶any decision regarding any individual capital expenditure that would exceed the annual budget by 7.5%;
• ▶any acquisition or sale of assets (including patents and intellectual property rights), business goodwill or shares by a company of the Group, not included in the annual budget, for an individual amount exceeding €25 million;
• ▶authorisation for the Chairman to grant sureties, endorsements and guarantees;
• ▶any amendment to the Company’s Articles of Association within the conditions provided for by law; and
• ▶any decision of a Group company to enter into a new financing agreement with a third party (other than with a Group company and other than in the context of an existing Revolving Credit Facility) for an amount exceeding €25 million and not included in the annual budget.

To the best of the Company’s knowledge, the following transactions were carried out during the past financial year in the Company’s shares by the persons referred to in Article L. 621-18-2 of the French Monetary and Financial Code:

The information relating to corporate governance and constituting the report of the Board of Directors on this subject is already included in other sections of this Universal Registration Document. In order to limit repetition, the cross-reference table below provides a link between each section of the report and the corresponding paragraph of this document.

The summary of the compensation components of the executive corporate officers, Octave Klaba and Michel Paulin, paid during or awarded in respect of the 2024 financial year, as well as the 2025 compensation policy, submitted to the vote of the shareholders at the Combined General Meeting of 15 February 2024, are presented in Section 4.5.2.2.

Total compensation paid during or awarded in respect of the 2024 financial year to the Chairman of the Board of Directors and the Chief Executive Officer, the directors and other non-corporate officer executives, both by the Company and by controlled companies, within the meaning of Article L. 233-16 of the French Commercial Code, is detailed below. At its meeting of 14 November 2024, the Board of Directors of OVH Groupe confirmed that the AFEP-MEDEF Code is the code to which the Company refers, in particular concerning the compensation of executive corporate officers. This Universal Registration Document, and in particular the tables in Section 4.5.2.2 (stock subscription and/or purchase options, free shares, performance shares), have been prepared in accordance with the format recommended by the AFEP-MEDEF Code and AMF recommendation 2012-02.

The principles and criteria for determining, distributing and awarding the fixed, variable and exceptional components of the total compensation and benefits in kind attributable to the executive corporate officers by virtue of their office, constituting the compensation policy concerning them, are approved by the Board of Directors on the recommendations of the Appointments, Compensation and Governance Committee, and are subject to shareholder approval (“ex-ante vote on the compensation policy”) at the General Shareholders’ Meeting in accordance with Article L. 225-37-2 of the French Commercial Code.

In addition, pursuant to Article L. 22-10-34 of the French Commercial Code, the General Shareholders’ Meeting votes on: (i) the fixed, variable and exceptional components of the total compensation and (ii) the benefits in kind paid during or awarded in respect of the previous financial year to the executive corporate officers (“ex-post vote on compensation in respect of the previous financial year”). As a result, the payment of variable or exceptional compensation in respect of a financial year is subject to their approval by the General Shareholders’ Meeting called to approve the financial statements of that financial year.

Octave Klaba, Chairman of the Board of Directors, and the Chief Executive Officer, are the only executive corporate officers. Michel Paulin stepped down from his positions as director and Chief Executive Officer, and was replaced by Benjamin Revcolevschi by decision of the Board of Directors on 23 October 2024.

Related entities mainly include companies controlled by Octave Klaba, founder and Chairman of OVH Groupe’s Board of Directors, and other entities controlled by other members of the Klaba family, who are direct or indirect partners of the Company or by the Chairman of OVH SAS and Chief Executive Officer of OVH Groupe.

Pursuant to the agreements detailed below entered into with related parties and related to the conduct of the business, the Group recognised a total amount of operating expenses of €5,922,055 for FY2024 versus €6,445,738 for FY2023, and concerning net financial income (expense) (IFRS 16), a net expense of €77,756 for FY2024 versus €106,854 for FY2023. More detailed figures for related-party transactions are included in the consolidated financial statements for the year ended 31 August 2024.

The main related-party transactions are described in this chapter.

The Company had put in place a non-compete clause with regard to Michel Paulin, the Company’s Chief Executive Officer, for a period of one year following the end of his term of office, in consideration of compensation representing 50% of his compensation (fixed + variable) for the financial year preceding his departure. This clause was not applicable in the event of retirement or once he reaches the age of 65.

The Company reserved the right to unilaterally waive this non-compete undertaking as from the date of notification of the termination of his duties, in which case the Chief Executive Officer would be free and no compensation would be due.

This agreement was the subject of prior approval by the Board of Directors on 28 September 2021 and of a special report on 29 September 2021. This agreement was approved by the Combined General Shareholders’ Meeting on 14 October 2021.

Michel Paulin resigned from his position as Chief Executive Officer on 23 October 2024. In accordance with the provisions of the clause, the Company has decided to unilaterally waive this non-compete undertaking.

A similar clause was put in place for Benjamin Revcolevschi on 23 October 2024 in the context of his appointment as Chief Executive Officer on 23 October 2024.

OVH’s General Shareholders’ Meetings are convened and deliberate under the conditions provided for by law and in the Articles of Association.

The provisions of OVH’s Articles of Association relating to General Meetings and the procedures for exercising voting rights at General Meetings are set out in Title IV – General Meetings – Article 22 – Meetings, Composition, Deliberations, of OVH’s Articles of Association, which are available online at
www.corporate.ovhcloud.com, Governance section.

The following table presents the key figures for FY2024.

OVHcloud reported solid results, in line with FY2024 targets and embarks on a new development phase

• ▶Revenue of €993 million in FY2024, up 10.3% on FY2023 on a like-for-like basis
• ▶Improved adjusted EBITDA margin of 38.4%, up 2.1 points in FY2024
• ▶Generation of €25 million in unlevered free cash-flow (adjusted EBITDA less capex, working capital requirement and corporation tax paid)
• ▶Recurring and growth capex representing 13% and 22% of revenue for the period respectively

Benjamin Revcolevschi, CEO of OVHcloud, stated:

“OVHcloud confirmed the robustness of its model in FY2024 and the trust of our customers. These results, in line with our objectives, prove this, in a complex macro-economic backdrop. Being appointed as CEO of OVHcloud is both an exciting and demanding challenge. I would, of course, like to thank Octave, Michel and the Board of Directors for their confidence in me. I look forward to defining and delivering, alongside our teams, a trajectory towards sustainable, profitable and cash-generating growth. This new phase of development for OVHcloud is the perfect moment to launch the proposed share buyback offer, in order to give all shareholders the opportunity to continue to support the Group in its development or to cash in on their investment.”

Michel Paulin, the former CEO of OVHcloud, stated:

“After more than six wonderful years with OVHcloud, I decided a few months ago to step down from my position as CEO. Together with Octave and the Board of Directors, over the past few months, I have been supporting Benjamin in taking over this role.

As OVHcloud prepares to enter a new phase, it seemed essential to adapt its governance to ensure the successful execution of this long-term project.

OVHcloud’s industrial path is unique and proves that alternative models can be competitive and innovative and offer an open, reversible, interoperable, sustainable cloud with affordable prices for all. This industrial adventure is above all a human adventure. I would like to thank Octave, the whole Klaba family, the entire Executive Committee, the teams and our customers, for their confidence over the years.”

Octave Klaba, founder and Chairman of OVHcloud, added:

“I would like to extend my warmest thanks to Michel for all his work over these last few years, which has been instrumental in taking OVHcloud into a new dimension both in France and internationally, allowing to double our revenue in six years. Michel has been a remarkable leader for OVHcloud and enables us today to begin this new phase with strong fundamentals.

I am also delighted to welcome Benjamin as CEO. Since his arrival, Benjamin has demonstrated his leadership and his commitment to OVHcloud’s values day after day. I am convinced that he will lead and shape the Group's future.”

At its meeting on 23 October 2024, the Board of Directors acknowledged the resignation of Michel Paulin from his positions as director and Chief Executive Officer of OVH Groupe, and, on the recommendation of the Appointments, Compensation and Governance Committee, appointed Benjamin Revcolevschi as Chief Executive Officer of the Company. He was co-opted as a director, subject to ratification at the next Shareholders’ Meeting, for the remainder of Michel Paulin’s term of office, i.e., until 2026. Benjamin Revcolevschi is also joining the Strategy and CSR Committee.

A seasoned leader in the telecommunications and IT sectors, Benjamin Revcolevschi joined OVHcloud on 6 May 2024 as Deputy Chief Executive Office, to head up all of the Group’s operations, both in France and internationally. After beginning his career at Boston Consulting Group, he held operational and business management positions at Neuf Cegetel/SFR before becoming Managing Director of Fujitsu in France and Head of France and Benelux for DXC Technology.

On 28 March 2024, the Group acquired a new datacenter in Italy (Milan) for €2.6 million. This is the Group's first site in Italy.

The Group has also announced the opening of its first Public Cloud Local Zones, most of which are in Europe and the USA. Driven by innovative technology from gridscale, the Group can now deploy cloud capacity within weeks to serve new international locations with a limited investment. The Local Zones bring new options for customers to access Public Cloud services, with low latency and local data residency.

OVHcloud was positioned in the Major Players category of the IDC European Public Cloud Infrastructure as a Service 2024 Vendor Assessment (doc #EUR151035423, August 2024). The report evaluated 19 companies in Europe, assessing their strategies and capabilities.

OVHcloud was named a “Major Player” two years ago in the IDC MarketScape: Worldwide Public Cloud Infrastructure as a Service 2022 Vendor Assessment (being the only European-headquarter player evaluated). And the IDC MarketScape: European Public Cloud Infrastructure as a Service 2024 study appears to confirm the Group’s foothold on the European market.

At its meeting on 23 October 2024, the Board of Directors of OVH Groupe (“OVH Groupe” or the “Company”) approved the launch by the Company of a share buyback offer (the “Share Buyback Offer”) for an amount of €350,000,001 relating to a maximum of 20.41% of the Company’s share capital at a price of €9.00 per share. The shares bought back pursuant to the offer will be cancelled as part of a capital reduction.

The Share Buyback Offer will give shareholders the opportunity to cash out their shares at a price of €9.00 per share, representing a premium of 14.6% on the closing price on 23 October 2024 (the last trading day prior to the announcement of the Share Buyback Offer) and premiums of 32.0% and 41.0% on the volume-weighted average share prices over a 1 and 3-month period prior to said date, respectively.

The firm Accuracy was appointed as an independent expert by the Company’s Board of Directors, upon the recommendation of an ad hoc committee made up exclusively of independent members and chaired by Bernard Gault (lead director), to give an opinion on the financial terms of the proposed Share Buyback Offer. The independent expert confirmed that the proposed price of €9.00 per share is fair from a financial point of view.

Based on the work of the independent expert and the recommendations of the ad hoc committee, the Company’s Board of Directors has issued a reasoned opinion, in which it has concluded that the proposed Share Buyback Offer is in the best interests of the Company, its shareholders and its employees.

The draft offer document relating to the Share Buyback Offer, including the reasoned opinion of the Board of Directors and the independent expert’s report, will be filed today with the French Financial Markets Authority (Autorité des Marchés Financiers – the “AMF”) and will be made available to the public in accordance with Article 231-16 of the AMF’s General Regulations.

The Share Buyback Offer remains subject to review by the AMF and to shareholder approval at the Shareholders’ Meeting to be held on 4 December 2024 to approve the capital reduction by way of a Share Buyback Offer and the ratification of Benjamin Revcolevschi’s co-optation as a director.

The Share Buyback Offer and its financing are part of a broader refinancing of the Company, with the Group’s debt maturing in October 2026 (term and revolving credit facilities, with the exception of the loan from the European Investment Bank for a principal amount of €200 million).

The Share Buyback Offer will be financed by drawing on three credit lines made available to the Group for a maximum total principal amount of €1,120 million, which will also be used to refinance existing debt (with the exception of the loan from the European Investment Bank) and the Group’s future general requirements.

Following the Share Buyback Offer, OVHcloud would maintain its solid financial structure, in line with its new development strategy and growth targets. The firm Accuracy, which was also asked to give an opinion on the impact of this refinancing on the Group, concluded that the Company's financial structure following the share buyback offer would be reasonable over the timeframe of its business plan.

OVHcloud solutions are now offered in the portfolio of Bouygues Telecom Entreprises. Bouygues Telecom Entreprises has chosen the Hosted Private Cloud solution, a fully dedicated infrastructure solution hosted in OVHcloud datacenters, combined with options such as a Disaster Recovery Plan or Backup-as-a-Service.

Leveraging on OVHcloud infrastructure, customers will benefit from end-to-end support from dedicated experts at Bouygues Telecom Entreprises’ Cloud Excellence Center, from infrastructure audit, application migration, infrastructure maintenance, and managed services.

Through physical and software isolation, Bare Metal Pod is undergoing ANSSI (Agence nationale de la sécurité des systems d’information) SecNumCloud qualification.

The AIFE (Agence pour l’Informatique Financière de l’Etat), attached to the French Ministry of the Economy and Finance, is the first institutional customer using Bare Metal Pod. The PPF (Portail Public de Facturation) will handle highly sensitive data with dense traffic, making Bare Metal Pod the logical choice for a sovereign solution combining dedicated and powerful servers in a SecNumCloud qualified environment.

After a period of major investment OVHcloud is now embarking on a new development phase, with the appointment of Benjamin Revcolevschi as Chief Executive Officer and new objectives beyond FY2025.

For FY2025, OVHcloud is targeting organic revenue growth of between 9%-11%, an adjusted EBITDA margin of approximately 40% and recurring capex and growth capex of between 11%-13% and 19%-21% of revenue, respectively.

OVHcloud also aims to increase unlevered free cash-flow in FY2025 compared to FY2024.

In the coming months, OVHcloud’s management will introduce new initiatives to pursue a pathway to profitable growth and cash generation beyond FY2025:

• ▶Solid, sustainable growth of around 10%, by capitalising in particular on the Group’s position as a Private Cloud leader and by reinforcing its commercial Public Cloud offering;
• ▶Adjusted EBITDA margin structurally above 40%, thanks to operating leverage improvements and operational excellence;
• ▶In FY2026, the Group should generate positive levered free cash-flow, thanks, in particular, to improved EBITDA, cost-cutting measures and operational efficiency.