OVHcloud’s position as the leading European cloud provider traces its roots to its founding in 1999 as an internet hosting company in France. Over the past 26 years, OVHcloud has developed significantly, initially by expanding its infrastructure and growing its presence within Europe, and then by diversifying its cloud offerings and expanding its operations globally.

Cloud computing means providing users with storage, computing and network resources on demand. Cloud resources are located in datacenters that house servers and equipment used to process, store and transmit data. Users of cloud computing services can access stored data and instruct processing units to perform computing functions automatically, without the need for human interaction, minimising the computing and storage capacities needed on their devices (such as personal computers, tablets and mobile phones). Wherever they are located, as long as they have an internet connection, users are able to access IT services through the cloud.

Businesses can establish and operate their own datacenters using internal IT staff, or they can outsource some or all functions to cloud service providers such as OVHcloud. For many businesses, the time and financial investment required makes proprietary cloud computing less attractive than outsourcing, which means paying only for the resources they actually use. Additionally, it can be difficult for businesses that are not specialised in IT services to innovate at the requisite levels in order to ensure that their cloud infrastructure provides them with adequate services and protections, such as data security. Internal IT systems also might not be sufficiently scalable to meet peak-load demands (unless businesses maintain costly excess capacity).

Servers maintained in datacenters can be used for multiple functions, each of which is accessed through a “virtual machine” created on the server. The virtual machines are operated and separated from one another through a software platform known as a “virtualisation stack.” Each virtual machine can have its own operating system that permits users to develop and run applications. Through a function known as a “hypervisor,” the server’s capacity is allocated to the virtual machines in accordance with the demands of users. Furthermore, software applications have been written to be bundled in “containers” that run directly on the operating system of the server itself, coordinated through platforms known as “orchestration” systems, which generally take up less space and can provide better performance than hypervisor-based virtualisation stacks.

The ability to create multiple virtual machines in each server or to deploy container-based systems allows a cloud service provider to allocate its capacity among multiple user groups or customers in a secure manner. Service providers can dedicate a server to a single customer (a “Private Cloud” system), allocating the server’s capacity among user groups authorised by the customer. Alternatively, a server can be shared among multiple customers (a “Public Cloud” system). Private Cloud customers generally pay monthly charges for dedicated capacity, whether or not they use that capacity. Public Cloud customers generally pay for the capacity they actually use.

In order to optimise the cost of cloud services, many businesses are deploying “hybrid cloud” strategies, in which they combine on-premises or outsourced Private Cloud capacity for their most sensitive functions and data, with Public Cloud capacity for their less sensitive needs. Customers are also deploying “multi-cloud” strategies, purchasing cloud services from several providers. To meet the growing demand for hybrid cloud and multi-cloud services, a cloud provider must offer packages that allow the various solutions to function as an integrated whole.

Cloud computing encompasses a range of services that include providing access to infrastructure (Infrastructure-as-a-Service or “IaaS”), selecting and operating platforms such as operating systems, virtualisation stacks and security systems (Platform-as-a-Service or “PaaS”), and offering applications that are developed and can function on cloud platforms (Software-as-a-Service or “SaaS”). These features are illustrated in the following graphic:

The cloud solutions market also includes Web services targeted mainly at individuals and small and medium-sized businesses. The Web Cloud market largely consists of web and domain hosting, including leasing servers for websites, selling secondary services (such as software packages) and domain name registration, renewal and transfer services.

OVHcloud provides two main Private Cloud offerings: Bare Metal and Hosted Private Cloud.

OVHcloud’s Bare Metal Cloud service provides dedicated physical servers to customers, who have full control over the server, including the choice of operating system. The Bare Metal Cloud allows them to have a similar experience to the one they would have with on-premises solutions managed by their internal teams, while taking advantage of the benefits offered by outsourcing.

OVHcloud’s main Bare Metal Cloud offering consists of high-end servers and mid-to-high-level services. OVHcloud also has a lower-priced offering marketed as part of the “Eco” range, which uses refurbished servers that provide quality services at a reduced cost, while improving environmental efficiency.

Bare Metal Cloud services provide business customers with high-level computing power and strict service level agreements in a secure environment appropriate for sensitive data applications. The server can be customised to meet customer requirements and can be operated without allocating the server’s capacity to virtual machines through a hypervisor, allowing the customer to use the server’s full capacity. Any unused capacity can be deployed within minutes, although the total capacity is limited by that of the dedicated server.

Bare Metal Cloud customers pay monthly fees that depend on the performance levels they select. They may also choose options (such as server customisation or data backup) for additional fees.

The main uses of Bare Metal Cloud services include the computation of complex data, low latency operations, streaming, online gaming and critical business applications such as ERP and CRM.

In 2025, OVHcloud launched Bare Metal Pod, a sovereign infrastructure that is SecNumCloud 3.2 certified by ANSSI and dedicated to offering the power of the cloud combined with the physical isolation of Bare Metal servers, designed to host critical or sensitive environments.

OVHcloud offers Hosted Private Cloud services to its business customers, providing servers fully managed by OVHcloud, including the operating system and the virtualisation layer, in partnership with VMware or Nutanix offerings.

1. VM: virtual machine.

OVHcloud’s Hosted Private Cloud services provide customers with private access to servers that can be customised to satisfy their specific requirements. They meet the needs of customers seeking isolation and security, scalable resources and resilience.

The main uses for Hosted Private Cloud services include deployment in hybrid cloud strategies, media encoding, big data analytics and disaster recovery, as well as the storage and processing of sensitive data in key sectors such as healthcare, finance and the public sector.

Since 2021, OVHcloud has been offering SecNumCloud-certified Hosted Private Cloud services. SecNumCloud certification gives customers the assurance of choosing solutions that comply with the highest ANSSI security standards, as well as the guarantee of having solutions tailored to the sensitive data of public authorities and businesses.

In 2025, OVHcloud launched On-Prem Cloud Platform, a ready-to-use on-premises cloud platform. The launch was marked by the signing of a commercial contract with DEEP. On 31 March 2025, DEEP, part of POST Group, the leader in telecoms and ICT, postal and postal financial services in Luxembourg, and OVHcloud signed a strategic partnership to develop a sovereign cloud in Luxembourg. The DEEP Sovereign Cloud will be based on OVHcloud's On-Prem Cloud Platform (OPCP): an integrated cloud platform (hardware and software), which will be hosted and operated autonomously by DEEP in its own Tier IV certified data centres in Luxembourg, in an offline mode.

OVHcloud offers Public Cloud solutions based on open source technologies such as OpenStack (a platform for deploying processing, storage and networking resources) and Kubernetes (a container orchestration platform that has become a market benchmark). The use of these standard platforms provides customers with easy data transfer capability and deliberately transparent access to source code, facilitating reversibility and eliminating “vendor lock-in”. This feature of the OVHcloud offering is particularly attractive for customers looking to deploy multi-cloud strategies.

Public Cloud solutions provide users with virtually unlimited computing capacity, with the only constraint being the demands of other users and the total installed capacity of the cloud provider. It is possible to deploy new Public Cloud instances automatically and in seconds. As the Public Cloud service is based on shared servers, customisation options are defined by OVHcloud. The flexibility of the hardware architecture offers high service levels.

Public Cloud customers pay usage fees for the capacity they actually use. The OVHcloud model offers much more predictability than models used by hyperscalers and many other competitors. In particular, unlike hyperscalers, OVHcloud does not charge additional fees for outgoing data transfers or API calls, except for block and archive storage, and for services located in Asia-Pacific.

The Group’s Public Cloud offering provides three core cloud computing services: computer performance, storage and network capabilities.

Customers of OVHcloud’s Public Cloud solutions can choose fully scalable Public Cloud services on virtual machines that are hosted on shared servers and networks.

OVHcloud’s Public Cloud service is attractive for customers seeking highly scalable resources, with significant peak management demands across multiple access locations, and a high degree of resilience. This service is used for applications with high-demand bursts and services that use large volumes of data, such as video and music streaming.

OVHcloud’s Public Cloud customers can also choose from a number of on-demand (SaaS) software running on OVHcloud’s Public Cloud servers. In particular, OVHcloud offers its customers access to Microsoft Exchange messaging and calendar solutions, SharePoint data storage and management solutions, and the Office365 business software suite.

As of this year, OVHcloud offers Public Cloud products in the 3-AZ Paris region. This region offers businesses and organisations a presence in three geographically close datacenters (AZ or Availability Zones) so that they can benefit from high resilience and low latency between the three datacenters.

1. VM: virtual machine.

OVHcloud also offers a virtual private server option, providing IT capabilities located on shared servers, but with virtual machines isolated through the use of virtual private networks.

The virtual private server option is attractive to customers seeking tailored resources, particularly for short-term operations with volatile workloads and server demand. Virtual private server solutions are used primarily for applications testing and other one-time projects, the management of short-term peak loads and backup functions.

1. VM: virtual machine.

As part of its growth strategy, OVHcloud is developing and implementing a comprehensive PaaS offering, overlaying its Private Cloud and Public Cloud IaaS products. In addition to developing products in-house, OVHcloud has announced several partnerships and acquisitions in order to accelerate its development plan, enabling it to offer more than 80 IaaS and PaaS solutions to its customers by the end of the 2024 financial year, mainly in the following areas:

• ▶Storage. OVHcloud now offers its customers a comprehensive portfolio of storage solutions such as Object Storage S3 (High Performance and Standard), Block Storage, File Storage, Snapshot & Backup and Archive;
• ▶Database-as-a-Service. Data management software allows users to manage their databases to enable queries and updates. It includes programmes that execute queries on data and provide visual representation of the data in formats such as spreadsheets, enabling users to build applications faster and automate database management. OVHcloud announced a partnership with MongoDB in April 2021 and a partnership with Aiven in July 2021 to make several types of database available on the OVHcloud infrastructure;
• ▶AI, Machine Learning & Analytics. Artificial intelligence and analytics solutions include tools and services that support data analysis and presentation. OVHcloud is particularly advanced in high-performance computing solutions for artificial intelligence and machine learning, and intends to continue its development in this area. In April 2022, OVHcloud announced the acquisition of ForePaaS, a company specialising in analytics. Over the last two years, OVHcloud has strengthened its artificial intelligence product offering, including AI Notebook, AI Deploy, AI Training, AI App Builder and AI Endpoint, a platform that uses an application programming interface (API) to provide easy access to numerous pre-trained artificial intelligence models (LLM, voice, image, etc.) for rapid integration into applications;
• ▶Security & Encryption. OVHcloud is expanding its offering of identity access management and encryption solutions, including end-to-end encryption that secures customer data in all states. In July 2021, OVHcloud announced the acquisition of BuyDRM, a US company specialising in this area;
• ▶Application platforms. Application platforms are back-end server software solutions that provide developers with a runtime and development environment.

OVHcloud has offered Web Cloud services since its founding in 1999. With its leading position in the French market and strong positions elsewhere in Europe, the Web Cloud offering provides a stable, recurring revenue base and regular growth.

OVHcloud offers three principal solutions to Web Cloud customers:

• ▶Web hosting and domain names. This includes the leasing of capacity on servers, allowing customers to connect their websites to the internet, as well as domain name registration, renewal and transfers. Customers can choose basic packages offering just one or a few websites, or packages targeted at professionals and developers that wish to host multiple websites, together with email addresses and storage options. OVHcloud offers its customers additional services, such as Secure Socket Layer (SSL) certificates, which enable secure connections between a web server and a browser;
• ▶Telephony and connectivity. Customers can purchase VoIP (Voice over IP) systems for use as switchboards and interactive voice response systems. OVHcloud also offers customers internet access through ADSL and fibre networks, with basic and professional packages;
• ▶Support and services. OVHcloud offers its customers additional levels of support and services, including a range of support, expertise and online services. There are two levels of support offering: i) Business, which corresponds to the level suitable for production environments, or ii) Enterprise, which offers a key account experience for critical production environments. Additional services are proposed in the Professional Services offering, which provides access to technical support and advice during infrastructure migration or IT architecture changes.

OVHcloud’s main customers in the Web Cloud segment are small and medium-sized businesses, as well as certain individual customers and entrepreneurs. Web Cloud customers generally seek secure and reliable web and communications services to establish their web presence, and to digitise business functions.

Since 2021 and its IPO, OVHcloud has been deploying its strategic roadmap. The Group has succeeded in:

• ▶developing key customer segments with average ARPAC(3) growth of 60% between 2021 and 2025;
• ▶addressing a broader market by currently offering customers over 40 Public Cloud products;
• ▶extending its geographical footprint with the opening of 11 new datacenters since 2021, to reach 44 datacenters by the end of FY2025;
• ▶investing in internal development with cumulative growth capex of around €1,100 million between 2021 and 2025, and external growth opportunities, with three acquisitions since 2021 (BuyDRM in security, ForePaaS in data management, and gridscale, to open Local Zones with minimum capital intensity).

Following these significant investments, OVHcloud introduced a new plan centred around four strategic pillars: (i) Be the data sovereignty reference, (ii) Innovate for next tech revolutions, (iii) Deliver sustainable and profitable growth, and (iv) Maximise cash generation.

OVHcloud already benefits from a structural advantage in that it is not subject to extraterritorial laws, and has developed a successful strategy of certifications with national and international regulators.

In the coming years, the Group will continue to expand its range of certified products, in particular with plans to extend SecNumCloud certification in France to its Public Cloud by end-2025. In addition, this year OVHcloud launched Bare Metal Pod, a sovereign infrastructure that is SecNumCloud 3.2 certified by ANSSI and dedicated to offering the power of the cloud combined with the physical isolation of bare metal servers, designed to host critical or sensitive environments.

In addition, specific services are currently being developed to respond even more precisely to the needs of certain verticals, in particular the public sector and healthcare.

Innovation is at the heart of OVHcloud’s DNA, and the Group will continue to invest to innovate and prepare for the upcoming technological revolutions, such as artificial intelligence – which is already underway – and quantum computing in the medium term.

With regard to artificial intelligence, OVHcloud is continuing to strengthen its offering, in particular by developing AI solutions that guarantee customer data confidentiality and data sovereignty. OVHcloud offers its customers a broad portfolio of NVIDIA Tensor Core GPUs (H100, A100, L4, L40S) accessible in the Public Cloud and top-of-the line AI models integrating the latest open-source LLMs, like Mistral 8x22B or Llama3, which are notably available on the shelf via the OVHcloud AI Endpoints serverless solution. AI is opening up new opportunities and is at the heart of a revolution, creating extremely high stakes, especially in terms of intellectual property and data confidentiality.

OVHcloud is also ahead of the curve on quantum computing, which will be one of the next technological revolutions of the 21st century. OVHcloud is the only European cloud provider to offer its customers five quantum notebooks and one quantum emulator. The Group supports 14 leading quantum startups and owns one Quandela photonic computer.

Furthermore, in September 2025, OVHcloud became the first global player to strengthen website access security using a quantum computer. In association with Quandela, the Group has introduced quantum entropy-enhanced SSL certificates, improving the random generation of encryption keys.

Since 2021, OVHcloud has opened more than eleven new datacenters, invested significantly in the development of new products and set up a programme to improve the resilience of its infrastructure.

Over the next few years, OVHcloud plans to optimise the utilisation rate of its datacenters, which stood at 66% at 31 August 2025 (up six points compared to 2024), improve inventory management and stabilise investments in new products in absolute value terms.

Lastly, the Group expects to reduce one-off investments (hyper-resilience plan, IPv4 purchases and improvement of inventories linked to supply chain tensions) between now and 2026.

OVHcloud has increased its unlevered free cash flow by a factor of 2.3 to €57.6 million in FY2025 compared with FY2024. The Group aims to generate free cash flow as from 2026.

OVHcloud is the European Cloud leader and the only non-US or non-Chinese player among the ten largest global cloud service providers(4). It is the only major player of its size that is not subject to extraterritorial laws.

In addition to its structural differentiator, OVHcloud has developed a very large number of certifications worldwide in order to comply with various national and international regulations.

As a French cloud service provider, OVHcloud is subject to European regulations across a wide number of areas, including information technology (“IT”) services, cybersecurity, online content moderation and data protection. OVHcloud may also be subject to sectoral regulatory regimes applicable to certain customers and generally applicable regulations such as contract laws and consumer protection policies.

OVHcloud is subject to European regulations aimed at strengthening cybersecurity across the European Union (the “EU”). Transposed into French law on 26 February 2018, Directive (EU) 2016/1148 of 9 July 2016 established requirements for cloud service providers with respect to network and information systems security. The French law(5) transposing Directive (EU) 2016/1148 classifies cloud service providers as digital service providers. As a digital service provider, OVHcloud must guarantee a level of information security adapted to the relevant risks and adopt appropriate organisational and technical measures. Any security incident having a significant impact on the provision of services must be declared to the French National Cybersecurity Agency (“ANSSI”). The French Prime Minister may also open investigations upon receiving information of non-compliance by the digital service provider with security obligations. Fines for non-compliance with security obligations range from €50,000 to €100,000.

The ANSSI has adopted security standards for cloud service providers(6). In particular, cloud companies must set up a security policy for information relating to the service and carry out a risk assessment covering the entire service. If applicable security standards are met, the ANSSI grants the “SecNumCloud” label certifying an enhanced level of security for the storage of sensitive information. In October 2022, the ANSSI extended OVHcloud’s “SecNumCloud” security visa for its Hosted Private Cloud until December 2023. For the protection of critical information systems, the ANSSI recommends that operators of essential services (e.g., gas supply companies, airline carriers, health institutions, banks) use security products and services with an ANSSI security visa.

The role of the European Union Agency for Cybersecurity (the “ENISA”) was strengthened by Regulation (EU) 2019/881 of 17 April 2019 (the “Cybersecurity Act”). The ENISA is tasked with establishing and maintaining a European-wide cybersecurity certification scheme applicable to cloud service providers, including a comprehensive set of rules, technical requirements, standards and procedures. In July 2020, the ENISA published a proposal that would enable cloud service providers to obtain certifications across the EU attesting to the level of security of their services.

In September 2022, the European Commission unveiled its proposed Cyber Resilience Act (“CRA”). This proposal fixes a series of general and organisational cybersecurity requirements for products containing digital elements (for example: software, hardware products, data processing). It aims to adopt a common base within the European Union to limit cyberattacks. The CRA applies differently to supply chain players: manufacturers, importers and distributors. The text is awaiting examination by the European Parliament and then by the Council of the European Union; during this procedure, which may take up to two years, the current text will most likely undergo certain changes. It is therefore still too early to comment on the impacts this text may have on OVHcloud.

As a provider of cloud and telecommunications services, OVHcloud processes, stores and transmits a substantial amount of personal data. As a result, OVHcloud must comply with a number of European regulations and national laws relating to personal data protection.

A cornerstone of personal data protection in the European Union since it came into force in May 2018, the GDPR has three main objectives: (i) to establish rules relating to the protection of individuals with regard to the processing of their personal data as well as rules relating to the free movement of such data, (ii) to strengthen the application of the regulation by providing a unified legal framework for organisations processing personal data, and finally (iii) to strengthen the responsibility of parties processing personal data (data controllers and processors) by requiring that processing and the tools/applications used be documented.

The GDPR places organisations under strict obligations in terms of information and transparency with regard to the personal data processing they carry out on their own behalf or on behalf of others.

It also confers a number of rights on data subjects with regard to the processing of their personal data, such as the right of access, the right to rectification and the right to erasure (“right to be forgotten”), giving them greater control over the use of their personal data.

The GDPR also requires organisations to implement appropriate technical and organisational security measures for the processing of personal data as soon as a new product or service is designed, in order to ensure that personal data security and confidentiality requirements are met (“Privacy by design”).

Lastly, the GDPR requires organisations responsible for processing personal data to notify the supervisory authority of any breach that is likely to result in a risk to the rights and freedoms of natural persons and data subjects.

Passed on 22 September 2021, the act to modernise legislative provisions as regards the protection of personal information, known as “Act 25”, makes major changes to the act respecting the protection of personal information in the private sector (“ARPPIPS”), giving citizens greater control over their personal data and making organisations more accountable for the way they manage this information. This act establishes new obligations and transparency rules for Quebec companies, such as the appointment of a Data Protection Officer, in order to establish governance policies and practices regarding personal information, conduct privacy impact assessments (PIAs), and respect the new rights granted to individuals with regard to their personal data, in particular the right to require that such information cease to be disseminated, or that it be re-indexed or de-indexed (the right to be forgotten) before being communicated outside Quebec, and ensure that technological products and services offered to the public have settings that provide the highest level of confidentiality by default.

The new responsibilities and requirements applicable to organisations processing personal data came into force progressively in September 2022, 2023 and 2024.

In order to ensure compliance with applicable data protection regulations, OVHcloud has implemented a personal data management system based on the ISO 27701 standard.

OVHcloud also relies on the Cloud Infrastructure Service Providers in Europe (CISPE) Code of Conduct, with its certified Bare Metal Cloud and Hosted Private Cloud powered by VMWare offerings, to ensure and demonstrate the compliance of its IaaS activities.

Regulation (EU) 2018/1807 of 14 November 2018 (“Regulation on the free flow of non-personal data”) aims to ensure the free flow of non-personal data between EU Member States (the “Member States”) and IT systems in the EU. Non-personal data is either (i) data not linked to identified or identifiable natural persons, or (ii) anonymised personal data. This regulation enables the storage and processing of non-personal data anywhere in the EU, prohibits data localisation and ensures the availability of data for regulatory control.

The Regulation on the free flow of non-personal data also provides that the European Commission must encourage the development of self-regulatory codes of conduct to facilitate portability between service providers. To that end, OVHcloud participated in the drafting of two voluntary codes of conduct on switching cloud service providers and data portability through the working group on switching cloud providers and porting data (“SWIPO”). Published in July 2020, the codes of conduct for Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) provide guidance for cloud service providers and customers on switching cloud provider and porting non-personal data. The adoption of such codes of conduct aims to reduce the risks of vendor lock-in (i.e., situations where customers are dependent on a particular provider due to significant switching costs) by cloud service providers. It also provides guidance for customers on the transfer of non-personal data.

As a hosting service provider, OVHcloud must comply with a number of laws on content moderation, including those moderating terrorist content, child sexual abuse material and the infringement of intellectual property rights.

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (“Digital Services Act”) entered into force on 18 November 2022. This new framework aims to harmonise the rules applicable in the different Member States of the European Union and replaces the framework adopted in 2000 with regard to liability of intermediaries in relation to illegal content while maintaining the fundamental principles of freedom of expression and freedom to provide services.

The regulation also establishes new obligations of due diligence and transparency for hosting services such as OVHcloud, both vis-à-vis the authorities and users, particularly on the processing of reports of illegal content. It also increases the level of penalties that can be imposed in the event of a breach of the obligations established by the regulation, with fines of up to 6% of the intermediary service provider’s global annual revenue. A certain number of measures are applicable on a deferred basis over the next two years and involve the adoption of texts at the national level. OVHcloud will carefully monitor their publication in order to comply with its obligations.

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (“Digital Markets Act”) aims to make the digital sector fairer and more competitive by introducing preventive measures for large digital companies as gatekeepers on the European market. In particular, the regulation provides for several obligations and prohibitions against gatekeeping online platforms and strengthens the sanctioning powers of the European Commission, which will be assisted by an advisory committee and a high-level group. So, for example, gatekeepers must allow users to easily uninstall pre-installed software on their devices and easily unsubscribe from an essential platform service such as a cloud service. Gatekeepers will no longer be able to impose software such as internet browsers or default search engines or reuse users’ personal data for the purpose of targeted advertising without their explicit consent.

Applicable from 2 May 2023, the companies concerned must report to the European Commission and ensure that they are compliant by March 2024 at the latest. The legislation gives the Commission the exclusive power to monitor compliance with their obligations, and imposes new sanctions, including a fine of up to 10% of the company’s total global revenue from the previous financial year.

The adoption of this new legislation is a positive step towards regulating the practices of the dominant digital players on the European market. However, its effectiveness will depend on the means that the European Commission devotes to ensuring compliance with it. OVHcloud will pay particular attention to the forthcoming details regarding the teams tasked with monitoring gatekeepers' compliance.

OVHcloud entities are telecommunications operators in four (4) Member States: Belgium, France, Germany and Spain. OVHcloud is subject to specific obligations when providing telecommunications services. Because the EU and its Member States have been regulating the telecommunications sector for many years, there are a variety of different implementing measures, guidelines and authorities across the EU. OVHcloud entities are also telecommunications operators in the United Kingdom and Switzerland, which have their own telecommunications regulations. The United Kingdom also implemented the requirements of the European Electronic Communications Code into its national regulatory framework prior to Brexit.

The Directive (EU) 2018/1972 of 11 December 2018 established the European Electronic Communications Code. Although this directive has not yet been transposed in all Member States where OVHcloud acts as an operator, several other directives applicable in the telecommunications sectors, such as Directives 2002/19/EC, 2002/20/EC, 2002/21/EC and 2002/22/EC of the European Parliament and of the Council, have been substantially amended. Directive 2018/1972 was transposed into French law in May 2021(7). The key objective of this European Electronic Communications Code is to create a comprehensive set of updated rules to regulate electronic communications and protect EU citizens when they communicate through traditional or web-based services, encourage competition between telecommunications operators, and ensure that national regulatory authorities are protected against external intervention or political pressure.

As a cloud service provider, OVHcloud is subject to obligations when the Group provides services to organisations in the health sector. For example, French law requires health data hosting providers (i.e., any person hosting personal health data collected in the course of prevention, diagnosis, care or social and medical monitoring activities on behalf of natural or legal persons having produced or collected such data or on behalf of the patients themselves) to comply with specific obligations. Such obligations include obtaining proper certification or receiving prior approval from public authorities as per the French Public Health Code, and entering into an agreement with customers in the health sector, setting out the mandatory provisions prescribed by Article L. 1111-8 of the French Public Health Code. OVHcloud is also subject to the requirements of other jurisdictions in which it operates, such as Italy, Poland, Germany and the United Kingdom.

In 2016, OVHcloud obtained the “health data host” accreditation and, since 2018, the Group has operated a management system that allows several of its cloud offerings to comply with the requirements of this accreditation. In 2019, OVHcloud obtained the French HDS (hébergeur de données de santé – health data host) certification for its Hosted Private Cloud offering. In 2020, this certification was first extended to OVHcloud’s dedicated servers and then to OVHcloud’s Public Cloud offering and Trusted Exchange in 2021.

Companies in the financial sector (including credit institutions and investment firms) may also be subject to industry-specific obligations that may reflect on OVHcloud in the context of the provision of its services. In particular, in 2019, the European Banking Authority (“EBA”) issued “Recommendations on outsourcing to cloud service providers” applicable to outsourcing arrangements. These recommendations create obligations with respect to information systems security and audit rights for the outsourcing banks, which they must impose on their cloud service providers when using their services. OVHcloud aims to offer contractual conditions applicable to financial service operators that ensure that customers are able to implement an outsourcing policy which is compliant with the EBA’s recommendations and with local European regulations.

Financial service operators may also require OVHcloud to comply with specific national regulations. For instance, OVHcloud may have to comply with French regulations such as those of France’s banking and insurance supervisor, Autorité de contrôle prudentiel et de résolution (“ACPR”) on critical outsourced services such as banking operations. Companies outsourcing critical services must ensure that service providers guarantee the protection of confidential information, implement backup mechanisms in the event of significant difficulties affecting service continuity and provide the ACPR, in carrying out its duties, with access to critical outsourced information. With respect to internal procedures for managing information system security, the American Institute of Certified Public Accountants (“AICPA”) granted OVHcloud SOC I-II type 2 certifications.

With respect to hosting banking data and reducing card fraud, OVHcloud’s main Hosted Private Cloud offering is compliant with the Payment Card Industry Data Security Standard (“PCI DSS”). OVHcloud’s datacenters in France, Canada, the United Kingdom, Germany and Poland comply with PCI-DSS.

On 27 November 2022, the European Commission adopted a Digital Operational Resilience Act for the Financial Sector (“DORA”). Following a proposal by the 2020 European Commission, this regulation imposes a number of requirements on cloud outsourcing arrangements in the financial sector. The proposed regulation covers a broad range of regulated financial entities, including credit institutions (such as banks), central securities depositaries, insurance companies and certain fund managers, among others. It imposes a number of information and communications technology risk management requirements on these financial entities, some of which apply directly to outsourced cloud activities.

In particular, financial sector entities covered by the proposed regulation are required to take a number of steps to address risks in their relationships with third parties, such as cloud service providers, including ensuring that their cloud services contracts provide a full description of the services proposed with qualitative and quantitative performance targets, and include provisions governing integrity, security, personal data protection, recovery in case of failure, rights of inspection and audit, and termination provisions with clear exit strategies. The regulation proposes the approval of standardised contractual terms by the European Commission.

In addition, the regulation imposes a new oversight framework on critical third-party service providers (including cloud service providers), subjecting them to individual oversight plans adopted by the European financial regulatory bodies responsible for supervising banks, securities markets or insurance companies, depending on the sector primarily using the services of the relevant provider. The determination of which services are critical depends on their potential systemic impact, the dependence of financial entities on them for critical functions and the availability of alternatives. The oversight plan can impose requirements in areas such as security and quality, contractual terms, and subcontracting, with financial penalties imposed in case of non-compliance, up to 1% of the service provider’s global revenue in the most recent year. The oversight bodies have broad inspection and auditing rights and investigative powers. The adopted regulation also prohibits financial entities from using a service provider from a country outside the EU for critical cloud functions.

Many of OVHcloud’s datacenters are located in former industrial buildings, some of which are classified as presenting environmental or other risks under applicable French legislation. OVHcloud’s datacenters outside of France may also be classified as presenting environmental risks under local regulations. In order to comply with applicable regulations, OVHcloud is sometimes required to submit applications and obtain operating licenses. OVHcloud may be required to take certain remedial measures as part of the application process.

Operating licenses are required in most countries where OVHcloud operates its datacenters. The regulations primarily concern air emissions, industrial waste management, water and effluent management, fire risk management and noise management.

The simplified organisational chart below shows the Company’s legal structure and its consolidated subsidiaries as of the date of this Universal Registration Document. The percentages indicated below represent the percentages of share capital. There has been no significant change in capital ownership since 31 August 2024.

Central to its governance mechanism, OVHcloud's risk management system helps the Group achieve its strategic objectives while protecting its assets and reputation. It also helps to mobilise employees around a common approach to risk. OVHcloud is committed to regularly assessing risks and implementing internal controls and action plans to mitigate them.

The risk management system aims to identify, analyse and manage the main risks to which the Group is exposed. It contributes to the control and security of its activities, the effectiveness of its operations and the efficient use of resources.

This system comprises a series of processes aiming to identify, assess and prioritise risks, prevent and control them, promote a risk management culture, and monitor action plans to limit risks. It draws on the skills of the Group's employees, particularly in internal audit and compliance, and on external expertise where required.

CSR risks are covered in Chapter 3 – Sustainability Statement, which includes new CSRD-related requirements, of this Universal Registration Document.

In 2020, the Group drew up a risk map, which was updated in 2022 and 2023. In 2025, risk mapping was revised with the new Chief Executive Officer, as part of the risk monitoring governance process. Certain risk levels and designations were adjusted.

Carried out across the Group and with the involvement of top management from all the Group's activities, the risk mapping process has made it possible to identify the main risks to which the Group is exposed and to assess their potential impact, taking into account their criticality and probability of occurrence. The Group's risk map also takes into account specific risk mapping exercises on topics such as cybersecurity and anti-corruption, and the monitoring of operational and emerging risks.

The most significant risks have been grouped into different families (strategy and markets, business, human resources, financial, regulatory and legal, information systems). For each risk, a description is provided of their causes and potential impact, as well as the actions taken to manage them.

Group management, the Board of Directors and the Audit Committee closely monitor risk management and define the most appropriate strategy.

One or more risk owners are appointed for each risk to complete the risk analysis, identify the actions and resources needed to mitigate the risk, and manage the corresponding action plans.

The relevance and progress of the action plans are monitored by members of the Group's Executive Committee, including the Chief Executive Officer, Chief Financial Officer and General Counsel, who review them on a quarterly basis. Risk mapping and action plans are presented annually to the Group's Audit Committee, and more frequently upon request.

The Group's insurance policy aims to protect its employees, assets, customers and shareholders against the financial consequences of major events.

Its purpose is to ensure business continuity and the operational resilience of the services provided to customers, to reduce the Group's financial exposure in the event of an incident and to strengthen the confidence of all its stakeholders.

It complements the risk prevention and control systems put in place by the Group, such as:

• ▶an active prevention and protection policy at its industrial sites, in particular through its “Hyper Resilience” (HYR) prevention plan, designed to protect them against fire risks. The Group has most of its industrial sites audited annually by its brokers' and insurers' prevention engineers;
• ▶awareness-raising sessions on fire risk, with a technical and insurance-based approach, for a wide range of operational staff;
• ▶the development of risk prevention, such as exposure to natural and environmental disasters, therefore enhancing existing insurance coverage.

The insurance policy is part of the Group's overall strategy, taking into account the specific features of its business sector, its growth and its strong international presence.

To ensure that the insurance programme is relevant and appropriate, the Legal Department works constantly to identify risks that could be covered by insurance, in conjunction with all the Departments (Finance, Resilience and QSE, IT, Human Resources, etc.). These risks include:

• ▶all infrastructure-related damage (fire, explosion, natural events, etc.);
• ▶cyber risks (damage, theft, extortion, phone hacking, etc.);
• ▶professional civil liability and operational liability risks;
• ▶liability risks for executive corporate officers and non-executive officers;
• ▶risks related to the safety of employees;
• ▶risks related to business trips;
• ▶risks related to the transportation of goods.

Based on the AMF reference framework, OVHcloud has set up an internal control system comprising a set of resources, policies, behaviours, procedures and appropriate actions designed to ensure:

• ▶the application of instructions and guidelines set by management;
• ▶the operation of internal processes to ensure the effectiveness and control of activities;
• ▶the reliability of accounting and financial information;
• ▶compliance with laws and regulations;
• ▶the management of risks.

A number of players are involved in the internal control system.

Delegated by the Board of Directors, the Audit Committee is responsible for monitoring the preparation of financial information and the effectiveness of internal control, risk management and internal audit systems.

The Audit Committee reports to the Board of Directors on these aspects.

See Section 4.1 – Governance overview for a detailed description of the tasks of the Board of Directors and the Audit Committee.

Senior Management is responsible for deploying the internal control system and overseeing risk mapping. To achieve this, Senior Management relies on the support of the Finance Department and the Audit, Internal Control and Risk Department.

The first line of control is made up of operations that formalise and implement operational processes to ensure the control of day-to-day operations and their internal control.

Internal control is an integral part of each operational department's mission. The management of the operational departments is responsible for checking that the Level 1 procedures and controls are being properly applied by carrying out Level 2 controls, for example via sampling and by implementing application controls and validation circuits. The management control function may also be responsible for carrying out Level 2 controls.

Lastly, the functional departments are responsible for defining the guidelines and controls to be applied by all the commercial and industrial entities and for managing the operational risks in their respective areas: for example, the Legal, Quality, Standards, Safety and Working Environment, Cybersecurity, Human Resources, Finance and Insurance Departments. These functional departments may also be called upon to verify that Level 1 rules have been applied correctly through Level 2 control campaigns.

With a view to strengthening its internal control and improving coordination, OVHcloud has set up an Audit, Internal Control and Risk Department, which reports to the Group's Finance Department. This department assists the operational and functional departments in setting up their Level 1 and 2 control systems. The Audit, Internal Control and Risk Department also carries out internal control campaigns based on the operational departments' self-assessment of whether controls have been applied correctly. The Audit Committee monitors the rollout of the internal control system.

The third line of control is the Audit, Internal Control and Risk Department. On the basis of an annual audit plan, approved by Senior Management and the Audit Committee, audits are carried out in a fully independent manner and are the subject of an audit report which identifies any risks and the action plans needed to mitigate them.

The findings of internal audits are reported to the operational departments, as well as to Senior Management and the Audit Committee for the main findings, in order to provide reasonable assurance on the effectiveness of the internal control and risk management system.

Follow-up on action plans is presented to the Executive Committee and the Audit Committee twice a year. The Internal Audit department is also independently empowered to alert Senior Management and directors if necessary.

This sustainability statement for the 2025 financial year has been drawn up in accordance with the European Union Corporate Sustainability Reporting Directive (CSRD – directive 022/2464), as transposed into French law by Order no. 2023-1142 of 6 December 2023, and in accordance with the EU Taxonomy Regulation on sustainable activities (Regulation (EU) 2020/852) which establishes a classification system to identify environmentally sustainable activities.

This year, OVHcloud is presenting its annual sustainability information for the consolidated Group in accordance with the European Sustainability Reporting Standards (ESRS), as required by the CSRD.

The same scope of consolidation is used as for OVHcloud's consolidated financial statements. Exclusions from this scope will be specified in the relevant section, where applicable.

Sustainability matters have also been analysed across the Group's upstream and downstream value chains, as have policy and action plans where applicable.

The sustainability statement covers all of OVHcloud's operations, covering the Group's upstream and downstream value chains. The policies, actions and targets are applied throughout the value chain in question, in order to address the impacts, risks and opportunities (IROs) that have been determined as material under the double materiality analysis.

This first report has been drawn up to the best of our understanding of ESRS requirements. This first financial year of applying the directive and materiality analysis is marked by uncertainties over the interpretation of the requirements, the absence of established processes and comparative data, in a few rare cases, as well as a number of difficulties in collecting data, particularly within the value chain.

OVHcloud has not used the option to omit specific information corresponding to intellectual property, know-how or the results of innovation.

Unless otherwise specified, the terms "short-", "medium-" and "long-" term used in the analysis are used as defined by ESRS 1. As the reporting period for this analysis starts at end-2024, short-, medium- and long-term are defined as one year or less (2025), two to five years (2026 to 2029) and more than five years (2030 and beyond) respectively.

In some cases, the Group has used estimates, particularly when obtaining information on the value chain in the case of greenhouse gas (GHG) emissions, or has made interpretations, particularly for the metrics requested for resource inflows, which cannot be measured comprehensively. These estimates are described in the methodological note in Section 3.2.5 – Methodological note for assessing the environmental footprint.

At the forefront of the sustainable cloud, since its creation, OVHcloud has integrated sustainability at the heart of its business model by developing industrial innovations to limit its environmental impact. During the 2025 financial year, OVHcloud pursued its climate performance trajectory. On the strength of its commitment to the SBTi, OVHcloud is making climate change mitigation an important part of its Group strategy.

OVHcloud has included environmental criteria directly linked to the achievement of its ESG objectives into executive variable compensation (see Sections 3.1.2.3 – GOV-3 – Integration of sustainability-related performance in incentive schemes and 4.5 – Compensation and benefits in Chapter 4 of the URD).

The table below lists the IROs related to climate change that OVHcloud estimated as material during the double materiality assessment:

Among the risks identified in the double materiality assessment:

• ▶two physical risks:
  • •extreme physical or climatic event causing disruption (or even interruption) to the Group's growth due to a supply shortage in the upstream value chain,
  • •extreme physical or climatic event (excluding access to water) causing disruption (or even interruption) to datacenter operations, resulting in reputational damage, loss of revenue and increased costs (penalties, infrastructure repairs);
• ▶one transition risk:
  • •reinforcement of local regulations on climate change adaptation, generating costs (e.g., investment in infrastructure adaptation).

In its assessment, OVHcloud takes into account the environmental realities associated with its business model, including external requirements to reduce greenhouse gas emissions and how climate change-related risks affect its business and its value chain. The risks associated with climate change include natural disasters and extreme climatic events, as well as the tightening of regulations governing companies as they adapt to climate change. In this context, a climate risk assessment was carried out based on the analysis of climate risk scenarios described below.

In 2024, OVHcloud carried out a climate risk analysis across all its industrial sites (datacenters and assembly centres), as well as the Roubaix and Croix offices (they share buildings with industrial sites).

The latter, carried out by an external body, uses a climate risk analysis to assess the physical risks for four climate change scenarios mentioned by the IPCC (Intergovernmental Panel on Climate Change), as well as the regional loss experience over four different time horizons (2030, 2040, 2050, 2100), according to which risks may vary (for example, the frequency of heatwaves increasing from 2030, and marine submersion in 2100). The four scenarios, known as SSPs (Shared Socio-economic Pathways), are as follows, ranging from the least risky to the most risky:

• ▶Scenario SSP1-2.6: the scenario describes a future focused on sustainable development, with a global transition to clean energy, reinforced governance and low-carbon lifestyles. CO₂ emissions are falling, limiting warming to around 1.8°C by 2100 compared with the pre-industrial era. This scenario significantly reduces the intensity and frequency of extreme weather events compared with warmer trajectories, while remaining in line with the Paris Agreement.
• ▶Scenario SSP2-4.5: this scenario extends current socio-economic trends, with moderate growth, slow technological progress and persistent inequalities. CO₂ emissions are expected to remain stable until 2050 and then decline, leading to an average global warming of around +2.7 C by 2100 compared with the pre-industrial era. The challenges are medium to high in terms of mitigation and adaptation.
• ▶Scenario SSP3-7.0: a scenario marked by a resurgence of nationalism, low investment in education and technology, and slow and unequal economic growth. In this scenario, GHG emissions are set to double between now and 2100, leading to global warming of around +3.6 C to +4.6 C. The challenges for mitigation and adaptation are very high.
• ▶Scenario SSP5-8.5: intensification of energy-intensive lifestyles, fuelled by massive use of fossil fuels, while benefiting from strong growth and technological progress. In this scenario, CO₂ emissions are already set to double around 2050, and could triple by the end of the century, with global warming reaching around +4.4 C by 2100 (between +3.3 C and +5.7 C depending on the model). Despite high adaptive capacity, the absence of climate policies makes this scenario very risky.

Depending on the scenarios, their time horizon and their severity, the potential exposure to physical risks would be the following:

• ▶regarding extreme natural disasters: an increase in events such as floods, droughts, forest fires, cyclones and tsunamis, which can damage infrastructure and disrupt operations;
• ▶regarding resource shortages: risks of occasional or permanent shortages impacting operations and, consequently, a potential tightening of regulations (stricter standards on energy management, water use and eco-design).

These climatic impacts can subsequently lead to potential financial risks such as:

• ▶increased investment: the regulatory environment becomes more complex in terms of environmental standards and compliance, requiring additional resources to ensure compliance;
• ▶increased operating costs: for example, heat waves can increase the operating costs of cooling systems. This phenomenon also impacts the sites as regards maintaining good working conditions for the Group's employees;
• ▶disruption of services: inability to provide services in accordance with contractual conditions, resulting in financial compensation or additional costs;
• ▶shortages of raw materials: climate change may cause shortages, making raw materials more expensive.

OVHcloud identified climate-related material IROs as part of its double materiality assessment, as described above.

As part of its assessment and evaluation of physical risks, the Group relied on historical data, mainly on optimistic and sometimes more pessimistic scenarios, which predict an increase in the frequency and intensity of extreme weather events such as floods, droughts, forest fires, cyclones, etc., that could damage physical infrastructures and disrupt the Group's operations or have a negative impact on its value chain. Scenario SSP1-2.6 was also taken into account in the context of a financial risk generated by the strengthening of environmental regulations causing additional costs.

For the purposes of climate change mitigation, the SSP1 and SSP2 scenarios were considered. Materiality was established by taking into account the level of GHG emissions as they currently stand, without any means of remediation and with a business-as-usual approach. As a topical issue, the environmental impact of datacenters and their emissions is inevitably a key topic for the Group.

With regard to energy, due to the impact of datacenters on energy appropriation – particularly with the growth of generative AI (artificial intelligence) – the Group identified two negative impacts both for its own operations and for its value chain.

OVHcloud is putting GHG emissions reduction at the heart of its ambitions, by focusing on three main priorities:

• ▶reduction of compressible emissions by 2030;
• ▶involvement of the ecosystem: partners, customers, suppliers and employees in a process to reduce their carbon footprint;
• ▶contribution to increasing carbon sinks for all residual emissions.

OVHcloud developed a short-term strategy leading to the objectives described above. These objectives have been developed by incorporating the resources required to achieve them into the Group’s business plan.

The carbon footprint established in 2022 (baseline year) was verified by an external body.

OVHcloud has been committed since 2023 to a process following the SBTi, an international benchmark that helps organisations to align their decarbonisation strategy with the pathway defined by the Paris Agreement.

The SBTi deemed OVHcloud's two near-term objectives, established according to a specific sectoral pathway (softwares & services), as being compatible with the 1.5°C global objective.

The reduction in compressible emissions is reflected in the near-term commitments made and validated by the SBTi at the end of 2024.

The main reduction objectives are presented below:

OVHcloud is not engaged in activities meeting the exclusion criteria of Articles 12.1 (1) and 12.2 (2) of Commission Delegated Regulation (EU) 2020/1818 of 17 July 2020.

OVHcloud has no locked-in emissions, as the Company's assets are mainly powered by electricity grids.

The main decarbonisation levers are as follows:

• ▶decarbonising the energy mix and improving energy efficiency (scopes 1 and 2);
• ▶purchasing more efficient equipment and implementation of circularity (scope 3).

An exhaustive list of decarbonisation levers and their implementation is presented in Section 3.2.1.6 – E1-3/E4 Actions and targets in relation to climate change policies.

The near-term commitments and Group CSR policy were approved by the Group's Executive Committee and Senior Management, signatories of the SBTi commitment letter.

In terms of adaptation, OVHcloud has prioritised adaptation to physical risks that could lead to business interruption.

These initiatives are part of a proactive approach to adapting to the impacts of climate change, thereby ensuring the sustainability of OVHcloud's infrastructure and services.

The Group implemented the “hyper resilience” program, aimed at strengthening physical security and continuity of services in the face of extreme events. This programme includes the construction of datacenters that meet enhanced security standards.

In addition, through the analysis of climate scenarios, specific action plans for each site were drawn up and presented to the risk monitoring governance body. Measures were taken to mitigate the prevailing risks in order to limit the risk of business interruption or service interruptions (hail, storms, cold weather, flooding, etc.) at the various locations where the Group's infrastructures are located. The Group also carries out risk analyses before acquiring new sites.

The Group is still studying medium- and long-term priorities for reducing its exposure to the risks quantified in the various scenarios.

OVHcloud launched its approach to climate change in 2022, fine-tuning its objectives and structuring its approach by mobilising various players in the Group and its value chain. With this in mind, various Group departments are supporting this transition by developing committed policies.

The CSR policy covers all Group entities with regard to environmental topics and defines environmental targets.

The Supplier Code of Conduct and the sustainable procurement policy reinforce this approach by incorporating climate change-related criteria. The Purchasing Department requires its suppliers to reduce their GHG emissions, by prioritising low-carbon solutions and raising their employees' awareness of climate matters, and to provide OVHcloud with the necessary data to calculate its own carbon emissions accurately and within a reasonable timeframe. It also requires its suppliers to commit to improving their energy efficiency.

The table below summarises OVHcloud's actions and targets in relation to climate change:

Constant attention is paid to energy efficiency, particularly watercooling which is the foundation and cornerstone of the cooling technologies rolled out for over 20 years and used on a large scale. This technology eliminates the need for air conditioning in server rooms, with significant benefits in terms of cost management and reduced environmental impacts.

Direct watercooling removes heat from the most energy intensive components, such as processors (CPU, CGU), and the air (which is then cooled inside the rack using water through a heat exchanger) and removes heat from other components. The heated water is then cooled using dry cooling towers. OVHcloud stands out with its closed circuit system that reduces the leakage of fluid, and by the use of dry coolers and the absence of air conditioning in the server rooms. In addition to being very efficient in terms of water and energy consumption, OVHcloud’s watercooling technology has relatively low maintenance costs.

The deployment of the latest-generation cooling systems (5th generation) continued in 2025, enabling the infrastructure to be operated at higher water temperature regimes, with higher efficiency (partial PUE of 1.06).

The roll out of new electrical units is being accompanied by the installation of more efficient equipment (high-yield UPS or inverters, busbars).

The plan to modernise the oldest datacenters, such as RBX1 (Roubaix 1), is currently underway. This upgrade will improve the Group's energy efficiency, as the older datacenters are less energy-efficient than newer ones.

Remaining within the framework of eliminating waste, the Company's own datacenters are implementing optimised settings in rooms that are still air-conditioned (network rooms, technical rooms or battery rooms). Servers not in use are switched off to avoid unnecessary energy consumption.

Implementation of the energy performance plan, in conjunction with the French Regional Department for the Environment, Planning and Housing (DREAL – Direction Régionale de l'Environnement, de l'Aménagement et du Logement), is ongoing at Gravelines, while studies into waste heat recovery are being carried out at the Roubaix and Strasbourg sites.

A fraction of this waste heat from the IT servers is already being reused internally to:

• ▶heat offices at the Limburg site (Germany), saving around 100,000 kWh of gas;
• ▶preheat the Roubaix generators.

Energy performance can be assessed according to the processes implemented within the Group. The Group is constantly making strides in its energy performance, as demonstrated by obtaining ISO 50001 certification for improving energy performance and by the continuous improvement of the PUE energy performance metric. This metric stood at 1.24 at the end of FY2025 (compared with 1.26 at the end of FY2024).

This year, OVHcloud extended ISO 50001 certification to its European datacenters Erith (UK), Limburg (Germany) and Ożarów (Poland), in addition to the French datacenters, which already received the certification in previous years.

OVHcloud also contributes to the EU Code of Conduct on Energy Efficiency, with all its own operated datacenters now registered, including those in North America.

The PUE results are given below:

The IT energy consumption (consumption of electricity by IT systems) of directly operated datacenters was measured in all datacenters with the exception of the first Beauharnois datacenters (BHS). The Group deemed that this represented a relevant and representative panel. The coverage rate will naturally increase to 100% as the first BHS datacenters are upgraded in the future.

The supply of renewable energy is a target in its own right for OVHcloud. For its directly held datacenters, the Group set itself the target of achieving 100% renewable electricity supply by 2025.

A number of Corporate Power Purchase Agreements (CPPAs) were signed to this end, including:

• ▶in France, for 40 GWh/year, in production since 1 January 2025;
• ▶in Germany, for 25 GWh/year, in production since 1 January 2025;
• ▶in Poland, for 5 GWh/year, which will come into production in 2026.

OVHcloud will set up other CPPAs to guarantee its supply of low-carbon and renewable electricity.

Energy Attribute Certificates (EACs) are also acquired in the various countries in which OVHcloud operates its datacenters.

In addition to electricity, OVHcloud's datacenters consume domestic heating oil on a small scale. This heating oil is used to produce electricity as a last resort, via the emergency generators installed in the datacenters.

Domestic fuel consumption, although low, is as a result of maintenance and shutdown tests (except in the event of a power cut).

OVHcloud is gradually replacing the fossil fuel (domestic heating oil) used by its generators with HVO fuel, derived from organic waste and residues (which do not compete with food crops).

The Roubaix, Gravelines, Strasbourg and Erith datacenters are now equipped with HVO fuel.

The REF results are detailed below:

The reduction in scope 1 and 2 GHG emissions was essentially driven by the topics covered in the two previous paragraphs:

• ▶improve energy efficiency;
• ▶supply renewable and low-carbon energy.

Another source of GHG emissions comes from the use of refrigerants (HFCs) in datacenters. Fugitive emissions, caused by accidental leaks in air conditioning systems, are the cause.

The majority of refrigerants installed in OVHcloud's directly operated datacenters are at its oldest datacenter, RBX1. This datacenter will be upgraded over the coming years, and will be equipped with the watercooling technologies now present in the latest datacenters. This will not only improve energy performance, but also eliminate the use of HFCs, thereby eliminating the risk of leakage at the source of the problem.

More generally, particular attention is paid to complying with the Kyoto Protocol and the Kigali Amendment: using fewer and better quality HFCs (i.e., with lower global warming powers). Since 2011, the server rooms operated in OVHcloud's own datacenters have had no direct cooling, and do not rely on HFCs. Since 2020, the UPS rooms have also been cooled using watercooling. Only the battery rooms and network rooms are currently air-conditioned in OVHcloud datacenters, i.e., less than 5% of the heat to be evacuated from said datacenters.

The list of actions contributing to the reduction of scope 1 and 2 emissions is summarised below:

As the Group's largest source of emissions in the 2022 baseline year – with more than 62,700 tCO2e – the purchase of IT components is the main item on which OVHcloud is taking action.

The carbon footprint of IT components was calculated based on data from comparative studies carried out by an independent third-party expert in sustainable IT and Green IT.

OVHcloud has since set up a process for collecting primary data from its suppliers in order to better identify these component purchases.

In 2025, the Group obtained the emission factor for 64% of its IT components from its suppliers (as a percentage of functional units).

Collecting primary data from suppliers facilitates decision-making for component purchases.

Another way of avoiding waste is to implement the circular economy for buildings and IT components. Although this part is detailed in Section 3.2.3 – ESRS E5 – Resource use and circular economy, positive external factors also contribute to OVHcloud’s carbon footprint. The rate of reused components is a good indicator for quantifying avoided emissions, since a reused component is a component that has not been purchased.

With regard to in-house equipment needed by employees, OVHcloud implemented voluntary actions, such as awareness-raising, preventive maintenance and repairs, with the aim of extending their lifespan. At 31 August 2025, around 40% of laptops given to employees were over three years old, and 65% of smartphones were more than two years old.

With regard to employee commuting, the Group introduced measures to promote soft mobility, rewarding employees who cycle or take public transport to work.

The list of actions contributing to the reduction of scope 3 GHG emissions is summarised below:

Environmental labelling is a powerful tool for users to measure the impact of the products and services consumed. OVHcloud has developed a “carbon calculator”, now referred to as the Impact Tracker, to give customers a better understanding of their cloud infrastructure’s carbon footprint, and help them with their environmental transition and consumption choices. Its name change follows OVHcloud’s research work to make this tool multi-criteria (see Section 3.2.2 – ESRS E3 – Water and marine resources and Section 3.2.3 – ESRS E5 – Resource use and circular economy).

This tool is the result of a rigorous design process of developing a reliable, robust and exhaustive methodology, as well as rapid IT development. The methodology, which was audited and certified by an independent consulting firm specialising in sustainable IT, is based on LCA (life cycle analysis) principles, reference databases for environmental impact factors, such as the French Agency for Ecological Transition (Agence de l'environnement et de la maîtrise de l'énergie – ADEME) Base IMPACTS® 3.0, and the first recommendations of ADEME’s Product Category Rules for digital services. To enhance the reliability of its solutions' environmental labelling, OVHcloud has worked in collaboration with its main suppliers, the academic world (Inria) and associations (Boavizta) to improve its knowledge about the carbon footprint of their activities. The Group now has more precise data on the supply of access to energy, specifying if they are "location-based" or "market-based", and a significant proportion of its components, taking into account any retrofitting.

OVHcloud launched the first version of its carbon calculator in July 2023 for the Bare Metal Cloud range. The first enhancement for Hosted Private Cloud customers took place in the first quarter of the 2024 financial year. Barely three months after it was made available to customers, OVHcloud's carbon calculator was awarded the Green Trophy at The Big Green forum, an event dedicated to CSR. The award recognises the technical sophistication of the calculator's methodology and its comprehensiveness. OVHcloud is the first company to provide such comprehensive environmental information to its customers. Since then, the tool has been enhanced with more precise calculation elements, thanks to the dual display of emissions linked to the use phase (market-based and location-based) and also to the manufacturing phase, thanks to the inclusion of component reconditioning.

Following the production launch of the tool in 2023, and its subsequent update in 2024, OVHcloud decided to extend the portfolio of products covered by the tool. In 2025, the Public Cloud sector integrated the tool through compute and storage products. This sector represents a growing share of the Group’s revenue and a methodological challenge for the extension of the tool (the physical layer of the infrastructures is totally abstract/invisible for public cloud customers).

Accessible to customers directly from their OVHcloud space, the tool integrates the estimated power consumption of servers based on the monitoring of OVHcloud datacenters. It then maps them to their carbon emissions equivalent, taking into account cooling and network systems as well as transport, manufacturing, end-of-life and waste management, to provide a complete picture of the current carbon footprint. The results for cloud usage, which each user can download, are broken down into three emission categories:

• ▶the manufacturing phase: upstream GHG emissions linked to the purchase and assembly of components;
• ▶the use phase: electricity-related emissions;
• ▶ancillary emissions: other indirect emissions such as freight and the impact of employees – known as "operations".

Since it went online, the tool has generated an average of around 500 downloads per month.

OVHcloud’s aim is to establish best practices in the supply chain by ripple effect, and in particular, data-driven decision making.

The table below shows the energy consumption of OVHcloud's own datacenters. This is expressed in GWh and by type of energy:

The total energy consumption of the datacenters not operated by OVHcloud is estimated at 28 GWh.

The table below shows OVHcloud’s GHG emissions statistics for each of scopes 1, 2 and 3. The year 2022 is also presented as a baseline year. It should be noted that the Group measures its GHG emissions in accordance with the GHG Protocol.

Scope 1

• ▶Scope 1 emissions amounted to 1,325 tCO2e in FY2025. Emissions have fallen since 2024 and are stable compared with 2022.
• ▶Fugitive emissions (unintentional gas emissions) related to refrigerant (HFC) leaks are returning to 2022 and 2023 levels.
• ▶Emissions from the vehicle fleet are stable.
• ▶Emissions linked to the operation of emergency generators are increasing as the Group grows. These are mainly used for testing and maintenance. To date, HVO fuel has not been accounted for.

Scope 2

• ▶Location-based: despite the increase in the Group's electricity consumption, emissions are falling due to the improved performance of France's nuclear power plants since 2024, offsetting emissions linked to growth in areas with more carbon-intensive electricity. Scope 2 location-based emissions amounted to 58,087 tCO2e.
• ▶Market-based: purchases of EACs for the Vint Hill site in Virginia resulted in emissions reductions, compared to 2024. All the other datacenters were covered in previous years. Residual emissions, which are not covered by EACs, are due to energy consumption by datacenters that are not operated directly by the OVHcloud Group, in shared datacenters or Local Zones. Scope 2 market-based emissions amounted to 9,981 tCO2e.

Scope 3

• ▶Category 1 (Purchased goods and services): emissions increased due to greater use of outsourced services.
• ▶Category 2 (Capital goods): emissions decreased thanks to a purchasing policy that accounts for the carbon footprint of the IT equipment used by the manufacturers to construct the servers.
• ▶Category 3 (Fuel and energy-related activities): location-based emissions decreased due to the increased performance of France’s nuclear power plants since 2024. Market-based emissions increased due to greater use of biomass for energy at Vint Hill.
• ▶Category 4 (Upstream transportation and distribution): the increase in emissions is explained by the greater use of air freight this year. The Group is currently working to limit this practice by favouring sea freight, particularly for transfers between the Croix and Beauharnois sites.
• ▶Category 8 (Upstream leased assets): emissions decreased, mainly due to a more accurate quantification of the impacts relating to the backbone of the OVHcloud network. Previously, OVHcloud extrapolated the results of a study revised in 2021 ("Report: evaluation of the carbon footprint of the transmission of a gigabyte of data on the RENATER network") and applied them to the backbone of its own network.
• This year, OVHcloud developed a new methodology, assessing the impacts associated with POPs (“Point of Presence” leases) throughout the lifecycle, terrestrial links (optical fibres) and undersea telecommunications cables separately.
• The following blog page details the methodology used: https://blog.ovhcloud.com/ovhcloud-backbone-network-environmental-impact-assessment-methodology/
• Emissions due to electricity consumption by leased offices, recorded in this category, remain stable.
• ▶Category 11 (Use of sold products): emissions are falling thanks to the improved performance of France's nuclear power plants since 2024, reducing emissions linked to the use of products by our customers: switchboards, VOiP (Voice Over Internet Protocol), modems.

The other categories are stable.

Overall, scope 3 emissions were down by more than 9% on the base year, and by 36% in GEVA.

Through its approach and its commitment to human rights, OVHcloud's human rights policy aims to reflect a vision of the world and the type of society in which everyone wishes to live. It is based on the Ten Principles of the UN Global Compact and is broken down as follows:

• ▶ensuring equal treatment and opportunities. OVHcloud is committed to combating all forms of discrimination and harassment by applying a zero-tolerance policy. OVHcloud is committed to promoting a human-centred environment, characterised by respect and diversity, and to supporting its employees based solely on competence. OVHcloud does not practice any form of discrimination or harassment linked to gender, disability, family background, political involvement, religious faith, sexual orientation, trade union activities or ethnic origins;
• ▶guaranteeing freedom of expression and dialogue with the Group's customers, employees and suppliers;
• ▶implementing freedom of association and collective bargaining. OVHcloud attaches great importance to social dialogue, a guarantee of involvement and collective performance, and maintains ongoing high-quality relationships with employees and their representatives within the bodies created for this purpose;
• ▶ensuring a workplace free from all forms of moral and sexual harassment, therefore fostering interaction in a human-centred, diverse environment that drives the Group's business. OVHcloud is committed to maintaining a safe and healthy working environment, ensuring that safety procedures are understood by each employee and that each individual action does not entail any risk. Every employee has the right to be treated with respect and dignity. The Group refuses to ignore any situation that could lead to harassment or unhappiness among its employees;
• ▶providing safe and healthy workplaces for all employees on our sites. In order to promote the prevention of health and safety risks, OVHcloud has defined procedures aimed at complying with legal requirements in terms of health, safety and the environment in all countries where the Group operates, and at implementing all satisfactory measures to protect the health and physical integrity of workers, customers and local communities in order to protect the environment. OVHcloud is committed to maintaining a safe and healthy working environment, ensuring that all its employees are aware of emergency procedures and that individual actions do not entail any risk. The implementation of these procedures involves engagement across all levels of management and the accountability of all employees. In addition, the Group ensures that all employees are aware of and comply with rules regarding health, safety and working conditions, and that they report any behaviour, installation or situation that could lead to an accident to management (see Section 3.3.2.4 – Management of impacts related to health and safety);
• ▶fighting against child or forced labour or human trafficking. OVHcloud does not employ minors or children in its businesses and strives to ensure that its suppliers do not engage in any form of child labour along their supply chains. OVHcloud does not use forced labour, servitude or modern slavery and all its employees have an employment contract, which they can terminate at any time in accordance with the applicable laws. The Group respects labour law in all the countries where it operates;
• ▶ensuring the protection and confidentiality of data entrusted to us by customers and, more generally, by all stakeholders. The Group is also campaigning for a European cloud, guaranteeing the technological independence of Europe and the sovereignty of its data. In order to guarantee the protection of the data entrusted to it, OVHcloud deploys all necessary means in terms of cybersecurity and physical protection of its sites. In addition, internal procedures for IT security and raising employees’ awareness of the risk of IT attacks, in particular by carrying out simulations, have been put in place. OVHcloud has adopted a personal data processing policy that complies with the strictest regulations and applies to all its entities and employees. The policy guarantees customers that their data are secure and ensures compliance with the General Data Protection Regulation and all applicable national legislation, such as the UK Data Protection Act, the Australian Data Protection Act and Quebec's Law 25.
• ▶supporting the right to education. OVHcloud invests in training and development by creating training courses adapted to the needs of its employees (see Section – 3.3.2.5 Management of impacts related to talent management and skills development).

Since 2023, the human rights policy has applied to all OVHcloud entities and subsidiaries (excluding US entities), regardless of their location in the world, as well as to all stakeholders.

OVHcloud Group's human rights policy refers to the following international frameworks:

• ▶the Ten Principles of the UN Global Compact. These fundamental principles concern human rights, labour law, environmental law and anti-corruption;
• ▶the Universal Declaration of Human Rights;
• ▶the International Covenant on Civil and Political Rights;
• ▶the International Covenant on Economic, Social and Cultural Rights;
• ▶the ILO Declaration on Fundamental Principles and Rights at Work;
• ▶the Convention on the Elimination of All Forms of Discrimination against Women;
• ▶the Convention on the Rights of the Child;
• ▶the Convention on the Rights of Persons with Disabilities;
• ▶the International Convention on the Elimination of All Forms of Racial Discrimination.

It also complies with local regulations on the fight against modern slavery, in particular the UK's Modern Slavery Act.

The human rights policy was drafted by the Ethics and Compliance Department in consultation with the various stakeholders, and validated by the Group's Executive Committee (Comex) and the Board of Directors. On an operational level, the human rights policy is implemented by various OVHcloud contributors (Comex, Human Resources Department, Purchasing Department, Legal Department, etc.) and may be reinforced by specific policies, charters or documents (HSE policy – health, safety and environment, diversity policy, etc.), as well as by versions of these policies adapted at local levels.

The commitments and monitoring of the human rights policy are drawn up and monitored by the CSR Steering Committee, as set out in Section 3.1.2.1 – GOV-1 – The role of the administrative, management and supervisory bodies.

All the Group's policies and procedures, whether they concern its employees, the workers in its value chain or its customers, are based on the principles set out in this chapter. To ensure that it is properly applied and disseminated, the policy is available and can be consulted on the corporate.ovhcloud.com website(2).

OVHcloud is aware of its duty to the community and is taking action to minimise its impact on the environment and make a positive contribution to it. OVHcloud is committed to protecting human rights at all levels and at all stages of its value chain.

• ▶through the code of ethics, which sets out the Group's commitments to its stakeholders on a day-to-day basis;
• ▶in terms of purchasing, OVHcloud requires its suppliers, through its Supplier Code of Conduct, to respect human rights, and reminds them of the obligations relating to the non-use of child labour and forced labour, the fight against discrimination and harassment, freedom of association, as well as compliance with legislation on working hours and health and safety measures. Any breach will automatically justify the termination of business relations;
• ▶the "ROGER" (Respect OVHcloud Guidelines & Ethical Rules) platform enables workers in the value chain to report breaches in this area. The whistleblowing system is accessible 24 hours a day, 7 days a week (24/7) for stakeholders.

In general, OVHcloud handles all reports relating to the human rights policy from communities or customers.

Above all, these measures ensure that OVHcloud conducts its business in an ethical manner that respects human rights in all spheres of its business practices.

In the United States, OVHcloud US is committed to respecting human rights through its code of ethics and internal regulations for employees, which were drawn up by the entity's legal and human resources departments. It is committed to respecting rules concerning equal opportunities, fair treatment and respect for each individual internally, in order to guarantee a healthy and safe environment for its employees. It also encourages its employees to choose partners who respect good working conditions in their practices (decent wages, safety, etc.) and to report any non-compliant behaviour.

As part of the identification and assessment of material IROs, the Group has identified impacts and risks relating to governance, corporate culture, ethics and its supply chain.

The process for identifying material IROs is detailed in Section 3.1.4.1. IRO-1 – Description of the process to identify and assess material IROs. OVHcloud has identified the following material IROs related to governance:

As part of its double materiality assessment, OVHcloud has identified challenges related to cybersecurity, data protection and data sovereignty as material for the Group, both in terms of the impact on its customers and the financial impact on the Group.

Cybersecurity is a central issue in the Group’s business. Security and data breaches have a major potential impact both on the Group’s customers and on the Group itself. But this also poses an opportunity for the Group, as it is equipped with high-performance security systems to meet the needs of its customers.

Data sovereignty is also one of the major pillars of OVHcloud's strategy, and represents an advantage over its competitors. It enables the Group’s customers to entrust their data to a system that protects them from extraterritorial interference at a large proportion of its sites.

This is a translation into English of the statutory auditor report on the certification of sustainability information and verification of the disclosure requirements under Article 8 of Regulation (EU) 2020/852 of the Company issued in French and it is provided solely for the convenience of English speaking users.

This report should be read in conjunction with, and construed in accordance with, French law and the H2A guidelines on “Limited assurance engagement - Certification of sustainability reporting and verification of disclosure requirements set out in Article 8 of Regulation (EU) 2020/852".

Report on the certification of sustainability information and verification of the disclosure requirements under Article 8 of Regulation (EU) 2020/852

August 31st, 2025

To the Annual General meeting of OVH Groupe S.A.,

This report is issued in our capacity as statutory auditor of OVH Groupe S.A.. It covers the sustainability information and the information required by Article 8 of Regulation (EU) 2020/852, relating to the year ended August 31st, 2025 and included in section 5 in the group management report and presented in Part 3 “Sustainability Statement” in the Universal Registration Document (hereinafter the “Sustainability Statement”).

Pursuant to Article L. 233-28-4 of the French Commercial Code, OVH Groupe S.A. is required to include the above mentioned information in a separate section of the group management report. This information has been prepared in the context of the first time application of the aforementioned articles, a context characterized by uncertainties regarding the interpretation of the laws and regulations, the use of significant estimates, the absence of established practices and frameworks in particular for the double-materiality assessment, and an evolving internal control system. It enables an understanding of the impact of the activity of the group on sustainability matters, as well as the way in which these matters influence the development of the business of the group, its performance and position. Sustainability matters include environmental, social and corporate governance matters.

Pursuant to Article L.821-54 paragraph II of the aforementioned Code our responsibility is to carry out the procedures necessary to issue a conclusion, expressing limited assurance, on:

• ▶compliance with the sustainability reporting standards adopted pursuant to Article 29 b of Directive (EU) 2013/34 of the European Parliament and of the Council of 14 December 2022 (hereinafter ESRS for European Sustainability Reporting Standards) of the process implemented by OVH Groupe S.A. to determine the information reported, and compliance with the requirement to consult the social and economic committee provided for in the sixth paragraph of Article L. 2312- 17 of the French Labour Code;
• ▶compliance of the sustainability information included in section the Sustainability Statement with the requirements of L. 233-28-4 of the French Commercial Code, including ESRS; and
• ▶compliance with the reporting requirements set out in Article 8 of Regulation (EU) 2020/852.

This engagement is carried out in compliance with the ethical rules, including independence, and quality control rules prescribed by the French Commercial Code.

It is also governed by the H2A guidelines on “Limited assurance engagement - Certification of sustainability reporting and verification of disclosure requirements set out in Article 8 of Regulation (EU) 2020/852".

In the three separate sections of the report that follow, we present, for each of the sections of our engagement, the nature of the procedures that we carried out, the conclusions that we drew from these procedures and, in support of these conclusions, the elements to which we paid particular attention and the procedures that we carried out with regard to these elements. We draw your attention to the fact that we do not express a conclusion on any of these elements taken individually and that the procedures described should be considered in the overall context of the formation of the conclusions issued in respect of each of the three sections of our engagement.

Finally, where deemed necessary to draw your attention to one or more disclosures of sustainability information provided by OVH Groupe S.A. in the group management report, we have included an emphasis of matter paragraph hereafter.

As the purpose of our engagement is to express limited assurance, the nature (choice of techniques), extent (scope) and timing of the procedures are less than those required to obtain reasonable assurance.

Furthermore, this engagement does not provide guarantee regarding the viability or the quality of the management of OVH Groupe S.A., in particular it does not provide an assessment, of the relevance of the choices made by OVH Groupe S.A. in terms of action plans, targets, policies, scenario analyses and transition plans, which would go beyond compliance with the ESRS reporting requirements.

It does, however, allow us to express conclusions regarding the entity’s process for determining the sustainability information to be reported, the sustainability information itself, and the information reported pursuant to Article 8 of Regulation (EU) 2020/852, as to the absence of identification or, on the contrary, the identification of errors, omissions or inconsistencies of such importance that they would be likely to influence the decisions that readers of the information subject to this engagement might make.

Any comparative information that would be included in the in the group management report are not covered by our engagement.

Since the admission of the Company’s shares to trading on the Euronext Paris regulated market in October 2021, the Company has referred to and complies with the Corporate Governance Code for Listed Companies drawn up by the Association française des entreprises privées (the “AFEP”) and the Mouvement des entreprises de France (the “MEDEF”) as updated in December 2022 (the “AFEP-MEDEF Code”).

The AFEP-MEDEF Code with which the Company complies may be consulted online at http://www.medef.com or http://www.afep.com. The Company permanently maintains copies of the code for consultation by the members of its corporate bodies.

At its meeting on 20 October 2025, the Board of Directors noted the decision to terminate the separate governance structure, on the recommendation of the Appointments, Compensation and Governance Committee, and decided to appoint Octave Klaba as Chairman and Chief Executive Officer of the Company. The term of office of Benjamin Revcolevschi ended automatically on said date.

By law, the Board of Directors elects, from among its members, a Chairman who is a natural person and whose role is described in Section 4.1.9.7 above.

The Board of Directors entrusts the general management of the Company either to the Chairman of the Board of Directors (who holds the title of Chairman and Chief Executive Officer) or to another natural person, who may or may not be a director, holding the title of Chief Executive Officer.

As set out in the AFEP-MEDEF Code, the law does not give preference to either governance method over the other and it is up to the Company’s Board of Directors to choose between exercising unified or separate general management, depending on its particular requirements.

Governance method

At its meeting on 20 October 2025, the Board of Directors decided to adjust its governance structure by reuniting the previously separated roles of Chairman of the Board of Directors and Chief Executive Officer, with Octave Klaba being appointed Chairman and Chief Executive Officer.

Reuniting these roles is the most effective way of exercising general management in the implementation of the Company's new strategic plan, in order to strengthen the link between vision, strategy and the execution of the plan. In addition, combining these roles is better suited to OVHcloud in this context, as it allows for greater efficiency in managing strategy and in governance, which will be facilitated and streamlined around a tighter-knit Board of Directors.

In accordance with the law, the Chief Executive Officer is vested with the broadest powers to act in all circumstances in the name of the Company. He exercises his powers within the limits of the corporate purpose. However, as an internal rule, the Chief Executive Officer exercises his powers within the limits set by the Board of Directors’ internal regulations. The following decisions by the Chief Executive Officer require the prior authorisation of the Board of Directors:

• ▶the Group’s annual budget and business plan, including any modifications thereto;
• ▶any decision regarding any individual capital expenditure that would exceed the annual budget by 7.5%;
• ▶any acquisition or sale of assets (including patents and intellectual property rights), business goodwill or shares by a company of the Group, not included in the annual budget, for an individual amount exceeding €25 million;
• ▶authorisation for the Chairman to grant sureties, endorsements and guarantees;
• ▶any amendment to the Company’s Articles of Association within the conditions provided for by law; and
• ▶any decision of a Group company to enter into a new financing agreement with a third party (other than with a Group company and other than in the context of an existing Revolving Credit Facility) for an amount exceeding €25 million and not included in the annual budget.

To the best of the Company’s knowledge, the following transactions were carried out during the past financial year in the Company’s shares by the persons referred to in Article L. 621-18-2 of the French Monetary and Financial Code:

The information relating to corporate governance and constituting the report of the Board of Directors on this subject is already included in other sections of this Universal Registration Document. In order to limit repetition, the cross-reference table below provides a link between each section of the report and the corresponding paragraph of this document.

In accordance with the provisions of the AFEP-MEDEF Code, the Board of Directors, acting on the recommendations of its Appointments, Compensation and Governance Committee, carries out an annual review of the compensation of executive corporate officers.

In particular, the review ensures that the compensation policy applicable to executive corporate officers is aligned with the Group's strategy and that there is an appropriate breakdown between the various compensation components (fixed and variable annual compensation, long-term compensation plan and other benefits or additional compensation elements). The review of the compensation components of the Chairman of the Board of Directors and the Chief Executive Officer also takes into account studies and benchmarks relating to the compensation applicable in companies comparable to OVH Groupe and in SBF 120 companies.

The summary of the compensation components of the executive corporate officers paid during or awarded in respect of the 2025 financial year, as well as the 2026 compensation policy, submitted to the vote of the shareholders at the Combined General Meeting of 12 February 2026, are presented below.

At its meeting of 20 October 2025, the Board of Directors of OVH Groupe confirmed that the AFEP-MEDEF Code is the code to which the Company refers, in particular concerning the compensation of executive corporate officers. This Universal Registration Document, and in particular the tables in Section 4.5.2.2 (stock subscription and/or purchase options, free shares, performance shares), have been prepared in accordance with the format recommended by the AFEP-MEDEF Code and AMF recommendation 2012-02.

The principles and criteria for determining, distributing and awarding the fixed, variable and exceptional components of the total compensation and benefits in kind attributable to the executive corporate officers by virtue of their office, constituting the compensation policy concerning them, are approved by the Board of Directors on the recommendations of the Appointments, Compensation and Governance Committee, and are subject to shareholder approval (“ex-ante vote on the compensation policy”) at the General Shareholders’ Meeting in accordance with Article L. 22-10-8 of the French Commercial Code.

In addition, pursuant to Article L. 22-10-34 of the French Commercial Code, the General Shareholders’ Meeting votes on: (i) the fixed, variable and exceptional components of the total compensation and (ii) the benefits in kind paid during or awarded in respect of the previous financial year to the executive corporate officers (“ex-post vote on compensation in respect of the previous financial year”). As a result, the payment of variable or exceptional compensation in respect of a financial year is subject to their approval by the General Shareholders’ Meeting called to approve the financial statements of that financial year.

Related entities mainly include companies controlled by Octave Klaba, founder and Chairman of OVH Groupe’s Board of Directors, and other entities controlled by other members of the Klaba family, who are direct or indirect partners of the Company or by the Chairman of OVH SAS and Chief Executive Officer of OVH Groupe.

Pursuant to the agreements detailed below entered into with related parties and related to the conduct of the business, the Group recognised a total amount of operating expenses of €10,227,582 for FY2025 versus €5,922,055 for FY2024, and concerning net financial income (expense) (IFRS 16), a net expense of €72,028 for FY2025 versus €77,756 for FY2024. More detailed figures for related-party transactions are included in the consolidated financial statements for the year ended 31 August 2025.

The main related-party transactions are described in this chapter.

None.

OVH’s General Shareholders’ Meetings are convened and deliberate under the conditions provided for by law and in the Articles of Association.

The provisions of OVH’s Articles of Association relating to General Meetings and the procedures for exercising voting rights at General Meetings are set out in Title IV – General Meetings – Article 22 – Meetings, Composition, Deliberations, of OVH’s Articles of Association, which are available online at
 www.corporate.ovhcloud.com, Governance section.

The following table presents the key figures for FY2025.

OVHcloud has achieved all its FY2025 objectives, with net income.

• ▶Revenue broke through the billion euro mark, up 9.3% on FY2024 on a like-for-like basis.
• ▶Adjusted EBITDA margin above 40%.
• ▶Doubling of Unlevered Free Cash Flow (adjusted EBITDA less capex, working capital requirement and corporation tax paid).
• ▶Recurring and growth capex representing 12% and 21% of revenue for the period respectively.

Octave Klaba, Chairman and CEO of OVHcloud, said:

“In 2025, OVHcloud broke through the symbolic €1 billion revenue mark. We achieved our objectives for the year. I would like to thank Benjamin Revcolevschi for his commitment during this final year of the 2021-2025 strategic plan. Over the past five years, among other things, we have successfully built up the Corporate segment, where we now generate over €200 million in revenue. We have developed and rolled out 40 Public Cloud products, which now bring in revenue of over €100 million. We have also successfully established a strong presence in the United States, generating more than €100 million in revenue. These results are testament to the unwavering commitment of our teams, who I would like to congratulate and thank, and the support of our financial partners, who have placed their trust in us since our IPO in 2021.

The geopolitical context and the surge in the cloud and AI markets mean we must increase our rate of development in order to stay one step ahead. That is why the Board of Directors decided to align vision, strategy, and execution by appointing me as Chairman and Chief Executive Officer. In a few months, I will be presenting our 2026-2030 strategic plan, “Step Ahead”, through which we aim to guide our teams and support our customers, while generating value for our shareholders.”

During FY2025, OVHcloud carried out a successful refinancing and was able to diversify its funding sources. The new funding includes:

• ▶€500 million in senior unsecured bonds at a fixed rate of 4.75%, maturing in 2030, issued on 5 February 2025. This inaugural issue has refinanced part of the Group’s existing debt. It has been rated BB- by S&P and Ba3 by Moody's;
• ▶a €450 million green bank loan maturing at the end of 2029. OVHcloud became the first European cloud player to take out an EU Taxonomy-aligned green loan;
• ▶a multi-purpose drawable credit facility for €200 million (not yet drawn down), maturing in 2029.

OVHcloud has developed Bare Metal Pod, a Private Cloud platform that gives users complete autonomy in creating and managing their cloud. SecNumCloud qualified, it offers native integration of the essential security building blocks: data encryption, key management, network isolation and access control.

On 31 March 2025, DEEP, part of POST Group, the leader in telecoms and ICT, postal and postal financial services in Luxembourg, and OVHcloud signed a strategic partnership to develop a sovereign Cloud in Luxembourg. The DEEP Sovereign Cloud will be based on OVHcloud's On-Prem Cloud Platform (OPCP): an integrated cloud platform (hardware and software), which will be hosted and operated autonomously by DEEP in its own Tier IV certified data centres in Luxembourg, in an offline mode.

With Kubernetes becoming the base of Cloud Native infrastructures, OVHcloud launched Managed Kubernetes Service (MKS) Standard, a managed platform designed to meet the requirements of mission-critical applications in multi-cloud environments. This new Public Cloud offering is now available in the 3-AZ Paris region, and will be rolled out in the 3-AZ Milan region this fall.

Designed to help small and medium-sized businesses, the Public VCF as-a-Service solution makes it easy to modernise VMware deployments so that SMEs can continue to benefit from their VMware investments.

OVHcloud deepens its partnership with Nutanix with NC2. With this solution, customers can now deploy, migrate and operate Nutanix Clusters on OVHcloud’s sovereign infrastructure solutions directly from the Nutanix customer portal, and benefit from unified billing.

No significant events are to be reported.

For FY2026, OVHcloud is targeting organic revenue growth of between 5% and 7%, a higher adjusted EBITDA margin than in 2025 and capex representing between 30% and 32% of revenue.

OVHcloud is also targeting positive levered free cash flow.