OVHcloud’s position as the leading European cloud provider traces its roots to its founding in 1999 as an internet hosting company in France. Over the past twenty years, OVHcloud has expanded significantly, initially by developing its infrastructure and growing its presence within Europe, and then by diversifying its cloud offerings and expanding its operations globally.

Cloud computing means providing users with storage, computing and network resources, over the internet, on demand. Cloud resources are located in data centres that house servers and equipment used to process, store and transmit data. Users of cloud computing services can access stored data and instruct processing units to perform computing functions automatically, without the need for human interaction, minimising the computing and storage capacities needed on their devices (such as personal computers, tablets and mobile phones). Wherever they are located, so long as they have an internet connection, users are able to access IT services through the cloud.

Businesses can establish and operate their own data centres using internal IT staff, or they can outsource some or all functions to cloud service providers such as OVHcloud. For many businesses, the time and financial investment required makes proprietary cloud computing less attractive than outsourcing, which involves paying only for the resources they actually use. Additionally, it can be difficult for businesses that are not specialised in IT services to innovate at the requisite levels in order to ensure that their cloud infrastructure provides them with adequate services and protections, such as data security. Internal IT systems also might not be sufficiently scalable to meet peak-load demands (unless businesses maintain costly excess capacity).

Servers maintained in data centres can be used for multiple functions, each of which is accessed through a “virtual machine” created on the server. The virtual machines are operated and separated from one another through a software platform known as a “virtualisation stack.” Each virtual machine can have its own operating system that permits users to develop and run applications. Through a function known as a “hypervisor,” the server’s capacity is allocated to the virtual machines in accordance with the demands of users. More recently, software applications have been written to be bundled in “containers” that run directly on the operating system of the server itself, coordinated through platforms known as “orchestration” systems, which generally take less space and can provide better performance than hypervisor-based virtualisation stacks.

The ability to create multiple virtual machines in each server or to deploy container-based systems allows a cloud service provider to allocate its capacity among multiple user groups or customers in a secure manner. Service providers can dedicate a server to a single customer (a “Private Cloud” system), allocating the server’s capacity among user groups authorised by the customer. Alternatively, a server can be shared among multiple customers (a “Public Cloud” system). Private Cloud customers generally pay monthly charges for dedicated capacity, whether or not they use that capacity. Public Cloud customers generally pay for the capacity they actually use.

In order to optimise the cost of cloud services, many businesses are deploying “hybrid cloud” strategies, in which they combine on-premises or outsourced Private Cloud capacity for their most sensitive functions and data, with Public Cloud capacity for their less sensitive needs. Customers are also deploying “multi-cloud” strategies, purchasing cloud services from several providers. To meet the growing demand for hybrid cloud and multi-cloud services, a cloud provider must offer packages that allow the various solutions to function as an integrated whole.

Cloud computing encompasses a range of services that include providing access to infrastructure (Infrastructure as a Service or “IaaS”), selecting and operating platforms such as operating systems, virtualisation stacks and security systems (Platform-as-a-Service or “PaaS”), and offering applications that are developed and can function on cloud platforms (Software-as-a-Service or “SaaS”). The following graphic illustrates these features:

The cloud solutions market also includes web services targeted mainly at individuals and small and medium businesses. The Web Cloud market largely consists of web and domain hosting, including leasing servers for websites, selling secondary services (such as software packages) and domain name registration, renewal and transfer services.

OVHcloud provides two main Private Cloud offerings: Baremetal and Hosted Private Cloud.

OVHcloud’s Baremetal Cloud service provides dedicated physical servers to customers, who have full control over the server, including the choice of operating system. The Baremetal Cloud allows them to have a similar experience to the one they would have with on-premise solutions managed by their internal teams, while taking advantage of the benefits offered by outsourcing.

OVHcloud’s main Baremetal Cloud offering sells high-end servers and mid-to-high-level services. OVHcloud also has a lower priced offering marketed under the “Eco” range, with the “So You Start” and “Kimsufi” products, using refurbished servers that provide quality services at a reduced cost, while improving environmental efficiency.

Baremetal Cloud services provide business customers with high-level computing power and strict service level agreements, in a secure environment appropriate for data-sensitive applications. The server can be customised to meet customer requirements and can be operated without a need to allocate the server’s capacity to virtual machines through a hypervisor, which allows the customer to use the server’s full capacity. Any unused capacity can be deployed within minutes, although the total capacity is limited by that of the dedicated server.

Baremetal Cloud customers pay monthly fees that depend on the performance levels they select. They may also choose options (such as server customisation or data backup) for additional fees.

The main uses of Baremetal Cloud services include the computation of complex data, low latency operations, streaming, online gaming, critical business applications such as ERP and CRM.

OVHcloud offers Hosted Private Cloud services to its business customers, providing servers fully managed by OVHcloud, including the operating system and the virtualisation layer, in partnership with VMware or Nutanix offerings.

Note: 1. VM: Virtual Machine

Within its Hosted Private Cloud service, OVHcloud has two main offerings: (i) Essential and (ii) Premier.

• ▶Essential allows customers to benefit from dedicated and virtualised servers, fully managed by OVHcloud, with a 99.9% service level. Essential's customers are mainly medium-sized companies.
• ▶Premier provides high-end dedicated virtualised servers, and includes virtual storage and backup management as well as 24/7 support, with a 99.9% service level The servers are certified to host information from customers in a variety of sensitive sectors, including healthcare in France (HDS certification), Germany, the United Kingdom and Poland, and finance, including credit card payments (PCI DSS certification). Premier's customers are primarily large companies and public sector customers looking to move to a cloud service provider.

OVHcloud’s Hosted Private Cloud services provide customers with private access to servers that can be customised to meet the customer’s specific requirements. It meets the needs of customers seeking isolation and security, scalable resources and resilience.

The main usages for Hosted Private Cloud services include deployment in hybrid cloud strategies, media encoding, big data analytics and disaster recovery, as well as the storage and processing of sensitive data in key sectors such as healthcare, finance and the public sector.

OVHcloud offers Public Cloud solutions based on open source technologies such as OpenStack (a platform for deploying processing, storage and networking resources) and Kubernetes (a container orchestration platform that has become a market benchmark). The use of these standard platforms provides customers with easy data transfer capability and access to source code, facilitating reversibility and eliminating “vendor lock-in”. This feature of the OVHcloud offering is particularly attractive for customers looking to deploy multi-cloud strategies.

Public Cloud solutions provide users with virtually unlimited computing capacity, with the only constraint being the demands of other users and the total installed capacity of the cloud provider. It is possible to deploy new Public Cloud instances automatically and in seconds. Because Public Cloud service is based on shared servers, customisation options are defined by OVHcloud. Service levels are high given the flexibility of the hardware architecture.

Public Cloud customers pay usage fees for the capacity they actually use. The OVHcloud model offers much more predictability than models used by hyperscalers and many other competitors. In particular, unlike hyperscalers, OVHcloud does not charge additional fees for outgoing data transfers or API calls, except for block and archive storage, and for services located in Asia-Pacific.

The Group’s Public Cloud offering provides three core cloud computing services: computer performance, storage and network capabilities.

Customers of OVHcloud's Public Cloud solutions can choose fully scalable public cloud services on virtual machines that are hosted on shared servers and networks.

OVHcloud’s Public Cloud service is attractive for customers seeking highly scalable resources, with significant peak management demands across multiple access locations, and a high degree of resilience. This service is used for applications with high-demand bursts and services that use large volumes of data, such as video and music streaming.

OVHcloud's Public Cloud customers can also choose from a number of on-demand (SaaS) software running on OVHcloud's Public Cloud servers. In particular, OVHcloud offers its customers access to Microsoft Exchange messaging and calendar solutions, SharePoint data storage and management solutions, and the Office365 business software suite.

Note: 1. VM: Virtual Machine

OVHcloud also offers a virtual private server option, providing IT capabilities located on shared servers, but with virtual machines isolated through the use of virtual private networks.

The virtual private server option is attractive to customers seeking tailored resources, particularly for short-duration operations with volatile workloads and server demand. Virtual private server solutions are used primarily for applications testing and other one-time projects, the management of short-duration peak loads and backup functions.

As part of its growth strategy, OVHcloud is developing and implementing a comprehensive PaaS offering that it intends to overlay on its Private Cloud and Public Cloud IaaS products. In addition to developing products in-house, OVHcloud has announced several partnerships and acquisitions, in order to accelerate its development plan, which allows it to offer 81 IaaS and PaaS solutions to its customers at the end of the 2022 financial year, mainly in the following areas:

• ▶Storage. OVHcloud now offers its customers a comprehensive portfolio of storage solutions such as Object Storage S3 (High Performance and Standard), Block Storage, File Storage, Snapshot & Backup and Archive;
• ▶DataBase-as-a-Service. Data management software allows users to manage their databases to enable queries and updates. It includes programmes that execute queries on data and provide visual representation of the data in formats such as spreadsheets, enabling users to build applications faster and automate database management. OVHcloud announced a partnership in April 2021 with MongoDB, and in July 2021 with Aiven to make several types of databases available on the OVHcloud infrastructure;
• ▶AI, Machine Learning & Analytics. Artificial intelligence and analytics solutions include tools and services that support data analysis and presentation. OVHcloud is particularly advanced in high-performance computing solutions for artificial intelligence and machine learning, and intends to continue its development in this area. In April 2022, OVHcloud announced the acquisition of ForePaaS, a company specialising in the field of analytics;
• ▶Security & Encryption. OVHcloud is expanding its offering of identity access management and encryption solutions, including end-to-end encryption that secures customer data in all states. In July 2021, OVHcloud announced the acquisition of BuyDRM, a US specialist company in this area;
• ▶Application platforms. Application platforms are back-end server software solutions that provide developers with a runtime and development environment.

OVHcloud has offered Webcloud services since its founding in 1999. With its leading position in the French market and strong positions elsewhere in Europe, the Web Cloud offering provides a stable, recurring income base and regular growth.

OVHcloud offers three principal solutions to Web Cloud customers:

• ▶Web hosting and domain names. This includes the leasing of capacity on web servers, allowing customers to connect their websites to the internet, as well as domain name registration, renewal and transfers. Customers can choose basic packages offering one or only a few websites, or packages targeted at professionals and developers that wish to host multiple websites, together with email addresses and storage options. OVHcloud offers its customers additional services, such as Secure Socket Layer (SSL) certificates, which enable secure connections between a web server and a browser;
• ▶Telephony and connectivity. Customers can purchase VoIP (Voice over IP) systems enabling uses such as switchboards and interactive voice response systems. OVHcloud also offers customers internet access through ADSL and fibre networks, with basic and professional packages;
• ▶Support and services. OVHcloud offers its customers additional levels of support and service, which include a range of support, expertise and online services. Support offerings may be Business, which corresponds to the level suitable for production environments, or Enterprise, which offers a key account experience for critical production environments. Additional services are offered in the Professional Services offering, which provides access to technical support and advice during infrastructure migration or IT architecture changes.

OVHcloud’s main customers in the Web Cloud segment are small and medium-sized businesses, as well as certain individual customers and entrepreneurs. Web Cloud customers are generally seeking secure and reliable web and communications services, to establish their web presence, and to digitise business functions.

OVHcloud pursues a growth strategy adapted to its three main customer segments: (i) technology and software companies, (ii) large corporates, SMEs and public entities, as well as (iii) White-Label, resellers and private individuals.

This customer segment is historically favourable for OVHcloud. In order to extend its growth in this segment, OVHcloud has put in place an enhanced digital marketing strategy, including an improved customer experience on the Group’s websites with a customer-centric interface, focused on usage and products, a prospect relationship management programme, online support such as chatbots and training courses such as webinars or technical documentation.

In order to continue to enrich this ecosystem, OVHcloud is developing several programmes:

• ▶the Start-up programme helps start-ups grow and develop by providing them with technology credits, resources, training and advice. This programme is particularly useful for start-ups still in the idea-forming stage. The 12-month programme allows the use of up to €10,000 in technology credits and several hours of technical support. Since 2015, more than 1,800 start-ups and scale-ups from all over the world have joined the programme and the ecosystem;
• ▶the Market Place brings together innovative and trusted technology and software companies as part of a SaaS (Software-as-a-Service) marketplace hosted by OVHcloud.

OVHcloud is implementing a three-part strategy to realise growth with large corporates, SMEs, and public entities. As part of this strategy, OVHcloud is addressing the needs of these customers for transformation and support as they consider migrating to the cloud.

• ▶OVHcloud is leveraging its position as a European “trusted cloud” provider, answering security and data sovereignty needs of European companies and public sector entities handling highly sensitive or strategic data. OVHcloud does not use or sell its customers' data, which is stored in the data centres chosen by its customers. It offers the highest level of security with numerous recognised certifications, including the SecNumCloud qualification delivered by the French National Cybersecurity Agency (ANSSI), attesting to the highest level of IT security in Europe for the hosting of sensitive and strategic data in the cloud. OVHcloud has also launched the Trusted Zone Sovereign Solution, which is designed to meet the highest security standards of public sector and critical services operators. It is also one of the founding members of the Gaia-X initiative to help promote a European sovereign cloud. OVHcloud is constantly improving its offers by investing in security and encryption solutions.
• ▶OVHcloud is strengthening its marketing channels to enhance its position with large corporate customers and public entities. As part of this strategy, OVHcloud has strengthened its relationships with its network of almost 1,000 IT partners, reinforcing its position with large system integrators such as Accenture, Capgemini, Sopra Steria and Deloitte and specialised system integrators such as Neurones IT, providing OVHcloud with a strong platform to capture a broader share of the IT spending of their corporate customer base. At the same time, OVHcloud has substantially increased its direct sales force that serves the needs of its large corporate customers, as well as providing enhanced customer support and services to accompany corporate customers in their cloud migration projects.
• ▶OVHcloud has developed specific offerings for small and medium businesses. For this segment, OVHcloud is leveraging its strong relationships with IT advisors and web agencies, while offering maximum flexibility through an automated self-service channel that can be used by customers directly or through their IT advisors. OVHcloud is also enhancing its multi-location, multi-language support offering for small businesses.

OVHcloud has a long history of commercial success through web agencies that resell OVHcloud solutions, sometimes under their own brand names. For individuals in particular, significant work has been undertaken for several years to offer an optimised digital sales channel, new and improved product offerings, and improved support. This continuous improvement aims to promote the acquisition of new customers along with cross-selling opportunities to existing customers. OVHcloud is also developing a “DataCentre-as-a-Service (DCaaS)” offering for corporates to deliver high performance and data sovereignty for their “on premises” resources.

OVHcloud is the European leader in the large and rapidly growing cloud services market.

OVHcloud is one of the two main providers of Private Cloud services in Europe. According to Forrester (June 2020), OVHcloud is a leader in Hosted Private Cloud services in Europe based on its current offering, market presence, and strategy. Additionally, as a Europe-based cloud provider, OVHcloud is able to meet the requirements of European customers for data sovereignty and security.

OVHcloud has a growing presence in the Public Cloud market, which is dominated globally by the so-called “hyperscalers” (Amazon Web Services, Google Cloud Platform and Microsoft Azure). It is the only European provider of Public Cloud infrastructure services that was named a contender in the IDC MarketScape (IDC (September 2020)), based on its infrastructure offering.

As a French cloud service provider, OVHcloud is subject to European regulations across a wide number of areas, including information technology (“IT”) services, cybersecurity, online content moderation and data protection. OVHcloud may also be subject to sectoral regulatory regimes applicable to certain customers and generally applicable regulations such as contract laws and consumer protection policies.

OVHcloud is subject to European regulations aimed at strengthening cybersecurity across the European Union (the “EU”). Transposed into French law on 26 February 2018, Directive (EU) 2016/1148 of 9 July 2016, established requirements for cloud service providers with respect to security of network and information systems. According to French law(2) transposing Directive (EU) 2016/1148, cloud service providers are classified as digital service providers. As a digital service provider, OVHcloud must guarantee a level of information security adapted to the relevant risks and adopt appropriate organisational and technical measures. In the event of a security incident having a significant impact on the provision of services, a declaration must be made with the French National Cybersecurity Agency (“ANSSI”). The French Prime Minister may also open investigations upon receipt of information of a non-compliance by the digital service provider with security obligations. Fines for non-compliance with security obligations range from €50,000 to €100,000.

The ANSSI has adopted security standards for cloud service providers(3). In particular, cloud companies must set up a security policy for information relating to the service and carry out a risk assessment covering the entire service. If applicable security standards are met, the ANSSI delivers a qualification called “SecNumCloud” certifying an enhanced level of security for storage of sensitive information. In October 2022, ANSSI extended a security visa to OVHcloud for the “SecNumCloud” qualification for its Hosted Private Cloud, valid until December 2023. For the protection of critical information systems, the ANSSI recommends that operators of essential services (e.g. gas supply companies, airline carriers, health institutions, banks) use security products and services with an ANSSI security visa.

The role of the European Union Agency for Cybersecurity (the “ENISA”) was strengthened by Regulation (EU) 2019/881 of 17 April 2019 (the “Cybersecurity Act”). The ENISA is tasked with establishing and maintaining a European wide cybersecurity certification scheme applicable to cloud service providers, including a comprehensive set of rules, technical requirements, standards and procedures. In July 2020, ENISA published a proposal that would enable cloud service providers to obtain certifications across the EU attesting to the level of security of their services.

The European Commission unveiled in September 2022 its proposed Cyber ​​Resilience Act (“CRA”). This proposal fixes a series of general and organizational requirements in terms of cyber security for products containing elements digital (for example: software, hardware products, data processing). It aims to adopt a common base within the European Union to limit cyber-attacks. The  "CRA" applies differently to actors in the supply chain: manufacturers, importers or distributors. the text must still be examined by the European Parliament and then by the Council of the European Union; during this procedure, which may take up to two years, the current text will most likely be led to evolve. It is therefore still premature to comment on the potential impacts of this text on OVHcloud.

OVHcloud’s business involves the storage and transfer of substantial quantities of personal data, which must be done in manner that is consistent with the provisions of the GDPR as supplemented by applicable national data protection laws. The GDPR came into force in May 2018 and established requirements applicable to the processing of personal data by businesses established in the EU, or which offer products and services to individuals in the EU, or which monitor the behaviour of persons as far as such behaviour takes place within the EU. The GDPR places organisations under strict obligations in terms of security and reporting, strengthens the rights of individuals and increases the enforcement powers of supervisory authorities. Any action involving any information on an identified or identifiable individual will fall in the scope of the GDPR.

The GDPR distinguishes between (i) controllers, which, alone or jointly, determine the purposes and means of processing and (ii) processors, which process personal data on behalf, and under instructions, of a controller. In certain situations, multiple parties involved in the processing of personal data may qualify as joint controllers where they jointly determine the purposes and/or means of processing. While controllers are primarily responsible for the processing, processors may be directly liable to individuals and regulators for their own breaches of the GDPR or where they acted outside or contrary to lawful instructions of the controller.

OVHcloud is subject to the GDPR and national data protection laws when it processes personal data in the context of the activities of its EU establishments or otherwise conducted in the EU. OVHcloud generally qualifies as a processor when it provides services to customers, as it processes the data provided, and used, by its customers. In this case, OVHcloud’s customers then qualify as controllers, and OVHcloud acts pursuant to their instructions.

OVHcloud also qualifies as a controller when it processes its customers’ data for its own purposes, in particular for the purposes of (i) managing the customer relationship, including commercial activities, customer information and support, claims, payment and loyalty programme membership, (ii) managing the delivery of its services, including maintenance, development and system security, (iii) preventing fraud, payment default and use of its cloud services in ways that do not comply with applicable laws and regulations or the terms and conditions, (iv) complying with applicable laws and regulations, such as the obligation to archive and retain certain customer data, and (v) enforcing its rights.

A breach of the GDPR by a controller may lead to administrative fines of up to the higher of €20 million or 4% of the global annual revenue of the controller from the preceding year, while the breach of most obligations incumbent on processors is subject to a lower (but still significant) level of administrative fines of up to the higher of €10 million or 2% of the annual revenue from the preceding year. However, the breach of obligations relating to transfers of personal data outside the EU may be sanctioned by the highest level of fines regardless of whether it is committed by a controller or processor.

OVHcloud is acting as a processor whenever personal data are stored on its infrastructure on behalf of, and at the instruction of, its customers. Processors are responsible for (i) complying with their customers’ instructions, although the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, (ii) implementing technical and organisational measures that ensure a level of security appropriate to the risks inherent to the data processing, and (iii) assisting the controller with the notification of breaches and in responding to individuals’ requests.

Controllers and processors must enter into an agreement setting out mandatory provisions prescribed by Article 28 of the GDPR. That agreement must set out details of the processing to be conducted by the processor on behalf of the controller, such as the duration of the processing, its purpose, categories of data to be processed, obligations of the controller and those of the processor, including: ensuring that processing is conducted by individuals subject to a confidentiality obligation, implementing appropriate security measures and making available to the controller any and all information needed to show compliance and/or to facilitate audits and inspections authorised by the controller.

In May 2018, OVHcloud updated its general terms and conditions of service with the inclusion of a data processing agreement, which it amended in 2020. Consistent with the provisions of Article 28 of the GDPR, this data processing agreement sets forth the conditions under which OVHcloud is entitled as a processor to carry out the processing of personal data on behalf of, and on instructions from, its customers. The latest version of the general terms and conditions provides that OVHcloud customers are responsible for compensating data subjects (such as the customers’ own customers) for any breach of processing obligations, and may subsequently recover from OVHcloud any portion of the compensation for which OVHcloud is properly liable.

OVHcloud also acts as a controller whenever it determines the purposes for which, and means by which, personal data is processed. It also acts as a controller when collecting personal data on its employees. Data controlling includes activities such as management of customer relationships, support and maintenance activities, sales prospecting, accountancy or managing accounts receivable. For specific activities (including mailing, marketing analysis or surveys), OVHcloud may also rely on third-party providers acting under its instructions.

Controllers are responsible in particular for (i) implementing technical and organisational measures to protect the data, (ii) ensuring the processing of data in a lawful and transparent manner to the customers, (iii) using only processors that can provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of EU Laws(4) and, in particular, the GDPR, and (iv) notifying the supervisory authority of any breaches likely to result in a risk to the rights and freedoms of natural persons and the relevant data subjects.

Pursuant to Article 13 of the GDPR, OVHcloud’s processing activities are subject to mandatory disclosure obligations. Therefore, OVHcloud informs its customers and regularly updates the information disclosed to them on a regular basis to ensure transparency of its processing activities. In addition, OVHcloud discloses these obligations to data subjects, users and customers through its data processing agreements and several other policies, such as its cookie policy and privacy policy.

In order to ensure compliance with applicable data protection regulations, OVHcloud has implemented a personal information management system based on the ISO 27701 standard.

In addition, as a founding member of the Cloud Infrastructure Service Providers in Europe (the “CISPE”), OVHcloud participated in the drafting of a transnational code of conduct of good practices for cloud infrastructure service providers (the “CISPE Code of Conduct”) in order to ensure both compliance with GDPR and protection of customers’ personal data.

On 19 May 2021, the European Data Protection Board (the “EDPB”), an independent body of the European Union established by the GDPR and composed of representatives of the national supervisory authorities of the EU Member States and the European Data Protection Supervisor, adopted an opinion 17/2021 under Article 64 of the GDPR on the draft decision presented to the EDPB by the French supervisory authority (the “CNIL”) concerning the CISPE Code of Conduct. In the draft opinion, the European Data Protection Supervisor confirmed that it believes the CISPE Code of Conduct complies with the GDPR and fulfils the requirements set forth in Articles 40 and 41 of the GDPR. In its decision 2021-065 dated 3 June 2021, the CNIL approved the CISPE Code of Conduct.

OVHcloud is also relying on the CISPE Code of Conduct, with its certified offerings Baremetal Cloud and Hosted Private Cloud powered by VMWare, to ensure and demonstrate compliance of its IaaS activities.

As a cloud service provider operating 33 data centres worldwide in 12 locations (in France and the European Union, the United Kingdom, North America, Singapore and Australia), OVHcloud is subject to restrictions imposed on cross-border transfers, including those imposed by the GDPR.

Personal data can be transferred freely within the EU and the European Economic Area (the “EEA”), provided that such transfers meet the criteria applicable to all processing of personal data under the GDPR. For example, the controller must inform individuals of the transfer and the data must not be further processed for purposes incompatible with the initial purposes.

Transfers of personal data outside of the EEA must take place only to the extent that an adequate level of protection can be ensured, through an adequacy decision issued by the European Commission or through appropriate safeguards or based on certain derogations set forth in Article 49 of the GDPR. Appropriate safeguards include: (i) parties entering into a set of standards contractual clauses (“SCCs”) issued by the European Commission, (ii) binding corporate rules adopted by entities belonging to the same group of companies, (iii) a code of conduct approved by applicable data protection authorities, or (iv) approved certification mechanisms.

The fact that servers are located within the EEA is not sufficient to assume that no personal data is being transferred outside of the EEA. Pursuant to the EDPB’s recommendations 01/2020 of 18 June 2021 (“Recommendations 01/2020”), if personal data is technically accessible from a country outside the EEA, such personal data is deemed transferred to that third country under the GDPR. In that case, an adequate level of protection must be ensured in the same manner as if servers were located outside of the EEA. OVHcloud therefore limits such processing and handles such transfers accordingly.

In order to carry out processing operations, and unless otherwise stipulated in the general terms of service, only European and Canadian entities of OVHcloud can process the data stored by European customers in the data centres located in the EU. On 20 December 2001, the European Commission issued an adequacy decision declaring that Canadian law offers an adequate level of protection for personal data transferred from the European Union to recipients subject to the Canadian Personal Information Protection and Electronic Documents Acts (“PIPEDA”), which is the case for OVHcloud’s Canadian entities. As a result, these processing activities performed remotely by Canadian entities do not require additional safeguards.

Further to its decision to leave the EU, the United Kingdom entered into a Trade and Cooperation Agreement with the EU on 24 December 2020, allowing personal data to continue to flow freely between them for a transitional period of up to 6 months, during which the European Commission would examine the possibility of granting the United Kingdom a decision recognising that it has an adequate level of data protection, which would allow data to permanently flow freely from the EU to the United Kingdom. On 28 June 2021, the European Commission adopted the adequacy decision on the GDPR recognising a level of data protection substantially equivalent to the level guaranteed by the European legislation and allowing the free flow of personal data from the EU to the UK for a period of four years.

While the United States has not been recognised as offering an adequate level of personal data protection by the European Commission so as to enable the free transfer of personal data to the United States from the EU, the European Commission decided in July 2000 that US companies that agreed to comply with the principles of the so-called “EU-US Safe Harbour” scheme were allowed to freely import data from the EU. On 6 October 2015, the EU-US Safe Harbour system was invalidated by the Court of Justice of the European Union (the “CJEU”) in its Maximilian Schrems v. Data Protection Commissioner (“Schrems I”) ruling due to the access granted to US public authorities (including law enforcement authorities) to the content of electronic communications.

In July 2016, the European Commission and the United States adopted another scheme called the “EU-US Privacy Shield” as a successor to the EU-US Safe Harbour. On 16 July 2020, the CJEU issued its decision in the Data Protection Commissioner v. Facebook Ireland and Schrems (“Schrems II”) case, which invalidated the EU-US Privacy Shield for transfers of personal data from the EU to entities certified under this mechanism in the United States of America (the “United States”). As in Schrems I, US surveillance laws were deemed by the CJEU to provide US authorities with access to personal data in a manner not compliant with the guarantees of the GDPR and the EU Charter of Fundamental Rights.

In Schrems II, the CJEU upheld SCCs as a valid safeguard for cross-border data transfers, but imposed stricter requirements. Parties must ensure that (i) the surveillance and data monitoring laws of the country to which personal data is transferred enable them to perform the obligations set out in the SCCs or (ii) additional safeguards are added to such SCCs to that effect. On 4 June 2021, the European Commission issued new SCCs for international transfers. The new SCCs reflect the requirements under the GDPR and take into account the Schrems II ruling. While the new SCCs can serve as a valid safeguard for cross-border data transfers, responsible parties must still carry out an examination of the legislation and practice of the third country where data is transferred and additional supplementary measures may be necessary. On 18 June 2021, the EDPB adopted the final version of its Recommendations 01/2020 setting out possible additional safeguards that companies may use to supplement SCCs to transfer personal data to a country where the law or practice are not sufficient to guarantee an “essentially equivalent” level of data protection to that of the EU, which is the case for the United States. Recommendations 01/2020 indicate that no such supplementary measure could be envisioned for transferring personal data to cloud services that are not encrypted or pseudonymised. This may cause significant obstacles for cloud service providers that transfer data in a non-encrypted or non-pseudonymised form to certain countries, including to the United States.

OVHcloud's non-US entities do not transfer their customers’ data to the United States. The data centres located in the United States do not host any of the services provided by OVHcloud's non-US entities. Additionally, OVHcloud’s US entities do not participate in the services provided by OVHcloud’s non-US entities. As a result, the invalidation of the “EU-US Privacy Shield” should have no impact on such services.

Finally, OVHcloud follows developments relating to to the negotiations on Privacy Shield 2 between the European Commission and the United States following the signature by the President Biden of an Executive Order on October 7, 2022 aimed at responding the shortcomings raised by the Court of Justice of the Union European in its judgment of July 16, 2020 called "Schrems II" which leads to the cancellation of the Privacy Shield as well as the projects of legislative developments in the United Kingdom and India.

Regulation (EU) 2018/1807 of 14 November 2018 (“Free Flow of Non-Personal Data Regulation”) aims to ensure the free flow of non-personal data between EU Member States (the “Member States”) and IT systems in the EU. Non-personal data is either (i) data not linked to identified or identifiable individuals, or (ii) anonymised personal data. This regulation enables the storage and processing of non-personal data anywhere in the EU, prohibits data localisation and ensures the availability of data for regulatory control.

The Free Flow of Non-Personal Data Regulation also provides that the European Commission must encourage the development of self-regulatory codes of conduct to facilitate portability between service providers. To that end, OVHcloud participated in the drafting of two voluntary codes of conduct on switching cloud service providers and data portability through the working group on switching cloud providers and data porting (“SWIPO”). Published in July 2020, the Codes of Conduct for Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) provide guidance for cloud service providers and customers on switching cloud provider and porting non-personal data. The adoption of such codes of conduct aim at reducing the risks of vendor lock-in (i.e., situations where customers are dependent on a particular provider due to significant switching costs) by cloud service providers. They also provide guidance for customers on the transfer of non-personal data.

As a hosting service provider, OVHcloud has to comply with a number of laws on content moderation, including those moderating terrorist content, child sexual abuse material, hate speech and the infringement of intellectual property rights. 

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a single market for services and amending Directive 2000/31/EC (“Regulation on digital services”) entered into force on November 18, 2022. This new framework aims to harmonize the rules applicable in the different Member States of the Union European Union and replaces the one adopted in 2000 with regard to liability of intermediaries with regard to illegal content while maintaining the fundamental principles of freedom of expression and freedom to provide services. The regulation also establishes new obligations of diligence and transparency for hosting services such as that OVHcloud, both vis-à-vis the authorities and users, by particular on the processing of reports of illegal content. He also increases the level of penalties that can be imposed in the event of breach of the obligations established by the regulations, with fines of up to 6% of the turnover intermediary service provider’s annual global business report. A certain number of measures are applicable on a deferred basis over the next two years and involve the adoption of texts at the national level. OVHcloud will carefully monitor their publication in order to comply with its obligations.

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (“Digital Markets Regulation”) aims to make the digital sector fairer and more competitive, by introducing preventive measures for large companies as access controllers on the market European. In particular, the regulation provides for several obligations and prohibitions against online platforms in a position of access controllers and strengthens the powers of sanction of the European Commission, which will be assisted by a committee advisory committee and a high-level group. So, for example, the access controllers must allow users to easily uninstall pre-installed software on their devices and easily unsubscribe from an essential platform service such as a cloud service. Access controllers will no longer be able to impose software such as internet browsers or default search engines, reuse personal data of a user for the purpose of targeted advertising without their consent explicit.

Applicable from 2 May 2023, the companies concerned must report to the European Commission and put themselves in compliance no later than March 2024. The legislation gives the Commission the exclusive power to monitor compliance with their obligations, and new sanctions, including a fine up to 10% of total worldwide turnover made by the company during the previous financial year.

The adoption of this new legislation is a positive step to regulate the practices of the dominant digital players on the European market, but its effectiveness will depend on the means that the European Commission will devote to the service of compliance with it. OVHcloud will pay particular attention to the details expected on the staff who will be dedicated to the control of obligations of access controllers

OVHcloud entities are telecommunications operators in four (4) Member States: Belgium, France, Germany and Spain. OVHcloud is subject to specific obligations when providing telecommunication services. Because the EU and its Member States have been regulating the telecommunications sector for many years, there are a variety of different implementing measures, guidelines and authorities across the EU. OVHcloud entities are also telecommunications operators in the United Kingdom and Switzerland, which have their own telecommunications regulations. The United Kingdom has also implemented the requirements of the European Electronic Communications Code into its national regulatory framework prior to Brexit.

The Directive (EU) 2018/1972 of 11 December 2018 established the European Electronic Communications Code. Although this directive has not yet been transposed in all Member States where OVHcloud acts as an operator, several other directives applicable in the telecommunications sectors, such as Directives 2002/19/EC, 2002/20/EC, 2002/21/EC and 2002/22/EC of the European Parliament and of the Council, have been substantially amended. Directive 2018/1972 was transposed into French law in May 2021(5). The key objective of this European Electronic Communications Code is to create a comprehensive set of updated rules to regulate electronic communications and protect EU citizens when they communicate through traditional or web-based services, encourage competition between telecommunication operators, and ensure that national regulatory authorities are protected against external intervention or political pressure.

As a cloud service provider, OVHcloud is subject to obligations when providing services to organisations in the health sector. For example, French law requires health data hosting providers (i.e., any person hosting personal health data collected in the course of prevention, diagnosis, care or social and medical monitoring activities on behalf of natural or legal persons having produced or collected such data or on behalf of the patients themselves) to comply with specific obligations. Such obligations include receiving proper certification or receiving prior approval from public authorities as per the French Public Health Code, and entering into an agreement with customers in the health sector, setting out mandatory provisions prescribed by L. 1111-8 of the French Public Health Code. OVHcloud is also subject to the requirements of other jurisdictions in which it operates, such as Italy, Poland, Germany and the United Kingdom.

In 2016, OVHcloud benefited from the “health data host” accreditation and, since 2018, it has operated a management system that allows several of its cloud offerings to comply with the requirements of this accreditation. In 2019, OVHcloud obtained the French HDS (hébergeur de données de santé – health data host) certification for its Hosted Private Cloud offering. In 2020, this certification was extended to OVHcloud’s dedicated servers, and it was extended to OVHcloud’s Public Cloud offering and Trusted Exchange in 2021.

Companies in the financial sector (including credit institutions and investment firms) may also be subject to industry specific obligations that may reflect on OVHcloud in the context of the provision of its services. In particular, in 2019, the European Banking Authority (“EBA”) issued “Recommendations on outsourcing to cloud service providers” applicable to outsourcing arrangements. These recommendations create obligations with respect to security of information systems and audit rights for the benefit of the outsourcing banks, which they must impose on their cloud service providers when using their services. OVHcloud aims to offer contractual conditions applicable to financial service operators that ensure that customers are able to implement an outsourcing policy which is compliant with the EBA’s recommendations and with local European regulations.

Financial service operators may also require OVHcloud to comply with specific national regulations. For instance, OVHcloud may have to comply with French regulations such as of the French Prudential Supervision and Resolution Authority (“ACPR”) on essential outsourced services such as banking operations. Companies outsourcing essential services must ensure that service providers guarantee the protection of confidential information, implement back-up mechanisms in the event of significant difficulties affecting service continuity and provide the ACPR, in carrying out its missions, with access to essential outsourced information. With respect to internal procedures for managing information system security, the American Institute of Certified Public Accountants (“AICPA”) delivered SOC I-II type 2 certifications to OVHcloud.

With respect to bank data hosting and the reduction of card fraud, OVHcloud’s premier Hosted Private Cloud is compliant with the Payment Card Industry Data Security Standard (“PCI DSS”). OVHcloud’s data centres in France, Canada, the United Kingdom, Germany and Poland comply with PCI-DSS.

On 27 November 2022, the European Commission adopted a Regulation on Digital Operational Resilience for the Financial Sector (“DORA”). This regulation follows a proposal by the 2020 European Commission imposes a number of requirements on cloud outsourcing arrangements in the financial sector. The proposed regulation covers a broad range of regulated financial entities, including credit institutions (such as banks), central securities depositaries, insurance companies and certain fund managers, among other entities. It imposes a number of risk management requirements on these financial entities relating to information and communications technology, some of which apply directly to outsourced cloud activities.

In particular, financial sector entities covered by the proposed regulation are required to take a number of steps to address risks in their relationships with third parties, such as cloud service providers, including ensuring that their cloud services contracts provide a full description of the services provided with qualitative and quantitative performance targets, and include provisions governing integrity, security, protection of personal data, recovery in case of failure, rights of inspection and audit, and termination provisions with clear exit strategies. The proposed regulation contemplates the approval of standardised contractual terms by the European Commission.

In addition, the regulation imposes a new oversight framework on critical third-party service providers (including cloud service providers), subjecting them to individual oversight plans adopted by European financial regulatory bodies responsible for supervision of banks, securities markets or insurance companies, depending on which such sector primarily uses the services of the relevant provider. The determination of which services are critical depends on their potential systemic impact, the dependence of financial entities on them for critical functions and the availability of alternatives. The oversight plan can impose requirements in areas such as security and quality, contractual terms, and subcontracting, with financial penalties imposed in case of non-compliance, up to 1% of global revenue of the service provider in the most recent year. The oversight bodies have broad inspection and auditing rights and investigative powers. The adopted regulation also prohibits financial entities from using a service provider from a country outside the EU for critical cloud functions.

Many of OVHcloud’s data centres are located in former industrial buildings, some of which are classified as presenting environmental or other risks under applicable French legislation. OVHcloud’s data centres outside of France may also be classified as presenting environmental risks under local regulations. In order to comply with the applicable regulations, OVHcloud is sometimes required to submit applications and receive authorisations to operate. In connection with the application process, OVHcloud may be required to take certain remedial measures.

Additionally, operations permits are required in most countries where OVHcloud operates its data centres. The regulations primarily concern air emissions, industrial waste management, water and effluent management, fire risk management and noise management.

The simplified organisational chart below shows the legal organisation of the Company and its consolidated subsidiaries as of the date of this Universal Registration Document. The percentages indicated below represent the percentages of share capital. There was no significant change in the capital ownership since end of august 2022.

Risk management is closely monitored by Group management. The main mission of risk management is to identify, evaluate and prioritise (based on potential impact and probability of occurrence) risks, as well as to assist Group management in choosing the most appropriate risk management strategy and, in order to limit the remaining significant risks, to define and monitor the related action plans.

CSR risks are covered in Appendix II “Statement of Non-Financial Performance” (“Déclaration de Performance Extra-Financière” of this Universal Registration Document.

The Group has developed a risk map in order to prevent the major risks relating to its activity, with the support of an external consultant specialising in these subjects. The risk mapping process, which was initiated in 2020, has made it possible to identify the main risks to which the Group is exposed and to assess their potential impact, taking into account their criticality, i.e. their potential severity and probability of occurrence.

The process of risk mapping involves the management of all Group activities and functions to a large extent, enabling the targets and challenges of all stakeholders to be taken into account. The exercise consists in particular of identifying the most significant risks for the Group, grouped into different families (strategy and markets, operational, human resources, financial, regulatory and legal, information systems). A description of the risks and their causes is provided, and for each of these risks, the probability of occurrence, their potential impact on the Group, and their current level of control are assessed. Following the assessment of the control of these risks, action plans are defined.

Progress in implementing the action plans is the responsibility of the Company’s Executive Committee, which reviews them every two months. Risk mapping and action plans are presented to the Company’s Audit Committee twice a year.

Insurance policies are generally taken out by the Company, on its own behalf and on behalf of its subsidiaries, through a broker mandated to negotiate with the main insurance companies to set up or renew the most appropriate guarantees for risk coverage requirements. Insurance companies are selected on the basis of criteria such as the amount of premiums, the scope of coverage offered, the ability to set up integrated programmes such as master policies, the duration of the commitment, their availability to insure the risks in question in the light of all their other commitments in the segment and market in question, and the ability to offer qualitative support in order to better understand risk management.

OVHcloud adapts its insurance coverage according to the evolution of risks related to its usual activities.

Coverage is normally renewed annually, except for certain one-time contracts taken out for one-time projects covering a specific period. The insurance contracts expiring on 6 and 15 October 2021 and 1 January 2022 have been renewed. The insurance contracts maturing at the end of August/beginning of September 2022 have been extended to cover identical guarantees or reassessed as necessary, until 31 December 2022 in order to harmonise the maturities of all insurance contracts. At the time of publication of this document, OVHcloud has obtained an agreement in principle on the renewal of the insurance policies that expire on 31 December 2022.

Below is a summary of the main insurance policies taken out by OVHcloud. OVHcloud prefers to take out “master” policies in order to pool coverage within the Group. For regulatory or factual reasons, such as the size of a subsidiary, OVHcloud also uses local or “standalone” policies taken out directly by its subsidiaries.

The Group also has insurance policies covering the liability of executives (“D&O” policy), risks relating to office facilities, its car fleet, and the travel of its employees using their own vehicle for business and occasional trips, professional assignments, construction work, installation of equipment or fittings in its data centres or offices or the transport of goods (mainly technological and IT equipment). The Group has numerous comprehensive home insurance policies covering rented homes made available to staff during occasional business trips to the head office, as well as the medical office of doctors also working on behalf of OVHcloud. Through its subsidiaries, the Group also has a number of insurance policies covering property damage, civil and employer’s liability and compensation for employees, offices and international data centres.

OVHcloud’s property and casualty insurance policy is based on the principle of “all risks except” covering all non-excluded material damages. The Company has taken out this policy which applies to certain subsidiaries in France, Germany, Belgium and the United Kingdom.

This contract was renewed on 1 September 2021 with AXA, as leading insurer with 35% of the risk shares and seven co-insurers sharing 65% of the remaining risk and according to the conditions of a prevention plan established and extended under the same guarantees until 31 December 2022.At the time of publication of this document, OVHcloud has obtained an agreement in principle on the renewal of the insurance policies that expire on 31 December 2022.

This insurance policy covers, in particular, direct material damage to insured property of accidental origin, including buildings, furniture, equipment and/or rental risks, miscellaneous costs and losses resulting from the covered material damage, financial consequences of civil liability following a fire, an explosion, water damage, attacks and acts of terrorism in France as well as the costs of resumption of activity following the material damage covered and the experts' fees following material damage.

The maximum compensation due for all losses covered (including direct damage, business recovery costs, all coverages, including costs and losses and liabilities) amounts to €140 million per claim. Coverage limits and sub-limits are applicable depending on the nature of the damage suffered or the category of property insured. The deductible for all damages amounts to €3 million. In the absence of the installation of automatic protection in accordance with AXA’s recommendations, this deductible is increased to €15 million for the Roubaix, Gravelines and Strasbourg sites, €6 million for the Croix site and an additional €10 million deductible for the Erith (United Kingdom) and Limburg (Germany) sites, taking the deductible to €13 million, as well as €3 million for the Paris 19th site taking the deductible to €6 million. These deductibles will be reduced to €3 million on completion of an investment programme agreed with the insurers and according to their recommendations, the amount of which is already included in the capital budget for the coming years (see Section 1.4.5 “Medium-term targets” of this Universal Registration Document). In addition, at the Roubaix, Gravelines, Strasbourg and Croix sites, the Company must maintain in place three specific complementary fire prevention measures (security guards, fire permits and means of intervention in charge on the premises), failing which the deductible would increase by 100% in the event of a claim. An additional contractual provision to terminate the insurance policy was given to the insurer at the renewal on 1 September 2021. The right of cancellation is conditional on the failure to implement a number of personnel and organisational recommendations or the placing of orders relating to the implementation of complete protection on the Roubaix, Strasbourg, Gravelines, Croix, Erith and Limburg sites, in accordance with the insurer’s recommendations and according to a procedure including the insurer for validating these projects, prior to 31 December 2021. All human and organisational recommendations were carried out successively on 31 December 2021 and 30 April 2022. On 30 April 2022, AXA confirmed that OVHcloud had fulfilled its contractual obligations in terms of risk prevention in accordance with its recommendations, and the early termination option was therefore cancelled.

The exclusions are in line with market standards and include, in particular, late payment penalties, fines, penalties and other criminal sanctions, loss of business and customers, operating losses and damage resulting from epidemics, pandemics or epizootics, as well as costs and losses, operating losses and damage resulting from administrative measures, sanitary measures, total or partial closure or withdrawal of administrative authorisation, impossibility, restriction or difficulty of access.

The amount of the insurance contract premium for the insurance period from 1 September 2022 to 31 December 2022 will be prorated and subject to the increase in insured capital due to the integration of new data centres in the policy.

Operational risk management is the responsibility of the Ethics and Compliance and Data Protection Departments, which report to the Legal Department, as well as the Quality, Health, Environment and Information Systems Security Departments, which report to the Operations Department.

The Group pays strict attention to the compliance of its procedures and employee practices with applicable regulations. The Group has thus deployed ethics and anti-corruption codes with associated training. In addition, the Group raises awareness among its employees of whistleblowing issues, in particular as part of the measures put in place in accordance with the law of 9 December 2016 on transparency, the fight against corruption and influence peddling and the modernisation of economic life (the so-called “Sapin II” law). A platform accessible at all times has been set up on which employees can declare any observed act violating the Group’s ethical code: “ROGER” (Respect OVHcloud Guidelines and Ethical Rules).

Under the supervision of its Data Protection Officer (DPO), the Group implements a rigorous personal data protection policy. A policy for the use of personal data has been established which describes precisely the processing that OVHcloud may be required to carry out on data concerning customers, suppliers and partners, as well as the conditions of their implementation.

In the context of the processing operations covered by the personal data use policy, OVHcloud complies, in its capacity as data controller, with the regulations in force, in particular with the GDPR, as well as with any regulations of the Member States of the European Union that may apply to said processing operations, in particular French law No.78-17 of 6 January 1978 relating to data processing, files and freedoms, as amended.

In this respect, OVHcloud undertakes in particular to:

• ▶only collect personal data that are necessary for the above-mentioned purposes;
• ▶implement processes to ensure the accuracy and updating of data used in the context of the said processing, as well as their deletion when they are no longer useful for the purposes pursued;
• ▶not to process personal data in its possession for purposes other than those mentioned in this policy, unless it obtains the consent of the data subjects, or informs them in advance about processing on legal grounds other than consent;
• ▶document the processing operations carried out in a register and carry out all the necessary impact analyses prior to their implementation;
• ▶implement an incident and data breach management process, and in the event of a breach, notify the protection authority under the conditions of Article 33 of the GDPR, and inform the data subjects, in accordance with Article 34 of the GDPR when the breach is likely to result in a high risk to rights and freedoms; as well as
• ▶implement technical and organisational measures to protect personal data against security risks, as defined in OVHcloud’s information systems security policy.

Information security is the subject of a programme and commitments developed within the OVHcloud Information Systems Security Policy (“ISSP”). This policy puts forward the following principles of application:

• ▶deployment a large-scale, industrial approach to security;
• ▶positioning OVHcloud as a trusted player in the ecosystem;
• ▶operating a secure cloud for all;
• ▶implementation of security management systems (ISMS) and privacy management systems (PIMS);
• ▶risk-based approach to safety;
• ▶demonstration of security through certification, internal control and external audit;
• ▶unified response to security incidents and personal data breaches;
• ▶integration of security and privacy issues into product development; and
• ▶safety assessment and implementation of continuous improvement.

The Information Systems Security Policy (“ISSP”), under the responsibility of the Chief Information Systems Officer (“CISO”), is reviewed by the Executive Committee, which verifies that its content is consistent with the Group’s strategic targets. It is revised once a year. The ISSP applies to all Group companies, employees, suppliers, service providers, subcontractors and users of the information system, regardless of their status.

Under the responsibility of the Chief Information Systems Officer (“CISO”), the OVHcloud security team is itself composed of three teams:

• ▶Tool security, in charge of developing and operating the tools supporting the security policy;
• ▶Operations security, responsible for ensuring the implementation of good security practices within operations and the implementation of formal security management processes, supporting the integration of security tools and the alignment of security arrangements within the Company; and
• ▶Security.cert, in charge of monitoring threat sources, identifying cyber attack tools and methods to anticipate them, and managing security incidents.

OVHcloud ensures that employees are aware of the challenges of IT security and, more specifically, of cybersecurity. To this end, the Group regularly conducts cyber attack simulation campaigns (phishing) designed on the basis of sophisticated scenarios. The latest campaigns have shown very good results with a 91% success rate.

Through its Health and Safety policy, OVHcloud oversees the implementation of measures to offer safe and healthy workspaces for all its employees and stakeholders, its sites and its products. The Group’s industrial risk management policy is based on two axes: (i) prevention through audits carried out by external bodies at each of the sites, which result in reports with both human and material recommendations, and (ii) protection through the development of risk reduction plans, incorporating short- and medium-term investments as well as organisational or management actions.

Finally, the Company’s Audit Committee plays a role in risk management and internal control. It ensures the relevance, reliability and implementation of the Company’s internal control, identification, hedging and risk management procedures relating to its activities and financial and non-financial accounting information. The Group’s risk mapping and the action plans implemented are reported twice a year by the Group’s Chief Financial Officer.

OVHcloud's business model is detailed in the introduction to this Universal Registration Document.

During the 2022 financial year, OVHcloud undertook work to structure its CSR approach. With nearly 2,800 employees and a global industrial and commercial footprint, the Group is fully aware of its responsibility in a world where data has a major impact on private, social and professional lives and with regard to economic, geopolitical, ethical and environmental aspects. They impact the relationships between people and their use reflects a vision of the world and the type of society in which everyone wants to live. Driven by its ambition: “leading the data revolution for a responsible future”, OVHcloud’s mission is to build an open and trusted cloud, enabling businesses and society to make the most of the data revolution while minimising its environmental impacts.

This vision and the associated mission are reflected in a CSR policy, which is closely integrated into the Group’s strategy. This policy is based on three pillars of commitment, each of which in turn breaks down into three areas of action:

• ▶Guaranteeing data sovereignty and freedom

OVHcloud is at the heart of the digital revolution, which opens the way to a multitude of opportunities in applications and technology. In this context, the Group offers its customers cloud solutions covering all their uses – supporting them in their digital transformation, enabling them to innovate by building “cloud native” applications or helping them leverage the power of data. In fulfilling this mission, the Group offers its customers the freedom to build their most ambitious projects, in a secure, compliant and sustainable cloud environment, according to three areas of action:

• •Defending data sovereignty, security and privacy;
• •Guaranteeing freedom of choice and reversibility;
• •Offering predictable and transparent pricing.

• ▶Pioneering sustainable cloud

At the forefront of sustainable cloud, OVHcloud has integrated sustainability at the heart of its business model since its creation, aiming to minimise its environmental impact at every stage. OVHcloud’s environmental action is structured around three axes:

• •Placing innovation at the heart of its industrial model;
• •Contributing to global Net Zero by 2030;
• •Raising awareness among stakeholders of all the impacts of the cloud, in order to initiate a collective approach to reducing the environmental footprint.

• ▶Driving collective progress of the cloud for the benefit of society

At OVHcloud, everything starts with people. The men and women make up the Company's wealth: it is the talents that ensure its success. "Working together” is one of the Group's fundamental values. This collective aspect is extended to its ecosystem, and in the desire to enable the entire European cloud segment to progress. This third pillar of commitment is broken down into three courses of action:

• •Attracting and developing talents in a collective adventure within a diverse and inclusive company;
• •Collaborating and developing coalitions with stakeholders in the European cloud ecosystem;
• •Promoting local anchoring and societal commitment by working on digital inclusion.

To manage its corporate social responsibility (CSR) ambitions, OVHcloud has set up a dedicated governance, closely associated with the management of the Group’s overall strategy.

The Board of Directors strives to promote the Company’s long-term value creation by considering the social and environmental challenges of its activities. In connection with the strategy defined, it regularly examines the opportunities and risks such as the financial, legal, operational, social and environmental risks as well as the measures taken as a result. The medium-term Corporate Social Responsibility priorities and targets were approved by the Board of Directors in 2022. They are monitored by building on the work of its committees.

Established after the Group’s IPO in 2021, the Strategy and CSR Committee has the task of preparing the work and facilitating the decision-making process of the Board of Directors on strategic and CSR issues. In terms of CSR, it is notably responsible for:

• ▶ensuring that matters relating to social and environmental responsibility (such as diversity and non-discrimination policies and compliance and ethics policies) are taken into account in the Group’s strategy and in its implementation;
• ▶reviewing the Statement of Non-Financial Performance on social and environmental matter provided for in Article L. 22-10-36 of the French Commercial Code;
• ▶examining the opinions expressed by investors, analysts and other third parties and, if applicable, the potential action plan drawn up by the Company to improve the points raised on social and environmental matters; and
• ▶reviewing and assessing the relevance of the Group’s social and environmental commitments and strategic directions on social and environmental matters, in light of the challenges specific to its activity and targets, and following their implementation.

The Audit Committee ensures the effectiveness of the operational risk monitoring and internal control system, including CSR risks, as well as the review and monitoring of the systems and procedures in place to ensure the dissemination and the application of policies and rules of best practice in terms of ethics, competition, fraud and corruption and, more generally, compliance with regulations in force.

Lastly, the Nomination, Remuneration and Governance Committee is responsible, among other duties, for the annual review of the Board of Directors’ diversity policy as well as monitoring the gender parity rate, age and diversity of skills.

The role and work of the Board of Directors and its committees are presented in Sections 4.1.5 and 4.1.6 of this Universal Registration Document.

The Strategy and CSR Department, which reports to the Chief Executive Officer, is responsible for the implementation of the Group’s major strategic orientations, which it helps to define, as well as for the development and coordination of the CSR policy, with aim of engaging the Company in a process of continuous improvement, of enhancing its commitments and of measuring the effects of the CSR programme. The Chief Strategy and CSR Officer, who is a member of the Executive Committee, regularly reports to it on the progress of the CSR programme, its main initiatives and their updates.

The CSR programme commitments are drawn up and monitored by the CSR Steering Committee. Chaired by the Chief Strategy and CSR Officer, it is composed of a central CSR team and representatives of the operational departments involved in the implementation of the CSR action plan. The committee meets weekly to define, monitor and adjust CSR action plans.

OVHcloud developed a Group risk mapping in 2020, which was reviewed and updated in 2022 (see Chapter 2 of this Universal Registration Document for a description of Group's risk factors), and built its first materiality matrix in 2022.

In 2022, OVHcloud built its first materiality matrix by interviewing its external and internal stakeholders, in order to determine the Group's most material CSR issues, i.e. those that have or could have an impact on the Group’s ability to create or protect financial and non-financial value for itself and its stakeholders.

This exercise was carried out in four stages: identification of potential CSR issues, confrontation of these issues with external and internal stakeholders, consolidation of the results and the main lessons learned from the analysis of these results.

OVHcloud has defined a list of 24 potential CSR issues, subdivided into three categories: environment, business conduct and social/societal.

OVHcloud confronted this list of potential issues with its internal and external stakeholders during interviews, conducted in particular with its customers, suppliers, investors, representatives of its ecosystem (associations, NGOs, partners, etc.) as well as the Group's directors and managers, including the Executive Committee, in order to collect their point of view and expectations regarding each of the issues. The interviews were conducted by OVHcloud teams, with the exception of investors, who were consulted through a perception study carried out by an external service provider. OVHcloud also consulted its employees (excluding the Executive Committee and other managers) through an online survey.

An interview guide has been drawn up to guide the various interviews. This guide was used as the basis for the online survey tool.

The central question concerned the rating of the issues according to the level of expectation for each of them, according to the following grid:

• ▶0: no expectation. OVHcloud does not have to commit particularly to this issue;
• ▶1: limited. Issue for which OVHcloud can implement some actions, without integrating them into its strategy;
• ▶2: important. OVHcloud should adopt a policy, targets and an action plan concerning this issue;
• ▶3: priority. This issue must be a major strategic priority for OVHcloud.

A total of 231 people were consulted, including:

• ▶Management (shown on the horizontal axis of the matrix)
  • •Chairman of the Board of Directors
  • •18 management representatives including the Chief Executive Officer and the entire Executive Committee as well as the main regional managers
• ▶Stakeholders (represented on the vertical axis of the matrix)
  • •34 representatives of external stakeholders: customers, suppliers, public authorities, investors, members of the OVHcloud ecosystem (associations, partners, NGOs, etc.)
  • •178 employees surveyed

The voice of the public authorities was expressed by the person responsible for public affairs at OVHcloud.

For investors, the rating was carried out by transposing the 2022 “ESG Investors” perception study carried out by an external service provider to a similar rating grid and a slightly more restricted list of issues.

The analysis of quantitative and qualitative data was carried out with the support of a CSR consulting firm, according to the following methodology:

• Consolidation of results: For internal and external stakeholders, the average rating of the issues was established on the basis of an equal weighting of the results within each stakeholder category, then between the categories. For management, the ratings assigned by the Chairman and the Chief Executive Officer were overweighted compared to the responses of management representatives;
• Formalisation of the matrix: The ratings thus obtained made it possible to place each issue on the horizontal axis (average allocated by management) and on the vertical axis (average allocated by internal and external stakeholders);
• Analysis of the results: the key lessons are drawn from the compilation and analysis (correlations, dispersions, ranking of issues, comparison according to stakeholders) of the results.

* For the detailed wording of the issues, see the table in the section on identifying the issues on page 60.

• ▶Internal and external stakeholders are globally aligned with the most material issues, particularly those related to the Group’s core business, a sign of a good understanding between OVHcloud and its ecosystem. These are issues relating to data sovereignty, low-carbon trajectory, efficient energy management, cybersecurity and data protection, environmental display and carbon transparency, and securing strategic supplies.
• ▶Three major issues stand out in particular, consistent with the Group’s vision and strategic orientations:
  • •Data sovereignty
  • •Low-carbon trajectory
  • •Efficient energy management
• ▶On the important issues, an alignment is also noted on more generic but fundamental issues for the Company's operation: responsible supply chain, eco-design, business ethics, responsible water management, attraction and retention of talents, reliability and customer trust, health, safety at work and employee well-being, diversity and inclusion, innovation and R&D for Green IT.
• ▶Regarding the deviations (which remain limited), we note that while management places particular importance to the attraction of talent and customer trust, stakeholders have strong expectations concerning the continuity of service – in terms of cybersecurity and resilience to climate change – as well as environmental display.
• ▶OVHcloud is clearly recognised for the issues relative to the differentiation of its offering, linked to its value proposition: price transparency, eco-design, a responsible approach to resource management and, above all, data sovereignty. Nevertheless, expectations are very high on these issues, which rank among the most material.
• ▶When asked about the issues for which OVHcloud has room for progress, stakeholders were generally less vocal than management. The most frequently mentioned issues were: cybersecurity and data protection, environmental display, diversity and inclusion, attraction and retention of talents and contribution to the digital transition and digital accessibility.

Leading European cloud services provider, OVHcloud is at the heart of the digital revolution, which opens the way to a multitude of opportunities in terms of applications and technology. In this context, the Group offers its customers cloud solutions covering all their uses – supporting them in their digital transformation, enabling them to innovate by building “cloud native” applications or helping them leverage the power of data. In fulfilling this mission, the Group offers its clients the freedom to build their most ambitious projects, in a secure, compliant and sustainable cloud environment. For OVHcloud, everyone must be able to keep control of their data and be guaranteed that they are secure. Free choice and openness in terms of services and innovation are the foundation of the relationship of trust established with its customers and partners. This also involves a range of services offering the best price-performance ratio and transparent and predictable rates.

OVHcloud’s activities focus on the computing capacity, storage, processing and transfer of its customers’ data, including personal data, as well as business-critical data. The sovereignty, security and confidentiality of data form the basis of the Group’s value proposition and the foundation of the relationship of trust that unites it with its customers. OVHcloud ensures the highest level of data protection. This level of excellence is supported by an effective data governance system. The Group is also campaigning for a European cloud, guaranteeing the technological independence of Europe and the sovereignty of its data.

In order to guarantee the protection of the data entrusted to it, OVHcloud deploys all necessary means in terms of cybersecurity and physical protection of its sites. The Group has obtained numerous national (SecNumCloud by ANSSI, Agid, G-Cloud, C5) and international (ISO 27001, ISO 27791, PCI DSS, SOC 2) certifications and certifications specific to certain segments (HDS for health, finance), which meet the highest French, European and international standards in terms of data protection.

In addition, OVHcloud has internal procedures in terms of information systems security and constantly raises its employees’ awareness of the risk of computer attacks, in particular by carrying out cyber attack simulations. The Group organises up to three campaigns per week, built from sophisticated scenarios inspired by real cases, tested on randomly targeted populations. Several indicators are observed, including the percentage of employees tested, the reporting rate and the compromise rate (percentage of employees on whom the phishing worked) and conversely, the success rate of simulation campaigns. It is the latter indicator that constitutes the benchmark performance indicator. In 2022, the success rate of simulated cyber attack campaigns was 89%, at the same level as FY2021.

As the cloud relies on physical infrastructures, data security also involves securing OVHcloud’s sites, with particular attention paid to its datacenters, which house the servers on which the data is stored or transits. These sites are particularly important to ensure the continuity of customers’ business. OVHcloud therefore implements a multitude of actions to protect its sites, including:

• ▶security and 24/7 surveillance;
• ▶an anti-intrusion system;
• ▶strict access control;
• ▶regular contact with the authorities.

On the night of 9 to 10 March 2021, a fire broke out in one of the four OVHcloud data centres in Strasbourg, France. The incident is detailed in Chapter 2, “Risk factors” of this Universal Registration Document. To date, the investigation to determine the cause of the incident is still ongoing, the mission of forensic experts having been extended until 30 August 2023.

Following the fire, OVHcloud set up a Hyper Resilience plan, aimed, among other things, at taking safety standards beyond regulatory standards and insurers’ recommendations.

The inauguration of the new data centre in Strasbourg, SBG5, in September 2022, made it possible to show the first concrete results of the Hyper Resilience plan. The result of a €30 million investment launched in April 2021, the site is the first in a new generation of hyper-resilient and more sustainable data centres. Covering an area of 1,700 m2, SBG5 has a total of 19 isolated rooms with masonry that compartmentalises the different segments in order to provide two hours of fire resistance.

Press release: https://corporate.ovhcloud.com/en/newsroom/news/sbg5-opening/

In accordance with its commitments, the Group will launch a new data centre dedicated to raw data backups (snapshots) and remote from service operating sites. Deployed initially for French customers, the Group plans to roll out this service more generally in order to extend it to all its solutions and locations.

European legislation protects the personal data of European citizens and requires that restrictions on this protection respect the principle of proportionality and operate within the limits of what is strictly necessary.

Any restriction must be accompanied by clear and precise rules circumscribing its scope and application as well as minimum requirements, so that individuals have sufficient guarantees to effectively protect their data against the risk of misuse.

Certain foreign laws, and mainly US law, contain extraterritorial provisions that could undermine the protection of personal data (see Section 2.1.2.5 of this Universal Registration Document).

It is in this context that the Court of Justice of the European Union, through the Schrems I (2015) and Schrems II (2020) rulings, twice cancelled the “Safe Harbor” and “Privacy Shield” adequacy decisions between the European Union and the US.

The awareness of European cloud customers of the challenges related to digital sovereignty represents a strong opportunity for European cloud players, foremost among them OVHcloud.

A growing number of European companies are looking for alternatives to American hyperscalers and other cloud providers based in the United States in order to protect their data, and in particular personal data, from the risk of interference by American intelligence agencies.

In order to prevent this risk, OVHcloud has developed sovereign cloud offers, allowing these customers to host their data in the territory of the European Union, without any transfer of personal data to a third country and protected from the effects of legislation of countries outside the European Union.

Data sovereignty refers to the ability of a public or private organisation to maintain control of its data and the data entrusted to it by its customers. Depending on the organisations concerned, this issue intersects two needs.

• ▶On the one hand, the need to control the organisation's strategic data (trade secrets, raw data on the functioning of its activity, intellectual property, data on its research projects, etc.).
• ▶On the other hand, to protect the personal data of employees or customers and thus restore the trust of people in the digital services that will process the data concerning them.

Technological sovereignty refers to the ability of a country such as France or an area such as the European Union to master the technologies that are strategic to them and thus guarantee their autonomy. This dimension specifically questions the public policies put in place in France or by the European Union to control (or regain control) of the strategic components of its sovereignty, from end to end. The hardware part (electronic components, ability to manufacture servers in the EU), and also the software part (operating systems, software in the fields of cybersecurity, artificial intelligence and quantum computing) then need to be taken into account

The ethical treatment of data, which has always been at the heart of OVHcloud’s business model, is formalised by four commitments:

In order to carry out these various projects and commitments, OVHcloud has set up several bodies enabling federated data governance:

• ▶The Data Governance Committee brings together the data managers who implement the processes and practices guaranteeing federated governance.
• ▶The Data Coordination Committee guarantees strict control of the quality of the data and its consistency by reinforcing our ISO 27001 and ISO 27701 standards.

OVHcloud defends a European open cloud model, which guarantees the protection of the data of European citizens and organisations and which ensures Europe’s digital sovereignty and strategic independence.

As such, OVHcloud participated in the creation of Gaia-X, a European initiative launched in 2020 whose objective is to build a federated, open, secure and transparent digital ecosystem. It aims to enable users to benefit from cloud services that meet their needs both technically and legally and offer them appropriate guarantees, in particular in terms of data protection, interoperability, security or immunity to extraterritorial laws.

OVHcloud intends to fully assume its role as a European cloud leader and is campaigning for the development of a European cloud provider ecosystem. This is reflected in educational actions such as:

• ▶The creation of content (videos, articles, etc.) and presentations to explain the issues raised by data processing and the importance, for organisations, of ensuring control of their most sensitive data;
• ▶The organisation, throughout the French Presidency of the Council of the European Union, of a tour of Europe around digital sovereignty. This “Roadshow” resulted in the participation in the international conference “Building Europe’s digital sovereignty”, organised on 7 and 8 February 2022 by the French government and the organisation of five round tables in Germany, Poland, Spain, Estonia and Italy on this topic. It led to the publication of the “Rome Consensus”, a pragmatic roadmap to ensure the digital sovereignty of the European Union and the development of a European ecosystem of digital champions.

This European cloud model necessarily implies a European vision of personal data protection, which can only be addressed at the level of the ecosystem, both European and national. In this respect, the Group took part in the founding of the CISPE (Cloud Infrastructure Service Providers in Europe), which established a charter of best practices aimed at guaranteeing the highest level of personal data protection. OVHcloud also created the “Open Trusted Cloud” label, which currently has 75 active members (compared to 60 in 2021). This label certifies that their solutions are open and comply with European standards in terms of personal data protection, and allows them to be hosted by OVHcloud.

OVHcloud is also a founding member of the European Alliance for Industrial Data, Edge, and Cloud, an initiative launched by the European Commission and which brings together nearly 50 European industrial players mobilised to strengthen Europe’s ability to develop its own cloud and edge technology, taking into account the challenges of sovereignty and sustainable development

Building on these commitments, the Group supports legislative projects and initiatives that can support European digital sovereignty and the establishment of a level playing field for the cloud market in Europe such as the Digital Markets Act (DMA), the Data Act, the development of a European cybersecurity scheme for the certification of cloud services, known as EUCS.

At the forefront of the sustainable cloud, OVHcloud has integrated sustainability at the heart of its business model since its creation by developing industrial innovations to limit its environmental impact. The Group has set itself ambitious targets that structure its action.

• ▶contribute to global Net Zero (scopes 1 and 2) by 2025, by following a reduction trajectory compatible with a warming of 1.5°C, i.e. balancing carbon emissions and offsetting actions on both direct emissions (scope 1) and certain indirect emissions (scope 2);
• ▶contribute to global Net Zero by 2030, by following a reduction trajectory compatible with a warming of 1.5°C, i.e. balancing carbon emissions and offsetting actions across all scopes 1, 2 and 3;
• ▶use 100% low-carbon energy by 2025*;
• ▶zero waste to landfill from production centres by 2025.

(*) Revised in 2022, replacing the target of 100% renewable energies in 2025, given the current energy mix which already favours the use of low-carbon energy such as nuclear (France) and hydroelectricity (Quebec).

OVHcloud’s environmental action is structured around three pillars:

• ▶innovation, at the heart of its industrial model;
• ▶the contribution to achieving global Net Zero by 2030;
• ▶communication and awareness-raising on all the impacts of the cloud, in order to guide consumption choices.

At OVHcloud, everything starts with people. The men and women make up the Company's wealth: it is the talents that ensure its success. “Working together” is one of the Group's fundamental values. This collective aspect is extended to its ecosystem, and in the desire to enable the entire European cloud segment to progress. Aware of its impact, and its responsibility, OVHcloud intends to make digital technology a driver for socio-economic development.

In a context of shortage and competition for talent in the IT field, attracting and developing new skills is a strategic priority for OVHcloud.

During the 2022 financial year, the Group succeeded in meeting its growth ambitions with the recruitment of 661 people, i.e. 18% more than the previous financial year, which itself was up by 15% compared to FY2020. To support this change, the Group has strengthened its recruitment teams in order to have increased capacity for local action, in the regions where tensions are the highest, and by business line.

In addition to recruitment, talent retention is a second key issue, in order to capitalise on knowledge and enable the overall skills development of the teams. The benchmark performance indicator for monitoring is the loyalty rate, which measures the rate of employees present in the Group one year after their arrival. This rate increased by two points in 2022 to 79%. The Group also monitors the rate of voluntary departures, which measures the rate of staff turnover. In 2022, this rate amounted to 14.6%, an annual increase of 3.6 points, mainly reflecting a normalisation after the health crisis. This level, in line with the target of maintaining a voluntary departure rate of 15% or less, remains in line with the levels observed in the IT industry. The average length of service for voluntary departures in FY2022 was 3.6 years compared to 3 years in FY2021.

Lastly, OVHcloud regularly measures the level of engagement of its employees based on the results of internal surveys conducted each year via a survey software (Peakon). The engagement score for the 2022 financial year was 7.5, up 20 basis points compared to the previous year. The participation rate for the last survey conducted in FY2022 was 84%, also testifying to the level of employee engagement. The employee engagement score is a key performance indicator that is included in the annual variable compensation of executive corporate officers and members of the Executive Committee in 2022 (up to 15%).

OVHcloud is distinguished by its flagship commitments, in favour of data sovereignty in particular, and by a strong corporate culture, supported by common values that guide each of the Group’s actions:

• ▶Trust: it commits OVHcloud to its ecosystem and enables its employees to express their talent;
• ▶Working together: OVHcloud is deeply convinced that individual success only serves collective success and that the whole is greater than the sum of its parts. The collective dimension is essential for exploring and building the cloud of tomorrow. For this, each person is important and contributes at their own level;
• ▶Passion: The passion for technology and adventure is essential at OVHcloud. It promotes innovation and surpassing oneself;
• ▶Disruption: OVHcloud is constantly seeking to simplify its processes and organisations in order to be more efficient and reduce costs. Thinking differently is encouraged by the Group to create ever more value for customers and the ecosystem;
• ▶Responsibility: OVHcloud takes its responsibilities seriously. The Group is aware that each innovation can be positive or negative depending on the use made of it.

The OVHcloud employer brand is the core of its employee value proposition and aims to attract and retain talent.

The OVHcloud employer brand is built around five pillars that echo the Group’s values:

• “With us, everything starts with people”: people are at the heart of the Group’s DNA, which is why OVHcloud has developed services and benefits to improve the quality of life at work for all. From concierge services to company daycare, from contracted remote working to collaborative spaces, everything is done to ensure that everyone finds their place, at their own pace and in accordance with their values.
• “A community of experts with ideas full of tech”: an OVHcloud expert is one who has acquired cutting-edge skills while maintaining the desire to explore, break new ground and innovate. OVHcloud recruits passionate and exciting people who want to do and share.
• “Growing and fulfilling”: moving in step with technology and thinking outside the box, is what characterises OVHcloud. Change position or profession, there is no ready-made trajectory at OVHCloud. The aim is to offer everyone the opportunity to take an interest in a new field, to extend their skills and think about their new expertise through the prism of their experience.
• “Building the world of tomorrow together”: designing the cloud of tomorrow is a question of disruption. And for this, OVHcloud relies on the collaboration of all. To move forward every day and change the rules of the game, the Group relies on its strengths: a dynamic ecosystem, open and transparent exchanges.
• “A team where innovation is king and trust reigns”: listening to everyone to help everyone evolve and build the OVHcloud of tomorrow.

The new Career site, the first version of which was uploaded in 2022 and a new version is planned for 2023, has made it possible to showcase and promote the OVHcloud employer brand. During the 2022 financial year, the Group took part in more than 50 employer brand events as well as school events and employment forums.

Aware of the importance of cultivating its human capital, OVHcloud trained 73% of its workforce in 2022 (i.e. 2,035 people) and thus exceeded its target of training at least 70% of its employees. In addition to obligations, the Group invests in training around three areas:

• ▶Operational excellence by developing skills in the various project management methods in order to optimise its execution efficiency and deploy business agility (project management, crisis management, etc.). More than 100 people are trained on average each year in operational excellence.
• ▶A programme for managers, co-developed with EDHEC, on leadership, finance and communication, and with a four-day support programme for all first-time managers.
• ▶Technical training to develop OVHcloud solutions and strengthen the expertise of its employees with the possibility of certifying their skills. More than 10% of people trained were certified in 2022.

In order to welcome new employees, OVHcloud has also introduced a systematic induction week during which they have the opportunity to discover the Group in all its dimensions. It obtained a satisfaction rate of 4.56/5.0.

Number of work-related accidents per million hours worked

Safety at work is a central priority for OVHcloud and is a key performance indicator of the CSR policy. During the 2022 financial year, the number of accidents with and without lost time decreased, as did the corresponding frequency rates. In order to promote the prevention of health and safety risks, the Group has defined a policy based on three key targets:

• ▶Minimising work-related accidents;
• ▶Complying with legal Health, Safety and Environment requirements and other requirements applicable in all countries;
• ▶Implementing all satisfactory measures to protect the health and physical integrity of the Group’s employees, customers and local communities and protecting the environment.

The measures for implementing this policy are based on the following guiding principles:

• ▶Involving the entire management line in the commitment of its Health, Risk Prevention and Environment policy;
• ▶Empowering all employees to maintain a healthy and safe workplace;
• ▶Developing a culture of professionalism, rigour and respect for the rules to all employees;
• ▶Ensuring the deployment of the “Be Smart, Be Safe!” Health and Safety Programme”.

In order to strengthen the safety culture within the Group, internal awareness-raising events are organised such as “World Safety Week” which is held each year at all OVHcloud sites, to which all employees and permanent contract employees are invited. In 2022, it was held from 13 to 17 June on the theme “The ten golden rules of safety”. OVHcloud has defined ten golden rules in terms of safety as part of its #StaySafe approach. This approach is a mindset to be adopted in order to identify and avoid dangers. It follows four steps:

• ▶Investigate the work environment and identify hazards;
• ▶Analyse the consequences of hazards and anticipate the necessary individual and/or collective protection measures;
• ▶Increase reliability by implementing prevention measures with the help of the health and safety department, contractors or managers;
• ▶Carry out the work once all the safety conditions have been met.

The ten golden rules deal with:

• ▶work permits
• ▶shared vigilance and co-activity
• ▶working environment
• ▶fire prevention and evacuation
• ▶pedestrian traffic
• ▶machine circulation
• ▶personal and collective protective equipment
• ▶work at height
• ▶energy and consignment
• ▶gestures and postures

OVHcloud is committed to employee health and invests in prevention. Since 2016, the Roubaix site has had a dedicated medical centre bringing together various health professionals (osteopath, dietitian, physiotherapist, optician, etc.) available to employees. Awareness-raising conferences led by health specialists and open to all employees are regularly organised on various subjects. For example, as part of “Pink October”, the breast cancer prevention month, a breast and cervical cancer awareness conference was offered.

The Group also implements various actions:

• ▶medical teleconsultation with Qare in France and Dialogue in Canada;
• ▶actions to promote regular sports activities (sports halls, activities for coaches, support for sports assessments);
• ▶psychological, social and legal assistance with Qualisocial.

In order to promote quality of life at work, OVHcloud is committed to parenting. For example, the Group supports parents in their search for crèches and leisure centres: OVHcloud has had a company crèche in Roubaix for ten years and has forged a national partnership with Babilou(9). OVHcloud has also developed a parenthood kit aimed, in particular, for the employees concerned, to prepare for maternity or paternity leave, and for all teams, to support and manage the announcement of a pregnancy in the company. The Group offered five parenting workshops to its employees in 2022.

Several awards have recognised the Group’s efforts in France this year:

• ▶The Oras(10) club “Trophée Compensations & Benefits” for its employee well-being programme;
• ▶The 7th best High-Tech employer in France according to Capital magazine;
• ▶The gold award at the “Victoires des leaders du capital human” (Human Capital Leadership Awards) on the theme of quality of life at work;
• ▶The HappyIndex®Trainees & HappyIndex®Trainees Alternance 2021-2022 label, which rewards companies taking care of their interns and work-study students, received for the second consecutive year.

Internationally, OVHcloud’s quality of life at work policy was also recognised in Poland, where the Group received the “Wellbeing Leader Certificate” from the Polish Institute of Well-Being. In Germany, OVHcloud won the Top Company 2022 Kununu award.

Convinced that everyone has a role to play in meeting the major societal challenges of our time, OVHcloud wishes to support its employees in their life journey, so that everyone can flourish in a caring environment. With this in mind, the Group is committed to combating all forms of discrimination and to offering a working environment that respects differences and allows everyone to fully express their talents. OVHcloud has structured a diversity and inclusion policy in 2022 that it intends to strengthen during the 2023 financial year. An internal charter is relayed via its intranet and available to all Group employees.

• ▶Diversity and collective intelligence are key drivers for innovation and achieving excellence. The internationalisation of the teams is one component. In 2022, more than 60 nationalities were represented within the Group.
• ▶The proportion of women in teams, which is a major issue for the Tech businesses, is a key priority and a performance indicator for the Group’s CSR policy. A Gender Equality action plan is drawn up and reviewed regularly with employee representatives in France. This plan addresses the issues of recruitment, professional development, compensation and work-life balance. In recent years, the proportion of women in the Group’s workforce has steadily increased. In 2022, the proportion of women in the total headcount increased by one point to reach 21%. The proportion of women in management improved by two points to 20%. Concerning the Executive Committee, the rate for the 2022 financial year reflects a temporary situation at 31 August (transitional vacancy period for one of the functions). From September 2022, the rate rose to 31% (four women represented on a 13-member Executive Committee).
• ▶Facilitating access to employment for people with disabilities is a second important area of initiatives to promote diversity and inclusion. Among the actions implemented, the Group called on ergonomists to adapt and arrange workstations for people with disabilities, allocates service employment vouchers worth €350 per year to workers with disabilities and publishes its job offers on the AGEFIPH website(11). To measure its level of progress compared to the requirements of the RGAA digital accessibility decree(12), OVHcloud carried out audits on two commercial sites and two production sites.

• ▶Several events to raise awareness of internal teams on diversity and inclusion issues were organised during the year. In particular, in June 2022, a diversity week was organised. This was an opportunity to raise awareness on topics such as the inclusion of LGBTQIA + people(13) and to remind all employees that OVHcloud guarantees the right to respect for the sexual orientations and identities of its employees and equal access to the rights and benefits granted by the Company in the context of marital status and parenthood. Awareness-raising sessions on women's rights are also organised, the first of which honoured by Anastasia Mikova in March 2022.

OVHcloud carried out an audit in 2022 with Gloria, a company specialising in the challenges of diversity and inclusion in the company, in terms of its communication and practices, including recruitment, in order to detect any bias or discriminatory practices. This approach was accompanied by training on diversity in general, with a focus on unconscious bias for recruiters. The Group aims to extend this programme to all managers.

OVHcloud attaches great importance to social dialogue, a guarantee of involvement and collective performance, and maintains high-quality relationships with its employees and their representatives.

In France, employee representation is organised in an economic and social unit (unité économique et sociale). A Social and Economic Committee (comité social et économique – SEC) was elected in 2019, currently composed of 24 elected members (incumbent and alternates combined). In addition, local representatives have been appointed at sites that do not have an elected representative on the SEC. There is no designated trade union organisation in France. An Enterprise Consultative Commission (ECC) is also in place in Tunisia.

With regard to employee representation in management bodies, two directors representing employees were appointed to the Board of Directors in 2022, as announced at the time of the IPO on 15 October 2021.

For OVHcloud, “working together” also means associating employees as much as possible in the Company’s results. On the occasion of its IPO on Euronext Paris on 15 October 2021, the Group set up its first collective employee shareholding plan, open to more than 2,000 employees in France and abroad. 97.8% of eligible employees on this date became shareholders of OVHcloud (77.6% having invested voluntarily). In 2021, the Group was awarded the Grand Prix FAS(14), which showcases companies developing best practices in employee shareholding. In 2022, 0.6% of the share capital was held by employees through the FCPE mutual fund.

In France, a mandatory profit-sharing agreement (accord de participation) applies at the level of the social and economic unit which provides for the distribution between eligible employees of a share of the profit of such companies parties to the social and economic unit, calculated based on the statutory formula. The distribution is made on a pro rata basis according to the time of presence during the period.

A new incentive agreement was signed with the trade Social and Economic Committee in 2022 applicable until 2024. It concerns all employees at the global level (with the exception of interns, temporary workers and service providers) with at least three months of seniority. The performance indicators used to calculate the share of profits attributable to eligible employees include, as in the previous plan, indicators relating to adjusted EBITDA and revenue growth, to which the same CSR criteria as those used for the executive corporate officers and the Executive Committee are added (see Section 4.2.2.2 of this Universal Registration Document for more details).

In France, there are within the social and economic unit:

• ▶a Group Savings Plan (plan d’épargne groupe), which allows eligible employees to invest their savings, including payments under the profit-sharing agreement and the global incentive plan, in diversified investment funds and to benefit from certain social and tax advantages in exchange of a lock-up period of generally five years;
• ▶a Time Savings Account (Compte Épargne-Temps – CET), which allows eligible employees to save unused rest days (certain holidays, RTT, etc.) or part of their 13th month converted into days. They can then take these days at any time, ask to be paid for them or transfer them to another scheme to prepare their retirement;
• ▶a Group Retirement Savings Plan (Plan d'Épargne Retraite Collectif – PERCO) which allows eligible employees to invest the payments under the profit-sharing agreement and the global incentive plan in diversified investment funds in view of their retirement. This scheme allows employees to benefit from certain social and tax advantages as consideration for a lock-up period until retirement. It is also a way for employees to prepare for their retirement by making voluntary payments or by transferring days from their CET to the PERCO (up to 10 days per year). This transfer is then matched by their employer.

The Taxonomy Regulation is a key element of the European Commission’s action plan aimed at redirecting capital flows towards a more sustainable economy. It represents an important step towards achieving carbon neutrality by 2050, in line with the EU’s objectives, as the taxonomy is a classification system for environmentally sustainable economic activities.

The section below presents, as a non-financial parent company, the share of the Group’s income, capital expenditure (Capex) and operating expenses (Opex) for the 2022 financial year, associated with economic activities eligible for the taxonomy and linked to the first two environmental targets (mitigation of climate change and adaptation to climate change), in accordance with Article 8 of the Taxonomy Regulation and Article 10 (2) of the Delegated Act supplementing Article 8 of the Taxonomy Regulation.

On the basis of the analyses carried out, a significant portion of the Group's activities is eligible for the Taxonomy under Activity 8.1. – Data processing, hosting and related activities described in Appendix I of the Delegated Act on the climate change mitigation target.

The eligible shares of the three financial indicators required by the text – income, Capex and Opex – are presented below on the basis of consolidated IFRS data for the financial year ended 31 August 2022.

As eligibility is solely based on the description of the activities and does not take into account the criteria of substantial contribution, the fact of “not causing significant harm” or the minimum social guarantees, the indicators aligned with the European Taxonomy that will be presented in 2023 may be lower than the eligible indicators presented in this section.

The term “economic activity eligible for the taxonomy” refers to any economic activity described in the delegated acts supplementing the Taxonomy Regulation (currently the Delegated Act relating to the climate aspect of the taxonomy), whether or not it meets some or all of the technical review criteria set out in these delegated acts.

The Group’s eligible economic activities have been analysed on the basis of OVHcloud’s service offerings (as detailed in Chapter 1 of this Universal Registration Document) and have been assigned to the following economic activities, in accordance with Appendices I and II of the Delegated Act relating to the climate aspect of the taxonomy. The table below indicates for which environmental target the activities are considered eligible:

A significant portion of the Group’s activities is considered eligible under Activity 8.1. – Data processing, hosting and related activities of the climate change mitigation target. Offerings based mainly on services for the provision of storage capacity (“hosting”) meet the description of this activity. The offerings thus considered eligible are the following:

• ▶Private Cloud offerings (Baremetal cloud and Hosted Private Cloud) in their entirety, corresponding to offers for the provision of either dedicated physical servers or cloud capacities running on dedicated physical servers (see Section 1.3.1.1 of this Universal Registration Document for more details on the solutions proposed by the Group);
• ▶Public Cloud offerings in their entirety (see Section 1.3.1.2 of this Universal Registration Document for more details on the solutions offered by the Group). The PaaS and SaaS solutions offered by OVHcloud and hosted directly on the Group’s infrastructures are considered eligible insofar as OVHcloud has control over the physical equipment and can act on its energy efficiency;
• ▶“Web Cloud & Other” offerings only for the “Web hosting” and “Services” part, corresponding to the hosting of customer websites on the Group’s physical servers and the assistance necessary for the proper functioning of the equipment and compliance with the Group’s commitments under all of its offerings (see Section 1.3.1.3 of this Universal Registration Document for more details on the solutions proposed by the Group). Offerings or solutions relating to domain names, telephony and connectivity are not considered eligible to date because they are not directly related to the physical servers.

In general, all the solutions offered by the OVHcloud Group, hosted directly on physical servers belonging to the Group or directly controlled by the Group, were deemed eligible for the European Taxonomy under Activity 8.1. of the climate change mitigation target.

OVHcloud is also developing certain solutions (such as a carbon calculator, which will allow customers to estimate the carbon footprint associated with the use of some of the OVHcloud products), which could be eligible under Activity 8.2. – Data-driven solutions for GHG emission reductions. As the income and Capex related to these solutions were not material during the financial year, this activity was not taken into account in the 2022 indicators but could be in the future.

The scope considered for the estimation of the three indicators is the Group consolidated scope as defined in Note 5.5. of the 2022 consolidated financial statements presented in Chapter 5 of this Universal Registration Document.

The share of economic activities eligible for taxonomy in OVHcloud's consolidated income was obtained by dividing the share of income generated by the sale of services associated with economic activities eligible for the taxonomy (numerator) by the net income (denominator), in each case for the financial year from 1 September 2021 to 31 August 2022.

The denominator of the income indicator is based on OVHcloud's consolidated income (€788m in fiscal year 2022), in accordance with IAS 1.82 (a) (see Note 4.3. to the 2022 annual consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

The numerator of the indicator is defined as the share of the net income generated by services associated with the economic activities eligible for the taxonomy, as described above in the paragraph “Determination of the economic activities of the OVHcloud Group eligible for the European Taxonomy” in this section. This share was estimated on the basis of OVHcloud Group management reports including the level of detail necessary for direct reading.

The Capex indicator is calculated by dividing the Capex eligible for taxonomy (numerator) by the total Capex (denominator).

The Capex denominator (€472m in fiscal year 2022) includes acquisitions of property, plant and equipment and intangible assets made during the financial year, before amortisation and before any remeasurement, including remeasurements resulting from revaluations and impairments, excluding changes in fair value. It includes acquisitions of property, plant and equipment (IAS 16), intangible assets (IAS 38), right-of-use assets (IFRS 16) and investment properties (IAS 40), as well as additions resulting from business combinations (see Notes 4.10, 4.11 and 4.23 to the 2022 annual consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

The numerator consists solely of Capex related to assets or processes essential to the performance of the economic activities eligible for the taxonomy, which represent almost all of the Capex for the financial year. As Capex is not currently monitored by service offering in the Group’s reports, a detailed analysis by type of asset was carried out which led to the following Capex being considered essential for the execution of eligible economic activities:

• ▶All Capex (acquisitions of fixed assets or increases in IFRS 16 rights of use) relating to infrastructures (hardware) and their operation (fibre, network, IP addresses, components, maintenance);
• ▶A portion of capitalised R&D costs estimated as follows:
  • •100% of capitalised R&D costs relating to infrastructure efficiency improvement projects (equipment or software),
  • •A portion of capitalised R&D costs relating to software developments that are used across all Group activities. This share is based on the share of income eligible for taxonomy;
• ▶All changes in scope impacting intangible assets and property, plant and equipment and relating to the acquisition of ForePaaS, reinforcing the eligible offers of OVHcloud under Activity 8.1.;
• ▶A portion of the Capex relating to offices estimated according to the portion of eligible income.

The indicator relating to Opex is calculated by dividing the Opex eligible for taxonomy (numerator) by the total Opex (denominator).

Total Opex as defined by the Taxonomy are non-capitalised costs related to research and development, building renovation measures, short-term leases, maintenance and repairs, and all other direct expenses related to the daily use of property, plant and equipment.

Thus, total Opex as defined by the Taxonomy represents approximately 8% of the Group’s total Opex (€809 million), corresponding to the sum of personnel expenses, operating expenses, depreciation and amortisation and other non-recurring operating expenses.

Given that the OVHcloud Group’s Opex are not currently monitored in the IT systems by service offering, we used allocation keys to identify the share of economic activities eligible for the taxonomy in our Opex:

• ▶Maintenance and repair costs as well as expenses related to non-capitalised leases were allocated on the basis of the eligible income share.

R&D costs were allocated in proportion to the allocation of capitalised R&D costs.

The Statement of Non-Financial Performance for 2022, presented in this Universal Registration Document, endeavours to produce the most relevant non-financial information for the Group with regard to its business model, its activities, its major challenges from the materiality matrix and the Group’s main risks. Thus, OVHcloud focused on the issues and risks identified as priorities and excluded the following topics from its scope of analysis:

• ▶Combatting food waste;
• ▶Combatting food insecurity;
• ▶Respect for animal welfare;
• ▶Respect for responsible, fair and sustainable food.

OVHcloud measures the Group’s progress in terms of CSR in the following three areas: Environment, Business Conduct, Social and Societal. Thirteen indicators, presented in the table below, were selected and audited by the independent third party.

A fourteenth indicator: the rate of signature of the supplier code of conduct, falling under the Business Conduct category, was presented in the summary table of indicators (Introduction – Materiality analysis and CSR risk assessment) and in the paragraph on suppliers (Section 3.3.2.2 of this Universal Registration Document). It was subject to a qualitative review and will be included in the list of performance indicators for the Statement of Non-Financial Performance for financial year 2023.

Each indicator is described in this methodological note, specifying:

• ▶The method of calculating the indicator;
• ▶The data production process.

A summary table presenting the indicators and their values for the 2020, 2021 and 2022 financial years can be found in the introductory chapter of the Statement of Non-Financial Performance in the “Materiality analysis and assessment of CSR risks” section.

For the period ended 31 August 2022

To the Annual General Meeting,

In our capacity as statutory auditor of your company (hereinafter “entity”), designated as an independent third party or OTI (“third party”), accredited by COFRAC under number 3-1884(20), we carried out work aimed at formulating a reasoned opinion expressing a conclusion of moderate assurance on the historical information (recorded or extrapolated) of the consolidated Statement of Non-Financial Performance, prepared in accordance with the entity’s procedures (hereinafter the “Guidelines”), for the financial year ended 31 August 2022 (hereinafter the “Information” and the “Statement” respectively), presented in the Group’s management report pursuant to the provisions of Articles L. 225-102-1, R. 225-105 and R. 225-105-1 of the French Commercial Code.

Based on the procedures we have implemented, as described in the “Nature and scope of our work” section, and the information we have collected, we have not identified any material misstatements that would call into question the fact that the Statement complies with the applicable regulatory provisions and that the Information, taken as a whole, is presented fairly in accordance with the Guidelines.

Since the admission of the Company’s shares to trading on the Euronext Paris regulated market in October 2021, the Company has referred to and complies with the Corporate Governance Code for Listed Companies drawn up by the French Association of Private Companies (the “AFEP”) and the Mouvement des entreprises de France (the “MEDEF”) in its version updated in January 2020 (the “AFEP-MEDEF Code”), except for the Article 11.3 recommendation for the reasons detailed below.

The AFEP-MEDEF Code with which the Company complies may be consulted online at http://www.medef.com or http://www.afep.com. The Company permanently maintains copies of such code that may be reviewed by the members of its corporate bodies.

Since the publication of the 2021 Universal Registration Document, there has been no change in the composition of the Board of Directors and its committees except for the appointment of two directors representing employees appointed to the Board on 5 April 2022.

As of the date of this Universal Registration Document, the Company has a Board of Directors composed of eleven (11) members, a majority of whom are independent directors and two (2) non-voting members:

• ▶Four (4) directors appointed on the proposal of the Klaba family:
  • •Mr. Octave Klaba (Chairman of the Board of Directors),
  • •Mr. Miroslaw Klaba,
  • •Mr. Henryk Klaba, and
  • •Mr. Michel Paulin (Chief Executive Officer).
• ▶Five (5) independent directors:
  • •Mr. Bernard Gault (lead director),
  • •Ms. Isabelle Tribotté,
  • •Ms. Corinne Fornara,
  • •Ms. Diana Einterz, and
  • •Ms. Sophie Stabile.
• ▶Two (2) directors representing employees:
  • •Ms. Pauline Wauquier,
  • •Mr. Hugues Bodin.
• ▶Two (2) non-voting members:
  • •Mr. Karim Saddi
  • •Mr. Jean-Pierre Saad.

The table below shows the composition of the Board of Directors at the date of this Universal Registration Document:

The General Shareholders’ Meeting of the Company of 14 October 2021 decided to modify the term of office of directors to allow staggered renewal, subject to the condition precedent of the admission of the shares to trading on the Euronext Paris regulated market. Accordingly, the term of office of directors has been modified as follows:

• ▶Miroslaw Klaba: one year, i.e. until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended on 31 August 2022;
• ▶Isabelle Tribotté: one year, i.e. until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended on 31 August 2022;
• ▶Henryk Klaba: two years, i.e. until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended on 31 August 2023;
• ▶Sophie Stabile: two years, i.e. until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended on 31 August 2023;
• ▶Corinne Fornara: three years, i.e. until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended on 31 August 2024;
• ▶Bernard Gault: three years, i.e. until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended on 31 August 2024; and
• ▶Diana Einterz: three years, i.e. until the end of the Ordinary General Meeting called to approve the financial statements for the financial year ended on 31 August 2024;

The terms of office of Michel Paulin and Octave Klaba remain unchanged.

In addition, two directors representing employees were appointed on 13 April 2022, in accordance with Article 13.3 of the Company’s bylaws and Article L. 225-27-1 of the French Commercial Code, and one of them, Hugues Bodin joined the Appointments, Compensation and Governance Committee on 27 October 2022 as a member.

The Board of Directors is also composed of two (2) non-voting members, whose profiles are presented below. Messrs. Karim Saddi and Jean-Pierre Saad were appointed as non-voting members of the Board of Directors on 18 October 2021 and the decision was ratified by the General Meeting of 15 February 2022. Non-voting directors will not be remunerated. Non-voting directors will participate in the work of the Board of Directors without having a right to vote and will not, at this stage, benefit from any specific missions.

The summary of the components of the compensation of the executive corporate officers, Mr. Octave Klaba and Mr. Michel Paulin, paid during or awarded in respect of the 2022 financial year, as well as the 2023 compensation policy, submitted to the vote of the shareholders at the Combined General Meeting of 16 February 2023, are presented in Section 4.2.2.2.

Total compensation paid during the 2022 financial year or awarded in respect of the same financial year to the Chairman of the Board of Directors and the Chief Executive Officer, directors and other non-corporate officers, both by the Company and by controlled companies within the meaning of Article L. 233-16 of the French Commercial Code, is detailed below. It is recalled that the Board of Directors of OVH Groupe, at its meeting of 15 December 2022, confirmed that the AFEP-MEDEF Code is the one to which the Company refers, in particular concerning the compensation of executive corporate officers. This Universal Registration Document and in particular the tables in Section 4.2.2.2 (share subscription and/or purchase options, free shares, performance shares), have been prepared in accordance with the format recommended by the AFEP-MEDEF Code and AMF recommendation 2012-02.

The principles and criteria for determining, distributing and awarding the fixed, variable and exceptional components of the total compensation and benefits of any kind attributable to the executive corporate officers (1) by virtue of their office constituting the compensation policy concerning them are approved by the Board of Directors on the recommendations of the Appointments, Compensation and Governance Committee, and are subject to shareholder approval (“ex-ante vote on the compensation policy”) at the General Shareholders’ Meeting in accordance with Article L. 225-37-2 of the French Commercial Code.

In addition, pursuant to Article L. 22-10-34 of the French Commercial Code, the General Shareholders’ Meeting rules on: (i) the fixed, variable and exceptional components of the total compensation and (ii) the benefits of any kind paid during the past financial year or awarded in respect of the same financial year to the executive corporate officers (“ex-post vote on compensation in respect of the previous financial year”). As a result, the payment of variable or exceptional compensation in respect of a financial year is subject to their approval by the General Shareholders’ Meeting called to approve the financial statements of that financial year.

Mr. Octave Klaba in his capacity as Chairman of the Board of Directors and Mr. Michel Paulin in his capacity as Chief Executive Officer are the only corporate officers.

Related entities mainly include companies controlled by Mr. Octave Klaba, founder and current Chairman of the Company’s Board of Directors, and other entities controlled by other members of the Klaba family, who are direct or indirect partners of the Company. The Company is currently controlled by the Klaba family.

Pursuant to the agreements detailed below entered into with related parties and related to the conduct of the business, the Group recognised a total amount of operating expenses of €13,895,000 for 2022 versus €7,523,000 for 2021, and concerning net finance income (expense) (IFRS 16), €(125,000) for 2022 versus €(140,000) for 2020. More detailed figures for the related-party transactions are set out in Note 5.3 to the consolidated financial statements for the period ended 31 August 2022, contained in Chapter 5 of this Universal Registration Document. .

The main related-party transactions are described in this chapter.

Agreements entered into as part of the Company’s initial public offering

1. ▶Underwriting Agreement

The placement of the Company’s shares as part of its IPO was guaranteed by a group of financial institutions comprising BNP Paribas, Citigroup Global Markets Europe AG, J.P. Morgan AG and KKR Capital Markets (Ireland) Limited as global coordinators (the “Global Coordinators”), lead managers and associate bookrunners, Crédit Suisse Bank (Europe) S.A., Goldman Sachs Bank Europe SE, Morgan Stanley Europe SE and Société Générale as lead managers and associate bookrunners and Crédit Industriel et Commercial S.A. as lead partner (the “Guarantors”) for all the shares offered under the terms of a contract in English (“Underwriting Agreement”).

This agreement was entered into on 14 October 2021 between the Company, BNP Paribas Securities Services (“BP2S”, acting as seller, on behalf of individuals from whom BP2S acquired shares of the Company) and the other selling shareholders, namely Spiral Holdings SCA, Spiral Holdings BV, Deep Code SAS and Digital Scale SAS (together with BP2S, the “Selling Shareholders”), on the one hand, and the Guarantors on the other hand, the latter having each undertaken up to a maximum number of shares offered specified in the said contract, to acquire and pay, subscribe and pay up, or where applicable to acquire and pay up, subscribe for and release themselves, the shares offered as part of the initial public offering at the price of the offer on the settlement date.

The maximum amount of fees payable by the Company under the Underwriting Agreement amounts to approximately €9.7 million excluding tax.

The signature of the Underwriting Agreement was authorised by the Company’s Board of Directors at its meeting of 14 October 2021.

The conclusion of the Underwriting Agreement was authorized by the Board of Directors of the Company at its meeting of October 14, 2021. The directors concerned, namely Octave Klaba, Miroslaw Klaba, Michel Paulin, Bernard Gault, Daniel Bernard and Jean-Pierre Saad abstained from participating in the vote.

• ▶Non-compete compensation for the Chief Executive Officer

The Company has granted Michel Paulin, the Company’s Chief Executive Officer, a non-compete clause for a period of one year following the end of his term of office, as consideration for 50% of his compensation (fixed + variable) for the year preceding his departure. This clause will not apply in the event of retirement or in case of reaching the age of 65.

This commitment will be applicable in the Territory (defined as the worldwide) for the duration of the term of office (including in the event of renewal) and for a period of one year, starting from the date of termination of the duties of Chief Executive Officer.

The Company reserves the right to unilaterally waive this non-compete undertaking as from the date of notification of the termination of duties, in which case the Chief Executive Officer will be free and no compensation will be due.

It is in the Company's interest to be able to ensure, in the event of Mr. Michel Paulin’s departure, that the Company is able to prohibit him from competing with the Company, under the conditions provided for in the non-compete clause.

This agreement was the subject of prior approval by the Board of Directors on 28 September 2021 and of a special report on 29 September 2021. This agreement was approved by the Combined General Shareholders' Meeting on 14 October 2021. Mr. Michel Paulin abstained from participating in the vote.

At its meeting held on 15 December 2022, the Board of Directors reviewed the agreements and commitments authorised and entered into during previous financial years, the execution of which was continued during the 2022 financial year, in accordance with Article L. 225-40-1 of the French Commercial Code.

None.

a. Service agreement known as “TSA” by OVH SAS for the benefit of Shadow SAS (formerly called Hubic SAS)

Under the terms of a share purchase agreement dated 18 December 2020, OVH SAS sold to Jezby Ventures SAS, a company controlled by Octave Klaba, the entire share capital of Hubic SAS, then a subsidiary created by OVH SAS to operate its offer called “Hubic”. The Group ceased to develop this activity as it was not considered to be a strategic activity for the Group. Hubic SAS was renamed “Shadow SAS” in July 2021, now held indirectly by Messrs. Octave and Miroslaw Klaba. Shadow SAS offers file storage and other related digital services to individuals.

In this context, a transitional service agreement was signed on 11 February 2021 between OVH SAS and Shadow SAS under the terms of which OVH SAS undertook to provide administrative services to Shadow SAS. This agreement was amended in September 2021 and in March 2022 to adjust the services provided and the associated compensation.

The amount invoiced by OVH SAS during the 2022 financial year in respect of this contract amounts to €131,987.10 excluding tax.

The contracts between Shadow SAS and OVH SAS are agreements in which the ultimate beneficiaries are Octave and Miroslaw Klaba for Shadow SAS and OVH SAS, in which they indirectly hold more than 10% of the share capital.

The provision of these services, incidental to the disposal of Hubic SA, remains exceptional for OVH SAS since they are intended to support the takeover of the assets sold in order to ensure the best possible transition. These agreements correspond to transactions that do not present the nature of current agreements and therefore fall within the scope of regulated agreements for the entity OVH SAS.

b. Equipment acquisition agreement between Shadow SAS and OVH SAS following the takeover of Blade SAS

Following the takeover by Shadow SAS of the company Blade in April 2021 as part of the receivership procedure of Blade SAS, Shadow acquired second-hand equipment that it did not wish to operate directly but which could be used by OVH SAS. OVH SAS and Shadow therefore entered into a purchase agreement on 9 June 2022 for an amount of €1,912,808 excl. tax setting the terms and conditions of purchase by OVH SAS of this used IT equipment located in France.

This contract provides for the acquisition of used equipment in order to migrate it within these data centres and reuse it.

These acquisitions of second-life equipment and their migration to OVH SAS data centres are not routine for the company. However, they are consistent with OVH Groupe SA’s ambitions to limit its environmental impact, in particular by using existing equipment and components whose performance allows reuse.

c. Credit issuance and repayment service by OVH SAS for customers of Shadow SAS

As part of the activities of Hubic acquired by Shadow SAS in 2021, Shadow SAS wished to migrate the marketing of the existing “Hubic” platform and propose to its customers to migrate to a new data storage service, called “Shadow Drive”.

To this end, on 23 August 2022, Shadow SAS ordered a service from OVH SAS to issue credit notes and repay certain customers on its behalf, since the latter issues invoices and collects receivables in respect of the historical “Hubic” service under the TSA services contract.

This service will be provided during the 2023 financial year, and OVH SAS will invoice these transactions for a total amount of €8,900 excl. tax.

This service of issuing credit notes and repayments for a third party is not part of the current business of OVH SAS but is ancillary to the so-called “TSA” contract.

d. Retrofit agreement between OVH SAS and Shadow SAS

Shadow SAS signed a contract with OVH SAS for the purpose of providing services on IT equipment, including the assembly of computer components to make servers from 5 July 2021.

OVH SAS has a plant that assembles IT components in order to build its own servers, and has developed a “retrofit” activity to disassemble and then reassemble existing equipment components. A contract was therefore signed with Shadow SAS for the disassembly and reassembly (retrofit), storage and transport of certain IT components.

OVH SAS does not usually offer this type of service for third parties.

The amount of this service is €21,151.78 excl. tax.

OVH's General Shareholders' Meetings are convened and deliberate under the conditions provided for by law and in the bylaws.

The provisions of OVH's bylaws relating to General Meetings and the procedures for exercising voting rights at General Meetings are set out in Title IV – General Meetings – Article 22 – Meetings, Composition, Deliberations, of OVH's bylaws, which are available online at www.corporate.ovhcloud.com, Governance section).

The following table presents the key figures for the 2022 period.

• ▶Revenue of €788 million in 2022, up strongly by 18.8% compared to 2021. Like-for-like revenue growth of 12.4%
• ▶Adjusted EBITDA of €308 million, a 39.0% margin, and reported growth of 17.4% compared to the previous period
• ▶Recurring and growth Capex respectively 19% and 36%(1) of revenue for the period
• ▶Acceleration trajectory confirmed for 2023 with an organic revenue growth target of between +14% and +16% and an adjusted EBITDA margin in line with FY2022
• ▶Targeted recurring and growth Capex of 16-20% and 28-32% of 2023 revenue respectively
• ▶Confirmed mid-term targets with an organic revenue growth around 25%, an adjusted EBITDA margin close to 42%, recurring Capex and growth Capex respectively between 14% and 16% and between 28% and 32%

OVHcloud Chief Executive Officer Michel Paulin said:

“The 2022 annual results demonstrate OVHcloud’s ability to deliver a strong, sustainable and profitable growth acceleration strategy. In a hyper-growth cloud market, our European leadership has enabled us to step up the deployment of our sovereign solutions while constantly increasing our environmental responsibility. Building on our skills, along with robust, innovative partnerships, our expansion has been particularly supported by the rapid enrichment of our product portfolio and our customers’ international development. Our integrated operating model and trusted offering allow us to successfully absorb the volatility of the current environment. We are particularly confident in our ability to continue this momentum throughout 2023 and thereafter in order to achieve our 2025 targets.”

In 2022, OVHcloud confirmed its position as the leader for a sustainable cloud with ambitious medium-term commitments and key performance indicators amongst the best in the market.

Ambitious medium-term commitments:

• ▶100% low-carbon energy by 2025, with the aim of limiting the use of high-carbon energy by promoting renewable energy and other low-carbon energy sources;
• ▶Contribution to global Net Zero for scopes 1 & 2 by 2025, with scopes 1 & 2 representing almost 40% of OVHcloud’s carbon footprint;
• ▶Contribution to global Net Zero for all scopes by 2030, with scope 3 being mainly related to component manufacturing;
• ▶0% landfill by 2025, for waste related to OVHcloud’s processes, on a LFL (Like-for-like) basis in terms of geographical scope.

Similarly, OVHcloud has an ambitious and recognised human resources policy. At end August 2022, the Group employed 2,800 people, including 60% tech. OVHcloud is particularly focused on its employees’ well-being, which can be seen in a strong engagement score (7.5/10, up 0.2 point compared to 2021) and a high loyalty rate of 79%. These very encouraging scores give OVHcloud confidence in its ability to deliver its growth acceleration plan.

Strasbourg 5: the first achievement of the hyper resilience plan

SBG5, a strong symbol of the Group’s industrial strategy, is the first data centre designed as part of the hyper resilience plan. The site, with a surface area of 1,700 m2, has a total of 19 isolated rooms with masonry that compartmentalises the different segments in order to provide two hours of fire resistance. The gas fire extinguishing system meets the APSAD R13 standard and the VESDA smoke detectors comply with the APSAD R7 standard. The seven power rooms and the three battery rooms are located outside the building.

In addition, in order to manage the environmental impact, the SBG5 site benefits from the principles of frugality and efficiency perfected for more than 20 years by OVHcloud, particularly its water-cooling system for server components that achieves a water efficiency index (WUE) of less than 0.2 L/kWh, i.e. the equivalent of a glass of water to cool a server for 10 hours of use. OVHcloud stands out with its closed circuit system that limits liquid losses, and also by the use of dry coolers and the absence of air conditioning in the server rooms.

Commercial performance

2022 was marked by numerous commercial wins, notably in Q4 with the signature of new contracts and the acquisition of new customers such as AIFE (State financial agency), Mastercard, Arianespace, Alstom, Fencecore, EQS Group and Efalia. Growth was notably driven by continuous improvement in ARPAC(2) and the development of strong partnerships with IT integrators such as Capgemini, Accenture and Sopra Steria. OVHcloud also recorded double-digit revenue growth with its global and local partners, which now number 1,100 including over 500 international partners. Lastly, at end August 2022, OVHcloud was offering 81 IaaS and PaaS solutions to its customers, with a doubling, during the year, of PaaS solutions in general availability. The development of PaaS solutions is in line with the Group’s initial business plan. OVHcloud’s ability to grow with its customers is reflected in a net revenue retention rate of 114% for FY2022. It reached 108% LFL (Like-for-like), up significantly compared to the previous year.

2022 also demonstrated the success of the strategy implemented by OVHcloud. The Group is driven by continued solid sales momentum, notably in Public Cloud and Private Cloud, development in PaaS uses by customers, sustained international development and a sovereign offering that has shown results with over 35 customers for its SecNumCloud offering, up significantly during Q4.

This year’s positive momentum is also reflected in the shift of the business mix towards Public Cloud and Private Cloud and the growing share of international business in the Group’s revenue, reaching 51% for the year. By reaching a share of 54% of revenue over the year, up 2 percentage points compared to the previous year, the Enterprise segment confirms its good performance and the effectiveness of its dedicated growth strategy.

Expanding and strengthening its global footprint

OVHcloud confirms the deployment of the industrial component of its growth acceleration plan. The latter includes the extension of historical sites, along with new sites and new countries:

• ▶The Roubaix campus will be strengthened by a tenth data centre;
• ▶In Gravelines, OVHcloud will deploy new capacities with a new dedicated space;
• ▶An AZ (availability zone) region of three data centres in the Paris region will be commissioned in 2023;
• ▶On the other side of the Rhine, the Limburg campus will open a new data centre in Q3 2023 to support local growth and a new remote site has been launched to open in 2024;
• ▶As a result of strong growth in North America, the Group plans to equip the Beauharnois campus with its ninth data centre and to open a new data centre in Toronto in 2023;
• ▶In the Asia region, in which OVHcloud is also seeing strong growth, the Group deployed its first data centre in Mumbai, India in 2022. From 2023, the Group plans to deploy a second data centre in Singapore.

ForePaas: acquisition of complementary technological bricks

The Group acquired ForePaaS in April 2022 as part of its external growth policy, and in particular its desire to target startups with active customer bases or technologies allowing synergies with the rest of the OVHcloud portfolio and accelerate the development of its Platform as a Service (PaaS) offering. ForePaas is a unified platform specialising in data analytics, machine learning and artificial intelligence projects for companies. This merger will actively contribute to the deployment of OVHcloud’s growth acceleration strategy through the enrichment of its offering (PaaS).

Macroeconomic environment

The current macroeconomic environment is particularly deteriorated by inflationary trends (in particular the increase in energy costs), and by the war in Ukraine.

The Group has several key assets in this inflationary dynamic:

• ▶OVHcloud operates according to a vertically integrated model, which gives it control of its value chain;
• ▶the Group has set up two interest rate swaps (exchanging the variable rate of the term loan for fixed rates) (Note 4.19 to the consolidated financial statements) enabling it to limit the risk induced by interest rate fluctuations;
• ▶the Group uses forward foreign exchange contracts (Note 4.20 to the consolidated financial statements) to limit its exposure to potential currency fluctuations;
• ▶the Group obtains its supplies through forward purchase contracts, at fixed or indexed prices, in order to reduce its exposure to the risk of an increase in the purchase price of energy. OVHcloud has also entered into an energy purchase agreement with the EDF Renouvelables group, providing for the provision by EDFR of electricity from an agrivoltaic park, for the exclusive benefit of the Group. OVHcloud plans to consume 100% of the green energy produced by this park, from January 2025, representing around 25% of the current annual electricity needs in France. This contract provides long-term visibility of the price of the electricity to be supplied.

With regard to the current geopolitical situation between Russia and Ukraine, the Group is constantly monitoring its domestic customers in Russia, Belarus and Ukraine. In this context, the Group is rigorously complying with all regulations in force. Furthermore:

• ▶revenue generated in Russia, Belarus and Ukraine represents approximately 1.5% of the Group’s revenue as at 31 August 2022;
• ▶the Group does not have any employees in Ukraine, Russia or Belarus;
• ▶the Group has no service providers (individuals) based in Ukraine;
• ▶it has no infrastructure in these three countries;
• ▶there is no material risk of recovery of receivables due at 31 August 2022.

2022 confirms the Group’s ability to implement its strategic plan and its growth acceleration trajectory.

2023 outlook

For FY2023, OVHcloud is targeting an organic revenue growth of 14-16%, up compared to FY2022.

The cost of electricity, particularly in Europe, is one of the most significant inflationary factors. Thanks to its active electricity hedging policy and government decisions, the Group already knows the cost of 90% of its electricity consumption for the 2023 financial year. This visibility enables OVHcloud to expect its electricity costs in 2023 to be around mid to high-single digit percentage of its revenue, up compared to mid-single digit in 2022. In this context, OVHcloud has announced gradual price increases, in line with cloud industry-wide rises, which will enable OVHcloud to maintain its 2023 adjusted EBITDA margin in line with 2022. OVHcloud’s customer dynamic has been so far unaffected by those announcements.

Lastly, the Group is targeting recurring Capex between 16% and 20% of revenue and growth Capex between 28% and 32% of revenue. The lowering of the growth Capex range has been made possible by the scheduled reduction in component inventories, which expanded considerably during FY2022 in order to offset shortages, increased operational efficiency, mainly due to the SAP solution deployed in December 2021, and the expected levelling of average component prices compared to FY2022, a year marked by strong inflation.

Medium-term outlook confirmed

The Group reiterates its medium-term financial targets and aims to achieve the following by 2025:

• ▶organic revenue growth accelerating to around 25% by FY2025 driven by a shift in business mix, deployment of the “Move to PaaS” strategy, international expansion, the benefits from the market shift to hybrid- and multi-cloud and the focus on data sovereignty;
• ▶adjusted EBITDA margin close to 42%, by partly reinvesting economies of scale mainly achieved through better absorption of fixed costs over the period;
• ▶recurring Capex benefiting from productivity improvements and decrease as a percentage of revenue towards a range of between 14% and 16%; likewise, growth Capex as a percentage of revenue, within a range of 28% to 32%.

OVHcloud Group is a global player and the European cloud leader active on five continents. For over twenty years, the Group has relied on an integrated model that has given it complete control of its value chain: from the design of its servers to that of cloud platform solutions that it provides to its customers together with the construction and management of its data centres, and the organisation of its fibre optic network. This unique approach allows OVHcloud Group to cover all of its customers’ uses in a fully independent way. Today, the Group offers state-of-the-art solutions combining high performance, price predictability and total sovereignty over their data, to support their growth in complete freedom.

The terms “OVHcloud” and the “Group”, as used in the consolidated financial statements, unless otherwise expressly stated, refer to the Company, its subsidiaries and its direct and indirect equity interests.

The parent company of the OVHcloud Group (the “Group”) is OVH Groupe (the “Company”) which was founded in 1999 and is currently registered at 2, rue Kellerman, 59100 Roubaix, France.

The Group's consolidated financial statements at 31 August 2022 were approved by the Group's Board of Directors on 25 October 2022.

The consolidated financial statements are presented in thousands of euros (unless otherwise stated). The amounts are indicated without decimals and rounded to the nearest thousand euros and may, in certain cases, lead to non-material discrepancies in the totals and sub-totals shown in tables.

The financial statements for the financial year below cover the period from 1 September 2021 to 31 August 2022, i.e. a period of 12 months.

At 31 August 2022, the statement of financial position total amounted to €1,265,336,872 and revenue was €36,554,098.

OVH Groupe S.A. was listed on compartment A of the Euronext Paris regulated market on 15 October 2021 in order to finance its growth strategy, which is to include the financing of its geographical expansion, the construction of data centres, the development of new products and external growth transactions where applicable. The total number of OVHcloud shares newly issued as part of the initial public offering is 18,918,919, with a unit value of €18.50, i.e. a primary offering of approximately €350 million.

On 18 January 2022, the Group set up a liquidity contract to ensure an active market for OVH Groupe shares on Euronext Paris. €5 million in cash was allocated to implement this contract.