Presentation of the Group

1.1History

OVHcloud’s position as the leading European cloud provider traces its roots to its founding in 1999 as an internet hosting company in France. Over the past 25 years, OVHcloud has developed significantly, initially by expanding its infrastructure and growing its presence within Europe, and then by diversifying its cloud offerings and expanding its operations globally.

Key developments

1.2The cloud computing market

1.2.1Cloud computing

Cloud computing means providing users with storage, computing and network resources on demand. Cloud resources are located in datacenters that house servers and equipment used to process, store and transmit data. Users of cloud computing services can access stored data and instruct processing units to perform computing functions automatically, without the need for human interaction, minimising the computing and storage capacities needed on their devices (such as personal computers, tablets and mobile phones). Wherever they are located, as long as they have an internet connection, users are able to access IT services through the cloud.

Businesses can establish and operate their own datacenters using internal IT staff, or they can outsource some or all functions to cloud service providers such as OVHcloud. For many businesses, the time and financial investment required makes proprietary cloud computing less attractive than outsourcing, which means paying only for the resources they actually use. Additionally, it can be difficult for businesses that are not specialised in IT services to innovate at the requisite levels in order to ensure that their cloud infrastructure provides them with adequate services and protections, such as data security. Internal IT systems also might not be sufficiently scalable to meet peak-load demands (unless businesses maintain costly excess capacity).

Servers maintained in datacenters can be used for multiple functions, each of which is accessed through a “virtual machine” created on the server. The virtual machines are operated and separated from one another through a software platform known as a “virtualisation stack.” Each virtual machine can have its own operating system that permits users to develop and run applications. Through a function known as a “hypervisor,” the server’s capacity is allocated to the virtual machines in accordance with the demands of users. Furthermore, software applications have been written to be bundled in “containers” that run directly on the operating system of the server itself, coordinated through platforms known as “orchestration” systems, which generally take up less space and can provide better performance than hypervisor-based virtualisation stacks.

The ability to create multiple virtual machines in each server or to deploy container-based systems allows a cloud service provider to allocate its capacity among multiple user groups or customers in a secure manner. Service providers can dedicate a server to a single customer (a “Private Cloud” system), allocating the server’s capacity among user groups authorised by the customer. Alternatively, a server can be shared among multiple customers (a “Public Cloud” system). Private Cloud customers generally pay monthly charges for dedicated capacity, whether or not they use that capacity. Public Cloud customers generally pay for the capacity they actually use.

In order to optimise the cost of cloud services, many businesses are deploying “hybrid cloud” strategies, in which they combine on-premises or outsourced Private Cloud capacity for their most sensitive functions and data, with Public Cloud capacity for their less sensitive needs. Customers are also deploying “multi-cloud” strategies, purchasing cloud services from several providers. To meet the growing demand for hybrid cloud and multi-cloud services, a cloud provider must offer packages that allow the various solutions to function as an integrated whole.

Cloud computing encompasses a range of services that include providing access to infrastructure (Infrastructure-as-a-Service or “IaaS”), selecting and operating platforms such as operating systems, virtualisation stacks and security systems (Platform-as-a-Service or “PaaS”), and offering applications that are developed and can function on cloud platforms (Software-as-a-Service or “SaaS”). These features are illustrated in the following graphic:

The cloud solutions market also includes Web services targeted mainly at individuals and small and medium-sized businesses. The Web Cloud market largely consists of web and domain hosting, including leasing servers for websites, selling secondary services (such as software packages) and domain name registration, renewal and transfer services.

1.2.2A large and fast-growing market(1)

1.2.2.1Overview of the cloud market

Market size in 2024

OVHcloud holds leading positions in Europe, based on revenue, in Private Cloud services. OVHcloud is also recognised by IDC and Forrester for the strength of its Public and Private Cloud offerings.

The estimated potential growth figures are necessarily subject to uncertainty, and actual growth may prove to be different (possibly significantly so) from the figures below.

In 2024, the global market for IaaS and PaaS cloud offerings was estimated at approximately €300-330 billion. This includes an IaaS market of an estimated €170-190 billion and a PaaS market estimated at €130-140 billion.

The IaaS market includes an estimated amount of €17.5-20.5 billion in 2024 for Private Cloud services (including Bare Metal Cloud) and the rest for the Public Cloud.

Segments linked to public services, health, financial services, professional services and telecommunications are particularly sensitive to data sovereignty. Data sovereignty encompasses, more specifically, the importance of providing customers with assurance that cloud providers have full control over the management and localisation of their data.

The European data sovereignty market was worth close to €13 billion in 2023, representing between 20% and 25% of the total European market, and is expected to grow by 29% a year over the 2022-2027(2) period.

For several years, OVHcloud has been developing a trusted offering that complies with European Union Member States' security standards. OVHcloud has been SecNumCloud-certified by ANSSI (the French cybersecurity service providing protection against non-European laws) in France since 2021. The label was reissued for three years in December 2023. OVHcloud built its Hosted Private Cloud powered by VMware offering on this basis in 2021. In addition, the new Bare Metal Pod offering (stand-alone rack of servers dedicated to each customer) is currently undergoing SecNumCloud certification. In Europe, the Group has had several of its products certified by trusted standard-setters in Italy (ACN), Spain (ENS) and Germany (C5), for example.

1.2.2.2Private and Public Cloud market trends

OVHcloud believes the cloud market's strong growth trend should continue in the coming years because the market benefits from the following robust structural levers:

• the "Move to Cloud" dynamic for most companies and users;
• the rise of multi-cloud (having several cloud providers) and hybrid cloud (having several types of cloud) solutions;
• strong demand for artificial intelligence;
• the growing importance of data sovereignty;
• the increasing number of customers seeking affordable cloud solutions.

The global IaaS and PaaS markets are set to grow at a compound annual rate of around 23% between 2024 and 2027.

OVHcloud believes the market’s growth has been and should continue to be driven by a steady increase in corporate IT spending, and a continued trend towards outsourcing, particularly with respect to cloud-related IT spending.

These strong growth trends, which have been confirmed for the medium term, are being impacted in 2023 and 2024 by the macroeconomic environment, which is encouraging most economic players to streamline their IT spending, particularly in the cloud. This leads to the postponement of migration projects or the optimisation of existing cloud infrastructure.

Although OVHcloud predicts sharp growth in each market segment, the growth rate may vary significantly by segment, driven by specific usages and customer requirements:

• Public Cloud is expected to be the most dynamic segment, with annual global growth of over 20% from 2024 to 2027, driven by high scalability and the wide range of potential uses of Public Cloud services;
• Private Cloud is also expected to grow substantially, as businesses seek to combine outsourcing and data privacy needs. OVHcloud forecasts annual global growth of roughly 10% from 2024 to 2027 for Private Cloud services. OVHcloud believes this growth will be fuelled by a continued trend for outsourcing, the development of hybrid cloud and multi-cloud solutions, and an increasing need for dedicated, secure solutions with robust data privacy protections, which are more difficult to guarantee on the Public Cloud.

The PaaS market is expected to grow at a rate of more than 20%, driven by artificial intelligence and database management.

The cloud services market is also evolving rapidly, changing some of the main factors driving market growth, particularly for business customers. While overall growth reflects a need to store and process ever-increasing amounts of data, OVHcloud believes the market is placing a greater emphasis on topics such as data sovereignty, data security and the environmental impact of datacenter management.

1.2.2.3The Web Cloud services market

The global web and domain hosting market was estimated to be worth around €5 billion in 2020. OVHcloud operates in the Web Cloud market through website hosting and domain name registration, as well as through the provision of internet access services and voice over internet protocol solutions.

Europe's Web Cloud market is more mature than the Private and Public Cloud market. OVHcloud expects the web and domain hosting market in Europe to continue to grow in the coming years, though perhaps at a slightly slower rate than previously.

OVHcloud believes future market growth will be driven by the fact that a web presence is seen as critical for many businesses, as well as opportunities for both cross-selling and upselling of additional services to existing Web Cloud users.

1.2.3A European cloud leader

The global Private Cloud market is fragmented, with the top five players representing less than half of the market. OVHcloud believes it is one of the two main providers of Private Cloud services in continental Europe, along with IBM Cloud. Other leading Private Cloud providers in continental Europe include Hetzner (Germany) and Rackspace (US/international). In 2020, IBM Cloud and Rackspace were the leaders in the United States and Northern Europe (including the United Kingdom), where OVHcloud has a significant market share, albeit less than 5% given the market fragmentation.

The Public Cloud market is dominated by the so-called hyperscalers, Amazon Web Services, Microsoft Azure and Google Cloud Platform, which together represented approximately 70% of the worldwide Public Cloud market in March 2024.

Based on customer feedback, OVHcloud believes the key factors driving the selection of a cloud services provider include the price/performance ratio, continuity and reliability of service, technical performance, data security/sovereignty and datacenter location. The price/performance ratio is the most significant criterion in the Bare Metal Cloud segment, while continuity and reliability of service are of approximately equal importance with price/performance in the Hosted Private Cloud segment, and represent the most important factor in the Public Cloud segment. In the Public Cloud segment, the choice of supplier also takes into account the reversibility and flexibility provided by the use of open source technologies and the pay-per-use model, respectively.

OVHcloud currently has PaaS offerings in areas such as containerisation, data management and artificial intelligence integrated with its IaaS offerings, and is in the process of expanding its presence in the PaaS market. For this reason, OVHcloud does not have a significant market share in identified PaaS offerings, a market currently dominated by the hyperscalers, and, to a lesser extent, specialist vertical players. As part of its growth strategy, OVHcloud plans to continue expanding the PaaS components of its offerings and to continue its development in the field of artificial intelligence. Thanks to the complementary nature of these PaaS offerings and its extensive IaaS catalogue, OVHcloud is able to offer an attractive alternative to its customer base comprising large companies and technology companies. The OVHcloud offering also continues to stand out thanks to different deployment methods and local certifications.

1.3Business

1.3.1A comprehensive range of solutions

1.3.1.1Private Cloud

OVHcloud provides two main Private Cloud offerings: Bare Metal and Hosted Private Cloud.

Bare Metal Cloud

OVHcloud’s Bare Metal Cloud service provides dedicated physical servers to customers, who have full control over the server, including the choice of operating system. The Bare Metal Cloud allows them to have a similar experience to the one they would have with on-premises solutions managed by their internal teams, while taking advantage of the benefits offered by outsourcing.

OVHcloud’s main Bare Metal Cloud offering consists of high-end servers and mid-to-high-level services. OVHcloud also has a lower-priced offering marketed as part of the “Eco” range, which uses refurbished servers that provide quality services at a reduced cost, while improving environmental efficiency.

Bare Metal Cloud services provide business customers with high-level computing power and strict service level agreements in a secure environment appropriate for sensitive data applications. The server can be customised to meet customer requirements and can be operated without allocating the server’s capacity to virtual machines through a hypervisor, allowing the customer to use the server’s full capacity. Any unused capacity can be deployed within minutes, although the total capacity is limited by that of the dedicated server.

Bare Metal Cloud customers pay monthly fees that depend on the performance levels they select. They may also choose options (such as server customisation or data backup) for additional fees.

The main uses of Bare Metal Cloud services include the computation of complex data, low latency operations, streaming, online gaming and critical business applications such as ERP and CRM.

Hosted Private Cloud

OVHcloud offers Hosted Private Cloud services to its business customers, providing servers fully managed by OVHcloud, including the operating system and the virtualisation layer, in partnership with VMware or Nutanix offerings.

1. VM: Virtual Machine

OVHcloud’s Hosted Private Cloud services provide customers with private access to servers that can be customised to satisfy their specific requirements. They meet the needs of customers seeking isolation and security, scalable resources and resilience.

The main uses for Hosted Private Cloud services include deployment in hybrid cloud strategies, media encoding, big data analytics and disaster recovery, as well as the storage and processing of sensitive data in key sectors such as healthcare, finance and the public sector.

Since 2021, OVHcloud has been offering SecNumCloud-certified Hosted Private Cloud services. SecNumCloud certification gives customers the assurance of choosing solutions that comply with the highest ANSSI security standards, as well as the guarantee of having solutions tailored to the sensitive data of public authorities and businesses.

1.3.1.2Public Cloud

OVHcloud offers Public Cloud solutions based on open source technologies such as OpenStack (a platform for deploying processing, storage and networking resources) and Kubernetes (a container orchestration platform that has become a market benchmark). The use of these standard platforms provides customers with easy data transfer capability and deliberately transparent access to source code, facilitating reversibility and eliminating “vendor lock-in”. This feature of the OVHcloud offering is particularly attractive for customers looking to deploy multi-cloud strategies.

Public Cloud solutions provide users with virtually unlimited computing capacity, with the only constraint being the demands of other users and the total installed capacity of the cloud provider. It is possible to deploy new Public Cloud instances automatically and in seconds. As the Public Cloud service is based on shared servers, customisation options are defined by OVHcloud. The flexibility of the hardware architecture offers high service levels.

Public Cloud customers pay usage fees for the capacity they actually use. The OVHcloud model offers much more predictability than models used by hyperscalers and many other competitors. In particular, unlike hyperscalers, OVHcloud does not charge additional fees for outgoing data transfers or API calls, except for block and archive storage, and for services located in Asia-Pacific.

The Group’s Public Cloud offering provides three core cloud computing services: computer performance, storage and network capabilities.

Customers of OVHcloud's Public Cloud solutions can choose fully scalable Public Cloud services on virtual machines that are hosted on shared servers and networks.

OVHcloud’s Public Cloud service is attractive for customers seeking highly scalable resources, with significant peak management demands across multiple access locations, and a high degree of resilience. This service is used for applications with high-demand bursts and services that use large volumes of data, such as video and music streaming.

OVHcloud's Public Cloud customers can also choose from a number of on-demand (SaaS) software running on OVHcloud's Public Cloud servers. In particular, OVHcloud offers its customers access to Microsoft Exchange messaging and calendar solutions, SharePoint data storage and management solutions, and the Office365 business software suite.

1. VM: Virtual Machine

Virtual private servers

OVHcloud also offers a virtual private server option, providing IT capabilities located on shared servers, but with virtual machines isolated through the use of virtual private networks.

The virtual private server option is attractive to customers seeking tailored resources, particularly for short-term operations with volatile workloads and server demand. Virtual private server solutions are used primarily for applications testing and other one-time projects, the management of short-term peak loads and backup functions.

1. VM: Virtual Machine

Platform-as-a-Service (PaaS)

As part of its growth strategy, OVHcloud is developing and implementing a comprehensive PaaS offering, overlaying its Private Cloud and Public Cloud IaaS products. In addition to developing products in-house, OVHcloud has announced several partnerships and acquisitions, in order to accelerate its development plan, enabling it to offer more than 80 IaaS and PaaS solutions to its customers by the end of the 2024 financial year, mainly in the following areas:

• Storage. OVHcloud now offers its customers a comprehensive portfolio of storage solutions such as Object Storage S3 (High Performance and Standard), Block Storage, File Storage, Snapshot & Backup and Archive;
• Database-as-a-Service. Data management software allows users to manage their databases to enable queries and updates. It includes programmes that execute queries on data and provide visual representation of the data in formats such as spreadsheets, enabling users to build applications faster and automate database management. OVHcloud announced a partnership with MongoDB in April 2021 and a partnership with Aiven in July 2021 to make several types of database available on the OVHcloud infrastructure;
• AI, Machine Learning & Analytics. Artificial intelligence and analytics solutions include tools and services that support data analysis and presentation. OVHcloud is particularly advanced in high-performance computing solutions for artificial intelligence and machine learning, and intends to continue its development in this area. In April 2022, OVHcloud announced the acquisition of ForePaaS, a company specialising in analytics. Over the last two years, OVHcloud has strengthened its artificial intelligence product offering, including AI Notebook, AI Deploy, AI Training, AI App Builder and AI Endpoint;
• Security & Encryption. OVHcloud is expanding its offering of identity access management and encryption solutions, including end-to-end encryption that secures customer data in all states. In July 2021, OVHcloud announced the acquisition of BuyDRM, a US company specialising in this area;
• Application platforms. Application platforms are back-end server software solutions that provide developers with a runtime and development environment.

1.3.1.3Web Cloud and Other

OVHcloud has offered Web Cloud services since its founding in 1999. With its leading position in the French market and strong positions elsewhere in Europe, the Web Cloud offering provides a stable, recurring revenue base and regular growth.

OVHcloud offers three principal solutions to Web Cloud customers:

• Web hosting and domain names. This includes the leasing of capacity on servers, allowing customers to connect their websites to the internet, as well as domain name registration, renewal and transfers. Customers can choose basic packages offering just one or a few websites, or packages targeted at professionals and developers that wish to host multiple websites, together with email addresses and storage options. OVHcloud offers its customers additional services, such as Secure Socket Layer (SSL) certificates, which enable secure connections between a web server and a browser;
• Telephony and connectivity. Customers can purchase VoIP (Voice over IP) systems for use as switchboards and interactive voice response systems. OVHcloud also offers customers internet access through ADSL and fibre networks, with basic and professional packages;
• Support and services. OVHcloud offers its customers additional levels of support and services, including a range of support, expertise and online services. There are two levels of support offering: i) Business, which corresponds to the level suitable for production environments, or ii) Enterprise, which offers a key account experience for critical production environments. Additional services are proposed in the Professional Services offering, which provides access to technical support and advice during infrastructure migration or IT architecture changes.

OVHcloud’s main customers in the Web Cloud segment are small and medium-sized businesses, as well as certain individual customers and entrepreneurs. Web Cloud customers generally seek secure and reliable web and communications services, to establish their web presence, and to digitise business functions.

1.3.2Customer segmentation

OVHcloud serves approximately 1.6 million customers, including large corporates, public entities, small and medium-sized businesses, and a wide range of individual customers.

The customer base is highly diversified, with the top 50 customers representing approximately 10% of FY2024 revenue, and the top 500 customers approximately 25%.

In order to understand and respond as effectively as possible to the needs of these customers, OVHcloud's sales strategy is based on two sales channels, each with its own sales strategy: the Digital channel and the Enterprise channel.

The Digital channel

Historically, OVHcloud has occupied a strong position with small and medium-sized business customers, whether or not they specialise in technology. To best serve these companies, OVHcloud set up the digital sales channel to offer them cloud and/or web solutions with the best performance/price ratio, that are fast and flexible thanks to a fully digital pathway, with no direct human contact.

OVHcloud’s technology sector customers subscribe to OVHcloud products and services through digital marketing channels, attracted by rapid access to services and the ability to select from a broad range of solutions that can be customised on OVHcloud's website to address their requirements. The customer's experience on the site is carefully structured and after the sale, high-potential customers are identified to capitalise on up-sell and cross-sell opportunities.

The sales strategy for this channel is particularly effective for penetrating new geographical regions, as it allows OVHcloud to gradually progress in new markets, with a limited financial commitment, before expanding with local physical sales teams.

The Digital channel accounts for around 44% of 2024 revenue and has achieved a compound annual growth rate (CAGR) of 11.5% over the last three years.

The Enterprise channel, comprising Corporate & Partners and Tech

The Enterprise channel represents OVHcloud's direct and indirect sales strategy for its large corporate, SME and public entity customer base, which is in the process of massively moving to the cloud. This sales channel comprises two sub-channels: the Corporate & Partners channel and the Tech channel.

The Corporate & Partners channel, which is mainly made up of indirect sales, relies on OVHcloud's solid and extensive network of over 1,300 IT integrator partners, including world-renowned consulting firms such as Accenture and Capgemini. The channel mainly targets medium-sized and large traditional companies, which are not, by nature, digital businesses. As well as seeking high performance in a secure environment, these businesses are generally large companies undergoing digital transformation that are on the look out for a high level of support.

In the field, sales are facilitated by these IT integrator partners, and the next steps in the customer experience are managed internally by the technical account management, professional services and key account management teams.

This indirect sales strategy is particularly effective when targeting governments and public sectors, such as the health sector, which is one of the sectors that generates the most data. As the European champion of data sovereignty, boasting the highest standards and certifications, OVHcloud is intrinsically suited to meeting the rigorous requirements of these businesses. OVHcloud offers the public sector SecNumCloud-certified solutions that comply with the highest ANSSI security standards. In the health sector, OVHcloud holds the highest certifications for the processing of medical data in France with the Hébergeur de données de santé (HDS) standard and in the United States with the Health Insurance Portability and Accountability Act (HIPAA) standard.

The second sub-channel, the Tech channel, consists mainly of direct sales via OVHcloud's internal sales force. Tech channel customers are generally digital companies by nature, seeking high-performance solutions in a secure environment. Given their propensity to innovate and the highly technical nature of their requirements, OVHcloud assigns dedicated expert teams (sales staff, developers and account managers) to its customers, who remain in direct contact with them throughout the process. To further support these technophile customers in their efforts to innovate, OVHcloud is also rolling out specialist programmes such as a dedicated programme for startups and the Open Trusted Cloud programme.

Overall, with these two sub-channels, the Enterprise channel accounts for around 56% of 2024 revenue and has seen a compound annual growth rate (CAGR) of 16.9% over the last three years.

1.3.3Geographical footprint

OVHcloud has developed a global footprint with a strong customer base in Europe, the United States and Asia. Geographical expansion is a significant part of OVHcloud’s growth strategy.

In 2024, OVHcloud generated 48.6% of its revenue from customers located in France, 29.1% from customers located elsewhere in Europe, and 22.3% from customers located in the Rest of the World.

As part of its geographical expansion strategy, OVHcloud has established geographical groupings in clusters based on common features such as languages and cloud usage trends. The clusters are illustrated by the following graphic:

The sales clusters operate on the basis of a strategy that combines global efficiency and local service. In its clusters, OVHcloud offers services such as local language e-commerce sites and support, and dedicated partner and startup programmes, as well as local sales staff attuned to the trends in the markets they serve.

1.4Strategy and targets

1.4.1A strategy built around four pillars

Since 2021 and its IPO, OVHcloud has been deploying its strategic roadmap. The Group has succeeded in:

• developing key customer segments with average ARPAC(3) growth of 48% between 2021 and 2024;
• addressing a broader market by currently offering customers over 40 Public Cloud products;
• extending its geographical footprint with the opening of more than 10 new datacenters since 2021, to reach 43 datacenters by the end of FY2024;
• investing in internal development with cumulative growth capex of nearly €900 million between 2021 and 2024, and external growth opportunities, with three acquisitions since 2021 (BuyDRM in security, ForePaaS in data management, and gridscale, to open Local Zones with minimum capital intensity).

Following these significant investments, OVHcloud introduced a new plan centred around four strategic pillars: (i) Be the data sovereignty reference, (ii) Innovate for next tech revolutions, (iii) Deliver sustainable and profitable growth, and (iv) Maximise cash generation.

Be the data sovereignty reference

OVHcloud already benefits from a structural differentiator in that it is not subject to extraterritorial laws, and has developed a successful strategy of certifications with national and international regulators.

In the coming years, the Group will continue to expand its range of certified products, in particular with plans to extend SecNumCloud certification in France to its Public Cloud and Bare Metal Cloud services from 2024-2025. At the end of 2023, OVHcloud also inaugurated a third SecNumCloud-certified datacenter in France.

In addition, specific services are currently being developed to respond even more precisely to the needs of certain verticals, in particular the public sector and healthcare.

Innovate for next tech revolutions

Innovation is at the heart of OVHcloud's DNA, and the Group will continue to invest to innovate and prepare for the upcoming technological revolutions, such as artificial intelligence – which is already underway – and quantum computing in the medium term.

With regard to artificial intelligence, OVHcloud is continuing to strengthen its offering, in particular by developing AI solutions that guarantee customer data confidentiality and data sovereignty. OVHcloud offers its customers a broad portfolio of NVIDIA Tensor Core GPUs (H100, A100, L4, L40S) accessible in the Public Cloud and top-of-the line AI models integrating the latest open-source LLMs, like Mistral 8x22B or Llama3, which are notably available on the shelf via the OVHcloud AI Endpoints serverless solution. AI is opening up new opportunities and is at the heart of a revolution, creating extremely high stakes, especially in terms of intellectual property and data confidentiality.

OVHcloud is also ahead of the curve on quantum computing, which will be one of the next technological revolutions of the 21st century. OVHcloud is the only European cloud provider to offer its customers five quantum notebooks and one quantum emulator. The Group also supports 14 leading quantum startups and owns one Quandela photonic computer.

Deliver sustainable and profitable growth and Maximise cash generation

Since 2021, OVHcloud has opened more than ten new datacenters, invested significantly in the development of new products and set up a programme to improve the resilience of its infrastructure.

Over the next few years, OVHcloud plans to optimise the utilisation rate of its datacenters, which was just over 60% in 2024, improve inventory management and stabilise investments in new products in absolute value terms.

Lastly, the Group expects to reduce one-off investments (hyper-resilience plan, IPv4 purchases and improvement of inventories linked to supply chain tensions) between now and 2026.

OVHcloud targets an improvement in its unlevered free cash-flow in FY2025 versus FY2024 and positive free cash-flow as from FY2026.

1.4.2A plan based on three growth drivers

The development plan is based on three growth drivers:

1. Products:
   • address a larger market, in particular by developing an ever-expanding range of PaaS products;
   • offer artificial intelligence solutions that respect customer data privacy;
   • expand the range of data sovereignty certified products.
2. Customers:
   • continue to expand the OVHcloud customer base, in particular by targeting specific verticals (public sector, health sector);
   • reinforce the partners sales channel;
   • fuel customer acquisition with marketing investments.
3. Geographies:
   • improve the occupancy rates of existing datacenters around the world;
   • deploy new locations with lower capital intensity.

1.4.32025 and 2026 financial targets

For FY2025, OVHcloud is targeting the following financial guidance:

• Organic revenue growth is expected to be between 9% and 11% compared to FY2024;
• Adjusted EBITDA margin is expected to be approximately 40%;
• Recurring capex and growth capex are expected to be between 11%-13% and 19%-21% of Group revenue, respectively;
• Positive unlevered free cash-flow is expected to grow versus 2024.

After a period of major investment, OVHcloud is now embarking on a new development phase with new financial objectives beyond FY2025

• Solid, sustainable growth of around 10%;
• Adjusted EBITDA margin structurally above 40%;
• Positive levered free cash-flow in FY2026.
•  

1.5OVHcloud’s competitive advantages

1.5.1Data sovereignty champion with a global presence

OVHcloud is the European Cloud leader and the only non-US or non-Chinese player among the ten largest global cloud service providers(4). It is the only major player of its size that is not subject to extraterritorial laws.

In addition to its structural differentiator, OVHcloud has developed a very large number of certifications worldwide in order to comply with various national and international regulations.

Source: At 31 August 2024, Company.

(1) A point of presence is a point at which the network establishes a connection with the internet.

(2) Tera bits per second.

1.5.2Predictable and transparent pricing

OVHcloud offers predictable and transparent prices, i.e., easy to understand with no hidden costs, and no economic lock-in (without egress fees) or technological lock-in. Prices advertised to customers include network costs, which are often one of the main unexpected variables in their monthly bills.

1.5.3An integrated industrial model that is proving its economic efficiency

OVHcloud has developed a fully integrated industrial model that enables it to be more economically efficient. The Group acquires electronic components, assembles servers, operates datacenters and develops its cloud technology (in-house or open-source). This integrated model ensures efficiency throughout the chain and limits the margins of intermediaries, while allowing the implementation of cutting-edge technologies such as watercooling.

In addition, thanks to this sustainable model, OVHcloud can recycle its servers, giving them a second and third commercial life with a retrofit. The model also enables us to customise our offering to customers and therefore to propose a particularly wide range of products.

OVHcloud has two dedicated production sites – in France and in Canada – for assembling different hardware components into servers. Once the various components have been assembled, they are transported to the datacenter and customised as necessary prior to delivery to the customer.

Since OVHcloud manufactures its servers in-house, the Group is not dependent on a third-party manufacturer, which reduces the risk of supply chain disruption.

In addition, by owning and operating its datacenters, OVHcloud has more control over each stage of the production process, which, in turn, provides its customers with more opportunities for customisation. With datacenters spread over 18 sites in nine countries around the world, OVHcloud is able to deliver servers to its customers within a short time frame: at OVHcloud’s European and North American sites, it takes approximately 14 days from server production to delivery. OVHcloud’s datacenters are generally housed in former industrial buildings, which has provided a cost advantage and has reduced its environmental impact through the repurposing of existing resources.

Used for over 20 years, OVHcloud’s watercooling technology combines watercooled servers with air-cooled datacenters, thereby removing the need for air conditioning, which has significant environmental and cost benefits. It uses direct watercooling to remove the heat from CPUs, and air – which is then cooled inside the rack using water through a heat exchanger – to remove the heat from other components. The heated water is then cooled using dry cooling towers. In addition to being highly energy and water efficient, OVHcloud’s watercooling technology also has relatively low maintenance costs.

1.5.4One of the best performance/price ratios in the industry

Thanks to its integrated model, OVHcloud is able to offer one of the best performance/price ratios in the cloud industry. This is particularly the case for the latest NVIDIA A100 graphics cards (GPUs), where OVHcloud stands out as one of the most affordable providers for a comparable service(5).

1.5.5A sustainable cloud by design

Complete control of the value chain means that OVHcloud is, by design, a pioneer of the sustainable cloud. Its watercooling technology means it consumes less electricity and less water. In addition to the economic benefits, the Group has some of the best environmental ratios (audited) in the industry, with a PUE (Power Usage Effectiveness) of 1.26 and a WUE (Water Usage Effectiveness) of 0.37 L/kWh in 2024.

Patents

In order to support its research and development initiatives, OVHcloud is proactive about seeking the patents necessary to protect its intellectual property. At 31 August 2024, OVHcloud held 189 patent families, which can be broadly grouped into the following categories:

• Software. Software patents cover software-related technologies that are used in the context of installing, deploying, configuring, operating, monitoring and maintaining servers and equipment operated in datacenters. These software-related technologies cover a wide variety of fields, such as network orchestration, storage configuration and management, power supply management, health monitoring, artificial intelligence techniques used in the context of operating datacenters and higher level software applications, such as web applications. They comprise the largest percentage of OVHcloud’s portfolio: at 31 August 2024, these represented approximately 35% of patents;
• Cooling. Cooling patents cover technologies relating to systems and methods for extracting heat from electronic components, in particular from servers operating in racks stacked in datacenters. The technologies covered span from extracting thermal energy from the electronic components to rejecting extracted thermal energy into an outside environment. This category includes air cooling, liquid cooling and immersive cooling. At 31 August 2024, these represented approximately 37% of OVHcloud’s portfolio of patents;
• Electronic. Electronic patents cover technologies relating to electronic components facilitating the deployment and operation of servers in datacenters. These electronic components provide functionalities such as data exchange interfaces, power supply and/or cooling control. These patents represented approximately 14% of OVHcloud’s portfolio of patents at 31 August 2024;
• Mechanical. These patents, which represented approximately 14% of OVHcloud’s patent portfolio at 31 August 2024, cover technologies relating to the structural design of racks, support for racks, tools to be used for rack installation and structural components for heat exchangers.

1.5.6Values fostering a collaborative, entrepreneurial culture

OVHcloud was founded in 1999 by Octave Klaba, its current Chairman, who developed the business from its origins as a web hosting group to its current position as a leading cloud provider. The members of the senior management team have extensive experience in some of the most dynamic growth businesses, providing the Group with a solid and experienced leadership team that is well positioned to drive the achievement of OVHcloud’s strategic growth plan. Since 23 October 2024, this team has been led by Benjamin Revcolevschi who was appointed Chief Executive Officer of OVHcloud. A seasoned leader in the telecommunications and IT sectors, Benjamin Revcolevschi joined OVHcloud on 6 May 2024 as Deputy Chief Executive Office, to head up all of the Group’s operations, both in France and internationally. After beginning his career at Boston Consulting Group, he held operational and business management positions at Neuf Cegetel/SFR before becoming Managing Director of Fujitsu in France and Head of France and Benelux for DXC Technology.

At the end of August 2024, the Group employed almost 3,000 people in 15 different countries, representing more than 60 nationalities. Employee opinion surveys show a very high level of commitment, with a score of 7.2 and the voluntary departure rate is 9.2% for 2024.

1.6Legislative and regulatory environment

1.6.1Legislation and regulations in the European Union

As a French cloud service provider, OVHcloud is subject to European regulations across a wide number of areas, including information technology (“IT”) services, cybersecurity, online content moderation and data protection. OVHcloud may also be subject to sectoral regulatory regimes applicable to certain customers and generally applicable regulations such as contract laws and consumer protection policies.

1.6.1.1Cybersecurity

OVHcloud is subject to European regulations aimed at strengthening cybersecurity across the European Union (the “EU”). Transposed into French law on 26 February 2018, Directive (EU) 2016/1148 of 9 July 2016 established requirements for cloud service providers with respect to network and information systems security. The French law(6) transposing Directive (EU) 2016/1148 classifies cloud service providers as digital service providers. As a digital service provider, OVHcloud must guarantee a level of information security adapted to the relevant risks and adopt appropriate organisational and technical measures. Any security incident having a significant impact on the provision of services must be declared to the French National Cybersecurity Agency (“ANSSI”). The French Prime Minister may also open investigations upon receiving information of non-compliance by the digital service provider with security obligations. Fines for non-compliance with security obligations range from €50,000 to €100,000.

The ANSSI has adopted security standards for cloud service providers(7). In particular, cloud companies must set up a security policy for information relating to the service and carry out a risk assessment covering the entire service. If applicable security standards are met, the ANSSI grants the “SecNumCloud” label certifying an enhanced level of security for the storage of sensitive information. In October 2022, the ANSSI extended OVHcloud's “SecNumCloud” security visa for its Hosted Private Cloud until December 2023. For the protection of critical information systems, the ANSSI recommends that operators of essential services (e.g., gas supply companies, airline carriers, health institutions, banks) use security products and services with an ANSSI security visa.

The role of the European Union Agency for Cybersecurity (the “ENISA”) was strengthened by Regulation (EU) 2019/881 of 17 April 2019 (the “Cybersecurity Act”). The ENISA is tasked with establishing and maintaining a European-wide cybersecurity certification scheme applicable to cloud service providers, including a comprehensive set of rules, technical requirements, standards and procedures. In July 2020, the ENISA published a proposal that would enable cloud service providers to obtain certifications across the EU attesting to the level of security of their services.

In September 2022, the European Commission unveiled its proposed Cyber Resilience Act (“CRA”). This proposal fixes a series of general and organisational cybersecurity requirements for products containing digital elements (for example: software, hardware products, data processing). It aims to adopt a common base within the European Union to limit cyberattacks. The CRA applies differently to supply chain players: manufacturers, importers and distributors. The text is awaiting examination by the European Parliament and then by the Council of the European Union; during this procedure, which may take up to two years, the current text will most likely undergo certain changes. It is therefore still too early to comment on the impacts this text may have on OVHcloud.

1.6.1.2Data protection

As a provider of cloud and telecommunications services, OVHcloud processes, stores and transmits a substantial amount of personal data. As a result, OVHcloud must comply with a number of European regulations and national laws relating to personal data protection.

European Union – the General Data Protection Regulation (GDPR)

A cornerstone of personal data protection in the European Union since it came into force in May 2018, the GDPR has three main objectives: (i) to establish rules relating to the protection of individuals with regard to the processing of their personal data as well as rules relating to the free movement of such data, (ii) to strengthen the application of the regulation by providing a unified legal framework for organisations processing personal data, and finally (iii) to strengthen the responsibility of parties processing personal data (data controllers and processors) by requiring that processing and the tools/applications used be documented.

The GDPR places organisations under strict obligations in terms of information and transparency with regard to the personal data processing they carry out on their own behalf or on behalf of others.

It also confers a number of rights on data subjects with regard to the processing of their personal data, such as the right of access, the right to rectification and the right to erasure ("right to be forgotten"), giving them greater control over the use of their personal data.

The GDPR also requires organisations to implement appropriate technical and organisational security measures for the processing of personal data as soon as a new product or service is designed, in order to ensure that personal data security and confidentiality requirements are met ("Privacy by design").

Lastly, the GDPR requires organisations responsible for processing personal data to notify the supervisory authority of any breach that is likely to result in a risk to the rights and freedoms of natural persons and data subjects.

Canada, Province of Quebec – An Act to modernise legislative provisions as regards the protection of personal information

Passed on 22 September 2021, the act to modernise legislative provisions as regards the protection of personal information, known as "Act 25", makes major changes to the act respecting the protection of personal information in the private sector ("ARPPIPS"), giving citizens greater control over their personal data and making organisations more accountable for the way they manage this information. This act establishes new obligations and transparency rules for Quebec companies, such as the appointment of a Data Protection Officer, in order to establish governance policies and practices regarding personal information, conduct privacy impact assessments (PIAs), and respect the new rights granted to individuals with regard to their personal data, in particular the right to require that such information cease to be disseminated, or that it be re-indexed or de-indexed (the right to be forgotten) before being communicated outside Quebec, and ensure that technological products and services offered to the public have settings that provide the highest level of confidentiality by default.

The new responsibilities and requirements applicable to organisations processing personal data came into force progressively in September 2022, 2023 and 2024.

Compliance tools

In order to ensure compliance with applicable data protection regulations, OVHcloud has implemented a personal data management system based on the ISO 27701 standard.

OVHcloud also relies on the Cloud Infrastructure Service Providers in Europe (CISPE) Code of Conduct, with its certified Bare Metal Cloud and Hosted Private Cloud powered by VMWare offerings, to ensure and demonstrate the compliance of its IaaS activities.

1.6.1.3Free movement of non-personal data

Regulation (EU) 2018/1807 of 14 November 2018 (“Regulation on the free flow of non-personal data”) aims to ensure the free flow of non-personal data between EU Member States (the “Member States”) and IT systems in the EU. Non-personal data is either (i) data not linked to identified or identifiable natural persons, or (ii) anonymised personal data. This regulation enables the storage and processing of non-personal data anywhere in the EU, prohibits data localisation and ensures the availability of data for regulatory control.

The Regulation on the free flow of non-personal data also provides that the European Commission must encourage the development of self-regulatory codes of conduct to facilitate portability between service providers. To that end, OVHcloud participated in the drafting of two voluntary codes of conduct on switching cloud service providers and data portability through the working group on switching cloud providers and porting data (“SWIPO”). Published in July 2020, the codes of conduct for Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) provide guidance for cloud service providers and customers on switching cloud provider and porting non-personal data. The adoption of such codes of conduct aims to reduce the risks of vendor lock-in (i.e., situations where customers are dependent on a particular provider due to significant switching costs) by cloud service providers. It also provides guidance for customers on the transfer of non-personal data.

1.6.1.4Online content moderation

As a hosting service provider, OVHcloud must comply with a number of laws on content moderation, including those moderating terrorist content, child sexual abuse material and the infringement of intellectual property rights.

European legislation on digital services (Digital Services Act, “DSA”) 

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (“Digital Services Act”) entered into force on 18 November 2022. This new framework aims to harmonise the rules applicable in the different Member States of the European Union and replaces the framework adopted in 2000 with regard to liability of intermediaries in relation to illegal content while maintaining the fundamental principles of freedom of expression and freedom to provide services.

The regulation also establishes new obligations of due diligence and transparency for hosting services such as OVHcloud, both vis-à-vis the authorities and users, particularly on the processing of reports of illegal content. It also increases the level of penalties that can be imposed in the event of a breach of the obligations established by the regulation, with fines of up to 6% of the intermediary service provider’s global annual revenue. A certain number of measures are applicable on a deferred basis over the next two years and involve the adoption of texts at the national level. OVHcloud will carefully monitor their publication in order to comply with its obligations.

1.6.1.5Fight against anti-competitive practices on digital markets

European legislation on digital markets (Digital Markets Act, “DMA”) 

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (“Digital Markets Act”) aims to make the digital sector fairer and more competitive by introducing preventive measures for large digital companies as gatekeepers on the European market. In particular, the regulation provides for several obligations and prohibitions against gatekeeping online platforms and strengthens the sanctioning powers of the European Commission, which will be assisted by an advisory committee and a high-level group. So, for example, gatekeepers must allow users to easily uninstall pre-installed software on their devices and easily unsubscribe from an essential platform service such as a cloud service. Gatekeepers will no longer be able to impose software such as internet browsers or default search engines or reuse users' personal data for the purpose of targeted advertising without their explicit consent.

Applicable from 2 May 2023, the companies concerned must report to the European Commission and ensure that they are compliant by March 2024 at the latest. The legislation gives the Commission the exclusive power to monitor compliance with their obligations, and imposes new sanctions, including a fine of up to 10% of the company's total global revenue from the previous financial year.

The adoption of this new legislation is a positive step towards regulating the practices of the dominant digital players on the European market. However, its effectiveness will depend on the means that the European Commission devotes to ensuring compliance with it. OVHcloud will pay particular attention to the forthcoming details regarding the teams tasked with monitoring gatekeepers' compliance.

1.6.1.6Other applicable regulations and initiatives

Telecommunications sector

OVHcloud entities are telecommunications operators in four (4) Member States: Belgium, France, Germany and Spain. OVHcloud is subject to specific obligations when providing telecommunications services. Because the EU and its Member States have been regulating the telecommunications sector for many years, there are a variety of different implementing measures, guidelines and authorities across the EU. OVHcloud entities are also telecommunications operators in the United Kingdom and Switzerland, which have their own telecommunications regulations. The United Kingdom also implemented the requirements of the European Electronic Communications Code into its national regulatory framework prior to Brexit.

The Directive (EU) 2018/1972 of 11 December 2018 established the European Electronic Communications Code. Although this directive has not yet been transposed in all Member States where OVHcloud acts as an operator, several other directives applicable in the telecommunications sectors, such as Directives 2002/19/EC, 2002/20/EC, 2002/21/EC and 2002/22/EC of the European Parliament and of the Council, have been substantially amended. Directive 2018/1972 was transposed into French law in May 2021(8). The key objective of this European Electronic Communications Code is to create a comprehensive set of updated rules to regulate electronic communications and protect EU citizens when they communicate through traditional or web-based services, encourage competition between telecommunications operators, and ensure that national regulatory authorities are protected against external intervention or political pressure.

Health sector

As a cloud service provider, OVHcloud is subject to obligations when the Group provides services to organisations in the health sector. For example, French law requires health data hosting providers (i.e., any person hosting personal health data collected in the course of prevention, diagnosis, care or social and medical monitoring activities on behalf of natural or legal persons having produced or collected such data or on behalf of the patients themselves) to comply with specific obligations. Such obligations include obtaining proper certification or receiving prior approval from public authorities as per the French Public Health Code, and entering into an agreement with customers in the health sector, setting out the mandatory provisions prescribed by Article L. 1111-8 of the French Public Health Code. OVHcloud is also subject to the requirements of other jurisdictions in which it operates, such as Italy, Poland, Germany and the United Kingdom.

In 2016, OVHcloud obtained the “health data host” accreditation and, since 2018, the Group has operated a management system that allows several of its cloud offerings to comply with the requirements of this accreditation. In 2019, OVHcloud obtained the French HDS (Hébergeur de données de santé – health data host) certification for its Hosted Private Cloud offering. In 2020, this certification was first extended to OVHcloud’s dedicated servers and then to OVHcloud’s Public Cloud offering and Trusted Exchange in 2021.

Financial sector 

Companies in the financial sector (including credit institutions and investment firms) may also be subject to industry-specific obligations that may reflect on OVHcloud in the context of the provision of its services. In particular, in 2019, the European Banking Authority (“EBA”) issued “Recommendations on outsourcing to cloud service providers” applicable to outsourcing arrangements. These recommendations create obligations with respect to information systems security and audit rights for the outsourcing banks, which they must impose on their cloud service providers when using their services. OVHcloud aims to offer contractual conditions applicable to financial service operators that ensure that customers are able to implement an outsourcing policy which is compliant with the EBA’s recommendations and with local European regulations.

Financial service operators may also require OVHcloud to comply with specific national regulations. For instance, OVHcloud may have to comply with French regulations such as those of France's banking and insurance supervisor, Autorité de contrôle prudentiel et de résolution (“ACPR”) on critical outsourced services such as banking operations. Companies outsourcing critical services must ensure that service providers guarantee the protection of confidential information, implement backup mechanisms in the event of significant difficulties affecting service continuity and provide the ACPR, in carrying out its duties, with access to critical outsourced information. With respect to internal procedures for managing information system security, the American Institute of Certified Public Accountants (“AICPA”) granted OVHcloud SOC I-II type 2 certifications.

With respect to hosting banking data and reducing card fraud, OVHcloud’s main Hosted Private Cloud offering is compliant with the Payment Card Industry Data Security Standard (“PCI DSS”). OVHcloud’s datacenters in France, Canada, the United Kingdom, Germany and Poland comply with PCI-DSS.

On 27 November 2022, the European Commission adopted a Digital Operational Resilience Act for the Financial Sector (“DORA”). Following a proposal by the 2020 European Commission, this regulation imposes a number of requirements on cloud outsourcing arrangements in the financial sector. The proposed regulation covers a broad range of regulated financial entities, including credit institutions (such as banks), central securities depositaries, insurance companies and certain fund managers, among others. It imposes a number of information and communications technology risk management requirements on these financial entities, some of which apply directly to outsourced cloud activities.

In particular, financial sector entities covered by the proposed regulation are required to take a number of steps to address risks in their relationships with third parties, such as cloud service providers, including ensuring that their cloud services contracts provide a full description of the services proposed with qualitative and quantitative performance targets, and include provisions governing integrity, security, personal data protection, recovery in case of failure, rights of inspection and audit, and termination provisions with clear exit strategies. The regulation proposes the approval of standardised contractual terms by the European Commission.

In addition, the regulation imposes a new oversight framework on critical third-party service providers (including cloud service providers), subjecting them to individual oversight plans adopted by the European financial regulatory bodies responsible for supervising banks, securities markets or insurance companies, depending on the sector primarily using the services of the relevant provider. The determination of which services are critical depends on their potential systemic impact, the dependence of financial entities on them for critical functions and the availability of alternatives. The oversight plan can impose requirements in areas such as security and quality, contractual terms, and subcontracting, with financial penalties imposed in case of non-compliance, up to 1% of the service provider's global revenue in the most recent year. The oversight bodies have broad inspection and auditing rights and investigative powers. The adopted regulation also prohibits financial entities from using a service provider from a country outside the EU for critical cloud functions.

Environmental and industrial risks

Many of OVHcloud’s datacenters are located in former industrial buildings, some of which are classified as presenting environmental or other risks under applicable French legislation. OVHcloud’s datacenters outside of France may also be classified as presenting environmental risks under local regulations. In order to comply with the applicable regulations, OVHcloud is sometimes required to submit applications and obtain operating licenses. OVHcloud may be required to take certain remedial measures as part of the application process.

Operating licenses are required in most countries where OVHcloud operates its datacenters. The regulations primarily concern air emissions, industrial waste management, water and effluent management, fire risk management and noise management.

1.6.2Legislation and regulations in the United States

OVHcloud has a subsidiary in the United States whose activities are completely separate from those of the other subsidiaries of the OVHcloud Group.

This subsidiary is also subject to US regulations applicable to cloud service providers at the local, state and federal levels. These regulations include those intended to enhance data privacy and security, as well as those that grant data access rights for national security purposes. In addition to state laws across the US that require notifying customers in the event of a data breach in which their personally identifiable information has been disclosed, the two main US regulations applicable to OVHcloud’s US subsidiary are the CLOUD Act (as defined below), which applies at the federal level, and the California Consumer Privacy Act, which applies at the state level in California.

A "Chinese wall" has been established to separate the activities of the US subsidiary from those of its other subsidiaries, preventing these regulations from applying to the non-US subsidiaries.

The Cloud Act 

The United States Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) is a US federal law, effective since March 2018, which amended the Stored Communications Act of 1986 to permit US law enforcement authorities to access electronic information held by businesses that are subject to US personal jurisdiction, including cloud service providers, in connection with a criminal investigation. US law enforcement authorities may access such electronic information regardless of whether it is stored inside or outside of the United States.

The CLOUD Act also allows the US government to enter into data-access agreements with foreign states through which the participating states’ law enforcement authorities can request information held by businesses subject to the partner country’s jurisdiction. As of the date of this Universal Registration Document, the US government has entered into bilateral agreements with the United Kingdom and Australia pursuant to which US law enforcement officers can obtain electronic information stored by cloud companies subject to UK and Australian jurisdiction. UK and Australian law enforcement officers can likewise obtain electronic information stored by cloud companies subject to US jurisdiction, such as OVHcloud’s US subsidiary. It should be noted that at the time of writing this Universal Registration Document, no date for the entry into force of the bilateral agreement between the US and Australia has been made public.

OVHcloud will closely monitor any new decisions from the European Commission with respect to the US-UK bilateral agreement and will implement any additional technical and organisational measures that may be required. Additionally, OVHcloud does not currently host any customer data in the UK, unless such customer expressly chooses a service located in OVHcloud’s UK datacenter. Furthermore, the ability of OVHcloud’s UK-based team to access European customers’ data in European datacenters is restricted and controlled.

The US government may enter into agreements similar to the US-UK bilateral agreement with other countries, which may allow the US law enforcement authorities to access electronic information held by Group subsidiaries that are subject to such partner state’s jurisdiction, and for the partner state government to access electronic information held by OVHcloud’s US subsidiary. In particular, on 25 September 2019, the European Union and the United States entered into negotiations on a future treaty to facilitate access to digital evidence.

California Consumer Privacy Act 

Since 1 January 2020, the California Consumer Privacy Act (the “CCPA”) has required businesses that process personal data of California residents to provide notices to these residents disclosing their privacy practices. The CCPA also grants customers resident in California the right to access or delete certain personal information collected by OVHcloud’s US subsidiary and gives them more control over the use and sale of their personal data. California residents who believe certain types of personal information have been used in violation of the CCPA would have the right to bring a legal claim against OVHcloud’s US subsidiary.

On 1 July 2023, the CCPA was amended by the entry into force of the California Privacy Rights Act (the "CPRA"), which, among other changes, expands customers' rights surrounding certain sensitive personal data and creates a state agency for the implementation and enforcement of the CCPA and CPRA.

Virginia Consumer Data Privacy Act 

Effective 1 January 2023, Virginia’s Consumer Data Privacy Act (the "CDPA") grants Virginia residents additional control over their personal data, including the right to delete certain personal data collected by businesses, such as OVHcloud's US subsidiary. They will also have the right to withhold their personal data from certain types of data processing.

1.7Group organisation

1.7.1Simplified organisational chart

Simplified organisational chart as of the date of this Universal Registration Document

The simplified organisational chart below shows the Company's legal structure and its consolidated subsidiaries as of the date of this Universal Registration Document. The percentages indicated below represent the percentages of share capital. There has been no significant change in capital ownership since 31 August 2024.

1.7.2Subsidiaries and equity interests

Main subsidiaries 

The Company's main direct and indirect subsidiaries at the date of this Universal Registration Document are described below:

• OVH SAS is a French simplified joint stock company (société par actions simplifiée) having its registered office located at 2, rue Kellermann, 59100 Roubaix, France, and registered with the Lille Métropole Trade and Companies Registry under number 424 761 419. The Company directly holds 100% of the share capital and voting rights of OVH SAS. OVH SAS’ main businesses include datacenter hosting activities, the provision of cloud services, manufacturing of computers and peripheral devices, marketing activities and research and development;
• OVH Infrastructures Canada Inc. is a Canadian joint stock company (société par actions) having its registered office located at 50, rue de l’Aluminerie, Beauharnois Québec J6N0C2, Canada, and registered with Canada’s business registries under number 1167756403. The Company indirectly holds 100% of the share capital and voting rights of OVH Infrastructures Canada Inc., through its holding company OVH Canada Inc. OVH Infrastructures Canada Inc.’s main business involves datacenter hosting activities;
• OVH Holding US Inc. is an American joint stock company, registered under number 5103215, having its registered office located at 2915 Ogletown Road, Newark, DE, 19713, United States. The Company holds 100% of the capital and voting rights of the companies OVH US LLC, Datacenter Vint Hill LLC, Datacenter West Coast LLC and OVH Data US LLC whose principal activity is datacenter hosting.

Acquisitions during past periods

ForePaaS 

On 21 April 2022, OVHcloud announced the acquisition of ForePaaS, the unified French platform specialising in “data analytics”, “machine learning” and artificial intelligence projects for companies. The ForePaaS teams' 23 employees and its founders have joined the Group’s workforce to jointly build a family of solutions, which will actively contribute to the rollout of OVHcloud’s growth acceleration strategy through the enhancement of its Platform-as-a-Service (PaaS) offering.

gridscale

On 4 September 2023, for FY2024, OVHcloud announced the acquisition of 100% of the German company gridscale specialised in hyperconverged infrastructures. This acquisition is a strategic milestone in accelerating the Group's geographical expansion by entering the high growth Edge Computing market.

Restructuring 

ForePaaS SAS was merged into OVH SAS with effect from 1 April 2024.

ForePaaS Inc., a subsidiary of ForePaaS SAS, was wound up on 30 August 2023.

BuyDRM was merged into NFA Group Inc. with effect from 6 October 2022.

Risk factors
and internal control

Central to its governance mechanism, OVHcloud's risk management system helps the Group achieve its strategic objectives while protecting its assets and reputation. It also helps to mobilise employees around a common approach to risk. OVHcloud is committed to regularly assessing risks and implementing internal controls and action plans to mitigate them.

2.1Risk factors /AFR/

2.1.1Risk management system

Risk management system

The risk management system aims to identify, analyse and manage the main risks to which the Group is exposed. It contributes to the control and security of its activities, the effectiveness of its operations and the efficient use of resources.

This system comprises a series of processes aiming to identify, assess and prioritise risks, prevent and control them, promote a risk management culture, and monitor action plans to limit risks. It draws on the skills of the Group's employees, particularly in internal audit and compliance, and on external expertise where required.

CSR risks are covered in Chapter 3 – Non-financial performance statement of this Universal Registration Document.

Risk mapping

In 2020, the Group drew up a risk map, which was updated in 2022 and 2023.

Carried out across the Group and with the involvement of top management from all the Group’s activities, the risk mapping process has made it possible to identify the main risks to which the Group is exposed and to assess their potential impact, taking into account their criticality and probability of occurrence. The Group's risk map also takes into account specific risk mapping exercises on topics such as cybersecurity and anti-corruption, and the monitoring of operational and emerging risks.

The most significant risks have been grouped into different families (strategy and markets, business, human resources, financial, regulatory and legal, information systems). For each risk, a description is provided of their causes and potential impact, as well as the actions taken to manage them.

Risk monitoring governance

Group management, the Board of Directors and the Audit Committee closely monitor risk management and define the most appropriate strategy.

One or more risk owners are appointed for each risk to complete the risk analysis, identify the actions and resources needed to mitigate the risk, and manage the corresponding action plans.

The relevance and progress of the action plans are monitored by members of the Group's Executive Committee, including the Chief Executive Officer, Chief Financial Officer and General Counsel, who review them on a quarterly basis. Risk mapping and action plans are presented annually to the Group’s Audit Committee, and more frequently upon request.

2.1.2Main risks identified

Summary table of the main risks

The risk factors described in this section are, at the date of this Universal Registration Document, those which the Group considers are likely to have a material adverse effect on OVHcloud, its business, financial position, results or outlook. The list of risks presented in this chapter is not exhaustive; other risks that are unknown or that OVHcloud does not currently consider to be material could have such an adverse effect.

2.1.2.1Risks related to OVHcloud’s strategy and markets

Risks related to international development

Description of the risk

As part of its growth strategy, OVHcloud is seeking to expand its revenue from other regions, including Europe (outside France), the United States and Asia (see Chapter 1 – Presentation of the Group, which describes the current breakdown of activities and development strategies).

OVHcloud may face significant challenges in its efforts to expand its international revenue. Outside its home market of France, OVHcloud has less brand recognition and does not benefit from the historical web hosting market leadership that it enjoys in France, reducing opportunities for cross-selling. Market dynamics and customer preferences in international markets are likely to be different from those of OVHcloud’s traditional markets and local policies of economic patriotism can make it difficult to access new territories. Some of the markets that OVHcloud targets (such as the United States) are dominated by hyperscalers, and OVHcloud's expansion in these markets will depend on its ability to market tailored products to priority customer segments.

Even if OVHcloud is able to expand internationally, managing international operations requires a more structured organisation and greater resources than managing operations in OVHcloud’s home market, which could increase OVHcloud’s operating expenses, even if there is a not a corresponding increase in revenue generated from these new markets.

When opening up physical infrastructures and operations internationally, adjustments must be made to ensure that operations are compliant with local rules. Certain internal processes must also be adapted and this can sometimes slow down expansion or reduce the profitability of local operations.

Lastly, OVHcloud could be faced with geopolitical tensions in certain countries or regions that would limit its ability to develop its commercial offering locally. Accordingly, OVHcloud might not meet its international expansion targets, and even if it does, there can be no assurance that the profitability of its expanded international operations will be satisfactory.

Management of the risk

The Group's international development strategy enables it to dilute country risk. To increase its capacity to develop in new regions, OVHcloud has developed several programmes and initiatives to limit the risks associated with its international expansion.

OVHcloud has created commercial clusters made up of local teams, who are experts in their regions with knowledge of local specificities, in order to define commercial or product offerings that are closely aligned with the expectations of local customers. Through this organisation, OVHcloud can also manage and anticipate any changes in the markets, both by the end customer and by local public authorities.

The Group has also set up GEOS, a programme dedicated to assessing and monitoring projects to open new datacenters. This programme involves all the teams concerned by such projects in order to anticipate potential operational and regulatory obstacles. OVHcloud followed this process to open a datacenter in India in March 2023. In 2024, OVHcloud launched the Local Zone programme to accelerate its international expansion, setting up a process for scaling up the opening of these Local Zones.

To ensure that the performance of its international operations is up to standard, OVHcloud is also continuing to roll out SAP and internal control, in order to harmonise its processes and centralise critical operations.

Risks related to acquisitions

Description of the risk

OVHcloud expects to make acquisitions in order to expand its service offering portfolio (particularly in the area of software platform services) and geographical footprint.

When OVHcloud makes acquisitions, the Group is exposed to the risk that they will not contribute to the implementation of its strategy, or that OVHcloud will receive an unsatisfactory return on its investment. There is also the risk that OVHcloud will have difficulties integrating and retaining new employees, new business systems and new technologies, or that the acquisition distracts management from OVHcloud’s other activities. It may also take longer than expected to reap the full benefits from these transactions and arrangements, such as increased revenue or enhanced efficiencies, or the benefits may ultimately be less significant than OVHcloud expected. Such events could adversely affect OVHcloud’s business, financial position and operating results.

Management of the risk

OVHcloud has strengthened the financial teams dedicated to acquisitions in order to improve the sourcing of potential acquisitions and structure the internal processes for approving targets, as was the case recently during the gridscale acquisition process. In order to limit the risk related to integrating acquisitions, dedicated teams from several departments are involved throughout the acquisition process to anticipate and monitor project developments. Regular reviews are conducted following the acquisition, in order to ensure that the integration process is running smoothly. OVHcloud has made several acquisitions in recent years, which has strengthened the processes while improving the expertise of teams to select and integrate the acquired companies and assets. For instance, the successful integration of ForePaaS, acquired in April 2022, has enabled ForePaaS and OVHcloud to deliver the product development as planned.

Risks related to product or service offerings in a competitive market

Description of the risk

The markets in which OVHcloud operates are rapidly evolving and highly competitive. In order to be competitive in these markets, OVHcloud must continually innovate and adapt its offerings to changing customer needs (see Chapter 1 – Presentation of the Group, which describes the strategy and the market).

OVHcloud believes the pace of innovation in cloud products and services is likely to continue to accelerate. Customers are increasingly basing their purchases of cloud offerings on their needs for new and upgraded features that are expected to represent a significant proportion of future market growth. The future success of OVHcloud depends on its ability to continue to innovate in response to these demands (which means continuing to invest in technologies, services and partnerships) and increasing customer adoption of its cloud offerings.

In addition, competition is intensifying in the markets in which OVHcloud operates. Many of OVHcloud’s competitors are international cloud companies, including the so-called “hyperscalers” (Amazon Web Services, Google Cloud Platform and Microsoft Azure), as well as other established cloud providers such as IBM Cloud and, in Asia, Alibaba Cloud. In Europe, OVHcloud also competes against cloud specialists such as Hetzner, Leaseweb and iomart, and other emerging cloud providers. As OVHcloud expands its offering of software platforms, the Group will also compete to a greater degree with other companies in these markets, such as Salesforce, Oracle, IBM and SAP. New competitors are likely to continue to enter the market as it evolves.

Many of OVHcloud’s competitors, particularly outside Europe and in the public cloud space, have greater brand awareness, larger customer bases, extremely aggressive business practices and greater financial, human and technical resources. These same competitors are likely to be able to respond more quickly than OVHcloud to new markets and developments in terms of technologies, standards, customer requirements and purchasing practices. The hyperscalers, in particular, are among the largest and best-known information technology companies in the world, with established relationships on a global, regional and local scale, and significant brand recognition. The public cloud market, which is dominated by the hyperscalers, is expected to be the fastest growing segment of the cloud market. If OVHcloud is unable to compete effectively against the hyperscalers, its growth prospects could be adversely affected.

In addition, if OVHcloud is unable to enhance its cloud offerings to keep pace with market developments, or if competitors emerge that are able to deliver competitive offerings at lower prices, more efficiently, more conveniently or more securely than OVHcloud’s cloud services, OVHcloud’s business, financial position and operating results could be adversely affected.

Management of the risk

OVHcloud positions itself against its competitors on the basis of various factors, including: price, performance, multi-cloud and hybrid cloud trends, experience and customer support, scalability, reliability, data sovereignty, security, sustainable development, energy efficiency and compliance with existing standards.

OVHcloud actively monitors market developments and customer practices. The Group is looking to expand into new market segments by broadening its offering in line with customer needs, for example in artificial intelligence, quantum computing, cold storage and healthcare data storage.

In order to continue to offer new solutions and maintain its positioning, OVHcloud has an open development strategy. For example, the Group can use open source software and acquire new technological bricks by integrating companies such as ForePaaS and gridscale, acquired in 2022 and 2023 respectively. OVHcloud also has internal teams to develop its product roadmap and the Group can forge partnerships with recognised players in their fields if it considers that the products meet the standards expected by its customers. During the 2024 financial year, OVHcloud invested €152 million in research and development, as detailed in Note 4.10 of Chapter 5 of this Universal Registration Document, and the Group strengthened its structure for overseeing the implementation of its roadmap.

OVHcloud also has differentiating factors such as an integrated industrial production tool and dedicated research and development teams that enable it to quickly adapt its manufacturing and supply needs to support product changes.

Risks related to the implications of climate change

Description of the risk

Due to its sector of activity and geographical scope, the Group could be exposed to climate change through various causes:

• occurrence of extreme natural disasters such as floods, earthquakes, extreme droughts, “giant” fires, landslides, cyclones or tsunamis;
• tightening of regulations on energy management (electricity), water use and product eco-design and building construction standards;
• occurrence of occasional or permanent shortages (water, electricity, etc.).

This risk is exacerbated by the acceleration of climate change. Large-scale or repetitive natural disasters could lead to exceptional situations of disruption of the external physical infrastructures and means of communication on which OVHcloud depends to carry out its business, and cause damage to the Group’s infrastructures. OVHcloud may thus temporarily be unable to carry out its services according to the conditions defined by its contracts, potentially leading to the payment of financial compensation or additional operating charges. For example, the multiplication of heat wave events could increase the operating cost of the Group’s cooling systems.

Climate change could also lead to shortages of raw materials, making them more expensive.

Climate change is also creating an increasingly complex regulatory environment in terms of environmental standards and social and environmental reporting.

These risks are described in more detail in Chapter 3 on non-financial performance.

Management of the risk

OVHcloud has strengthened its CSR teams, both in the Strategy Department and in the operational departments, in order to manage climate change risks. The Group has also strengthened its environmental reporting teams to prepare for new obligations, in particular the CSRD. OVHcloud complies with its environmental reporting obligations, as detailed in Chapter 3.

OVHcloud continually invests in its research and development for environmental innovations (reduction of energy consumption or reduction of the need for natural resources such as water), enabling it to achieve industry-leading power usage effectiveness ratings and has committed to increasing renewable energy use.

Risks related to natural disasters are taken into account when working on business continuity plans. Site audits and insurance systems are also in place to manage this type of risk. External studies were carried out in 2024 to map the level of exposure to natural hazards at each of the Group's sites. A summary of this work was presented to the risk monitoring governance body and action plans were drawn up for each site. OVHcloud continues to incorporate the following elements into its operations, through the “hyper-resilience” programme (see section on risks related to an incident on OVHcloud’s physical infrastructures).

2.1.2.2Risks related to OVHcloud’s business

Risks related to an incident on OVHcloud’s physical infrastructures

Description of the risk

Like any industrial activity, the production and operation of datacenters generates risks related to physical infrastructures. For example, OVHcloud is exposed to electrical, fire and building safety risks, which can have an impact on the service provided to customers and on operating costs.

OVHcloud's strategy is to repurpose existing industrial buildings in the area for its activities. This strategy enables it to both control construction costs and reduce its environmental footprint. Depending on the age of these buildings, the industry of the former occupant and the industries of neighbouring facilities, some of OVHcloud’s centres and facilities may have existing structural and environmental defects that may present safety and compliance risks or require OVHcloud to spend significant amounts on remedying the situation.

OVHcloud is required to obtain operating permits from competent local governmental authorities in order to commence operations. This administrative process requires significant ongoing oversight, which can lead to additional prevention and protection requests on top of the initially applicable legislation. To date, the Group has not been subject to any administrative sanctions resulting in the shutdown of its datacenters.

OVHcloud's datacenters could also be affected by destructive natural events that impact the Group's business (see section on climate change risk).

OVHcloud relies on access to sufficient and reliable electricity, water, internet, telecommunications and fibre optic networks to successfully operate its business. In addition, OVHcloud’s proprietary watercooling system for its servers requires it to have access to substantial volumes of water at its datacenters. Any service outage could result in OVHcloud not being able to provide customers with its cloud offerings at adequate performance levels, or at all. In addition, OVHcloud may be exposed to a risk of electricity shedding in certain countries that could lead to a temporary service outage. Any service outage could result in OVHcloud not being able to provide customers with its cloud offerings at adequate performance levels.

Lastly, OVHcloud has been, and may be in the future, subject to disputes in relation to the state of its facilities or nuisances (such as noise and heat) generated by such facilities, resulting in additional costs.

Although OVHcloud’s policy is to seek to remedy any risks that are identified, doing so could be costly and time-consuming, and failure to make necessary repairs and to complete any other required work could damage OVHcloud’s reputation, subject it to liability and disrupt its business.

Management of the risk

OVHcloud commissions environmental and safety audits at its existing sites, and before acquiring sites for datacenters. More generally, OVHcloud carries out reviews of facilities with its insurers in order to prevent potential risks in advance. In 2024, OVHcloud also launched the process of mapping risks by site.

Following the Strasbourg fire, OVHcloud implemented a “hyper resilience” plan in order, inter alia, to strengthen security standards in its datacenters based on market standards, beyond the regulatory standards and insurers’ recommendations.

The Group has developed operating and safety procedures for all its sites, and is developing mechanisms for evaluating and improving these rules. For example, the datacenters have 24/7 physical security, a highly regulated and controlled access policy, and dedicated anti-intrusion systems.

The Group also draws up business continuity plans in order to maintain operations. For example, OVHcloud has put in place several redundancy measures that can be activated in the event of power outages, such as multiple electricity delivery points in its datacenters or on-site generators. Thanks in particular to its watercooling model, OVHcloud is constantly trying to reduce its electricity and water consumption. In the same way, since watercooling is carried out in a closed circuit, OVHcloud consumes much less water for the operation of its datacenters than a traditional datacenter cooled by an air conditioning system. The sites also use redundant cooling systems.

Lastly, OVHcloud takes its sites’ surroundings into account by developing relationships with local authorities, neighbouring populations and security forces. In 2023, OVHcloud closed its Paris datacenter and migrated its services to another site, in order to minimise the risk of disputes with neighbouring populations and improve the security of its operations.

Risks related to Supply Chain

Description of the risk

OVHcloud could be exposed to the failure of a key supplier or to difficulties in sourcing key components. OVHcloud's servers use components from major manufacturers in a global market that is experiencing shortages and delays, although this risk has decreased compared to 2022 and 2023.

The Group could experience disruptions in its supply chains, for example related to a resurgence of COVID-19, geopolitical tensions, or climate change, which would impact server production and datacenter operations. Despite regular, high-level contacts, the size of OVHcloud on the global market limits its ability to sign comprehensive delivery agreements.

OVHcloud's supply risks also relate to the Group's ability to access the best-performing software solutions on the market, which are at least equivalent to those of its main competitors, particularly the hyperscalers. OVHcloud solutions rely on third-party software. If there are vulnerabilities in this underlying software, or if the software ceases to be available for OVHcloud, the Group could see its customers turn to competing offerings.

Management of the risk

Thanks to its vertically integrated model, OVHcloud can control the entire value chain. OVHcloud builds up safety stocks and may use several distribution channels in order to be able to withstand temporary disruptions, and has a well-organised purchasing organisation. In addition, OVHcloud has a recycling policy based on a logistics chain and can reuse some components and equipment. OVHcloud recovers the components from equipment considered to be at the end of its life, conducts tests on them and then reuses those that it believes could be used on another product range, generally with less demanding performance criteria.

Thanks to its model, OVHcloud can also plan and anticipate certain orders, guaranteeing the Company flexibility. Lastly, the purchasing teams continue to develop commercial relationships with OVHcloud’s suppliers in order to negotiate supply contracts at the global level, particularly for components enabling OVHcloud to generate growth in high-potential markets such as artificial intelligence.

In 2024, OVHcloud drew up a list of strategic suppliers and carried out risk analyses in relation to them, covering both the location of suppliers' production plants and contractual risks. The Group analyses the financial health of its main suppliers and the risk of economic dependence in order to prevent any potential imbalances. In 2024, tools were put in place to support these economic and environmental control processes for suppliers.

Risks related to the quality of service level provided to customers

Description of the risk

OVHcloud continually works to offer a wide range of services, the best customer experience and the highest quality customer support.

OVHcloud typically commits to its customers in its contracts that its platform will maintain a minimum level of availability. For example, OVHcloud undertakes to maintain a service level of 99.9% availability for the Premier offerings in the Hosted Private Cloud segment. In its Public Cloud offerings, OVHcloud commits to maximum recovery times in case of outages. If these outages are caused by a problem outside of OVHcloud’s control, it could be difficult for OVHcloud to meet its SLA commitments. Although OVHcloud considers that it has put in place adequate safeguard measures depending on the services subscribed, these may prove insufficient to prevent a service outage.

Additionally, OVHcloud may face costs associated with repairing such service disruption or retaining customers. All of the above consequences could have a negative impact on OVHcloud’s business, financial position and operating results.

Management of the risk

OVHcloud continually improves the quality of services provided to its customers and puts customer satisfaction at the heart of its policy. This strategy has proven successful, with OVHcloud’s net retention rate reaching 107% in 2024.

OVHcloud evaluates the experience provided to its customers through satisfaction surveys.

In addition, OVHcloud continually steps up its quality processes and systematically carries out analyses following any significant incidents it encounters, as part of its continuous improvement process.

In order to be able to intervene as quickly as possible in the event of a breakdown or in response to customer requests, OVHcloud has organised its technical support to be available 24 hours a day, seven days a week.

In the datacenters, operational teams are formed and trained to carry out continuous server installation and maintenance. The “Control Tower” and “NOC (Network Operating Centre)” teams provide centralised monitoring of the services offered and coordinate the handling of incidents. Lastly, the Group has also structured its continuity and crisis management plans so as to be able to mobilise critical resources internally.

2.1.2.3Human resources risks

Risks related to the recruitment, integration, development and retention of human resources

Description of the risk

In order to operate its business, it is important for OVHcloud to attract highly skilled and international personnel, particularly engineers with expertise in software development, coding and other highly specialised information technology functions. The marketplace is highly competitive and qualified IT personnel are in high demand, which may make OVHcloud’s recruitment and retention efforts challenging.

At 31 August 2024, OVHcloud employed almost 3,000 people, and could be faced with the departure of key people for its organisation, or a shortage of cutting-edge technical skills to respond to market developments.

If OVHcloud’s company culture changes or is perceived negatively, or if OVHcloud is unable to develop its employer brand or internal talent, the Group could experience difficulties attracting, integrating and retaining personnel. OVHcloud may not be able to achieve its commercial targets, and its business, revenue and financial results may suffer.

Management of the risk

OVHcloud, through its positioning as a European cloud leader and defender of European sovereignty and its growth profile, offers a unique value proposition for many recruits. In addition, the Group benefits from a broadening pool of potential new talent thanks to its continuous international development.

In order to limit recruitment difficulties, OVHcloud has a strong employer brand, which is developing in France and internationally, and an internal recruitment agency that can source candidates with the right skills at the right time. OVHcloud has set up an onboarding process that creates links between new recruits from their very first days at OVHcloud and helps ensure their buy-in for OVHcloud's corporate culture.

OVHcloud is particularly attentive to adapting working conditions, employee loyalty and the training offered. Human resources processes have been developed to support people within the Company, with monitoring of employee engagement, career development and continuous training programmes. OVHcloud has introduced measures to drive employee loyalty, including measures to improve working conditions and retain key people.

For the skills most at risk, a mapping of human resources tensions has been drawn up, in order to closely monitor the development of key people.

Safety risks related to physical and mental health

Description of the risk

OVHcloud is exposed to risks related to the safety of employees at its industrial facilities and offices. Risks faced by the Group include:

• physical risks that could lead to work-related accidents in its offices or at its operational sites;
• mental health risks, for example as a result of an excessive workload or a particularly stressful situation.

Management of the risk

The Group has created a “Quality, Environmental, Health and Safety” (QEHS) team dedicated to these topics. As well as offering personal protective equipment in its datacenters and stepping up its guidelines and internal controls, the Group is carrying out a workstation risk assessment at the majority of its sites, with the aim of setting up safe working standards for its employees. The Group continually strengthens its safety standards to provide a framework for all its sites. Internal and external audits are carried out to check that such standards are complied with.

The risk assessment also takes mental health risks into account, and the Company has implemented several measures such as psychosocial audits, mental health risk mapping and an alert tool. Employee surveys are carried out regularly in order to act on any weaknesses that may be identified.

2.1.2.4Financial risks

Risks related to liquidity

Description of the risk

Liquidity risk is the risk of OVHcloud not having the necessary funds to meet its commitments when they fall due. In a situation of stress on the credit market, the Group may not be able to obtain the financing or refinancing necessary to implement its growth plan, which could have a negative effect on OVHcloud’s business, operating results, outlook and/or financial position.

Management of the risk

In 2021, the Group entered into a new senior unsecured loan agreement for a total of €920 million (€500 million under a term loan and €420 million under a revolving credit facility). In November 2022, the Group further improved its liquidity by obtaining a €200 million loan from the European Investment Bank (EIB). At 31 August 2024, the cumulative amount of cash and the revolving credit facility totalled €461 million.

Thus, following these transactions and at the end of the 2024 financial year, OVHcloud’s net debt leverage reached 1.8x its adjusted EBITDA. This level is well below the existing covenants in the Group's credit agreements.

Risks related to inflation, foreign exchange rates and interest rates

Description of the risk

OVHcloud's profitability could be affected by a number of external factors, including inflation and changes in exchange and interest rates.

In an inflationary economic context, OVHcloud could suffer direct negative effects on its financial profile and decreasing margins. OVHcloud is particularly exposed to further increases in electricity and component costs. The Group may not be able to pass significant price increases on to its customers to cover the widespread increase in its cost base.

OVHcloud’s financial statements are presented in euros, while a portion of its income, expenses, assets and liabilities are denominated in other currencies, exposing OVHcloud’s operating results and financial position to foreign exchange risk. In the 2024 financial year, approximately 29% of OVHcloud’s revenue was generated in currencies other than the euro, primarily in Canadian and US dollars, and to a lesser extent in pounds sterling and Polish zloty. In addition, a significant portion of OVHcloud’s capital expenditure (mainly for server components) is incurred in US dollars. Unfavourable movements in exchange rates would nonetheless adversely impact OVHcloud's operating results. For example, without a hedging mechanism, an adverse change of 10% in exchange rates would have a negative impact of approximately €28 million on OVHcloud’s revenue.

Lastly, the Group has taken out loans bearing interest at variable rates, which exposes OVHcloud to the risk of a deterioration in its operating results if the interest rate increases and OVHcloud is not able to successfully hedge its exposure.

Management of the risk

In order to limit the risks posed by currency and interest rate fluctuations, OVHcloud uses simple and unstructured hedging instruments. Forward purchases of US dollars are regularly made to hedge future expenses in this currency over the next 12 months.

In addition, at 31 August 2024, close to 95% of the Group's debt was hedged at fixed rates in order to limit the risks associated with changes in interest rates.

In order to protect against the risk of inflation, the Group continues to improve its purchasing policy and logistics strategy in order to offset potential increases, for example by seeking to diversify and anticipate its supplies (see Risks related to Supply Chain). OVHcloud also has a proactive strategy regarding its electricity costs. As a result, the coverage rate is almost 95% for the 2025 calendar year.

Lastly, to reflect increases in certain structural costs, in 2024 the Group implemented gradual and moderate increases in selling prices, in line with the cloud industry.

Risks related to fraud

Description of the risk

OVHcloud could be the victim of external or internal fraud that could have a negative impact on the Company’s financial results, the quality of its services or its reputation. This potential fraud could be a wilful act, inappropriate use of the Group’s assets or failure to comply with laws or regulations, by an employee, business contact or customer.

Management of the risk

OVHcloud is implementing internal control procedures, which are reviewed by external auditors. Validation circuits have been set up to control and monitor transactions that may present risks (payments, credit notes, expense claims, stock management, etc.). The Internal Audit team systematically includes the risk of fraud in its audits and ensures that recommendations are implemented in the event of a risk of fraud. A team is also responsible for monitoring and anticipating potential customer payment fraud.

In addition, OVHcloud has set up an internal whistleblowing procedure that enables any Group employee to report, anonymously if they so wish, any inappropriate or illegal behaviour, including behaviour constituting fraud or attempted fraud.

Risks related to tax management

Description of the risk

Due to its international footprint and expansion, the Group is subject to complex and evolving tax legislation. OVHcloud determines the amount of taxes it is required to pay based on its interpretation of applicable treaties, laws and regulations in the jurisdictions in which it operates, which may be subject to different interpretations in the various countries in which it operates (in particular with respect to transfer pricing, sales taxes, VAT and similar taxes). The tax and social security regimes applied to OVHcloud’s business activities and past or future reorganisations are or may be interpreted by the relevant French or foreign authorities in a manner that is different from the assumptions used by OVHcloud in structuring such activities and transactions. OVHcloud therefore cannot guarantee that the competent tax authorities will agree with its interpretation of the applicable legislation in their respective jurisdictions. Furthermore, tax laws and regulations or other compulsory levies and their interpretation and application by the jurisdictions or authorities involved may change, in particular in the context of joint initiatives taken at international or EU level, which could increase the Group’s tax burden.

Moreover, several countries have implemented a tax on digital services, demonstrating the global trend of rapid and unpredictable changes in tax legislation (or a broader interpretation of existing legislation) applicable to certain of the Group’s operations. Because the scope of application of these taxes differs between countries, OVHcloud is not affected by all of them. New or revised regulations may subject the Group or its customers to additional sales, income and other taxes. OVHcloud cannot predict the effect of such initiatives. New taxes or changes to existing taxes could also increase the cost of doing business and the Group's internal costs.

Any of the abovementioned events could adversely affect the Group’s business, operating results, prospects and/or financial position.

Management of the risk

OVHcloud and its legal tax teams ensure that they comply with the tax laws in the jurisdictions in which the Group operates. OVHcloud can be assisted by an external consulting firm when necessary.

Tax policy

OVHcloud’s tax policy provides that the Group undertakes to apply the laws, regulations and tax treaties in force in all the countries in which it operates.

In line with its values and ethical principles, as well as its requirements in terms of social responsibility, the Group:

• conducts its operations in accordance with their economic reality;
• refuses any aggressive tax planning and the use of artificial structures located in “tax havens”;
• cooperates with local tax authorities during tax audits.

OVHcloud does not engage in any transactions with the aim of evading the payment of tax. The Group is in the process of compiling all of these actions and provisions into a formal tax policy.

2.1.2.5Legal and compliance risks

Risks related to failure to comply with certain laws and regulations and their developments

Overview of regulations applicable to the Group

The Group's activities are subject to various regulations in the countries in which it operates. The Group is thus subject to legislation that applies to any company (trade rules, intellectual property rights, personal data protection, tax rules, etc.), but also to regulations that are more specific to its stature and activity (stock market law, Sapin II law, electronic communications, cybersecurity, liability of technical intermediaries, data sovereignty, obligations to cooperate with the authorities, etc.). Some of these regulations have an impact on the Group's strategic ambitions, particularly in terms of digital sovereignty.

These regulations may also be subject to change. In particular, significant restructuring and expansion of the regulatory framework has been under way for several years in the digital sector, in which the Group operates.

For example, the following is a non-exhaustive list of European and international texts whose provisions could have an impact on OVHcloud’s operations:

• security and anti-terrorism regulations:
  • the 2016 European directive on measures for a high common level of security for networks and information systems across the European Union (the “EU”) (directive (EU) 2016/1148), transposed into French law on 26 February 2018, and imposing cybersecurity protection requirements,
  • the European Digital Operational Resilience Act (“DORA”) for the financial sector, which provides a framework for cloud outsourcing arrangements in the financial sector,
  • international economic sanctions imposed by the UN or the European Union, which may prohibit the Group from having any economic relationship with sanctioned persons;
• regulations in the field of electronic communications:
  • the draft “CSAM” (child sexual abuse material) regulation submitted by the European Commission in May 2022, which aims to better combat child abuse online and could give rise to new obligations for OVHcloud in this area, it being specified that OVHcloud is already subject to the 2004 French law on confidence in the digital economy,
  • the regulation on an internal market for digital services (commonly known as the “Digital Services Act” or DSA), adopted on 4 October 2022, which reinforces obligations in terms of how illegal or dangerous content is handled;
• regulations to improve competition in the digital sector:
  • the European regulation commonly known as the “Digital Markets Act” (DMA), which was adopted on 14 September 2022 and sets a binding framework in favour of European innovation, in particular through competition and interoperability rules for the major platforms considered to be “gatekeepers”; OVHcloud is not currently a gatekeeper, but could be in the future,
  • the European data regulation (“Data Act”), adopted on 11 January 2024, which aims to strengthen the single data market by improving competition in the cloud market. Several provisions of the regulation have been included in the French law to secure and regulate the digital environment (the “SREN” act) adopted on 21 May 2024;
• data regulations:
  • the European regulation known as the “Data Governance Act” (DGA), which was adopted in July 2022 and provides a framework for the use of data held by public authorities. As such authorities are customers of OVHcloud, it may be indirectly impacted,
  • the European General Data Protection Regulation (“GDPR”) of 27 April 2016, which governs the processing of personal data of EU residents. The GDPR affects both OVHcloud and its customers. In this context, transfers of personal data outside the EU, and in particular to the US, are particularly sensitive. After several years of such transfers being prohibited, on 10 July 2023 the European Commission adopted a new adequacy decision authorising personal data to flow freely from the EU to companies in the US; OVHcloud is closely monitoring this decision (which results from changes to US legislation following the European Court of Justice’s 16 July 2020 ruling that the American Privacy Shield did not offer a sufficient level of protection, and affirms that the US offers a comparable level of personal data protection to the GDPR).

Description of the risk

The Group must identify and adapt to the rules that apply to it, in order to comply with them and continue to develop its business. It must also detect any failures to comply so that they can be rectified quickly. The Group must also anticipate changes in these rules in order to adapt to them as effectively as possible.

Insufficient knowledge of local regulations, or a lack of methodology for monitoring changes in these regulations, would have a significant impact on the Group. It could jeopardise its ability to comply with the law, exposing it to operational and financial risks. It could also weaken its competitive position and damage its image.

In addition, certain non-European regulations with extraterritorial scope are likely to conflict with European legislation applicable to the Group, in particular personal data protection legislation. For example, the US CLOUD Act, which was signed into law in March 2018, allows US law enforcement to access information held or controlled by cloud service providers subject to US jurisdiction, even if that information is located outside the United States.

Management of the risk

OVHcloud’s internal organisation allows it to stay abreast of applicable regulations and any changes thereto, and therefore to anticipate and mitigate the risks related to failures to comply. This organisation relies, in particular, on the Legal Department, the Data Protection Officer (DPO) and the teams in charge of legal compliance, who are supported where necessary by local experts and actively monitor legislation. The public affairs team also plays an important role, identifying legislative processes that could affect the Group at an early stage and endeavouring to make the Group's constraints known so that they are taken into account in these processes. In addition, the Group commissions external audits to ensure compliance.

OVHcloud also ensures that it remains beyond the reach of non-European regulations with extraterritorial scope that are likely to conflict with European legislation, particularly with regard to personal data protection. To this end, OVHcloud has adopted various procedures. For example, data hosted by OVHcloud's European datacenters cannot be accessed by employees based outside the European Union or employed by its US subsidiary.

In addition, OVHcloud’s customer agreements include contractual provisions stipulating that customers are responsible for the regulatory compliance of their data and their activity. OVHcloud has no need to access the data entrusted to it by its customers, except in the limited cases in which the law requires it to do so in order to combat illegal content.

OVHcloud also has internal procedures for checking the identity of its customers and suppliers, in order to avoid entering into business relationships with people subject to international sanctions.

However, OVHcloud cannot be certain that its procedures or contractual protections will be fully effective, with the result that it may inadvertently breach certain regulations or identify changes in legislation too late. Similarly, the Group cannot guarantee that new laws or regulations would not jeopardise its operations. Any such breach could give rise to monetary penalties that could have a significant impact on the Group's financial position. In addition, any actual or reported violation of regulations could impact OVHcloud's reputation.

Specific focus on data sovereignty

As a European cloud service provider and thanks to the organisation it has set up, OVHcloud considers that it can offer European customers the assurance that the data entrusted to it are not accessible by foreign authorities and in particular US law enforcement authorities. In particular, OVHcloud believes that data stored on its servers (other than those of its US subsidiary) may not be obtained by US authorities under the CLOUD Act, unlike data stored on servers directly or indirectly controlled by competitors that are subject to US jurisdiction. This guarantee enables customers to limit their data protection and privacy compliance risk.

Surveys conducted by OVHcloud have shown that data sovereignty is becoming more significant for its customers' decision-makers, but that it remains less of a priority than other factors such as performance and price. Moreover, Group competitors could structure their operations so as to be able to provide assurances regarding the protection of data, in which case OVHcloud’s competitive advantage could be less significant than anticipated. For example, Microsoft and Orange have announced a partnership which aims to propose a data sovereign cloud solution that, if successful, could increase competitive pressure on OVHcloud.

In order to limit the risk related to the CLOUD Act, OVHcloud has strictly separated its US operations from the rest of the Group, with differentiated legal and technical organisations. For example, US employees do not have access to customer data located outside the datacenters based in the United States.

Moreover, OVHcloud’s customers may also become subject to new tax obligations. If OVHcloud’s customers are unable to comply with such regulations or if they determine that compliance is too costly, their businesses and financial position may be adversely affected, and they may choose to reduce or to eliminate activities that rely on OVHcloud’s services.

Risks related to intellectual property

Description of the risk

To safeguard its business, OVHcloud must protect its technology and image, in particular through trademarks, domain names, trade secrets, patents, copyrights, contractual restrictions and other intellectual property rights and confidentiality procedures. Despite OVHcloud’s efforts to implement these protections, they may not sufficiently protect OVHcloud’s business nor provide it with a competitive advantage for a variety of reasons, including:

• the failure of OVHcloud to obtain patents and other intellectual property rights for important innovations or to maintain appropriate confidentiality and other protective measures to establish and maintain its trade secrets;

• uncertainty and changes in legal standards relating to the validity, enforceability and scope of protection of intellectual property rights;
• potential invalidation of OVHcloud’s intellectual property rights through administrative processes or litigation;
• third-party commercial strategies consisting of launching unfounded but very costly disputes;
• any inability by OVHcloud to detect infringement or other misappropriation of its intellectual property rights by third parties; and
• other practical, resource or business limitations on its ability to enforce its rights.

In addition, the laws of certain countries may not provide the same level of protection as the laws in France on corporate proprietary information and rights, such as intellectual property, trade secrets and know-how. OVHcloud may also be exposed to material risks of illicit use or theft or unauthorised reverse engineering of its data and other intellectual property. Moreover, if OVHcloud is unable to prevent the disclosure of its trade secrets to third parties, or if its competitors independently develop any of its trade secrets, the Group may not be able to establish or maintain a competitive advantage in the market, which could seriously harm its business.

Litigation may be necessary to enforce OVHcloud’s intellectual property or proprietary rights, protect its trade secrets or determine the validity and scope of proprietary rights claimed by others. Any litigation, whether or not resolved in OVHcloud’s favour, could result in significant expenses for OVHcloud, divert the efforts of its technical and management personnel and result in counter claims with respect to infringement of intellectual property rights by OVHcloud.

Management of the risk

OVHcloud's internal organisation enables it to mitigate the risks related to the protection of its intellectual property rights or the infringement of these rights.

In this context, it has a legal team dedicated to the protection of its intangible assets, which relies on specialised law firms around the world. In addition, OVHcloud has implemented an ambitious patent filing strategy at the Group level and in several territories that is both defensive and proactive, and held 189 patent families at 31 August 2024. To ensure full and unencumbered use of its patents, the Group has also entered into immunity agreements, either indirectly via associations or directly with holders of other patents. Under the terms of these agreements, the patent holders undertake to hold OVHcloud harmless against any claims from third parties who may acquire their patents, for the entire duration of these patents. This ensures that the Group is not exposed to claims by third parties acting in bad faith who acquire patents at the end of their life at a low cost in order to file unfounded claims. The Group also uses service providers and tools to detect unauthorised use of its distinctive signs (brands, domain names) and its patents in several countries. In addition, OVHcloud bases most of its IT developments on open source licences in order to limit third-party claims, as described in Chapter 1, Section 1.5.6 of this Universal Registration Document.

Risks related to governance and related parties

Description of the risk

OVHcloud’s rapid and continuing growth, both in terms of revenue and geographical expansion, is making the management of the Group's operations and governance more complex. In this context, the Group may not have put in place the key elements of governance and control required to manage its operations and avoid potential conflicts of interest.

Management of the risk

OVHcloud has formalised its key elements of corporate governance (see Chapter 4 – Corporate governance).

In addition, at the proposal of the lead director and within the sphere of his mandate, an ad hoc committee was set up in summer 2024 to draw up recommendations for improving OVHcloud’s governance, focusing mainly on managing conflicts of interest and related activities. As a result of the work of this ad hoc committee, the Related Parties Committee was set up in July 2024. This new committee comprises the Chairman of the Board and at least three independent directors (including the lead director), and the Chief Executive Officer may be invited to attend its meetings. The Related Parties Committee may be asked by the Chairman, the lead director or the Chief Executive Officer to give an advisory opinion on situations of potential conflicts of interest for related activities. The operating procedures of this committee are set out in the Board of Directors' internal regulations (see Chapter 4 – Corporate governance).

It has also set up regular reviews of the key elements of its subsidiaries' governance, in parallel with the structuring of the Group's internal control system, which helps to harmonise practices and clarify the operational governance of its activities.

OVHcloud has entered into, and may continue to enter into, certain related-party agreements

Certain executives and/or shareholders may hold interests in companies that are also OVHcloud's business partners and may therefore be considered related parties. In particular, OVHcloud has entered into various agreements with companies controlled by Octave Klaba, founder of the Group and current Chairman of its Board of Directors, and members of Octave Klaba's family who are direct or indirect shareholders of the Group. The Klaba family currently controls the Group.

OVHcloud obtains metal components for the manufacturing of its servers from AixMétal, in the areas of research and development (such as prototype launches), mass production (such as for the production of servers) and the manufacture of finished or semi-finished products for datacenters. AixMétal is controlled by members of the Klaba family. The premises of OVHcloud’s server manufacturing facility, datacenter and headquarters located in Roubaix, France, are owned by companies controlled by the Klaba family and leased to OVHcloud.

Although OVHcloud believes that all such arrangements have been negotiated on an arm’s length basis and use commercially reasonable terms, the Group has not obtained proposals for these arrangements from unrelated parties. In addition, OVHcloud’s operational flexibility to modify or implement changes with respect to the description or pricing of services provided by related parties may be limited: if an agreement with a related party is terminated, there could be disruptions upon transition, and there can be no assurance that OVHcloud will be able to obtain the same products at the same or a lower cost. In particular, if OVHcloud experiences difficulties with the metal components supplied by AixMétal, it could be difficult and take a long time to find an alternative supplier able to produce similar components under equivalent conditions. Such a situation could impact OVHcloud's ability to manufacture and deploy new servers as rapidly as it has done in the past, potentially affecting its ability to meet the needs of its customers.

In addition, OVHcloud is the main cloud service provider for Shadow (representing approximately 2.3% of OVHcloud's FY2024 revenue) and Qwant (representing approximately 0.1% of OVHcloud's FY2024 revenue), which are controlled by members of the Klaba family. The revenue from contracts signed with Shadow and Qwant is significant for OVHcloud and, as for all of its customers, OVHcloud cannot guarantee that this revenue will be generated on a permanent basis beyond the contractual commitments in force. Similarly, the capital expenditure generated by these contracts is significant, and their premature interruption would affect the expected return on investment.

Related-party agreements are drawn up with the assistance of the Group's Legal, Finance and Purchasing Departments, which endeavour to ensure that the price, services and contractual terms covered by the agreements are comparable to prevailing market practices for equivalent business volumes.

OVHcloud assesses the notion of a routine transaction with regard to compliance with the corporate purpose of the company in question and the nature of the transaction. Repetition and/or habit constitute a presumption that the transaction is routine, but are not in themselves decisive. In this context, OVHcloud has drawn up a charter on routine and regulated agreements in order to clarify the methodology applied internally to classify the various agreements entered into between OVHcloud and its related parties. This charter details the procedure for regularly assessing routine agreements.

These agreements are therefore subject to the rules of approval provided for by the applicable French law, as well as to OVHcloud's internal rules of approval (approval by the Related Parties Committee, the Executive Committee and, where applicable, by the Board of Directors). Related-party agreements are also reviewed every six months by the Audit Committee.

However, it cannot be guaranteed that, individually or as a whole, these agreements have been entered into under conditions similar to those that OVHcloud could obtain from unrelated parties.

2.1.2.6Risks related to information systems

Risks related to the outage of an internal IT system or tool

Description of the risk

OVHcloud may be faced with internal or external service outages for various reasons, such as a malicious act, an infrastructure or application problem, an insufficient level of security or the loss of connection to the network.

Limitations in the performance of its infrastructure or network could therefore leave OVHcloud unable to operate its internal information system, resulting in a partial or total service outage for its customers. Business continuity and recovery plans may not be sufficient to ensure the expected level of service for customers and internal operations.

Despite OVHcloud’s ongoing testing of products and platforms, cloud offerings and internal systems could contain coding or configuration errors that can impact the functions, performance and security of its solutions and result in negative consequences. Detecting and correcting any errors can be time consuming and costly. Errors are likely to affect their ability to function properly, integrate or operate correctly. They are also likely to generate internal security breaches in OVHcloud’s software or platforms and could adversely affect the market penetration of its cloud offerings.

Management of the risk

OVHcloud has set up a regular review of its code and infrastructures by a team of IT auditors, which carries out access and penetration tests of its systems. The Group also follows rigorous processes for updating its applications in order to anticipate development risks.

The Group has put in place business continuity and recovery plans for its internal IT systems, incorporating redundancy for its critical systems. OVHcloud has a network redundancy system and performs regular backups. Cybersecurity measures are described in detail in the relevant risk section.

Although OVHcloud considers that it has implemented risk management measures, these may prove insufficient to prevent a service outage.

Risks related to cybersecurity

Description of the risk

As a digital company, OVHcloud is highly exposed to the risk of service outages caused by cyber attacks.

The occurrence of a large-scale cybersecurity incident could affect OVHcloud's internal systems or the operation of its servers and cause shutdowns or denials of service.

Because the techniques used to obtain unauthorised access to, or sabotage, IT systems change frequently, grow more complex over time and often are not recognised until launched against a target, OVHcloud may be unable to anticipate or implement adequate measures to prevent such techniques. In addition, OVHcloud might not immediately discover any security breach or loss of information.

Following such a discovery, OVHcloud might need to shut down systems and limit customer access to its services, which could adversely impact the Group’s revenue and operating costs.

OVHcloud could sustain significant damage to its brand and reputation if a cyber attack or other security incident were to allow unauthorised access to, or modification of, its customers’ data, other external data or its own data or IT systems, or if the services the Group provides to its customers were disrupted, or if OVHcloud’s servers were reported to have, or were perceived as having, security vulnerabilities.

Beyond its internal operations, OVHcloud has no direct control over its customers' cybersecurity and could be indirectly impacted by an attack on one of its customers.

OVHcloud uses software licensed from third parties to operate its servers and protect its IT systems. Although OVHcloud analyses the level of cybersecurity offered by these third-party software packages, the Group does not fully control the mechanisms used to maintain their security. If security systems provided by a third party were to fail to adequately protect OVHcloud’s systems or the data or systems of its customers, OVHcloud could suffer cyber attacks that would impact its revenue and business reputation, as set out above. In addition, if a different customer of a third-party security solution provider were to experience a cybersecurity incident, even if it is unrelated to OVHcloud’s operations, the confidence of OVHcloud’s customers could be adversely affected.

Management of the risk

OVHcloud has implemented several measures to limit cybersecurity risks, mapping its IT risks and managing them as part of the cybersecurity department’s continuous improvement process.

OVHcloud has defined a cybersecurity strategy and developed a set of tools and policies to ensure the highest possible level of protection and detection. OVHcloud's architecture and processes are designed to limit exposure in terms of systems.

This has resulted in several certifications, such as ISO 27001, SOC 1, SOC 2, SecNumCloud and PCI DSS. In addition, the Group is in regular contact with the French national cybersecurity agency (ANSSI) in order to anticipate new attacks or improve its existing processes. OVHcloud also carries out regular cyber attack simulation campaigns and awareness campaigns for its employees and executives. The results of these tests are detailed in Chapter 3 of this Universal Registration Document.

While OVHcloud seeks to take precautions to guard against cybersecurity incidents, those precautions might prove to be ineffective or fail to prevent major security breaches. In addition, OVHcloud may be vulnerable to new security breaches that have not yet been identified.

In any event, OVHcloud has also taken out a cyber insurance policy with a leading insurer to cover the effects of a possible cybersecurity incident. The implementation of this insurance coverage was subject to OVHcloud complying with binding specifications imposed by the insurer.

Risks related to data protection, loss or theft

Description of the risk

Many data protection and privacy regulations impose stringent requirements on OVHcloud’s customers, who must ensure the protection of their own customers’ data, including data stored on OVHcloud’s servers, as well as the protection of OVHcloud’s data.

In the event of an incident involving the loss or theft of data, OVHcloud could see its reputation and revenue severely impacted.

Moreover, ever more stringent regulations are being proposed that could have a significant impact on the technology companies that represent a significant portion of OVHcloud’s customer base. New regulations could have an impact on OVHcloud's operations and expenses.

Management of the risk

OVHcloud continually monitors data protection issues (see risks related to failure to comply with certain laws and regulations and their developments).

OVHcloud has implemented internal governance to ensure that data protection issues are systematically taken into account in its projects.

The Group has classified its data by level of risk in order to determine the measures necessary to limit the loss or theft of this data. IT access management processes are used to limit access to data based on authorisations.

Cybersecurity risk mitigation measures, described in the section on cybersecurity risk, help to reduce risks related to data loss, in particular through the availability of monitoring tools, or, for example, cybersecurity tests carried out internally and by external service providers.

2.2Insurance and risk coverage

2.2.1Insurance policy and organisation

The Group's Legal Department negotiates all insurance contracts centrally for the entire Group, excluding subsidiaries in the United States, which determine their own insurance policy and take out their own insurance policies.

Insurance policies are either taken out by the Group, on its own behalf and on behalf of its subsidiaries, or directly by its subsidiaries, through brokers mandated to negotiate with the main insurance companies to set up or renew the most appropriate guarantees for risk coverage requirements.

Insurance companies are selected on the basis of criteria such as the amount of premiums, the scope of coverage offered, the ability to set up integrated programmes such as master policies, the duration of the commitment, their availability to insure the risks in question in light of all their other commitments in the segment and market in question, and the ability to offer qualitative support in order to better understand risk management.

The Group's insurance policy aims to:

• adapt its insurance coverage each year, when renewing its policies, according to developments in the risks related to the growth of its usual activities and its steady increase in capital. To do so, the Group uses an external firm to appraise the assets of its largest sites;
• pursue an active prevention and protection policy at its industrial sites, in particular through its HYR prevention plan, designed to protect them against accidental fire risks. The Group has most of its industrial sites audited annually by its brokers’ and insurers’ prevention engineers;
• communicate to the insurance and reinsurance market at the roadshows organised by the Group, on the information detailed in the HYR prevention plan;
• set up awareness-raising sessions on fire risk, with a technical and insurance-based approach, for a wide range of operational staff;

• develop risk prevention, such as exposure to natural and environmental disasters, in order to enhance existing insurance coverage.

All insurance contracts were renewed at 1 January 2024, with the exception of a few contracts with expiry dates later in the year.

OVHcloud prefers to take out “master” policies in order to pool coverage within the Group. For regulatory or factual reasons, such as the size of a subsidiary, OVHcloud also uses local or “standalone” policies taken out directly by its subsidiaries.

The Group also has insurance policies taken out directly by the Group or through its subsidiaries, covering the liability of its executives, risks relating to all its offices, its car fleet, the use by its employees of their own vehicle for business trips, professional assignments, expatriate employees, construction work, installation of equipment or fittings in its datacenters or offices, the transportation of goods, rented accommodation made available to staff during occasional business trips to the head office, as well as the medical office of the doctor also working on behalf of OVHcloud.

Through its subsidiaries, the Group also has a number of insurance policies covering property damage, civil and employer liability and compensation for employees, offices and international datacenters.

2.2.2Property and casualty damage

The Group has property damage insurance covering its sites, facilities and equipment, whether owned by the Company or entrusted to it.

Following the Strasbourg fire in March 2021, it proved extremely difficult to negotiate the insurance contract underwritten in France and numerous conditions were imposed upon its renewal on 1 September 2021, which continued to apply when the contract was extended at 1 September 2022 and 1 January 2023.

The ongoing implementation of the prevention plan drawn up by the Group for its datacenters and associated sites within the established timeframe, has allowed it to satisfy insurers' expectations regarding the level of prevention, and lift the specific contractual conditions that were imposed following the fire.

On 1 July 2023, the Group took out a new 18-month property damage and additional operating expenses insurance programme comprising two insurance policies known as “lines”, providing sufficient cover and insuring all the capital of the Group's datacenters located in France, Germany, Belgium and the United Kingdom.

The first-line policy was taken out with the same insurer, AXA France IARD, plus a second insurer, RSA Luxembourg SA, for a total of 64% of the risk share, with six co-insurers sharing the remaining 36%.

The second-line policy was taken out with Zurich as lead insurer with a total of 50% of the risk share and seven co-insurers sharing the remaining 50% of the risk.

In particular, this programme covers risks resulting from fire, lightning, explosion, electrical, water damage, theft and natural events, as well as direct material damage to insured property of accidental origin, including buildings, furniture, equipment and/or rental risks, miscellaneous costs and losses resulting from material damage to insured property, the financial consequences of civil liability and additional operating costs.

The total guarantee limit for the programme has been raised to €400 million per claim and the basic excess has been reduced to €3 million, with lower excesses adapted to sites with lower insured values.

2.2.3Civil and cyber liability

This combined worldwide “information technology and communication civil liability and cyber enterprise risk management” programme, underwritten for all the Group's subsidiaries except those in the US, provides coverage for operating, product and professional civil liability, as well as the financial consequences related to cyber risks.

Coverage includes the financial consequences of the operational, product and professional liability.

This master programme is broken down into four insurance policies or “lines”, which provide the Company with sufficient guarantees in terms of “civil liability and cyber enterprise risk management” coverage, taken out with CNA, Chubb, AIG and Ergo, respectively. It was renewed with the same insurers, with an additional line taken out with AIG, on 1 January 2024 for a period of three years subject to automatic renewal.

The maximum amounts of compensation for the main risks under this programme increased and now stand at €25 million per insurance period for operating civil liability, €20 million per insurance period for professional civil liability and civil liability due to products, and €15 million per insurance period for losses due to cyber risk.

2.3Internal control system

2.3.1General internal control framework

2.3.1.1Definition and objectives of the internal control system

Based on the AMF reference framework, OVHcloud has set up an internal control system comprising a set of resources, policies, behaviours, procedures and appropriate actions designed to ensure:

• the application of instructions and guidelines set by management;
• the operation of internal processes to ensure the effectiveness and control of activities;
• the reliability of accounting and financial information;
• compliance with laws and regulations;
• the management of risks.

2.3.1.2Internal control governance

A number of players are involved in the internal control system:

Board of Directors and Audit Committee

Delegated by the Board of Directors, the Audit Committee is responsible for monitoring the preparation of financial information and the effectiveness of internal control, risk management and internal audit systems.

The Audit Committee reports to the Board of Directors on these aspects.

See Chapter 4 – Corporate governance for a detailed description of the tasks of the Board of Directors and the Audit Committee.

Senior Management

Senior Management is responsible for deploying the internal control system and overseeing risk mapping. To achieve this, Senior Management relies on the support of the Finance Department and the Audit, Internal Control and Risk Department.

Level 1 controls

The first line of control is made up of operations that formalise and implement operational processes to ensure control of day-to-day operations and their internal control.

Level 2 controls

Internal control is an integral part of each operational department’s mission. The management of the operational departments is responsible for checking that the Level 1 procedures and controls are being properly applied by carrying out Level 2 controls, for example via sampling and by implementing application controls and validation circuits. The management control function may also be responsible for carrying out Level 2 controls.

Lastly, the functional departments are responsible for defining the guidelines and controls to be applied by all the commercial and industrial entities and for managing the operational risks in their respective areas: for example, the Legal, Quality, Standards, Safety and Working Environment, Cybersecurity, Human Resources, Finance and Insurance Departments. These functional departments may also be called upon to verify that Level 1 rules have been applied correctly through Level 2 control campaigns.

With a view to strengthening its internal control and improving coordination, OVHcloud has set up an Audit, Internal Control and Risk Department, which reports to the Group's Finance Department. This department assists the operational and functional departments in setting up their Level 1 and 2 control systems. The Audit, Internal Control and Risk Department also carries out internal control campaigns based on the operational departments’ self-assessment of whether controls have been applied correctly. The Audit Committee monitors the rollout of the internal control system.

Level 3 controls

The third line of control is the Audit, Internal Control and Risk Department. On the basis of an annual audit plan, approved by Senior Management and the Audit Committee, audits are carried out in a fully independent manner and are the subject of an audit report which identifies any risks and the action plans needed to mitigate them.

The findings of internal audits are reported to the operational departments, as well as to Senior Management and the Audit Committee for the main findings, in order to provide reasonable assurance on the effectiveness of the internal control and risk management system.

Follow-up on action plans is presented to the Executive Committee and the Audit Committee twice a year. The Internal Audit department is also independently empowered to alert Senior Management and directors if necessary.

2.3.2Internal control system and environment

2.3.2.1Control environment

The aim of a control environment is to create a secure framework for OVHcloud, its employees and all its stakeholders. The internal control environment is based on a framework of values governing the behaviour and ethics of the Group’s employees and third parties. In order to disseminate these values, the Group has implemented the following charters and code of conduct:

• code of ethics and anti-corruption governing the rules of behaviour of employees and also of partners/suppliers;
• a whistleblowing platform for reporting any behaviour contrary to the ethics framework and any serious situation or fact observed within the Company or at its partners/suppliers, in complete confidence and confidentiality;
• OVHcloud values shared by all employees, including the obligation to act responsibly and ethically. These founding values help to foster a respectful corporate culture;
• IT, communication and security charters including all rules and best practices in terms of the physical and logistics security of the Group’s IT resources by users;
• stock market ethics charter, introduced in 2021, in accordance with AMF instructions, which defines the obligations of persons holding inside information.

In particular, the following departments contribute to internal control:

• the Group Legal Department, which advises and assists the operational departments and subsidiaries on material legal matters;
• the Group Tax Department, which advises and assists the operational departments and subsidiaries on material tax matters;
• the Group Financial Operations Department, which ensures the proper implementation of and compliance with reporting and preparation procedures for the consolidated financial statements;
• the Group Human Resources Department, which advises and ensures that internal practices comply with laws and regulations under employment law;
• the Group Operations Department, which carries out specific risk analyses and proposes action plans on security, safety and business continuity;
• the Audit, Internal Control and Risk Department, which sets the internal control framework and manages risk mapping.

Lastly, the Statutory Auditors are informed of the internal control system and the risks identified by the Group in the assessment.

2.3.2.2Control frameworks

Ethics and compliance

The Group pays strict attention to the compliance of its procedures and employee practices with applicable regulations. The Group has thus deployed ethics and anti-corruption codes with associated training. In addition, the Group raises awareness among its employees of whistleblowing, in particular as part of the measures put in place in accordance with the French law of 9 December 2016 on transparency, the fight against corruption and influence peddling and the modernisation of economic life (the so-called “Sapin II” law). A platform accessible at all times has been set up on which employees and any third parties (partners, suppliers, customers, etc.) can report any breach of the Group’s code of ethics that they may have observed: “ROGER” (Respect OVHcloud Guidelines and Ethical Rules). The ethics and business conduct system is described in Chapter 3 of this document.

Data protection

Under the supervision of its Data Protection Officer (DPO), the Group implements a rigorous personal data protection policy. A policy on the use of personal data has been defined, precisely describing the processing that OVHcloud may be required to carry out on data concerning customers, suppliers and partners, as well as the conditions of that processing.

Information systems security

Information security is the subject of a programme and commitments developed within OVHcloud’s information systems security policy (ISSP). The policy sets out principles for the application of information systems security, mainly:

• deployment of a large-scale, industrial approach to security;
• adaptation of safety systems to the different types of OVHcloud customers;
• provision of means and technologies to enable each customer to manage their own risks;
• ensuring support service information system security throughout all phases of its lifecycle;
• implementation of security management systems (ISMS) and privacy management systems (PIMS);
• safety management using a risk-based approach;
• demonstration of the level of security through certification, internal control and external audit;
• unified response to security incidents and personal data breaches;

• integration of security and privacy issues into product development; and
• safety assessment and implementation of a continuous improvement process.

The ISSP, under the responsibility of the Chief Information Systems Officer (CISO), is reviewed by the Executive Committee, which verifies that its content is consistent with the Group’s strategic targets. It is revised once a year. The ISSP applies to all Group companies, employees, suppliers, service providers, subcontractors and information system users, regardless of their status.

Under the responsibility of the CISO, OVHcloud’s security team is composed of four teams:

• security tools, in charge of developing and operating the tools supporting the security policy;
• operations security, responsible for ensuring the implementation of good security practices within operations and the implementation of formal security management processes, supporting the integration of security tools and the alignment of security arrangements within the Company;
• CERT, in charge of monitoring threat sources, identifying cyber attack tools and methods to anticipate them, and managing security incidents; and
• customer security, in charge of assisting the teams in contact with customers (support, sales, etc.) to manage security issues in the relationship.

OVHcloud ensures that employees are aware of the challenges of IT security and, more specifically, of cybersecurity. To this end, the Group regularly conducts cyber attack simulation campaigns (phishing) designed on the basis of sophisticated scenarios and performs external audits.

Quality, health and environment

Through its health and safety policy, OVHcloud oversees the implementation of measures to offer safe and healthy workspaces for all its employees and stakeholders, sites and products. The Group’s industrial risk management policy is based on two priorities: (i) prevention through audits carried out by external bodies at each of the sites, which result in reports with both human and material recommendations, and (ii) protection through the development of risk reduction plans, incorporating short- and medium-term investments as well as organisational or management actions.

Collection of rules and controls

The Audit, Internal Control and Risk Department is compiling a collection of procedures as they are created.

A collection of Level 2 controls is being compiled with the aim of rolling out a self-assessment process for the operational departments and monitoring continuous improvement actions.

2.3.2.3Internal control procedures relating to the preparation and processing of financial and accounting information

OVHcloud’s accounting and financial function is managed by the Group’s Finance Department, which reports directly to Senior Management.

The Group Finance Department’s responsibilities mainly cover the preparation of financial statements, management control, tax, financing and cash management, and participation in financial communication, purchases, internal control, internal audit and risk management.

The accounting rules and methods and IFRS standards in force within the Group are presented in the notes to the consolidated financial statements in this document. At the end of each reporting period, the Audit Committee verifies with the Finance Department and the Statutory Auditors that these rules, methods and standards have been applied consistently from one year to the next.

Each half-year, after review by the Audit Committee, the Board of Directors adopts the half-year and annual financial statements, which the Statutory Auditors are then asked to review.

Information systems

The purpose of the accounting and financial information systems deployed within the Group is to meet the requirements of compliance, security, reliability, availability and traceability of information.

OVHcloud is gradually rolling out SAP as the only information and management system for financial management and accounting data. Following the deployment in France and Canada, the Group finalised the roll out of SAP to all its subsidiaries in 2024. The use of a single tool ensures consistency in the processing, comparison and control of accounting and financial information. In addition, OVHcloud deployed the HFM financial consolidation tool in 2024.

In order to strengthen the internal control of the Group’s systems, the Organisation and Information Systems Department has strengthened the segregation of duties and improved access rights controls, particularly in critical systems such as SAP, through a formal annual review across the entire Group scope.

Financial communication

The Financial Communication and Investor Relations Department, under the supervision of the Chief Financial Officer, manages the Group’s financial communication.

The Group disseminates financial information by various means, in particular:

• press releases;
• the Universal Registration Document;
• half-year and annual results presentations.

The Group’s website has a dedicated Investors section which includes the aforementioned items as well as other regulatory or informational items.

The Statutory Auditors

As part of their audit of the financial statements, the Statutory Auditors make comments. When they deem appropriate, the Statutory Auditors report to management, at the appropriate level of responsibility, on internal control weaknesses identified during the audit that they deem of sufficient importance to merit its attention. The Statutory Auditors report any material weaknesses in internal control to the bodies mentioned in Article L. 823-16 of the French Commercial Code, at the time they deem appropriate, in writing.

As part of their ongoing engagement, the Statutory Auditors audit the annual and half-year financial statements of consolidated entities. The Group’s annual consolidated financial statements are prepared by the Financial Operations Department under the responsibility of the Group’s Chief Financial Officer. The Group’s Chief Executive Officer and Chief Financial Officer attest to the accuracy, reliability and fair presentation of the consolidated financial statements in a representation letter sent to the Statutory Auditors.

Non-financial
performance
statement /NFPS/ /AFR/

Business model

OVHcloud's business model is detailed in the introduction to this Universal Registration Document.

CSR approach

OVHcloud structured its CSR approach during the 2022 financial year. With nearly 3,000 employees at 31 August 2024 and a global industrial and commercial footprint, the Group is fully aware of its responsibility in a world where data have a major impact on private, social and professional lives on an economic, geopolitical, ethical and environmental level. They impact relationships between people and their use reflects a vision of the world and the type of society in which everyone wants to live. Driven by its ambition, “Leading the data revolution for a responsible future”, OVHcloud’s mission is to build an open and trusted cloud, enabling businesses and society to make the most of the data revolution while minimising its environmental impacts.

This vision and the related mission are reflected in a CSR policy, which is closely integrated into the Group’s strategy. This policy is based on three pillars of commitment, each of which in turn breaks down into three areas of action:

• Guaranteeing data sovereignty and freedom

OVHcloud is at the heart of the digital revolution, which opens the way to a multitude of opportunities in applications and technology. In this context, the Group offers its customers cloud solutions covering all their uses – supporting them in their digital transformation, enabling them to innovate by building cloud native applications or helping them leverage the power of data. In fulfilling this mission, the Group offers its customers the freedom to build their most ambitious projects, in a secure, compliant and sustainable cloud environment, according to three areas of action:

• defending data sovereignty, security and privacy;
• guaranteeing freedom of choice and reversibility;
• offering predictable and transparent pricing.

• Pioneering the sustainable cloud

At the forefront of the sustainable cloud, OVHcloud has integrated sustainability at the heart of its business model since its creation, aiming to minimise its environmental impact at every stage. OVHcloud’s environmental action is structured around three priorities:

• placing innovation at the heart of its industrial model;
• aligning OVHcloud with the Paris Agreement, which includes the major objective of continuing efforts to limit the increase in average global temperature to 1.5°C above pre-industrial levels;
• raising awareness among stakeholders of all the impacts of the cloud, in order to initiate a collective approach to reducing the environmental footprint.

• Driving collective progress of the cloud for the benefit of society

At OVHcloud, everything starts with people. Men and women are the Company's best assets: it is their talent that ensures its success. “Working together” is one of the Group's fundamental values. This collective aspect is extended to its ecosystem, and in the desire to see the European cloud segment progress. This third pillar of commitment breaks down into three areas of action:

• attracting and developing skills in a collective adventure within a diverse and inclusive Company;
• collaborating and developing coalitions with stakeholders in the European cloud ecosystem;
• promoting local anchoring and societal commitment by working on digital inclusion.

CSR governance

To manage its corporate social responsibility (CSR) ambitions, OVHcloud has set up a dedicated governance structure, closely associated with the management of the Group’s overall strategy.

The Board of Directors strives to promote the Company’s long-term value creation by considering the social and environmental challenges of its activities. In connection with the strategy defined, it regularly examines the opportunities and risks such as financial, legal, operational, social and environmental risks, including climate risk, as well as the measures taken as a result. The medium-term CSR priorities and targets were approved by the Board of Directors in 2022 and are reviewed annually by said Board. They are monitored by building on the work of its committees. In May 2024, an extraordinary strategy seminar attended by the independent directors was organised, at which a wide range of topics concerning governance and management were discussed, including the CSR policy, its application and the progress of related projects.

Established after the Group’s IPO in 2021, the Strategy and CSR Committee has the task of preparing the work and facilitating the decision-making process of the Board of Directors on strategic and CSR issues. In terms of CSR, it is notably responsible for:

• ensuring that matters relating to social and environmental responsibility (such as diversity and non-discrimination policies and compliance and ethics policies) are taken into account in the Group’s strategy and in its implementation;
• reviewing the non-financial performance statement on social and environmental matters provided for in Article L. 22-10-36 of the French Commercial Code (Code de commerce);
• examining the opinions expressed by investors, analysts and other third parties and, if applicable, the potential action plan drawn up by the Company to improve the points raised on social and environmental matters;
• reviewing and assessing the relevance of the Group’s social and environmental commitments and strategic directions on social and environmental matters, in light of the challenges specific to its activity and objectives, and monitoring their implementation.

The Audit Committee ensures the effectiveness of the risk monitoring and internal control system, including CSR risks and climate change risk, as well as the review and monitoring of the systems and procedures in place to ensure the dissemination and the application of policies and rules of best practice in terms of ethics, fraud and corruption and, more generally, compliance with regulations in force.

Lastly, the Appointments, Compensation and Governance Committee is responsible, among other duties, for the annual review of the Board of Directors’ diversity policy as well as monitoring the gender parity rate, age and diversity of skills.

The role and work of the Board of Directors and its committees are presented in Sections 4.1.5 and 4.1.6 of this Universal Registration Document.

The Strategy and CSR Department, which reports to the Chief Executive Officer, is responsible for the implementation of the Group’s major strategic directions, which it helps to define, as well as for the development and coordination of the CSR policy, with the aim of engaging the Company in a process of continuous improvement, of enhancing its commitments and of measuring the effects of the CSR programme. The Strategy and CSR Department reports to the Executive Committee on a regular basis on the progress of the CSR programme, its main initiatives and their updates.

The CSR programme commitments are drawn up and monitored by the CSR Steering Committee. Coordinated by the Strategy and CSR Department, it is composed of a central CSR team and operational department representatives involved in the implementation of the CSR action plan. The Committee meets weekly to define, monitor and adjust CSR action plans.

Open and regular exchanges with stakeholders

Materiality analysis and CSR risk assessment

OVHcloud developed a Group risk map in 2020. It has been updated twice: first in 2022 and again in 2023 (see Chapter 2 of this Universal Registration Document for a description of the Group's risk factors). In addition, the Group created its first materiality matrix in 2022, focusing on CSR issues. Its review in 2024 did not result in an update.

Materiality analysis

In 2022, OVHcloud put together its first materiality matrix by interviewing its external and internal stakeholders, in order to determine the Group's most material CSR issues, i.e., those that have or could have an impact on the Group’s ability to create or protect financial and non-financial value for itself and its stakeholders.

This exercise was carried out in four stages: identification of potential CSR issues, confrontation of these issues with external and internal stakeholders, consolidation of the results and, lastly, the main lessons learned from the analysis of these results.

Identification of issues

OVHcloud has defined a list of 24 potential CSR issues, subdivided into three categories: environment, business conduct and social/societal.

Stakeholder interviews

OVHcloud addressed this list of potential issues with its internal and external stakeholders during interviews, conducted in particular with its customers, suppliers, investors, representatives of its ecosystem (associations, NGOs, partners, etc.) as well as the Group's directors and managers, including the Executive Committee, in order to collect their point of view and expectations regarding each of the issues. The interviews were conducted by OVHcloud's teams, with the exception of investors, who were consulted through a perception study carried out by an external service provider. OVHcloud also consulted its employees (excluding the Executive Committee and other managers) through an online survey.

An interview guide has been drawn up to guide the various interviews. This guide was used as the basis for the online survey tool.

The main question concerned the rating of the issues according to the level of expectation for each of them, according to the following grid:

• 0: no expectation. OVHcloud does not have to particularly commit to this issue;
• 1: limited. Issue for which OVHcloud can implement some actions, without integrating them into its strategy;
• 2: important. OVHcloud should adopt a policy, targets and an action plan concerning this issue;
• 3: priority. This issue must be a major strategic priority for OVHcloud.

A total of 231 people were consulted, including:

• management (shown on the horizontal axis of the matrix):
  • the Chairman of the Board of Directors,
  • 18 management representatives including the Chief Executive Officer and the entire Executive Committee as well as the main regional managers;
• stakeholders (represented on the vertical axis of the matrix):
  • 34 external stakeholder representatives: customers, suppliers, public authorities, investors, members of the OVHcloud ecosystem (associations, partners, NGOs, etc.),
  • 178 employees surveyed.

Methodological biases

The voice of the public authorities was expressed by the person responsible for public affairs at OVHcloud.

For investors, the rating was carried out by transposing the 2022 “ESG Investors” perception study carried out by an external service provider to a similar rating grid and a slightly more limited list of issues.

Consolidation of results and formalisation of the matrix

The analysis of quantitative and qualitative data was carried out with the support of a CSR consulting firm, according to the following methodology:

• consolidation of results: for internal and external stakeholders, the average rating of the issues was established on the basis of an equal weighting of the results within each stakeholder category, then between the categories. For management, the ratings assigned by the Chairman and the Chief Executive Officer were given more weight than the responses of management representatives;
• formalisation of the matrix: the ratings thus obtained made it possible to place each issue on the horizontal axis (average allocated by management) and on the vertical axis (average allocated by internal and external stakeholders);
• analysis of the results: the key lessons are drawn from the compilation of the analysis (correlations, dispersions, ranking of issues, comparison according to stakeholders) of the results.

Strong alignment between management and stakeholders

* For the detailed wording of the issues, see the table in the section on identifying issues above.

Main lessons

• Overall, internal and external stakeholders are aligned on the most material issues, particularly those related to the Group’s core business, a sign of a good understanding between OVHcloud and its ecosystem. These are issues relating to data sovereignty, low-carbon trajectory, efficient energy management, cybersecurity and data protection, environmental labelling and carbon transparency, and securing strategic supplies.
• Three major issues stand out in particular, consistent with the Group’s vision and strategic directions:
  • data sovereignty;
  • low-carbon trajectory;
  • efficient energy management.
• Important issues are also aligned on more generic but fundamental issues for the Company's operation such as a responsible supply chain, eco-design, business ethics, responsible water management, attraction and retention of talent, reliability and customer trust, health, safety at work and employee well-being, diversity and inclusion, innovation and R&D for Green IT.
• Regarding deviations (which remain limited), we note that management places particular importance on the attraction of talent and customer trust, whereas stakeholders have strong expectations concerning continuity of service – in terms of cybersecurity and resilience to climate change – and environmental labelling.
• OVHcloud is clearly recognised for issues relating to the differentiation of its offering, linked to its value proposition: price transparency, eco-design, a responsible approach to resource management and, above all, data sovereignty. Nevertheless, expectations are very high regarding these issues, which rank among the most material.
• When asked about the issues on which OVHcloud needs to progress, stakeholders were generally less vocal than management. The most frequently mentioned issues were cybersecurity and data protection, environmental labelling, diversity and inclusion, talent attraction and retention and contribution to the digital transition and digital accessibility.

• Interactions with the Group's various stakeholders during the 2024 financial year confirm the main conclusions drawn from the analysis carried out in 2022.

CSR risk assessment

The Group’s risk mapping and materiality analysis have made it possible to fine-tune the Group’s list of CSR risks, as well as to reinforce the pillars of its CSR policy commitments. The final list of CSR risks, presented in the table below, was reviewed and approved by the Executive Committee.

Summary of performance indicators

3.1Guaranteeing data sovereignty and freedom

Leading European cloud services provider, OVHcloud, is at the heart of the digital revolution, which opens the way to a multitude of opportunities in terms of applications and technology. In this context, the Group offers its customers cloud solutions covering all their uses – supporting them in their digital transformation, enabling them to innovate by building cloud native applications or helping them leverage the power of data. In fulfilling this mission, the Group offers its customers the freedom to build their most ambitious projects in a secure, compliant and sustainable cloud environment. For OVHcloud, everyone must be able to control their data and be guaranteed that they are secure. Free choice and openness in terms of services and innovation are the foundation of the relationship of trust established with its customers and partners. This also involves a range of services offering the best price-performance ratio and transparent and predictable rates.

3.1.1Defending data sovereignty, security and privacy

OVHcloud’s activities focus on the computing capacity, storage, processing and transfer of its customers’ data, including personal data, as well as business-critical data. Data sovereignty, security and confidentiality form the basis of the Group’s value proposition and the foundation of the relationship of trust that unites it with its customers. OVHcloud ensures the highest level of data protection. This level of excellence is supported by an effective data governance system. The Group is also campaigning for a European cloud, guaranteeing the technological independence of Europe and the sovereignty of its data.

3.1.1.1Highest level of data protection

An absolute priority: ensuring security in the cloud

OVHcloud implements security measures at all its datacenters and processes to protect its customers worldwide.

Cybersecurity

OVHcloud considers cybersecurity to be a pillar of its development strategy. The Group's ability to protect its customers' data and processing workloads is a key factor in the trust they place in the Group. The Information Systems Security Policy (ISSP(1)) provides the cybersecurity reference framework for OVHcloud. It describes the context in which it was set up and its three basic principles:

• deployment of a large-scale, industrial approach to security. Security is an integral part of the product development cycle. The security team is constantly involved in deciding what security measures to adopt to prevent and mitigate risks. This approach is based on standardised security measures, architectures that are secure from the outset, and formal, tried-and-tested, highly automated processes. The standardised security measures are supplemented by additional measures in consideration of the specific features of each project. Lastly, OVHcloud operates a permanent threat analysis system based on continuous system monitoring, enabling it to systematically adapt its operational practices to immediate risks and to respond effectively to security incidents;
• positioning of OVHcloud as a trusted player within the ecosystem. As a global cloud provider, OVHcloud has a major responsibility in the fight against security threats. The Group deploys large-scale protection tools and automates the protection of its customers' systems against these threats. OVHcloud's security team and technical experts maintain strong operational relationships with security expert communities, authorities, software publishers and hardware manufacturers. This enables the Group to anticipate new threats and vulnerabilities, and mitigate the related risks. In addition, OVHcloud shares its innovations and knowledge with the security community and promotes responsible disclosure. Lastly, the Group's security systems are regularly assessed by trusted third parties on the basis of recognised audit standards;
• operating a trusted cloud for all. OVHcloud offers its solutions to all types of customer across all industries: startups, SMEs, large companies, public authorities and multinational companies. Every OVHcloud customer has its own approach to security, depending on its business sector and/or sovereignty requirements. OVHcloud ensures the security of the services provided and the underlying infrastructure, and offers its customers a high level of transparency regarding the accompanying security measures. OVHcloud is also committed to personal data protection, as a controller for its customers' data and as a personal data processor in cases where its customers are themselves data controllers. The information systems security policy supports this commitment by defining, implementing and improving security measures to protect hosted personal data.

Security management is organised based on internationally recognised standards that highlight these principles. The Group has obtained numerous national (SecNumCloud, ACN, ENS, C5)(2) and international (ISO 27001, ISO 27701, PCI DSS, SOC 2 type 2) certifications and certifications specific to certain segments (HDS, HIPAA and HITECH for health, EBA and ACPR PSEE for financial services), which meet the highest French, European and international data protection standards.

In addition, OVHcloud has internal procedures for information systems security and constantly raises its employees’ awareness of the risk of computer attacks, in particular by carrying out cyber attack simulations. The Group organises up to three campaigns per week, built from sophisticated scenarios inspired by real cases, tested on randomly chosen populations. Several indicators are observed, including the percentage of employees tested, the reporting rate and the compromise rate (percentage of employees on whom the phishing worked) and conversely, the success rate of simulation campaigns. It is the latter indicator that constitutes the benchmark performance indicator. In 2024, the success rate of cyber attack simulation campaigns was 87%, a slight decline compared to 2023, due to tougher test campaigns to prepare teams for more realistic scenarios. As the calculation of this key indicator does not take into account the complexity of campaigns, it does not fully reflect the reality of user awareness on a comparable basis from one year to the next.

Physical protection of sites

As the cloud relies on physical infrastructures, data security also involves securing OVHcloud’s sites, with particular attention paid to its datacenters, which house the servers on which the data are stored or transferred. These sites are particularly important to ensure the continuity of customers’ business. OVHcloud therefore implements a large number of measures to protect its sites, including:

• security and 24/7 surveillance;
• an anti-intrusion system;
• strict access control;
• regular contact with the authorities.

On the night of 9 to 10 March 2021, a fire broke out in one of the four OVHcloud datacenters in Strasbourg, France. Since then, the Group has launched a Hyper Resilience plan, aimed, in particular, at taking safety standards beyond regulatory standards and insurers’ recommendations.

The inauguration of the new datacenter in Strasbourg, SBG5, in September 2022, demonstrated the first concrete results of the Hyper Resilience plan. The result of a €30 million investment launched in April 2021, the site is the first of a new generation of hyper-resilient and more sustainable datacenters. Covering an area of 1,700 sq.m., SBG5 has a total of 19 isolated rooms with masonry that compartmentalises the different segments in order to provide two hours of fire resistance.

Press release: https://corporate.ovhcloud.com/en-gb/newsroom/news/SBG5-opening/

In accordance with its commitments, the Group has launched a new datacenter dedicated to raw data backups (snapshots) and remotely situated from service operating sites. Initially deployed for French customers, the Group plans to roll out this service more generally in order to extend it to all its solutions and locations.

Personal data protection and data sovereignty

OVHcloud processes a very large amount of personal data every day, both on behalf of its customers, through its cloud products and services, and on its own behalf.

OVHcloud's top priorities are data security, the transparent and proportionate use of the Group's customer information, and the protection of customer data from foreign laws with extraterritorial application.

OVHcloud has adopted a personal data processing policy that complies with the strictest regulations and applies to all its entities and employees. The policy guarantees customers that their data are secure and ensures compliance with the GDPR and all applicable national legislation, such as the UK Data Protection Act, the Australian Data Protection Act and Quebec's Law 25. It is implemented under the supervision of the Data Protection Officer (DPO), whose role is described in Chapter 2 of this Universal Registration Document.

Main features of OVHcloud's personal data processing policy

• Data governance

The following data protection committees and workshops are held on a regular basis to ensure compliance with applicable laws and to monitor any measures these laws may require:

• the Internal Project Review Committee, whose purpose is to review project relevance and compliance with the principle of privacy by design by taking into account technical, IT security and personal data processing requirements (50 projects reviewed during the 2024 financial year);
• ad hoc committees to manage projects involving new tools or services for customers;
• monthly monitoring committees between the DPO and key data protection players, such as the Chief Information Systems Officer (CISO), customer service staff and representatives of the Information Systems Department.
• Team training and awareness-raising

Group employees are given mandatory training in data protection as soon as they join OVHcloud, regardless of the Group subsidiary for which they work.

The training takes place in two stages: (i) during onboarding week, attended by all new employees, including members of the Executive Committee, and (ii) through the compulsory e-learning programme accessible via the Group's e-learning platform.

• Compliance documentation and procedures

OVHcloud documents compliance through its data processing records and impact assessments.

To facilitate the management of this documentation, OVHcloud has invested in a data governance tool that centralises all key data protection information.

In addition, OVHcloud has a set of procedures designed to ensure compliance with data protection principles. These include:

• a policy for handling requests to exercise rights;
• a personal data storage policy;
• a policy for managing security incidents (data breaches);
• a policy for managing data retrieval requests;
• a policy for managing authorisations to travel with OVHcloud equipment outside the European Union.

• Rights of data subjects

OVHcloud has made an online form available on its website to enable data subjects to exercise their rights. The form ensures that requests are traceable and receive a response within the appropriate time frame.

Requests are handled by a dedicated five-person team within the Group customer service division, who respond to such requests on a daily basis.

• Data breaches

Data security is central to OVHcloud's business. The Group has put in place a series of measures designed to prevent data breaches.

In addition, the DPO's and CISO's teams work closely together to ensure that IT incidents are properly addressed and to prevent any personal data breaches.

OVHcloud also keeps records of data incidents and breaches in accordance with the GDPR and local legislation such as Quebec's Law 25.

• Protection against foreign interference

OVHcloud implements technical and organisational measures to protect data hosted by its European customers within the European Union against interference from non-European authorities. From a technical perspective, neither the infrastructure hosting this data nor any personal data relating to customers can be accessed by OVHcloud entities or third-party partners located in third countries that do not guarantee the same level of data protection as the European Union.

For this reason, the Group's US entities are not involved in the services provided to OVHcloud's European customers and do not have the technical ability to access the data these customers host in OVHcloud's European datacenters. As a result, the US entities have no control over the data stored in these datacenters and cannot comply with data requests from the US authorities.

Only entities located within the European Union or in countries whose level of protection has been the subject of an adequacy decision by the European Commission, in particular Canada, may, under the terms of service in force, take part in the provision of services to OVHcloud's European customers and perform technical work on the infrastructure hosting these customers' data.

3.1.1.2Ethical data processing

Ethical data processing has always been at the heart of OVHcloud's business model. It involves processing users' data in such a way as to guarantee privacy, and is demonstrated through four commitments:

In order to carry out these various projects and commitments, OVHcloud has set up several bodies enabling federated data governance:

• the Data Coordination Committee guarantees strict control of the quality of the data and its consistency by reinforcing ISO 27001 and ISO 27701 standards;
• the Sovereignty working group brings together various OVHcloud players to protect customer data from international players.

3.1.1.3Campaigning for a European cloud

OVHcloud defends a European open cloud model, which guarantees the protection of the data of citizens and organisations and which ensures Europe’s digital sovereignty, a key component of the continent's strategic independence. To this end, OVHcloud shares its vision and proposals with political and institutional participants in public decision-making, either directly with these players or in conjunction with representative associations, through its ecosystem of partners or as part of public events.

OVHcloud advocacy

OVHcloud intends to fully assume its role as the European cloud leader. Spearheading initiatives on a French, European and international scale, the Group is proactively campaigning for the development of an ecosystem of European cloud providers capable of meeting the needs of users.

Digital sovereignty and a level playing field in the European cloud market are fundamental to guaranteeing freedom of choice for cloud service users. OVHcloud works on several fronts to raise awareness of the issues surrounding data processing – and the importance for organisations of controlling their most sensitive data – and cloud interoperability, for example. Its initiatives include participation in trade fairs, round tables, debates, keynotes and discussions with representatives of national, European and international institutions, as well as the organisation of ad hoc events.

OVHcloud's actions within its ecosystem

The European cloud model championed by the Group implies a European vision of personal data protection, and consequently a commitment at the level of the ecosystem, on both a European and a national scale.

• Creation of the Trusted Tech Strategic Sector Committee(4)

In October 2022, Michel Paulin, then Chief Executive Officer of OVHcloud, was tasked by the French government with structuring and consolidating the French trusted tech sector, in which the cloud plays a central role.

• Founding member of Gaia-X

OVHcloud participated in the creation of Gaia-X(5), a European initiative launched in 2020 whose objective is to build a federated, open, secure and transparent digital ecosystem. It aims to enable users to benefit from cloud services that meet their needs, both technically and legally, and offer them appropriate guarantees, in particular in terms of data protection, interoperability, security or immunity to extraterritorial laws. As part of Gaia-X, OVHcloud is promoting the introduction of a label for cloud services guaranteeing users an appropriate level of data protection. In 2023, OVHcloud was re-elected to Gaia-X's Board of Directors for two years.

• Founding member of the European Alliance for Industrial Data, Edge and Cloud

OVHcloud is also a founding member of the European Alliance for Industrial Data, Edge and Cloud(6), an initiative launched by the European Commission, which mobilises 57 European industrial players to strengthen Europe’s ability to develop its own cloud and edge technology, taking into account the challenges of sovereignty and sustainable development. OVHcloud took part in the Alliance's general meetings and contributed to deliverables.

Building on all these commitments, the Group, alongside its ecosystem, supports legislative projects and initiatives that are able to support European digital sovereignty and the establishment of a level playing field for the cloud market, such as in France with the bill to secure and regulate the digital environment, and in Europe with the Digital Markets Act (DMA), the Data Act and the development of a European cybersecurity scheme for the certification of cloud services, known as EUCS. The Group also backs ongoing investigations worldwide into restrictive practices in the cloud market, as recently identified by the French Competition Authority and many other countries including the Netherlands, Spain and the United Kingdom.

3.1.2Guaranteeing freedom of choice and reversibility

In terms of the cloud, there are a number of factors that can hinder, or on the contrary promote, the freedom for customers to create and undertake projects. OVHcloud’s best asset lies in its open approach, based on co-construction and the foundation of the relationship of trust established with its customers. This openness is defined by several commitments: offering reversibility and interoperability, working and campaigning for open technologies, as well as taking a collective approach to innovation.

3.1.2.1Reversibility and interoperability

OVHcloud offers its customers the option of deploying their technologies and services anywhere, without technological lock-in and without egress fees for the repatriation of data that could hinder the customers' freedom to cancel a service. OVHcloud offers its customers complete reversibility and flexibility, allowing them to take advantage of the services that best meet their needs. Reversibility is one of OVHcloud’s Cloud S.M.A.R.T. commitments (see Section 3.1.2.3 of this Universal Registration Document), and follows principles such as offering an open and standard environment, where customers have extensive control over their systems and data, and detailed documentation to facilitate inbound and outbound migration.

The Group also works to ensure that its technologies are interoperable, i.e., able to work with the technologies of other cloud providers, thus maximising agility and efficiency for its customers.

3.1.2.2Working for open source

In order to perpetuate these commitments and not to limit either its future approaches nor those of its customers, OVHcloud continually ensures that its innovations are open, in addition to being reversible and interoperable. For the Group, it is essential that the entire sector progresses, by sharing and transferring knowledge as well as capitalising on past developments.

OVHcloud has developed many open source technologies, such as CDS or Bastion solutions, with the code being made available on open collaborative platforms such as GitHub. In order to widen access to open source technologies, the Group offers many of them as an OVHcloud service. Having an accessible source code, which can be modified and integrated by other developers, promotes continuous improvement and innovation, in a context of collaborative innovation, and also increases the security of the software concerned.

OVHcloud is a member of the Open Invention Network (OIN(7)) in order to group Linux patents with other technological players. The aim is to protect the open source operating system against any legal action. OVHcloud grants licenses on its patents, free of charge, in the same way as each of the other members. By sharing all of its software patents, through its Patent Pledge, OVHcloud further defends open source values and the protection of a common heritage.

The Group also carries out sponsorship initiatives for structures such as OpenInfra, the Cloud Native Computing Foundation (CNCF), and LetsEncrypt. OVHcloud also encourages its employees to contribute to open source solutions, both in the writing of the code and in their promotion, and to prioritise their use when they mature.

In accordance with its commitment to a reversible cloud with no vendor lock-in, OVHcloud has chosen open-source components for NAS-HA, its managed file storage service.

Open source is about more than just software. As part of the 2024 Open Compute Project EMEA Regional Summit, OVHcloud published two white papers: one on a manual control valve, and the other on a three ball flow meter. These examples show how OVHcloud openly shares its open-source developments, contributing to datacenter energy efficiency.

3.1.2.3Innovation & co-construction

Reflecting its values of openness and transparency, innovation at OVHcloud is part of a co-construction approach within an ecosystem of partners, based on a vision centred on the S.M.A.R.T. cloud: Simple, Multilocal, Accessible, Reversible and Transparent.

This collaborative approach to innovation materialised through several partnerships:

• OVHcloud, Davidson consulting, Inria (Institut national de recherche en sciences et technologies du numérique) and Orange joined forces for the “DISTILLER” research programme (recommenDer servIce for SusTaInabLe cloud nativE softwaRe) to reduce the environmental impact of cloud applications. This project aims to answer questions such as how can a new, sustainable and energy efficient cloud native software be developed? Which programming languages, libraries, frameworks and cloud infrastructures should be taken into consideration for each project?
• A technology partnership between the Greater Paris University Hospitals (Assistance publique – Hôpitaux de Paris, AP-HP) and OVHcloud with regard to the healthcare data warehouses: Its aim is to accelerate the development of the AP-HP's healthcare data warehouse, launched in 2016, to enable studies and research based on healthcare data.
• HFactory and OVHcloud continued their partnership to advance Data Science and AI skilling.
• OVHcloud partnered with Speechbrain and Mila to accelerate research in neural speech processing.

In 2015, the Group also developed a startup programme to help future entrepreneurs create their business, with a goal of supporting 1,000 startup projects every year as from 2023. The programme offers both funding in public cloud credits and support for a period of 12 months.

Since 2021, OVHcloud has also provided support for the emerging quantum ecosystem via its R&D branch and its startup programme:

• in the 2021 financial year, OVHcloud launched a startup programme dedicated to quantum startups;
• in the 2022 financial year, OVHcloud partnered with Atos in the field of quantum computing and acquired Atos' QLM quantum emulator, making it available as a service through OVHcloud offers. Furthermore, OVHcloud co-founded the France Quantum event with Startup Inside, financed the Quantum Lab and provided Perceval, the first notebook-format software emulator, with Quandela;
• in 2023, OVHcloud purchased its first quantum machine, the MosaiQ computer designed by French company Quandela, to support its research and development efforts in the field of quantum computing. The Group's goal is to provide its research and development department with the tools needed to experiment with a Quantum Processing Unit (QPU) based machine for various use cases;
• provision of new emulator Callisto by startup C12, the third quantum emulator accessible via a notebook after Atos' MyQLM and Quandela's Perceval to facilitate quantum computing;
• inauguration of the first Maison du Quantique in France on 20 October 2023, in collaboration with key players in the French quantum ecosystem and Le Lab Quantique;
• in 2024, OVHcloud will bring three additional quantum software emulators online: Pasqal's Pulser, Alice & Bob's Felice and iBM's Qiskit, bringing the total to six notebook emulators.

3.1.3Giving access to the best aspects of the cloud to as many people as possible in complete transparency

OVHcloud is convinced that the cloud can be an opportunity for companies to achieve better technological performance while maintaining an efficient cost structure. In addition, OVHcloud's services offer the advantage of delivering one of the best performances in the industry in terms of carbon footprint.

Offering a service to accelerate digital performance with the best price-performance ratio, the lowest carbon footprint and predictable prices has been at the heart of the Group’s value proposition since its inception.

3.1.3.1Best price/performance ratio

OVHcloud offers one of the best price/performance ratios on the market. Since its creation, the Group has set out to provide its customers with the benefits of its vertically integrated model and its innovations such as watercooling, with the aim of providing them with the benefits of the flexibility of the cloud while controlling their expenses. The combination of high performance and attractive pricing has been recognised by customers as a key differentiating factor (see Section 1.5.4 of this Universal Registration Document for a detailed description of this differentiating factor).

3.1.3.2Price predictability and transparency

The migration of companies to the cloud is driven by multiple benefits, such as increased agility and scalability, and optimised IT investments. Today, cloud products and services have become a major budgetary item that companies are seeking to better control. To this end, it is particularly important to understand the structure of costs related to the use of the cloud and to be able to anticipate them.

In a spirit of openness, OVHcloud advocates transparency and defends a predictable and “all-inclusive” cloud pricing model in order to simplify the budgeting of cloud costs for users. This is reflected in particular by:

• the inclusion of inbound and outbound data transfer, which facilitates outbound traffic budgeting;
• a fixed price for storage and bandwidth, regardless of the volume and frequency of access;
• no additional fees for API (application programming interface) calls.

3.2Pioneering the sustainable cloud

At the forefront of the sustainable cloud, OVHcloud has integrated sustainability at the heart of its business model since its creation, by developing industrial innovations to limit its environmental impact. During the 2024 financial year, OVHcloud pursued its climate performance trajectory by fine tuning its existing environmental objectives. Accordingly, the quantified objectives presented by the Group this year reflect its ongoing commitment in favour of sustainable and responsible practices.

OVHcloud’s environmental action is structured around three pillars:

• innovation, at the heart of its industrial model;
• implementation of the Paris Agreement;
• communication and awareness-raising on all the impacts of the cloud, in order to guide consumption choices.
• The Paris Agreement, adopted in 2015, aims to limit the global average temperature increase to 1.5°C above pre-industrial levels. The parties to the Agreement commit to reducing their greenhouse gas emissions and strengthening their resilience to climate change. In this context, OVHcloud has been committed since 2023 to a process following the Science Based Target initiative (SBTi), an international benchmark that helps organisations to align their decarbonisation strategy with the pathway defined by the Paris Agreement.

Environmental performance indicators and key figures

To measure its energy and environmental performance, OVHcloud monitors four key indicators:

• PUE (Power Usage Effectiveness), which measures the energy efficiency of the Group’s datacenters: it is the ratio between the total energy used and the electricity used to power the servers;
• WUE (Water Usage Effectiveness), which measures the efficiency of water use: it is the ratio between the water consumption of cooling systems in litres and the electricity used to power the servers;
• CUE (Carbon Usage Effectiveness), which measures the carbon intensity of the datacenters, taking into account the characteristics of the energy source: this is the ratio between greenhouse gas emissions from scopes 1 and 2 and the electricity used to power servers;
• REF (Renewable Energy Factor), which measures the proportion of renewable energy consumed by the datacenters compared to their total consumption.
• GHG (Green House Gas) emissions are measured in kilograms or tonnes of carbon dioxide(8). OVHcloud changed its methodology for measuring greenhouse gas emissions to adopt the GHG Protocol, in preparation for its SBTi process. Two accounting methods are implemented in parallel: the location-based approach, which takes into account the average emission intensity of the local electricity grid where the energy consuming company is located, and the market-based approach, which takes into account the energy sourcing choices made by the company, including Energy Attributes Certificates (EACs), which are official and traceable instruments for certifying the renewable origin of a given quantity of electricity.
• In 2023, the scope of measurement for PUE and WUE had changed compared with 2022. It remained constant in 2024. In addition, as part of its ongoing pursuit of transparency, the Group has expanded its list of monitored performance indicators.
•  

3.2.1Placing innovation at the heart of OVHcloud’s industrial model

OVHcloud is a global provider of digital infrastructures, which operates its datacenters and designs and assembles its own servers. This vertically integrated model has allowed the Group to optimise its industrial process by integrating innovations at scale for 20 years, such as the proprietary watercooling technology in its datacenters, or by applying the principles of circularity and resource efficiency. This allows for a better management of environmental impacts at each level of the value chain. OVHcloud is determined to continue to innovate and develop its industrial model to encourage sustainability.

3.2.1.1Adopting a circular approach thanks to a single integrated model

OVHcloud’s circular approach is fully embodied in its integrated industrial model, through which the Group operates its own datacenters and manufactures its servers. This approach is unique on the market. Since its inception, OVHcloud has been committed to reducing its environmental impact at each stage of the server lifecycle, through the design and construction of its datacenters and servers, the recycling of components and extending the lifespan of its hardware.

Illustration of OVHcloud’s integrated industrial model.

A complete process to optimise the lifespan of a component

In line with the optimisation and management of its server lifecycle, OVHcloud set up a reverse supply chain in 2009, which optimises the lifespan of its servers.

• Design. OVHcloud designs and manufactures its own servers at its two sites in Croix (France) and Beauharnois (Canada). Servers are designed to be entirely dismantled. They are equipped with dedicated components, selected to be easily reused, recycled and repaired.
• Reuse. The Group manages to extend the lifespan of its infrastructures, servers and components by reusing them. 100% of servers are disassembled after use and their components are rigorously tested to give them a second life, either in a circuit or through external recycling and recovery. The use of refurbished components in the Group's servers extends their lifespan to an average of almost five years (and up to nine years). This enables some of the carbon emissions from their manufacture to be avoided. In 2024, the reused components ratio was 27%, compared to 36% in 2023 and 25% in 2022. 2024 saw the launch of new ranges, for which the purchase of new components is unavoidable, hence reducing the reused components ratio.

This circular approach extends to the choice and location of datacenters, by opting for the redevelopment of a former brownfield site rather than the construction of new buildings. At 31 August 2024, 26 of the 30 datacenters fully operated by OVHcloud were refurbished buildings. Equipped with OVHcloud's own infrastructure, these sites are also designed to have a longer lifespan.

A standardised and uniform waste management process

In line with the target of zero waste to landfill from production centres, OVHcloud finished unifying and standardising its waste accounting methodology during the 2024 financial year. This methodology, which is now applied at 100% of the Group's sites, is used to define the types of waste (cardboard, plastic, wood, WEEE, CIW, etc.) and their destination (recycling, energy recovery, landfill) completely and accurately.

In 2024, 846 metric tonnes of waste was produced, 12% of which was sent to landfill.

In order to significantly reduce this proportion, OVHcloud is taking action in several areas:

• aligning sorting across all Group sites with best practices, in particular by introducing sorting options at all sites;
• managing or changing service providers to optimise waste processing;
• partnering with a company specialising in the recycling of WEEE (TN Industrie), with a view to upgrading non-repairable and non-reusable electronic boards and, ultimately, recovering precious and strategic metals;
• taking recyclability into account when restoring existing sites. In this respect, the restoration of the P19 site in Paris went well beyond state of the art standards, with a waste recovery rate of 95.3% (French regulations impose a rate of 70%).

As a result of these efforts, the Group's landfill rate was virtually halved, from 20% in 2023 to 12% in 2024. It should be noted that 8% of this 12% is attributable to the Beauharnois site. The search for local recycling channels will continue throughout 2025 in order for the Group to achieve its target.

OVHcloud also encourages its suppliers, through its supplier Code of Conduct, to reduce their waste and implement more recycling and reuse.

The integrated industrial model, a factor of autonomy and resilience

Crises such as the COVID-19 pandemic and the Russia-Ukraine conflict have highlighted the vulnerabilities of supply chains and dependencies in terms of access to resources. Faced with these external factors, OVHcloud's integrated industrial model is an asset. It allows optimal control of its supply chain, thus reinforcing its autonomy and resilience capacity, while offering its customers incomparable guarantees in terms of service continuity. The Group is able to choose and check all of its components, thereby guaranteeing quality down to the smallest components, while achieving economies of scale. The circular approach provides agility in server design and the possibility of adjusting to supply tensions, by adapting product classifications according to the availability of components from suppliers, but also internally (reuse of refurbished components).

3.2.1.2Innovating with a view to achieving resource efficiency

OVHcloud has been innovating industrially for 20 years by developing proprietary solutions with a view to achieving resource efficiency. The Group places the optimisation of resource management, particularly energy and water, at the heart of its strategy. This conviction was developed very early, well before the current crises (energy crisis in Europe, increase in water-stressed areas, etc.).

Continuous innovation for cutting-edge environmental performances

OVHcloud is a pioneer in optimising datacenter water consumption. In 2023, the Group celebrated 20 years of innovation in its datacenters thanks to its proprietary watercooling technology for cooling servers with water. OVHcloud uses this technology on a large scale, eliminating the need for air conditioning in server rooms, with significant benefits in terms of costs and reduced environmental impacts. Direct watercooling removes heat from the most energy intensive components, such as processors (CPU, CGU), and the air (which is then cooled inside the rack using water through a heat exchanger) removes heat from other components. The heated water is then cooled using dry cooling towers. OVHcloud stands out with its closed circuit system that reduces the leakage of fluid, and by the use of dry coolers and the absence of air conditioning in the server rooms. In addition to being very efficient in terms of water and energy consumption, OVHcloud’s watercooling technology has relatively low maintenance costs.

During the 2023 financial year, OVHcloud reached a new milestone in terms of innovation with the presentation of a new generation of liquid cooling technology, Hybrid Immersion Liquid Cooling. As its name suggests, it is a hybrid solution, combining the best of watercooling and immersion cooling (complete immersion of the server in a dielectric fluid) technology. It consists of a watercooling system directly on the chip and a single-phase passive natural immersion cooling system:

• Watercooling: cooling of a heat sink through water blocks placed on the processors (CPU, GPU) with the same solution used in all OVHcloud servers and a proprietary serpentine convection coil connected to a pumping substation (PSS) and a dry cooler to evacuate heat outside the DC;
• Immersion cooling: the fluid is contained in a tank and cools all IT equipment in the server, not just the processors; the fluid replaces the air circulating in OVHcloud servers, thus enhancing the efficiency of any component not cooled by OVHcloud watercooling systems.

This hybrid design, for which 16 patent applications have been filed, differs from pure immersion cooling solutions and offers several advantages in terms of energy consumption and efficiency:

• the new passive rack design, with no pumps or fans, resulting in zero cooling electrical consumption at rack level;
• the ability to operate high-power racks with a datacenter inlet temperature of up to 45°C, allowing for different cooling loads for different climatic conditions;
• minimal power consumption by the cooling infrastructure at DC level, even less than for water-cooled servers;
• greater capacity to recapture fatal heat, opening up heat recovery opportunities.

All in all, this technology will improve the Group's energy efficiency indicators.

Constant focus on water conservation

Since developing its unique server watercooling technology, OVHcloud has taken particular care to preserve this natural resource.

• The circuits that collect the heat emitted by IT equipment are closed loops.
• The physico-chemical state of the circulating water (pH, hardness, purity, absence of micro-organisms) is maintained over time by measurement systems and, where necessary, occasional treatment.
• The heat collected is transported outside the buildings to be dissipated into the ambient air via "dry" water/air exchangers.

When outside temperatures are high (>27°C), the air temperature needs to be lowered to ensure that heat is properly transferred. The system used is an open water misting circuit with heat exchangers. This process causes water droplets to evaporate naturally, lowering the temperature of the air circulating through the heat exchangers. The performance of water use is measured using a standardised indicator, WUE, as outlined in the environmental performance indicators.

Despite consuming moderate amounts of water, OVHcloud is aware of the issue of water stress and is continuing its development efforts to limit consumption. It has two main areas of focus:

• the installation of cooling pads with water recycling tanks on dry heat exchangers to reuse unevaporated water mist and therefore limit water consumption. This system, which has now been fully installed at the SBG5 (Strasbourg) datacenter and partially at the GRA3 (Gravelines) and SBG3 (Strasbourg) datacenters, is now being deployed massively;
• the overhaul of cooling systems (5th generation) with an increase in the temperature of the water loops and a reduction in the air flow rate through the exchangers in order to reduce the operating ranges of the misting system and also the volume of water required.

Following positive feedback on the operation of the latest-generation cooling systems deployed at Strasbourg 5 in particular, OVHcloud has set itself the target of achieving 0.32 L/kWh of Group WUE by 2025 by speeding up retrofitting for the most water-intensive equipment (systems) in the Group's datacenters.

Transparency and certification of energy and environmental performance indicators

As a designer and operator of datacenters, the Group considers energy as one of its main items of expenditure and environmental impact. OVHcloud has made energy performance a priority.

This commitment is materialised through an energy management system, compliant with the ISO 50001 standard, which aims to optimise energy management in datacenters. In 2021, OVHcloud obtained ISO 50001 certification for its datacenters in France, which was confirmed following audits carried out during the 2023 financial year. During the 2024 financial year, OVHcloud extended the energy management system and certification to all its European datacenters. Furthermore, in 2024, OVHcloud obtained ISO 14001 certification for its Gravelines datacenter. This certification is being extended to the French datacenters.

Consequently, OVHcloud formalised its participation in the European Commission's Code of Conduct on Data Centre Energy Efficiency for all its European datacenters (Gravelines, Strasbourg, Roubaix, Limburg, Erith, Warsaw). The Code of Conduct is an initiative by the European Commission in response to the increase in energy consumption in datacenters and the need to reduce the impact on the environment, the economy and energy security. Its aim is to efficiently reduce energy consumption, without hindering the critical role played by datacenters. The Code lists more than 100 best practices that cloud service providers commit to respecting. It is updated and published annually. In accordance with the Taxonomy Regulation, the implementation of these practices was audited by an independent third party, who issued a certificate of compliance on 13 October 2023 (see Section 3.4 of this Universal Registration Document for further details on the Taxonomy).

It should be noted that the Group has integrated its North American datacenters (Beauharnois, Vint Hill, Hillsboro) into this Code of Conduct.

Summary of the four environmental performance indicators

• PUE for the 2024 financial year was 1.26, following business growth in the Group's most recent and most efficient datacenters.
• WUE for the 2024 financial year was 0.37 L/kWh IT(9), higher than the 2023 figure, reflecting the greater use of evaporative cooling as a result of climatic conditions prevailing during the summer. It is important to highlight that the WUE, currently measured as category 1 according to ISO 30134-9, overestimates reality. This measurement does not deduct the amount of water returned to the natural environment from upstream water consumption.
• CUE reached 0.16 tCO2e/MWh IT in 2024, an improvement on the 2023 level, thanks to a reduction in scope 2 induced emissions in relation to energy consumption.
• REF rose by 1 point to 92%, reflecting the inclusion of renewable energy, which OVHcloud uses in Hillsboro (Oregon).

In an ongoing effort to improve transparency, OVHcloud is now making the full results for each site available for each of these indicators.

3.2.2Bringing OVHcloud in line with the Paris Agreement

The Group has made a collective commitment to controlling its greenhouse gas emissions(10).

3.2.2.1Climate strategy

OVHcloud is putting carbon neutrality at the heart of its ambitions, by focusing on three main priorities:

• Area 1: Reduction of compressible emissions to their maximum by 2030 (see Section 3.2.2.3 of this Universal Registration Document).
• Area 2: Involvement of the ecosystem: partners, customers, suppliers and employees in a process to reduce their carbon footprint.
• Area 3: Contribution to increasing carbon sinks for all residual emissions.

3.2.2.2Carbon footprint

In order to manage its climate strategy (and precisely define its targets and their progress), OVHcloud has been carrying out its carbon footprint assessment on scopes 1, 2 and 3 since 2017.

OVHcloud changed its methodology for measuring GHG emissions by adopting the GHG Protocol, in preparation for its SBTi process. SBTi's assessment of the emissions reduction target was completed in October 2024. The following retroactive changes have been applied to previous years' carbon footprints:

• allocation of past emissions due to the gridscale infrastructure acquired by the Group in 2023;
• reallocation of emissions due to energy consumption in shared datacenters within the Group's scope 2;
• allocation of emissions due to telecom operations (VoIP, Xdsl, Fiber);
• elimination of depreciation charged to buildings constructed. Emissions associated with the construction are now accounted for in the year of construction;
• inclusion of various emissions (employee meals, public transport, water for tertiary buildings);
• use of Energy Attribute Certificates (EAC) to calculate market-based emissions from 2023 for the following sites: Roubaix, Gravelines, Strasbourg, Limburg, Warsaw, Erith and Beaharnois. These EACs may be Guarantees of Origin (GO), Renewable Energy Credits/Certificates (RECs), Renewable Energy Certificates (REC), or Renewable Energy Guarantees of Origin (REGO).

Full 2024 carbon footprint

Comments on the Group's carbon footprint

Scope 1

The Group recorded more emissions linked to hydrofluocarbon (HFC) leaks.

The other categories have remained relatively stable.

Scope 2

• Location-based emissions: the improvement in the emission factor of the French electricity mix resulted in a slight reduction in emissions, despite an increase in the Group's energy consumption.
• Market-based emissions: unlike location-based emissions, market-based emissions are increasing due to the rise in energy consumption within the Group, particularly in areas where the Company does not yet have access to renewable sources of electricity.

Scope 3

• Category 2 (capital goods): 2023 was marked by the purchase of a relatively low quantity of new hardware components, and a rise in reused components, greatly reducing category 2 scope 3 carbon footprints compared with 2022. In 2024, purchases of components returned to a more traditional level, resulting in a rise in emissions recorded in this same category.
• Category 3 (fuel and energy-related activities): energy-related emissions excluding direct emissions from production, are trending upwards, due to the growth in the Group's energy consumption. It should be noted that the calculation of life cycle emissions is higher for market-based emissions, mainly due to the fact that OVHcloud has a significant energy activity in France, and that French location-based emissions are drawn down by the extremely low carbon footprint of nuclear power. In addition, a negligible percentage of biomass, for which the life cycle carbon footprint is not negligible, has been reported as market-based emissions.
• Category 4 (upstream transportation and distribution): for emissions linked to transport, OVHcloud set about obtaining primary data from its freight forwarders in 2024. It appears that the calculation methods used up to now (calculating mass and distance travelled, according to transport mode and associated emissions factors) were overestimated when compared with primary data received directly from our carriers this year.
• Category 8 (upstream leased assets): a significant increase has been observed, corresponding in particular to the quantification of emissions from the backbone of the OVHcloud network. The expansion of network capacity, particularly abroad, is driving this trend. A large proportion of the emissions linked to network transit are attributable to the highly carbon-intensive energy produced to supply the network.

The other categories have remained relatively stable.

3.2.2.3Climate roadmap

Controlling carbon emissions in the very short term – 2025

OVHcloud has been gradually reducing its scope 1 and 2 emissions by purchasing renewable and low-carbon energy since 2022.

The Group's Renewable Energy Factor (REF) is 92%. Only Vint Hill, with its datacenter located in Virginia, was not powered by low-carbon energy in 2024. It will be in 2025 to meet very short-term targets.

The purchase of renewable and low-carbon electricity will enable the Group to achieve the target of reducing scope 1 and 2 greenhouse gas emissions by 73.4% by 2025 compared with 2022, in line with the short-term strategy described below.

Controlling carbon emissions in the short term – 2030

In 2024, OVHcloud formalised its short-term strategy to reduce greenhouse gas emissions by 2030. This formalisation has resulted in:

• a written commitment by management, in the form of an SBTi commitment letter, to quantify and submit a short-term (2030) target;

• a GHG emissions control plan, consisting of:
  • modelling the emissions trajectory up to 2030,
  • identifying and quantifying the decarbonisation levers to be put in place,
  • checking the technical and economic feasibility of the plan and its compliance with the SBTi standard;
• submitting the GHG emissions control plan to the SBTi;
• the SBTi's assessment of the conformity of this plan.

Commitment to the Science Based Target (SBTi) initiative

• Target 1: OVHcloud undertakes to reduce its scope 1 and 2 GHG emissions by 73.4% by 2030, compared to the 2022 baseline year.
• Target 2: OVHcloud undertakes to reduce its scope 3 GHG emissions by 52% per million euros of added value within the same timeframe.

The SBTi's target approval team ranked the ambition of OVHcloud's scope 1 and 2 targets and determined that they were consistent with a 1.5°C pathway. The SBTi welcomes the ambitious 1.5°C-aligned target, which is currently the most ambitious target through the SBTi process.

Target 1 action plan

• Scope 1
  • Reducing the quantity of refrigerants installed by installing more watercooling systems in addition to those in the server rooms (energy rooms, network equipment) or by using more environmentally friendly HFC (hydrofluorocarbon) fluids with lower GWP (global warming potential).
  • Recovering wasted heat which will eliminate the need for a boiler to heat the offices of the Limburg datacenter.
  • Gradually replacing domestic heating oil (derived from fossil fuels) with HVO (hydrotreated vegetable oil) derived from biomass residues.
• Scope 2
  • Implementing a programme to reduce energy consumption (through more efficient cooling systems, the elimination of waste and rationalisation of virtualised infrastructures), leading to full-year energy savings of 5.2 GWh in 2023.
  • Implementing the energy performance plan with the DREAL(11) at the Gravelines site.
  • Increasing the proportion of renewable energies in the Group's energy purchases.

OVHcloud is also continuing to innovate in the integrated design of its servers and associated cooling systems. Consequently, cooling systems that are more efficient in terms of energy and water consumption are now being deployed (4th and 5th generation watercooling).

In addition, one of the areas of work that will significantly improve GHG emissions in the coming years is the optimisation of OVHcloud’s energy mix. The Group relies, among other things, on renewable energy purchase agreements such as Corporate Power Purchase Agreements (CPPA), which will help the Group to achieve its target of 100% low-carbon energy by 2025 (renewable, nuclear and hydroelectric).

The Group has signed two such agreements, effective from 1 January 2025:

• a CPPA in France, covering around 40 GWh of consumption per year;
• a solar CPPA in Germany, covering around 30 GWh of consumption per year.

Target 2 action plan

The main carbon emissions item concerns the manufacture of server components, with two main levers of action for OVHcloud: the reuse of components (see above), thanks to its circular approach to the production chain, and the implementation of a sustainable supply chain with suppliers (improvement of the carbon footprint of new components).

OVHcloud is also working to optimise its freight to reduce its emissions as part of the Fret 21 initiative. The aim of this initiative is to encourage companies acting as contract givers to better integrate the environmental impact of transport into their sustainable development strategy. Each company wishing to take part signs an agreement with the French Agency for Ecological Transition (ADEME), in which it sets a target for reducing CO2 emissions and undertakes to implement actions to achieve it. The aim is to achieve a reduction of 28% in CO2 emissions in the transport segment by 2030. The corresponding projects at OVHcloud relate to:

• anticipating the needs of its logistics chain;
• optimising logistics networks;
• selecting freight suppliers according to their environmental targets;
• arbitrating emergency freight according to the carbon impact.

The other scope 3 items are also impacted: circularity applied to buildings, with the reuse of existing buildings rather than the construction of new datacenters, Green IT initiatives and work on employee mobility. In terms of Green IT, a number of actions were taken during the 2023 financial year, including improving calls for tender with the systematic inclusion of environmental criteria to select IT suppliers, the introduction of a Cleaning Day to extend the lifespan of computers by six months, and actions to raise employee awareness (Green IT week).

Quantifying emissions avoided with move-to-cloud

OVHcloud is taking an active part in the Net Zero Initiative (NZI) for IT with its partner Carbone 4, with the aim of outlining the methodology for calculating emissions avoided by move-to-cloud.

Active participation in carbon avoidance and sequestration projects

In preparation for the post-2030 period, and the long-term pathway to 2050, OVHcloud supported carbon offsetting projects in collaboration with Terraterre: implementation of low carbon projects as defined under Decree no. 2018-1043 and French government order of 28 November 2018 in the agricultural sector. The agreement applies to projects on eight farms in France to achieve a 1,848 tCO2eq. reduction.

OVHcloud has also supported reforestation projects alongside STOCKCO2 in various regions of France. The amount of carbon ultimately offset through these projects is estimated at 3,580 tCO2eq.

Circular economy and waste management

Dedicated initiatives are also implemented on the subject of waste, to ensure the target of zero waste to landfill from production centres by 2025 is achieved, regarding waste from OVHcloud's processes. This commitment to responsible waste management has also been incorporated into the Supplier Code of Conduct. In addition to this upstream part of the chain, OVHcloud proactively contributes to reducing its waste through internal traceability of waste, reuse and limitation of packaging, participation in ecosystem projects such as CEDaCI (Circular Economy for the Data Centre Industry) – a multidisciplinary network of players working for the circular economy in the datacenter segment. OVHcloud will also endeavour to apply this commitment to its future locations, according to the possibilities offered by local waste reprocessing channels.

OVHcloud has drawn up a roadmap to formalise its environmental strategy targets, which is summarised in the tables below:

Reduce scope 1 and 2 emissions by 73.4% by 2025 (compared to 2022)

Maintain the target of reducing scope 1 and 2 GHG emissions by 73.4% by 2030 (compared to 2022)

Reduce scope 3 emissions by 52% per unit of value added by 2030 (compared to 2022)

100% low-carbon energy by 2025

Zero waste to landfill by 2025(1)

3.2.3Communicating and raising awareness on the total impact of the cloud to guide consumption choices

The Group intends to mobilise its stakeholders to provide a collective response to the challenge of the environmental impact of cloud technologies. OVHcloud is developing a new environmental labelling tool to help its customers minimise their impact through their consumption choices. The Group also capitalises on education and undertakes collective actions to influence practices and promote best practices.

3.2.3.1Environmental labelling, a lever for transforming uses

Environmental labelling is a powerful tool for users to measure the impact of the products and services they consume. OVHcloud has developed a "carbon calculator" to give customers a better understanding of their cloud infrastructure's carbon footprint and help them with their environmental transition and consumption choices. This tool is the result of a rigorous design process of developing a reliable, robust and exhaustive methodology, as well as rapid IT development. The methodology, which was audited and certified by an independent consulting firm specialising in sustainable IT, is based on the principles of Life Cycle Analysis (LCA), reference databases for environmental impact factors, such as the ADEME Base IMPACTS® 3.0, and the first recommendations of ADEME's Product Category Rules for digital services. To enhance the reliability of its solutions' environmental labelling, OVHcloud has worked in collaboration with its main suppliers, the academic world (Inria) and associations (Boavizta) to improve its knowledge about the carbon footprint of their activities. The Group now has more precise data on the supply of access to energy, specifying if they are "location-based" or "market-based", and a significant proportion of its components, taking into account any retrofitting.

OVHcloud launched the first version of its carbon calculator in July 2023 for the Bare Metal range, which estimated the carbon impact of more than 300,000 servers. The first enhancement for Hosted Private Cloud customers took place in the first quarter of the 2024 financial year. Barely three months after it was made available to customers, OVHcloud's carbon calculator was awarded the Green Trophy at The Big Green forum, an event dedicated to CSR. The award recognises the technical sophistication of the calculator's methodology and its comprehensiveness. OVHcloud is the first company to provide such comprehensive environmental information to its customers. Since then, the tool has been enhanced with more precise calculation elements, thanks to the dual display of emissions linked to the use phase (market-based and location-based) and also to the manufacturing phase, thanks to the inclusion of component reconditioning.

Accessible to customers directly from their OVHcloud space, the tool integrates the estimated power consumption of servers based on the monitoring of OVHcloud datacenters. It then maps them to their carbon emissions equivalent, taking into account cooling and network systems as well as transport, manufacturing, end-of-life and waste management, to provide a complete picture of the current carbon footprint. The results for cloud usage, which each user can download, are broken down into three emission categories:

• the manufacturing phase: upstream greenhouse gas emissions linked to the purchase and assembly of components;
• the use phase: electricity-related emissions;
• ancillary emissions: other indirect emissions such as freight and the impact of employees – known as "operations".

Since it went online, the tool has generated more than 500 downloads per month, enabling more than 5,500 customers to track their greenhouse gas emissions.

OVHcloud's approach could have a two-fold ripple effect by establishing best practices in the supply chain.

3.2.3.2Raising awareness of environmental impacts: from education to collective action

Actions taken internally at OVHcloud

OVHcloud has set up initiatives to raise awareness of environmental issues among its employees:

• participation in the in-house Climate Fresk. The Fresk, run by OVHcloud's environmental team, helps company employees to better understand the issues surrounding climate change. In 2024, more than 280 employees attended the training course;
• ISO 50001 energy management awareness training attended by more than 250 datacenter employees. The aim is to have trained 80% of datacenter employees by the end of the 2024 calendar year.

Collective action with the ecosystem

OVHcloud is a driving force within its ecosystem and increases educational and awareness-raising actions around the environmental challenges of the sector. The Group intends to respond to the requests of its stakeholders and communicate on these issues in a transparent, educational and responsible manner.

In this respect, OVHcloud took part in the following events:

• the sponsorship ceremony for the class of 2026 at Telecom Paris, with a presentation on the environmental challenges of digital technology, OVHcloud's environmental policy and its results;
• The Big Green, with the presentation of the carbon calculator for which the 2023 Green Trophy was awarded;
• the GreenTech Forum in November 2023, with a round table discussion with Christian Dior, APL Data Center and the CEA on how to reduce the environmental footprint of the datacenters;
• the CNRS (French National Centre for Scientific Research) conferences on eco-responsible computer science, with a presentation of the technological levers implemented by OVHcloud to reduce the environmental impact of cloud services;
• the ARCEP workshop in November 2023, with participation in the review of the General Policy Framework for the Ecodesign of DIGITAL Services;
• the TechArena conference in Stockholm in February 2024, with a round table discussion on environmental case studies with Coca-Cola, Polestar and The Swedish Export Credit Agency;
• "Artificial Intelligence and the Environment" organised by Numeum, the G9 Institute and Planet Tech care in March 2024 with a presentation on the environmental impact of artificial intelligence as observed by OVHcloud and the role of datacenters in the energy crisis;
• ChangeNow in March 2024 with participation in the round table with Sopra Steria and EDF on the environmental and societal impact of digital technology and the levers to minimise it;
• presentation at EDHEC in April 2024 as part of the “CSR Strategy” training for managers on the Group’s CSR governance, climate roadmap, and concrete actions;
• BankTech Day in June 2024 with a round table discussion on how to reduce the environmental footprint of the datacenters.

In addition, the following partnership initiatives remain in place:

• a four-year research partnership started in 2021 with Inria to improve how the environmental impact of the Group's infrastructures are assessed (research thesis conducted in the OVHcloud experimental datacenter, with the aim of modifying the hPUE and vPUE) and suggesting best practices for end users to reduce their environmental footprint;
• a co-development project with Davidson Consulting, Inria and Orange on the DISTILLER research programme, launched in March 2022 and aimed at reducing the environmental impact of cloud applications. At the end of this three-year project, the DISTILLER recommendation system will be able to provide all the indications necessary for the design, production and configuration of more sustainable cloud applications to Product Owners, engineers and developers, while taking all the constraints specific to this type of project into account (performance, flexibility, confidentiality). To achieve this ambitious target, DISTILLER plans to study cloud-native applications and their configuration in order to extract all the existing variations to analytically set out, based on the measurements in production, a sustainability indicator on which the recommendations system for sustainable software components will be based;
• contribution as "Cloud Provider" representative to the NZI4IT (Net Zero Initiative for IT) dimension of the Net Zero Initiative project developed by Carbone 4, which seeks to estimate the emissions avoided in the digital sector.

OVHcloud is participating in the European Code of Conduct on Data Centre Energy Efficiency for all the datacenters it operates. It is also working alongside public authorities around the world to share its expertise on ways to reduce the environmental footprint of datacenters. In particular, the Group responds to requests from regulatory authorities and those involved in drawing up public policies to explain its model at meetings and site visits. These actions fall within the framework of regulations currently being drawn up, such as the revision of the EU energy efficiency directive.

OVHcloud also demonstrates its commitment through its involvement in a number of trade associations bringing together other cloud providers. This is the case in France with its involvement in France Datacenter and Numeum, in Germany with Bitkom and at the European level via the Climate Neutral Data Centre Pact, of which the Group is a signatory and founding member (2021).

3.3Collectively advancing the cloud for the benefit of society

At OVHcloud, everything starts with people. Men and women are the Company's best assets: it is their talent that ensures its success. “Working together” is one of the Group's fundamental values. This collective aspect is extended to its ecosystem, and in the desire to see the European cloud segment progress. Aware of its impact and its responsibility, OVHcloud intends to make digital technology a driver for socio-economic development.

In order to maintain the reliability and comparability of the indicators set out below, the Group has not included Gridscale, which was acquired on 4 September 2023 and is currently being included for CSR reporting purposes. Once it has been included, the Group can guarantee that its social responsibility approach is comprehensive.

3.3.1Collectively attracting and developing talent within a diverse and inclusive company

Headcount(1), employment and engagement – Performance indicators and key figures

In a highly competitive job market despite the tense international environment, attracting and developing new skills remains a priority for OVHcloud.

The Group continued to hire during the 2024 financial year. As a result, 437 people embarked on the OVHcloud adventure, representing a net increase in headcount of more than 1% over the past year, primarily outside of France, which increased the number of employees on permanent contracts in the Group's workforce. In two years, the Group's total headcount has grown by more than 4%.

In addition to recruitment, talent retention is a second key issue in order to capitalise on knowledge and enable the overall skills development of the teams. The benchmark performance indicator for monitoring talent retention is the loyalty rate, which measures the rate of employees present in the Group one year after their arrival. This rate continued to improve, reaching 81% in 2024.

The Group also monitors the rate of voluntary departures, which measures staff turnover. In 2024, this rate amounted to 9.20%, a one-point improvement on 2023 (which was already a year-on-year improvement of over 4 points). The aim is to maintain the voluntary departure rate at 15% or less (which is considered to be the industry average). In addition, the average length of service for voluntary departures has stabilised at over three years since the 2021 financial year (3.4 years in the 2024 financial year).

Lastly, OVHcloud regularly measures the level of engagement of its employees based on the results of internal surveys conducted each year via a survey software (Peakon). The engagement scores for the 2024 financial year were 7.2/10 in the December survey and 7.3/10 in the June survey. The response rates were 84% and 86% (similar to last year), respectively, further testifying to the level of employee engagement. The employee engagement score is a key performance indicator that was included in the annual variable compensation of executive corporate officers (for 15%) and members of the Executive Committee (for 9%) in 2024.

3.3.1.1Passion and commitment at the heart of the corporate culture

OVHcloud is distinguished by its flagship commitments, particularly in support of data sovereignty, and by a strong corporate culture, backed by common values that guide each of the Group’s actions:

• Trust: trust commits OVHcloud to its ecosystem and enables its employees to express their talent.
• Working together: OVHcloud has a profound belief that individual success only serves collective success. The collective dimension is essential for exploring and building the cloud of tomorrow and to achieve this, each person is important and makes a contribution at their own level.
• Passion: the passion for technology and adventure is essential at OVHcloud, it promotes innovation and surpassing oneself.
• Disruption: OVHcloud is constantly seeking to simplify its processes and organisations in order to be more efficient and reduce costs. Thinking differently is encouraged by the Group to create ever more value for customers and the ecosystem.
• Responsibility: OVHcloud takes its responsibilities seriously. The Group is aware that each innovation can be positive or negative depending on how it is used.

3.3.1.2Building a working environment conducive to talent development

The OVHcloud employer brand is the core of its employee value proposition and aims to attract and retain talent.

An employer brand based on four pillars

The OVHcloud employer brand is built around four pillars that echo the Group’s values:

• “At OVHcloud, everything starts with people”: people are at the heart of the Group’s DNA, which is why OVHcloud has developed services and benefits to improve the quality of life at work for all. From concierge services to company daycare, from contracted remote working to collaborative spaces, everything is done to ensure that everyone finds their place, at their own pace and in accordance with their values.
• “Innovate in total freedom”: an OVHcloud expert is one who has acquired cutting-edge skills while maintaining the desire to explore, break new ground and innovate. OVHcloud recruits passionate and exciting people who want to do and share. Designing the cloud of tomorrow is a question of disruption. To this end, the Group needs everyone's input.
• “Growing and fulfilling”: moving in step with technology and thinking outside the box is what characterises OVHcloud. Change position or profession, there is no ready-made trajectory at OVHcloud. The aim is to offer everyone the opportunity to take an interest in a new field, to extend their skills and think about their new expertise through the prism of their experience.
• “Building the world of tomorrow together”: as a major cloud player, the Group believes we all have a role to play in the industrial transformation of the sector, and more broadly in the changes impacting our world. Providing an open, sustainable and people-centric cloud means working hand in hand for collective progress.

A stronger employer brand thanks to its new Ambassadors programme

With all business units represented and women representing almost 30% of employees by 2024, the ambassador programme is helping to boost OVHcloud's image, thanks to its dynamic community. Our ambassadors participated in over 35 physical events (conferences, school events, trade fairs, tech events and job fairs).

The Careers site, the first version of which went online in 2022, was overhauled in 2024 with the addition of a page dedicated to diversity, equity and inclusion. While it has helped to highlight and promote the OVHcloud employer brand, it will be modernised in 2025 and will provide more content to meet the expectations of prospective employees.

Continuous investment in skills development

Training – Key figures

Aware of the importance of cultivating its human capital, OVHcloud trained 75% of its workforce in 2024. In the 2024 financial year, 2,200 employees attended at least one training course, i.e., almost 250 more employees trained compared to the prior year.

Not only is OVHcloud continuing to strengthen the key skills needed to support the Company's growth, such as management, safety and technical skills, but, in 2024, the Group also offered more cross-functional (Other) training to develop the career prospects of its employees and its commitment to compliance topics by increasing the number of employees trained from 3% to 18%.

OVHcloud confirms its desire to encourage the development of skills in all areas and become a learning organisation. The Company therefore continues to invest in the following areas, which are considered essential to achieving its strategic ambitions:

• supporting managers in their role, based on an ambitious programme aimed at all managers and tailored to their position in the Group's organisational structure. The aim is to train all new managers, 70% of middle managers and 100% of advanced managers in two years in line with OVHcloud's leadership module. More than 400 managers attended at least one training course in the 2024 financial year;
• reinforcing the acquisition of cross-functional skills to develop employability and meet our compliance commitments. For example, nearly 300 employees received training on the Climate Fresk, i.e., almost 10% of the workforce;
• continuing to invest significantly in technical skills to support growth through training on products, technology and operations, and offering the possibility to certify these skills;
• developing a strong culture of safety and resilience to support the opening of new datacenters around the world;
• language courses, to enhance OVHcloud's international positioning.

To support its training policy and reinforce its role as a learning organisation, OVHcloud has made a major change to its Learning Management System (LMS) and now has a dedicated skills development solution to speed up the roll-out of training initiatives. With almost 86% of employees having connected at least once to the new LMS and more than 115,000 visits in 2024, OVHcloud is making it easier for its employees to access training.

OVHcloud is also looking to familiarise its employees with the challenges of the future by offering awareness-raising webinars throughout the year in areas such as artificial intelligence, soft skills and cybersecurity. The webinars on artificial intelligence, for example, were attended by over 600 participants.

Workplace health, safety and well-being as a top priority

Safety at work is a central priority for OVHcloud and is a key performance indicator of the CSR policy. In order to promote the prevention of health and safety risks, the Group has defined three major priorities:

• reducing the number of work-related accidents;
• complying with legal health, safety and environment (HSE) requirements and other requirements applicable in all countries;
• implementing all satisfactory measures to protect the health and physical integrity of the Group’s employees, customers and local communities and protecting the environment.

To achieve this, the following measures were implemented:

• involving the entire management line in the commitment to its health, risk prevention and environment policy;
• anticipating risks upstream in the product design phase;
• empowering all employees to maintain a healthy and safe workplace;
• developing a culture of professionalism, discipline and respect for the rules among all employees;
• ensuring the deployment of the “Be Smart, Be Safe!” Health and Safety Programme.

Workplace safety – Key figures

During the 2024 financial year, the total number of accidents fell again, both in terms of the number of accidents and their severity.

This was made possible by a number of actions taken during the 2024 financial year:

• review by OVHcloud of part of its golden rules in terms of safety as part of its #StaySafe approach. The golden rules deal with:
  • the working environment,
  • work permits,
  • fire prevention and evacuation; and
• ongoing compliance with its other golden rules:
  • shared vigilance and cooperation,
  • pedestrian traffic,
  • movement of machines,
  • personal and collective protective equipment,
  • work at a height,
  • energy and reporting,
  • movements and postures.

The #StaySafe approach embodies a mindset to be adopted in order to identify and avoid dangers. It follows four steps:

• survey the work environment and identify hazards;
• analyse the consequences of hazards and anticipate the necessary individual and/or collective protection measures;
• foster reliability by implementing prevention measures with the help of the health and safety department, contractors and managers;
• execute the work once all the safety conditions have been met.

In the 2024 financial year, the Group continued to invest in training its technical teams with the aim of strengthening its safety culture. Training of on-site managers has been rolled out to part of the workforce. In 2024, the safety champions took action to improve safety at their respective sites. at each site among volunteers, to liaise with the technical teams to improve the safety culture. Lastly, the Group organised internal awareness-raising events such as World Safety Week, which is held each year at all OVHcloud sites and to which all employees and permanent employees are invited.

In addition, OVHcloud is committed to employee health, with a focus on prevention.

• Since 2016, the Roubaix site has had a dedicated medical centre with various health professionals (general practitioner, osteopath, dietitian, physiotherapist, optician, etc.) available to employees.

• Awareness-raising conferences led by health specialists and open to all employees are regularly organised on various subjects (conferences on psychosocial risks).

OVHcloud will continue its commitment to prevention in 2025. The priorities are as follows:

• The month of October 2024 is dedicated to the fight against cancers that affect women: as part of Pink October, OVHcloud will continue to raise awareness of breast cancer by organising workshops led by midwives or nurses to its employees in France and an awareness-raising conference for all employees in France and internationally.
• The month of November 2024 is dedicated to the fight against cancers that affect men: as part of Movember, the Group will be organising workshops led by urologists to its employees in France and an awareness-raising conference for all employees in France and internationally.
• The prevention of musculoskeletal disorders (MSD): the Group will be organising workshops in France to prevent occupational risks in terms of movements and postures, as well as a conference on adapting workstations for remote working and manual jobs for all employees in France and internationally.
• Melanoma prevention: the Group is planning to organise dermatological screening days at its sites in France.

The Group also implements different measures:

• medical teleconsultation with Angel in France and Dialogue in Canada;
• initiatives to promote regular sports activities (gyms, activities for coaches, support for sports assessments);
• psychological, social and legal assistance with Qualisocial and Dialogue in Canada.

To promote quality of life at work, OVHcloud also actively offers parenthood initiatives. As a result, a position of parenting advisor, responsible for supporting, advising and guiding all parents and future parents has been created. In addition to the crèche located at the Company's premises in Roubaix for the past decade, a nationwide partnership with Babilou(12) and an OVHcloud parenting handbook, specific support is provided when a child arrives. This includes support in announcing the arrival of a child, preparation for maternity, adoption or parental leave, support when returning to the Company with a dedicated re-boarding process, support in finding childcare, etc. Conferences and workshops are also offered on a regular basis.

A recognised human resources policy

The Group has received several awards in recognition of its efforts in recent years:

• the Compensation & Benefits Trophy awarded by the ORAS(13) club in December 2021 for the Group's employee well-being programme;
• the gold prize at the Human Capital Leaders' Victories on the quality of work life theme in May 2022;
• the Wellbeing Leader Certificate from the Polish Wellbeing Institute in 2021 and 2022, also in recognition of the Group's quality of life at work policy.

Further recognition received during the 2024 financial year included:

• for the fourth consecutive year, the HappyIndex®Trainees & HappyIndex®Trainees Alternance 2023-2024 label, which rewards companies that take care of their interns and apprentices;
• in Germany, recognition as Top Company 2023 by Kununu for the third year running;
• ranking second in the 2024 LinkedIn Top Companies list (in the midsize companies with between 250 and 5,000 employees category);
• the International Employee Share Ownership Trophy awarded by the ORAS club in December 2023.

3.3.1.3Providing a diverse and inclusive work environment

Diversity and inclusion – Performance indicators and key figures

Convinced that everyone has a role to play in facing the biggest societal challenges of our time, OVHcloud wishes to support its employees in their life journey, so that everyone can grow and develop in a caring environment. With this in mind, the Group is committed to combating all forms of discrimination and to offering a working environment that respects differences and allows everyone to fully express their talents. OVHcloud has structured its diversity, equity and inclusion policy in 2022 and intends to strengthen it during the 2025 financial year. An internal charter exemplifies this policy. It is shared via the Company's intranet and is available to all Group employees.

• Diversity and collective intelligence are key drivers for innovating and achieving excellence. Globalisation of the teams is one component. In 2024, more than 60 nationalities were represented within the Group.
• The proportion of women in teams, which is a major issue for tech businesses, is a key priority and a performance indicator for the Group’s CSR policy. A gender equality action plan is drawn up and reviewed regularly with employee representatives in France. The plan addresses the issues of recruitment, professional development, compensation and work-life balance. In recent years, the proportion of women in the Group’s workforce has steadily increased. In the 2024 financial year, the proportion of women in the total workforce increased by one point to reach 23%. The proportion of women in management has improved by three points since 2022 to 23%. The rate for the Executive Committee remained largely unchanged throughout the 2024 financial year, at 33%.
• Throughout the year, a number of initiatives were put in place to inform in-house teams about diversity and inclusion issues. Notably, in January 2024, OVHcloud joined the #StOpE initiative, aimed at combating everyday sexism on a long-term basis. It also marked the start of a series of initiatives to raise awareness on the challenges and benefits of an "inclusive company", by breaking down stereotypes, prejudices and unconscious biases. The aim of these initiatives was to provide a better understanding of the main forms of discrimination while offering concrete strategies for breaking down stereotypes in everyday life.
• Facilitating access to employment for people with disabilities and in collaboration with the adapted employment sector is a second important area of initiatives to promote diversity and inclusion. Through a worldwide disability policy, OVHcloud has provided the resources and means necessary to guarantee an inclusive organisation, with designated disability contact persons who implement the policy locally. All recruiters are trained in diversity issues and employees are made aware of the related challenges. Job offers are also published on the AGEFIPH (French agency promoting the employment of disabled people – Association de gestion du fonds pour l'insertion professionnelle des personnes handicapées) website.

3.3.1.4Maintaining quality social dialogue over time

OVHcloud attaches great importance to social dialogue, a guarantee of involvement and collective performance, and maintains high-quality relationships with its employees and their representatives. This includes negotiation, consultation and exchanges of information between management, employees and their representatives. The topics covered by social dialogue are health and safety, working hours, compensation, training and quality of life at work.

Around the world:

• the proportion of employees represented by trade unions or employee representatives in 2024 was 69.60%;
• the proportion of employees covered by a collective bargaining agreement in 2024 was 74.94%.

In France, employee representation is organised within an economic and social unit (unité économique et sociale) covering the French companies. The membership of the Social and Economic Committee (Comité Social et Economique – SEC) (Social and Economic Committee of the economic and social unit) was renewed at the end of 2023 and it is now composed of 43 members (incumbent and alternates combined). Three representative trade unions appointed representatives, opening up the possibility of negotiating collective bargaining agreements.

In 2024, two collective bargaining agreements were signed, one on salaries and the other on social dialogue. The agreement on social dialogue demonstrates the Company's commitment through the resources allocated to employee representatives (additional time allowances for these duties, creation of a committee dedicated to environmental issues and strategic directions, allocation of a budget for the training and travel needs of employee representatives, appointment of local representatives at all sites, etc.). With regard to employee representation on management bodies, two directors representing employees have sat on the Board of Directors since 2022.

Lastly, as mentioned above, as a company that is in touch with its employees, OVHcloud has been conducting internal opinion surveys (OVHcloud Spirit) among all its employees worldwide since 2019. The survey is conducted every six months to obtain opinions and expectations about the Company on a range of topics such as engagement, diversity and inclusion, talent development, working conditions, recognition, etc.

3.3.1.5Involving employees in the Company’s results

Employee shareholding

For OVHcloud, “working together” also means involving employees as much as possible in Company’s results. On the occasion of its IPO on Euronext Paris on 15 October 2021, the Group set up its first collective employee shareholding plan, open to more than 2,000 employees in France and abroad. 97.8% of eligible employees at that date became shareholders of OVHcloud (77.6% having invested voluntarily). In 2021, the Group was awarded the FAS Grand Prize(14), which showcases companies that develop the best practices in employee share ownership.

In 2022, the Group allowed all its employees to invest all or part of their share of the proceeds of the incentive plan in OVHcloud shares (via the FCPE mutual fund or directly depending on the country) and to benefit from a matching contribution from the Group, without increasing its capital. For this long-term approach, the Company was awarded the International Employee Share Ownership Trophy by the ORAS(15) club in December 2023. In 2023, around 70% of eligible employees decided to invest their incentive bonus (the same order of magnitude as the previous year).

In 2024, 0.6% of the share capital was held by employees through the FCPE mutual fund.

Profit-sharing agreements

In France, a mandatory profit-sharing agreement (accord de participation) applies at the level of the social and economic unit, which provides for the distribution between eligible employees of a share of the profit of such companies, parties to the social and economic unit, calculated based on the statutory formula. The profit share is distributed on a pro rata basis according to the employee’s effective presence during the period.

Global incentive plan

An incentive agreement was signed with the Social and Economic Committee in 2022, applicable until 2024. It concerns all employees at the global level with at least three months of seniority. The performance indicators used to calculate the share of profits attributable to eligible employees include, as in the previous plan, indicators relating to adjusted EBITDA and revenue growth, to which two CSR criteria are added: energy efficiency (via PUE or Power Usage Effectiveness) and employee retention. Under the plan, profit is distributed on a pro rata basis according to the share of the country's payroll in the Group total; at the country level, profit is distributed exclusively on a pro rata basis according to each employee's effective presence during the financial year.

An amendment to this agreement was signed in 2024, increasing the weighting of CSR indicators to 60% (30% for energy efficiency and 30% for employee retention).

Employee savings plans and similar plans

In France, the social and economic unit provides:

• a Group Savings Plan (plan d’épargne groupe), which allows eligible employees to invest their savings, including payments under the profit-sharing agreement and the global incentive plan, in diversified investment funds and to benefit from certain social and tax advantages in exchange for a lock-up period, generally of five years;
• a Time Savings Account (compte épargne-temps – CET), which allows eligible employees to save unused rest days (certain holidays, RTT, etc.) or part of their thirteenth month converted into days. They can then take these days at any time, ask to be paid for them or transfer them to another scheme to prepare for their retirement;
• a Group Retirement Savings Plan (plan d'épargne retraite collectif – PERCO) which allows eligible employees to invest the payments under the profit-sharing agreement and the global incentive plan in diversified investment funds for their retirement. This scheme allows employees to benefit from certain social and tax advantages as consideration for a lock-up period until retirement. It is also a way for employees to prepare for their retirement by making voluntary payments or by transferring days from their CET to the PERCO (up to ten days per year). This transfer is then matched by their employer.

Recognition plan

In 2024, an international employee retention plan was launched in all the Group's countries. Employees with five years of seniority were all awarded the same number of points (known as Kudos). The number of Kudos was the same, whatever the country of the employee, only its value varied according to the purchasing power parity. The Kudos can be converted into cash, gift cards, OVHcloud shares or a mixture of the three options, as desired.

3.3.2Collaborating and joining forces with stakeholders in the European cloud ecosystem

Operating as an ecosystem is part of the Group’s DNA. OVHcloud intends to capitalise on its role as a leader to grow the European cloud sector, develop champions and thus continue to defend European digital sovereignty in a highly competitive environment.

3.3.2.1Developing an ecosystem of partners sharing the same values

From its inception, OVHcloud has sought to play a leading role in building an open and evolving ecosystem of like-minded partners, fostering innovation and promoting European digital independence. Through this mutually beneficial approach, OVHcloud has surrounded itself with a wide range of technical and commercial specialists, who work in related segments to develop and offer the most appropriate solutions to the needs of customers. Being deeply committed to open source communities allows OVHcloud to speed up the development of its own solutions, while remaining on top of its customers’ expectations.

The OVHcloud ecosystem is structured around three main programmes designed to build virtuous partnerships with digital services companies (Managed Services Providers, System Integrators, IT consultants), software publishers and startups. All members of this ecosystem can benefit from the OVHcloud marketplace.

• The partner programme brings together more than 1,300 partners across 72 countries. These partners are specialists who combine their expertise with OVHcloud infrastructure to create high value-added solutions and services for their own customers. The aim of the programme is to make tools and content available to these partners, enabling them to ramp up their OVHcloud technology skills while forging a special mutual relationship. Through this programme, OVHcloud has awarded more than 3,500 certifications to its partners, helping to boost their value proposition to end customers and accelerate their growth.
• OVHcloud's ISV (Independent Software Vendors) programme, known as open trusted cloud, brings together an ecosystem of software publishers to co-construct a software, SaaS and PaaS offering to meet the innovation, sustainability and sovereignty needs of tomorrow's industry. With a new value proposition, based on a collaborative approach and the three pillars of innovation, sustainability and sovereignty, the number of programme members has doubled in a year. The programme currently has 130 members in 13 countries, who offer their solutions on OVHcloud's open, reversible and reliable cloud.
• The startup programme brings together just over 1,000 startups and scale ups per year, nearly two-thirds of which are international. Since May 2022, OVHcloud has offered mentoring support, available worldwide as part of this programme. OVHcloud employees therefore provide startups with their expertise and experience to help them develop their business. When entrepreneurs create a business, they focus on the essentials to ensure a successful startup and do not always have the time, the means or the skills to develop other aspects that may help them stand out from other businesses. The aim of the startup programme is to offer startups a choice of mentors who cover the different areas they would like to work on for their development: marketing, communication, social networks along with business strategies, artificial intelligence, server infrastructure, CSR, human resources and many other areas. Each startup receives six hours of personalised support on the chosen topic from their mentor over three months.

3.3.2.2Collaborating with suppliers in a responsible purchasing approach

The supply chain and, more specifically, the purchasing department play an essential role in OVHcloud’s CSR policy, which ensures that it is part of a responsible approach.

Responsible purchasing policy

OVHcloud firmly integrates CSR principles at the heart of its supply chain through a responsible purchasing policy, adopted in February 2024. Guided by environmental sustainability, ethics and social responsibility, this policy steers the decisions and actions of the Purchasing Department. It aims to ensure that every purchasing decision makes a positive contribution to the Company's environmental, social and ethical targets, while strengthening relationships with suppliers committed to this approach.

Risk mapping and supplier assessment

In 2023, OVHcloud strengthened its CSR strategy by identifying the risks associated with its purchases across its entire supplier database, with the aim of carrying out an in-depth assessment of 25 strategic and critical suppliers selected in partnership with EcoVadis, a platform recognised for its expertise in CSR performance. Two separate approaches were used: the assessment of suppliers using DocScand, an AI solution for identifying risks, and a detailed assessment of their performance on environmental, social, human rights, ethical and responsible purchasing criteria. In addition, EcoVadis trained the purchasing teams on CSR issues and the use of the collaborative tool, thus reinforcing their ability to communicate effectively with suppliers on these issues.

The Purchasing Department also introduced an assessment process that includes CSR criteria in consultations. Through this approach, areas for improvement can be identified upfront, and where appropriate, specific action plans can be drawn up in collaboration with the chosen supplier.

In order to promote best practices within its value chain, OVHcloud assesses its strategic suppliers each year based on seven criteria (safety, technology, quality, responsiveness, delivery, costs and the environment) and rewards the best performers. In 2024, five strategic suppliers were rewarded in this way.

Suppliers committed to a responsible approach by applying the principles of the Supplier Code of Conduct

The Group has drawn up a Supplier Code of Conduct, whereby suppliers undertake to adopt a responsible and comprehensive approach to compliance issues. The code is based on the United Nations Guiding Principles on Business and Human Rights and the International Labour Organization conventions. It covers the following topics:

• human rights;
• fair and safe working conditions;
• ethics (corruption, fraud, money laundering, financing of illicit activities, etc.);
• the environment;
• an anti-corruption whistleblowing procedure (see Section 3.3.2.3 of this Universal Registration Document).

OVHcloud asks new and newly listed suppliers to sign the Code of Conduct. Other suppliers are encouraged to sign it and comply with its terms.

At 31 August 2024, OVHcloud had 2,534 active suppliers, 71.23% of which had signed the Supplier Code of Conduct(16), an improvement of 2.73 percentage points compared with the 2023 financial year. In absolute terms, this represents 1,805 certified suppliers compared with 1,640 the previous year, an increase of almost 10%. This progress is the result of an active awareness-raising campaign conducted by OVHcloud among suppliers that had not yet signed the Code of Conduct, with a particular focus on strategic and potentially high-risk suppliers.

Assessing the carbon footprint of our suppliers

OVHcloud is seeking to enhance its understanding of its activities' carbon footprint. To this end, the Purchasing Department, in collaboration with the Environment Department, exchanged information with its suppliers on their CSR commitments on a regular basis. These discussions enabled OVHcloud to gather information on around 50 emission factors associated with the manufacturing of hardware components purchased from eight strategic suppliers. This data was used to fine-tune carbon footprint calculations in OVHcloud's carbon calculator and for its carbon footprint.

Favouring local suppliers

Lastly, OVHcloud’s responsible purchasing approach is reflected in its desire to favour local suppliers when possible. In particular, the Group can work with suppliers participating in the startup programme if the service they offer is relevant to its needs. This is the case for Moffi, for example, whose office reservation tool has been rolled out Group-wide.

Encouraging the use of service providers that employ people with disabilities

OVHcloud favours suppliers from the protected and adapted work sectors, as well as adapted companies, in its supply chain. It currently works with four companies in different sectors, thereby giving priority to companies run by people with disabilities wherever possible. This initiative aims to integrate their services into its activities to promote diversity and inclusion. Workshops and webinars carried out in conjunction with Malakoff Humanis, contributing towards the AGEFIPH, have also strengthened these inclusive purchasing practices.

3.3.2.3Ethics and business conduct

A prerequisite: strict compliance with laws and regulations

Operating in a buoyant market that is open to the world, OVHcloud is constantly vigilant and makes a point of conducting its business in strict compliance with all applicable laws and regulations. As OVHcloud is a French group, it refers primarily – but not exclusively – to French compliance legislation. Due to its international presence, OVHcloud must also comply with the local legislation and regulations of the countries in which it operates. In any event, OVHcloud applies the strictest legislation and regulations.

Management bodies strongly committed to the Group's Compliance Programme

As the cornerstone of the Group's Compliance Programme, OVHcloud's management bodies have demonstrated their commitment to a Compliance Programme that lives up to the Group's ambitions and the requirements of its internal and external stakeholders, in particular by strengthening the team dedicated to the Programme.

The Group is also committed to using the best performing techniques and mechanisms to manage risk. It is progressively installing tools and technologies that will enable it to monitor the fight against unethical behaviour more effectively. During the 2024 financial year, the Group launched the Witik tool, which has a dual purpose: to manage the declaration of gifts and invitations received/offered in accordance with the thresholds set out in the policy, and to manage conflicts of interest. These tools contribute to several Compliance Programme pillars, particularly in terms of preventing and combating corruption and influence peddling, as well as in the context of complying with international sanctions. They are also tools that enable the Programme to be implemented on an operational, day-to-day basis.

Diagnosis and prevention mechanisms tailored to risks

The Group has determined its compliance priorities on the basis of the legal and regulatory provisions that govern it, while taking into account its own specific characteristics and the risks inherent in its business environment.

By mapping the risk of corruption and influence peddling, the Group has obtained a precise overview of the risks to which it is exposed, and been able to determine actions and measures to mitigate and manage these risks, which form part of the Group's action plan.

Both Senior Management and the Group's Board of Directors and Audit Committee pay particular attention to compliance matters.

On an operational level, the compliance function, which covers ethics and compliance, is carried out by an in-house team under the responsibility of the officer in charge of this function. Fortnightly reviews are organised with a member of the Group Executive Committee. All internal policies are approved by the Group Executive Committee.

Firm principles: Group-wide code of ethics and zero-tolerance policy

The Group's compliance policy is set out in its code of ethics. It covers the main topics of the Compliance Programme and practices to guide internal stakeholders. In particular, it affirms the zero-tolerance principle as regards any form of corruption or influence peddling.

The Group strives to ensure that the ecosystem in which it operates complies with the same standards that it applies to itself. It is with this in mind that each supplier is asked to sign the supplier Code of Conduct (see above for more details). In addition to suppliers, the code is intended to apply to other Group stakeholders, such as partners, intermediaries and beneficiaries.

Procedures and mechanisms covering the Group's real and operational risks

As part of its compliance policy, the Group strives to formalise its compliance mechanisms and best practices by adopting or strengthening its internal procedures.

An empowering gifts and invitations policy

The policy on gifts and invitations was updated in 2023 in order to tighten control over one of the main risks of corruption and influence peddling. Following this, during the 2024 financial year, the Group set up awareness-raising initiatives for employees (training, communications). The policy, which is based on the Witik management tool, enables employees to declare gifts or invitations received/offered independently. The validation process also strengthens the active role of management. This innovative approach allows employees to reflect on the motivations behind the gift or invitation.

A procedure for preventing and managing conflicts of interest

With its position as European cloud leader, the Group operates in a sector with a great deal of interaction and solid growth prospects in a large number of sectors. This situation can lead to conflicts of interest. As a result, the Group has introduced a procedure for reporting situations of conflict or non-conflict of interest. It was drawn up as part of a new policy that will apply to all internal stakeholders. Particular attention has been paid to certain categories of people who are considered to be more exposed to risks due to the nature of their duties and functions.

A procedure for assessing third parties (due diligence)

The Group and its top management are committed to a global approach to compliance and ethics in the conduct of their business and their interactions with external stakeholders. With this in mind, the Group adopted this policy in order to put in place a due diligence process that consists of carrying out a risk analysis of third parties with whom it has or wishes to have a business relationship. Based on its corruption and influence peddling risk map, the procedure ensures better risk control and fosters a better business environment for OVHcloud as an international listed Group.

Ethics and compliance training and awareness-raising in our ecosystem

Employee training and awareness-raising

The training taken by all Group employees (regardless of position or level of responsibility), along with the Ethics Charter, represent the first two points of contact that employees have with the Compliance Programme. The Group presents a compulsory e-learning module during the onboarding weeks for new employees. They then have six months to follow and validate the module by completing the questionnaire. A minimum pass mark has been set to ensure that key concepts have been understood. It must be followed every three years.

The topics covered by the training include the main points of the Compliance Programme, such as the fight against corruption, fraud, influence peddling, conflicts of interest, international sanctions and compliance with competition law. The module is designed to take an upbeat, engaging approach to learning and is available in English and French.

The pass rate was 79% in the 2024 financial year, with a much higher participation rate than in the 2023 financial year (59%). This rate has risen as a result of the various campaigns and awareness-raising initiatives carried out.

The in-house team has also stepped up its efforts to raise awareness among managers through distance learning and electronic communications (emails). In future, the Group intends to step up its various awareness-raising initiatives for all employees and those most at risk.

Awareness-raising among external stakeholders: suppliers and partners

The Group also continues to raise awareness among its external stakeholders: suppliers, intermediaries and partners. The preferred method is the compulsory signing of the Supplier Code of Conduct, as well as the inclusion of compliance clauses in contracts with third parties. The compliance teams can also be contacted during the negotiation phases to inform potential new suppliers, partners and intermediaries, all over the world, about the Group's compliance requirements.

A whistleblowing system accessible to all for reporting breaches of the code of ethics

OVHcloud has set up a whistleblowing platform called "ROGER", an acronym for "Respect OVHcloud Guidelines & Ethical Rules", which allows users to report any fact or behaviour deemed illegal, unethical and/or dangerous.

From its inception, the Group's whistleblowing platform was designed to be open, respectful of confidentiality and accessible to both internal stakeholders (OVHcloud employees, external and temporary staff) and external stakeholders (suppliers, service providers, etc.).

All whistleblowing reports are forwarded to contact persons designated by the management body, who strictly respect whistleblower confidentiality. To protect the latter, incidents can be reported anonymously.

Furthermore, the system puts whistleblowers in touch with contact persons with different profiles, who are physically present at three of the Group's sites in France and internationally. The whistleblowing platform is available in the three languages most commonly spoken at OVHcloud: French, English and Polish.

Developing and maintaining ethical and responsible relationships with third parties

The Group has set up a system for assessing the integrity of its third parties in order to:

• comply with the legal provisions of the Sapin II Act of 9 December 2016;
• take into account the lessons learned from the corruption and influence peddling risk map that has been drawn up;
• avoid the risk of incurring international sanctions;
• avoid entering into relationships with third parties that do not adhere to the Group's standards.

These assessments are undertaken by OVHcloud to ensure the integrity of its third parties and that no regulations prohibit it from entering into relationships with them. They are carried out according to the risks that a relationship could represent, depending on the characteristics of each third party and on the basis of objective criteria such as the business sector, the countries involved, financial considerations, etc. The Group carries out its assessments at regular intervals that vary according to the degree of risk represented by each third party, so as to be able to incorporate any changes in their profile. In addition, the Group systematically asks its third parties to inform it of any changes that may occur within their organisation (change of beneficial owner, criminal conviction, change in compliance policy, etc.). This commitment is set out in the due diligence policy mentioned above.

Compliance Programme monitoring, evaluation and updates

The compliance teams continually adapt the Compliance Programme to reflect the Group's reality, in particular via updates. The various monitoring and development activities enable action plans to be put in place to enhance the Programme's effectiveness.

Compliance with the rules of professional conduct, transparency and business ethics

Beyond corruption and influence peddling, the Group's compliance teams ensure that the general rules governing professional conduct, transparency and business ethics are followed.

• Particular attention has been paid in recent years to compliance with obligations relating to international sanctions, embargoes and export control regulations. The Group has therefore developed control mechanisms and rules while communicating best practices internally to prevent or identify any situation that might contravene the regulations that govern OVHcloud.
• Respect for human rights is the foundation of OVHcloud's ethics policy and is highlighted in the documents sent to internal and external stakeholders. Third-party assessment procedures are also undertaken with this in mind, in order to prevent and avoid any behaviour or practice that would be contrary to fundamental rights.
• The Group comes into contact with public decision-makers and officials of different ranks for various reasons. It strives to be as transparent as possible in its dealings with public authorities, particularly in France and Europe, and complies with all laws and regulations on interest representation.

Transparent and constructive interactions with institutional players

As the European cloud leader, OVHcloud comes into contact with public decision-makers, agencies and officials of different ranks for various reasons. The Group is particularly attentive to the laws and regulations of the countries in which it operates, and for this reason wishes to maintain regular dialogue with the authorities(17)(18)(19). The aim of these interactions is to contribute constructively to better knowledge and understanding of the sector in which it operates. Where relevant, they enable the Group to take part in the dialogue that accompanies the drafting of regulations in the countries in which it operates, to provide technical expertise on the impact and practical scope of existing or proposed regulations.

The positions adopted by OVHcloud are intended to help the various institutional players, particularly members of government, members of parliament, central government and local authorities, to make public decisions. They strive to reflect the challenges faced by the industry in which the Group operates, while taking public interest into account.

With this in mind, the Group aims for utmost transparency in its dealings with institutional players, and compliance with all laws and regulations on the representation of interests in the countries in which it operates.

All its dealings with institutional players are in line with the Company's commitments in terms of ethics and compliance, and more specifically the fight against active or passive corruption. 

In this respect, OVHcloud asks its employees to respect the Group's gift and entertainment policy (Group Gift and Entertainment Policy), as well as its procedure relating to the prevention and management of conflicts of interest.

Lastly, OVHcloud refrains from financing any political activities, including in countries where such financing is authorised and regulated by law.

Alignment with the Paris Climate Agreement objectives

OVHcloud's lobbying activities are carried out in line with the Group's strategic commitments, in particular its commitment to the SBTi approach, which formalises the alignment of its greenhouse gas emission reduction targets with the Paris Climate Agreement.

3.3.3Promoting local presence and societal commitment

In a context of the digitisation of professions and companies, OVHcloud pays particular attention to integration through digital technology and the need to involve as many people as possible in this transition. As the European cloud leader, the Group also monitors the socio-economic impact of its business on the regions.

3.3.3.1Promoting digital inclusion

In the era of the digital transition, the democratisation of tech professions is a societal challenge. OVHcloud acts in favour of digital inclusion with two areas of focus:

• accessibility of tech to women;
• professional inclusion of disadvantaged people.

The Group hopes to be able to contribute to the development of a talent pool in all regions.

Operating in two segments (industry and digital) in which men are over-represented, OVHcloud works on a daily basis to promote the representation of women. For example, the Group works in schools to promote careers in tech among young women. It also supports associations such as DesCodeuses, Force Femmes and Femmes Ingénieures to facilitate access to training and employment for women from priority neighbourhoods in this sector. The Group has also partnered with 50inTech(20), an online community connecting female talent with companies and promoting female-led entrepreneurship. 50inTech showcases OVHcloud as an inclusive company for women because of its gender score, supports the Group in its approach to attract female talent and promotes OVHcloud's women employees. Over the past three years, OVHcloud's gender score has risen steadily, from 63 in 2022 to 70 in 2024.

The Group also works on professional integration through digital technology, in particular through training and integration initiatives for people disconnected from employment, through skills sponsorship or donating PCs. OVHcloud has organised several webinars at Ada Tech School and regularly conducts mock interviews to help these individuals succeed. OVHcloud has also launched a new partnership with Z – Code pour l'emploi, to help young people disconnected from employment in the Lille area. Alongside the French National Agency for Adult Vocational Training, OVHcloud trains and hires interns through Plombiers du numérique (digital plumbers(21)), a project for the professional integration of unskilled young people. OVHcloud welcomed the first cohort to its Roubaix datacenter in 2020 and continues to train around 20 people each year. The Group is also a partner of Rocket School, a free school that recruits on the basis of personality (without qualification requirements), has been training in commerce and digital marketing since 2018, and has had an office in Lille since 2021. Through this partnership, OVHcloud welcomes work-study students who may be hired in the long term. As part of this, and in collaboration with the Hauts-de-France academic region, the Group is taking part in webinars and workshops aimed at teaching staff, with the purpose of better representing digital careers and facilitating access to them.

Lastly, on the issue of the integration of people with disabilities, OVHcloud works with associations, including ARRE France handicap, Mouton à 5 pattes, which works for the professional integration of young people with autism and Compethance, an adapted digital services company.

3.3.3.2Local presence and socio-economic impact

Created in Roubaix in 1999, OVHcloud quickly grew internationally and has developed a global footprint with 43 datacenters currently located in nine countries. Geographical expansion is one of the central pillars of the Group’s growth strategy.

OVHcloud’s implementation strategy is multi-local. It adapts the Group’s methods to local cultures and respects their practices.

The Group also attaches great importance to favouring local companies to support it in its locations and, therefore, to having an impact on the local economy.

More broadly, OVHcloud is committed to having a positive impact in the regions where it operates and in collaboration with stakeholders.

Through its tax policy, the Group contributes to the development of the regions in which it operates. OVHcloud’s tax policy ensures that the Group applies the laws, regulations and tax treaties in force in all countries in which it operates. The Group’s values and ethical principles as well as its requirements in terms of social responsibility lead it to:

• conduct its operations in accordance with their economic reality;
• refuse any aggressive tax planning and the use of artificial structures located in “tax havens”;
• cooperate with local tax authorities during tax audits.

None of the transactions carried out by OVHcloud aims to evade the payment of tax. The Group is in the process of compiling all of these actions and provisions into a formal tax policy.

The Roubaix example demonstrates the Group’s desire to have positive impacts on the regions and local communities. True to its origins, the Group has never left Roubaix. In 2004, OVHcloud acquired a brownfield site, which has become its headquarters. The Hauts-de-France region was also the first region to host OVHcloud datacenters.

Lastly, with a view to strengthening our societal commitment, a partnership project in support of the National Guard is under way.

3.4Application of the European Taxonomy to the Group’s activities

Classification of activities according to the European regulatory framework to define environmentally sustainable economic activities (Green Taxonomy)

General context

The Taxonomy Regulation is a key element of the European Commission’s action plan aimed at redirecting capital flows towards a more sustainable economy. It represents an important step towards achieving carbon neutrality by 2050, in line with the EU’s objectives, as the Taxonomy is a classification system for environmentally sustainable economic activities.

The section below presents, as a non-financial parent company, the proportion of the Group’s revenue (turnover), capital expenditure (capex) and operating expenses (opex) for the 2024 financial year, associated with economic activities eligible for the Taxonomy in accordance with Article 8 of the Taxonomy Regulation and Article 10 (2) of the Delegated Act supplementing Article 8 of the Taxonomy Regulation.

For the 2024 financial year, OVHcloud was required to disclose the alignment of the Group’s activities under the two climate change objectives and just the proportion of its activities that were eligible under the following objectives: sustainable use and protection of water and marine resources ("WTR"), transition to a circular economy ("CE"), pollution prevention and control ("PPC") and protection and restoration of biodiversity and ecosystems ("BIO").

OVHcloud has analysed the technical criteria for the activities presented below in accordance with Regulation (EU) 2021/2139 as amended by Regulation (EU) 2023/2485 and has taken into account the various interpretations and frequently asked questions (FAQs) published by the European Commission, in particular, those dated 19 December 2022.

Summary of European Taxonomy indicators

On the basis of the analyses carried out, a significant proportion of the Group's activities is eligible for the Taxonomy under Activity 8.1 Data processing, hosting and related activities described in Annex I of the Delegated Act on the climate change mitigation (“CCM”) target and CE activity 5.5 Product-as-a-service and other circular use- and result-oriented service models.

The eligible and aligned proportions under Activity CCM 8.1 Data processing, hosting and related activities of the three financial indicators required by the text – revenue, capex and opex – are presented below on the basis of consolidated IFRS data for the financial year ended 31 August 2024.

Table 1 – Proportion of economic activities eligible and not eligible for the Taxonomy in the Group’s revenue, capex and opex

The proportion of revenue eligible for the Group's datacenter activities (CCM 8.1) increased by one point compared with the previous financial year, while those for capex and opex fell by 16 and 19 points respectively. This decrease is the result of OVHcloud's ongoing and proactive pursuit of improving the granularity of its capex and opex analysis.

In particular, this results in increased alignment of revenue and capex, with the datacenters aligned in the 2024 financial year unchanged from the previous financial year.

Determination of OVHcloud's economic activities eligible for the European Taxonomy

The term “economic activity eligible for the Taxonomy” refers to any economic activity described in the delegated acts supplementing the Taxonomy Regulation, whether or not it meets some or all of the technical review criteria set out in these delegated acts.

In order to carry out its analysis, the Group took into account all of the delegated acts describing the Taxonomy activities, namely:

• the "Climate Delegated Act” (EU 2021/2039) published in April 2021 specifying the technical environmental screening criteria for the first two climate objectives; and
• the "Environment Delegated Act” (EU 2023/2486) published in June 2023, which sets out the economic activities relating to the four other environmental objectives.

The Group’s eligible economic activities have been analysed on the basis of OVHcloud’s service offerings (as detailed in Chapter 1 of this Universal Registration Document) and have been assigned to the following economic activities, in accordance with the six environmental objectives of the Taxonomy.

An the beginning of the 2023 financial year, a significant proportion of the Group’s activities was considered eligible under Activity 8.1 Data processing, hosting and related activities for the climate change mitigation target. Offerings based mainly on services for the provision of storage capacity (“hosting”) meet the description of this activity. The following offerings are therefore considered eligible:

• Private Cloud offerings (Bare Metal Cloud and Hosted Private Cloud) in their entirety, corresponding to offers for the provision of either dedicated physical servers or cloud capacities running on dedicated physical servers (see Section 1.3.1.1 of this Universal Registration Document for more details on the solutions proposed by the Group).
• Public Cloud offerings in their entirety (see Section 1.3.1.2 of this Universal Registration Document for more details on the solutions offered by the Group). The PaaS and SaaS solutions offered by OVHcloud and hosted directly on the Group’s infrastructures are considered eligible insofar as OVHcloud has control over the physical equipment and can act on its energy efficiency.
• “Web Cloud & Other” offerings only for the “Web hosting” and “Services” part, corresponding to the hosting of customer websites on the Group’s physical servers and the assistance necessary for the proper functioning of the equipment and compliance with the Group’s commitments under all of its offerings (see Section 1.3.1.3 of this Universal Registration Document for more details on the solutions proposed by the Group). Offerings or solutions relating to domain names, telephony and connectivity are not considered eligible to date because they are not directly related to the physical servers.

In general, all the solutions offered by OVHcloud, hosted directly on physical servers belonging to the Group or directly controlled by the Group, were deemed eligible for the European Taxonomy under Activity 8.1 of the climate change mitigation target.

When considering the climate change adaptation objective ("CCA"), CCA Activity 8.1 Data processing, hosting and related activities is not considered to be an enabling activity by Annex II of the Climate Delegated Act. For this reason, OVHcloud cannot consider the revenue relating to this activity as eligible, as set out in the Eligibility FAQ of 2 February 2022.

In analysing the activities under the transition to a circular economy objective, the Group identified activity CE 5.5 Product-as-a-service and other circular use- and result-oriented service models which consists of providing customers with access to products by means of service models. OVHcloud provides its customers with access to computer servers, which they can use. OVHcloud’s offerings eligible under Activity CCM 8.1 are therefore also eligible under CE 5.5.

In addition, OVHcloud designs and manufactures its own servers at its two sites in Croix (France) and Beauharnois (Canada) for its own use, as described in section 3.2.1.1 of this Universal Registration Document. The Group has therefore included CE 1.2 Manufacture of electrical and electronic equipment in its eligibility analysis. However, in the case of the manufacture of servers that the Group uses solely for its offerings, the capex relating to the manufacturing activity is taken into account and eligible under CE 5.5 Product-as-a-service and other circular use- and result-oriented service models.

OVHcloud has not identified any eligible activities linked to the objectives of sustainable use and protection of water and marine resources, pollution prevention and control, or the prevention and restoration of biodiversity and ecosystems.

The table below summarises for which environmental target the activities are considered eligible:

Determination of OVHcloud's economic activities aligned with the European Taxonomy

Unlike eligibility, which is solely based on the description of the activities, alignment takes into account the substantial contribution criteria, the "do no significant harm" principle and the minimum safeguards. For the financial year ended 31 August 2024, the alignment analysis concerns only the first two climate objectives, in accordance with the Taxonomy Regulation.

With regard to Activity 8.1 ‒ Data processing, hosting and related activities, the Group has analysed its alignment with objective 1 ‒ climate change mitigation (CCM) and objective 2 – climate change adaptation (CCA).

Substantial contribution criteria

The Group has analysed the three cumulative substantial contribution criteria for Activity 8.1 Data processing, hosting and related activities with respect to the mitigation objective as follows:

Do no significant harm ("DNSH")

In order to validate the alignment of its datacenters with Activity 8.1 of the climate change mitigation objective, OVHcloud then ensured compliance with the DNSH criteria for all its datacenters meeting the substantial contribution criteria (see details above).

Minimum safeguards applicable to all the Group’s Taxonomy-eligible activities

Lastly, OVHcloud has ensured that the minimum safeguards have been met. The Group has a set of policies and processes in place to ensure that it meets the Taxonomy requirements in the areas of:

• human rights and labour law (see Section 3.3.1 – Collectively attracting and developing talent within a diverse and inclusive company, Section 3.3.2.2 – Collaborating with suppliers in a responsible purchasing approach, and Section 3.3.2.3 – Ethics and business conduct);
• competition (see Section 3.3.2.3 – Ethics and business conduct);
• corruption (see Section 3.3.2.2 – Collaborating with suppliers in a responsible purchasing approach, and Section 3.3.2.3 – Ethics and business conduct);
• tax (see Section 2.1.2.4 – Financial risks and Section 3.3.3.2 – Local presence and socio-economic impact).

The Group has put in place procedures for identifying, analysing, monitoring, evaluating and updating all the pillars.

The Group asks its suppliers to sign the supplier Code of Conduct, which provides that human rights, and in particular the principles set out in the Universal Declaration of Human Rights, must be respected. The Group continues to analyse human rights across its entire value chain.

OVHcloud complies with the provisions of the Sapin II Act of 9 December 2016.

Lastly, the Group has not been convicted for material breaches of any of the various aspects of the minimum safeguards.

Methodology for evaluating European Taxonomy indicators

The scope considered for the estimation of the three indicators is the Group consolidated scope as defined in Note 5.5. to the 2024 consolidated financial statements presented in Chapter 5 of this Universal Registration Document.

Eligible and aligned revenue

The proportion of economic activities eligible for the Taxonomy in OVHcloud's consolidated revenue was obtained by dividing the share of revenue generated by the sale of services associated with economic activities eligible for the Taxonomy (numerator) by the net revenue (denominator), in each case for the financial year from 1 September 2023 to 31 August 2024.

Denominator

The denominator of the revenue indicator is based on OVHcloud's consolidated revenue, in accordance with IAS 1.82 (a) (see Note 4.3. to the 2024 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

Numerator

The numerator of the indicator is defined as the proportion of net revenue generated by services associated with the economic activities eligible for the Taxonomy, as described above in the paragraph “Determination of OVHcloud's economic activities eligible for the European Taxonomy” in this section. This share was estimated on the basis of OVHcloud's management reports including the level of detail necessary for direct reading.

The aligned revenue corresponds to the revenue generated by the datacenters that have been audited by the independent third party and certified as compliant with the Code of Conduct. On the basis of the revenue generated by these datacenters, the Group has applied the allocation key described in the previous section, "Substantial contribution criteria", in order to retain only the revenue generated by watercooled servers.

At 31 August 2024, the proportion of eligible and aligned revenue was 89% and 66%, respectively, as shown in the table below:

For activities identified under multiple environmental objectives in the Taxonomy, the breakdown is as follows:

Eligible capital expenditure (capex)

The capex indicator is calculated by dividing capex eligible for the Taxonomy (numerator) by total capex (denominator).

Denominator

Total capex (the denominator) includes acquisitions of property, plant and equipment and intangible assets during the financial year, before depreciation/amortisation and before any remeasurement, including remeasurements resulting from revaluations and impairments excluding changes in fair value. It includes acquisitions of property, plant and equipment (IAS 16), intangible assets (IAS 38), right-of-use assets (IFRS 16), as well as additions resulting from business combinations (see Notes 4.10, 4.11 and 4.23 to the 2024 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

The table below shows the reconciliation of total Taxonomy capex in the Group's consolidated financial statements:

Numerator

The numerator consists solely of capex related to assets or processes essential to the performance of the economic activities eligible for the Taxonomy (“category a”), which represent almost all of the capex for the financial year.

As capex is not currently monitored by service offering in the Group’s reports, a detailed analysis by type of asset was carried out and led to the following capex being considered essential for the execution of eligible economic activities:

• the alignment of all capex relating to infrastructures (hardware) and their operation (fibre, network, IP addresses, components, maintenance) was determined using an allocation key based on the ratio of servers operated for an eligible economic activity to the total number of servers operated by the Group;
• the eligible proportion of capitalised R&D costs was estimated at the level of each project, in order to obtain more relevant information in terms of granularity:
  • 100% of capitalised R&D costs relating to infrastructure efficiency improvement projects (equipment or software) were considered eligible as they were related to eligible economic activities;
  • capitalised R&D costs not related to projects involving eligible activities were considered ineligible;
• the eligible proportion of right-of-use assets (IFRS 16) was determined at the level of each datacenter, using an allocation based on the ratio of servers operated for an eligible economic activity to the number of servers hosted in the datacenter.

In order to determine the aligned proportion of this eligible capex, the Group used an allocation key based on the alignment percentage of each datacenter, weighted by the number of servers hosted in each datacenter. This allocation key has only been used for eligible capex relating to infrastructures (hardware) and their operation (fibre, network, IP addresses, components, maintenance).

At 31 August 2024, the proportions of eligible and aligned capex stood at 83% and 50%, respectively, as shown in the table below:

For activities identified under multiple environmental objectives in the Taxonomy, the breakdown is as follows:

Eligible operating expenses (opex)

The indicator relating to opex is calculated by dividing opex eligible for the Taxonomy (numerator) by total opex (denominator).

Denominator

Total opex as defined by the Taxonomy refers to non-capitalised costs related to research and development, building renovation measures, short-term leases, maintenance and repairs, and all other direct expenses related to the daily use of property, plant and equipment.

Thus, total opex as defined by the Taxonomy represents approximately 31% of the Group's total opex, compared with 33% the previous year, amounting to €119.6 million and corresponding to the sum of personnel expenses, operating expenses, depreciation and amortisation and other non-recurring operating expenses (see Notes 4.4, 4.5, 4.6 and 4.7 to the 2024 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

Numerator

As the Group's opex is monitored by segment but not on a granular level by service offering, allocation keys were used to identify the proportion of economic activities eligible for the Taxonomy in opex:

• maintenance and repair costs, as well as rental contract costs, have been allocated to the number of servers used in an eligible economic activity, based on the number of servers hosted in the datacenter;
• the proportion of eligible non-capitalised R&D costs has been estimated at the level of each project, in order to obtain information at a more granular level:
  • 100% of non-capitalised R&D costs relating to projects to improve infrastructure efficiency (equipment or software) were considered eligible, as they related to eligible economic activities,
  • non-capitalised R&D costs not relating to projects involving eligible activities (projects relating to support functions and projects relating to telephony, connectivity and domain names) were considered ineligible.

In order to determine the aligned portion of this eligible opex, the Group used an allocation key based on the alignment percentage of each datacenter, weighted by the number of servers hosted in each datacenter. This allocation key was only used for eligible opex.

At 31 August 2024, the proportions of eligible and aligned opex amounted to 59% and 42%, respectively, as shown in the table below: