Presentation of the Group

1.1History

OVHcloud’s position as the leading European cloud provider traces its roots to its founding in 1999 as an internet hosting company in France. Over the past 26 years, OVHcloud has developed significantly, initially by expanding its infrastructure and growing its presence within Europe, and then by diversifying its cloud offerings and expanding its operations globally.

Key developments

1.2The cloud computing market

1.2.1Cloud computing

Cloud computing means providing users with storage, computing and network resources on demand. Cloud resources are located in datacenters that house servers and equipment used to process, store and transmit data. Users of cloud computing services can access stored data and instruct processing units to perform computing functions automatically, without the need for human interaction, minimising the computing and storage capacities needed on their devices (such as personal computers, tablets and mobile phones). Wherever they are located, as long as they have an internet connection, users are able to access IT services through the cloud.

Businesses can establish and operate their own datacenters using internal IT staff, or they can outsource some or all functions to cloud service providers such as OVHcloud. For many businesses, the time and financial investment required makes proprietary cloud computing less attractive than outsourcing, which means paying only for the resources they actually use. Additionally, it can be difficult for businesses that are not specialised in IT services to innovate at the requisite levels in order to ensure that their cloud infrastructure provides them with adequate services and protections, such as data security. Internal IT systems also might not be sufficiently scalable to meet peak-load demands (unless businesses maintain costly excess capacity).

Servers maintained in datacenters can be used for multiple functions, each of which is accessed through a “virtual machine” created on the server. The virtual machines are operated and separated from one another through a software platform known as a “virtualisation stack.” Each virtual machine can have its own operating system that permits users to develop and run applications. Through a function known as a “hypervisor,” the server’s capacity is allocated to the virtual machines in accordance with the demands of users. Furthermore, software applications have been written to be bundled in “containers” that run directly on the operating system of the server itself, coordinated through platforms known as “orchestration” systems, which generally take up less space and can provide better performance than hypervisor-based virtualisation stacks.

The ability to create multiple virtual machines in each server or to deploy container-based systems allows a cloud service provider to allocate its capacity among multiple user groups or customers in a secure manner. Service providers can dedicate a server to a single customer (a “Private Cloud” system), allocating the server’s capacity among user groups authorised by the customer. Alternatively, a server can be shared among multiple customers (a “Public Cloud” system). Private Cloud customers generally pay monthly charges for dedicated capacity, whether or not they use that capacity. Public Cloud customers generally pay for the capacity they actually use.

In order to optimise the cost of cloud services, many businesses are deploying “hybrid cloud” strategies, in which they combine on-premises or outsourced Private Cloud capacity for their most sensitive functions and data, with Public Cloud capacity for their less sensitive needs. Customers are also deploying “multi-cloud” strategies, purchasing cloud services from several providers. To meet the growing demand for hybrid cloud and multi-cloud services, a cloud provider must offer packages that allow the various solutions to function as an integrated whole.

Cloud computing encompasses a range of services that include providing access to infrastructure (Infrastructure-as-a-Service or “IaaS”), selecting and operating platforms such as operating systems, virtualisation stacks and security systems (Platform-as-a-Service or “PaaS”), and offering applications that are developed and can function on cloud platforms (Software-as-a-Service or “SaaS”). These features are illustrated in the following graphic:

The cloud solutions market also includes Web services targeted mainly at individuals and small and medium-sized businesses. The Web Cloud market largely consists of web and domain hosting, including leasing servers for websites, selling secondary services (such as software packages) and domain name registration, renewal and transfer services.

1.2.2A large and fast-growing market(1)

1.2.2.1Overview of the cloud market

Market size in 2025

OVHcloud holds leading positions in Europe, based on revenue, in Private Cloud services. OVHcloud is also recognised by IDC and Forrester for the strength of its Public and Private Cloud offerings.

The estimated potential growth figures are necessarily subject to uncertainty, and actual growth may prove to be different (possibly significantly so) from the figures below.

In 2025, the global market for IaaS and PaaS cloud offerings was estimated at approximately €401-425 billion. This includes an IaaS market of an estimated €215-229 billion and a PaaS market estimated at €186-196 billion.

The IaaS market includes an estimated amount of €30.5-34.5 billion in 2025 for Private Cloud services (including Bare Metal Cloud) and the rest for the Public Cloud.

Segments linked to public services, health, financial services, professional services and telecommunications are particularly sensitive to data sovereignty. Data sovereignty encompasses, more specifically, the importance of providing customers with assurance that cloud providers have full control over the management and localisation of their data.

The European data sovereignty market was worth over €10 billion in 2025, representing around 15% of the total European market, and is expected to grow by 76% a year over the 2022-2027 period(2).

For several years, OVHcloud has been developing a trusted offering that complies with European Union Member States’ security standards. OVHcloud has been SecNumCloud-certified by ANSSI (the French cybersecurity service providing protection against non-European laws) in France since 2021. The label was reissued for three years in December 2023. OVHcloud built its Hosted Private Cloud powered by VMware offering on this basis in 2021. In addition, in 2025, the new Bare Metal Pod offering (stand-alone rack of servers dedicated to each customer) is now SecNumCloud 3.2 certified by ANSSI. In Europe, the Group has had several of its products certified by trusted standard-setters in Italy (ACN), Spain (ENS) and Germany (C5), for example.

1.2.2.2Private and Public Cloud market trends

OVHcloud believes the cloud market’s strong growth trend should continue in the coming years because the market benefits from the following robust structural levers:

• the “Move to Cloud” dynamic for most companies and users;
• the rise of multi-cloud (having several cloud providers) and hybrid cloud (having several types of cloud) solutions;
• strong demand for artificial intelligence;
• the growing importance of data sovereignty;
• the increasing number of customers seeking affordable cloud solutions.

The global IaaS and PaaS markets are set to grow at a compound annual rate of around 20% between 2024 and 2027.

OVHcloud believes the market’s growth has been and should continue to be driven by a steady increase in corporate IT spending, and a continued trend towards outsourcing, particularly with respect to cloud-related IT spending.

Although OVHcloud predicts sharp growth in each market segment, the growth rate may vary significantly by segment, driven by specific usages and customer requirements:

• Public Cloud is expected to be the most dynamic segment, with annual global growth of over 20% from 2024 to 2027, driven by high scalability and the wide range of potential uses of Public Cloud services;
• Private Cloud is also expected to grow substantially, as businesses seek to combine outsourcing and data privacy needs. OVHcloud believes this growth will be fuelled by a continued trend for outsourcing, the development of hybrid cloud and multi-cloud solutions, and an increasing need for dedicated, secure solutions with robust data privacy protections, which are more difficult to guarantee on the Public Cloud.

The PaaS market is expected to grow at a rate of more than 20%, driven in particular by artificial intelligence and database management.

The cloud services market is also evolving rapidly, changing some of the main factors driving market growth, particularly for business customers. While overall growth reflects a need to store and process ever-increasing amounts of data, OVHcloud believes the market is placing a greater emphasis on topics such as data sovereignty, data security and the environmental impact of datacenter management.

1.2.2.3The Web Cloud services market

The global web and domain hosting market was estimated to be worth around €6.5 billion in 2025. OVHcloud operates in the Web Cloud market through website hosting and domain name registration, as well as through the provision of internet access services and voice over internet protocol solutions.

Europe’s Web Cloud market is more mature than the Private and Public Cloud market. OVHcloud expects the web and domain hosting market in Europe to continue to grow in the coming years, though perhaps at a slightly slower rate than previously.

OVHcloud believes future market growth will be driven by the fact that a web presence is seen as critical for many businesses, as well as opportunities for both cross-selling and upselling of additional services to existing Web Cloud users.

1.2.3A European cloud leader

The global Private Cloud market is fragmented, with the top five players representing less than half of the market. OVHcloud believes it is one of the two main providers of Private Cloud services in continental Europe, along with IBM Cloud. 

In the recent Blueprint 2025-2026 study, Exaegis – an audit and rating firm that specialises in rating digital suppliers – recognised OVHcloud as a Leader in Trusted Cloud Solutions. The Blueprint® Trusted Cloud Solutions study is an essential decision-making tool for French executives and IT managers alike. This recognition rewards the collective commitment of OVHcloud teams to a sovereign, secure and sustainable cloud.

The Public Cloud market is dominated by the so-called hyperscalers, Amazon Web Services, Microsoft Azure and Google Cloud Platform, which together represented approximately 70% of the worldwide Public Cloud market in March 2024.

Based on customer feedback, OVHcloud believes the key factors driving the selection of a cloud services provider include the price/performance ratio, continuity and reliability of service, technical performance, data security/sovereignty and datacenter location. The price/performance ratio is the most significant criterion in the Bare Metal Cloud segment, while continuity and reliability of service are of approximately equal importance with price/performance in the Hosted Private Cloud segment, and represent the most important factor in the Public Cloud segment. In the Public Cloud segment, the choice of supplier also takes into account the reversibility and flexibility provided by the use of open source technologies and the pay-per-use model, respectively.

OVHcloud currently has PaaS offerings in areas such as storage, data management and artificial intelligence integrated with its IaaS offerings, and is in the process of expanding its presence in the PaaS market. As part of its growth strategy, OVHcloud plans to continue expanding the PaaS components of its offerings and to continue its development in the field of artificial intelligence. Thanks to the complementary nature of these PaaS offerings and its extensive IaaS catalogue, OVHcloud is able to offer an attractive alternative to its customer base comprising large companies and technology companies. 

1.3Business

1.3.1A comprehensive range of solutions

1.3.1.1Private Cloud

OVHcloud provides two main Private Cloud offerings: Bare Metal and Hosted Private Cloud.

Bare Metal Cloud

OVHcloud’s Bare Metal Cloud service provides dedicated physical servers to customers, who have full control over the server, including the choice of operating system. The Bare Metal Cloud allows them to have a similar experience to the one they would have with on-premises solutions managed by their internal teams, while taking advantage of the benefits offered by outsourcing.

OVHcloud’s main Bare Metal Cloud offering consists of high-end servers and mid-to-high-level services. OVHcloud also has a lower-priced offering marketed as part of the “Eco” range, which uses refurbished servers that provide quality services at a reduced cost, while improving environmental efficiency.

Bare Metal Cloud services provide business customers with high-level computing power and strict service level agreements in a secure environment appropriate for sensitive data applications. The server can be customised to meet customer requirements and can be operated without allocating the server’s capacity to virtual machines through a hypervisor, allowing the customer to use the server’s full capacity. Any unused capacity can be deployed within minutes, although the total capacity is limited by that of the dedicated server.

Bare Metal Cloud customers pay monthly fees that depend on the performance levels they select. They may also choose options (such as server customisation or data backup) for additional fees.

The main uses of Bare Metal Cloud services include the computation of complex data, low latency operations, streaming, online gaming and critical business applications such as ERP and CRM.

In 2025, OVHcloud launched Bare Metal Pod, a sovereign infrastructure that is SecNumCloud 3.2 certified by ANSSI and dedicated to offering the power of the cloud combined with the physical isolation of Bare Metal servers, designed to host critical or sensitive environments.

Hosted Private Cloud

OVHcloud offers Hosted Private Cloud services to its business customers, providing servers fully managed by OVHcloud, including the operating system and the virtualisation layer, in partnership with VMware or Nutanix offerings.

1. VM: virtual machine.

OVHcloud’s Hosted Private Cloud services provide customers with private access to servers that can be customised to satisfy their specific requirements. They meet the needs of customers seeking isolation and security, scalable resources and resilience.

The main uses for Hosted Private Cloud services include deployment in hybrid cloud strategies, media encoding, big data analytics and disaster recovery, as well as the storage and processing of sensitive data in key sectors such as healthcare, finance and the public sector.

Since 2021, OVHcloud has been offering SecNumCloud-certified Hosted Private Cloud services. SecNumCloud certification gives customers the assurance of choosing solutions that comply with the highest ANSSI security standards, as well as the guarantee of having solutions tailored to the sensitive data of public authorities and businesses.

On-Prem Cloud Platform

In 2025, OVHcloud launched On-Prem Cloud Platform, a ready-to-use on-premises cloud platform. The launch was marked by the signing of a commercial contract with DEEP. On 31 March 2025, DEEP, part of POST Group, the leader in telecoms and ICT, postal and postal financial services in Luxembourg, and OVHcloud signed a strategic partnership to develop a sovereign cloud in Luxembourg. The DEEP Sovereign Cloud will be based on OVHcloud's On-Prem Cloud Platform (OPCP): an integrated cloud platform (hardware and software), which will be hosted and operated autonomously by DEEP in its own Tier IV certified data centres in Luxembourg, in an offline mode.

1.3.1.2Public Cloud

OVHcloud offers Public Cloud solutions based on open source technologies such as OpenStack (a platform for deploying processing, storage and networking resources) and Kubernetes (a container orchestration platform that has become a market benchmark). The use of these standard platforms provides customers with easy data transfer capability and deliberately transparent access to source code, facilitating reversibility and eliminating “vendor lock-in”. This feature of the OVHcloud offering is particularly attractive for customers looking to deploy multi-cloud strategies.

Public Cloud solutions provide users with virtually unlimited computing capacity, with the only constraint being the demands of other users and the total installed capacity of the cloud provider. It is possible to deploy new Public Cloud instances automatically and in seconds. As the Public Cloud service is based on shared servers, customisation options are defined by OVHcloud. The flexibility of the hardware architecture offers high service levels.

Public Cloud customers pay usage fees for the capacity they actually use. The OVHcloud model offers much more predictability than models used by hyperscalers and many other competitors. In particular, unlike hyperscalers, OVHcloud does not charge additional fees for outgoing data transfers or API calls, except for block and archive storage, and for services located in Asia-Pacific.

The Group’s Public Cloud offering provides three core cloud computing services: computer performance, storage and network capabilities.

Customers of OVHcloud’s Public Cloud solutions can choose fully scalable Public Cloud services on virtual machines that are hosted on shared servers and networks.

OVHcloud’s Public Cloud service is attractive for customers seeking highly scalable resources, with significant peak management demands across multiple access locations, and a high degree of resilience. This service is used for applications with high-demand bursts and services that use large volumes of data, such as video and music streaming.

OVHcloud’s Public Cloud customers can also choose from a number of on-demand (SaaS) software running on OVHcloud’s Public Cloud servers. In particular, OVHcloud offers its customers access to Microsoft Exchange messaging and calendar solutions, SharePoint data storage and management solutions, and the Office365 business software suite.

As of this year, OVHcloud offers Public Cloud products in the 3-AZ Paris region. This region offers businesses and organisations a presence in three geographically close datacenters (AZ or Availability Zones) so that they can benefit from high resilience and low latency between the three datacenters.

1. VM: virtual machine.

Virtual private servers

OVHcloud also offers a virtual private server option, providing IT capabilities located on shared servers, but with virtual machines isolated through the use of virtual private networks.

The virtual private server option is attractive to customers seeking tailored resources, particularly for short-term operations with volatile workloads and server demand. Virtual private server solutions are used primarily for applications testing and other one-time projects, the management of short-term peak loads and backup functions.

1. VM: virtual machine.

Platform-as-a-Service (PaaS)

As part of its growth strategy, OVHcloud is developing and implementing a comprehensive PaaS offering, overlaying its Private Cloud and Public Cloud IaaS products. In addition to developing products in-house, OVHcloud has announced several partnerships and acquisitions in order to accelerate its development plan, enabling it to offer more than 80 IaaS and PaaS solutions to its customers by the end of the 2024 financial year, mainly in the following areas:

• Storage. OVHcloud now offers its customers a comprehensive portfolio of storage solutions such as Object Storage S3 (High Performance and Standard), Block Storage, File Storage, Snapshot & Backup and Archive;
• Database-as-a-Service. Data management software allows users to manage their databases to enable queries and updates. It includes programmes that execute queries on data and provide visual representation of the data in formats such as spreadsheets, enabling users to build applications faster and automate database management. OVHcloud announced a partnership with MongoDB in April 2021 and a partnership with Aiven in July 2021 to make several types of database available on the OVHcloud infrastructure;
• AI, Machine Learning & Analytics. Artificial intelligence and analytics solutions include tools and services that support data analysis and presentation. OVHcloud is particularly advanced in high-performance computing solutions for artificial intelligence and machine learning, and intends to continue its development in this area. In April 2022, OVHcloud announced the acquisition of ForePaaS, a company specialising in analytics. Over the last two years, OVHcloud has strengthened its artificial intelligence product offering, including AI Notebook, AI Deploy, AI Training, AI App Builder and AI Endpoint, a platform that uses an application programming interface (API) to provide easy access to numerous pre-trained artificial intelligence models (LLM, voice, image, etc.) for rapid integration into applications;
• Security & Encryption. OVHcloud is expanding its offering of identity access management and encryption solutions, including end-to-end encryption that secures customer data in all states. In July 2021, OVHcloud announced the acquisition of BuyDRM, a US company specialising in this area;
• Application platforms. Application platforms are back-end server software solutions that provide developers with a runtime and development environment.

1.3.1.3Web Cloud and Other

OVHcloud has offered Web Cloud services since its founding in 1999. With its leading position in the French market and strong positions elsewhere in Europe, the Web Cloud offering provides a stable, recurring revenue base and regular growth.

OVHcloud offers three principal solutions to Web Cloud customers:

• Web hosting and domain names. This includes the leasing of capacity on servers, allowing customers to connect their websites to the internet, as well as domain name registration, renewal and transfers. Customers can choose basic packages offering just one or a few websites, or packages targeted at professionals and developers that wish to host multiple websites, together with email addresses and storage options. OVHcloud offers its customers additional services, such as Secure Socket Layer (SSL) certificates, which enable secure connections between a web server and a browser;
• Telephony and connectivity. Customers can purchase VoIP (Voice over IP) systems for use as switchboards and interactive voice response systems. OVHcloud also offers customers internet access through ADSL and fibre networks, with basic and professional packages;
• Support and services. OVHcloud offers its customers additional levels of support and services, including a range of support, expertise and online services. There are two levels of support offering: i) Business, which corresponds to the level suitable for production environments, or ii) Enterprise, which offers a key account experience for critical production environments. Additional services are proposed in the Professional Services offering, which provides access to technical support and advice during infrastructure migration or IT architecture changes.

OVHcloud’s main customers in the Web Cloud segment are small and medium-sized businesses, as well as certain individual customers and entrepreneurs. Web Cloud customers generally seek secure and reliable web and communications services to establish their web presence, and to digitise business functions.

1.3.2Customer segmentation

OVHcloud serves approximately 1.6 million customers, including large corporates, public entities, small and medium-sized businesses, and a wide range of individual customers.

The customer base is highly diversified, with the top 50 customers representing approximately 11% of FY2025 revenue, and the top 500 customers approximately 26%.

In order to understand and respond as effectively as possible to the needs of these customers, OVHcloud’s sales strategy is based on three sales channels, each with its own sales strategy: Digital Starters, Digital Scalers and Corporate.

Digital Starters

Historically, OVHcloud has occupied a strong position with Digital Starters, whether or not they specialise in technology. The Digital Starters sales channel targets customers with a digital channel and less than €25,000 in ARR (annual recurring revenue). OVHcloud offers these customers solutions with the best performance/price ratio and that are fast and flexible thanks to a fully digital pathway, with no direct human contact.

OVHcloud’s customers subscribe to OVHcloud products and services through digital marketing channels, attracted by rapid access to services and the ability to select from a broad range of solutions that can be customised on OVHcloud’s website to address their requirements. The customer’s experience on the site is carefully structured and, after the sale, high-potential customers are identified to capitalise on up-sell and cross-sell opportunities.

The sales strategy for this channel is particularly effective for penetrating new geographical regions, as it allows OVHcloud to gradually progress in new markets, with a limited financial commitment, before expanding with local physical sales teams.

The Digital Starters channel accounts for around 53% of 2025 revenue and has achieved a compound annual growth rate (CAGR) of 4.6% over the last three years.

Digital Scalers

The Digital Scalers channel targets customers with a digital strategy and more than €25,000 in ARR (annual recurring revenue).

These customers, mostly fast-growing digital players, are looking for secure high-performance cloud solutions.  In response to their advanced technical needs and strong capacity for innovation, OVHcloud offers Digital Scalers tailored support to enhance their performance, led by dedicated account managers throughout the full customer life cycle.

To further support these innovative customers, OVHcloud has also developed specific programmes, such as a dedicated programme for startups and the Open Trusted Cloud initiative.

The Digital Scalers channel accounts for around 28% of 2025 revenue and has achieved a compound annual growth rate (CAGR) of 20.8% over the last three years.

Corporate

OVHcloud's Corporate strategy combines direct and indirect sales to meet the needs of large corporates, SMEs and public entities for their cloud migration projects. 

This channel is supported by an internal sales team and extensive network of over 1,300 integrator partners - including major players such as Accenture and Capgemini. The channel mainly targets public sector companies and medium-sized and large traditional companies which are not, by nature, digital businesses, and which are looking for performance, security, sovereignty and enhanced support in their digital transformation. 

This model is particularly well suited to procurement and highly regulated sectors such as healthcare and finance. As the European leader in data sovereignty, OVHcloud meets the most stringent compliance requirements:

• SecNumCloud-certified solutions that comply with ANSSI standards for the public sector;
• HDS certifications for processing medical data in France and HIPAA certifications for the United States.

In total, the Corporate channel accounts for around 19% of 2025 revenue and has achieved a compound annual growth rate (CAGR) of 12.0% over the last three years.

1.3.3Geographical footprint

OVHcloud has developed a global footprint with a strong customer base in Europe, the United States and Asia. Geographical expansion is a significant part of OVHcloud’s growth strategy.

In 2025, OVHcloud generated 48.0% of its revenue from customers located in France, 29.2% from customers located elsewhere in Europe, and 22.8% from customers located in the Rest of the World.

As part of its geographical expansion strategy, OVHcloud has established geographical groupings in clusters based on common features such as languages and cloud usage trends. 

The sales clusters operate on the basis of a strategy that combines global efficiency and local service. In its clusters, OVHcloud offers services such as local language e-commerce sites and support, and dedicated partner and startup programmes, as well as local sales staff attuned to trends in the markets they serve.

1.4Strategy and targets

1.4.1A strategy built around four pillars

Since 2021 and its IPO, OVHcloud has been deploying its strategic roadmap. The Group has succeeded in:

• developing key customer segments with average ARPAC(3) growth of 60% between 2021 and 2025;
• addressing a broader market by currently offering customers over 40 Public Cloud products;
• extending its geographical footprint with the opening of 11 new datacenters since 2021, to reach 44 datacenters by the end of FY2025;
• investing in internal development with cumulative growth capex of around €1,100 million between 2021 and 2025, and external growth opportunities, with three acquisitions since 2021 (BuyDRM in security, ForePaaS in data management, and gridscale, to open Local Zones with minimum capital intensity).

Following these significant investments, OVHcloud introduced a new plan centred around four strategic pillars: (i) Be the data sovereignty reference, (ii) Innovate for next tech revolutions, (iii) Deliver sustainable and profitable growth, and (iv) Maximise cash generation.

Be the data sovereignty reference

OVHcloud already benefits from a structural advantage in that it is not subject to extraterritorial laws, and has developed a successful strategy of certifications with national and international regulators.

In the coming years, the Group will continue to expand its range of certified products, in particular with plans to extend SecNumCloud certification in France to its Public Cloud by end-2025. In addition, this year OVHcloud launched Bare Metal Pod, a sovereign infrastructure that is SecNumCloud 3.2 certified by ANSSI and dedicated to offering the power of the cloud combined with the physical isolation of bare metal servers, designed to host critical or sensitive environments.

In addition, specific services are currently being developed to respond even more precisely to the needs of certain verticals, in particular the public sector and healthcare.

Innovate for next tech revolutions

Innovation is at the heart of OVHcloud’s DNA, and the Group will continue to invest to innovate and prepare for the upcoming technological revolutions, such as artificial intelligence – which is already underway – and quantum computing in the medium term.

With regard to artificial intelligence, OVHcloud is continuing to strengthen its offering, in particular by developing AI solutions that guarantee customer data confidentiality and data sovereignty. OVHcloud offers its customers a broad portfolio of NVIDIA Tensor Core GPUs (H100, A100, L4, L40S) accessible in the Public Cloud and top-of-the line AI models integrating the latest open-source LLMs, like Mistral 8x22B or Llama3, which are notably available on the shelf via the OVHcloud AI Endpoints serverless solution. AI is opening up new opportunities and is at the heart of a revolution, creating extremely high stakes, especially in terms of intellectual property and data confidentiality.

OVHcloud is also ahead of the curve on quantum computing, which will be one of the next technological revolutions of the 21st century. OVHcloud is the only European cloud provider to offer its customers five quantum notebooks and one quantum emulator. The Group supports 14 leading quantum startups and owns one Quandela photonic computer.

Furthermore, in September 2025, OVHcloud became the first global player to strengthen website access security using a quantum computer. In association with Quandela, the Group has introduced quantum entropy-enhanced SSL certificates, improving the random generation of encryption keys.

Deliver sustainable and profitable growth and maximise cash generation

Since 2021, OVHcloud has opened more than eleven new datacenters, invested significantly in the development of new products and set up a programme to improve the resilience of its infrastructure.

Over the next few years, OVHcloud plans to optimise the utilisation rate of its datacenters, which stood at 66% at 31 August 2025 (up six points compared to 2024), improve inventory management and stabilise investments in new products in absolute value terms.

Lastly, the Group expects to reduce one-off investments (hyper-resilience plan, IPv4 purchases and improvement of inventories linked to supply chain tensions) between now and 2026.

OVHcloud has increased its unlevered free cash flow by a factor of 2.3 to €57.6 million in FY2025 compared with FY2024. The Group aims to generate free cash flow as from 2026.

1.4.2A plan based on three growth drivers

The development plan is based on three growth drivers:

1. Products:
   • address a larger market, in particular by developing an ever-expanding range of PaaS products;
   • offer artificial intelligence solutions that respect customer data privacy;
   • expand the range of data sovereignty certified products.
2. Customers:
   • drive the acquisition of new customers, particularly through the Digital Starters channel;
   • support customer growth by continuing to develop the Digital Scalers channel;
   • leverage partners to strengthen the sales channel in order to meet the growing needs of Corporate customers for the sovereign cloud.
3. Geographies:
   • improve the occupancy rates of existing datacenters around the world;
   • deploy new locations with lower capital intensity.

1.4.32026 financial targets

After a period of major investment, OVHcloud is targeting the following financial guidance for 2026:

• organic revenue growth of between 5% and 7% compared to FY2025;
• an improved adjusted EBITDA margin compared to FY2025;
• capex representing between 30% to 32% of revenue;
• positive levered free cash flow.

1.5OVHcloud’s competitive advantages

1.5.1Data sovereignty champion with a global presence

OVHcloud is the European Cloud leader and the only non-US or non-Chinese player among the ten largest global cloud service providers(4). It is the only major player of its size that is not subject to extraterritorial laws.

In addition to its structural differentiator, OVHcloud has developed a very large number of certifications worldwide in order to comply with various national and international regulations.

1.5.2Predictable and transparent pricing

OVHcloud offers predictable and transparent prices, i.e., easy to understand with no hidden costs, and no economic lock-in (without egress fees) or technological lock-in. Prices advertised to customers include network costs, which are often one of the main unexpected variables in their monthly bills.

1.5.3An integrated industrial model that is proving its economic efficiency

OVHcloud has developed a fully integrated industrial model that enables it to be more economically efficient. The Group acquires electronic components, assembles servers, operates datacenters and develops its cloud technology (in-house or open-source). This integrated model ensures efficiency throughout the chain and limits the margins of intermediaries, while allowing the implementation of cutting-edge technologies such as watercooling.

In addition, thanks to this sustainable model, OVHcloud can recycle its servers, giving them a second and third commercial life with a retrofit. The model also enables us to customise our offering to customers and therefore to propose a particularly wide range of products.

OVHcloud has two dedicated production sites – in France and in Canada – for assembling different hardware components into servers. Once the various components have been assembled, they are transported to the datacenter and customised as necessary prior to delivery to the customer.

Since OVHcloud manufactures its servers in-house, the Group is not dependent on a third-party manufacturer, which reduces the risk of supply chain disruption.

In addition, by owning and operating its datacenters, OVHcloud has more control over each stage of the production process, which, in turn, provides its customers with more opportunities for customisation. With datacenters spread over 18 sites in ten countries around the world, OVHcloud is able to deliver servers to its customers within a short time frame: at OVHcloud’s European and North American sites, it takes approximately 14 days from server production to delivery. OVHcloud’s datacenters are generally housed in former industrial buildings, which has provided a cost advantage and has reduced its environmental impact through the repurposing of existing resources.

Used for over 20 years, OVHcloud’s watercooling technology combines watercooled servers with air-cooled datacenters, thereby removing the need for air conditioning, which has significant environmental and cost benefits. It uses direct watercooling to remove the heat from CPUs, and air – which is then cooled inside the rack using water through a heat exchanger – to remove the heat from other components. The heated water is then cooled using dry cooling towers. In addition to being highly energy and water efficient, OVHcloud’s watercooling technology also has relatively low maintenance costs.

1.5.4One of the best performance/price ratios in the industry

Thanks to its integrated model, OVHcloud is able to offer one of the best performance/price ratios in the cloud industry. 

1.5.5A sustainable cloud

Complete control of the value chain means that OVHcloud is, by design, a pioneer of the sustainable cloud. Its watercooling technology means it consumes less electricity and less water. In addition to the economic benefits, the Group has some of the best environmental ratios (audited) in the industry, with a PUE (Power Usage Effectiveness) of 1.24 and a WUE (Water Usage Effectiveness) of 0.34 L/kWh in 2025.

Patents

In order to support its research and development initiatives, OVHcloud is proactive about seeking the patents necessary to protect its intellectual property. At 31 August 2025, OVHcloud held 223 patent families, which can be broadly grouped into the following categories:

• Software. Software patents cover software-related technologies that are used in the context of installing, deploying, configuring, operating, monitoring and maintaining servers and equipment operated in datacenters. These software-related technologies cover a wide variety of fields, such as network orchestration, storage configuration and management, power supply management, health monitoring, artificial intelligence techniques used in the context of operating datacenters and higher level software applications, such as web applications. They comprise the largest percentage of OVHcloud’s portfolio: at 31 August 2025, these represented approximately 35% of patents;
• Cooling. Cooling patents cover technologies relating to systems and methods for extracting heat from electronic components, in particular from servers operating in racks stacked in datacenters. The technologies covered span from extracting thermal energy from the electronic components to rejecting extracted thermal energy into an outside environment. This category includes air cooling, liquid cooling and immersive cooling. At 31 August 2025, these represented approximately 41% of OVHcloud’s portfolio of patents;
• Electronic. Electronic patents cover technologies relating to electronic components facilitating the deployment and operation of servers in datacenters. These electronic components provide functionalities such as data exchange interfaces, power supply and/or cooling control. These patents represented approximately 12% of OVHcloud’s portfolio of patents at 31 August 2025;
• Mechanical. These patents, which represented approximately 12% of OVHcloud’s patent portfolio at 31 August 2025, cover technologies relating to the structural design of racks, support for racks, tools to be used for rack installation and structural components for heat exchangers.

1.5.6Values fostering a collaborative, entrepreneurial culture

OVHcloud was founded in 1999 by Octave Klaba, its current Chairman, who developed the business from its origins as a web hosting group to its current position as a leading cloud provider. The members of the senior management team have extensive experience in some of the most dynamic growth businesses, providing the Group with a solid and experienced leadership team that is well positioned to drive the achievement of OVHcloud’s strategic growth plan. 

At the end of August 2025, the Group employed almost 3,000 people in 15 different countries, representing more than 60 nationalities. Employee opinion surveys show a very high level of commitment, with a score of 7.2 and a decrease in the voluntary departure rate, which stood at 7.9% for 2025.

1.6Legislative and regulatory environment

1.6.1Legislation and regulations in the European Union

As a French cloud service provider, OVHcloud is subject to European regulations across a wide number of areas, including information technology (“IT”) services, cybersecurity, online content moderation and data protection. OVHcloud may also be subject to sectoral regulatory regimes applicable to certain customers and generally applicable regulations such as contract laws and consumer protection policies.

1.6.1.1Cybersecurity

OVHcloud is subject to European regulations aimed at strengthening cybersecurity across the European Union (the “EU”). Transposed into French law on 26 February 2018, Directive (EU) 2016/1148 of 9 July 2016 established requirements for cloud service providers with respect to network and information systems security. The French law(5) transposing Directive (EU) 2016/1148 classifies cloud service providers as digital service providers. As a digital service provider, OVHcloud must guarantee a level of information security adapted to the relevant risks and adopt appropriate organisational and technical measures. Any security incident having a significant impact on the provision of services must be declared to the French National Cybersecurity Agency (“ANSSI”). The French Prime Minister may also open investigations upon receiving information of non-compliance by the digital service provider with security obligations. Fines for non-compliance with security obligations range from €50,000 to €100,000.

The ANSSI has adopted security standards for cloud service providers(6). In particular, cloud companies must set up a security policy for information relating to the service and carry out a risk assessment covering the entire service. If applicable security standards are met, the ANSSI grants the “SecNumCloud” label certifying an enhanced level of security for the storage of sensitive information. In October 2022, the ANSSI extended OVHcloud’s “SecNumCloud” security visa for its Hosted Private Cloud until December 2023. For the protection of critical information systems, the ANSSI recommends that operators of essential services (e.g., gas supply companies, airline carriers, health institutions, banks) use security products and services with an ANSSI security visa.

The role of the European Union Agency for Cybersecurity (the “ENISA”) was strengthened by Regulation (EU) 2019/881 of 17 April 2019 (the “Cybersecurity Act”). The ENISA is tasked with establishing and maintaining a European-wide cybersecurity certification scheme applicable to cloud service providers, including a comprehensive set of rules, technical requirements, standards and procedures. In July 2020, the ENISA published a proposal that would enable cloud service providers to obtain certifications across the EU attesting to the level of security of their services.

In September 2022, the European Commission unveiled its proposed Cyber Resilience Act (“CRA”). This proposal fixes a series of general and organisational cybersecurity requirements for products containing digital elements (for example: software, hardware products, data processing). It aims to adopt a common base within the European Union to limit cyberattacks. The CRA applies differently to supply chain players: manufacturers, importers and distributors. The text is awaiting examination by the European Parliament and then by the Council of the European Union; during this procedure, which may take up to two years, the current text will most likely undergo certain changes. It is therefore still too early to comment on the impacts this text may have on OVHcloud.

1.6.1.2Data protection

As a provider of cloud and telecommunications services, OVHcloud processes, stores and transmits a substantial amount of personal data. As a result, OVHcloud must comply with a number of European regulations and national laws relating to personal data protection.

European Union – the General Data Protection Regulation (GDPR)

A cornerstone of personal data protection in the European Union since it came into force in May 2018, the GDPR has three main objectives: (i) to establish rules relating to the protection of individuals with regard to the processing of their personal data as well as rules relating to the free movement of such data, (ii) to strengthen the application of the regulation by providing a unified legal framework for organisations processing personal data, and finally (iii) to strengthen the responsibility of parties processing personal data (data controllers and processors) by requiring that processing and the tools/applications used be documented.

The GDPR places organisations under strict obligations in terms of information and transparency with regard to the personal data processing they carry out on their own behalf or on behalf of others.

It also confers a number of rights on data subjects with regard to the processing of their personal data, such as the right of access, the right to rectification and the right to erasure (“right to be forgotten”), giving them greater control over the use of their personal data.

The GDPR also requires organisations to implement appropriate technical and organisational security measures for the processing of personal data as soon as a new product or service is designed, in order to ensure that personal data security and confidentiality requirements are met (“Privacy by design”).

Lastly, the GDPR requires organisations responsible for processing personal data to notify the supervisory authority of any breach that is likely to result in a risk to the rights and freedoms of natural persons and data subjects.

Canada, Province of Quebec – An Act to modernise legislative provisions as regards the protection of personal information

Passed on 22 September 2021, the act to modernise legislative provisions as regards the protection of personal information, known as “Act 25”, makes major changes to the act respecting the protection of personal information in the private sector (“ARPPIPS”), giving citizens greater control over their personal data and making organisations more accountable for the way they manage this information. This act establishes new obligations and transparency rules for Quebec companies, such as the appointment of a Data Protection Officer, in order to establish governance policies and practices regarding personal information, conduct privacy impact assessments (PIAs), and respect the new rights granted to individuals with regard to their personal data, in particular the right to require that such information cease to be disseminated, or that it be re-indexed or de-indexed (the right to be forgotten) before being communicated outside Quebec, and ensure that technological products and services offered to the public have settings that provide the highest level of confidentiality by default.

The new responsibilities and requirements applicable to organisations processing personal data came into force progressively in September 2022, 2023 and 2024.

Compliance tools

In order to ensure compliance with applicable data protection regulations, OVHcloud has implemented a personal data management system based on the ISO 27701 standard.

OVHcloud also relies on the Cloud Infrastructure Service Providers in Europe (CISPE) Code of Conduct, with its certified Bare Metal Cloud and Hosted Private Cloud powered by VMWare offerings, to ensure and demonstrate the compliance of its IaaS activities.

1.6.1.3Free movement of non-personal data

Regulation (EU) 2018/1807 of 14 November 2018 (“Regulation on the free flow of non-personal data”) aims to ensure the free flow of non-personal data between EU Member States (the “Member States”) and IT systems in the EU. Non-personal data is either (i) data not linked to identified or identifiable natural persons, or (ii) anonymised personal data. This regulation enables the storage and processing of non-personal data anywhere in the EU, prohibits data localisation and ensures the availability of data for regulatory control.

The Regulation on the free flow of non-personal data also provides that the European Commission must encourage the development of self-regulatory codes of conduct to facilitate portability between service providers. To that end, OVHcloud participated in the drafting of two voluntary codes of conduct on switching cloud service providers and data portability through the working group on switching cloud providers and porting data (“SWIPO”). Published in July 2020, the codes of conduct for Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) provide guidance for cloud service providers and customers on switching cloud provider and porting non-personal data. The adoption of such codes of conduct aims to reduce the risks of vendor lock-in (i.e., situations where customers are dependent on a particular provider due to significant switching costs) by cloud service providers. It also provides guidance for customers on the transfer of non-personal data.

1.6.1.4Online content moderation

As a hosting service provider, OVHcloud must comply with a number of laws on content moderation, including those moderating terrorist content, child sexual abuse material and the infringement of intellectual property rights.

European legislation on digital services (Digital Services Act, “DSA”)

Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (“Digital Services Act”) entered into force on 18 November 2022. This new framework aims to harmonise the rules applicable in the different Member States of the European Union and replaces the framework adopted in 2000 with regard to liability of intermediaries in relation to illegal content while maintaining the fundamental principles of freedom of expression and freedom to provide services.

The regulation also establishes new obligations of due diligence and transparency for hosting services such as OVHcloud, both vis-à-vis the authorities and users, particularly on the processing of reports of illegal content. It also increases the level of penalties that can be imposed in the event of a breach of the obligations established by the regulation, with fines of up to 6% of the intermediary service provider’s global annual revenue. A certain number of measures are applicable on a deferred basis over the next two years and involve the adoption of texts at the national level. OVHcloud will carefully monitor their publication in order to comply with its obligations.

1.6.1.5Fight against anti-competitive practices on digital markets

European legislation on digital markets (Digital Markets Act, “DMA”)

Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (“Digital Markets Act”) aims to make the digital sector fairer and more competitive by introducing preventive measures for large digital companies as gatekeepers on the European market. In particular, the regulation provides for several obligations and prohibitions against gatekeeping online platforms and strengthens the sanctioning powers of the European Commission, which will be assisted by an advisory committee and a high-level group. So, for example, gatekeepers must allow users to easily uninstall pre-installed software on their devices and easily unsubscribe from an essential platform service such as a cloud service. Gatekeepers will no longer be able to impose software such as internet browsers or default search engines or reuse users’ personal data for the purpose of targeted advertising without their explicit consent.

Applicable from 2 May 2023, the companies concerned must report to the European Commission and ensure that they are compliant by March 2024 at the latest. The legislation gives the Commission the exclusive power to monitor compliance with their obligations, and imposes new sanctions, including a fine of up to 10% of the company’s total global revenue from the previous financial year.

The adoption of this new legislation is a positive step towards regulating the practices of the dominant digital players on the European market. However, its effectiveness will depend on the means that the European Commission devotes to ensuring compliance with it. OVHcloud will pay particular attention to the forthcoming details regarding the teams tasked with monitoring gatekeepers' compliance.

1.6.1.6Other applicable regulations and initiatives

Telecommunications sector

OVHcloud entities are telecommunications operators in four (4) Member States: Belgium, France, Germany and Spain. OVHcloud is subject to specific obligations when providing telecommunications services. Because the EU and its Member States have been regulating the telecommunications sector for many years, there are a variety of different implementing measures, guidelines and authorities across the EU. OVHcloud entities are also telecommunications operators in the United Kingdom and Switzerland, which have their own telecommunications regulations. The United Kingdom also implemented the requirements of the European Electronic Communications Code into its national regulatory framework prior to Brexit.

The Directive (EU) 2018/1972 of 11 December 2018 established the European Electronic Communications Code. Although this directive has not yet been transposed in all Member States where OVHcloud acts as an operator, several other directives applicable in the telecommunications sectors, such as Directives 2002/19/EC, 2002/20/EC, 2002/21/EC and 2002/22/EC of the European Parliament and of the Council, have been substantially amended. Directive 2018/1972 was transposed into French law in May 2021(7). The key objective of this European Electronic Communications Code is to create a comprehensive set of updated rules to regulate electronic communications and protect EU citizens when they communicate through traditional or web-based services, encourage competition between telecommunications operators, and ensure that national regulatory authorities are protected against external intervention or political pressure.

Health sector

As a cloud service provider, OVHcloud is subject to obligations when the Group provides services to organisations in the health sector. For example, French law requires health data hosting providers (i.e., any person hosting personal health data collected in the course of prevention, diagnosis, care or social and medical monitoring activities on behalf of natural or legal persons having produced or collected such data or on behalf of the patients themselves) to comply with specific obligations. Such obligations include obtaining proper certification or receiving prior approval from public authorities as per the French Public Health Code, and entering into an agreement with customers in the health sector, setting out the mandatory provisions prescribed by Article L. 1111-8 of the French Public Health Code. OVHcloud is also subject to the requirements of other jurisdictions in which it operates, such as Italy, Poland, Germany and the United Kingdom.

In 2016, OVHcloud obtained the “health data host” accreditation and, since 2018, the Group has operated a management system that allows several of its cloud offerings to comply with the requirements of this accreditation. In 2019, OVHcloud obtained the French HDS (hébergeur de données de santé – health data host) certification for its Hosted Private Cloud offering. In 2020, this certification was first extended to OVHcloud’s dedicated servers and then to OVHcloud’s Public Cloud offering and Trusted Exchange in 2021.

Financial sector

Companies in the financial sector (including credit institutions and investment firms) may also be subject to industry-specific obligations that may reflect on OVHcloud in the context of the provision of its services. In particular, in 2019, the European Banking Authority (“EBA”) issued “Recommendations on outsourcing to cloud service providers” applicable to outsourcing arrangements. These recommendations create obligations with respect to information systems security and audit rights for the outsourcing banks, which they must impose on their cloud service providers when using their services. OVHcloud aims to offer contractual conditions applicable to financial service operators that ensure that customers are able to implement an outsourcing policy which is compliant with the EBA’s recommendations and with local European regulations.

Financial service operators may also require OVHcloud to comply with specific national regulations. For instance, OVHcloud may have to comply with French regulations such as those of France’s banking and insurance supervisor, Autorité de contrôle prudentiel et de résolution (“ACPR”) on critical outsourced services such as banking operations. Companies outsourcing critical services must ensure that service providers guarantee the protection of confidential information, implement backup mechanisms in the event of significant difficulties affecting service continuity and provide the ACPR, in carrying out its duties, with access to critical outsourced information. With respect to internal procedures for managing information system security, the American Institute of Certified Public Accountants (“AICPA”) granted OVHcloud SOC I-II type 2 certifications.

With respect to hosting banking data and reducing card fraud, OVHcloud’s main Hosted Private Cloud offering is compliant with the Payment Card Industry Data Security Standard (“PCI DSS”). OVHcloud’s datacenters in France, Canada, the United Kingdom, Germany and Poland comply with PCI-DSS.

On 27 November 2022, the European Commission adopted a Digital Operational Resilience Act for the Financial Sector (“DORA”). Following a proposal by the 2020 European Commission, this regulation imposes a number of requirements on cloud outsourcing arrangements in the financial sector. The proposed regulation covers a broad range of regulated financial entities, including credit institutions (such as banks), central securities depositaries, insurance companies and certain fund managers, among others. It imposes a number of information and communications technology risk management requirements on these financial entities, some of which apply directly to outsourced cloud activities.

In particular, financial sector entities covered by the proposed regulation are required to take a number of steps to address risks in their relationships with third parties, such as cloud service providers, including ensuring that their cloud services contracts provide a full description of the services proposed with qualitative and quantitative performance targets, and include provisions governing integrity, security, personal data protection, recovery in case of failure, rights of inspection and audit, and termination provisions with clear exit strategies. The regulation proposes the approval of standardised contractual terms by the European Commission.

In addition, the regulation imposes a new oversight framework on critical third-party service providers (including cloud service providers), subjecting them to individual oversight plans adopted by the European financial regulatory bodies responsible for supervising banks, securities markets or insurance companies, depending on the sector primarily using the services of the relevant provider. The determination of which services are critical depends on their potential systemic impact, the dependence of financial entities on them for critical functions and the availability of alternatives. The oversight plan can impose requirements in areas such as security and quality, contractual terms, and subcontracting, with financial penalties imposed in case of non-compliance, up to 1% of the service provider’s global revenue in the most recent year. The oversight bodies have broad inspection and auditing rights and investigative powers. The adopted regulation also prohibits financial entities from using a service provider from a country outside the EU for critical cloud functions.

Environmental and industrial risks

Many of OVHcloud’s datacenters are located in former industrial buildings, some of which are classified as presenting environmental or other risks under applicable French legislation. OVHcloud’s datacenters outside of France may also be classified as presenting environmental risks under local regulations. In order to comply with applicable regulations, OVHcloud is sometimes required to submit applications and obtain operating licenses. OVHcloud may be required to take certain remedial measures as part of the application process.

Operating licenses are required in most countries where OVHcloud operates its datacenters. The regulations primarily concern air emissions, industrial waste management, water and effluent management, fire risk management and noise management.

1.6.2Legislation and regulations in the United States

OVHcloud has a subsidiary in the United States whose activities are completely separate from those of the other subsidiaries of the OVHcloud Group.

This subsidiary is also subject to US regulations applicable to cloud service providers at the local, state and federal levels. These regulations include those intended to enhance data privacy and security, as well as those that grant data access rights for national security purposes. In addition to state laws across the US that require notifying customers in the event of a data breach in which their personally identifiable information has been disclosed, the two main US regulations applicable to OVHcloud’s US subsidiary are the CLOUD Act (as defined below), which applies at the federal level, and the California Consumer Privacy Act, which applies at the state level in California.

A “Chinese wall” has been established to separate the activities of the US subsidiary from those of its other subsidiaries, preventing these regulations from applying to the non-US subsidiaries.

The Cloud Act

The United States Clarifying Lawful Overseas Use of Data Act (the “Cloud Act”) is a US federal law, effective since March 2018, which amended the Stored Communications Act of 1986 to permit US law enforcement authorities to access electronic information held by businesses that are subject to US personal jurisdiction, including cloud service providers, in connection with a criminal investigation. US law enforcement authorities may access such electronic information regardless of whether it is stored inside or outside of the United States.

The CLOUD Act also allows the US government to enter into data-access agreements with foreign states through which the participating states’ law enforcement authorities can request information held by businesses subject to the partner country’s jurisdiction. As of the date of this Universal Registration Document, the US government has entered into bilateral agreements with the United Kingdom and Australia pursuant to which US law enforcement officers can obtain electronic information stored by cloud companies subject to UK and Australian jurisdiction. UK and Australian law enforcement officers can likewise obtain electronic information stored by cloud companies subject to US jurisdiction, such as OVHcloud’s US subsidiary. It should be noted that at the time of writing this Universal Registration Document, no date for the entry into force of the bilateral agreement between the US and Australia has been made public.

OVHcloud will closely monitor any new decisions from the European Commission with respect to the US-UK bilateral agreement and will implement any additional technical and organisational measures that may be required. Additionally, OVHcloud does not currently host any customer data in the UK, unless such customer expressly chooses a service located in OVHcloud’s UK datacenter. Furthermore, the ability of OVHcloud’s UK-based team to access European customers’ data in European datacenters is restricted and controlled.

The US government may enter into agreements similar to the US-UK bilateral agreement with other countries, which may allow the US law enforcement authorities to access electronic information held by Group subsidiaries that are subject to such partner state’s jurisdiction, and for the partner state government to access electronic information held by OVHcloud’s US subsidiary. In particular, on 25 September 2019, the European Union and the United States entered into negotiations on a future treaty to facilitate access to digital evidence.

California Consumer Privacy Act

Since 1 January 2020, the California Consumer Privacy Act (the “CCPA”) has required businesses that process personal data of California residents to provide notices to these residents disclosing their privacy practices. The CCPA also grants customers resident in California the right to access or delete certain personal information collected by OVHcloud’s US subsidiary and gives them more control over the use and sale of their personal data. California residents who believe certain types of personal information have been used in violation of the CCPA would have the right to bring a legal claim against OVHcloud’s US subsidiary.

On 1 July 2023, the CCPA was amended by the entry into force of the California Privacy Rights Act (the “CPRA”), which, among other changes, expands customers’ rights surrounding certain sensitive personal data and creates a state agency for the implementation and enforcement of the CCPA and CPRA.

Virginia Consumer Data Privacy Act

Effective 1 January 2023, Virginia’s Consumer Data Privacy Act (the “CDPA”) grants Virginia residents additional control over their personal data, including the right to delete certain personal data collected by businesses, such as OVHcloud’s US subsidiary. They will also have the right to withhold their personal data from certain types of data processing.

1.7Group organisation

1.7.1Simplified organisational chart

Simplified organisational chart as of the date of this Universal Registration Document

The simplified organisational chart below shows the Company’s legal structure and its consolidated subsidiaries as of the date of this Universal Registration Document. The percentages indicated below represent the percentages of share capital. There has been no significant change in capital ownership since 31 August 2024.

1.7.2Subsidiaries and equity interests

Main subsidiaries

The Company’s main direct and indirect subsidiaries at the date of this Universal Registration Document are described below:

• OVH SAS is a French simplified joint stock company (société par actions simplifiée) having its registered office located at 2, rue Kellermann, 59100 Roubaix, France, and registered with the Lille Métropole Trade and Companies Registry under number 424 761 419. The Company directly holds 100% of the share capital and voting rights of OVH SAS. OVH SAS’ main businesses include datacenter hosting activities, the provision of cloud services, manufacturing of computers and peripheral devices, marketing activities and research and development;
• OVH Infrastructures Canada Inc. is a Canadian joint stock company (société par actions) having its registered office located at 50, rue de l’Aluminerie, Beauharnois Québec J6N0C2, Canada, and registered with Canada’s business registries under number 1167756403. The Company indirectly holds 100% of the share capital and voting rights of OVH Infrastructures Canada Inc., through its holding company OVH Canada Inc. OVH Infrastructures Canada Inc.’s main business involves datacenter hosting activities;
• OVH Holding US Inc. is an American joint stock company, registered under number 5103215, having its registered office located at 2915 Ogletown Road, Newark, DE, 19713, United States. The Company holds 100% of the capital and voting rights of the companies OVH US LLC, Datacenter Vint Hill LLC, Datacenter West Coast LLC and OVH Data US LLC whose principal activity is datacenter hosting.

Acquisitions during past periods

ForePaaS

On 21 April 2022, OVHcloud announced the acquisition of ForePaaS, the unified French platform specialising in “data analytics”, “machine learning” and artificial intelligence projects for companies. The ForePaaS teams’ 23 employees and its founders have joined the Group’s workforce to jointly build a family of solutions, which will actively contribute to the rollout of OVHcloud’s growth acceleration strategy through the enhancement of its Platform-as-a-Service (PaaS) offering.

gridscale

On 4 September 2023, for FY2024, OVHcloud announced the acquisition of 100% of the German company gridscale specialised in hyperconverged infrastructures. This acquisition is a strategic milestone in accelerating the Group’s geographical expansion by entering the high growth Edge Computing market.

Restructuring 

ForePaaS SAS was merged into OVH SAS with effect from 1 April 2024.

ForePaaS Inc., a subsidiary of ForePaaS SAS, was wound up on 30 August 2023.

BuyDRM was merged into NFA Group Inc. with effect from 6 October 2022.

Risk factors
and internal control

Central to its governance mechanism, OVHcloud's risk management system helps the Group achieve its strategic objectives while protecting its assets and reputation. It also helps to mobilise employees around a common approach to risk. OVHcloud is committed to regularly assessing risks and implementing internal controls and action plans to mitigate them.

2.1Risk factors /AFR/

2.1.1Risk management system   

Risk management system

The risk management system aims to identify, analyse and manage the main risks to which the Group is exposed. It contributes to the control and security of its activities, the effectiveness of its operations and the efficient use of resources.

This system comprises a series of processes aiming to identify, assess and prioritise risks, prevent and control them, promote a risk management culture, and monitor action plans to limit risks. It draws on the skills of the Group's employees, particularly in internal audit and compliance, and on external expertise where required.

CSR risks are covered in Chapter 3 – Sustainability Statement, which includes new CSRD-related requirements, of this Universal Registration Document.

Risk mapping

In 2020, the Group drew up a risk map, which was updated in 2022 and 2023. In 2025, risk mapping was revised with the new Chief Executive Officer, as part of the risk monitoring governance process. Certain risk levels and designations were adjusted.

Carried out across the Group and with the involvement of top management from all the Group's activities, the risk mapping process has made it possible to identify the main risks to which the Group is exposed and to assess their potential impact, taking into account their criticality and probability of occurrence. The Group's risk map also takes into account specific risk mapping exercises on topics such as cybersecurity and anti-corruption, and the monitoring of operational and emerging risks.

The most significant risks have been grouped into different families (strategy and markets, business, human resources, financial, regulatory and legal, information systems). For each risk, a description is provided of their causes and potential impact, as well as the actions taken to manage them.

Risk monitoring governance

Group management, the Board of Directors and the Audit Committee closely monitor risk management and define the most appropriate strategy.

One or more risk owners are appointed for each risk to complete the risk analysis, identify the actions and resources needed to mitigate the risk, and manage the corresponding action plans.

The relevance and progress of the action plans are monitored by members of the Group's Executive Committee, including the Chief Executive Officer, Chief Financial Officer and General Counsel, who review them on a quarterly basis. Risk mapping and action plans are presented annually to the Group's Audit Committee, and more frequently upon request.

2.1.2Main risks identified

Summary table of the main risks

The risk factors described in this section are, at the date of this Universal Registration Document, those which the Group considers are likely to have a material adverse effect on OVHcloud, its business, financial position, results or outlook. The list of risks presented in this chapter is not exhaustive; other risks that are unknown or that OVHcloud does not currently consider to be material could have such an adverse effect.

The risk categories are not presented in order of importance. However, within each category, the risks are presented according to a decreasing level of risk based on the assessment carried out for FY2025.

2.1.2.1Risks related to OVHcloud's strategy and markets

Risks related to international development

Description of the risk

As part of its growth strategy, OVHcloud is seeking to expand its revenue from other regions, including Europe (outside France), the United States and Asia (see Chapter 1 – Presentation of the Group, which describes the current breakdown of activities and development strategies).

OVHcloud may face significant challenges in its efforts to expand its international revenue. Outside its home market of France, OVHcloud has less brand recognition and does not benefit from the historical web hosting market leadership that it enjoys in France, reducing opportunities for cross-selling. Market dynamics and customer preferences in international markets are likely to be different from those of OVHcloud's traditional markets and local policies of economic patriotism can make it difficult to access new territories. Some of the markets that OVHcloud targets (such as the United States) are dominated by hyperscalers, and OVHcloud's expansion in these markets will depend on its ability to market tailored products to priority customer segments.

Even if OVHcloud is able to expand internationally, managing international operations requires a more structured organisation and greater resources than managing operations in OVHcloud's home market, which could increase OVHcloud's operating expenses, even if there is a not a corresponding increase in revenue generated from these new markets.

When opening up physical infrastructures and operations internationally, adjustments must be made to ensure that operations are compliant with local rules. Certain internal processes must also be adapted and this can sometimes slow down expansion or reduce the profitability of local operations. In addition, international expansion may be affected by local measures, such as customs duties, which could affect the ability to operate or the profitability of operations.

Lastly, OVHcloud could be faced with geopolitical tensions in certain countries or regions that would limit its ability to develop its commercial offering locally. Accordingly, OVHcloud might not meet its international expansion targets, and even if it does, there can be no assurance that the profitability of its expanded international operations will be satisfactory.

Management of the risk

The Group's international development strategy enables it to dilute country risk. To increase its capacity to develop in new regions, OVHcloud has developed several programmes and initiatives to limit the risks associated with its international expansion.

OVHcloud has created commercial clusters made up of local teams, who are experts in their regions with knowledge of local specificities, in order to define commercial or product offerings that are closely aligned with the expectations of local customers. Through this organisation, OVHcloud can also manage and anticipate any market changes, both by the end customer and by local public authorities. The existence of two production plants, in France and Canada, also dilutes the risk of customs measures.

The Group has also set up GEOS, a programme dedicated to assessing and monitoring projects to open new datacenters. This programme involves all the teams concerned by such projects in order to anticipate potential operational and regulatory obstacles. OVHcloud followed this process to open a datacenter in India in March 2023. In 2024, OVHcloud launched the Local Zone programme to accelerate its international expansion, setting up a process for scaling up the opening of these Local Zones (31 openings to be completed by the end of FY2025). In 2025, the Group announced the opening of a 3-AZ datacenter in Milan, Italy.

To ensure that the performance of its international operations is up to standard, OVHcloud is also continuing to roll out SAP and internal control, in order to harmonise its processes and centralise critical operations.

Risks related to acquisitions

Description of the risk

OVHcloud expects to make acquisitions in order to expand its service offering portfolio (particularly in the area of software platform services) and geographical footprint.

When OVHcloud makes acquisitions, the Group is exposed to the risk that they will not contribute to the implementation of its strategy, or that OVHcloud will receive an unsatisfactory return on its investment. There is also the risk that OVHcloud will have difficulties integrating and retaining new employees, new business systems and new technologies, or that the acquisition distracts management from OVHcloud's other activities. It may also take longer than expected to reap the full benefits from these transactions and arrangements, such as increased revenue or enhanced efficiencies, or the benefits may ultimately be less significant than OVHcloud expected. Such events could adversely affect OVHcloud's business, financial position and operating results.

Management of the risk

OVHcloud has strengthened the financial teams dedicated to acquisitions in order to improve the sourcing of potential acquisitions and structure the internal processes for approving targets, as was the case recently during the gridscale acquisition process. In order to limit the risk related to integrating acquisitions, dedicated teams from several departments are involved throughout the acquisition process to anticipate and monitor project developments. Regular reviews are conducted following the acquisition, in order to ensure that the integration process is running smoothly. OVHcloud has made several acquisitions in recent years, notably API.video in 2025, which has strengthened the processes while improving the expertise of teams to select and integrate the acquired companies and assets.

Risks related to product or service offerings in a competitive market

Description of the risk

The markets in which OVHcloud operates are rapidly evolving and highly competitive. In order to be competitive in these markets, OVHcloud must continually innovate and adapt its offerings to changing customer needs (see Chapter 1 – Presentation of the Group, which describes the strategy and the market).

OVHcloud believes the pace of innovation in cloud products and services should continue to accelerate, particularly in regard to artificial intelligence (AI). Customers are increasingly basing their purchases of cloud offerings on their needs for new and upgraded features that are expected to represent a significant proportion of future market growth. The future success of OVHcloud depends on its ability to continue to innovate in response to these demands and increasing customer adoption of its cloud offerings.

In addition, competition is intensifying in the markets in which OVHcloud operates. Many of OVHcloud's competitors are international cloud companies, including the so-called "hyperscalers" (Amazon Web Services, Google Cloud Platform and Microsoft Azure), as well as other established cloud providers such as IBM Cloud and, in Asia, Alibaba Cloud. In Europe, OVHcloud also competes against cloud specialists such as Hetzner, Leaseweb and iomart, and other emerging cloud providers. As OVHcloud expands its offering of software platforms, the Group will also compete to a greater degree with other companies in these markets, such as Salesforce, Oracle, IBM and SAP. New competitors are likely to continue to enter the market as it evolves.

Many of OVHcloud's competitors, particularly outside Europe and in the public cloud space, have greater brand awareness, larger customer bases, extremely aggressive business practices and greater financial, human and technical resources. These same competitors are likely to be able to respond more quickly than OVHcloud to new markets and developments in terms of technologies, standards, customer requirements and purchasing practices. The hyperscalers, in particular, are among the largest and best-known information technology companies in the world, with established relationships on a global, regional and local scale, and significant brand recognition. If OVHcloud is unable to compete effectively against the hyperscalers, its growth prospects could be adversely affected.

In addition, if OVHcloud is unable to enhance its cloud offerings to keep pace with market developments, or if competitors emerge that are able to deliver competitive offerings at lower prices, more efficiently, more conveniently or more securely than OVHcloud's cloud services, OVHcloud's business, financial position and operating results could be adversely affected.

Management of the risk

OVHcloud positions itself against its competitors on the basis of various factors, including: price, performance, multi-cloud and hybrid cloud trends, experience and customer support, scalability, reliability, data sovereignty, security, sustainable development, energy efficiency and compliance with existing standards.

OVHcloud actively monitors market developments and customer practices. The Group is looking to expand into new market segments by broadening its offering in line with customer needs, for example in artificial intelligence, quantum computing, cold storage and healthcare data storage.

In order to continue to offer new solutions and maintain its positioning, OVHcloud has an open development strategy. For example, the Group can use open source software and acquire new technological bricks by integrating companies such as ForePaaS and gridscale, acquired in 2022 and 2023 respectively. OVHcloud also has internal teams to develop its product roadmap and the Group can forge partnerships with recognised players in their fields if it considers that the products meet the standards expected by its customers. During the 2025 financial year, OVHcloud invested €163 million in research and development, as detailed in Note 4.10 of Chapter 5 of this Universal Registration Document, and the Group strengthened the structure for overseeing the implementation of its roadmap.

OVHcloud also has differentiating factors such as an integrated industrial production tool and dedicated research and development teams that enable it to quickly adapt its manufacturing and supply needs to support product changes.

Risks related to CSR matters

Description of the risk

Due to its business sector, geographical reach, and regulatory changes, the Group is exposed to increasingly significant CSR issues.

OVHcloud's physical sites could be exposed to climate change through various causes:

• occurrence of extreme natural disasters such as floods, earthquakes, extreme droughts, "giant" fires, landslides, cyclones or tsunamis;
• tightening of regulations on energy management (electricity), water use and product eco-design and building construction standards;
• occurrence of occasional or permanent shortages (water, electricity, etc.).

This risk is exacerbated by the acceleration of climate change. Large-scale or repetitive natural disasters could lead to exceptional situations of disruption to the external physical infrastructures and means of communication on which OVHcloud depends to carry out its business, and cause damage to the Group's infrastructures. OVHcloud may thus temporarily be unable to carry out its services according to the conditions defined by its contracts, potentially leading to the payment of financial compensation or additional operating charges. For example, the multiplication of heatwave events could increase the operating cost of the Group's cooling systems.

Climate change could also lead to shortages of raw materials, making them more expensive.

Climate change is also creating an increasingly complex regulatory environment in terms of environmental standards and social and environmental reporting, particularly with the implementation of the CSRD. Risks related to CSR issues are described in more detail in Chapter 3 – Sustainability Statement.

Management of the risk

OVHcloud has strengthened its CSR teams, both in the Strategy Department and in the operational departments, in order to manage CSR challenges. The Group has also strengthened its environmental reporting teams to comply with CSRD obligations, with the publication of its first sustainability report, which mobilised all CSR stakeholders, measured key indicators and implemented actions and targets.

OVHcloud continually invests in its research and development for environmental innovations (reduction of energy consumption or reduction of the need for natural resources such as water), enabling it to achieve industry-leading power usage effectiveness ratings and has committed to increasing renewable energy use.

Risks related to natural disasters are taken into account when working on business continuity plans. Site audits and insurance systems are also in place to manage this type of risk. External studies were carried out to map the level of exposure to natural hazards at each of the Group's sites. A summary of this work was presented to the risk monitoring governance body and action plans were drawn up for each site. OVHcloud continues to incorporate the following elements into its operations, through the "hyper-resilience" programme (see “Risks related to an incident on OVHcloud's physical infrastructures”).

2.1.2.2Risks related to OVHcloud's business

Risks related to an incident on OVHcloud's physical infrastructures

Description of the risk

Like any industrial activity, the production and operation of datacenters generates risks related to physical infrastructures. For example, OVHcloud is exposed to electrical, fire and building safety risks, which can have an impact on the service provided to customers and on operating costs.

OVHcloud's strategy is to repurpose existing industrial buildings in the area for its activities. This strategy enables it to both control construction costs and reduce its environmental footprint. Depending on the age of these buildings, the industry of the former occupant and the industries of neighbouring facilities, some of OVHcloud's centres and facilities may have existing structural and environmental defects that may present safety and compliance risks or require OVHcloud to spend significant amounts on remedying the situation.

OVHcloud is required to obtain operating permits from competent local governmental authorities in order to commence operations. This administrative process requires significant ongoing oversight, which can lead to additional prevention and protection requests on top of the initially applicable legislation. To date, the Group has not been subject to any administrative sanctions resulting in the shutdown of its datacenters.

OVHcloud's datacenters could also be affected by destructive natural events that impact the Group's business (see “Risks related to CSR matters”).

OVHcloud relies on access to sufficient and reliable electricity, water, internet, telecommunications and fibre optic networks to successfully operate its business. In addition, OVHcloud's proprietary watercooling system for its servers requires it to have access to supplies of water at its datacenters. Any service outage could result in OVHcloud not being able to provide customers with its cloud offerings at adequate performance levels, or at all. In addition, OVHcloud may be exposed to a risk of electricity shedding in certain countries that could lead to a temporary service outage. Any service outage could result in OVHcloud not being able to provide customers with its cloud offerings at adequate performance levels.

Lastly, OVHcloud has been, and may be in the future, subject to disputes in relation to the state of its facilities or nuisances (such as noise and heat) generated by such facilities, resulting in additional costs.

Although OVHcloud's policy is to seek to remedy any risks that are identified, doing so could be costly and time-consuming, and failure to make necessary repairs and to complete any other required work could damage OVHcloud's reputation, subject it to liability and disrupt its business.

Management of the risk

OVHcloud commissions environmental and safety audits at its existing sites, and before acquiring sites for datacenters. More generally, OVHcloud carries out reviews of facilities with its insurers in order to prevent potential risks in advance. In 2025, OVHcloud also continued the process of mapping risks by site.

Following the Strasbourg fire, OVHcloud implemented a "hyper resilience" plan in order, inter alia, to strengthen security standards in its datacenters based on market standards, beyond the regulatory standards and insurers' recommendations.

The Group has developed operating and safety procedures for all its sites, and is developing mechanisms for evaluating and improving these rules. For example, the datacenters have 24/7 physical security, a highly regulated and controlled access policy, and dedicated anti-intrusion systems.

The Group also draws up business continuity plans in order to maintain operations. OVHcloud has put in place several redundancy measures that can be activated in the event of power outages, such as multiple electricity delivery points in its datacenters or on-site generators. Thanks in particular to its watercooling model, OVHcloud is constantly trying to reduce its electricity and water consumption. In the same way, since watercooling is carried out in a closed circuit, OVHcloud consumes much less water for the operation of its datacenters than a traditional datacenter cooled by an air conditioning system.

Lastly, OVHcloud takes its sites' surroundings into account by developing relationships with local authorities, neighbouring populations and security forces. In 2023, OVHcloud closed its Paris datacenter and migrated its services to another site, in order to minimise the risk of disputes with neighbouring populations and improve the security of its operations.

Risks related to Supply Chain

Description of the risk

OVHcloud could be exposed to the failure of a key supplier or to difficulties in sourcing key components. OVHcloud's servers use components from major manufacturers in a global market that is experiencing shortages and delays, although this risk has decreased compared to 2022 and 2023.

The Group could experience disruptions in its supply chains, for example related to a resurgence of COVID-19, geopolitical tensions, or climate change, or even due to custom measures, which would impact server production and datacenter operations. Despite regular, high-level contacts, the size of OVHcloud on the global market limits its ability to sign comprehensive delivery agreements.

OVHcloud's supply risks also relate to the Group's ability to access the best-performing software solutions on the market, which are at least equivalent to those of its main competitors, particularly the hyperscalers. OVHcloud solutions rely on third-party software. If there are vulnerabilities in this underlying software, or if the software ceases to be available to OVHcloud, the Group could see its customers turn to competing offerings.

Management of the risk

Thanks to its vertically integrated model, OVHcloud can control the entire value chain. OVHcloud builds up safety stocks and may use several distribution channels in order to be able to withstand temporary disruptions, or customs measures that could impact its production and operating costs. For example, in 2025, the Group carried out impact assessments linked to changes in customs regulations and geopolitical tensions, and worked with its suppliers to adapt the countries of origin of its components in order to reduce the risk of disruption and cost inflation.

In addition, OVHcloud has a recycling policy based on a logistics chain and can reuse some components and equipment. OVHcloud recovers the components from equipment considered to be at the end of its life, conducts tests on them and then reuses those that it believes could be used on another product range, generally with less demanding performance criteria.

Thanks to its model, OVHcloud can also plan and anticipate certain orders, guaranteeing the Company flexibility. Lastly, the purchasing teams continue to develop commercial relationships with OVHcloud’s suppliers in order to negotiate supply contracts at the global level, particularly for components enabling OVHcloud to generate growth in high-potential markets such as artificial intelligence.

In 2024, OVHcloud drew up a list of strategic suppliers and carried out risk analyses in relation to them, covering both the location of suppliers' production plants and contractual risks. The Group analyses the financial health of its main suppliers and the risk of economic dependence in order to prevent any potential imbalances. In 2025, tools to support these economic and environmental control processes for suppliers were further improved.

Risks related to the quality of service level provided to customers

Description of the risk

OVHcloud continually works to offer a wide range of services, the best customer experience and the highest quality customer support.

OVHcloud typically commits to its customers in its contracts that its platform will maintain a minimum level of availability. For example, OVHcloud undertakes to maintain a service level of 99.9% availability for the Premier offerings in the Hosted Private Cloud segment. In its Public Cloud offerings, OVHcloud commits to maximum recovery times in case of outages. If these outages are caused by a problem outside of OVHcloud's control, it could be difficult for OVHcloud to meet its SLA commitments. Although OVHcloud considers that it has put in place adequate safeguard measures depending on the services subscribed, these may prove insufficient to prevent a service outage.

Additionally, OVHcloud may face costs associated with repairing such service disruption or retaining customers. All of the above consequences could have a negative impact on OVHcloud's business, financial position and operating results.

Management of the risk

OVHcloud continually improves the quality of services provided to its customers and puts customer satisfaction at the heart of its policy. This strategy has proven successful, with OVHcloud's net retention rate reaching 105% in 2025.

OVHcloud evaluates the experience provided to its customers through satisfaction surveys.

In addition, OVHcloud continually steps up its quality processes and systematically carries out analyses following any significant incidents it encounters, as part of its continuous improvement process.

In order to be able to intervene as quickly as possible in the event of a breakdown or in response to customer requests, OVHcloud has organised its technical support to be available 24 hours a day, seven days a week.

In the datacenters, operational teams are formed and trained to carry out continuous server installation and maintenance. The "Control Tower" and "NOC (Network Operating Centre)" teams provide centralised monitoring of the services offered and coordinate the handling of incidents. Lastly, the Group has also structured its continuity and crisis management plans so as to be able to mobilise critical resources internally.

2.1.2.3Human resources risks

Risks related to the recruitment, integration, development and retention of human resources

Description of the risk

In order to operate its business, it is important for OVHcloud to attract highly skilled and international personnel, particularly engineers with expertise in software development, coding and artificial intelligence. The marketplace is highly competitive and qualified IT personnel are in high demand, which may make OVHcloud's recruitment and retention efforts challenging.

At 31 August 2025, OVHcloud employed almost 3,000 people, and could be faced with the departure of key people within its organisation, or a shortage of cutting-edge technical skills to respond to market developments.

If OVHcloud's company culture changes or is perceived negatively, or if OVHcloud is unable to develop its employer brand or internal talent, the Group could experience difficulties attracting, integrating and retaining personnel. OVHcloud may not be able to achieve its commercial targets, and its business, revenue and financial results may suffer.

Management of the risk

OVHcloud, through its positioning as a European cloud leader and defender of European sovereignty and its growth profile, offers a unique value proposition for many recruits. In addition, the Group benefits from a broadening pool of potential new talent thanks to its continuous international development.

In order to limit recruitment difficulties, OVHcloud has a strong employer brand, which is developing in France and internationally, and an internal recruitment agency that can source candidates with the right skills at the right time. OVHcloud has set up an onboarding process that creates links between new recruits from their very first days at OVHcloud and helps ensure their buy-in for OVHcloud's corporate culture.

OVHcloud is particularly attentive to adapting working conditions, employee loyalty and the training offered. Human resources processes have been developed to support people within the Company, with monitoring of employee engagement, career development and continuous training programmes, particularly concerning artificial intelligence. OVHcloud has introduced measures to drive employee loyalty, including measures to improve working conditions and retain key people.

For the skills most at risk, a mapping of human resources tensions has been drawn up, in order to closely monitor the development of key people.

Safety risks related to physical and mental health

Description of the risk

OVHcloud is exposed to risks related to the safety of employees at its industrial facilities and offices. Risks faced by the Group include:

• physical risks that could lead to work-related accidents in its offices or at its operational sites;
• mental health risks, for example as a result of an excessive workload or a particularly stressful situation.

Management of the risk

The Group has created a "Quality, Environmental, Health and Safety" (QEHS) team dedicated to these topics. As well as offering personal protective equipment in its datacenters and stepping up its guidelines and internal controls, the Group is carrying out a workstation risk assessment at the majority of its sites, with the aim of setting up safe working standards for its employees. The Group continually strengthens its safety standards for all its sites. Internal and external audits are carried out to check that such standards are complied with.

The risk assessment also takes mental health risks into account, and the Company has implemented several measures such as psychosocial audits, mental health risk mapping and an alert tool. Employee surveys are carried out regularly in order to act on any weaknesses that may be identified.

2.1.2.4Financial risks

Risks related to liquidity

Description of the risk

Liquidity risk is the risk of OVHcloud not having the necessary funds to meet its commitments when they fall due. In a situation of stress on the credit market, the Group may not be able to obtain the financing or refinancing necessary to implement its growth plan, which could have a negative effect on OVHcloud's business, operating results, outlook and/or financial position.

Management of the risk

The Group ensures it has sufficient liquidity to meet its financial commitments and finance its development plan. In 2025, following the global refinancing of its debt, OVHcloud strengthened its financial structure, in particular through an inaugural €500 million senior bond issue at a fixed rate of 4.75% maturing in 2031 and a €450 million green loan maturing in 2030. These transactions enabled the Group to extend the average maturity of its debt and diversify its sources of financing.

In addition, OVHcloud has an undrawn multi-purpose credit facility for €200 million maturing in 2030, which provides additional flexibility to cover its liquidity needs.

Thus, following these transactions and at the end of the 2025 financial year, OVHcloud’s net debt leverage reached 2.7x its adjusted EBITDA. This level is well below the existing covenants in the Group’s credit agreements and in line with Group policy.

Risks related to inflation, foreign exchange rates and interest rates

Description of the risk

OVHcloud's profitability could be affected by a number of external factors, including inflation and changes in exchange and interest rates.

In an inflationary economic context, OVHcloud could suffer direct negative effects on its financial profile and decreasing margins. OVHcloud is particularly exposed to further increases in electricity and component costs. The Group may not be able to pass significant price increases on to its customers to cover the widespread increase in its cost base.

OVHcloud's financial statements are presented in euros, while a portion of its income, expenses, assets and liabilities are denominated in other currencies, exposing OVHcloud's operating results and financial position to foreign exchange risk. In FY2025, approximately 30% of OVHcloud's revenue was generated in currencies other than the euro, primarily in US dollars, and to a lesser extent in Canadian dollars, in pound sterling and Polish zloty. In addition, a significant portion of OVHcloud's capital expenditure (mainly for server components) is incurred in US dollars. Unfavourable movements in exchange rates would nonetheless adversely impact OVHcloud's operating results. For example, without a hedging mechanism, an adverse change of 10% in exchange rates would have a negative impact of approximately €29 million on OVHcloud's revenue.

Lastly, the Group has taken out loans bearing interest at variable rates, which exposes OVHcloud to the risk of a deterioration in its operating results if the interest rate increases and OVHcloud is not able to successfully hedge its exposure.

Management of the risk

In order to limit the risks posed by currency and interest rate fluctuations, OVHcloud uses hedging instruments. For example, forward purchases of US dollars are regularly made to hedge future expenses in this currency over the next 12 months.

In addition, at 31 August 2025, all of the Group's debt was hedged at fixed rates in order to limit the risks associated with changes in interest rates.

In order to protect against the risk of inflation, the Group continues to improve its purchasing policy and logistics strategy in order to offset potential increases, for example by seeking to diversify and anticipate its supplies (see “Risks related to Supply Chain”). OVHcloud also has a proactive strategy regarding its electricity costs. As a result, the coverage rate is almost 95% for the 2025 calendar year.

Risks related to fraud

Description of the risk

OVHcloud could be the victim of external or internal fraud that could have a negative impact on the Company's financial results, the quality of its services or its reputation. This potential fraud could be a wilful act, inappropriate use of the Group's assets or failure to comply with laws or regulations, by an employee, business contact or customer.

Management of the risk

OVHcloud is implementing internal control procedures, which are reviewed by external auditors. Validation circuits have been set up to control and monitor transactions that may present risks (payments, credit notes, expense claims, stock management, etc.). The Internal Audit team systematically includes the risk of fraud in its audits and ensures that recommendations are implemented in the event of a risk of fraud. Information was also shared internally on new fraud risks linked to artificial intelligence.

With regard to customer fraud, a team is responsible for monitoring and anticipating potential customer payment fraud and misuse of OVHcloud services.

Lastly, OVHcloud has set up an internal whistleblowing procedure that enables any Group employee or external employee, to report, anonymously if they so wish, any inappropriate or illegal behaviour, including behaviour constituting fraud or attempted fraud.

Risks related to tax management

Description of the risk

Due to its international footprint and expansion, the Group is subject to complex and evolving tax legislation. OVHcloud determines the amount of taxes it is required to pay based on its interpretation of applicable treaties, laws and regulations in the jurisdictions in which it operates, which may be subject to different interpretations in the various countries in which it operates (in particular with respect to transfer pricing, sales taxes, VAT and similar taxes). The tax and social security regimes applied to OVHcloud's business activities and past or future reorganisations are or may be interpreted by the relevant French or foreign authorities in a manner that is different from the assumptions used by OVHcloud in structuring such activities and transactions. OVHcloud therefore cannot guarantee that the competent tax authorities will agree with its interpretation of the applicable legislation in their respective jurisdictions. Furthermore, tax laws and regulations or other compulsory levies and their interpretation and application by the jurisdictions or authorities involved may change, in particular in the context of joint initiatives taken at international or EU level, which could increase the Group's tax burden.

Moreover, several countries have implemented a tax on digital services, demonstrating the global trend of rapid and unpredictable changes in tax legislation (or a broader interpretation of existing legislation) applicable to certain of the Group's operations. Because the scope of application of these taxes differs between countries, OVHcloud is not affected by all of them. New or revised regulations may subject the Group or its customers to additional taxes. OVHcloud cannot predict the effect of such initiatives. New taxes or changes to existing taxes could also increase the cost of doing business and the Group's internal costs.

Any of the above-mentioned events could adversely affect the Group's business, operating results, prospects and/or financial position.

Management of the risk

OVHcloud and its legal tax teams ensure that they comply with the tax laws in the jurisdictions in which the Group operates. OVHcloud can be assisted by an external consulting firm when necessary.

Tax policy

OVHcloud's tax policy provides that the Group undertakes to apply the laws, regulations and tax treaties in force in all the countries in which it operates.

In line with its values and ethical principles, as well as its requirements in terms of social responsibility, the Group:

• conducts its operations in accordance with their economic reality;
• refuses any artificial transfer of profits and value created by its activities to low-tax countries;
• ensures that all transactions between Group companies are carried out at the market price, i.e., the "arm's length price";
• refuses any aggressive tax planning and the use of artificial structures located in "tax havens";
• cooperates with local tax authorities during tax audits.

OVHcloud does not engage in any transactions with the aim of evading the payment of tax. The Group is in the process of compiling all of these actions and provisions into a formal tax policy.

2.1.2.5Legal and compliance risks

Risks related to failure to comply with certain laws and regulations and their developments

Overview of regulations applicable to the Group

The Group's activities are subject to various regulations in the countries in which it operates. The Group is thus subject to legislation that applies to any company (trade rules, intellectual property rights, personal data protection, tax rules, etc.), but also to regulations that are more specific to its stature and activity (stock market law, Sapin II law, electronic communications, cybersecurity, liability of technical intermediaries, data sovereignty, obligations to cooperate with the authorities, etc.). Some of these regulations have an impact on the Group's strategic ambitions, particularly in terms of digital sovereignty.

These regulations may also be subject to change. In particular, significant restructuring and expansion of the regulatory framework has been under way for several years in the digital sector in which the Group operates.

For example, the following is a non-exhaustive list of European and international texts whose provisions could have an impact on OVHcloud's operations:

• security and anti-terrorism regulations:
  • the 2016 European directive on measures for a high common level of security for networks and information systems across the European Union (the "EU") (directive (EU) 2016/1148), transposed into French law on 26 February 2018, and imposing cybersecurity protection requirements,
  • the European Digital Operational Resilience Act ("DORA") for the financial sector, which provides a framework for cloud outsourcing arrangements in the financial sector,
  • international economic sanctions imposed by the UN or the European Union, which may prohibit the Group from having any economic relationship with sanctioned persons;
• regulations in the field of electronic communications:
  • the draft "CSAM" (child sexual abuse material) regulation submitted by the European Commission in May 2022, which aims to better combat child abuse online and could give rise to new obligations for OVHcloud in this area, it being specified that OVHcloud is already subject to the 2004 French law on confidence in the digital economy,
  • the regulation on an internal market for digital services (commonly known as the "Digital Services Act" or DSA), adopted on 4 October 2022, which reinforces obligations in terms of how illegal or dangerous content is handled;
• regulations to improve competition in the digital sector:
  • the European regulation commonly known as the “Digital Markets Act” (DMA), which was adopted on 14 September 2022 and sets a binding framework in favour of European innovation, in particular through competition and interoperability rules for the major platforms considered to be “gatekeepers”; OVHcloud is not currently a gatekeeper, but could be in the future,
  • the European data regulation ("Data Act"), adopted on 11 January 2024, which aims to strengthen the single data market by improving competition in the cloud market. Several provisions of the regulation have been included in the French law to secure and regulate the digital environment (the "SREN" act) adopted on 21 May 2024;

• data regulations:
  • the European regulation known as the "Data Governance Act" (DGA), which was adopted in July 2022 and provides a framework for the use of data held by public authorities. As such authorities are customers of OVHcloud, it may be indirectly impacted,
  • the European General Data Protection Regulation ("GDPR") of 27 April 2016, which governs the processing of personal data of EU residents. The GDPR affects both OVHcloud and its customers;

• regulations in the field of artificial intelligence:
  • the European regulation on artificial intelligence, known as the "AI Act", adopted on 13 June 2024, which sets the framework for the development, marketing, commissioning and use of artificial intelligence systems in the European Union. The aim of this regulation is to promote the adoption of artificial intelligence (AI) within the EU, while guaranteeing the safety of goods and people, the protection of the EU's founding principles, in particular the protection of people's fundamental rights (such as the protection of privacy and personal data, non-discrimination, transparency and accountability) and respect for European democratic values. The regulation has gradually been coming into force since 2 February 2025. It will apply in full from 2 August 2027.

Description of the risk

The Group must identify and adapt to the rules that apply to it, in order to comply with them and continue to develop its business. It must also detect any failures to comply so that they can be rectified quickly. The Group must also anticipate changes in these rules in order to adapt to them as effectively as possible.

Insufficient knowledge of local regulations, or a lack of methodology for monitoring changes in these regulations, would have a significant impact on the Group. It could jeopardise its ability to comply with the law, exposing it to operational and financial risks. It could also weaken its competitive position and damage its image.

In addition, certain non-European regulations with extraterritorial scope are likely to conflict with European legislation applicable to the Group, in particular personal data protection legislation. For example, the US “CLOUD Act”, which was signed into law in March 2018, allows US law enforcement to access information held or controlled by cloud service providers subject to US jurisdiction, even if that information is located outside the United States.

Management of the risk

OVHcloud's internal organisation allows it to stay abreast of applicable regulations and any changes thereto, and therefore to anticipate and mitigate the risks related to failures to comply. This organisation relies, in particular, on the Legal Department, the Data Protection Officer (DPO) and the teams in charge of legal compliance, who are supported where necessary by local experts and actively monitor legislation. The public affairs team also plays an important role, identifying legislative processes that could affect the Group at an early stage and endeavouring to make the Group's constraints known so that they are taken into account in these processes. In addition, the Group commissions external audits to ensure compliance.

OVHcloud also ensures that it remains beyond the reach of non-European regulations with extraterritorial scope that are likely to conflict with European legislation, particularly with regard to personal data protection. To this end, OVHcloud has adopted various procedures. For example, data hosted by OVHcloud's European datacenters cannot be accessed by employees based outside the European Union or employed by its US subsidiary.

In addition, OVHcloud's customer agreements include contractual provisions stipulating that customers are responsible for the regulatory compliance of their data and their activity. OVHcloud has no need to access the data entrusted to it by its customers, except in the limited cases in which the law requires it to do so in order to combat illegal content.

OVHcloud also has internal procedures for checking the identity of its customers and suppliers, in order to avoid entering into business relationships with people subject to international sanctions.

However, OVHcloud cannot be certain that its procedures or contractual protections will be fully effective, with the result that it may inadvertently breach certain regulations or identify changes in legislation too late. Similarly, the Group cannot guarantee that new laws or regulations would not jeopardise its operations. Any such breach could give rise to monetary penalties that could have a significant impact on the Group's financial position. In addition, any actual or reported violation of regulations could impact OVHcloud's reputation.

Specific focus on data sovereignty

As a European cloud service provider and thanks to the organisation it has set up, OVHcloud considers that it can offer European customers the assurance that the data entrusted to it are not accessible by foreign authorities and in particular US law enforcement authorities. In particular, OVHcloud believes that data stored on its servers (other than those of its US subsidiary) may not be obtained by US authorities under the CLOUD Act, unlike data stored on servers directly or indirectly controlled by competitors that are subject to US jurisdiction. This guarantee enables customers to limit their data protection and privacy compliance risk.

Surveys conducted by OVHcloud have shown that data sovereignty is becoming more significant for its customers' decision-makers, but that it remains less of a priority than other factors such as performance and price. Moreover, Group competitors could structure their operations so as to be able to provide assurances regarding the protection of data, in which case OVHcloud's competitive advantage could be less significant than anticipated. For example, Microsoft and Orange have announced a partnership which aims to propose a data sovereign cloud solution that, if successful, could increase competitive pressure on OVHcloud.

In order to limit the risk related to the CLOUD Act, OVHcloud has strictly separated its US operations from the rest of the Group, with differentiated legal and technical organisations. For example, US employees do not have access to customer data located outside the datacenters based in the United States.

Moreover, OVHcloud's customers may also become subject to new tax obligations. If OVHcloud's customers are unable to comply with such regulations or if they determine that compliance is too costly, their businesses and financial position may be adversely affected, and they may choose to reduce or to eliminate activities that rely on OVHcloud's services.

Risks related to intellectual property

Description of the risk

To safeguard its business, OVHcloud must protect its technology and image, in particular through trademarks, domain names, trade secrets, patents, copyrights, contractual restrictions and other intellectual property rights and confidentiality procedures. Despite OVHcloud's efforts to implement these protections, they may not sufficiently protect OVHcloud's business nor provide it with a competitive advantage for a variety of reasons, including:

• the failure of OVHcloud to obtain patents and other intellectual property rights for important innovations or to maintain appropriate confidentiality and other protective measures to establish and maintain its trade secrets;
• uncertainty and changes in legal standards relating to the validity, enforceability and scope of protection of intellectual property rights;
• potential invalidation of OVHcloud's intellectual property rights through administrative processes or litigation;
• third-party commercial strategies consisting of launching unfounded but very costly disputes;
• any inability by OVHcloud to detect infringement or other misappropriation of its intellectual property rights by third parties; and
• other practical, resource or business limitations on its ability to enforce its rights.

In addition, the laws of certain countries may not provide the same level of protection as the laws in France on corporate proprietary information and rights, such as intellectual property, trade secrets and know-how. OVHcloud may also be exposed to material risks of illicit use or theft or unauthorised reverse engineering of its data and other intellectual property. Moreover, if OVHcloud is unable to prevent the disclosure of its trade secrets to third parties, or if its competitors independently develop any of its trade secrets, the Group may not be able to establish or maintain a competitive advantage in the market, which could seriously harm its business.

Litigation may be necessary to enforce OVHcloud's intellectual property or proprietary rights, protect its trade secrets or determine the validity and scope of proprietary rights claimed by others. Any litigation, whether or not resolved in OVHcloud's favour, could result in significant expenses for OVHcloud, divert the efforts of its technical and management personnel and result in counter claims with respect to infringement of intellectual property rights by OVHcloud.

Management of the risk

OVHcloud's internal organisation enables it to mitigate the risks related to the protection of its intellectual property rights or the infringement of these rights.

In this context, it has a legal team dedicated to the protection of its intangible assets, which relies on specialised law firms around the world. In addition, OVHcloud has implemented an ambitious patent filing strategy at the Group level and in several territories that is both defensive and proactive, and held 210 patent families at 31 August 2025. To ensure full and unencumbered use of its patents, the Group has also entered into immunity agreements, either indirectly via associations or directly with holders of other patents. Under the terms of these agreements, the patent holders undertake to hold OVHcloud harmless against any claims from third parties who may acquire their patents, for the entire duration of these patents. This ensures that the Group is not exposed to claims by third parties acting in bad faith who acquire patents at the end of their life at a low cost in order to file unfounded claims.

Risks related to governance and related parties

Description of the risk

OVHcloud's rapid and continuing growth, both in terms of revenue and geographical expansion, is making the management of the Group's operations and governance more complex. In this context, the Group may not have put in place the key elements of governance and control required to manage its operations and avoid potential conflicts of interest.

Management of the risk

OVHcloud has formalised its key elements of corporate governance (see Chapter 4 – Corporate governance).

In addition, a new committee called the Related Parties Committee was set up in July 2024. It comprises the Chairman of the Board and at least three independent directors (including the lead director), and the Chief Executive Officer may be invited to attend its meetings. The Related Parties Committee may be asked by the Chairman, the lead director or the Chief Executive Officer to give an advisory opinion on situations of potential conflicts of interest for related activities. The operating procedures of this committee are set out in the Board of Directors' internal regulations (see Chapter 4 – Corporate governance).

It has also set up regular reviews of the key elements of its subsidiaries' governance, in parallel with the structuring of the Group's internal control system, which helps to harmonise practices and clarify the operational governance of its activities.

OVHcloud has entered into, and may continue to enter into, certain related-party agreements

Certain executives and/or shareholders may hold interests in companies that are also OVHcloud's business partners and may therefore be considered related parties. In particular, OVHcloud has entered into various agreements with companies controlled by Octave Klaba, founder of the Group and current Chairman of its Board of Directors, and members of Octave Klaba's family who are direct or indirect shareholders of the Group. The Klaba family currently controls the Group.

OVHcloud obtains metal components for the manufacturing of its servers from AixMétal, in the areas of research and development (such as prototype launches), mass production (such as for the production of servers) and the manufacture of finished or semi-finished products for datacenters. AixMétal is controlled by members of the Klaba family. The premises of OVHcloud's server manufacturing facility, datacenter and headquarters located in Roubaix, France, are owned by companies controlled by the Klaba family and leased to OVHcloud.

Although OVHcloud believes that all such arrangements have been negotiated on an arm's length basis and use commercially reasonable terms, the Group has not obtained proposals for these arrangements from unrelated parties. In addition, OVHcloud's operational flexibility to modify or implement changes with respect to the description or pricing of services provided by related parties may be limited: if an agreement with a related party is terminated, there could be disruptions upon transition, and there can be no assurance that OVHcloud will be able to obtain the same products at the same or a lower cost. In particular, if OVHcloud experiences difficulties with the metal components supplied by AixMétal, it could be difficult and take a long time to find an alternative supplier able to produce similar components under equivalent conditions. Such a situation could impact OVHcloud's ability to manufacture and deploy new servers as rapidly as it has done in the past, potentially affecting its ability to meet the needs of its customers.

In addition, OVHcloud is the main cloud service provider for Shadow (representing approximately 1.9% of OVHcloud's FY2025 revenue) and Qwant (representing approximately 0.1% of OVHcloud's FY2025 revenue), which are controlled by members of the Klaba family. The revenue from contracts signed with Shadow and Qwant is significant for OVHcloud and, as for all of its customers, OVHcloud cannot guarantee that this revenue will be generated on a permanent basis beyond the contractual commitments in force. Similarly, the capital expenditure generated by these contracts is significant, and their premature interruption would affect the expected return on investment.

Related-party agreements are drawn up with the assistance of the Group's Legal, Finance and Purchasing Departments, which endeavour to ensure that the price, services and contractual terms covered by the agreements are comparable to prevailing market practices for equivalent business volumes.

OVHcloud assesses the notion of a routine transaction with regard to compliance with the corporate purpose of the company in question and the nature of the transaction. Repetition and/or habit constitute a presumption that the transaction is routine, but are not in themselves decisive. In this context, OVHcloud has drawn up a charter on routine and regulated agreements in order to clarify the methodology applied internally to classify the various agreements entered into between OVHcloud and its related parties. This charter details the procedure for regularly assessing routine agreements.

These agreements are therefore subject to the rules of approval provided for by the applicable French law, as well as to OVHcloud's internal rules of approval (approval by the Related Parties Committee, the Executive Committee and, where applicable, by the Board of Directors). Related-party agreements are also reviewed every six months by the Audit Committee.

However, it cannot be guaranteed that, individually or as a whole, these agreements have been entered into under conditions similar to those that OVHcloud could obtain from unrelated parties.

2.1.2.6Risks related to information systems

Risks related to the outage of an internal IT system or tool

Description of the risk

OVHcloud may be faced with internal or external service outages for various reasons, such as a malicious act, an infrastructure or application problem, an insufficient level of security or the loss of connection to the network.

Limitations in the performance of its infrastructure or network could therefore leave OVHcloud unable to operate its internal information system, resulting in a partial or total service outage for its customers. Business continuity and recovery plans may not be sufficient to ensure the expected level of service for customers and internal operations.

Despite OVHcloud's ongoing testing of products and platforms, cloud offerings and internal systems could contain coding or configuration errors that can impact the functions, performance and security of its solutions and result in negative consequences. Detecting and correcting any errors can be time-consuming and costly. Errors are likely to affect their ability to function properly, integrate or operate correctly. They are also likely to generate internal security breaches in OVHcloud's software or platforms and could adversely affect the market penetration of its cloud offerings.

Management of the risk

OVHcloud has set up a regular review of its code and infrastructures by a team of IT auditors, which carries out access and penetration tests of its systems. The Group also follows rigorous processes for updating its applications in order to anticipate development risks.

The Group has put in place business continuity and recovery plans for its internal IT systems, incorporating redundancy for its critical systems. OVHcloud has a network redundancy system and performs regular backups. Cybersecurity measures are described in detail in the relevant risk section.

Although OVHcloud considers that it has implemented risk management measures, these may prove insufficient to prevent a service outage.

Risks related to cybersecurity

Description of the risk

As a digital company, OVHcloud is highly exposed to the risk of service outages caused by cyber attacks.

The occurrence of a large-scale cybersecurity incident could affect OVHcloud's internal systems or the operation of its servers and cause shutdowns or denials of service.

Because the techniques used to obtain unauthorised access to, or sabotage, IT systems change frequently, grow more complex over time and often are not recognised until launched against a target, OVHcloud may be unable to anticipate or implement adequate measures to prevent such techniques. In addition, OVHcloud might not immediately discover any security breach or loss of information.

Following such a discovery, OVHcloud might need to shut down systems and limit customer access to its services, which could adversely impact the Group's revenue and operating costs.

OVHcloud could sustain significant damage to its brand and reputation if a cyber attack or other security incident were to allow unauthorised access to, or modification of, its customers' data, other external data or its own data or IT systems, or if the services the Group provides to its customers were disrupted, or if OVHcloud's servers were reported to have, or were perceived as having, security vulnerabilities.

Beyond its internal operations, OVHcloud has no direct control over its customers' cybersecurity and could be indirectly impacted by an attack on one of its customers.

OVHcloud uses software licensed from third parties to operate its servers and protect its IT systems. Although OVHcloud analyses the level of cybersecurity offered by these third-party software packages, the Group does not fully control the mechanisms used to maintain their security. If security systems provided by a third party were to fail to adequately protect OVHcloud's systems or the data or systems of its customers, OVHcloud could suffer cyber attacks that would impact its revenue and business reputation, as set out above. In addition, if a different customer of a third-party security solution provider were to experience a cybersecurity incident, even if it is unrelated to OVHcloud's operations, the confidence of OVHcloud's customers could be adversely affected.

Management of the risk

OVHcloud has implemented several measures to limit cybersecurity risks, mapping its IT risks and managing them as part of the cybersecurity department's continuous improvement process.

OVHcloud has defined a cybersecurity strategy and developed a set of tools and policies to ensure the highest possible level of protection and detection. OVHcloud's architecture and processes are designed to limit exposure in terms of systems.

This has resulted in several certifications, such as ISO 27001, SOC 1, SOC 2, SecNumCloud and PCI DSS. In addition, the Group is in regular contact with the French national cybersecurity agency (ANSSI) in order to anticipate new attacks or improve its existing processes. OVHcloud also carries out regular cyber attack simulation campaigns and awareness campaigns for its employees and executives. The results of these tests are detailed in Chapter 3 of this Universal Registration Document.

While OVHcloud seeks to take precautions to guard against cybersecurity incidents, those precautions might prove to be ineffective or fail to prevent major security breaches. In addition, OVHcloud may be vulnerable to new security breaches that have not yet been identified.

In any event, OVHcloud has also taken out a cyber insurance policy with a leading insurer to cover the effects of a possible cybersecurity incident. The implementation of this insurance coverage was subject to OVHcloud complying with binding specifications imposed by the insurer.

Risks related to data protection, loss or theft

Description of the risk

Many data protection and privacy regulations impose stringent requirements on OVHcloud's customers, who must ensure the protection of their own customers' data, including data stored on OVHcloud's servers, as well as the protection of OVHcloud's data.

In the event of an incident involving the loss or theft of data, OVHcloud could see its reputation and revenue severely impacted.

Moreover, ever more stringent regulations are being proposed that could have a significant impact on the technology companies that represent a significant portion of OVHcloud's customer base. New regulations could have an impact on OVHcloud's operations and expenses.

Management of the risk

OVHcloud continually monitors data protection issues (see “Risks related to failure to comply with certain laws and regulations and their developments”).

OVHcloud has implemented internal governance to ensure that data protection issues are systematically taken into account in its projects.

The Group classifies its data by level of risk in order to determine the measures necessary to limit the loss or theft of this data. IT access management processes are used to limit access to data based on authorisations. Finally, the Group is also working on an overall assessment of the risks associated with artificial intelligence on its data. Internal regulations on the use of generative artificial intelligence to ensure the protection of internal data were issued in 2025.

Cybersecurity risk mitigation measures, described in the section “Risks related to cybersecurity”, help to reduce risks related to data loss, in particular through the availability of monitoring tools, or, for example, cybersecurity tests carried out internally and by external service providers.

2.2Insurance and risk coverage

2.2.1Insurance policy

The Group's insurance policy aims to protect its employees, assets, customers and shareholders against the financial consequences of major events.

Its purpose is to ensure business continuity and the operational resilience of the services provided to customers, to reduce the Group's financial exposure in the event of an incident and to strengthen the confidence of all its stakeholders.

It complements the risk prevention and control systems put in place by the Group, such as:

• an active prevention and protection policy at its industrial sites, in particular through its “Hyper Resilience” (HYR) prevention plan, designed to protect them against fire risks. The Group has most of its industrial sites audited annually by its brokers' and insurers' prevention engineers;
• awareness-raising sessions on fire risk, with a technical and insurance-based approach, for a wide range of operational staff;
• the development of risk prevention, such as exposure to natural and environmental disasters, therefore enhancing existing insurance coverage.

The insurance policy is part of the Group's overall strategy, taking into account the specific features of its business sector, its growth and its strong international presence.

To ensure that the insurance programme is relevant and appropriate, the Legal Department works constantly to identify risks that could be covered by insurance, in conjunction with all the Departments (Finance, Resilience and QSE, IT, Human Resources, etc.). These risks include:

• all infrastructure-related damage (fire, explosion, natural events, etc.);
• cyber risks (damage, theft, extortion, phone hacking, etc.);
• professional civil liability and operational liability risks;
• liability risks for executive corporate officers and non-executive officers;
• risks related to the safety of employees;
• risks related to business trips;
• risks related to the transportation of goods.

2.2.2Operational monitoring, management and optimisation of the insurance system 

The operational management of the various insurance programmes is carried out by the Group's Legal Department.

It is based on centralised monitoring and negotiation of all the Group's insurance policies, with the exception of subsidiaries based in the United States, which determine their own internal policy and take out their own separate insurance policies.

The Group's international reach led to the introduction of structured insurance programmes with the aim of providing uniform coverage that is also adapted to all entities in the Group.

As a result, these programmes are built around master policies, underwritten by the Group for all its entities and supplemented by local policies that are reintegrated or underwritten autonomously and directly by the subsidiaries themselves, thereby enabling them to meet the regulatory requirements of certain regions.

These international insurance programmes require the support of intermediaries with a high degree of maturity in these areas. Renowned brokers are mandated to negotiate with the main insurance companies for the introduction or renewal of cover that is best suited to the risks involved.

The Group applies strict criteria when selecting insurance companies to partner with. They must be financially sound, as attested by recognised rating agencies. The Group's geographical presence means that particular attention must be paid to the ability of insurance companies to operate in an international context and to issue insurance programmes made up of master policies and reintegrated local policies. Their expertise in the field of technological and cyber risks, as well as their ability to propose contractual clauses and cover adapted to the specific features of the Group's activities, are decisive criteria in the choice of insurers.

Optimising the insurance system is essential to safeguarding the Group's interests, and includes in particular:

• regular competition between insurers to improve financial terms and conditions and the quality of their cover and support;
• the adaptation of its insurance coverage each year, when renewing policies, according to developments in the risks related to the growth of its usual activities and its steady increase in capital. To do so, the Group uses an external firm to appraise the assets of its largest sites;
• communication with the insurance and reinsurance market at the roadshows organised by the Group, on the information detailed in the HYR prevention plan;
• monitoring claims and analysing feedback to improve prevention and protection systems.

2.2.3Structure and coverage of the insurance programme 

Insurance contracts were renewed at 1 January 2025, with the exception of a few contracts with expiry dates later in the year.

OVHcloud prefers to take out "master" policies in order to pool coverage within the Group. For regulatory or factual reasons, such as the size of a subsidiary, OVHcloud also uses local or "standalone" policies taken out directly by its subsidiaries.

The insurance programme is built around a number of complementary cover options, including:

Property damage insurance

Property damage insurance, which covers the sites, facilities and equipment owned by the Group or entrusted to it, against major events and guarantees continuity of service.

• Following the Strasbourg fire in March 2021, it proved extremely difficult to negotiate the insurance contract underwritten in France and numerous conditions were imposed upon its renewal on 1 September 2021, which continued to apply when the contract was extended at 1 September 2022 and 1 January 2023;
• The completion of the HYR prevention plan, which was underway at the time of the renewals on 1 July 2023 and 1 January 2025, enabled the specific contractual conditions that had been imposed following the fire to be lifted;
• The completion of the HYR prevention plan, drawn up by the Group for its datacenters and associated sites according to schedule, has largely convinced insurers of the level of prevention expected and has made it possible to obtain optimum coverage conditions, while observing a reduction in the amount of the insurance premium of around 59% for FY2026 compared with the premium paid for FY2025;
• On 1 January 2026, the Group will take out a new 24-month insurance programme on property damage and additional operating expenses, comprising a two-line master policy with an insurance capacity of up to €500 million per claim, corresponding to the maximum possible loss (MPL). The master policy will cover all the Group's datacenter assets in France, Germany, Belgium, the United Kingdom, Italy and Australia;
• This programme covers, in particular, risks related to fire, lightning, explosion, electrical, water damage, theft and natural disasters, resulting in direct material damage to insured property, including buildings, furniture, equipment and/or furniture and equipment rental risks. Miscellaneous costs and losses resulting from insured property damage, the financial consequences of civil liability and additional operating costs are also covered.

Civil liability and cyber insurance

This combined worldwide "information technology and communication civil liability and cyber enterprise risk management" programme, underwritten for all the Group's subsidiaries except those in the US, provides coverage for operating, product and professional civil liability, as well as coverage against the financial consequences related to cyber risks.

This master policy, underwritten by CNA, SOMPO and AIG, is made up of four lines providing sufficient coverage for civil liability and cyber enterprise risk management. It was renewed on 1 January 2025 for a period of two years and is subject to automatic renewal.

The maximum amounts of compensation for the main risks under this programme have increased and now stand at €25 million per claim and per insurance period for civil liability, and €20 million per claim and per insurance period for professional civil liability and cyber risks.

Directors' and officers' liability insurance (D&O)

This master policy protects corporate officers against the financial consequences related to their liability in the performance of their duties.

In addition to these international and local systems, the Group maintains a portfolio of specific insurance policies covering all its operational and support activities.

These include multi-risk office policies to protect premises and equipment, as well as policies to cover risks associated with employees' business travel and professional assignments.

The Group also has insurance policies tailored to the transport of goods.

This set of policies, combined with master policies, local reintegrated policies and standalone policies, provides extensive and consistent coverage, protecting the Group's resources, teams and activities effectively and in line with its risk management policy.

2.3Internal control system

2.3.1General internal control framework

2.3.1.1Definition and objectives of the internal control system

Based on the AMF reference framework, OVHcloud has set up an internal control system comprising a set of resources, policies, behaviours, procedures and appropriate actions designed to ensure:

• the application of instructions and guidelines set by management;
• the operation of internal processes to ensure the effectiveness and control of activities;
• the reliability of accounting and financial information;
• compliance with laws and regulations;
• the management of risks.

2.3.1.2Internal control governance

A number of players are involved in the internal control system.

Board of Directors and Audit Committee

Delegated by the Board of Directors, the Audit Committee is responsible for monitoring the preparation of financial information and the effectiveness of internal control, risk management and internal audit systems.

The Audit Committee reports to the Board of Directors on these aspects.

See Section 4.1 – Governance overview for a detailed description of the tasks of the Board of Directors and the Audit Committee.

Senior Management

Senior Management is responsible for deploying the internal control system and overseeing risk mapping. To achieve this, Senior Management relies on the support of the Finance Department and the Audit, Internal Control and Risk Department.

Level 1 controls

The first line of control is made up of operations that formalise and implement operational processes to ensure the control of day-to-day operations and their internal control.

Level 2 controls

Internal control is an integral part of each operational department's mission. The management of the operational departments is responsible for checking that the Level 1 procedures and controls are being properly applied by carrying out Level 2 controls, for example via sampling and by implementing application controls and validation circuits. The management control function may also be responsible for carrying out Level 2 controls.

Lastly, the functional departments are responsible for defining the guidelines and controls to be applied by all the commercial and industrial entities and for managing the operational risks in their respective areas: for example, the Legal, Quality, Standards, Safety and Working Environment, Cybersecurity, Human Resources, Finance and Insurance Departments. These functional departments may also be called upon to verify that Level 1 rules have been applied correctly through Level 2 control campaigns.

With a view to strengthening its internal control and improving coordination, OVHcloud has set up an Audit, Internal Control and Risk Department, which reports to the Group's Finance Department. This department assists the operational and functional departments in setting up their Level 1 and 2 control systems. The Audit, Internal Control and Risk Department also carries out internal control campaigns based on the operational departments' self-assessment of whether controls have been applied correctly. The Audit Committee monitors the rollout of the internal control system.

Level 3 controls

The third line of control is the Audit, Internal Control and Risk Department. On the basis of an annual audit plan, approved by Senior Management and the Audit Committee, audits are carried out in a fully independent manner and are the subject of an audit report which identifies any risks and the action plans needed to mitigate them.

The findings of internal audits are reported to the operational departments, as well as to Senior Management and the Audit Committee for the main findings, in order to provide reasonable assurance on the effectiveness of the internal control and risk management system.

Follow-up on action plans is presented to the Executive Committee and the Audit Committee twice a year. The Internal Audit department is also independently empowered to alert Senior Management and directors if necessary.

2.3.2Internal control system and environment

2.3.2.1Control environment

The aim of a control environment is to create a secure framework for OVHcloud, its employees and all its stakeholders. The internal control environment is based on a framework of values governing the behaviour and ethics of the Group's employees and third parties. In order to disseminate these values, the Group has implemented the following charters and code of conduct:

• code of ethics and anti-corruption governing the rules of behaviour of employees and also of partners/suppliers;
• a whistleblowing platform for reporting any behaviour contrary to the ethics framework and any serious situation or fact observed within the Company or at its partners/suppliers, in complete confidence and confidentiality;
• OVHcloud values shared by all employees, including the obligation to act responsibly and ethically. These founding values help to foster a respectful corporate culture;
• IT, communication and security charters including all rules and best practices in terms of the physical and logistics security of the Group's IT resources by users;
• stock market ethics charter, introduced in 2021, in accordance with AMF instructions, which defines the obligations of persons holding inside information.

In particular, the following departments contribute to internal control:

• the Group Legal Department, which advises and assists the operational departments and subsidiaries on material legal matters;
• the Group Tax Department, which advises and assists the operational departments and subsidiaries on material tax matters;
• the Group Financial Operations Department, which ensures the proper implementation of and compliance with reporting and preparation procedures for the consolidated financial statements;
• the Group Human Resources Department, which advises and ensures that internal practices comply with laws and regulations under employment law;
• the Group Operations Department, which carries out specific risk analyses and proposes action plans on security, safety and business continuity;
• the Audit, Internal Control and Risk Department, which continually adds to the internal control framework, leads the self-assessment of internal control by all of the Group's Departments, and manages risk mapping.

Lastly, the Statutory Auditors are informed of the internal control system and the risks identified by the Group in the assessment.

2.3.2.2Control frameworks

Ethics and compliance

The Group pays strict attention to the compliance of its procedures and employee practices with applicable regulations. The Group has thus deployed ethics and anti-corruption codes with associated training. In addition, the Group raises awareness among its employees of whistleblowing, in particular as part of the measures put in place in accordance with the French law of 9 December 2016 on transparency, the fight against corruption and influence peddling and the modernisation of economic life (the so-called "Sapin II" law). A platform accessible at all times has been set up on which employees and any third parties (partners, suppliers, customers, etc.) can report any breach of the Group's code of ethics that they may have observed. The ethics and business conduct system is described in Chapter 3 of this document.

Data protection

Under the supervision of its Data Protection Officer (DPO), the Group implements a rigorous personal data protection policy. A policy on the use of personal data has been defined, precisely describing the processing that OVHcloud may be required to carry out on data concerning customers, suppliers and partners, as well as the conditions of that processing.

Information systems security

Information security is the subject of a programme and commitments developed within OVHcloud's information systems security policy (ISSP). The policy sets out principles for the application of information systems security, mainly:

• deployment of a large-scale, industrial approach to security;
• adaptation of safety systems to the different types of OVHcloud customers;
• provision of means and technologies to enable each customer to manage their own risks;
• ensuring support service information system security throughout all phases of its lifecycle;
• implementation of security management systems (ISMS) and privacy management systems (PIMS);
• safety management using a risk-based approach;
• demonstration of the level of security through certification, internal control and external audit;
• unified response to security incidents and personal data breaches;

• integration of security and privacy issues into product development; and
• safety assessment and implementation of a continuous improvement process.

The ISSP, under the responsibility of the Chief Information Systems Officer (CISO), is reviewed by the Executive Committee, which verifies that its content is consistent with the Group's strategic targets. It is revised once a year. The ISSP applies to all Group companies, employees, suppliers, service providers, subcontractors and information system users, regardless of their status.

Under the responsibility of the CISO, OVHcloud's security team is composed of four teams:

• security tools, in charge of developing and operating the tools supporting the security policy;
• operations security, responsible for ensuring the implementation of good security practices within operations and the implementation of formal security management processes, supporting the integration of security tools and the alignment of security arrangements within the Company;
• CERT, in charge of monitoring threat sources, identifying cyber attack tools and methods to anticipate them, and managing security incidents; and
• customer security, in charge of assisting the teams in contact with customers (support, sales, etc.) to manage security issues in the relationship.

OVHcloud ensures that employees are aware of the challenges of IT security and, more specifically, of cybersecurity. To this end, the Group regularly conducts cyber attack simulation campaigns (phishing) designed on the basis of sophisticated scenarios and performs external audits.

Quality, health and environment

Through its health and safety policy, OVHcloud oversees the implementation of measures to offer safe and healthy workspaces for all its employees and stakeholders, sites and products. The Group's industrial risk management policy is based on two main areas: (i) prevention through audits carried out by external bodies at each of the sites, which result in reports with both human and material recommendations, and (ii) protection through the development of risk reduction plans, incorporating short- and medium-term investments as well as organisational or management actions.

Collection of rules and controls

The Audit, Internal Control and Risk Department is compiling a collection of procedures as they are created. In 2025, a self-assessment process was launched to ask management to confirm that the Group's main controls had been properly carried out, and to provide proof of control. This approach is part of a continuous improvement process for Group internal control.

2.3.2.3Internal control procedures relating to the preparation and processing of financial and accounting information

OVHcloud's accounting and financial function is managed by the Group's Finance Department, which reports directly to Senior Management.

The Group Finance Department’s responsibilities mainly cover the preparation of financial statements, management control, tax, financing and cash management, and participation in financial communication, purchases, internal control, internal audit and risk management.

The accounting rules and methods and IFRS standards in force within the Group are presented in the notes to the consolidated financial statements in this document. At the end of each reporting period, the Audit Committee verifies with the Finance Department and the Statutory Auditors that these rules, methods and standards have been applied consistently from one year to the next.

Each half-year, after review by the Audit Committee, the Board of Directors adopts the financial statements for the period, which the Statutory Auditors are then asked to review.

Information systems

The purpose of the accounting and financial information systems deployed within the Group is to meet the requirements of compliance, security, reliability, availability and traceability of information.

OVHcloud has completed the roll out of SAP as the only information and management system for financial management and accounting data. The use of a single tool ensures consistency in the processing, comparison and control of accounting and financial information. In addition, OVHcloud deployed the HFM financial consolidation tool in 2024.

In order to strengthen the internal control of the Group's systems, the Organisation and Information Systems Department has strengthened the segregation of duties and improved access rights controls, particularly in critical systems such as SAP, through a formal annual review across the entire Group scope.

Financial communication

The Financial Communication and Investor Relations Department, under the supervision of the Chief Financial Officer, manages the Group's financial communication.

The Group disseminates financial information by various means, in particular:

• press releases;
• the Universal Registration Document;
• half-year and annual results presentations.

The Group's website has a dedicated Investors section which includes the aforementioned items as well as other regulatory or informational items.

The Statutory Auditors

As part of their audit of the financial statements, the Statutory Auditors make comments. When they deem appropriate, the Statutory Auditors report to management, at the appropriate level of responsibility, on internal control weaknesses identified during the audit that they deem of sufficient importance to merit its attention. The Statutory Auditors report any material weaknesses in internal control to the bodies mentioned in Article L. 823-16 of the French Commercial Code, at the time they deem appropriate, in writing.

As part of their ongoing engagement, the Statutory Auditors audit the annual and half-year financial statements of consolidated entities. The Group's annual consolidated financial statements are prepared by the Financial Operations Department under the responsibility of the Group's Chief Financial Officer. The Group's Chief Executive Officer and Chief Financial Officer attest to the accuracy, reliability and fair presentation of the consolidated financial statements in a representation letter sent to the Statutory Auditors.

Sustainability Statement

3.1ESRS 2 – General information

3.1.1Basis for preparation

3.1.1.1BP-1 – General basis for preparation of sustainability statements

This sustainability statement for the 2025 financial year has been drawn up in accordance with the European Union Corporate Sustainability Reporting Directive (CSRD – directive 022/2464), as transposed into French law by Order no. 2023-1142 of 6 December 2023, and in accordance with the EU Taxonomy Regulation on sustainable activities (Regulation (EU) 2020/852) which establishes a classification system to identify environmentally sustainable activities.

This year, OVHcloud is presenting its annual sustainability information for the consolidated Group in accordance with the European Sustainability Reporting Standards (ESRS), as required by the CSRD.

The same scope of consolidation is used as for OVHcloud's consolidated financial statements. Exclusions from this scope will be specified in the relevant section, where applicable.

Sustainability matters have also been analysed across the Group's upstream and downstream value chains, as have policy and action plans where applicable.

The sustainability statement covers all of OVHcloud's operations, covering the Group's upstream and downstream value chains. The policies, actions and targets are applied throughout the value chain in question, in order to address the impacts, risks and opportunities (IROs) that have been determined as material under the double materiality analysis.

This first report has been drawn up to the best of our understanding of ESRS requirements. This first financial year of applying the directive and materiality analysis is marked by uncertainties over the interpretation of the requirements, the absence of established processes and comparative data, in a few rare cases, as well as a number of difficulties in collecting data, particularly within the value chain.

OVHcloud has not used the option to omit specific information corresponding to intellectual property, know-how or the results of innovation.

3.1.1.2BP-2 – Disclosures in relation to specific circumstances

Time horizons

Unless otherwise specified, the terms "short-", "medium-" and "long-" term used in the analysis are used as defined by ESRS 1. As the reporting period for this analysis starts at end-2024, short-, medium- and long-term are defined as one year or less (2025), two to five years (2026 to 2029) and more than five years (2030 and beyond) respectively.

Use of estimates

In some cases, the Group has used estimates, particularly when obtaining information on the value chain in the case of greenhouse gas (GHG) emissions, or has made interpretations, particularly for the metrics requested for resource inflows, which cannot be measured comprehensively. These estimates are described in the methodological note in Section 3.2.5 – Methodological note for assessing the environmental footprint.

Included by reference

3.1.2Governance

3.1.2.1GOV-1 – The role of the administrative, management and supervisory bodies

The roles and membership of the various administrative, management and supervisory bodies with regard to sustainability are summarised in the following diagram and described below.

It should be noted that the Board of Directors, on the recommendation of the Appointments, Compensation and Governance Committee, has decided to combine the functions of Chairman of the Board of Directors and Chief Executive Officer. It appointed Octave Klaba Chairman and Chief Executive Officer of the Group from 20 October 2025, meaning that Octave Klaba holds the position of both Chairman of the Board of Directors and Chief Executive Officer.

Membership of the Board of Directors and its committees

The information required by paragraphs 20 and 21 of ESRS 2 is incorporated by reference in Section 4.1.2.2 – Detailed presentation of the members of the Board of Directors in this Universal Registration Document (URD) and in Section 4.1.12 – Duties, operation and work of the committees.

The Board of Directors

The Group's Board of Directors comprises ten directors (40% women, four independent directors, two directors representing employees and one non-voting member).

The Board of Directors applies a diversity policy, which is reviewed regularly, regarding membership of the Board of Directors and Board committees. This policy aims to promote gender parity, diversity of skills, nationalities, independence and international experience.

The Board of Directors is responsible for ensuring that the Group's strategy takes into account social, environmental and climate matters. It regularly assesses the risks and opportunities associated with these topics, in particular climate risks, and ensures that the executive officers take the appropriate measures. The responsibilities of the Board of Directors and its members in relation to these topics are set out in the internal regulations of the Board of Directors. They are also monitored through regular assessments of the Board’s operations and the operations of its committees.

The Board of Directors implements a system to prevent and detect corruption and influence peddling.

A range of awareness-raising initiatives and mechanisms to refine skills have been put in place for Board of Directors members, in particular through meetings with economic and political leaders and visits to operating sites, including discussions with operational teams. The aim of these measures is to allow Board members to better understand OVHcloud's businesses and the environmental and social matters specific to the Group's activities.

Strategy and CSR Committee (SCSR)

The Strategy and CSR Committee is composed of five members (40% women and three independent directors). This Committee plays a central role in integrating sustainability matters into the Group's strategy. It meets at least four times a year to examine the Group's commitments and strategic directions on CSR matters, monitor their implementation and prepare the work of the Board of Directors on these topics.

It ensures that matters relating to compliance and ethics policies are taken into account in the Group’s strategy and in its implementation.

The Strategy and CSR Committee ensures that the Group's climate strategy is underpinned by specific objectives defined for different time horizons. It reviews annual results and may be consulted on the presentation of this strategy to the General Shareholders' Meeting. The Committee also pays close attention to the opinions expressed by investors and stakeholders, and may propose action plans in response to social or environmental concerns.

In order to carry out its duties, the Strategy and CSR Committee may meet with members of Senior Management or employees of the Group with relevant expertise, and may call on external experts if necessary. Despite not being a member of the Committee, the Chief Executive Officer takes part in its work. The Chairman of the Board of Directors is a member of the Strategy and CSR Committee.

Appointments, Compensation and Governance Committee (ACG)

The Appointments, Compensation and Governance Committee is composed of four members (50% women and two independent directors). This Committee helps the Board to determine the composition of the Group's management bodies, and to draw up and assess compensation policies. It also plays an important role in overseeing CSR governance.

The Appointments, Compensation and Governance Committee carries out an annual review of the Board of Directors’ diversity policy and monitors metrics linked to gender parity, age and diversity of skills. It also monitors the gender and wage equality policy and assesses the independence of the members of the Board of Directors on an annual basis. Regarding compensation, the Committee proposes to the Board the compensation conditions for the Chairman and Chief Executive Officer and the other executive corporate officers, and ensures that non-financial criteria linked to CSR performance are integrated into said conditions.

Finally, the Appointments, Compensation and Governance Committee helps to identify emerging trends in governance and sustainability, and ensures that the Group is in a position to respond proactively to these trends, in line with the matters specific to its activities.

Audit Committee

The Audit Committee is composed of three members (two-thirds independent directors and two-thirds women). The Committee’s main duties include monitoring the financial and sustainability reporting process. It also monitors the effectiveness of internal control, internal audit and risk management systems relating to these two processes.

The Audit Committee monitors the work of the Statutory Auditors, including work relating to the certification of sustainability information, and ensures that the systems and procedures in place guarantee the application of policies on compliance, ethics and the fight against corruption and fraud. As such, it plays a cross-functional role in monitoring non-financial risks, directly linked to the transparency requirements set out by the CSRD.

Risk Monitoring Governance

An internal Risk Monitoring Committee, comprising dedicated members of the Executive Committee, is specifically focused on the CSRD. The members of this Committee include the Chief Executive Officer and the Chief Financial, Legal, Sales, Human Resources, Industrial, Strategy, Audit, Internal Control and Non-Financial Control Officers. Diversity within the Executive Committee is set out in Section 3.3.2.9.2 under the table “Gender distribution in numbers and percentages at top management level” of this Universal Registration Document. 

The Committee is responsible for approving the material matters and IROs (Impacts, Risks and Opportunities) specific to the Group, supervising the double materiality assessment and approving the deliverables resulting from this assessment. It also decides on the main subsequent strategic directions as part of the implementation of regulatory requirements. All members are made aware of the materiality of CSR matters for the Group, its environment and its value chain, which guarantees collective and informed supervision of these topics.

3.1.2.2GOV-2 – Information provided to administrative, management and supervisory bodies

The information provided to the administrative bodies is described in Section 4.1.9 – Powers, duties, operation and work of the Board of Directors of the URD. This includes sustainability information.

The Chairman and Chief Executive Officer keeps the Board of Directors informed of CSR and sustainable development initiatives.

Interaction between the Board of Directors,  Committees and working groups on the following topics: material impacts, risks and opportunities (IROs) and monitoring of policies, actions, measures and objectives

The Board of Directors, Committees and working groups interact closely to monitor and implement policies, actions, measures and objectives related to sustainability matters. The Board of Directors regularly assesses the main risks and associated management measures, while the Strategy and CSR Committee ensures that sustainability matters are integrated into the Group's strategy. The Strategy and CSR Department helps to define the Group’s major strategic directions and coordinates the CSR policy, with a view to enhancing its commitments and measuring the effects of the CSR programme.

The CSR Steering Committee also participates in this work. It is responsible for defining, monitoring and adjusting CSR action plans. This committee is composed of representatives from the operational departments involved in implementing the CSR action plan, including the Strategy, Environment, Human Resources, Finance, Purchasing, Legal, Public Affairs, Communication, Audit and Internal Control Departments. The CSR Steering Committee meets twice a month to monitor progress, identify challenges and adjust action plans to ensure that objectives are achieved. This collaborative approach ensures that the actions taken regarding sustainability matters are coherent and effective, and that the various operational departments are involved in implementing the CSR programme.

By working together, the Board of Directors, committees and working groups, as well as the CSR Steering Committee, ensure that the actions taken regarding sustainability matters are consistent and effective. The Audit Committees and the risk monitoring governance body also ensure the effectiveness of the risk monitoring and internal control system, which includes CSR risks to which the CSRD is related. These entities interact regularly to ensure that CSR policies and action plans are implemented effectively.

IROs taken into account by the Board of Directors and its committees in overseeing strategy, major decisions and the risk management process

During the period, the Board of Directors and its committees reviewed the material IROs. They meet regularly with the heads of the CSR, Legal and Human Resources Departments. The Executive Committee examines the reports and proposals of the CSR programme.

The table below sets out an indicative list of the IROs that were considered during the 2025 financial year:

3.1.2.3GOV-3 – Integration of sustainability-related performance in incentive schemes

The compensation of the Chairman and Chief Executive Officer includes a fixed portion and an annual variable portion, the latter being based on performance criteria set by the Board of Directors, after consulting the Appointments, Compensation and Governance Committee, these criteria being reviewed by the Board of Directors annually.

Among these performance criteria, two are linked to ESG performance:

• Power Usage Effectiveness (PUE). This indicator represents 10% of variable compensation. It is triggered at a 100% achievement rate (PUE under 1.26) and is capped at 100% in the event of outperformance;
• employee commitment, a criterion measured on the basis of surveys carried out using a survey software (OVHcloud Spirit). This indicator represents 15% of variable compensation. It is triggered from a score of 7/10 (25% achievement rate) and increases on a linear basis to 7.3/10, corresponding to a 100% achievement rate, i.e., 7.1/10 corresponds to a 50% achievement rate and 7.2/10 corresponds to a 75% achievement rate. It is capped at 100% in the event of outperformance.

The incentive schemes are described in more detail in Section 4.5.2 – Compensation and benefits paid to executive corporate officers and non-executive officers.

3.1.2.4GOV-4 – Statement on due diligence

The table below sets out the key elements of due diligence (in terms of impact on people and the environment) linked to the sections of OVHcloud's sustainability report in which we can identify them:

3.1.2.5GOV-5 – Risk management and internal controls over sustainability reporting

3.1.2.5.1General principles of the risk management and internal control system

The risk management and internal control system for sustainability information is part of OVHcloud's overall system.

Integrated risk management system

The Group has put in place procedures for identifying and managing risks through its risk mapping described in Chapter 2 of the URD, Risk factors and internal control.

In order to link the Group's risk mapping to its work on sustainability, the overall risk, initially entitled "Risks related to the implications of climate change", was modified in 2025 to include sustainability reporting matters. It is now called “Risks related to CSR matters” and the level of risk, based on criticality and probability of occurrence, has been reassessed.

In addition, the Audit, Internal Control and Risk Department has been part of the steering team for the introduction of the sustainability report. The risk and internal control approach has therefore been systematically taken into account at every stage of the project.

Regular communication with management bodies

The Group's governance bodies oversaw the implementation of sustainability reporting and were involved at key stages of the project.

The Audit Committee, as delegated by the Board of Directors, was consulted, and, through regular presentations, approved the overall roll-out of sustainability reporting, including the main stages of the project, the choice of Statutory Auditors, the Group's material matters and IROs, the materiality matrix and the sustainability statement itself.

The Executive Committee was also consulted via the risk monitoring governance body. Given the challenges involved in setting up the first sustainability statement and the collective effort required, "Risks related to CSR matters" has been classed as a major risk and has therefore been included in the risk monitoring governance described in Chapter 2 – Risk factors and internal control of the URD. In terms of CSRD, the membership of this governance body is described earlier in this document.

The following key elements of the project were presented to the risk monitoring governance body and the Audit Committee during the 2025 financial year:

• presentation of the steering system for the sustainability reporting project;
• summary of the double materiality work for the approval of executives, including the Chief Executive Officer and the Chief Financial Officer;
• main risks associated with sustainability reporting and the internal control system;
• draft sustainability statement.

3.1.2.5.2Approach to assessing the risks related to sustainability information

A risk assessment specific to the sustainability statement was carried out. This assessment covers CSR strategy, project steering, standards and their interpretation, data production and the preparation of this statement.

The risk assessment methodology used is identical to that used for the overall risk mapping, with identified risks assessed both on their potential impact and their probability of occurrence. Assertions are used in the audit to ensure that the risk assessment covers completeness, accuracy, classification and presentation, occurrence and rights and obligations.

3.1.2.5.3Main risks identified and internal control strategy to cover risks

Risks related to the first-time publication of the sustainability statement

The main risk identified relates to the completeness, reliability and documentation of data. As this is the first year of publishing the sustainability statement, OVHcloud has to produce a range of quantitative and qualitative data, some of which is new, produced manually and potentially based on estimates or third-party data. The Group must also set up a system for documenting and archiving data so that the information produced can be substantiated, and so that all of its disclosures can be validated by the Statutory Auditors.

Internal control strategy for managing risks

The internal control strategy for sustainability reporting is based on the overall internal control system described in Chapter 2 – Risk factors and internal control of the URD.

The Group has set up an internal control system to reduce the risk associated with the reliability, completeness and documentation of sustainability data. The structure of the system is described below:

• a steering framework consisting of centralised project documentation: double materiality assessment, gap analysis with standards, structure of the sustainability statement, formal progress monitoring, and project governance;
• documentation of each datapoint in order to explain and justify all sustainability reporting, including the absence or postponement of disclosures;
• a data collection and archiving process.

Based on the AMF (Autorité des marchés financiers) reference framework already applied to other internal control issues, OVHcloud has also structured three levels of control:

• First line of control: operational staff in charge of producing information for the statement draw up "indicator sheets" for quantitative information and draw up qualitative information on the basis of policies, procedures and other factual and tangible data;
• Second line of control:
  • the person responsible for each reporting scope formally validates the data produced by operational staff, using a range of possible controls: checking the scope, checking consistency, proofreading, ensuring consistency between reporting data,
  • the overall sustainability reporting steering team also carries out a review of each item of information produced and ensures that each piece of data is documented;
• Third line of control: the Audit, Internal Control and Risk Management Department carries out the following controls:
  • review from a risk perspective: overall review of sustainability reporting to ensure that the information produced is consistent with the Group's strategy and overall risk monitoring,
  • audit of a sample of sustainability reporting, in conjunction with the work carried out by the Statutory Auditors, in order to provide assurance to management on the level of compliance with the internal control framework.

Together, the elements of the control system enable OVHcloud to reduce its exposure to the risks identified.

3.1.3Strategy

3.1.3.1SBM-1 – Strategy, business model and value chain

The Group's strategy is described in detail in Chapter 1 of the URD, Presentation of the Group.

3.1.3.1.1Elements of the general strategy that may affect sustainability matters

Global workforce

OVHcloud now employs more than 3,000 people. The workforce is described in Section 3.3.2 – ESRS S1 – Own workforce of this document. Worldwide, OVHcloud has 44 datacenters and two assembly plants in ten countries.

Description of the Group's general strategy

OVHcloud offers a range of cloud solutions for its customers, including:

Private Cloud

The Private Cloud segment offers services and solutions that are hosted on resources dedicated to customers. This service offer mainly consists of:

• Bare Metal Cloud: dedicated solution administered entirely by the customer according to their needs and without constraints because they are the only user. The uses of a Bare Metal solution are multiple: big data, machine learning, hosting of websites and web applications, storage and backup, infrastructure virtualisation, server clusters, business applications (CRM, ERP) and online game hosting.
• Hosted Private Cloud: dedicated solution managed by the OVHcloud teams, integrating cutting-edge virtualisation and security technology that enables a technological continuum with our customers' environments. The Hosted Private Cloud offer is particularly suitable for hosting sensitive strategic data such as health or financial data.

Public Cloud

The Public Cloud segment offers a range of cloud solutions that are billed per use, based on open standards (OpenStack, Kubernetes, Object Storage, Database-as-a-Service and open virtualisation technology). Resources, such as computing power or storage, as well as the physical infrastructure that provides them, are pooled and flexible, meaning they are shared between the users of the cloud services provider and are adaptable to customer needs and instantly deployable on a large scale. These solutions are typically used for applications that can experience peaks in demand such as e-commerce, and heavily demanding applications such as video streaming, music streaming, application testing and development as well as database management covered by specific offerings.

Web Cloud & Other

OVHcloud offers its customers peripheral solutions allowing the creation and hosting of online websites such as the search for and renewal of domain names, or the creation of a site or an online store. OVHcloud also offers collaboration solutions such as professional messaging, telecommunication and texting.

Markets and geographical presence

OVHcloud has developed a global footprint with a significant customer base in Europe, the United States and Asia.

The table below shows revenue by geographic area:

The Group’s average headcount is described in Section 3.3.2 – ESRS S1 – Own workforce.

3.1.3.1.2Aspects of the overall strategy linked to sustainability matters

Value chain

The value chain, determined through a study of the Group's activities and relationships, is set out below:

Description of the Group's sustainability strategy

OVHcloud's CSR strategy is based on three pillars:

• guaranteeing data sovereignty and freedom;
• pioneering the sustainable cloud;
• driving collective progress of the cloud for the benefit of society.

Driven by a desire to act responsibly towards society and the environment, the Group has set out these three fundamental pillars in its CSR policy, which can be viewed on the Group's website (https://corporate.ovhcloud.com/en-gb/sustainability/environment/). The Group's CSR policy covers all its activities and geographical regions.

Guaranteeing data sovereignty and freedom

Leading European cloud services provider, OVHcloud is at the heart of the digital revolution, which opens the way to a multitude of opportunities in terms of applications and technology. In this context, the Group offers its customers cloud solutions covering all their uses – supporting them in their digital transformation, enabling them to innovate by building cloud native applications or helping them leverage the power of data. In fulfilling this mission, the Group offers its customers the freedom to build their most ambitious projects in a secure, compliant and sustainable cloud environment. For OVHcloud, everyone must be able to control their data and be guaranteed that they are secure. Free choice and openness in terms of services and innovation are the foundation of the relationship of trust established with its customers and partners.

Pioneering the sustainable cloud

OVHcloud has integrated the environment at the heart of its business model since its creation, by developing industrial innovations to limit its environmental impact. OVHcloud is pursuing its climate performance trajectory by fine tuning its existing environmental objectives. Accordingly, the quantified objectives presented by the Group this year reflect its ongoing commitment in favour of sustainable and responsible practices. The Group's targets were accepted in 2024 by the Science Based Targets Initiative (SBTi), an independent organisation that assesses and approves companies' GHG emissions reduction targets based on science and the recommendations of the Intergovernmental Panel on Climate Change (IPCC). This SBTi acceptance means that the Group's GHG emissions reduction targets are aligned with scientific recommendations to limit global warming to 1.5°C above pre-industrial levels, as set out in the Paris Climate Agreement.

In addition, OVHcloud is stepping up initiatives to reduce its impact by adopting sustainable practices at every level of its value chain. This includes using renewable energy, optimising water and electricity consumption in its datacenters, and reusing components and recovering industrial waste to minimise its landfill rate.

Driving collective progress of the cloud for the benefit of society

In social and societal terms, the Group aims to provide a safe, inclusive and fulfilling working environment by fighting discrimination and promoting diversity and equal opportunities. This means eliminating discrimination, harassment and sexism in the workplace, increasing the proportion of women in management positions and ensuring an inclusive employee experience. OVHcloud is also committed to acting ethically and complying with applicable laws and regulations, guaranteeing zero tolerance of corruption and influence peddling. Finally, OVHcloud prioritises health and safety at work and is committed to ensuring a safe and healthy workplace for its employees, complying with regulatory requirements and implementing measures to protect the health and physical integrity of its employees, customers and local communities. The targets and actions defined within this framework aim to promote a culture of responsibility and sustainability within the Group, fostering a positive working environment and helping to create a more sustainable future.

3.1.3.2SBM-2 – Interests and views of stakeholders

OVHcloud maintains a structured, regular and tailored dialogue with its stakeholders, with the aim of integrating their expectations into its strategy and business model.

• Customer dialogue takes several forms: monthly operational committees led by account managers and TAMs (Technical Account Managers), annual strategy committees involving members of the Executive Committee, sponsors for the Group’s main customers and management representatives of its main customers. On an ad hoc basis, targeted presentations are given by experts (Customer Success Managers, Solutions Architects) to facilitate the understanding, adoption and improvement of solutions. The Group also organises events such as the OVHcloud Summit and OVHcloud Engage, to promote co-innovation with its technological ecosystem. Consumer interests and views are also gathered through more operational channels, as described in Section 3.3.4 – ESRS S4 – Customers and end-users.
• Dialogue with suppliers is based on a partnership approach focused on overall performance and sustainability. Quarterly monitoring meetings bring together purchasing, products, quality and supply chain departments and strategic suppliers. Regular assessments are carried out according to seven criteria, including environmental impact. The Group also organises meetings with international suppliers to present roadmaps and strengthen ties. Major suppliers are also involved in key events such as the Summit.
• Employee input is actively sought through half-yearly engagement surveys, a whistleblowing system, themed workshops (diversity, management), structured social dialogue with social partners, and regular interaction with senior management via a monthly videoconference and on-site visits. These interactions are described in more detail in Section 3.3.2 – ESRS S1 – Own workforce
• Dialogue with shareholders and investors is based on rigorous transparency and direct contact. Management holds conference calls when it publishes its financial results, takes part in roadshows and conferences, and met more than 200 institutional investors during the 2025 financial year. This dialogue is also continued at the Annual General Meeting.
• OVHcloud maintains an active relationship with public authorities on key issues such as digital sovereignty, the competitiveness of the cloud and the environmental impact of infrastructures. The Group conducts these exchanges directly or via industry associations, and regularly organises visits to its sites (datacenters, plants) for public decision-makers to raise awareness of its operational challenges.
• OVHcloud maintains relationships with civil society through partners such as charities or organisations working on social and societal issues including disability, women's rights and access to careers in technology. These interactions are managed by the teams responsible for the various projects.
• Finally, OVHcloud is a major player in the technology community, committed to contributing to advancing technology and promoting innovation. The Group is active in open source communities, technology events and training initiatives. It shares its knowledge and experience to improve the technologies that are shaping the future of digital.

In 2022, OVHcloud carried out its first materiality analysis incorporating the opinions of internal and external stakeholders. These topics have been used to develop the Group's CSR strategy, which is now integrated into its strategy and business model. Today, these interactions continue to impact the Group's strategy as it takes into account internal and external expectations on environmental, social and societal issues, as well as governance.

3.1.3.3SBM-3 – Material impacts, risks and opportunities and their interaction with strategy and business model

The tables below detail the material IROs identified by the Group in the double materiality assessment carried out during the 2025 financial year, at Group level. All IROs are covered by the ESRS disclosure requirements. The assessment methods are described in Section 3.1.4.1 – IRO-1 – Description of the processes to identify and assess material impacts, risks and opportunities.

To carry out its double materiality assessment, OVHcloud analysed all of the ESRS themes, taking into account its entire business model (own operations and upstream and downstream value chains as described above).

OVHcloud is a French cloud service provider with an international presence, combining an industrial server assembly business with a datacenter business, enabling its end customers to store data and access cutting-edge services and technological solutions. Its activity can have actual and potential impacts on both the environment and on society. Conversely, environmental and social developments can impact the Group through financial risks and opportunities.

OVHcloud endeavours to regularly monitor and analyse topics and trends likely to have an impact on its business in the short, medium and long term, and to monitor its positive and negative environmental and social impact over the same time horizons.

As described in Section 3.1.2 – Governance, sustainability matters, whether environmental, social or governance-related, are all taken into account in the Group's strategic decisions. The material IROs are presented and integrated by management bodies and directly influence the development of the Group's strategy, in order to limit risks and capitalise on opportunities that may arise as a result of the Group’s environmental and social actions.

In accordance with the CSRD, the material risks identified in the double materiality assessment are analysed without taking into account existing mitigation measures. To date, the Group does not expect the risks identified to have a material impact on its financial statements. Management also incorporates climate and environmental matters into its accounting judgements. Doing so has not resulted in any changes being made to key assumptions or the recognition of any environmental liabilities.

The table below shows the material IROs identified in the double materiality assessment, their position in the business model and the Group’s strategic responses to each of them:

Environment

Social and societal

Governance

3.1.4Impact, risk and opportunity (IRO) management

3.1.4.1IRO-1 – Description of the processes to identify and assess material impacts, risks and opportunities

Process for determining material matters

OVHcloud launched its double materiality assessment process at the start of the 2025 financial year, in accordance with the guidelines laid down by EFRAG (European Financial Reporting Advisory Group, May 2024 version), with the support of a specialised external firm.

The double materiality assessment was carried out following a specific process established internally by OVHcloud and in application of the rules defined by ESRS 1. The Group has taken into account the list of sustainability topics addressed by the ESRS 1 standard, Annex A, AR 16, down to the level of granularity of the sub-sub-topics as defined by the standard. Certain sub-topics have been excluded because they are not relevant to the Group's activity (animal welfare, extraction of marine resources, ecosystem services). Others, not covered by the ESRS 1 framework but relevant to OVHcloud's activity, have been identified (cybersecurity, data sovereignty and digital access).

The topics and sub-topics have been identified taking into account the Group's business through an in-depth study of the URD, internal documentation and interactions on specific and complex business topics while respecting the regulatory framework of EFRAG, the Global Reporting Initiative (GRI) and the Sustainability Accounting Standards Board (SASB). This has been applied to the Group's value chain, taking into account all of the Group's locations. 20 matters emerged from this first stage of analysis. They are consistent with the 24 matters identified in the previous materiality matrix. All the topics were covered. New matters linked to the ESRS framework have been added to this study: environmental pollution, biodiversity and ecosystems, working conditions and respect for the fundamental rights of workers in the value chain.

Process for determining IROs

Each matter has been broken down into impacts, risks and opportunities, based on a holistic approach to the cloud business and a study of the relevant topics for players in the sector. The nature of the Group's activities, its business relationships and its geographical presence have been taken into account.

The IROs have been detailed through a review of previous non-financial performance statements, internal documentation, sector research and sector issues.

An initial validation phase was launched to allow the panel of experts to assess their relevance and accuracy. They were then partly reformulated to better reflect the Group's activity. 140 IROs were studied and then validated or reformulated to arrive at a set of 134 IROs used for the final assessment (74 impacts and 60 risks and opportunities).

Consultation with external stakeholders

OVHcloud has not directly involved any external stakeholder in the double materiality analysis. This choice was justified by the short timescale for adoption of the standard and its analysis, and by the fact that stakeholder input in 2022 was still considered relevant (see 2024 URD – 3. Materiality analysis and CSR risk assessment). The Group has opted for the "expert" approach, mobilising in-house specialists in each topic to carry out the IRO assessment.

Evaluation of IROs

A project team has been appointed to lead the roll-out of the CSRD, comprising the Strategy, Non-Financial Control and Audit and Internal Control Departments.

• The IROs were analysed and assessed by a dedicated panel of experts:
  • considering the impact of the Group's activities and its value chain on society and the environment;
  • considering the impact of society and the environment on the Group's risks and opportunities. As part of the financial assessment, dependencies on raw materials and human resources were taken into account in the formulation, rating and justification of the IROs;
  • in terms of actual or potential impacts, in accordance with ESRS 1. Regarding the probability of occurrence criterion, the actual impacts were immediately rated as "certain".
• This assessment was carried out taking into account the nature of the Group's activities:
  • on its upstream value chain: the assessment considers direct suppliers as well as the activities of raw material suppliers located in regions such as Asia or Africa;
  • on its own operations: the Group considered all its entities and adapted the scope and activities concerned according to their relevance to the topics analysed;
  • on its downstream value chain: the Group considered its entire downstream value chain in all its diversity.

This approach resulted in a relevant and targeted view of the sustainability matters facing the Group's business and its environment.

The IRO assessment was carried out on a gross basis, which means that the impacts, risks and opportunities were assessed without taking into account the prevention, remediation and mitigation measures implemented.

The criteria used to rate impacts are based on the principles defined by the United Nations Guiding Principles on Business and Human Rights and the Organisation for Economic Co-operation and Development (OECD) Guidelines for Multinational Enterprises.

Positive and negative impacts

In the impact materiality assessment, impacts were described as either 'positive' or 'negative', but never both. Negative impacts are actual or potential effects generated by the Group’s operations or value chain that could cause harm to the environment, human rights or other stakeholders. Conversely, positive impacts refer to the intentional or structural contributions made by the Group to resolve sustainability matters, such as the climate transition or social inclusion.

Process for rating IROs

The materiality score was determined as follows:

• impact materiality = severity x likelihood x long-term severity;
• financial materiality = short- or medium-term financial impact x probability x long-term severity.

Impact materiality

In accordance with ESRS 1, for impact materiality, OVHcloud assessed the severity score by multiplying three criteria: scale, scope and reversibility.

Criteria weightings (coefficient 1.5) were applied to:

• impact “scale”:
• this methodological choice is explained by the estimation of the scale, which has been the subject of particular attention by the OVHcloud teams (particularly in relation to the “scope”, which is more difficult to estimate with regard to the value chain and the location of activities);
• impact “reversibility”:
• this methodological choice is explained by the heightened seriousness of an impact that cannot be reversed, whatever its scale or scope. This principle is based on the guiding principles of the OECD and the United Nations, and has been taken up by the ESRS Application Guide of the French Accounting Standards Authority (Autorité des Normes Comptables).

To calculate the final scores, a rating from 0 to 4 (4 being the most severe) was assigned according to a criticality scale from the weakest or most restricted to the most serious or extensive. Each rating was based on the expertise of the contributors, available studies and an assessment of the associated societal impacts. The assessments may be reviewed at a later date in the event of material changes in the Group and its practices.

Likelihood has only been assessed for potential impacts. It has been assessed using ratings on a scale of 2.5 to 4 (2.5 being 'unlikely' and 4 being 'very likely or certain') for impact materiality and financial materiality in order to keep the emphasis on impact severity and the short- to medium-term financial effects of risks and opportunities.

A long-term severity weighting has been applied to each IRO to take into account changes in impact severity and financial scale over the long term.

The time horizons are those described in Section 3.1.1.2 of this document, BP-2 – Disclosures in relation to specific circumstances.

Financial materiality

In order to assess financial materiality, OVHcloud defined the risks and opportunities that the Group could encounter as a result of the impacts defined in the assessment, alongside dependencies and various external risks (climate-related hazards, changes in regulations, etc.). These were scored on a scale of 0 to 4 (with 4 being the most severe) assessing the extent of the financial impact on items such as EBITDA (Earnings before interest, taxes, depreciation and amortisation) or cash impact. Probability of occurrence is also rated from 2.5 to 4 in order to keep the focus on the financial effects assessed. Everything was weighted by long-term severity. The evaluation is based on a qualitative and quantitative assessment carried out jointly by experts from the Finance Department and the panel of experts on the Group’s ESG topics.

Methodological details

The score for each IRO was calculated using an average of the criteria on a scale of 0 to 4. Materiality thresholds were defined: 2.75 for impact materiality and 2.25 for financial materiality. IROs with a score that is strictly greater than or equal to these thresholds are considered material. At the end of this work, 48 IROs were determined as material: 26 impacts and 22 financial risks and opportunities.

Links with internal control procedures

The Risk and Internal Control Department participated in each stage of the double materiality assessment. Particular attention was paid to ensuring consistency between the results of the double materiality assessment and the overall risk map.

3.1.4.2IRO-2 – Disclosure Requirements in ESRS covered by the undertaking’s sustainability statement

The cross-reference table can be consulted in Section 3.7 – Appendices of this document.

3.2Environment

3.2.1ESRS E1 – Climate change

At the forefront of the sustainable cloud, since its creation, OVHcloud has integrated sustainability at the heart of its business model by developing industrial innovations to limit its environmental impact. During the 2025 financial year, OVHcloud pursued its climate performance trajectory. On the strength of its commitment to the SBTi, OVHcloud is making climate change mitigation an important part of its Group strategy.

3.2.1.1GOV-3 – Integration of ESG-related performance in executive compensation

OVHcloud has included environmental criteria directly linked to the achievement of its ESG objectives into executive variable compensation (see Sections 3.1.2.3 – GOV-3 – Integration of sustainability-related performance in incentive schemes and 4.5 – Compensation and benefits in Chapter 4 of the URD).

3.2.1.2SBM-3 – Material IROs and their integration into strategy and business models

The table below lists the IROs related to climate change that OVHcloud estimated as material during the double materiality assessment:

Among the risks identified in the double materiality assessment:

• two physical risks:
  • extreme physical or climatic event causing disruption (or even interruption) to the Group's growth due to a supply shortage in the upstream value chain,
  • extreme physical or climatic event (excluding access to water) causing disruption (or even interruption) to datacenter operations, resulting in reputational damage, loss of revenue and increased costs (penalties, infrastructure repairs);
• one transition risk:
  • reinforcement of local regulations on climate change adaptation, generating costs (e.g., investment in infrastructure adaptation).

In its assessment, OVHcloud takes into account the environmental realities associated with its business model, including external requirements to reduce greenhouse gas emissions and how climate change-related risks affect its business and its value chain. The risks associated with climate change include natural disasters and extreme climatic events, as well as the tightening of regulations governing companies as they adapt to climate change. In this context, a climate risk assessment was carried out based on the analysis of climate risk scenarios described below.

Analysis of climate risk scenarios for OVHcloud

In 2024, OVHcloud carried out a climate risk analysis across all its industrial sites (datacenters and assembly centres), as well as the Roubaix and Croix offices (they share buildings with industrial sites).

The latter, carried out by an external body, uses a climate risk analysis to assess the physical risks for four climate change scenarios mentioned by the IPCC (Intergovernmental Panel on Climate Change), as well as the regional loss experience over four different time horizons (2030, 2040, 2050, 2100), according to which risks may vary (for example, the frequency of heatwaves increasing from 2030, and marine submersion in 2100). The four scenarios, known as SSPs (Shared Socio-economic Pathways), are as follows, ranging from the least risky to the most risky:

• Scenario SSP1-2.6: the scenario describes a future focused on sustainable development, with a global transition to clean energy, reinforced governance and low-carbon lifestyles. CO₂ emissions are falling, limiting warming to around 1.8°C by 2100 compared with the pre-industrial era. This scenario significantly reduces the intensity and frequency of extreme weather events compared with warmer trajectories, while remaining in line with the Paris Agreement.
• Scenario SSP2-4.5: this scenario extends current socio-economic trends, with moderate growth, slow technological progress and persistent inequalities. CO₂ emissions are expected to remain stable until 2050 and then decline, leading to an average global warming of around +2.7 C by 2100 compared with the pre-industrial era. The challenges are medium to high in terms of mitigation and adaptation.
• Scenario SSP3-7.0: a scenario marked by a resurgence of nationalism, low investment in education and technology, and slow and unequal economic growth. In this scenario, GHG emissions are set to double between now and 2100, leading to global warming of around +3.6 C to +4.6 C. The challenges for mitigation and adaptation are very high.
• Scenario SSP5-8.5: intensification of energy-intensive lifestyles, fuelled by massive use of fossil fuels, while benefiting from strong growth and technological progress. In this scenario, CO₂ emissions are already set to double around 2050, and could triple by the end of the century, with global warming reaching around +4.4 C by 2100 (between +3.3 C and +5.7 C depending on the model). Despite high adaptive capacity, the absence of climate policies makes this scenario very risky.

Potential expected effects of the physical risks associated with climate change

Depending on the scenarios, their time horizon and their severity, the potential exposure to physical risks would be the following:

• regarding extreme natural disasters: an increase in events such as floods, droughts, forest fires, cyclones and tsunamis, which can damage infrastructure and disrupt operations;
• regarding resource shortages: risks of occasional or permanent shortages impacting operations and, consequently, a potential tightening of regulations (stricter standards on energy management, water use and eco-design).

These climatic impacts can subsequently lead to potential financial risks such as:

• increased investment: the regulatory environment becomes more complex in terms of environmental standards and compliance, requiring additional resources to ensure compliance;
• increased operating costs: for example, heat waves can increase the operating costs of cooling systems. This phenomenon also impacts the sites as regards maintaining good working conditions for the Group's employees;
• disruption of services: inability to provide services in accordance with contractual conditions, resulting in financial compensation or additional costs;
• shortages of raw materials: climate change may cause shortages, making raw materials more expensive.

3.2.1.3IRO-1 – Description of the processes to identify and assess material IROs

OVHcloud identified climate-related material IROs as part of its double materiality assessment, as described above.

As part of its assessment and evaluation of physical risks, the Group relied on historical data, mainly on optimistic and sometimes more pessimistic scenarios, which predict an increase in the frequency and intensity of extreme weather events such as floods, droughts, forest fires, cyclones, etc., that could damage physical infrastructures and disrupt the Group's operations or have a negative impact on its value chain. Scenario SSP1-2.6 was also taken into account in the context of a financial risk generated by the strengthening of environmental regulations causing additional costs.

For the purposes of climate change mitigation, the SSP1 and SSP2 scenarios were considered. Materiality was established by taking into account the level of GHG emissions as they currently stand, without any means of remediation and with a business-as-usual approach. As a topical issue, the environmental impact of datacenters and their emissions is inevitably a key topic for the Group.

With regard to energy, due to the impact of datacenters on energy appropriation – particularly with the growth of generative AI (artificial intelligence) – the Group identified two negative impacts both for its own operations and for its value chain.

3.2.1.4E1-1 – Transition plan

3.2.1.4.1Mitigation plan

OVHcloud is putting GHG emissions reduction at the heart of its ambitions, by focusing on three main priorities:

• reduction of compressible emissions by 2030;
• involvement of the ecosystem: partners, customers, suppliers and employees in a process to reduce their carbon footprint;
• contribution to increasing carbon sinks for all residual emissions.

OVHcloud developed a short-term strategy leading to the objectives described above. These objectives have been developed by incorporating the resources required to achieve them into the Group’s business plan.

Basis of analysis

The carbon footprint established in 2022 (baseline year) was verified by an external body.

OVHcloud has been committed since 2023 to a process following the SBTi, an international benchmark that helps organisations to align their decarbonisation strategy with the pathway defined by the Paris Agreement.

The SBTi deemed OVHcloud's two near-term objectives, established according to a specific sectoral pathway (softwares & services), as being compatible with the 1.5°C global objective.

The reduction in compressible emissions is reflected in the near-term commitments made and validated by the SBTi at the end of 2024.

The main reduction objectives are presented below:

Exclusion or non-exclusion of the EU Paris-aligned Benchmarks

OVHcloud is not engaged in activities meeting the exclusion criteria of Articles 12.1 (1) and 12.2 (2) of Commission Delegated Regulation (EU) 2020/1818 of 17 July 2020.

Locked-in emissions

OVHcloud has no locked-in emissions, as the Company's assets are mainly powered by electricity grids.

Explanation of decarbonisation levers and action plan

The main decarbonisation levers are as follows:

• decarbonising the energy mix and improving energy efficiency (scopes 1 and 2);
• purchasing more efficient equipment and implementation of circularity (scope 3).

An exhaustive list of decarbonisation levers and their implementation is presented in Section 3.2.1.6 – E1-3/E4 Actions and targets in relation to climate change policies.

Approval of the plan by the administrative, management and supervisory bodies

The near-term commitments and Group CSR policy were approved by the Group's Executive Committee and Senior Management, signatories of the SBTi commitment letter.

3.2.1.4.2Adaptation plan

In terms of adaptation, OVHcloud has prioritised adaptation to physical risks that could lead to business interruption.

These initiatives are part of a proactive approach to adapting to the impacts of climate change, thereby ensuring the sustainability of OVHcloud's infrastructure and services.

The Group implemented the “hyper resilience” program, aimed at strengthening physical security and continuity of services in the face of extreme events. This programme includes the construction of datacenters that meet enhanced security standards.

In addition, through the analysis of climate scenarios, specific action plans for each site were drawn up and presented to the risk monitoring governance body. Measures were taken to mitigate the prevailing risks in order to limit the risk of business interruption or service interruptions (hail, storms, cold weather, flooding, etc.) at the various locations where the Group's infrastructures are located. The Group also carries out risk analyses before acquiring new sites.

The Group is still studying medium- and long-term priorities for reducing its exposure to the risks quantified in the various scenarios.

3.2.1.5E1-2 – Policies related to climate change mitigation and adaptation

OVHcloud launched its approach to climate change in 2022, fine-tuning its objectives and structuring its approach by mobilising various players in the Group and its value chain. With this in mind, various Group departments are supporting this transition by developing committed policies.

The CSR policy covers all Group entities with regard to environmental topics and defines environmental targets.

The Supplier Code of Conduct and the sustainable procurement policy reinforce this approach by incorporating climate change-related criteria. The Purchasing Department requires its suppliers to reduce their GHG emissions, by prioritising low-carbon solutions and raising their employees' awareness of climate matters, and to provide OVHcloud with the necessary data to calculate its own carbon emissions accurately and within a reasonable timeframe. It also requires its suppliers to commit to improving their energy efficiency.

3.2.1.6E1-3/E1-4 – Actions and targets related to climate change policies

The table below summarises OVHcloud's actions and targets in relation to climate change:

Improve energy efficiency

Constant attention is paid to energy efficiency, particularly watercooling which is the foundation and cornerstone of the cooling technologies rolled out for over 20 years and used on a large scale. This technology eliminates the need for air conditioning in server rooms, with significant benefits in terms of cost management and reduced environmental impacts.

Direct watercooling removes heat from the most energy intensive components, such as processors (CPU, CGU), and the air (which is then cooled inside the rack using water through a heat exchanger) and removes heat from other components. The heated water is then cooled using dry cooling towers. OVHcloud stands out with its closed circuit system that reduces the leakage of fluid, and by the use of dry coolers and the absence of air conditioning in the server rooms. In addition to being very efficient in terms of water and energy consumption, OVHcloud’s watercooling technology has relatively low maintenance costs.

The deployment of the latest-generation cooling systems (5th generation) continued in 2025, enabling the infrastructure to be operated at higher water temperature regimes, with higher efficiency (partial PUE of 1.06).

The roll out of new electrical units is being accompanied by the installation of more efficient equipment (high-yield UPS or inverters, busbars).

The plan to modernise the oldest datacenters, such as RBX1 (Roubaix 1), is currently underway. This upgrade will improve the Group's energy efficiency, as the older datacenters are less energy-efficient than newer ones.

Remaining within the framework of eliminating waste, the Company's own datacenters are implementing optimised settings in rooms that are still air-conditioned (network rooms, technical rooms or battery rooms). Servers not in use are switched off to avoid unnecessary energy consumption.

Implementation of the energy performance plan, in conjunction with the French Regional Department for the Environment, Planning and Housing (DREAL – Direction Régionale de l'Environnement, de l'Aménagement et du Logement), is ongoing at Gravelines, while studies into waste heat recovery are being carried out at the Roubaix and Strasbourg sites.

A fraction of this waste heat from the IT servers is already being reused internally to:

• heat offices at the Limburg site (Germany), saving around 100,000 kWh of gas;
• preheat the Roubaix generators.

Energy performance can be assessed according to the processes implemented within the Group. The Group is constantly making strides in its energy performance, as demonstrated by obtaining ISO 50001 certification for improving energy performance and by the continuous improvement of the PUE energy performance metric. This metric stood at 1.24 at the end of FY2025 (compared with 1.26 at the end of FY2024).

This year, OVHcloud extended ISO 50001 certification to its European datacenters Erith (UK), Limburg (Germany) and Ożarów (Poland), in addition to the French datacenters, which already received the certification in previous years.

OVHcloud also contributes to the EU Code of Conduct on Energy Efficiency, with all its own operated datacenters now registered, including those in North America.

The PUE results are given below:

The IT energy consumption (consumption of electricity by IT systems) of directly operated datacenters was measured in all datacenters with the exception of the first Beauharnois datacenters (BHS). The Group deemed that this represented a relevant and representative panel. The coverage rate will naturally increase to 100% as the first BHS datacenters are upgraded in the future.

Draw up contracts regarding the supply of renewable electricity

The supply of renewable energy is a target in its own right for OVHcloud. For its directly held datacenters, the Group set itself the target of achieving 100% renewable electricity supply by 2025.

A number of Corporate Power Purchase Agreements (CPPAs) were signed to this end, including:

• in France, for 40 GWh/year, in production since 1 January 2025;
• in Germany, for 25 GWh/year, in production since 1 January 2025;
• in Poland, for 5 GWh/year, which will come into production in 2026.

OVHcloud will set up other CPPAs to guarantee its supply of low-carbon and renewable electricity.

Energy Attribute Certificates (EACs) are also acquired in the various countries in which OVHcloud operates its datacenters.

In addition to electricity, OVHcloud's datacenters consume domestic heating oil on a small scale. This heating oil is used to produce electricity as a last resort, via the emergency generators installed in the datacenters.

Domestic fuel consumption, although low, is as a result of maintenance and shutdown tests (except in the event of a power cut).

OVHcloud is gradually replacing the fossil fuel (domestic heating oil) used by its generators with HVO fuel, derived from organic waste and residues (which do not compete with food crops).

The Roubaix, Gravelines, Strasbourg and Erith datacenters are now equipped with HVO fuel.

The REF results are detailed below:

Reduce scope 1 and 2 GHG emissions

The reduction in scope 1 and 2 GHG emissions was essentially driven by the topics covered in the two previous paragraphs:

• improve energy efficiency;
• supply renewable and low-carbon energy.

Another source of GHG emissions comes from the use of refrigerants (HFCs) in datacenters. Fugitive emissions, caused by accidental leaks in air conditioning systems, are the cause.

The majority of refrigerants installed in OVHcloud's directly operated datacenters are at its oldest datacenter, RBX1. This datacenter will be upgraded over the coming years, and will be equipped with the watercooling technologies now present in the latest datacenters. This will not only improve energy performance, but also eliminate the use of HFCs, thereby eliminating the risk of leakage at the source of the problem.

More generally, particular attention is paid to complying with the Kyoto Protocol and the Kigali Amendment: using fewer and better quality HFCs (i.e., with lower global warming powers). Since 2011, the server rooms operated in OVHcloud's own datacenters have had no direct cooling, and do not rely on HFCs. Since 2020, the UPS rooms have also been cooled using watercooling. Only the battery rooms and network rooms are currently air-conditioned in OVHcloud datacenters, i.e., less than 5% of the heat to be evacuated from said datacenters.

The list of actions contributing to the reduction of scope 1 and 2 emissions is summarised below:

Monitoring of short-term target 1 (tCO2e)

Reduce scope 3 GHG emissions

As the Group's largest source of emissions in the 2022 baseline year – with more than 62,700 tCO2e – the purchase of IT components is the main item on which OVHcloud is taking action.

The carbon footprint of IT components was calculated based on data from comparative studies carried out by an independent third-party expert in sustainable IT and Green IT.

OVHcloud has since set up a process for collecting primary data from its suppliers in order to better identify these component purchases.

In 2025, the Group obtained the emission factor for 64% of its IT components from its suppliers (as a percentage of functional units).

Collecting primary data from suppliers facilitates decision-making for component purchases.

Another way of avoiding waste is to implement the circular economy for buildings and IT components. Although this part is detailed in Section 3.2.3 – ESRS E5 – Resource use and circular economy, positive external factors also contribute to OVHcloud’s carbon footprint. The rate of reused components is a good indicator for quantifying avoided emissions, since a reused component is a component that has not been purchased.

With regard to in-house equipment needed by employees, OVHcloud implemented voluntary actions, such as awareness-raising, preventive maintenance and repairs, with the aim of extending their lifespan. At 31 August 2025, around 40% of laptops given to employees were over three years old, and 65% of smartphones were more than two years old.

With regard to employee commuting, the Group introduced measures to promote soft mobility, rewarding employees who cycle or take public transport to work.

The list of actions contributing to the reduction of scope 3 GHG emissions is summarised below:

Monitoring of short-term target 2 (tCO2e/million euros)

Improve environmental transparency

Environmental labelling is a powerful tool for users to measure the impact of the products and services consumed. OVHcloud has developed a “carbon calculator”, now referred to as the Impact Tracker, to give customers a better understanding of their cloud infrastructure’s carbon footprint, and help them with their environmental transition and consumption choices. Its name change follows OVHcloud’s research work to make this tool multi-criteria (see Section 3.2.2 – ESRS E3 – Water and marine resources and Section 3.2.3 – ESRS E5 – Resource use and circular economy).

This tool is the result of a rigorous design process of developing a reliable, robust and exhaustive methodology, as well as rapid IT development. The methodology, which was audited and certified by an independent consulting firm specialising in sustainable IT, is based on LCA (life cycle analysis) principles, reference databases for environmental impact factors, such as the French Agency for Ecological Transition (Agence de l'environnement et de la maîtrise de l'énergie – ADEME) Base IMPACTS® 3.0, and the first recommendations of ADEME’s Product Category Rules for digital services. To enhance the reliability of its solutions' environmental labelling, OVHcloud has worked in collaboration with its main suppliers, the academic world (Inria) and associations (Boavizta) to improve its knowledge about the carbon footprint of their activities. The Group now has more precise data on the supply of access to energy, specifying if they are "location-based" or "market-based", and a significant proportion of its components, taking into account any retrofitting.

OVHcloud launched the first version of its carbon calculator in July 2023 for the Bare Metal Cloud range. The first enhancement for Hosted Private Cloud customers took place in the first quarter of the 2024 financial year. Barely three months after it was made available to customers, OVHcloud's carbon calculator was awarded the Green Trophy at The Big Green forum, an event dedicated to CSR. The award recognises the technical sophistication of the calculator's methodology and its comprehensiveness. OVHcloud is the first company to provide such comprehensive environmental information to its customers. Since then, the tool has been enhanced with more precise calculation elements, thanks to the dual display of emissions linked to the use phase (market-based and location-based) and also to the manufacturing phase, thanks to the inclusion of component reconditioning.

Following the production launch of the tool in 2023, and its subsequent update in 2024, OVHcloud decided to extend the portfolio of products covered by the tool. In 2025, the Public Cloud sector integrated the tool through compute and storage products. This sector represents a growing share of the Group’s revenue and a methodological challenge for the extension of the tool (the physical layer of the infrastructures is totally abstract/invisible for public cloud customers).

Accessible to customers directly from their OVHcloud space, the tool integrates the estimated power consumption of servers based on the monitoring of OVHcloud datacenters. It then maps them to their carbon emissions equivalent, taking into account cooling and network systems as well as transport, manufacturing, end-of-life and waste management, to provide a complete picture of the current carbon footprint. The results for cloud usage, which each user can download, are broken down into three emission categories:

• the manufacturing phase: upstream GHG emissions linked to the purchase and assembly of components;
• the use phase: electricity-related emissions;
• ancillary emissions: other indirect emissions such as freight and the impact of employees – known as "operations".

Below is an example of a document produced by Impact Tracker

Since it went online, the tool has generated an average of around 500 downloads per month.

OVHcloud’s aim is to establish best practices in the supply chain by ripple effect, and in particular, data-driven decision making.

3.2.1.7E1-5 – Energy consumption and mix

The table below shows the energy consumption of OVHcloud's own datacenters. This is expressed in GWh and by type of energy:

The total energy consumption of the datacenters not operated by OVHcloud is estimated at 28 GWh.

3.2.1.8E1-6 – Gross scopes 1, 2 and 3 GHG emissions

The table below shows OVHcloud’s GHG emissions statistics for each of scopes 1, 2 and 3. The year 2022 is also presented as a baseline year. It should be noted that the Group measures its GHG emissions in accordance with the GHG Protocol.

Additional metrics

Analysis of changes

Scope 1

• Scope 1 emissions amounted to 1,325 tCO2e in FY2025. Emissions have fallen since 2024 and are stable compared with 2022.
• Fugitive emissions (unintentional gas emissions) related to refrigerant (HFC) leaks are returning to 2022 and 2023 levels.
• Emissions from the vehicle fleet are stable.
• Emissions linked to the operation of emergency generators are increasing as the Group grows. These are mainly used for testing and maintenance. To date, HVO fuel has not been accounted for.

Scope 2

• Location-based: despite the increase in the Group's electricity consumption, emissions are falling due to the improved performance of France's nuclear power plants since 2024, offsetting emissions linked to growth in areas with more carbon-intensive electricity. Scope 2 location-based emissions amounted to 58,087 tCO2e.
• Market-based: purchases of EACs for the Vint Hill site in Virginia resulted in emissions reductions, compared to 2024. All the other datacenters were covered in previous years. Residual emissions, which are not covered by EACs, are due to energy consumption by datacenters that are not operated directly by the OVHcloud Group, in shared datacenters or Local Zones. Scope 2 market-based emissions amounted to 9,981 tCO2e.

Scope 3

• Category 1 (Purchased goods and services): emissions increased due to greater use of outsourced services.
• Category 2 (Capital goods): emissions decreased thanks to a purchasing policy that accounts for the carbon footprint of the IT equipment used by the manufacturers to construct the servers.
• Category 3 (Fuel and energy-related activities): location-based emissions decreased due to the increased performance of France’s nuclear power plants since 2024. Market-based emissions increased due to greater use of biomass for energy at Vint Hill.
• Category 4 (Upstream transportation and distribution): the increase in emissions is explained by the greater use of air freight this year. The Group is currently working to limit this practice by favouring sea freight, particularly for transfers between the Croix and Beauharnois sites.
• Category 8 (Upstream leased assets): emissions decreased, mainly due to a more accurate quantification of the impacts relating to the backbone of the OVHcloud network. Previously, OVHcloud extrapolated the results of a study revised in 2021 ("Report: evaluation of the carbon footprint of the transmission of a gigabyte of data on the RENATER network") and applied them to the backbone of its own network.
• This year, OVHcloud developed a new methodology, assessing the impacts associated with POPs (“Point of Presence” leases) throughout the lifecycle, terrestrial links (optical fibres) and undersea telecommunications cables separately.
• The following blog page details the methodology used: https://blog.ovhcloud.com/ovhcloud-backbone-network-environmental-impact-assessment-methodology/
• Emissions due to electricity consumption by leased offices, recorded in this category, remain stable.
• Category 11 (Use of sold products): emissions are falling thanks to the improved performance of France's nuclear power plants since 2024, reducing emissions linked to the use of products by our customers: switchboards, VOiP (Voice Over Internet Protocol), modems.

The other categories are stable.

Overall, scope 3 emissions were down by more than 9% on the base year, and by 36% in GEVA.

3.2.2ESRS E3 – Water and marine resources

3.2.2.1IRO-1 – Description of the processes to identify and assess material IROs

The material IROs regarding water are as follows:

Water use is an essential part of OVHcloud’s activities. The watercooling technology developed by the Group helps to reduce its environmental impact thanks to its watercooling system.

• The main OVHcloud processes that have an impact on freshwater are:
  • water withdrawals for all activities;
  • consumption for cooling server rooms (watercooling), particularly when outside temperatures are high (>27°C), OVHcloud uses evaporative cooling, which consists of humidifying air to improve the efficiency of heat exchange.

Stored and recycled water was not identified as having a material impact. The water stored at OVHcloud, which does not represent a significant amount, comes from sprinkler tanks (automatic extinguishing system), as well as cooling circuits which do not involve stored water (see Section 3.2.2.4 – E3-4 – Water-related metrics).

As part of its double materiality assessment, OVHcloud studied the impacts and/or risks of its water use, particularly in its server rooms and in the upstream value chain supplying its production process.

• Three IROs were identified as material:
  • two negative impacts linked to water appropriation on the Group’s own operations and on the upstream value chain (physical risk);
  • a risk linked to the tightening of regulations (transition risk) which could lead to restrictive measures on water withdrawal.

The Group is therefore dependent on the availability of freshwater resources and relevant ecosystem services.

In the upstream value chain, the impact on water resources is mainly linked to the extraction of raw materials and the transformation processes used to manufacture components. Dependence on water is also significant in the energy production sector.

3.2.2.2E3-1 – Policies related to water and marine resources

OVHcloud’s CSR policy governs the use of water in all OVHcloud consolidated entities (see Section 3.2.5 – Methodological note for assessing the environmental footprint).

The CSR policy sets out the objectives of reducing water consumption in datacenters and facilities by using and developing efficient cooling systems that limit water consumption. Studies are underway to quantify the use of water in the value chain.

Entities in water stressed areas

The Group identifies sites located in water stressed areas. The risk of water stress is assessed by the Group’s Environmental Department. This assessment is based on the World Resources Institute (WRI) Aqueduct Water Risk Atlas, which provides a framework for measuring and mapping water risks. The Group uses categories 3 and 4 (corresponding to high and very high stressed areas) to identify its entities situated in water stressed areas.

According to this benchmark, the Group has three industrial sites located in water stressed areas (Roubaix, Erith (United Kingdom), Vint Hill (United States – Virginia)). These sites are governed by OVHcloud’s CSR policy on water, which aims to improve and optimise the use of freshwater resources. The water consumption associated with these sites is presented in Section 3.2.2.4 – E3-4 – Water-related metrics.

3.2.2.3E3-2/E3-3 – Actions and objectives related to water and marine resources

Innovate in watercooling

OVHcloud is a pioneer in optimising datacenter water consumption. In 2023, the Group celebrated 20 years of innovation in its datacenters thanks to its proprietary watercooling technology for cooling servers with water.

In FY2025, particular attention was paid to increasing the temperature difference (Delta T) between the hot and cool plates of the watercooling loops. There are many advantages to operating at higher temperatures:

• a smaller footprint (in sq.m/kWh) for the datacenter, thanks to fewer dry coolers;
• a lower overall carbon footprint;
• a better energy performance metric (partial PUE), PUE restricted to the targeted sub-system;
• an improved WUE (Water Usage Effectiveness);
• lower investment and operating costs.

The Research and Development Department is currently working on smart and automated systems to achieve these objectives.

Deploy more efficient water use systems

In 2025, OVHcloud deployed new cooling systems in its newest Roubaix datacenter, RBX10. OVHcloud also made improvements to its existing systems in Beauharnois (BHS8) and Roubaix (RBX8).

These improvements consisted in transitioning towards a cooling technology using wet media with a water recycling tank on air heaters.

In addition, the operating points of all the datacenter air heaters were adjusted to guarantee optimised air heater settings.

As a result of these adjustments, the Group’s WUE for 2025 was reduced to 0.34 L/kWh (compared to 0.37 L/kWh for 2024).

The Group will accelerate the roll out of new, more efficient cooling systems in order to reduce WUE over the coming years.

At the Roubaix site, civil engineering work was carried out to create buffer tanks. These buffer tanks serve several purposes:

• separate networks (wastewater and rainwater) for compliance reasons;
• buffer rainwater to avoid overloading the downstream wastewater treatment plant (in the event of a record rainfall, to prevent it reaching saturation point);
• completely isolate the site’s effluents (in the event of an accidental spill or fire extinguishing water, for example) to prevent it from ending up in the natural environment.

This work is part of the Group’s hyper resilience plan.

Identify the water footprint of the Group’s value chain

From FY2026, OVHcloud will implement information collection measures to estimate the water footprint of products and services purchased, in order to better identify and assess its upstream value chain.

Improve environmental transparency

Following the development and availability of the Impact Tracker (see Section 3.2.1 – ESRS E1 – Climate change), as environmental impact is multi-criteria, OVHcloud wanted to extend this quantification to other criteria such as water or abiotic resources. Impacts on the marine environment are considered material in the double materiality assessment given the technology used by the Group (watercooling).

Given the complexity of the issue, as water consumption upstream in the value chain is difficult to quantify, OVHcloud commissioned a consultancy firm specialised in reducing the environmental impact of digital services to provide methodological assistance.

Reliable data was obtained from reference databases such as ResilioDB, which was also used as part of the PCR (Product Category Rule) Cloud & Datacenters pilot case study conducted by ADEME.

The aim for OVHcloud is to quantify how the use of cloud services contributes to water scarcity, to establish best practices in the supply chain by ripple effect, and in particular data-driven decision making.

The concept of "contribution to water scarcity" incorporates spatial and temporal notions, depending on the areas and periods of consumption.

The extension of the Impact Tracker tool to cover the water footprint should be available in 2026.

3.2.2.4E3-4 – Water-related metrics

These metrics apply to datacenters directly operated by the Group, with the exception of BHS1-7 at the Beauharnois site (see Section 3.2.5 – Methodological note for assessing the environmental footprint)

OVHcloud does not have any measurements for the water that returns to the watershed, so OVHcloud considers that all withdrawn water is consumed.

OVHcloud does not store water, with the exception of certain fire-fighting systems (water is then stored in tanks with volumes of around 100 cu.m. This water is only intended to be used in the case of fire).

OVHcloud uses water in the closed cooling circuits to transport heat from the servers to the outside world (the water circulates in the closed circuit, the volume of which does not exceed 10 cu.m; this water is only replaced when the physico-chemical parameters are damaged).

The quantity of water stored is non material. Water withdrawals, whether "stored" or not, are included in the total water withdrawal metric.

3.2.3ESRS E5 – Resource use and circular economy

3.2.3.1IRO-1 – Processes to identify material IROs

The Group is exposed to a number of significant risks associated with the use of components in its production chain that are derived from non-renewable raw materials (such as metals and rare earths and minerals). The gradual scarcity of these resources, accentuated by growing world demand, is leading to tensions on the markets, which could result in shortages, production interruptions or an increase in measures to protect these resources.

• In this context, OVHcloud identified:
  • a negative impact on the use of raw materials contributing to the depletion of resources;
  • two risks relating to resource scarcity causing potential business disruption in our own operations or in the value chain;
  • an opportunity linked to the reuse of materials and components.

These material IROs are shown below:

3.2.3.2E5-1 – Policies related to resource use and circular economy

The commitments regarding the use of OVHcloud resources can be found in the CSR policy.

With regard to the use of resources, the policy explains how the Group is adopting an integrated circular economy strategy aimed at reducing its environmental footprint by extending the lifespan of its equipment. The Group has full control over its production chain and has defined its approach to the reuse of components in this document.

This circular approach also applies to the reuse of components and the renovation of buildings. Historically, OVHcloud has installed its datacenters in former brownfield sites that the Group restores and rehabilitates.

Lastly, the Group is committed to the issue of outgoing resources, demonstrating its commitment to the sustainable use of resources with a view to circularity.

3.2.3.3E5-2/E5-3 – Actions and objectives related to resource use and the circular economy

All the actions and targets implemented by OVHcloud are summarised in the table below:

Take a circular approach to buildings

Buildings – particularly industrial buildings – are the first physical and material layer of the Group and of the intangible services provided by OVHcloud, (production of IT servers and datacenters), and are mainly subject to a circular approach.

The table below lists the datacenters directly held by OVHcloud and their origins:

Roubaix, France: OVHcloud’s first site in chronological order, this former textile, chemical and metallurgical industrial site was transformed into a datacenter campus. It is also the OVHcloud headquarters.

Beauharnois, Canada: formerly a Rio Tinto aluminium plant, this site assembles all the servers for North America. Powered by green energy from the nearby Hydro-Québec plant, it can produce up to 1,000 servers a week, including OVHcloud’s customised watercooling system.

Gravelines, France: formerly a can production site for Rexam, in 2013, it was transformed into one of OVHcloud’s largest datacenters, housing a highly secure SecNumCloud zone.

Limburg an der Lahn, Germany: located near Frankfurt, this site was once a printing works. Opened in 2016, it became OVHcloud’s 21st datacenter and has since been expanded.

Erith, UK: this site, opened by OVHcloud in 2016, was originally a Mercury Communications switching centre subsequently acquired by One2One/T-Mobile.

Ożarów Mazowiecki, Poland: located near Warsaw, this former logistics warehouse became OVHcloud’s first datacenter outside the French-speaking area in 2016.

Vint Hill, United States: the site has a long military history and was used as an NSA (National Security Agency) facility back in 1942. It is now home to an OVHcloud datacenter.

Hillsboro, United States: inaugurated in 2017, this building was long used as an electronic piano factory before being converted into a datacenter.

Croix, France: formerly a hygiene products factory, this European facility is home to a skilled workforce that assembles servers and is assisted with the help of laser machines to automatically cut and bend parts. OVHcloud has built a small datacenter here for magnetic tapes.

Milan, Italy: in 2025, OVHcloud announced the opening of a new datacenter near Milan. Like the buildings mentioned above, the building has a long history in the telecommunications sector.

OVHcloud is also preparing to renovate its own buildings. Over the next few years, the RBX1 site, the first datacenter on the Roubaix campus, will be modernised to accommodate the best technologies available.

Objective linked to the circular approach

OVHcloud's target for monitoring resource use is the building reuse rate or brownfield rate. This rate is defined by the number of non-new buildings divided by the total number of buildings among OVHcloud’s own datacenters.

OVHcloud is aiming for a rate of 90% of reused buildings, among its own datacenters, with the construction of new buildings being the exception rather than the rule, thus demonstrating its ability to adapt and be agile in rolling out datacenters. This rate was 87% in 2025 (27 non-new buildings out of a total of 31 buildings).

Vertical integration and a circular, resilient approach to IT server production

OVHcloud is a global provider of digital infrastructures, which operates its datacenters and designs and assembles its own servers. This vertically integrated model has allowed the Group to optimise its industrial process by integrating innovations at scale (strengthening existing capacities) for over 20 years, such as the proprietary watercooling technology in its datacenters, or by applying the principles of circularity and resource efficiency. This allows for a better management of environmental impacts at each level of the value chain. OVHcloud is determined to continue to innovate and develop its industrial model to encourage sustainability.

Crises such as the COVID-19 pandemic and the Russia-Ukraine conflict have highlighted the vulnerabilities of supply chains and dependencies in terms of access to resources. Faced with these external factors, OVHcloud's integrated industrial model is confirmed to be an asset. It allows optimal control of its supply chain, thus reinforcing its autonomy and resilience capacity, while offering its customers incomparable guarantees in terms of service continuity. The Group is able to choose and check all of its components, thereby guaranteeing quality down to the smallest components, while achieving economies of scale and recycling internally.

OVHcloud’s circular approach is fully embodied in its integrated industrial model, through which the Group operates its own datacenters and manufactures its servers. This approach is unique on the market. Since its inception, OVHcloud has been committed to reducing its environmental impact at each stage of the server life cycle, through the design and construction of its datacenters and servers, the recycling of components and extending the lifespan of its hardware.

In line with the optimisation and management of its server life cycle, OVHcloud set up a reverse supply chain in 2009, which optimises the lifespan of its servers.

• Design: OVHcloud designs and manufactures its own servers at its two sites in Croix (France) and Beauharnois (Canada). Servers are designed to be entirely dismantled. They are equipped with dedicated components, selected to be easily reused.
• Reuse: the Group manages to extend the lifespan of its infrastructures, servers and components by reusing them. 100% of servers are disassembled after use and their components are rigorously tested to give them a second life, either in a circuit or through external recycling and recovery. The use of refurbished components in the Group’s servers extends their lifespan to an average of almost five years (and up to nine years), avoiding part of the carbon emissions linked to their manufacture. In 2025, the reused components rate was 17%, compared to 27% in 2024. This relatively low rate is mainly due to the launch of new ranges in the 2025 financial year, which require more new components.

The industrial circular approach provides agility in server design and the possibility of adjusting to supply tensions, by adapting product classifications according to the availability of components from suppliers and internally thanks to the reuse of refurbished components.

The circular approach adopted by the Group is also reflected in its desire to extend the lifespan of IT equipment. In 2007, OVHcloud created a range of machines at reduced prices, guaranteeing a new commercial life for servers. In 2025, the eco ranges (Kimsufi, SoYouStart, Rise) accounted for more than 100,000 servers delivered to the Group’s customers, representing around a quarter of installed servers.

Objective linked to resource use

OVHcloud’s target for the use of resources relates to the reuse rate of IT components.

It is defined by the amount of second-life IT components for the annual production of IT servers divided by the total quantity of IT components for the annual production of IT servers.

OVHcloud aims to maintain this rate at 25% or more. This rate is, however, subject to change depending on the Company’s component requirements.

Manage output and waste

In 2024, the Group took stock of its waste in order to accurately classify waste and optimise its treatment: the quantity of waste produced represented a mass of 846 tonnes in 2024, 12% of which was sent to landfill. In 2025, the Group generated 701 tonnes of waste, 10% of which was sent to landfill.

OVHcloud is aiming for zero landfill waste from its own industrial sites.

In order to significantly reduce this proportion, OVHcloud is taking action in several areas:

• aligning sorting across all Group sites with best practices, in particular by introducing sorting options at all sites;
• managing or changing service providers to improve waste processing;
• partnering with companies specialised in the recycling of electronic waste (TN Industrie in France, Quantum Recycling in Canada), with a view to upgrading non-repairable and non-reusable electronic boards and, recovering precious and strategic metals;
• ongoing search for partnerships with recycling companies.

In terms of output, close attention is paid to IT components:

• components in good condition are valued on the secondary market for reuse. In this respect, they are not considered to be waste;
• components that cannot be repaired or reused are sold for the purpose of reusing materials, and are therefore considered to be waste.

The weight of components valued on the secondary market (for reuse) is estimated at 27 tonnes for FY2025.

The weight of components sold for recycling (for material recovery) is 21 tonnes for 2025.

Improve environmental transparency

Following the development and availability of the Impact Tracker (see Section 3.2.1 – ESRS E1 – Climate change), OVHcloud wanted to extend this quantification to other environmental criteria including mineral resources.

Given the complexity and depth of the topic, as the use of minerals upstream in the value chain is difficult to quantify, OVHcloud commissioned a consultancy firm to provide methodological assistance.

Reliable data was obtained from reference databases such as ResilioDB, which was also used as part of the PCR Cloud & Datacenters pilot case study conducted by ADEME.

The aim for OVHcloud is to quantify the extraction and use of mineral resources through the use of cloud services, and to establish best practices in the supply chain by ripple effect, and, in particular, data-driven decision-making.

The extraction and use of mineral resources is measured in kgSbeq (kilograms of antimony equivalent: a metric that measures the quantity of mineral and metallic resources removed from nature as if they were antimony).

The extension of the Impact Tracker tool to cover mineral resources should be available to the Group’s customers in 2026.

3.2.3.4E5-4 – Metrics related to resource inflows

Description of resource inflows

OVHcloud is a digital service provider and does not sell any hardware products on the market.

Similarly, OVHcloud does not transform raw materials but assembles semi-finished products, so it is complex to express incoming resources in the form of quantified raw materials.

For resources in 2025, OVHcloud therefore focused on IT components, the heart of its industrial activity.

• The flow of resources is illustrated as follows:

• The resources covered in the diagram are the main IT components:

• CPU (central processing unit);
• RAM (random access memory);
• Electronic cards;
• HDD (hard disk drive);
• SSD (solid state drive);
• PSU (power supply unit).

3.2.4European Taxonomy

Classification of activities according to the European regulatory framework to define environmentally sustainable economic activities (Green Taxonomy)

General context

The Taxonomy Regulation is a key element of the European Commission’s action plan aimed at redirecting capital flows towards a more sustainable economy. It represents an important step towards achieving carbon neutrality by 2050, in line with the EU’s objectives, as the Taxonomy is a classification system for environmentally sustainable economic activities.

The section below presents, as a non-financial parent company, the proportion of the Group’s revenue (turnover), capital expenditure (capex) and operating expenses (opex) for the financial year ended 31 August 2025, associated with economic activities eligible for the Taxonomy in accordance with Article 8 of the Taxonomy Regulation and Article 10 (2) of the Delegated Act supplementing Article 8 of the Taxonomy Regulation.

For the 2025 financial year, OVHcloud was required to disclose the alignment of the Group’s activities under the six environmental objectives with the following targets: climate change mitigation (“CCM”), climate change adaptation (“CCA”), sustainable use and protection of water and marine resources (“WTR”), transition to a circular economy (“CE”), pollution prevention and control (“PPC”) and protection and restoration of biodiversity and ecosystems (“BIO”).

OVHcloud has analysed the technical criteria of the activities presented below according to EU regulation 2021/2139 amended by EU regulations 2023/2485 and (EU) 2023/2486 dedicated to the four environmental objectives. The Group has taken account of the various interpretations and frequently asked questions (FAQs) published by the European Commission, in particular those dated 19 December 2022 and 28 November 2024.

Summary of European Taxonomy indicators

On the basis of the analyses carried out, a significant proportion of the Group's activities is eligible for the Taxonomy under Activity 8.1 “Data processing, hosting and related activities” described in Annex I of the Delegated Act on the climate change mitigation (“CCM”) target and Activity CE 5.5“Product-as-a-service and other circular use- and result-oriented service models contributing to the objective of transitioning towards a circular economy”

The eligible and aligned proportions under Activity CCM 8.1 “Data processing, hosting and related activities” of the three financial indicators required by the text – revenue, capex and opex – are presented below on the basis of consolidated IFRS data for the financial year ended 31 August 2025.

Table 1 – Proportion of economic activities eligible and aligned for the Taxonomy in the Group’s revenue, capex and opex – Activity CCM 8.1

The proportion of revenue eligible for the Group's datacenter activities (CCM 8.1) increased by one point compared with the previous financial year and those for capex and opex climbed by 4 and 3 points respectively.

The alignment of revenue, capex and opex improved by 1, 4 and 3 points respectively. The datacenters aligned in the 2025 financial year remain the same as those in the previous financial year.

Since the same servers were used in both instances, the eligibility of Activity CE 5.5 "Product-as-a-service and other circular use- and result-oriented service models" is identical to that of Activity CCM 8.1.

No alignment was validated for this financial year, notably due to the complexity of the DNSH 5 pollution-related validation criteria.

Determination of OVHcloud's economic activities eligible for the European Taxonomy

The term “economic activity eligible for the Taxonomy” refers to any economic activity described in the delegated acts supplementing the Taxonomy Regulation, whether or not it meets some or all of the technical review criteria set out in these delegated acts.

In order to carry out its analysis, the Group took into account all of the delegated acts describing the Taxonomy activities, namely:

• the "Climate Delegated Act" (EU 2021/2039) published in April 2021, specifying the technical environmental screening criteria for the first two climate objectives; and
• the "Environment Delegated Act" (EU 2023/2486) published in June 2023, which sets out the economic activities relating to the four other environmental objectives.

The Group’s eligible economic activities have been analysed on the basis of OVHcloud’s service offerings (as detailed in Chapter 1 of this Universal Registration Document) and have been assigned to the following economic activities, in accordance with the six environmental objectives of the Taxonomy.

At the beginning of previous financial years, a significant proportion of the Group’s activities was considered eligible under Activity 8.1 “Data processing, hosting and related activities” for the climate change mitigation target. Offerings based mainly on services for the provision of storage capacity (“hosting”) meet the description of this activity. The following offerings are therefore considered eligible:

• Private Cloud offerings (Bare Metal Cloud and Hosted Private Cloud) in their entirety, corresponding to offers for the provision of either dedicated physical servers or cloud capacities running on dedicated physical servers (see Section 1.3.1.1 of this Universal Registration Document for more details on the solutions proposed by the Group);
• Public Cloud offerings in their entirety (see Section 1.3.1.2 of this Universal Registration Document for more details on the solutions offered by the Group). The PaaS and SaaS solutions offered by OVHcloud and hosted directly on the Group’s infrastructures are considered eligible insofar as OVHcloud has control over the physical equipment and can act on its energy efficiency;
• “Web Cloud & Other” offerings only for the “Web hosting” and “Services” part, corresponding to the hosting of customer websites on the Group’s physical servers and the assistance necessary for the proper functioning of the equipment and compliance with the Group’s commitments under all of its offerings (see Section 1.3.1.3 of this Universal Registration Document for more details on the solutions proposed by the Group). Offerings or solutions relating to domain names, telephony and connectivity are not considered eligible to date because they are not directly related to the physical servers.

In general, all the solutions offered by OVHcloud, hosted directly on physical servers belonging to the Group or directly controlled by the Group, were deemed eligible for the European Taxonomy under Activity 8.1 of the climate change mitigation target.

When considering the climate change adaptation objective ("CCA"), CCA Activity 8.1 “Data processing, hosting and related activities” is not considered to be an enabling activity by Annex II of the Climate Delegated Act. For this reason, OVHcloud cannot consider the revenue relating to this activity as eligible, as set out in the Eligibility FAQ of 2 February 2022.

Under the transition to a circular economy objective, the Group is eligible for Activity CE 5.5 “Product-as-a-service and other circular use- and result-oriented service models.” This consists of providing customers with access to products by means of service models. OVHcloud provides its customers with access to computer servers, which they can use. OVHcloud’s offerings eligible under Activity CCM 8.1 are therefore also eligible under CE 5.5.

OVHcloud designs and manufactures its own servers at its two sites in Croix (France) and Beauharnois (Canada) for its own use, as described in Section 3.2.3 of this Universal Registration Document. The Group has therefore included CE 1.2 “Manufacture of electrical and electronic equipment” in its eligibility analysis. However, in the case of the manufacture of servers that the Group uses solely for its offerings, the capex relating to the manufacturing activity is taken into account and eligible under CE 5.5 “Product-as-a-service and other circular use- and result-oriented service models”.

OVHcloud has not identified any eligible activities linked to the objectives of sustainable use and protection of water and marine resources, pollution prevention and control, or the prevention and restoration of biodiversity and ecosystems.

The table below summarises for which environmental target the activities are considered eligible:

Determination of OVHcloud's economic activities aligned with the European Taxonomy

Unlike eligibility, which is solely based on the description of the activities, alignment takes into account the substantial contribution criteria, the "do no significant harm" principle and the minimum safeguards. For the financial year ended 31 August 2025, the alignment analysis concerns the six environmental objectives, in accordance with the Taxonomy Regulation.

With regard to Activity 8.1 “Data processing, hosting and related activities”, the Group has analysed its alignment with objective 1 ‒ climate change mitigation (CCM) and objective 2 – climate change adaptation (CCA).

Substantial contribution criteria

The Group has analysed the three cumulative substantial contribution criteria for Activity 8.1 “Data processing, hosting and related activities” with respect to the mitigation objective as follows:

Do no significant harm ("DNSH")

In order to validate the alignment of its datacenters with Activity 8.1 of the climate change mitigation objective, OVHcloud then ensured compliance with the DNSH criteria for all its datacenters meeting the substantial contribution criteria (see details above):

The alignment criteria for the CCA 8.1 Activity are similar to those for the CCM 8.1 Activity, therefore when the Group’s datacenters are aligned for climate change mitigation, they are also aligned for climate change adaptation. 

With regard to Activity CE 5.5 "Product-as-a-service and other circular use- and result-oriented service models", the Group has analysed its alignment under the transition to a circular economy objective.

Substantial contribution criteria

The Group has analysed the substantial contribution criteria as follows:

Do no significant harm ("DNSH")

In order to validate the alignment of its datacenters with Activity CE 5.5, OVHcloud then ensured compliance with the DNSH criteria for all its datacenters meeting the substantial contribution criteria (see details above):

Minimum safeguards applicable to all the Group’s Taxonomy-eligible activities

Lastly, OVHcloud has ensured that the minimum safeguards have been met. The Group has a set of policies and processes in place to ensure that it meets the Taxonomy requirements in the areas of:

• human rights and labour law (see Sections 3.3.1 – Human rights, 3.3.2 – ESRS S1 – Own workforce and 3.4.2 – ESRS G1-1 – Corporate culture and business conduct policies);
• competition (see Section 3.4.2 – ESRS G1-1 – Corporate culture and business conduct policies);
• corruption (see Section 3.4.3 – ESRS G1-3 – Prevention and detection of corruption and bribery);
• tax (see Section 2.1.2.4 – Financial risks);

The Group has put in place procedures for identifying, analysing, monitoring, evaluating and updating all the pillars.

The Group asks its suppliers to sign the Supplier Code of Conduct, which provides that human rights, and in particular the principles set out in the Universal Declaration of Human Rights, must be respected. The Group continues to analyse human rights across its entire value chain.

OVHcloud complies with the provisions of the Sapin II Act of 9 December 2016.

Lastly, the Group has not been convicted for material breaches of any of the various aspects of the minimum safeguards.

Methodology for evaluating European Taxonomy indicators

The scope considered for the estimation of the three indicators is the Group consolidated scope as defined in Note 5.5. to the 2025 consolidated financial statements presented in Chapter 5 of this Universal Registration Document.

Eligible and aligned revenue

The proportion of economic activities eligible for the Taxonomy in OVHcloud's consolidated revenue was obtained by dividing the share of revenue generated by the sale of services associated with economic activities eligible for the Taxonomy (numerator) by the net revenue (denominator), in each case for the financial year from 1 September 2024 to 31 August 2025.

Denominator

The denominator of the revenue indicator is based on OVHcloud's consolidated revenue, in accordance with IAS 1.82 (a) (see Note 4.3. to the 2025 consolidated financial statements presented in Chapter 5 of this Universal Registration Document).

Numerator

The numerator of the indicator is defined as the proportion of net revenue generated by services associated with the economic activities eligible for the Taxonomy, as described above in the paragraph “Determination of OVHcloud's economic activities eligible for the European Taxonomy” in this section. This share was estimated on the basis of OVHcloud's management reports including the level of detail necessary for direct reading.

The aligned revenue corresponds to the revenue generated by:

• Activity CCM 8.1: the datacenters that have been audited by the independent third party and certified as compliant with the Code of Conduct. On the basis of the revenue generated by these datacenters, the Group has applied the allocation key described in the previous section, "Substantial contribution criteria", in order to retain only the revenue generated by watercooled servers.

At 31 August 2025, the proportion of eligible and aligned revenue was 90% and 67%, respectively, as shown in the table below: