2021 UNIVERSAL REGISTRATION DOCUMENT

General and financial elements

2.2.2  Legal and regulatory compliance

Given the diversity of their activities and geographical locations, the Group’s companies operate within specific legal and regulatory environments that vary depending on the place where the service is provided and on the sector involved.

Laws in effect in some countries may have an extraterritorial scope that could apply to the Group’s companies.

In particular, Group companies must comply with rules relating to:

  • the terms of agreement and performance of public and private sector contracts and orders;
  • laws governing construction activities and in particular the applicable technical rules governing the delivery of services, supplies and works;
  • environmental law, commercial law, labour law, competition law, and financial and securities law;
  • personal data protection;
  • duty of vigilance and accident prevention (especially the Sapin 2 and duty of vigilance laws in France);
  • international sanctions in force, in particular by way of specific due diligence and an active regulatory watch on the regulations involved.
Risk identification

With respect to concessions, aside from the legislative, regulatory and tax policy changes that are always possible during such long-term contracts, the Group is dependent on public authorities that may, as is the case in France, have the right to unilaterally alter the terms and conditions of public service, PPP or concession contracts during their execution phase or even terminate the contract itself, subject to compensation.

In the performance of their activities, Group companies could be held civilly or criminally liable and thus suffer the financial or administrative consequences thereof. Similarly, Group executives and employees may be held criminally liable. A large share of the risks of non-compliance is therefore likely to lie primarily with senior executives and with employees to whom responsibility has been delegated, but may also lie with legal entities. The consequences may be financial (fines) or criminal penalties (conviction and/or being banned from operating).

In environmental law, the emergence of new regulations regarding climate change, such as RE2020 in France or the European taxonomy, can constitute risks with financial consequences (loss of contracts in competitive bidding, fines, impact on the profitability of projects underway), non-financial costs and damage to the Group’s reputation.

Risk management procedures

The main measures relating to legal and regulatory controls are presented in paragraph 2.3, “Respect for human rights”, page 199, and paragraph 2.4, “Business ethics”, page 201, of chapter E, “Workforce-related, social and environmental information”.

The financial risks relating to the potential invoking of the third-party liability of Group companies are covered within certain limits by the insurance policies described in paragraph 3.5, “Insurance cover against risks”, pages 170 to 171.

Owing to its ability to adapt to new regulations and track changes in standards, the Group actively monitors legal and regulatory compliance risks.

2.3 Cyber risks

Protecting VINCI’s informational capital is of major strategic importance, particularly now that all its businesses are becoming digital. Cyber risks are one of VINCI’s major concerns. The Group is constantly working to strengthen its IT system security and raise awareness among all employees.

2.3.1 Cyberattacks

New collaborative practices have made it possible to work in the office, at construction sites and remotely in a more fluid and efficient manner. In today’s hyper-connected world, those same technologies have become a source of vulnerability, because they are both essential to the Group’s operational efficiency and exposed to cyberattacks. These attacks can be very diverse and have become increasingly sophisticated. Major international groups are frequently subject to sometimes massive cyberattacks as well as fraud attempts. This trend intensified in 2021, especially during lockdown periods, during which remote working was encouraged and its use expanded considerably.

Risk identification

  • Cyberattacks: attacks on information systems
  • Data leaks: loss or disclosure of data
  • Cyberespionage: eavesdropping or theft of confidential data

Possible consequences:

  • Damage to the Group’s reputation
  • Financial loss
  • Unavailability of information systems
  • Non-compliance

Risk management procedures

In 2021, VINCI stepped up the rollout of its overall IT security policy, under the impetus of the Executive Committee member serving as the Group’s cybersecurity coordinator.

The principal activities carried out were as follows:

  • regular presentations by the Information Systems Department and the Chief Information Security Officer (CISO) to the Executive Committee on the stage of completion of projects that are part of the Group’s cybersecurity programme;
  • update of the multi-year cybersecurity plan with representatives of each of the business lines;
  • strengthening, both centrally and in the business lines, of VINCI-CERT, the Group’s computer emergency response team, whose role is to identify threats to information systems and those systems’ vulnerabilities, as well as to bring its expertise to bear in the event of a cyber incident;
  • monitoring of the application of IT system security directives, which specify mandatory security rules for each area of the information system;
  • update of VINCI’s cybersecurity radar, which measures the level of cybersecurity maturity in all of the Group’s entities;
  • standardisation and rollout of workstation securitisation and digital identity management mechanisms;
  • rollout of numerous initiatives to raise awareness among all employees;
  • intrusion tests on the Group’s critical infrastructure;
  • resilience improvements for IT infrastructure essential to the Group’s businesses (redundancy, recovery);
  • simulation of cyber crises at Group level and by business line;
  • internal cybersecurity audits performed with the holding company’s Internal Audit and Information Systems departments.