2022 Universal Registration Document

Risk identification

With respect to concessions, aside from the legislative, regulatory and tax policy changes that are always possible during such long-term contracts, the Group is dependent on public authorities that may have the right to unilaterally alter the terms and conditions of public service, PPP or concession contracts during their execution phase or even terminate the contract itself, subject to compensation.

In the performance of their activities, Group companies could be held civilly or criminally liable and thus suffer the financial or administrative consequences thereof. Similarly, Group executives and employees may be held criminally liable. A large share of the risks of non-compliance is therefore likely to lie primarily with senior executives and with employees to whom responsibility has been delegated, but may also lie with legal entities. The consequences may be financial (fines) or criminal penalties (conviction and/or being banned from operating).

The environmental transition is causing numerous uncertainties in the interpretation of market signals. The emergence of new cap-and-trade (or pollution rights trading) systems, which could affect VINCI activities that emit greenhouse gases, a possible carbon tax or the consequences of the EU Taxonomy on sectors that are excluded therefrom could constitute risks with financial consequences (loss of contracts in competitive bidding, fines, impact on the profitability of projects under way), non-financial costs or damage to the Group’s reputation (see paragraph 4.4.1, “Mapping of the Group’s major risks”, of chapter E, “Workforce-related, social and environmental information”, page 273).

Risk management procedures

The main measures relating to legal and regulatory controls are presented in paragraphs 2.3, “Respect for human rights”, and 2.4, “Business ethics”, of chapter E, “Workforce-related, social and environmental information”, pages 216 to 219. The financial risks relating to the potential invoking of the third-party liability of Group companies are covered within certain limits by the insurance policies described in paragraph 3.5, “Insurance cover against risks”, pages 185 to 187. Owing to its ability to adapt to changes in the markets in which it operates, to new regulations and to changes in standards, the Group actively monitors legal and regulatory compliance risks.

2.3 Cyber risks

Protecting VINCI’s informational capital is of major strategic importance, particularly now that all its businesses are becoming digital. Cyber risks are one of VINCI’s major concerns. The Group is constantly working to strengthen its IT system security and raise awareness among all employees.

2.3.1 Cyberattacks

New collaborative practices have made it possible to work in the office, at construction sites and remotely in a more fluid and efficient manner. In today’s hyper-connected world, those same technologies have become a source of vulnerability, because they are both essential to the Group’s operational efficiency and exposed to cyberattacks. These attacks can be very diverse and have become increasingly sophisticated.

Risk identification
  • Cyberattacks: attacks on information systems
  • Data leaks: loss or disclosure of data
  • Cyberespionage: eavesdropping or theft of confidential data

Possible consequences:

  • Damage to the Group’s reputation
  • Financial loss
  • Unavailability of information systems
  • Non-compliance

Risk management procedures

In 2022, VINCI stepped up the rollout of its overall IT security policy, under the impetus of the Executive Committee member serving as the Group’s cybersecurity coordinator.

The principal activities carried out were as follows:

  • regular presentations by the Information Systems Department to the Executive Committee on the stage of completion of projects that are part of the Group’s cybersecurity programme;
  • update of the multi-year cybersecurity plan with representatives of each of the business lines;
  • rollout of new services by VINCI-Cert, the Group’s computer emergency response team, both centrally and in the business lines, so as to improve the supervision of internet-exposed assets;
  • monitoring of the application of IT system security directives, which specify mandatory security rules for each area of the information system;
  • update of VINCI’s cybersecurity radar, which measures the level of cybersecurity maturity in all of the Group’s entities;
  • standardisation and rollout of workstation securitisation and digital identity management mechanisms;
  • rollout of numerous initiatives to raise awareness among all employees;
  • more simulated phishing campaigns directed at employees to raise awareness;
  • intrusion tests on the Group’s critical infrastructure;
  • resilience improvements for IT infrastructure essential to the Group’s businesses (redundancy, recovery);
  • simulation of cyber crises at Group level and by business line;
  • establishment of an SOC (security operations centre);
  • internal cybersecurity audits performed with the holding company’s Internal Audit and Information Systems departments.