2024 Universal Registration Document

General and financial elements

Risk identification

With respect to concessions, aside from the legislative, regulatory and tax policy changes that are always possible during such long-term contracts, the Group is dependent on public authorities that may have the right to unilaterally alter the terms and conditions of public service, PPP or concession contracts during their performance or even terminate the contract itself, subject to compensation.

In the performance of their activities, Group companies could be held civilly or criminally liable and thus suffer the financial or administrative consequences thereof. Similarly, Group executives and employees may be held criminally liable.

A large share of the risks of non-compliance is therefore likely to lie primarily with senior executives and with employees to whom responsibility has been delegated, but may also lie with legal entities. The consequences may be financial (fines) or may involve criminal penalties (conviction and/or being banned from tendering for contracts).

Risk management procedures

The Group’s ability to adapt to changes in the markets in which it operates and new regulations as well as its active monitoring of changes in standards significantly enhance its management of legal and regulatory compliance risks.

The financial risks relating to the potential invoking of the third-party liability of Group companies are covered within certain limits by the insurance policies described in paragraph 2.5, “Insurance cover against risks”, pages 186 to 187.

1.3 Cyber risks

Protecting VINCI’s informational capital is of major strategic importance, particularly now that all its businesses are becoming digital. In a world where artificial intelligence is rapidly advancing and being used without adequate safeguards, cyber risks are a major concern for the Group, which is constantly working to strengthen its IT system security and raise awareness among all employees.

1.3.1 Cyberattacks

New collaborative practices have made it possible to work in the office, at construction sites and remotely in a fluid and efficient manner. In today’s hyper-connected world, those same technologies have become a source of vulnerability, because they are both essential to the Group’s operational efficiency and exposed to cyberattacks. These attacks can be very diverse and have become increasingly sophisticated.

Risk identification
  • Cyberattacks: attacks on information systems
  • Data leaks: loss or disclosure of data
  • Cyberespionage: eavesdropping or theft of confidential data

Possible consequences:

  • Damage to the Group’s reputation
  • Disruption or shutdown of operations at the entity targeted by the attack
  • Financial loss
  • Unavailability of information systems
  • Non-compliance

Risk management procedures

In 2024, VINCI continued the rollout of its overall IT security policy, under the impetus of the Executive Committee member serving as the Group’s cybersecurity coordinator.

Designed to raise the Group’s level of security, the transformation plan put in place by the Group’s Information Systems Department for the period from 2022 to 2024 was completed successfully. The new plan for 2025 to 2027 is an extension of the previous one, taking into account developments in threats and risks.

This plan, called VINCI CyberShields, has four main focus areas:

  • The first relates to the security policy, governance, user awareness campaigns and audits.
  • The second involves the implementation of an integrated technology solution, covering the protection of emails, workstation security and Active Directory compliance as well as identity, vulnerability and access management.
  • The third pertains to services, taking a cyber-as-a-service (CaaS) approach, which allows for the pooling of some investments, particularly in connection with the activities of the Group’s computer emergency response team (VINCI-Cert), which disseminates security alerts and information to all of the Group’s subsidiaries and provides assistance in the event of a security incident. This structure is supplemented by a security operations centre (SOC), put in place two years ago, whose role is to detect and respond to security incidents as early as possible.
  • The last concerns the automated detection and handling of incidents by taking advantage of advanced algorithms as well as artificial intelligence to improve the effectiveness of cybersecurity measures.

During the year, the following main activities were carried out under the Group’s IT security policy:

  • regular progress reports by the Information Systems Department to the Executive Committee on projects that are part of the Group’s cybersecurity programme;
  • update of the VINCI CyberShields multi-year plan;
  • publication of a new cybersecurity directive covering the issues raised by generative artificial intelligence;
  • continuation of audits and controls on the application of the IT security policy, carried out jointly with the Audit Department, with the auditor reporting directly to VINCI’s Chief Information Security Officer (CISO);
  • annual update of VINCI’s cybersecurity radar, which measures the level of cybersecurity maturity in all of the Group’s entities;
  • standardisation and rollout of workstation security and digital identity management mechanisms;
  • rollout of numerous initiatives to raise awareness among all employees, in particular simulated phishing campaigns, a mandatory “cyberpassport” (obtained by completing an e-learning module) for all information system users and a Cybersecurity Week organised by VINCI to share best practices in this area;
  • intrusion tests on the Group’s critical infrastructure;
  • resilience improvements for IT infrastructure essential to the Group’s businesses (redundancy, recovery);
  • cyber crisis simulation exercises (both technical exercises and managerial ones by business line).