2025 Universal Registration Document

General and financial elements

Legal and regulatory compliance
Risk identification

With respect to concessions, aside from the legislative, regulatory and tax policy changes that are always possible during such long-term contracts, the Group is dependent on public authorities that may have the right to unilaterally alter the terms and conditions of public service, PPP or concession contracts during their performance or even terminate the contract itself, subject to compensation.

In the performance of their activities, Group companies could be held civilly or criminally liable and thus suffer the financial or administrative consequences thereof. Similarly, Group executives and employees may be held criminally liable.

A large share of the risks of non-compliance is therefore likely to lie primarily with executive officers and with employees to whom responsibility has been delegated, but may also lie with legal entities. The consequences may be financial (fines) or may involve criminal penalties (conviction and/or being banned from tendering for contracts).

Risk management procedures

The Group’s ability to adapt to changes in the markets in which it operates and new regulations as well as its active monitoring of changes in standards significantly enhance its management of legal and regulatory compliance risks.

The financial risks relating to the potential invoking of the third-party liability of Group companies are covered within certain limits by the insurance policies described in paragraph 2.5, “Insurance cover against risks”, pages 184 to 186.

 
1.3 Cyber risks

Protecting VINCI’s informational capital is of major strategic importance, particularly now that all its businesses are becoming digital. In a world where artificial intelligence is rapidly advancing and being used without adequate safeguards, cyber risks are a major concern for the Group. The teams in charge of cybersecurity within the holding company and the business lines are responsible for strengthening the cyber defence capabilities of the Group’s information systems and raising awareness among all employees.

1.3.1 Cyberattacks

Collaborative practices have made it possible to work in the office, at construction sites and remotely in a fluid and efficient manner. In today’s hyper-connected world, those same technologies have become a source of vulnerability, because they are both essential to the Group’s operational efficiency and exposed to cyberattacks. These attacks can be very diverse and have become increasingly sophisticated.

Cyberattacks
Risk identification
  • Cyberattacks: attacks on information systems
  • Data leaks: loss or disclosure of data
  • Cyberespionage: eavesdropping or theft of confidential data

Possible consequences:

  • Damage to the Group’s reputation
  • Disruption or shutdown of operations at the entity targeted by the attack
  • Financial loss
  • Unavailability of information systems
  • Non-compliance

Risk management procedures

In 2025, VINCI continued the rollout of its overall IT security policy, under the impetus of the Executive Committee member serving as the Group’s cybersecurity coordinator.

Designed to raise the Group’s level of security, the transformation plan put in place by the Group’s Information Systems Department for the period from 2022 to 2024 was completed successfully. The new plan for the period from 2026 to 2028 is an extension of the previous one, taking into account developments in threats and risks.

It has been built to cover:

  • Critical infrastructure resilience: ensuring business continuity, particularly at concessions, in the face of cybersecurity threats, with a commitment to excellence for projects.
  • Protection of industrial systems: making sure that the essential operational technology (OT) is in place for infrastructure security and quality of service.
  • Unified cybersecurity governance: strengthening cybersecurity governance by deploying harmonised IT security standards across the Group and assisting entities in bringing their processes into compliance with Directive (EU) 2022/2555 (the NIS2 Directive), particularly in relation to managing and mitigating supply chain risks.
  • Promoting the cybersecurity culture: continuing to raise awareness and strengthen vigilance among the 210,000 employees who use information systems in order to mitigate risks relating to inappropriate use of these systems.

The following main actions were carried out during the year:

  • regular progress reports by the Information Systems Department to the Executive Committee on projects that are part of the Group’s cybersecurity programme;
  • analysis of the impact of the new NIS2 Directive on the Group’s entities;
  • update of the cybersecurity directive covering the issues raised by generative artificial intelligence;
  • continuation of audits and controls on the application of the IT security policy, carried out jointly with the Audit Department;
  • annual update of VINCI’s cybersecurity radar, which measures the level of cybersecurity maturity in all of the Group’s entities;
  • standardisation and rollout of workstation security and digital identity management mechanisms;
  • rollout of numerous awareness initiatives targeting all employees, in particular simulated phishing campaigns, a mandatory “cyberpassport” (obtained by completing an e-learning module) for all information system users and a Cybersecurity Week organised by VINCI to raise awareness and share best practices in this area;
  • intrusion tests on the Group’s critical infrastructure;
  • resilience improvements for IT infrastructure essential to the Group’s businesses (redundancy, recovery);
  • cyber crisis simulation exercises (both technical exercises and managerial ones by business line).