
DATA PRIVACY AND IT
The protection of personal data, our first priority

Whether for passenger bookings, flight schedule management or aircraft maintenance, etc., information systems are at the heart of all of Air France-KLM’s activities. For the Group, the protection of personal data, a key element in the trust accorded to the Group by its customers, is a priority focus.
Permanent benchmarking and an independent cyber ranking agency enable us to remain informed of the measures implemented by other air transport industry players and thus adapt our own processes if necessary. In December 2021, the Air France-KLM IT centers had a cyber score situated above the top end of the range for the air transport industry.
To manage cyber-security risks, the Group's strategy is underpinned by several initiatives:
- Close cooperation with the national authorities and the relevant European agencies (EASA, ENISA).
- Calling on the expertise of consultants who are leaders in the cyber security market and actively collaborating with the companies connected to its information system.
- Participating in working groups with the main airline associations (IATA, A4E, etc.) and contributing to the research of associations specialized in cyber security (CLUSIF, CESIN, CIGREF, etc.).
To offer the best level of protection on the ground and in the air, Air France-KLM has reinforced its teams dedicated to cyber security and increased the financing of a number of major programs:
- An overall awareness-raising program for all the Group’s staff with mandatory Cyber training.
- A regulatory compliance program which notably includes a specific level of protection and supervision for the critical systems.
- A digital transformation support program to provide a simplified and secure experience for the user.
- A plan directed at delivering the most effective cybersecurity solutions and infrastructures to adapt permanently to evolving cyber threats. This includes a cyber insurance policy.
- A state-of-the-art cybersecurity infrastructure and services, with a robust organization coordinated around the SOC (Security Operations Center), including our affiliates and partners.
An annual presentation on these programs is made to the Group Executive Committee and to the Audit Committee of the Air France-KLM Board of Directors, guaranteeing sponsorship at the highest level. These programs are supported by a Cyber Security Governance composed of:
- A cyber security regulatory framework for ground IT and onboard systems (safety policy based on the ISO27000 series of international standards and other standards or regulations applicable to Air France-KLM’s activities)
- An annual monitoring plan for risks linked to digital technologies, and testing of the cyber crisis mechanism overseen by the Operations Control Center and the Authorities.
- Three management committees with complementary perspectives. The Group’s IT Executive Committee notably reviews the match between the cyber risks and IT investment. The Cyber Plane Committee, chaired by the Accountable Manager, decides on the orientations to be adopted to reduce potential cyber risks to Flight Safety. Lastly, the Safety Performance Committee evaluates the effective mitigation of generic safety risks, including cyber security.
- A report on the residual cybersecurity risk in the major operating risk sheets steered by Internal Control.

Data privacy:
Since the Group is well aware that the protection of private lives and personal data is an increasingly sensitive subject, and rightly so, it places this issue at the heart of its priorities and ensures the highest level of regulatory compliance.
In 2022, in addition to strengthening the existing processes for Data Privacy governance, the management of data compliance breaches and training as part of the annual compliance program, the main focus was on the compliance of transfers of personal data outside the European Economic Area, after the invalidation by the Court of Justice of the European Union of the Privacy Shield in the “Schrems II” case. As a consequence, the European Data Protection Board (EDPB) recommended, for these transfers, the performance of Data Transfer Impact Assessments (DTIA) and the use of new models of Standard Contractual Clauses.
In 2022, in parallel with the GDPR (European General Data Protection Regulation) requests sent directly to the airlines, Air France and KLM recorded and handled a total of 9 complaints concerning personal data privacy: one from the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and eight from the CNIL.