
27 Life Is On | Schneider Electric www.se.com 2021 Sustainable Development Report

Cybersecurity and data privacy

Business disruption

Industrial activities

Risk description and impact:
Risk of a malicious exploitation or intrusion into the infrastructures of Schneider Electric production and distribution centers
• Impacts on productivity, data privacy, operations
• Financial cost, and loss of confidence from stakeholders

Policies:
• Directive Site Protection
• Data center, IT Room and Network Enclosure Security Policy
• IT Disaster Recovery Plan for Business Continuity Policy
• Network Security Policy
• Acceptable Use of Assets Policy
• Security testing for products and systems

Main actions and 2021 performance:
• 200+ Cybersecurity leaders appointed and trained
• Operational Technologies (OT) workers security awareness deployed
• Access level defined, granted, and checked as per the profile/need
• Endpoints inventory and protection
• Topography of OT network, OT monitoring and threat detection, security policy compliance, incident response process
• IT/OT network segmentation, secured industrial Personal Computers (PCs), secure remote access, backup restore for PCs and Programmable Logic Controllers (PLCs)

Opportunity created:
• Improved supply chain resilience
• Greater confidence of our customers and partners in our supply chain and products
• Market access to critical infrastructures/customers
• Advanced discussions with authorities and greater collaboration on safety and security

Human resources (HR) and employee collaboration

Risk description and impact:
Risks of HR systems disruption or HR data leakage
• Impact on business continuity, legal compliance and overall reputation

Policies:
• Acceptable Use of Assets Policy
• Crown Jewel Security Policy
• Digital Certification Policy
• Email Security Policy
• Personnel Management Security Policy
• Third-Party Security Policy
• User Access Management Policy

Main actions and 2021 performance:
• Cybersecurity Charter shared and signed by all employees and contractors
• All employees trained every year on Cybersecurity and Ethics; dedicated mandatory training for high-value asset administrators
• Monthly phishing campaigns
• Data protection and cleanup yearly campaign
• Yearly access audits on all HR applications
• Data Protection Impact Assessments for high-risk applications
• External pen tests performed on all high-value asset applications
• Background verification checks in accordance with relevant laws and regulations

Opportunity created:
• Attractiveness of Schneider Electric for prospective candidates aligned with Trust Charter commitments

Compliance

Data privacy, retention & residency

Risk description and impact:
• Risk of compromise, modification or exfiltration of data from Schneider Electric’s data systems
• Representing a non-compliance to data protection regulations and laws as well as business purpose leading to potential penalties
• Non-compliance to data protection regulations leads to potential fines

Policies:
• Data Privacy Policy
• Data Classification Policy
• Global Data Retention Record Creation Backup and Recovery Policy
• Log Management & Monitoring Policy
• Acceptable Use of Assets Policy
• Digital Certification Policy

Main actions and 2021 performance:
• Mandatory Cybersecurity & Data Privacy annual training sessions
• Data privacy champions appointed
• Annual review of all policies
• Data Retention implemented by area
• Sensitivity label feature enabled on Microsoft Office 365 Suite for all employees

Opportunity created:
• Increase sentiment of trust for our customers, partners and larger community
• Prove alignment to regulations and devotion to ESG requirements
