RISK MANAGEMENT

Approach

Mission and reference principles

Identifying a risk does not necessarily mean declaring that it certainly exists, but being aware that a specific risk could materialise. The mission of the ERM model is thus to promote informed decision-making, based not only on expected results but also on the underlying risk profile, with the guarantee of proper management in line with the corporate risk appetite.

The principles underpinning Nexi’s ERM model are the following:

  • Comprehensive vision: by analysing all types of risk the Group is or might be exposed to under ordinary or stress situations.
  • Value-driven approach: focus on the most significant risk events that may impact the Group’s value drivers, the achievement of strategic goals and/or the business’ sustainability in the medium to long run.
  • Top-down approach: the Top Management, with the support of the Risk Management Function, identifies, prioritises, and manages the main corporate risks.
  • Actionability: focus resources on the management and mitigation of risks for which Nexi has intervention levers.
  • Collaboration: all organisational units of the Group are called to actively contribute, according to their areas of expertise and activities, to the identification, assessment and management of risks, based on the risk appetite defined by the Holding Company’s Board of Directors.
  • Transparency: in relation to the Group's risk profile and risk management strategies towards the Board of Directors, and adequate disclosure to shareholders and all other relevant stakeholders.

Main phases and activities

The Nexi ERM process is conducted twice a year and includes four steps: identification, evaluation, response and monitoring.

  1. Risk identification
    Focus on all risk categories, which are strategic, operational, compliance, financial and ESG.
  2. Risk evaluation
    Assess risks according to their impact and probability, as well as the maturity of the risk management system, which leads to a tier 1 and tier 2 prioritization.
  3. Risk response
    Define a risk strategy and, where needed, an action plan to mitigate the risk.
  4. Risk monitoring
    Provide periodic updates on action plans, which will be reported to the Control Risk and Sustainability Committee.

 

As a reference, the risk methodology and processes are inspired by the approach to risk management of the ISO 31000:2018 standard.

The ERM process undergoes regular internal audits, with the most recent one conducted in 2022. 

Risk Culture

Nexi Group actively promotes a risk culture as a strategic lever to support informed and responsible decision-making. This culture is embedded across all levels of the organization through continuous training and awareness initiatives involving all employees, including non-executive directors, with the aim of spreading knowledge of key principles, tools, and methodologies for identifying, assessing, and managing risks.

To reinforce this approach, Nexi also provides dedicated sessions focused on specific risk areas such as anti-corruption, AML, GDPR and security awareness. These actions contribute to building an integrated and forward-looking risk management framework, ensuring that risk awareness becomes a shared mindset and a core element of the Group’s operational excellence.

Acquiring Counterparty Risk

Nexi Group is exposed to acquiring/chargeback risk.

The Group adopts a structured and proactive approach to managing counterparty risk, which refers to the potential for financial loss arising from a counterparty’s failure to meet its contractual obligations. In particular, first-level functions are responsible for continuous monitoring and for initiating the appropriate mitigation and/or escalation measures in case of anomalies. Moreover, second-level Risk Management functions contribute to the definition of risk governance policies, such as a specific Risk Appetite Framework, to ensure proper monitoring of risk performance.

With specific reference to acquiring counterparty risk, the Group has defined overarching guidelines that are translated into specific Risk Appetite metrics and managerial limits that trigger actions. The Risk Appetite Framework (RAF) is reviewed by Group Risk Management on an annual basis and approved by the Group Board. The RAF metrics include the portfolio maximum loss under stress test, to capture the unexpected loss, and the single-name exposure per rating bucket, to monitor top merchants’ exposure. For each metric the Group defines a soft limit (breaches trigger discussion at Group Credit Committee level) and a hard limit (breaches trigger discussion at Group Board level).

The Risk Appetite Framework is applied across the organization, serving as a fundamental tool for shaping risk response strategies and supporting effective risk management operations.

Supply chain ESG risks

Nexi recognizes the importance of its suppliers and related actions to drive continuous ESG performance improvements.

The Group oversees supplier relationships through a procurement and supply chain process, including a qualification phase that takes into account key principles such as respect for human rights, net-zero alignment, safety records, anti-corruption compliance and a self-assessment based on Environmental, Social, and Governance (ESG) criteria. Nexi’s principles are fully aligned with UN Conventions, the International Labour Organization (ILO) standards, and all applicable legislation to ensure responsible and sustainable supplier practices. This structured framework not only helps Nexi uphold its own values but also fosters ethical relationships across its supply chain.

Based on these insights, Nexi Group conducts on-site audits on critical suppliers to verify compliance with local and international standards, such as H&S, Human Rights, Labour, Governance, Management of environmental aspects, Management of Business Continuity issues and security of the information managed.

In 2024, 7.5% of suppliers, covering 80% of spending, were assessed through a self-assessment questionnaire, of which 1.2% of suppliers were audited through on-site verification (a mitigation plan has been developed for 100% of the risks identified).

Climate Change risks

Given their strategic and reputational relevance, climate-related risks are regularly assessed and monitored by the Group to evaluate potential implications and define appropriate mitigation and adaptation strategies, if necessary.

In particular, Nexi Group conducts periodic dedicated climate-related assessments and scenario analyses (over a medium and long-term horizon) to evaluate potential physical and transitional risks that could impact Nexi assets and critical infrastructure (e.g. data centers, office buildings), third parties and clients, potentially affecting business resilience and sustainability. Where relevant risks arise, they are also integrated into the broader Enterprise Risk Management process.

To mitigate such risks, the Group has implemented a comprehensive Business Continuity Management System (BCMS), aimed at strengthening the resilience of its processes and of the services it provides while ensuring customer satisfaction. The Business Continuity Plan (BCP) guarantees the operational continuity of activities and services provided in the event of short-term interruption or partial unavailability, and includes Disaster Recovery Planning (DRP) designed to ensure the resilience of essential IT and payment infrastructure through coordinated emergency response mechanisms that include system redundancies and geographic diversification of critical assets. Nexi also evaluates the exposure to potential risks of both existing and future operations, in order to ensure that they are aligned with long-term climate resilience objectives.

Furthermore, the Group maintains insurance policies to mitigate any losses from this type of event and is committed to continuously enhancing its operations with a forward-looking approach, ensuring long-term resilience and sustainability in the face of evolving climate challenges.

Emerging risks

Emerging risks and medium to long-term trends that could have a significant impact on Nexi Group in the coming years include the following:

1 - INCREASING GEOPOLITICAL TENSION AND MACROECONOMIC UNCERTAINTIES

Europe’s economic outlook has been significantly shaped by global geopolitical dynamics, which remain a major source of uncertainty. A further escalation in the global trade policy environment and the associated uncertainties could lower euro area growth by dampening exports and dragging down investment and consumption.

Potential Impact
Geopolitical tensions could have an impact in cyberspace, increasing the likelihood of hacktivist operations and cybercriminal activity, such as ransomware deployment, data theft and resale, or advertisement of initial network access, targeting strategic organizations. Moreover, the current uncertainties could affect the macroeconomic outlook, as a deterioration in financial market sentiment could tighten financing conditions and reduce the willingness of firms and households to invest and consume.

Mitigating Actions
To mitigate potential threats from cybercriminal activities, Nexi has implemented robust mechanisms to protect information assets from cyber security threats, ensuring its resilience, and regularly conducts security awareness training for employees. Additionally, continuous analyses are carried out to assess the potential impact of macroeconomic uncertainties, such as the potential impact of tariffs on the Nexi Group supply chain.

 

2 - ARTIFICIAL INTELLIGENCE POTENTIAL THREATS

The rapid adoption of Artificial Intelligence and Machine Learning in the financial sector is expected to have a significant impact, requiring strong policy responses to safeguard the integrity and security of the financial system. Key concerns include embedded bias, lack of transparency in decision-making, cybersecurity vulnerabilities, and privacy risks. AI/ML systems may increase exposure to cyber threats by enabling data manipulation that evades detection or leads to incorrect outcomes. Additionally, these technologies can compromise privacy by re-identifying anonymized data or leaking sensitive information through inference or model behavior.

Potential Impact
AI/ML systems could bring new and unique risks arising from the opacity of their decisions, susceptibility to manipulation, robustness issues, and privacy concerns. These could undermine the public’s trust in the integrity and safety of the financial system. Furthermore, AI/ML could potentially bring about new sources and transmission channels of systemic risk, such as security/safety risk, third-party risk and an increase in digital payment fraud.

Mitigating Actions
Nexi has identified some actions to direct the company’s AI goals and mitigate potential risks, which include the establishment of behavioral guidelines for employees and developers, the mapping of AI risk scenarios and the definition of a dedicated risk framework.

Nexi S.p.A.

Corso Sempione 55,
20149 Milan
Italy

VAT: 10542790968

+39 02 3488.1
© Nexi S.p.A. 2021-2025. All Rights Reserved.