2.2 Global Management Systems

Integrated Management System

Cellnex has developed a Global Integrated Management System to integrate: quality, environment and health and safety. In addition to these three pillars, further management systems will be added in future. Cellnex also has a Global Information Security Management System, which is expected to be integrated into the Global Integrated Management System over the next year.

The Global Integrated Management System serves as a framework for adopting a systematic approach to the implementation of processes to ensure their effectiveness; establishing procedures to ensure the quality of the services provided; ensuring that business is conducted in accordance with the requirements set out in the reference standards on quality, environment, health and safety at work and information security, as well as the legislation in force; and, obtaining ISO standard certifications for Cellnex.

In this way, the Global Integrated Management System enables new business opportunities, facilitates the implementation of the Cellnex Industrial Model, enables continuous improvement and stakeholder engagement.

The Global Integrated Management System is currently implemented and certified in seven of Cellnex's business units plus Corporate. This means that the geographical scope of certification is currently France, Ireland, Portugal, Switzerland, the Netherlands, the United Kingdom and Poland, the latter two being the new business units included in the scope of global certification during 2022.

Moreover, Italy and Spain also have implemented and certified management systems which, owing to their maturity, they maintain locally. Integration into the Global Integrated Management System is planned for the coming years.

Considering the Information Security Management System, this system was the first to be certified globally at Cellnex in 2019 and since then we have been working to include all the business units of the Cellnex footprint in the scope of the system. In 2022, three new countries: Austria, Denmark and Sweden were included in the scope of certification. With these additions, there are now 11 certified countries plus the Corporation: Spain, Italy, Switzerland, Netherlands, France, United Kingdom, Ireland, Portugal, Austria, Denmark, Sweden and the Corporation.

"Being a company certified in internationally recognised standards helps Cellnex to provide high-quality services and to forge strategic alliances, gives confidence to our main stakeholders, and offers new opportunities that promote our business and growth in a sustainable way."

Anna Villa, EHS-Q EXPERT - Cellnex Corporate

Quality and certifications

Quality

Cellnex Group has a Global Quality Policy which its basic principle is to provide high-availability and high-quality services as a neutral operator of wireless telecommunications infrastructures. In this sense, the Board of Directors established the Quality and Certifications strategy and its commitment to the application of best practices in the countries in which the Company operates and on the basis of international reference standards.

Quality enhances Cellnex's brand and reputation, protects it against risks, increases its efficiency, boosts its profits and positions it to continue growing in a strong and sustainable way, all focused on the customer experience and the confidence of Cellnex's stakeholders. Through Quality, Cellnex contributes to its sustainable development and is consistent with the Company's mission, vision, values, objectives and strategy.

Quality enhances Cellnex's brand and reputation, protects it against risks, increases efficiency, boosts its profits and positions it to continue growing

Cellnex’s quality objectives are to promote a quality culture through Cellnex values, awareness and training at all levels, to achieve the highest levels of quality and commitment to the customer, to enhance the perception of stakeholders by innovating and improving products and services, to ensure quality throughout the value chain and supply chain, to promote a culture of continuous improvement by guaranteeing methodologies and procedures to ensure that improvement opportunities that arise are properly managed, and to lead exemplary practices to commit to all the Sustainable Development Goals. Against this background, Cellnex focuses on stakeholder needs and expectations, offers high-quality services, satisfies customers and continuously improves its services and management using a Plan-Do-Check-Act model.

In accordance with the Global Quality Policy, Cellnex devised a two-year Quality Master Plan (2021-2022) applicable to the whole company. This Quality Master Plan is defined on the basis of five strategic lines: Customer centric; Continuous improvement and business excellence; Leadership and commitment; Interest groups; Continuous evaluation. These strategic lines are split into seven initiatives.

Certifications

Implementing a Global Management System that encompasses all Cellnex's business units makes the maintenance and renewal of certifications more efficient because it involves a single certification process. In addition, it takes advantage of synergies and eliminates redundancies. Accordingly, based on the Global Integrated Management System, the Quality and Certifications Department has focused its work on implementing global certifications in non-certified countries. To do so, Cellnex has a Certification Catalogue that is used as a tool that indicates the exact certification status of all business units and their expiration year.

During 2022, the Quality & Certifications Department worked jointly with the business units on the maintenance of the certifications of the countries included within the scope of the Global Integrated Management System, which as already mentioned are: France, Ireland, Portugal, Switzerland, the Netherlands and Corporate. In addition, two new countries were included in the scope of global certification this year: Poland and the United Kingdom; the UK moved from a local Integrated Management System to the Global one.

In addition to global certifications, Cellnex is certified locally under other international standards such as energy efficiency (ISO 50001), service management (ISO 20000-1), National Security Scheme for the Smart Brain service in Spain, and SA 8000 Social Responsibility, Gender Equality and EASI Model in Italy.

Standard	Expiry date
ISO 9001 Quality Management System
ISO 9001 Quality Management System	2025	2025	2024	2025	2025	2025	2025	2025	2025	2025
ISO 14001 Environmental Management System
ISO 14001 Environmental Management System	2025	2025	2023	2025	2025	2025	2025	2025	2025	2025
ISO 45001 Occupational Health & Safety Management System
ISO 45001 Occupational Health & Safety Management System	2025	2025	2025	2025	2025	2025	2025	2025	2025	2025
ISO 27001 Information Security Management System
ISO 27001 Information Security Management System	2026	2026	2026	2026	2026	2026	2026	2026	2026		2026	2026	2026
ISO 14064 Carbon Footprint
ISO 14064 Carbon Footprint	2024	2024	2024	2024	2024	2024	2024	2024	2024	2024	2024	2024	2024
ISO 14046 Water Footprint
ISO 14046 Water Footprint	2024	2024	2024	2024	2024	2024	2024	2024	2024	2024	2024	2024	2024
SA 8000 Social Responsibility
SA 8000 Social Responsibility			2024
UNI/PdR 125:2022 Gender equality
UNI/PdR 125:2022 Gender equality			2025
Modello EASI
Modello EASI			2023
ISO 50001 Energy
ISO 50001 Energy		2023
ISO 20000-1 Service Management
ISO 20000-1 Service Management		2023
National Security Scheme - Smart Brain
National Security Scheme - Smart Brain		2024

Cellnex operates in accordance with international reference standards and voluntary initiatives

Risk Management

On 27 April 2022 the Cellnex Board of Directors amended the Global Risk Management Policy for all Cellnex Group companies. The approval of this policy also established the strategy for Global Risk Management and its commitment to the application of best practices in the countries in which the Company operates, based in turn on international reference standards.

Cellnex operates in accordance with international reference standards and voluntary initiatives that include, among others:

The Sustainable Development Goals (SDGs).
The 10 principles of the United Nations Global Compact.
The United Nations Guiding Principles on Business and Human Rights.
The United Nations Principles for Social Investment.
The OECD Guidelines for Multinational Enterprises.
The Global Reporting Initiative (GRI) guidelines.
The Tripartite Declaration of Principles on Multinational Enterprises and Social Policy of the International Labour Organization (ILO).

Likewise, the provisions of the Company's global Integrated Management System and the requirements of the ISO standards in which it is going to be certified in terms of risk management are also taken into account. In that connection, the Global Risk Management Policy highlights the Company's efforts to mitigate the inherent risks that may affect the business, thus guaranteeing the continuity of each of its projects and actions. It also promotes the creation of sustained value in the short, medium and long term for all the company's stakeholders, while demonstrating its commitment to reducing adverse impacts on economic activity.

The Cellnex Board of Directors has focused its work on defining the risk management strategy, supervising its application and monitoring it, as well as promoting best corporate governance practices. As a function entrusted by the Board of Directors, the Audit and Risk Management Committee (ARMC) supervises the effectiveness of the Global Risk Management Model and the information provided to third parties, and must ensure that the risk management framework identifies, prioritises, controls, monitors and reports them properly. Moreover, in 2022 a new Global Risk Committee was established, formed by all functional Corporate departments, advised by the internal audit unit; this Committee meets quarterly.

The Global Risk Management function is based on anticipation, independence and commitment

The Global Risk Management department is the main one responsible for the optimal deployment of the risk management methodology within the organisation, ensuring monitoring and compliance. The Global Risk Management function is based on anticipation, independence and commitment to the Group's business objectives, guaranteeing the robustness of the Global Risk Management Model through a risk assessment methodology aligned and adapted to the needs of the risk function and of the Company.

Risks are events that may have an impact on the achievement of the strategic objectives established by the Board of Directors, so these must always be considered for risk management in order to guarantee the resilience of the organisation.

1. Identify the risks: identification and preparation of the risk inventory. Risks are classified using the four categories of the COSO methodology:

Strategic: risks that affect the business strategy or strategic objectives of any company.
Operational: risks of potential losses resulting from the inadequacy of the operations processes, as well as the people, equipment and systems that support those processes.
Financial and reporting: risks that have a direct impact on the financial and reliability variables of the Cellnex Group.
Legal and compliance: risks related to legal or administrative sanctions, significant financial losses or loss of reputation owing to non-compliance with laws, regulations, internal rules or codes of conduct applicable to the business.

2. Assess risks: carry out an assessment of the risks identified both at corporate level and in the business units. Risks are assessed considering their impact, and the probability of their occurrence. The potential impact of a risk should be considered on the basis of the following variables:

Economic (40%): Impact on the company's expected revenues.
Operational (40%): Interruption of processes with a finite or indefinite impact over time, as well as possibly affecting relations with third parties.
Reputational (20%): Impact on the media and/or shareholders, with consequent media coverage at local, national and/or international level, which leads in turn to a number of liability actions.

3. Define risk responses: definition of a response to address or mitigate these risks in order to achieve acceptable risk levels. The possible answers are framed in the options indicated as follows: avoid, transfer, accept and reduce. If the answer is reduce, define internal controls where possible.

4. Monitor risks: check that risk levels, once a risk response has been applied, match the risk appetite defined by the organisation.

5. Continuous improvement: continuous monitoring and review of the process to achieve improvements in the risk management life cycle.

In order to carry out correct risk management, it is important to analyse both the possible external and internal factors that could lead to an event having an impact on the Cellnex Group's objectives.

The governance of the Global Risk Management Model is configured taking the best international practices as a reference. It is based on a combined assurance around the Three Lines Model, providing an integrated vision of how the different parts of the Cellnex Group organisation interact effectively and in a coordinated manner, making the Group's risk management and internal control processes more efficient.The Global Risk Management framework is based on the application of the Three Lines Model:

First Line: all the functional departments of the Cellnex Group, both in the corporation and in the business units, are the owners and responsible for identifying, assessing, monitoring and mitigating risks, as well as maintaining effective internal controls.
Second Line: The Risk Management function facilitates and supervises the implementation of effective risk management practices and supports the definition of target risk exposure and the communication of risk information throughout the Group. The Global Risk Committee ensures adequate risk coverage by promoting a risk culture in the Company. All functional departments are represented in the Global Risk Committee.
Third Line: Internal Audit provides an independent guarantee to the Board of Directors, the Audit and Risk Management Committee (ARMC) and Senior Management on the effectiveness with which the Cellnex Group assesses and manages its risks, validating how the First and Second Lines operate.

For day-to-day operational risk management at Cellnex, the Risk Management Department implemented a Global Risk Management Master Plan 2021-2023. All initiatives identified for 2022 have been completed. One of these relates to the SAP GRC, where the activities carried out in 2022 were:

The implementation of the Process Control module during the first half of 2022, with the launch of the Tax controls campaign.
The implementation of the Risk Management module during the second half of 2022, which will include the Company's Risk Map.
The implementation of the Audit Management module during the first half of 2023, relating to Internal Audit.

Regarding the Business Continuity Management System, in 2022, work was done to establish the Framework (Business Continuity policy, BIA of products and services, critical processes and activities, necessary resources, etc.), and during 2023 work will be done with some Business Units to deploy the business continuity management system after adapting it to their needs.

Regarding the Risk Management Communication Plan, training and awareness-raising actions on the new risk management methodology were carried out in 2022, with the Risk Partners, to support them as Second Line. In addition, training and awareness-raising actions on the new risk management methodology were also carried out in the corporate departments during the risk assessment process.

Cellnex has been recognised for its good practices in financial information

Cellnex has received the award for good practices in financial information from the Catalan Association of Accounting and Management (ACCID), an entity founded by the College of Economists of Catalonia and the College of Chartered Accountants of Catalonia. The Award, presented at the 19th edition of the ACCID Awards, recognises the quality and transparency of the Company's annual report. Specifically, it values information on the situation and risk management, intangible assets (including intellectual capital), the environment and the social dimension, among others.

There follows a list of the main risks that may affect Cellnex Group business and the achievement of its objectives.

Strategic risks	I)	Risks related to the environment in which the Group operates and risks stemming from the specific nature of its businesses.
	II)	Risks of increasing competition.
	III)	The Group’s status as a “significant market power” (SMP) operator in the digital terrestrial television (DTT) market in Spain imposes certain detrimental obligations on it compared with its competitors.
	IV)	Industry trends and technological developments may require the Group to continue investing in adjacent businesses to telecommunication towers, such as fibre, edge computing and small cells.
	V)	Spectrum is a scarce resource and it is highly dependent on political decisions. Access may not be secured in the future, which would prevent the Group from providing a high portion of its services in accordance with its plans.
	VI)	Risk related to a substantial portion of Group revenue being derived from a small number of customers.
	VII)	Risk of infrastructure sharing.
	VIII)	Risk of non-execution of the entire committed perimeter.
	IX)	The expansion or development of the Group's businesses, including through acquisitions or other growth opportunities, involve a number of risks and uncertainties that could adversely affect operating results or disrupt operations.
	X)	Risks inherent in the businesses acquired and the Group’s international expansion.
	XI)	Risk related to the non-control of certain subsidiaries.
	XII)	Risks related to execution of Cellnex's acquisition strategy.
	XIII)	Regulatory and other similar risks.
	XIV)	Litigation.
	XV)	Risk related to the Parent Company’s significant shareholders’ interests differing from those of the Group.

Operational risks	XVI)	Risks related to the industry and the business in which the Group operates.
	XVII)	Risk of not implementing the strategic sustainability plan.
	XVIII)	Risks related to maintaining the rights over land where the Group’s infrastructures are located.
	XIX)	Failure to attract and retain high quality personnel could adversely affect the Group’s ability to operate its business.
	XX)	The Group relies on third parties for key equipment and services, and their failure to properly maintain these assets could adversely affect the quality of its services

Financial risks	XXI)	Financial information.
	XXII)	Expected contracted revenue (backlog).
	XXIII)	Foreign currency risks.
	XXIV)	Interest rate risk.
	XXV)	Credit risk.
	XXVI)	Liquidity risks.
	XXVII)	Inflation risk.
	XXVIII)	Risk related to the Group's indebtedness.
	XXIX)	The Parent Company cannot guarantee that it will be able to implement its Shareholders' Remuneration Policy or to pay dividends (and even if it were able to, that it would do so).

Compliance risks	XXX)	Fraud and compliance risks.
Compliance risks	XXXI)	Risk associated with significant agreements signed by the Group that could be modified due to change-of-control clauses.

Further detailed information, please see Annex 1. Risks.