The sustainability reporting process is subject to internal controls that are based on risk assessment. The internal control system focuses on a set of disclosures identified as 'high-priority' KPI, determined based on a list of selected parameters, such as feasibility, complexity, potential reputational and reporting risks. The high priority KPIs are included in a 'risk control matrix', where controls are formalized and tracked.

The internal control system has been defined following the guidelines of the Internal Control over Sustainability Reporting (ICSR) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and based on the COSO Internal Control-Integrated Framework (ICIF). For the set of selected KPIs, the entire data flow is mapped from primary data collection to consolidation and final validation, clearly defining roles and responsibilities. To mitigate the most relevant risks resulting from those selected KPIs, the Group has implemented an internal control process to ensure data consistency and accuracy. The nature and frequency of the controls varies based on the risks associated with each KPI. Depending on the control to be performed, different tools are used, including internal files specifically designed to support the control and various software.

The risk assessment approach involves identifying disclosures as 'high-priority' KPIs based on selected parameters such as feasibility, complexity, potential reputational, and reporting risks. These high-priority KPIs are included in a 'risk control matrix', where controls are formalized and tracked. The internal control system is defined following the guidelines of the Internal Control over Sustainability Reporting (ICSR) issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and based on the COSO Internal Control-Integrated Framework (ICIF). For the set of selected KPIs, the entire data flow is mapped from primary data collection to consolidation and final validation, clearly defining roles and responsibilities.

The main risks identified involve potential misstatements due to data elaboration or consolidation from primary sources. The risks identified are:

• Potential misstatements due to incorrect manual data entry, in relation to data referred to Energy, Waste, F-gas, Emissions, and Social areas;
• Potential misstatements due to incomplete data (in relation to the same areas of reporting as above);
• Potential misstatements due to incoherent or wrongly measured data (Energy, Waste, F-gas and Social);
• Potential misstatements due to incorrect data extraction from IT systems (in relation to the same areas of reporting as above);
• Potential misstatements due to errors in calculations, in particular for GHG data and social data;
• Potential misstatements due to wrong selection of conversion factors for calculations (Energy and GHG emissions).

As mitigation strategies, envisaged controls (also at entity level) can be either preventive or detective, depending on whether they are aimed at finding potential misstatements (detective) or rather avoid them (preventive). In relation to these mitigation strategies, a monitoring plan was introduced at the end of 2024 to prospectively test the adequacy of the design and the effectiveness of the controls in place to mitigate and reduce the identified risks.

The risk assessment performed during 2024 for the definition of the 'high-priority' KPIs will be updated in order to progressively include disclosures contained in the sustainability statement in the internal control framework. The Group Internal Control and Sox Compliance Function is responsible for the risks mitigation and related findings, and they periodically report updates and potential findings to the relevant management and supervisory bodies, in particular the FLT and the Audit Committee respectively.

The Group Internal Control and Sox Compliance Function is responsible for the risks mitigation and related findings, and they periodically report updates and potential findings to the relevant management and supervisory bodies, in particular the FLT and the Audit Committee respectively.