ENTITY-SPECIFIC

Cybersecurity and data processing

SBM-3 - MATERIAL IMPACTS, RISKS, AND OPPORTUNITIES AND THEIR INTERACTION WITH STRATEGY AND BUSINESS MODEL

Entity-specific | Stage* | Description | Likelihood of occurrence | Time horizon
--- | --- | --- | --- | ---
Cybersecurity | | | |
(+) Impact | OP, Pt | Prevention and/or mitigation of incidents that could affect the integrity of the infrastructure managed by the Company, as well as the integrity and privacy of individuals, and/or the environment. | Current | S
(+) Impact | VC | Improvement of the cybersecurity culture among the Company’s stakeholders. | Current | S
(-) Impact | VC | Occurrence of incidents that could impact the integrity of the infrastructure managed by the Company, the integrity and privacy of individuals, and/or the environment. | Current | S
Risk | VC | Sophisticated cyberattacks that impact the Company’s operations, productivity, information, intellectual property, or image/reputation, as well as the integrity of individuals. | | S
Risk | VC | Severe fines and penalties for breaches of regulations and enforcement control frameworks. | | S
Opportunity | VC | Security as a driver of business, reinforcing the Company’s competitive edge through advanced security practices and high levels of compliance. | | S
Opportunity | VC | Improvement of corporate governance and trust in the Company. | Potential | S

* OP: Own operations; VC: Value chain; Pu: Purchases; C: Customers; Pt: Partners; S: Short term; M: Medium term; L: Long term.

MDR-P: POLICIES

Ferrovial has a Corporate Cybersecurity Policy in place, approved by the CEO in 2022. The policy applies to all divisions and subsidiaries and can be consulted on the Company’s website. Its principles and objectives are aligned with the business strategy. It is implemented by means of Security Policies that encompass organization, people, processes, and technologies, formalized in a set of Security Principles based on best industry practices, notably the NIST CSF and the ISO 27001 standard (under which Ferrovial has been certified since 2012).

Policy: Cybersecurity Policy
Description: This policy defines the principles and guidelines for safeguarding Ferrovial’s information, systems, and operations against cyber threats, ensuring the confidentiality, integrity, and availability of digital assets. It supports the organization’s commitment to business continuity and secure data management.
Objective: The policy aims to:

  • Ensure a digital and technological environment with the necessary level of security.
  • Guarantee legal, regulatory, and contractual compliance.
  • Ensure operational resilience against cyberattacks.
  • Foster a culture of awareness and responsibility in cybersecurity among employees, suppliers, and partners.
Associated material impacts, risks and opportunities:
  • Material impacts: Potential financial losses, reputational damage, legal, regulatory, and contractual non-compliance, and disruptions due to cyber incidents.
  • Risks: Sophisticated cyberattacks that affect operations, productivity, information, intellectual property, or the Company’s image/reputation, as well as the integrity of individuals. Severe fines and penalties for non-compliance with regulations and enforcement control frameworks.
  • Opportunities: Building stakeholder trust through robust cybersecurity practices, leveraging innovation for competitive advantage, and compliance with global regulatory standards to strengthen market positioning.
Follow-up and remediation process: Ferrovial ensures the implementation of and compliance with the Cybersecurity Policy through regular reviews of risks and controls covering all business units and participated assets. This information is reported periodically to the Company’s governing bodies that oversee the status of cybersecurity.
Scope of the policy
Affected stakeholders: All Ferrovial employees, suppliers, and customers with access to Company systems or data.
Geographic areas: Global
Value chain application: The policy extends across the entire value chain, including suppliers and customers, ensuring secure practices in all business interactions. Cybersecurity is a practice that supports digital assets, which in turn support business activities.
Exclusions from the application: There are currently no exclusions; the policy applies to all areas of activity, geographies, and stakeholders globally.
Policy approval flow
Responsible party: Chief Executive Officer (CEO) – responsible for approving and implementing the policy
Other issues to report (if applicable)
Consistency with third-party instruments or standards: The policy complies with:

  • International standards, including ISO 27001
  • European regulations such as the GDPR
  • The Spanish National Security Scheme (ENS)
  • Ferrovial’s Corporate Responsibility and Sustainability Policies
Stakeholder engagement: The policy incorporates feedback from key stakeholders to effectively address cybersecurity issues and ensure secure collaboration across the organization.
How it is made available: This policy is available on Ferrovial’s website (ferrovial.com) and on the intranet.
Significant policy changes: N/A – no changes have been made.

"Associated material impacts, risks, and opportunities" is a concept related to ESRS and double materiality. It is NOT related to the materiality of cyber incidents considered by the SEC.

MDR-A: ACTIONS

THE THREAT DETECTION, CORRELATION, AND CYBERINTELLIGENCE MODEL

The Company has SOC (Security Operations Center) capabilities to protect its data centers, perimeters, endpoints, and cloud environments. This service responds to alerts generated by SIEM (Security Information and Event Management) tools and detects events in accordance with use cases defined by Ferrovial’s Cybersecurity Department.

There is currently a SOAR (Security Orchestration Automation and Response) platform that enables the coordinated integration and operation of various prevention and protection tools, facilitating automated detection and response, as well as the orchestration of activities for the containment, resolution, and neutralization of threats.

The organization integrates advanced cybersecurity capabilities for the protection against threats and the detection of information-related compromises, such as unauthorized access, anomalous transmission of large volumes of data, and exfiltration, whether through physical storage or cloud services.

Cyber intelligence capabilities expand threat detection processes and enhance response capabilities by identifying Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) used by cyber-offenders to carry out their attacks. Threat hunting exercises are also run to identify potential compromises that have not been previously detected.

Finally, the Company exchanges information on threats and manages incidents in coordination with national and international cybersecurity agencies when appropriate.

RESPONSE TO CYBERATTACKS

The Company has a CSIRT (Computer Security Incident Response Team) that responds to events detected by the SOC (Security Operations Center) that may become security incidents. This team has DFIR (Digital Forensics and Incident Response) capabilities to analyze, contain, mitigate, and prevent such events. The periodic identification of IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques, and Procedures) is key to improving protection and detection mechanisms and the SOC’s response, both manual and automated.

Likewise, Ferrovial has cybersecurity posture tools that enable real-time assessment of compliance with specific security parameters and controls across the managed IT infrastructure (in data centers and cloud environments) and endpoints. This provides a comprehensive overview of the risks and controls related to security recommendations issued by manufacturers, market standards, and security frameworks, and enables the development of action plans to improve posture.

The capabilities and processes described above are driven by generative artificial intelligence, both for optimization purposes and to counteract new techniques applied by cyber-offenders who also rely on these technologies.

Ferrovial has an incident response protocol based on best market practices (INCIBE-CERT Guide, ISO/IEC 27035, and NIST). In addition, a global procedure has been implemented for the identification and reporting of material cyber incidents to regulatory bodies (SEC, national and international cybersecurity agencies, AEPD, among others). Communication with regulators, authorities, customers, and other stakeholders, through mechanisms within specific time frames, is one of the key elements for Ferrovial to ensure transparency and due diligence.

Detection and response capabilities are systematically evaluated through Breach & Attack Simulation and penetration testing, using commercially available technologies (Cymulate and Pentera, respectively).

It is important to note that, during 2025, there were no material cybersecurity breaches in Ferrovial’s information systems. Approximately 3,165 incidents were handled by the CSIRT and Ferrovial’s Cybersecurity team.

RESILIENCE AND CYBER-RESILIENCE

The Company has established Contingency and Recovery Plans to respond to and recover from disruptive events, when required. Ferrovial is currently investing in the evolution of the Continuity model, with the aim of adopting a more global approach that standardizes practices across all of the Company’s business divisions.

These Contingency Plans cover crisis scenarios triggered by cyber threats. There is a Cyber Crisis Committee responsible for managing this type of incident. Likewise, Ferrovial has a procedure in place for reporting incidents to regulators and other stakeholders within this area.

Ferrovial, aware of the importance of resilience in its supply chain, incorporates the verification of contingency and recovery plans into the Vendor Risk Management (VRM) process, in the context of the service provided to the Company.

The business continuity model establishes the need to conduct regular testing of the plans, which is why Table-Top and Disaster Recovery Plan tests have been carried out throughout the year. The results have been positive overall, and opportunities for improvement have been identified, currently being implemented.

The Company maintains a cyber insurance policy, having expanded the limits and types of coverage for disruptive events and cyber incidents that may occur in the context of the activities carried out by Ferrovial, its business units, and subsidiaries; these include financial coverage, incident response, and legal advice. It should be noted that in 2025 it was not necessary to activate this policy, as no material cyber incidents have taken place.

THIRD-PARTY RISK MANAGEMENT

Ferrovial’s Vendor Risk Management (VRM) program defines the security requirements third parties must meet, depending on the type of service they provide to the Company and the level of access they have to its information and digital assets.

In 2025, the supplier onboarding process was automated and systematized, and the monitoring of suppliers that provide recurring services to Ferrovial is currently being automated and systematized in the same way.

The VRM process assesses the accreditations, certifications, qualifications, and evidence that attest to the level of security compliance of the relevant product or service provided by the vendor, as well as the level of security maturity the vendor can prove. If material risks are identified during the review processes, appropriate measures are taken, including contract termination.

Third-party risk management ensures that cyber incidents that may affect Ferrovial are reported in a timely manner, and that response and recovery plans are in place should they be necessary.

EXTERNAL VERIFICATION AND VULNERABILITY ANALYSIS

As part of Ferrovial’s continuous improvement process, it is essential to carry out both internal and external audits to identify vulnerabilities and areas for improvement, the implementation of which will strengthen cybersecurity and contribute to the mitigation of risks.

The following are the reviews and audits being carried out on a recurring basis within the organization:

  • Internal and third-party audits based on the ISO 27001 certification.
  • Integrated SOX audits:
    • ITGC controls.
    • Cybersecurity model controls.
  • External audit by SWIFT (Society for Worldwide Interbank Financial Telecommunication).
  • Audits carried out by Internal Audit (third line of defense) in accordance with their annual plan (two or three annual audits).
  • Questionnaires and security approvals required by Ferrovial’s clients.
  • Dow Jones Best-in-Class Index.
  • ESG Sustainability Report (double materiality).
  • Ad hoc security reviews according to annual planning.
  • Breach & attack, and recurring pentesting based on Cymulate and Pentera tools, according to annual planning.
  • Threat Hunting & Compromise Assessment reviews to identify potential compromises/breaches not detected by monitoring systems.
  • Vulnerability review in data centers, endpoints, perimeters, and cloud environments, as well as in industrial environments.
  • Review of vulnerabilities in source code.
  • Review of Ferrovial’s cybersecurity rating through BitSight.
  • Vendor security risk reviews (Vendor Risk Management).
  • Crisis simulations (tabletop exercises).
  • Posture management provided by cybersecurity tools (Microsoft Compliance and Wiz).

The Cybersecurity Department consolidates, assigns, plans, and supervises the implementation of the different action plans arising from the assessments, reviews, and audits carried out.

The management review process is formally conducted on a yearly basis, one of its purposes being the review of the achievement level of planned cybersecurity actions. This process is supervised by the Global CISO and takes into account a range of inputs, such as KGIs and KPIs, the results of audit and review processes, and the monitoring of risk treatment plans.

MDR-T: TARGETS

The objectives defined in the Corporate Cybersecurity Policy are measured using Key Goal Indicators (KGIs) defined in the Information Security Management System (ISMS), which is based on the ISO 27001 standard, audited on an annual basis by BSI. This allows for monitoring the effectiveness of the Policy’s implementation. The indicators are based on measurements of organizational, technological, and process capabilities related to cybersecurity, associated with each of the Strategic Objectives established in the Policy.

Some of the main targets are aimed at:

  • Ensuring a digital and technological environment with the necessary level of security.
  • Guaranteeing legal, regulatory, and contractual compliance.
  • Properly managing security incidents and building resilience to them.
  • Promoting an appropriate security culture.
  • Harmonizing security across different business units and subsidiaries.
  • Facilitating digitization, innovation, and the adoption of new technologies to support the business.
  • Facilitating business opportunities and bidding processes.
  • Establishing strategic partnerships in the area of security.
  • Fostering a culture of awareness and responsibility in cybersecurity among employees, suppliers, and partners.

MDR-M: METRICS

  • 100% of security incidents successfully managed
  • 193,592 phishing simulation emails received by employees annually
  • 11,431 unique users included in phishing simulations annually
  • 61,538 phishing emails blocked per month by the company’s systems
  • 14,991 attempts to access corporate resources blocked (malicious/untrustworthy source) per month
  • 9.3 ransomware attacks detected and automatically blocked per month

Security incidents

In 2025, 100% of security incidents were successfully managed. The objective of this indicator is to verify that the security incidents occurring at Ferrovial are managed in the best possible way to mitigate their potential impact. Only those incidents managed by the Cybersecurity Department are included in this review, covering all business divisions using Corporate Digital Products and Services. The measurement criterion is the ratio of incidents properly managed to the total number of incidents registered in the reference period, assessed on response time, actions taken, follow-up and evidence gathering, resolution, root cause analysis proportionate to the incident type, and lessons learned. The data provided corresponds to the annual average, calculated from all monthly measurements collected from January 2025 to December 2025. This control forms part of the SOX Cybersecurity framework and is reviewed by the external auditor PwC.

Phishing simulation emails received by employees

In 2025, employees received a total of 193,592 phishing simulation emails, as part of regular and systematic training aimed at strengthening users’ ability to identify potential threats. This metric is based on the number of emails issued through the awareness platform during simulated phishing campaigns, limited to users managed by the Corporate Cybersecurity Department, covering from January to December 2025. The KPI is integrated into the Information Security Management System (ISMS) and is audited externally by BSI under ISO 27001 certification, ensuring the robustness and traceability of the process.

Users included in phishing simulations

Throughout 2025, 11,431 unique users participated in phishing simulations. The indicator reflects the number of unique users registered on the awareness platform and involved in phishing simulations. It applies exclusively to users managed by the Corporate Cybersecurity Department and uses the number of unique users registered on the KnowBe4 platform. This KPI forms part of the ISMS and undergoes the external audit (BSI) required for ISO 27001 certification.

Blocked phishing emails

The company’s systems blocked an average of 61,538 phishing emails per month throughout 2025, demonstrating the effectiveness and quality of the filtering capabilities of the MS Defender platform. The metric is calculated from the total number of emails blocked as phishing, malware, or impersonation, plus policy-blocked messages, excluding spam. It applies only to users under the Corporate Cybersecurity Department and reflects an annual average of monthly measurements collected between January and December 2025. The KPI is incorporated into the Information Security Management System (ISMS) and is subject to external audit by BSI under ISO 27001 certification, ensuring rigorous oversight and verification.

Blocked attempts to access corporate resources

In 2025, the company blocked an average of 14,991 attempts per month to access corporate resources from malicious or untrustworthy sources, demonstrating the effectiveness and quality of the communications filtering performed by the MS Defender platform. This indicator is based on the number of malicious domains, IPs, and URLs blocked, covers users managed by the Corporate Cybersecurity Department, and is reported as the annual average of all monthly measurements collected between January and December 2025. The KPI forms part of the Information Security Management System (ISMS) and is audited externally by BSI under ISO 27001 certification, ensuring rigorous oversight and verification.

Ransomware attacks detected and automatically blocked

In 2025, an annual average of 9.3 ransomware attacks per month were detected and automatically blocked. This indicator measures the effectiveness of detection and protection capabilities against ransomware, using the measurement criterion of Microsoft Defender (XDR) after the manual exclusion of potential false positives, and covers only users managed by the Corporate Cybersecurity Department. This KPI is included in the ISMS and is subject to the external audit (BSI) required for ISO 27001 certification.