Risk Report

In an increasingly complex environment, effective risk management, integrated into corporate management and aligned with the company’s strategy, constitutes a key competitive advantage.

Risk management is an essential pillar of business management practices, aimed at ensuring the achievement of strategic objectives. It is a shared responsibility among all Ferrovial members, from the Board of Directors to every employee.

The Board of Directors has defined and adopted a Risk Control and Management Policy (hereinafter, “the Policy”), in line with COSO ERM and the ‘Three Lines Model’ as international reference standards. Its purpose is to provide Ferrovial employees with a general framework for controlling and managing risks of any nature, including strategic, financial and sustainability reporting, operational and compliance risks, that they may face in fulfilling business objectives and Ferrovial’s overall strategy. It is reviewed at least once every three years, the latest update having taken place in 2025.

The Policy is complemented by other corporate policies and internal regulations and is implemented through Ferrovial’s Risk Management Procedure (FRM), as well as procedures related to specific risk domains (risk areas or activities) aligned with COSO ERM global methodology.

Regarding financial reporting risks, Ferrovial’s ICFR system is based on the model outlined by the Committee of Sponsoring Organizations of the Treadway Commission, known as the Internal Control Framework for Financial Reporting (ICFR), which incorporates requirements due to its Spanish, Dutch and Nasdaq listing and the provisions of the Sarbanes-Oxley Act (SOX). The main characteristics of the ICFR system are described in note 7.2 of the Consolidated Annual Accounts.

With respect to sustainability reporting risks, Ferrovial follows the recommendations of the Task Force on Nature-related Financial Disclosures (TNFD) and the Task Force on Climate-Related Financial Disclosures (TCFD), which are included in this report and for which relevant information can be found, among others, in:

  • IRO-1: DESCRIPTION OF PROCESSES TO IDENTIFY AND ASSESS MATERIAL IMPACTS, RISKS, AND OPPORTUNITIES RELATED TO CLIMATE
  • SBM-3: MATERIAL IMPACTS, RISKS AND OPPORTUNITIES AND THEIR INTERACTION WITH THE STRATEGY AND BUSINESS MODEL.

Compliance risks are managed through the general framework of COSO ERM, are governed by the framework of Ferrovial’s Compliance Policies and are adapted, where necessary, to the applicable laws in each of the jurisdictions where Ferrovial performs its activities. Particularly relevant are the Dutch Penal Code, the Spanish Penal Code, the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act.

The Compliance Program is assessed annually under the supervision of the Corporate Compliance Department, the Corporate Tax Department and the Tax Compliance Committee and reported to the Audit and Control Committee and Board of Directors. More information can be found under section G1-1: Corporate Culture and Business Conduct Policies in the Statement of Consolidated non-financial and sustainability information.

Operational risks are managed through the general framework of COSO ERM, and supervised by the Enterprise Risk Department as further detailed under the topic “Effective Risk Management: Ferrovial Risk Management (FRM)”.

The Risk Management process, defined in the FRM Procedure, comprises the identification, assessment, management, control, monitoring and reporting of risks within Ferrovial and follows these basic principles:

  • It must cover the possible risk factors that may be present in the pursuit of the strategic objectives.
  • It is integrated into Ferrovial’s processes, especially those related to strategy and planning or those that have a higher impact on reaching strategic objectives.
  • The approach for the identification, management and control of risks is homogeneous and systematic across the Group and seeks the involvement in decision-making of the parties concerned.
  • It will focus not only on imminent risks but also on emerging ones. Ferrovial’s understanding is that emerging risks are new or known risks that are changing or present themselves in a new form. These are difficult to quantify, and the probability of their materialization is difficult to establish, with their impact being in the medium/long term. Additionally, they have the potential to have a significant impact on the business.
  • Reporting of the main risks that could affect the achievement of strategic objectives will be transparent and without delay, allowing the governing bodies of Ferrovial to act if needed.
  • Responsibilities will be shared in key processes to seek diversification of critical functions, mitigating the risk of fraud and errors.
  • It will be performed pursuant to the applicable laws and regulations and in respect of the principles of behaviour included in the Code of Business Ethics.
  • Continuous improvement will be sought through periodic assessments of the FRM process, being verified both internally and externally.

GOVERNANCE OF THE MODEL

The Board of Directors is responsible for establishing the level of risk the Company is willing to assume in the course of its activities (Ferrovial’s risk appetite), as well as for designing, implementing, and maintaining appropriate internal risk management and control systems that enable the achievement of its strategic objectives.

The Audit and Control Committee assists the Board of Directors in fulfilling its responsibilities. Among its functions is supervising and evaluating the effectiveness of Ferrovial Group’s risk management and control systems, which include strategic, financial and sustainability reporting, operational, and compliance risks.

The Chief Executive Officer and members of the Management Committee are responsible for implementing the Policy throughout the Group.

Enterprise Risks reports directly to the Audit and Control Committee of the Board of Directors. It is independent of business lines and is responsible for developing the risk management process (FRM). Additionally, it reports quarterly to the Management Committee, semi-annually to the Audit and Control Committee, and at least annually to the Board of Directors.

Aligned with the ‘Three Lines Model’:

  • The first line includes all business managers, responsible for identifying and managing risks associated with achieving objectives in their area of activity.
  • The second line, composed of certain divisional and corporate departments, including Enterprise Risks, is responsible for establishing policies and strategies regarding their specific risks and overseeing them across the organization.
  • Internal Audit acts as an independent third line, providing assurance to senior management and the Audit and Control Committee on the proper functioning of the Risk Management and Control System.

RISK APPETITE

The Board of Directors sets the risk appetite Ferrovial is willing to assume in achieving its strategic objectives, including both qualitative statements of appetite and quantified tracking metrics. This process involves Senior Management, which, after analyzing potential impacts on the strategic plan, proposes revisions to existing metrics and the inclusion of new ones to facilitate organizational alignment. Risk appetite is a key element of risk management, forming part of the Policy, and was reassessed in 2025.

Ferrovial has defined a risk appetite scale ranging from aversion to a high willingness to assume risk. For the main critical areas—Regulatory Compliance, Growth, Operational Performance, Financial Management, Environment, and Health & Safety—qualitative statements have been defined to reflect the level of risk accepted within the framework of strategic objectives. Additionally, specific metrics have been incorporated for the most relevant factors, allowing appetite to be quantified and monitored. Compliance with the approved appetite is monitored and periodically reported to the Audit and Control Committee, which in turn reports to the Board. The goal is to align the company using appetite as a management and decision-making tool.

EFFECTIVE RISK MANAGEMENT: FERROVIAL RISK MANAGEMENT (FRM)

FRM process stages: Identification, Valuation, Management, Monitoring, Reporting

The Risk Management process, defined in FRM, includes the identification, valuation, management, monitoring, control, and reporting of risks within the Ferrovial Group.

Identification and assessment are carried out twice a year and involve all business divisions and geographic areas of the Ferrovial Group. The approach is bottom-up, starting at the project level and ascending through Ferrovial’s hierarchical structure via validation exercises up to the Management Committee. Using corporate scales, inherent risk—prior to specific control measures applied to mitigate risk—and residual risk—considering specific control measures—are assessed, analyzing in both cases the likelihood of occurrence and potential impact on the Ferrovial Group through two different dimensions: economic and reputational.

The objective is to prioritize and allocate Ferrovial’s resources correctly, identifying risks with the greatest impact and deviation from the defined appetite. For all risks exceeding a certain threshold on the scale, the process requires action plan identification and implementation. Additionally, during 2025, a risk alert system was developed through Key Risk Indicators (KRIs) for all risks with critical or high impact. Enterprise Risks periodically monitors this information, reporting quarterly to the Management Committee and twice a year to the Audit and Control Committee.

Furthermore, the identification and assessment of emerging risks are carried out annually and are a fundamental part of the function’s forward-looking vision. This process involves multidisciplinary teams within the Ferrovial Group and is complemented by information from external sources such as Gartner, World Economic Forum or the CRO Forum.

The risk management process is periodically reviewed with the aim of continuous improvement. During 2025, Ferrovial launched a project to update the FRM model, including the implementation of a new GRC system, which will be operational in 2026 and will further develop the valuation, control, monitoring and management of Ferrovial’s risk system. Furthermore, the GRC will serve as a unified platform for other areas that manage or oversee specific risks; where applicable, these domains will be integrated with the FRM. These improvements fulfil the recommendations from the most recent reviews included in the latest internal audit and an external consulting exercise, both conducted in the past two years. Additionally, in collaboration with an external consultant and on an annual basis, a self-assessment and a benchmarking analysis with international sector companies are carried out.

The Board of Directors and Audit and Control Committee perform an annual assessment of the effectiveness of the Risk and Control management systems, included under section 9. CORPORATE GOVERNANCE STATEMENT, STATEMENTS BY THE BOARD ON RISK MANAGEMENT of the Corporate Governance Report. In 2025 they relied on, among others, the following resources:

  • Its own assessment of the information presented by the Ferrovial Group management, including a self-assessment of the risk management system. During 2025, the Audit and Control Committee reviewed Ferrovial’s risk map in May and its subsequent update in December. Additionally, it periodically receives information on the evolution of key risks and their mitigation plans.
  • Analysis provided by the Internal Audit department.
  • External audits regarding reporting risks for both financial and sustainability information.

Ferrovial believes it has a strong risk management culture present across all its divisions, supported by various initiatives such as periodic risk training programs and the inclusion of specific risk management metrics within senior management’s financial incentives. The Board of Directors receives annual specialized and updated training aimed at strengthening, among other things, its risk oversight function. These training sessions, which address key topics such as cybersecurity and sustainability, aim to ensure that Board members have the appropriate knowledge, thereby fostering continuous improvement in decision-making processes and risk management.

FERROVIAL RISK MANAGEMENT

MAIN RISKS

The chart shows the most relevant risk events that threaten the execution of Ferrovial’s corporate strategy.

The most relevant risk events, their potential impact and the main control measures implemented to mitigate their impact and/or probability of occurrence are described below. In addition, the level of risk appetite that Ferrovial is willing to assume in accordance with the Risk Control and Management Policy is indicated for each of them.

Pursuant to Ferrovial’s listing on Nasdaq, Ferrovial is also required to make public and file an annual report on Form 20-F, which includes a detailed description of the inherent risk factors that may affect Ferrovial, and which is available on Ferrovial’s website www.ferrovial.com.

Risk Event | Description | Potential Impact | Control measures
Geopolitical instability

In addition to the challenges arising from the conflicts in Ukraine and the Middle East, which may generate price volatility and/or the reemergence of global-scale bottlenecks, there is growing uncertainty regarding potential regulatory and trade changes driven by the United States. Such measures could impact both competitiveness and access to certain markets, increasing operational costs and the complexity of managing global projects.

Potential impact:
  • Margin reduction due to rising costs
  • Failure to meet client commitments
  • Failure to achieve growth targets

Control measures:
– Introduction of price review mechanisms in contracts
– Negotiation of pre-contracts with suppliers and subcontractors
– Early supply planning from the study and bidding phase
– Monitoring market trends and supply planning
– Hedging of materials and interest rates

Cyberthreats

Cyber threats represent a significant and sustained risk for organizations due to the increasing integration of digital products and services in hyperconnected environments. Armed conflicts that enable state-sponsored threats, the proliferation of organized crime, and the use of Artificial Intelligence (AI) as an amplifier of existing threats result in more successful and impactful attacks, such as supply chain attacks, asset disruption, phishing, digital identity theft, fraud, and more.

Consequently, infrastructures may be vulnerable to these threats, potentially affecting the normal operation of assets, their ability to generate expected value, and the company’s reputation.

Potential impact:
  • Degradation or inability to operate assets
  • Economic loss due to activity recovery costs
  • Penalties for regulatory and/or contractual breaches
  • Impact on the business plan, leading to a reduction in asset value
  • Damage to corporate reputation and competitive advantage, compromising potential business opportunities
  • Loss or theft of know-how and/or intellectual and industrial property
  • Data hijacking
  • Impact from fraud

Control measures:
– Global Security Model based on NIST CSF and ISO 27002, ISO 27001 certified (audited annually)
– Security capabilities and controls periodically assessed to implement the security model
– Global Cybersecurity Committee and Community as key drivers for deploying security capabilities
– Insurance policies covering various types of cyber incidents
– Formal collaboration agreements with National and International Cybersecurity Agencies
– Advanced AI-powered capabilities for protection, detection, and response to threats

Availability of value generating projects

Large infrastructure development and operation projects in the transportation sector are exposed to a highly competitive market and subject to political decisions and social movements that may impact the availability of attractive projects for the company. All of this can affect Ferrovial’s growth and its ability to achieve its strategic objectives.

Potential impact:
  • Reduction of value-generating business opportunities
  • Achievement of growth objectives
  • Margin reduction due to increased risk

Control measures:
– Analysis of new markets
– Unsolicited infrastructure project proposals
– Review of risk profile by project type

Health and Safety

Accidents may occur at the sites and facilities of our projects and infrastructure assets, which could seriously disrupt our operations and cause harm to our employees or customers. This, in turn, could have a material adverse effect on our business, financial position, operating results, and reputation.

Potential impact:
  • Physical harm to employees and third parties
  • Operational impacts due to disruption of operations
  • Civil/criminal liability
  • Damage to corporate reputation
  • Difficulty accessing financing and/or worsening of conditions

Control measures:
– Integration of occupational health and safety as a core company value
– Implementation of a health, safety, and well-being strategy, with a stronger operational focus
– Annual health, safety, and wellbeing plans
– Active involvement of senior management in health, safety, and well-being matters
– President’s Health, Safety, and Wellbeing Awards
– Deployment of health and safety prevention systems
– Continuous employee training
– Awareness and sensitization campaigns
– Audit plan for management systems
– Civil and professional liability coverage

Talent retention and attraction

The high demand for qualified professionals, combined with low unemployment rates in some of Ferrovial’s target markets and the declining attractiveness of the construction sector for new professionals, increases the risk of attracting and retaining talent. This could affect our competitiveness and have an adverse effect on our business, financial position, and operating results.

Potential impact:
  • Loss of business opportunities due to lack of qualified personnel
  • Failure to meet client commitments (deadlines, quality, etc.)
  • Margin reduction due to increased costs

Control measures:
– Talent identification and development plan within the organization
– Strengthen local talent attraction
– Specific plans for key personnel
– Promotion of diverse talent; equity and inclusion

Design, construction, and operation of Projects

Ferrovial’s strategy is focused on technically complex projects with long development periods, during which numerous risk factors may arise, sometimes difficult to foresee.

These circumstances can lead to noncompliance in terms of quality, deadlines, or expected performance, resulting in disputes with clients, counterparties, or affecting the company’s own interests.

In addition, the growing activity in the U.S. legal environment, characterized by high litigation and complex regulation, may increase legal conflicts, costs, and reputational risk for the company.

Potential impact:
  • Margin reduction due to increased costs
  • Damage to corporate reputation
  • Increase in legal costs
  • Higher insurance premiums

Control measures:
– Review of risk profile by project type
– Protective contractual clauses
– Transfer of certain risks to the insurance market (Civil Liability, Property Damage, and Construction Insurance, among others)

Regulatory Complexity

Listing on new markets entails compliance with information and control requirements, the breach of which could result in sanctions from regulatory bodies, as well as a loss of confidence among investors, clients, and analysts.

Potential impact:
  • Loss of credibility with investors, clients, analysts, and rating agencies
  • Penalties for non-compliance with requirements

Control measures:
– Development of the internal control process over financial information in accordance with U.S. Sarbanes-Oxley (SOX) legislation
– Communication campaign with stakeholders
– Compliance program

Climate change

Ferrovial is exposed to risks arising from climate change. On one hand, there are physical risks, such as extreme weather events, which can affect infrastructure. In addition, there are transition risks, as global trends aimed at reducing the causes and consequences of climate change may lead to economic effects (such as increased raw material costs), as well as regulatory, technological, and/or reputational impacts.

Potential impact:
  • Operational disruptions due to physical damage to infrastructure
  • Reduced productivity under extreme weather conditions
  • Increase in insurance premiums
  • Higher operational costs due to rising raw material prices, increased fossil fuel taxes, or adaptation to new technologies, among others

Control measures:
– Process for identifying and assessing climate-related risks to which the company may be exposed
– Review of the Deep Decarbonization Path
– Control and monitoring tools
– Implementation of recommendations from the Task Force on Climate-related Financial Disclosures (TCFD)

Ethics and Integrity

The company faces the risk that employees or collaborators may engage in acts that violate standards and requirements of integrity, transparency, compliance with the law, and respect for human rights, particularly acts of corruption.

Potential impact:
  • Criminal liability for individuals and the company
  • Loss of business opportunities due to non-compliance with ethical requirements
  • Damage to corporate reputation
  • Economic impact from sanctions

Control measures:
– Compliance program aimed at preventing acts contrary to ethics and integrity, following DOJ guidelines
– Certified criminal compliance and anti-bribery management system (UNE-ISO 19601 and ISO 37001)
– Specific training and communication plan to promote an ethical culture and prevent corruption

Financial risks

(see note 5.4 of the Consolidated Annual Accounts for further information)

The company’s businesses are affected by changes in financial variables such as interest rates, exchange rates, inflation, credit, or liquidity.

Potential impact:
  • Loss of opportunities due to reduced project financing capacity
  • Reduction of net margins
  • Fulfillment of financial commitments

Control measures:
– Financial risk management policies
– Analysis and active management of exposure to key financial variables
– Effective management of financial alternatives

EMERGING RISKS

The FRM process also identifies, assesses, and monitors emerging risks caused by external factors with a potentially significant long-term impact on the business. Among others, the following risks stand out:

Risk Event | Description | Potential Impact | Control measures

Disruptive technologies in mobility

Several emerging technologies and trends have the potential to change long-term mobility patterns in ways that could negatively impact the business. The rise of vehicle automation could reduce travellers’ willingness to pay for road infrastructure that saves time, while the expansion of AI could lead to job losses among current commuters.

Potential impact:
  • Decrease in overall travel demand
  • Reduction in project margins and cash flows
  • Reduction in business opportunities

Control measures:
– Monitoring emerging trends to ensure business model resilience against potential changes
– Scenario analysis exercises
– Strategic partnerships with leading companies

Air Travel Sustainability Risk

The perception that air travel does not contribute to sustainability could lead to a possible decrease in air travel due to a combination of factors, such as the effects of climate change, health risks, and growing awareness of tourism’s environmental impact. This change could first affect “business” flights, which may be reduced to align with new sustainability policies, and secondly could impact leisure/tourism flights, which might decrease as a result of greater environmental awareness.

Potential impact:
  • Decrease in air traffic demand
  • Higher costs due to new regulation
  • Disruption of strategic plans and future business opportunities

Control measures:
– Continuous monitoring and analysis of emerging trends
– Scenario analysis exercises