Universal Registration Document 2022

Introduction

The Contract Management function, led by the Contract Management Department, itself reporting to the Group Legal Affairs Department, aims to improve risk management and create opportunities in the management of contracts. This function calls on the involvement of Contract Managers from the departments throughout the contractual process. It is an additional line of defence in the management of contracts, along with Group senior managers and the departments.

In response to the regulations and laws adopted by the USA and China, and in order to ensure its compliance with these laws and decisions, the EDF group (EDF, NNB, Framatome, etc.) has taken precautionary measures in connection with the organisation of its nuclear projects, particularly in the United Kingdom.

4C – Occupational health or safety violations (employees and service providers)

Summary: The Group is exposed to health and safety risks in the workplace, both in terms of its employees and those of its service providers.

Criticality: Intermediate

a) Main risks

Human resources and their related skills are a major challenge for the Group and its service providers. The industrial nature and diversity of the Group’s activities reinforce the crucial importance of complying with the rules and taking into account the various risks that may affect people working in the Group’s industrial facilities in order to protect health and safety in the workplace.

The risk of work-related accidents or occupational illnesses cannot be excluded in any of the Group’s areas of activity. The occurrence of such events may lead to lawsuits against the Group and may result in the payment of damages, which could be significant.

b) Control actions

The Group has for many years taken the steps necessary to comply with the health and safety laws and regulations in the various countries in which it operates, and considers that it takes the measures required to ensure the health and safety of both its employees and its subcontractors.

Each Group entity has action plans aimed at continuously improving health and safety at work. Actions are also carried out at the Group level as a whole: definition and promotion of the vital rules and the BEST reference framework for health and safety management, one-day shutdown on 13 October 2022 for each team to reflect on improving and strengthening safety actions at shop-floor level (see section 3.3.1.3 “Health and safety of employees and subcontractors”).

4D – Attacks against assets, including cyber attacks

Summary: The Group is exposed to risks of failure of or damage to its tangible or intangible assets, including its information system. In particular, these risks may arise from malicious actions, including cybercrime.

Criticality: Intermediate

a) Impact on assets

Main risks

The Group’s assets consist of its staff and its tangible and intangible assets. The facilities or assets operated by the Group or its employees may be the target of malicious acts of any kind. These acts could have negative consequences on the Group’s operational activity, financial position, legal situation, assets or reputation.

The Group would also be forced to make additional investments or incur additional costs if laws and regulations relating to the protection of sensitive sites and critical infrastructures became more stringent.

Control actions

The EDF group has defined its Security of Assets against Malicious Acts policy to prevent this risk and limit its impact in the event of an attack. This policy is supplemented by procedures for the protection of people, property assets, intangible assets, instructions and an IT tool for collecting security incidents. This policy and procedure were updated in 2021 to take into account the changing threat environment. These policies and procedures are supported by a network of Asset Security Managers (RSP) who are members of the entities’ Management Boards.

The main asset-protection actions are:

  • coordination of the RSP network, training of new RSPs, letters (DSIE@eDF), support on request (e.g. security of premises, projects abroad and security, etc.) and presentations on current topics (IGI 1300 interministerial general instruction regarding classified media and documents & secrecy protection, new tool for collecting security incidents, etc.);
  • production of an e-learning course on the Security of Assets against Malicious Acts policy;
  • adapting the EDF procedures for implementing the Group’s Asset Security policy in dealing with malicious acts, in particular the Classification and Protection of Information memorandum and the procedure for reporting security incidents;
  • implementation of the new security incident collection application;
  • participating in steering the implementation of the NIS directives and the Military Programming Act (LPM) in conjunction with ANSSI, DSIG and the entities involved;
  • contributing to the introduction of the obligations associated with the new version of the IGI 1300, an instruction involving significant changes for the Group:
    • participating in the drafting of the IGI 1300 ministerial memoranda with the French ecological transition Ministry (MTE) and other relevant operators,
    • drafting IGI implementation internal memoranda,
    • assisting entities in the implementation of this instruction by ensuring that all regulatory obligations are properly implemented;
  • setting up a training course with the DGSI and the DRHG on radicalisation and religious issues in companies for HRDs, managers and lawyers;
  • helping to take into account “Asset Security” files during the development of IS applications, etc.;
  • contributing to the preparation of compliance files.

b) Information Systems failure, including from cyber attacks

Main risks

The Group operates multiple, interconnected and complex information systems (databases, servers, networks, applications, etc.) that are essential to the conduct of its commercial and industrial activity, the preservation of its human, industrial and commercial assets, and the protection of personal data (of customers and employees) and that must adapt to a rapidly changing context (digital transition, development of working-from-home, new ways to share work in extended companies with suppliers, changes in regulations, etc.).

The facilities and assets operated by the Group or its employees may be the target of external attacks or malicious acts of any kind. An attack or malicious act committed on these facilities could have consequences such as injury to persons and/or damage to property, the Group being held liable on the grounds of measures judged to be inadequate, and interruptions to operations. The Group would also be forced to make additional investments or incur additional costs in the event of greater stringency in laws and regulations relating to the protection of sensitive sites and critical infrastructures.

The frequency and sophistication of information system hacking and data corruption incidents are increasing worldwide. A malicious attack or any other failure resulting in the unavailability of information systems may have a negative impact on the Group’s operating activity, financial, legal and asset situation or reputation.