Risk management and strategy

On November 15, 2023, the Board approved the Information Security Incident Management Policy (the “Cybersecurity Policy”) which establishes guidelines to identify, assess, manage and communicate material risks from cybersecurity incidents. The Cybersecurity Policy is applicable to the Company and its subsidiaries’ information systems and supporting infrastructure in all locations. It also covers processes to oversee and identify risks from cybersecurity threats associated with the use of third-party service providers, being an important part of the Company’s global risk management strategy. In addition to the Cybersecurity Policy, the Company has enacted a cybersecurity risk matrix (the “Cybersecurity Risk Matrix”) to determine cybersecurity risks and align projects to address such risks. Therefore, our actions, plans and projects are aligned with the risks identified within such Cybersecurity Risk Matrix which is reviewed annually by information security officers and authorized by the corporate information security manager.

All strategic information security projects are established in a global strategic plan, based on the analysis of the risks determined and classified in accordance with the Cybersecurity Risk Matrix. Critical risks are addressed by a combination of security services and technology. Also, a global security operation center and an incident response and threat intelligence service are in place. A combination of information security applications and monitoring controls are also used to detect and protect the information assets based on protection layers criteria. Global penetration testing and security reviews are regularly performed in our subsidiaries. In 2025, the Information Security Dept. implemented a new preventive strategy grounded in offensive security principles. This approach includes ongoing ethical hacking activities targeting both applications and IT infrastructure worldwide. These tasks are conducted by CAAP’s ethical hacking team, supported by specialized cybersecurity professionals from Ernst & Young (EY) Argentina.

Also, the Cybersecurity Policy created the Information Security Incident Response Committee which is a non-permanent body, mainly responsible for coordinating and authorizing the strategy and tasks to contain a Cybersecurity Incident and restore normal operation. The members of the ISIRC are:

According to the Cybersecurity Policy, Cybersecurity Incidents must be classified by the local security manager from a technical perspective in critical, high, medium, low, or very low based on the Incident Impact Calculation Matrix. Such classification is reviewed by the ISIRC, from a qualitative and quantitative perspective, and considers factors that are not taken into account in a mathematical calculation, in order to determine the severity of the incident.

The Cybersecurity Policy establishes an incident management process, which can be defined as a plan to manage Cybersecurity Incidents and to ensure that the Company takes immediate action in case of any incidents. The incident management process consists of the following phases: (i) detection; (ii) analysis and early communication; (iii) containment; (iv) eradication; (v) recovery; (vi) documentation and improvement proposals; and (vii) disclosure.

The phase of “detection” involves (i) data gathering and analysis; (ii) identification of indicators of an attack or compromise of the network; and (iii) correlating events and having the intelligence to identify early signs of an attack. Examples of detectable events include data breaches, an unusual number of locked accounts, encrypted files, among others. Upon detection of a Cybersecurity Incident, such incident is immediately reported to the Local Cybersecurity Manager/Responsible who then convenes an ISIRC meeting. As per the Cybersecurity Policy, once a Cybersecurity Incident is identified, the Local Cybersecurity Manager/Responsible shall classify it from a technical perspective based on the Incident Impact Calculation Matrix, prepare the corresponding Cybersecurity Incident Report and create a record of the information and documentation related to the incident. All the information related to the Cybersecurity Incident is then submitted to the ISIRC which shall review the classification provided by the Local Cybersecurity Manager/Responsible and define the severity of the incident.

​

The Cybersecurity Incidents which individually or in the aggregate are classified by the ISIRC as critical or high, must be reported by the ISIRC to our Executive Committee, which shall analyze if the incident must be disclosed. The Cybersecurity Policy also establishes that in case of detection of any Cybersecurity Incident, it shall be immediately reported to the local cybersecurity officer (local or corporate), who will call an ISIRC meeting. In case of critical or high incident, the Executive Committee must then report it to the Board of Directors of the Company.

In relation to the “containment” strategy, the Cybersecurity Policy establishes that it is dependent on the type of attack and its potential impact on the organization. In any case, after the Cybersecurity Incident has been successfully contained, any element or change produced because of the Cybersecurity Incident must be repaired. This could include rebuilding affected servers, removing malware, or closing and resetting passwords of breached accounts.

On the “recovery” phase, every affected system should be restored in order to reinstate regular operations.

After receiving information from the ISIRC, the Executive Committee must determine if a Cybersecurity Incident is material, or if any series of related Cybersecurity Incidents taken together are material, in which case it must decide the necessity and extent of any ongoing and annual disclosures. In order to determine the materiality of a Cybersecurity Incident or series of related cybersecurity incidents taken together, our Executive Committee must evaluate the impact of such incident from a quantitative and a qualitative perspective, as well as, if there is a substantial likelihood that a reasonable investor would have considered it important in making an investment decision or if it significantly alters the total mix of available information. As part of the materiality analysis, our Executive Committee may consider both the immediate fallout and any longer-term effects, including on our operations, finances, brand, reputation and customer relationships. If the Executive Committee deems it necessary, could report the Cybersecurity Incident to our Board of Directors, to be involved in the determination of materiality of the incident.

The Head of Legal and Compliance leads the disclosure process if the Cybersecurity Incident is material. In accordance with the terms and conditions of our third-party agreements, our providers are obliged to inform us immediately in the case of detection of a Cybersecurity Incident that could involve the Company in any manner, in which case the local cybersecurity manager must call an ISIRC who must define if it should be reported to the Executive Committee to determine if it is material.

We also created a global information security department which reports to the Executive Committee. We also hired a global information security manager and reinforced the global information security department with multicultural security specialists in different locations. This area was reorganized in 2024 to incorporate an Identity and Access Manager, to increase the protection and focus over users account, identities and access management. In 2025, we strengthened our cyber defense capabilities by bringing on a Global Cybersecurity Manager to lead corporate level incident response and drive key strategic cybersecurity initiatives. Jointly global and local information security departments are focused on cybersecurity risks, contingency procedures, security governance, access and identity management, infrastructure protection and monitoring, researching and deploying of new technology to improve protection of information and communication systems.

Finally, although our business strategy, results of operations or financial condition have not been materially affected by Cybersecurity Incidents up to the date of this annual report on Form 20-F, we understand that the cybersecurity risks have been increasing, especially as infiltrating technology continues to become increasingly sophisticated, and while we have implemented several measures and procedures to mitigate such risk, such as the Cybersecurity Policy, we must remain vigilant and alert to such risks and keep our systems and procedures updated to the most recent trends.

On November 15, 2023, the Board approved the Information Security Incident Management Policy (the “Cybersecurity Policy”) which establishes guidelines to identify, assess, manage and communicate material risks from cybersecurity incidents. The Cybersecurity Policy is applicable to the Company and its subsidiaries’ information systems and supporting infrastructure in all locations. It also covers processes to oversee and identify risks from cybersecurity threats associated with the use of third-party service providers, being an important part of the Company’s global risk management strategy. In addition to the Cybersecurity Policy, the Company has enacted a cybersecurity risk matrix (the “Cybersecurity Risk Matrix”) to determine cybersecurity risks and align projects to address such risks. Therefore, our actions, plans and projects are aligned with the risks identified within such Cybersecurity Risk Matrix which is reviewed annually by information security officers and authorized by the corporate information security manager.

All strategic information security projects are established in a global strategic plan, based on the analysis of the risks determined and classified in accordance with the Cybersecurity Risk Matrix. Critical risks are addressed by a combination of security services and technology. Also, a global security operation center and an incident response and threat intelligence service are in place. A combination of information security applications and monitoring controls are also used to detect and protect the information assets based on protection layers criteria. Global penetration testing and security reviews are regularly performed in our subsidiaries. In 2025, the Information Security Dept. implemented a new preventive strategy grounded in offensive security principles. This approach includes ongoing ethical hacking activities targeting both applications and IT infrastructure worldwide. These tasks are conducted by CAAP’s ethical hacking team, supported by specialized cybersecurity professionals from Ernst & Young (EY) Argentina.

Also, the Cybersecurity Policy created the Information Security Incident Response Committee which is a non-permanent body, mainly responsible for coordinating and authorizing the strategy and tasks to contain a Cybersecurity Incident and restore normal operation. The members of the ISIRC are:

According to the Cybersecurity Policy, Cybersecurity Incidents must be classified by the local security manager from a technical perspective in critical, high, medium, low, or very low based on the Incident Impact Calculation Matrix. Such classification is reviewed by the ISIRC, from a qualitative and quantitative perspective, and considers factors that are not taken into account in a mathematical calculation, in order to determine the severity of the incident.

The Cybersecurity Policy establishes an incident management process, which can be defined as a plan to manage Cybersecurity Incidents and to ensure that the Company takes immediate action in case of any incidents. The incident management process consists of the following phases: (i) detection; (ii) analysis and early communication; (iii) containment; (iv) eradication; (v) recovery; (vi) documentation and improvement proposals; and (vii) disclosure.

The phase of “detection” involves (i) data gathering and analysis; (ii) identification of indicators of an attack or compromise of the network; and (iii) correlating events and having the intelligence to identify early signs of an attack. Examples of detectable events include data breaches, an unusual number of locked accounts, encrypted files, among others. Upon detection of a Cybersecurity Incident, such incident is immediately reported to the Local Cybersecurity Manager/Responsible who then convenes an ISIRC meeting. As per the Cybersecurity Policy, once a Cybersecurity Incident is identified, the Local Cybersecurity Manager/Responsible shall classify it from a technical perspective based on the Incident Impact Calculation Matrix, prepare the corresponding Cybersecurity Incident Report and create a record of the information and documentation related to the incident. All the information related to the Cybersecurity Incident is then submitted to the ISIRC which shall review the classification provided by the Local Cybersecurity Manager/Responsible and define the severity of the incident.

​

The Cybersecurity Incidents which individually or in the aggregate are classified by the ISIRC as critical or high, must be reported by the ISIRC to our Executive Committee, which shall analyze if the incident must be disclosed. The Cybersecurity Policy also establishes that in case of detection of any Cybersecurity Incident, it shall be immediately reported to the local cybersecurity officer (local or corporate), who will call an ISIRC meeting. In case of critical or high incident, the Executive Committee must then report it to the Board of Directors of the Company.

In relation to the “containment” strategy, the Cybersecurity Policy establishes that it is dependent on the type of attack and its potential impact on the organization. In any case, after the Cybersecurity Incident has been successfully contained, any element or change produced because of the Cybersecurity Incident must be repaired. This could include rebuilding affected servers, removing malware, or closing and resetting passwords of breached accounts.

On the “recovery” phase, every affected system should be restored in order to reinstate regular operations.

After receiving information from the ISIRC, the Executive Committee must determine if a Cybersecurity Incident is material, or if any series of related Cybersecurity Incidents taken together are material, in which case it must decide the necessity and extent of any ongoing and annual disclosures. In order to determine the materiality of a Cybersecurity Incident or series of related cybersecurity incidents taken together, our Executive Committee must evaluate the impact of such incident from a quantitative and a qualitative perspective, as well as, if there is a substantial likelihood that a reasonable investor would have considered it important in making an investment decision or if it significantly alters the total mix of available information. As part of the materiality analysis, our Executive Committee may consider both the immediate fallout and any longer-term effects, including on our operations, finances, brand, reputation and customer relationships. If the Executive Committee deems it necessary, could report the Cybersecurity Incident to our Board of Directors, to be involved in the determination of materiality of the incident.

The Head of Legal and Compliance leads the disclosure process if the Cybersecurity Incident is material. In accordance with the terms and conditions of our third-party agreements, our providers are obliged to inform us immediately in the case of detection of a Cybersecurity Incident that could involve the Company in any manner, in which case the local cybersecurity manager must call an ISIRC who must define if it should be reported to the Executive Committee to determine if it is material.

The Cybersecurity Incidents which individually or in the aggregate are classified by the ISIRC as critical or high, must be reported by the ISIRC to our Executive Committee, which shall analyze if the incident must be disclosed. The Cybersecurity Policy also establishes that in case of detection of any Cybersecurity Incident, it shall be immediately reported to the local cybersecurity officer (local or corporate), who will call an ISIRC meeting. In case of critical or high incident, the Executive Committee must then report it to the Board of Directors of the Company.

The Information Security Corporate Manager has more than twenty years of progressive experience in all aspects of technology risk management, and has a deep understanding of strategic and tactical aspects of information technology security, internal control over information technology and operational processes over critical assets and infrastructure. The Information Security Corporate Manager is experienced in aspects as a comprehensive access management strategy, cybersecurity monitoring and governance, awareness programs, business continuity strategy, information technology general controls under the Sarbanes-Oxley Act, among others.