Intesa Sanpaolo

Audit Report / Information • Mar 28, 2025

Report of the Management Control Committee to the Shareholders' Meeting on the supervisory activities performed in 2024

pursuant to Article 153, paragraph 1, of Legislative Decree 58 of 24 February 1998, and Article 23.1, letter j), of the Articles of Association

Distinguished Shareholders,

As you are aware, the one-tier governance model adopted by Intesa Sanpaolo S.p.A. ("Bank" or "Parent Company") consists of a Board of Directors ("Board") with steering and strategic supervision duties, management duties as well as control duties performed by the Management Control Committee ("Committee" or "Control Body") appointed by the Shareholders' Meeting as part of the Board itself. The Committee currently in office was appointed by the Shareholders' Meeting held on 29 April 2022.

The Committee plays a proactive role, within its own areas of responsibility, towards the Corporate Control Functions and engages in constructive dialogue with the Management of the Bank and the Intesa Sanpaolo Group ("Group"), including on the basis of information received during board meetings and deemed worthy of further in-depth analysis. The activities carried out also take account of the indications provided by the Chair of the Committee during the periodic meetings held with the dedicated Secretariat, aimed at a mutual exchange of information deemed worthy of attention and the subsequent planning of the work of the Committee itself.

The Committee, in the fulfilment of its duties and in the interest of the best performance thereof, exchanges information of reciprocal interest and coordinates the performance of their respective duties with the Risk and Sustainability Committee, established within the Board, and with the Surveillance Body pursuant to Legislative Decree 231/2001. A Committee member usually attends meetings of the Risk and Sustainability Committee, subsequently reporting to the Control Body.

Pursuant to Article 153, paragraph 1, of Legislative Decree 58/1998, ("Consolidated Law on Finance"), the Committee is required to report to the Shareholders' Meeting, called to approve the financial statements for the period, on its supervisory activities and on any omissions or reprehensible facts recorded. This requirement is also stated in Article 23.1, letter j), of the Bank's Articles of Association. The Report was prepared taking into account the Consob recommendations on the matter and, in particular, Communication 1025564 of 6 April 2001 and subsequent updates, expressly referred to in the text.

During 2024, the following meetings were held:

• − 21 meetings of the Board of Directors;
• − 41 meetings of the Management Control Committee.

1. SUPERVISION OF COMPLIANCE WITH THE LAW AND THE MEMORANDUM OF ASSOCIATION

Regulatory developments

Following the changes in the Supervisory Provisions and more generally to external rules, the Committee examined, within its own remit, the proposals to adopt and update some of the internal regulations. In particular, the Committee issued the required opinion on updating the Group Procedures regulating the conduct of Transactions with Related Parties of Intesa Sanpaolo, Associated Entities of the Group and Relevant Parties pursuant to Art. 136 of the Consolidated Law on Banking ("RPT Procedures").

Relations with Supervisory Authorities

The Committee is promptly informed, also with the support of its dedicated Secretariat, of the main communications addressed to the Bank by the Italian and European Supervisory Authorities relating to the matters within its remit, with particular regard to the control system.

With regard to relations with the European Central Bank ("ECB"), the Committee received, amongst other things, regular updates on the preparation and development of the Supervisory Plans following the On-site Inspections, Thematic Reviews and Deep Dives by the Authority itself.

9) Opinions

10) Meetings

The Committee also received the required information and the consequent updates, within its own remit, regarding relations between the Bank and the other Supervisory Authorities, both Italian and of other EU and non-EU countries.

Self-assessment and verification of requirements

As required by the internal rules, the Committee performed the usual annual self-assessment of its own composition and operation that was separate to the one carried out by the Board. As is common knowledge, this exercise was also aimed at assessing the correct and effective performance of the tasks entrusted to the Committee in its capacity as the Control Body of the Bank according to criteria and methods consistent with its own attributes.

Again in 2024, in line with the previous year and with the activities carried out by the Board, the Committee availed itself of the preliminary analysis performed by an independent external consultant. The qualitative and quantitative results confirmed the Committee's adequacy and high level of overall compliance with the provisions of the Corporate Governance Code for listed companies ("Corporate Governance Code"), the guidelines of the European Banking Authority ("EBA"), the provisions of Bank of Italy Circular 285/2013 and with best practices. At the end of the process, on 16 December 2024, the Committee expressed an assessment of adequacy with regard to its own size, composition and operation.

In addition, ahead of the renewal of the Bodies, the Committee analysed - for aspects within its competence - the document containing the Guidance that the Board makes available to the Shareholders in order to facilitate the process of defining the best proposals to identify the candidates for the office of member of the Board of Directors and member of the Management Control Committee.

Moreover, in accordance with the requirements of the internal rules, which incorporate the guidelines issued by EBA and by the European Securities and Markets Authority ("ESMA") implementing the principles set out in the EU Directive 36/2013 ("CRD IV"), on 25 February 2025, the Committee assessed that each of its members meets the necessary requirements, including the absence of significant financial relationships with Group companies, as well as compliance with the limitation of directorships for the purpose of assessing their independence in line with the provisions of the Regulation adopted on this subject by the Board.

As envisaged by the Corporate Governance Code, the members of the Committee ascertained the correct application of the assessment criteria and procedures adopted by the Board for evaluating the independence of its members.

Applications

With reference to a complaint pursuant to Article 2408 of the Italian Civil Code filed by a shareholder with regard to alleged irregularities relating to the liquidation of an Intesa Sanpaolo Vita policy occurring at the death of the policyholder, the Committee examined the results of the checks run by the competent corporate functions, observing that no facts emerged worthy of particular attention or that require the adoption of measures.

During 2024, there were 3 protests received, addressed by customers to the Control Body and related to the Bank's ordinary business. The Committee asked the competent departments to carry out the appropriate checks on the matter which highlighted a situation of substantial regularity of the procedures carried out.

2. SUPERVISION OF COMPLIANCE WITH THE PRINCIPLES OF CORRECT MANAGEMENT

The Committee has overseen compliance with the principles of correct management, holding regular meetings with the heads of the Corporate Control Functions, the Governance Areas and the Group Divisions as well as with the Manager responsible for preparing the Company's financial reports and the independent auditors, including in order to verify that management decisions are based on an adequate system of information flows to the Bodies and that the decision-making processes take account of the riskiness and effects of the management choices made.

The Committee verified that the flows between the corporate departments and the Managing Director and CEO, as well as between them and the Board, are continuous. Information exchange between the Committee and the Managing Director and CEO is enhanced by regular meetings, mostly focused on the Bank's and the Group's performance, the functionality and effectiveness of the internal control and risk management system as well as on the recommendations made by the Committee in this regard in its own quarterly reports to the Board.

The Committee supervised the observance of the obligations envisaged for most significant transactions in terms of economic, financial and balance sheet importance carried out by the Bank or the subsidiaries, confirming that they were performed according to law and the Articles of Association, and that they were not - as required by Consob - manifestly imprudent, hazardous, in conflict of interest, in contrast with resolutions taken by the Shareholders' Meeting, or likely to compromise the integrity of the shareholders' equity. The reports pursuant to Article 150, paragraphs 1 and 2 of the Consolidated Law on Finance were provided both

5) Complaints

6) Protests

11) Principles of correct manageme nt

as part of the information on the preparation of the financial statements given by the Manager responsible for preparing the Company's financial reports and at the regular meetings with the Managing Director and CEO.

The Committee received periodic information in accordance with the internal regulations on governance of the Most Significant Transactions, i.e. transactions that involve a potential significant change in the overall risk profile defined in the Risk Appetite Framework ("RAF").

Pursuant to the RPT Procedures, the Committee received the quarterly report on transactions with related parties and associated entities, including an assessment of the materiality of the financial relations for the purposes of the Directors' independence requirement. On such occasions, the Committee also received the report on the interests declared by the Directors in performing certain transactions pursuant to Article 2391 of the Italian Civil Code and/or Article 53, paragraph 4, of the Consolidated Law on Banking.

Finally, the Committee supervised the implementation and governance of the Group's Code of Ethics, which self-regulates the integration of social and environmental considerations, including those relating to Environmental Social and Governance (ESG) issues, into business processes, practices and decisions.

Given the above, no atypical and/or unusual transactions were carried out - either with third parties, or related parties or intragroup - to be understood as transactions that could give rise to doubts concerning the fairness/completeness of the financial statements, conflicts of interest, the safeguarding of company assets, or the protection of minority interests. Likewise, no management irregularities nor performance anomalies emerged.

Significant events and the main transactions with related parties of major significance (including intragroup ones) and the other significant transactions carried out in compliance with the RPT Procedures were adequately reported and illustrated in the reports on operations and the notes to the Intesa Sanpaolo S.p.A. draft financial statements as at 31 December 2024 and the Intesa Sanpaolo Group's consolidated financial statements as at 31 December 2024 (together the "2024 Financial Statements"), respectively.

3. SUPERVISORY ACTIVITIES OF THE PROCEDURES FOR EFFECTIVE IMPLEMENTATION OF THE CORPORATE GOVERNANCE RULES LAID DOWN IN THE CORPORATE GOVERNANCE CODE

The Committee examined the Report on Corporate Governance and Ownership Structures ("Report on Corporate Governance") for 2024 which was then approved by the Board of Directors on 27 February 2025, with particular reference to the information about the main features of the risk management and internal control systems in relation to the financial reporting process.

In this area, the Committee was pleased to note that the Report was prepared in accordance with the Recommendations for 2025 addressed by the Chair of the Italian Corporate Governance Committee to all the Chairs of the management bodies of Italian listed companies, the results of which indicate a general level of adequacy of the Bank's corporate governance.

The Report on Corporate Governance, which should be consulted for further details, illustrates among other things the management and control model of Intesa Sanpaolo and provides a complete disclosure of how the Bank has adopted and implemented the recommendations of the Corporate Governance Code.

4. SUPERVISORY ACTIVITY ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE ORGANISATIONAL STRUCTURE

The Committee carried out the usual survey of the organisational structure of the Corporate Control Functions and main Divisions of the Group, focussing on the adequacy of risk monitoring processes and procedures to support the business carried out.

During 2024, the Committee was informed, also at its own request, about the:

• − proposed reshaping of the organisational structure of the Chief Risk Officer Governance Area, which led to the establishment of two new Coordination Areas (one relating to the Credit Enterprise and Operational Risk fields and the other dedicated to the monitoring of the risk management of the Divisions and the Financial and Market Risks);
• − establishment, within the Chief Lending Officer Governance Area, of the Strategic Transactions & Credit Funds Head Office Department which has been attributed the activity of managing selected investments in fund units with underlying credit/real estate portfolios and in equity investments deriving from the conversion of credit exposures;
• − the assessment of the suitability requirements of the key function holders at Intesa Sanpaolo, to the extent within the Committee's purview, acknowledging that no situation related to the satisfaction of the prescribed requirements was found.

In addition, during 2024, the Committee favourably assessed the:

− creation of the Chief Sustainability Officer Governance Area, which aims to steer the Group's sustainable

2) Atypical and/or unusual transactio

ns

3) Adequacy of information

17) Complianc e with the Italian Corporate Governanc e Code

12) Organisatio nal structure

development strategies, together with the planning and monitoring of the related activities;

− establishment of the Chief Security Officer Governance Area, able to guarantee a single point of control for security models and solutions, including aspects relating to technological safety.

With regard to the assessments conducted by the Committee on the adequacy of Corporate Control Functions, see the chapter set out further below in this report.

In referring you to the Report on Corporate Governance for further details about the Group's organisational and operational structure, the Bank's organisational chart as at today's date is shown below.

5. SUPERVISORY ACTIVITY ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE ADMINISTRATIVE AND ACCOUNTING SYSTEM AND OF ACCOUNTING AND FINANCIAL INFORMATION

The Committee - including in its capacity as Internal Control and Audit Committee pursuant to Article 19, paragraph 2, letter c) of Legislative Decree 39/2010 - examined the regular report on the activity carried on and the corrective actions prepared by the Manager responsible for preparing the Company's financial reports to support the statutory certifications and has analysed the causes and remedies of any shortcomings of the accounting structure.

The Management and Financial Governance function outlined the half-yearly reports on governance and control activities performed on the internal control system relevant for the financial reporting process, with the relative Tableau de Bord ("TdB") which summarise the main issues requiring attention and the progress of the relative mitigation actions, including the activities carried out by the Balance Sheet Items Valuation Unit, as well as the action plan for 2025.

Considering the governance and oversight activities carried out in 2024, as well as the reduced level of residual risk, the Management and Financial Governance unit expressed a positive opinion - despite the presence of some areas for further improvement for which mitigation measures are under way - on the statutory requirements of the financial reporting, allowing the Managing Director and CEO and the Manager responsible for preparing the Company's financial reports to issue the certifications required under Article 154-bis of the Consolidated Law on Finance with reference to the consolidated half-yearly report as at 30 June 2024, the consolidated results as at 31 December 2024 sent for reporting purposes to the competent Authorities, the 2024 Financial Statements as well as the 2024 Consolidated Sustainability Statement.

The Committee - after receiving a biannual update as at 30 June - examined the Report on tax risk oversight activities carried out by the Bank in 2024, as required by the cooperative compliance scheme, and the activities plan for 2025.

The Committee, together with the Manager responsible for preparing the Company's financial reports, met with the Independent Auditors - in accordance with Article 150, paragraphs 3 and 5 of the Consolidated Law on Finance - to examine the audit plan and receive updates on the activities carried out to formulate the opinion on the 2024 Financial Statements.

16) Meetings with the Independe nt Auditors

With reference to the supervision of the administrative-accounting system, the Committee, at its own request, was updated on a regular basis on the progress of the project aimed at implementing at Group level the sustainability reporting framework defined by EU Directive 2022/2464 (CSRD).

As part of its supervisory activities on accounting and corporate reporting, including to contribute to the assessment on the correct use of accounting standards, the Committee met with the Manager responsible for preparing the Company's financial reports, the other relevant functions of the Bank as well as the Independent Auditors to review the procedures for the preparation of the Consolidated Interim Report as at 31 March 2024, the Consolidated Half-Yearly Report as at 30 June 2024, the Consolidated Interim Report as at 30 September 2024 and the 2024 Financial Statements.

The Committee also examined the process of preparing the Consolidated Sustainability Statement, which, starting from the current financial year, is included in a specific section of the Report on operations and is approved by the Board on 27 February 2025. This new document contains the information required to understand the impact of the company on the sustainability issues and how these affect the company's performance, results and situation. In particular, the Committee verified compliance with the provisions pursuant to Legislative Decree 125/2024 (which replaced the previous regulations on non-financial reporting contained in Legislative Decree 254/2016 now repealed), compliance with the reporting standards required by EU regulations as well as the Group's methods for managing, planning and controlling ESG, environmental, social, personnel and human rights issues. Lastly, the Committee - during the Board meeting – received disclosure on the process of preparing Pillar 3, approved by the Board on 12 March 2025.

The Bank's financial statements and the Group's consolidated financial statements, pursuant to Legislative Decree 38/2005, are prepared in compliance with the IAS/IFRS issued by the International Accounting Standards Board and relative interpretations of the International Financial Reporting Interpretations Committee, endorsed by the European Commission, as provided for by EC Regulation 1606/2002. These documents are drawn up on the basis of the instructions issued by the Bank of Italy with Circular 262/2005 as subsequently amended.

The parent company draft financial statements as at 31 December 2024 and the Group's consolidated financial statements as at 31 December 2024 were approved on 27 February by the Board of Directors.

The disclosure to the public, under the provisions of the prudential supervisory regulations, was provided on the Bank's website within the term laid down for publication of the financial statements.

On 20 March 2025, pursuant to Article 14 of Legislative Decree 39/2010 and Article 10 of EU Regulation 537/2014, the Independent Auditors issued the reports on the audit of the Intesa Sanpaolo S.p.A.'s financial statements and on the consolidated financial statements of the Intesa Sanpaolo Group for the year ended 31 December 2024. In particular, the Independent Auditors:

• issued an opinion in which they affirm that the financial statements provide a true and fair view of the balance sheet and financial position of Intesa Sanpaolo and the Group, and of the profit and loss and the cash flows for the year ended at that date;
• presented the key aspects of the audit which, in their own professional opinion, are most significant and are used in forming their overall opinion of the financial statements;
• attested that the reports on operations and some specific information contained in the Report on Corporate Governance are consistent with the financial statements to which they refer and are prepared in compliance with the law;
• declared they had nothing to report pursuant to Article 14, paragraph 2, letter e), of Legislative Decree 39/2010, based on the knowledge and understanding of the company and its context acquired during the audit.

This opinion, issued by the Independent Auditors in compliance with the law, does not extend to the section of the Group's Report on operations regarding the Consolidated Sustainability Statement. Pursuant to Article 14-bis of Legislative Decree 39/2010, the Independent Auditors issued a specific report on the limited examination of the Consolidated Sustainability Statement for the year ended 31 December 2024, in which it stated that the work carried out did not reveal any elements that would lead to believe that:

• the Group's Consolidated Sustainability Statement was not prepared, in all the significant aspects, in compliance with the reporting standards adopted by the European Commission pursuant to Directive (UE) 2013/34/UE (European Sustainability Reporting Standards);
• the information contained in the paragraph "Reporting pursuant to the EU Taxonomy (EU Regulation 2020/852)" of the Consolidated Sustainability Statement was not prepared, in all the significant aspects, in compliance with Article 8 of Regulation (EU) no. 852 of 18 June 2020.

Moreover, on 20 March 2025, the Independent Auditors issued the Committee with the additional report envisaged under Article 11 of EU Regulation 537/2014, according to which no significant shortcomings were found in the financial reporting internal control system and/or in the accounting system, which should be brought to the attention of those responsible for Governance activities.

The annual confirmation of independence was issued, together with this report, pursuant to Article 6, paragraph 2, letter a) of EU Regulation 537/2014 and paragraph 17 of the International Standard on Auditing (ISA Italia) 260.

16) Meetings with the Independe nt Auditors

6. SUPERVISORY ACTIVITY OF THE STATUTORY AUDIT PROCESS AND THE INDEPENDENCE OF THE INDEPENDENT AUDITORS

Intesa Sanpaolo has adopted specific Group Regulations governing assignments to independent auditors and their networks. This governs, among other things, the system for supervising the assignment of auditing services and other services conferred by the Parent Company and Group Companies to independent auditors, their networks and associated entities, with the aim of overseeing the application of the relevant regulations and the independence of auditors.

In this context, the Regulations also include specific prior authorisation, monitoring and regular reporting procedures to the Committee, which are aimed at overseeing the independence of the independent auditors. For the purpose of this monitoring, the following types of appointment are defined:

• Audit, i.e. statutory audit services pursuant to Article 14 of Legislative Decree 39/2010 and Article 2409 bis of the Italian Civil Code as well as the other voluntary audit services;
• Audit-Related, i.e. activities entrusted by law or order of an Authority, as well as activities that represent an extension of the auditing assignment (issuance of certificates, review of reports, agreed auditing procedures). These assignments are normally awarded to the Auditor as, by nature, they are not detrimental to independence;
• Non-Audit, relating to services not included within the foregoing types of Audit or Audit Related types, which pursuant to the Regulations cannot be awarded to the Main Auditor, i.e. the independent auditors engaged to perform the statutory audit of the Parent Company.

Monitoring also ensures that assignments expressly prohibited by Articles 10 and 17, paragraph 3, of Legislative Decree 39/2010 are not awarded to the Main Auditor.

EY is the independent auditor which was assigned the role of Main Auditor. All proposals for assignments relating to the independent auditors and parties belonging to its network have been monitored in advance and - where applicable - authorised. Based on the results of this control process, we confirm that during the 2024 financial year no further non audit assignments were granted to EY and parties connected to them by ongoing relationships.

According to the provisions of the Group Regulations, the full picture of the assignments to the independent auditors is described twice a year to the Committee by the Manager responsible for preparing the Company's financial reports, including for the purposes of the related reporting obligations in the financial statements and to the Shareholders' Meeting. A complete picture of the amounts paid to the independent auditors in 2024 is represented in the Annex to the financial statements entitled "Fees for auditing and the services other than auditing pursuant to Article 149-duodecies of Consob Regulation no. 11971", to which reference should be made.

The details of the fees for the Audit-Related assignments for 2024 are shown below.

				(millions of euro)
Type of service	Intesa Sanpaolo		Group Company (*)
	EY	EY network	EY	EY network
Certification services (**)	2.74	-	3.81	-
Other services:
agreed audit procedures	0.08	-	0.30	-
sustainability reporting	1.32	-	0.26	-
Total	4.14	-	4.37	-

(*) Subsidiary Group Companies and other consolidated companies.

(**) Including audit costs, on a voluntary basis, for "Pillar 3" disclosure.

Fees net of VAT, out-of-pocket expenses and Consob contribution.

In line with previous years, the fees for Audit-Related assignments mainly refer to activities attributable to the recurring obligations regarding the deposit and sub-deposit of the assets of the customers of the intermediaries (pursuant to the provisions of the Bank of Italy Regulation of 5 December 2019), checks aimed at issuing Comfort Letters in implementation of international issue programmes and other contractual activities envisaged by the commitments already assumed by the Bank.

In addition, some proposals were submitted to the Committee for integration with the existing auditing assignments with EY (in line with the conditions foreseen by the same): in particular, reference is made to the integration with the assignment for the limited examination of the 2021-2029 Consolidated Non-financial Statement (CNFS), functional to assigning the limited assurance on the 2024-2029 Sustainability Statement. Where requested, the Committee expressed a favourable opinion on the proposals for additions, after verifying the underlying motivations and their suitability to the audit proposal.

7-8) Additional audit assignments

Finally, the Committee acknowledged the results of the constant monitoring by the responsible structure of the Bank of the process of awarding assignments to the Independent Auditors, observing that this process did not result in any consequences at the level of independence.

7. SUPERVISORY ACTIVITY ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE INTERNAL CONTROL SYSTEM

The Group's Integrated Internal Control System Regulation, implementing the current Supervisory Rules, outlines the duties and responsibilities of all the stakeholders in the internal control system, the procedures for coordination and interaction between Control Functions, the guidance and coordination procedures of the Group companies and international branches, and the main information flows between the various stakeholders in the system. The internal control system is structured on three levels:

• − Level I: line controls conducted by the operating and business structures, including through units dedicated solely to control duties, and as far as possible incorporated in IT procedures, aimed at ensuring the proper conduct of operations;
• − Level II: controls aimed at ensuring the proper implementation of the risk management process, observance of operating limits and compliance of the operations with regulations. The functions assigned to such controls are separate from the ones in charge of production and contribute to the definition of governance policies and the risk management process. These controls are performed:
  • ✓ by the Chief Compliance Officer Governance Area, which has the tasks and responsibilities of the Compliance function and which includes the Anti-Money Laundering function,
  • ✓ by the Chief Risk Officer Governance Area, which has the tasks and responsibilities of the Risk Management function and which includes the Validation function;
• − Level III: internal audit controls to identify breaches of procedures and regulations, as well as to assess the completeness, adequacy, functionality and reliability of the internal control system and the Group's IT system, in relation to the nature and intensity of the risks. At Intesa Sanpaolo, the Chief Audit Officer reports directly to the Board of Directors and also reports functionally to the Committee, without prejudice to the appropriate sharing of information with the Managing Director and CEO.

The Group's internal control system - described in detail in the Report on Corporate Governance, to which reference should be made for further details - also sees other functions involved with control responsibilities (the Business Continuity function, the Cybersecurity function, the specialist functions) and, among others, also the Manager responsible for the Group Business Continuity Plan, the Manager responsible for preparing the Company's financial reports, the Independent Auditors and the Parent Company's Surveillance Body pursuant to Legislative Decree 231/2001.

With reference to the latter, every six months the Committee examined the report on the activities carried out noting that, according to the disclosure made, there are no facts or circumstances worthy of mention. Based on a synergistic approach, the Committee and the Surveillance Body promptly exchanged relevant data and information during the year, by coordinating during joint meetings on matters of mutual responsibility.

Below you will find a summary of the activities conducted by the parties responsible for carrying out internal controls.

Chief Compliance Officer

The Chief Compliance Officer delivered the institutional and periodic reports within his remit to the Committee, and in particular the half-yearly report, the annual report and Risk Assessment, with the action plan for 2025, drafted pursuant to applicable regulations; the Compliance Tableau de Bord, which provides an overview on the outlook for the most significant areas of attention, is enclosed with these reports which also provide a summary report on the progress of complaints, protests and appeals by customers. The endof-year report also includes the details of the activities carried out in 2024 and the activities planned for 2025 with reference to the central depositories and the entities managed according to the guidance, coordination and control model, the report on the Governance of the Group asset management companies, the Product Governance Report, the regulatory areas covered and details of the human and financial resources allocated to compliance macro-processes.

Pursuant to the regulations issued by Consob, the Chief Compliance Officer, aided by the Chief Transformation & Organization Officer, presented to the Committee the annual report on the terms of provision of services and investing activities and ancillary services and of distribution of financial products issued by insurance companies or banks.

Furthermore, the Chief Compliance Officer submitted the following to the Committee:

• − the Group annual report on the overall situation of complaints, disclaimers, protests to Supervisory Authorities and appeals to alternative dispute resolution entities;
• − the annual report on conflict-of-interest situations recorded in the area of investment or ancillary services, investing activities and distribution of insurance-based investment products;

13) Internal control system

• − at the Committee's request, the state of progress of the work of the Compliance Next Programme, whose activities continue according to schedule, without particular critical issues in reaching the milestones set;
• − the technological solutions which Intesa Sanpaolo adopted in compliance with EBA Guidelines on the use of remote customer onboarding solutions;
• − the expectations of the Istituto per la Vigilanza sulle Assicurazioni Insurance Regulatory Authority (IVASS) regarding the governance and oversight of insurance products as well as the main evidence that emerged from the self-assessment carried out with reference to the same and the improvement measures that the Group intends to implement;
• − an update concerning the strengthening measures adopted in accordance with the requirements of US regulation on Swap Dealers (Dodd-Frank Act);
• − results of the self-assessment proven adequate requested by the Bank of Italy with regard to the consistency of the structures, procedures and practices in use regarding disclaimers with the regulatory provisions and with the expectations of the Authority itself.

To enable the Committee to adequately perform its supervisory role on compliance with the rules for combating money laundering, terrorist financing and for embargo management as well as verifying the completeness, functionality and adequacy of the relative controls system, the head of the Anti-Money Laundering function illustrated the half-yearly report and the annual report for 2024, with their respective Tableau de Bord, the annual Risk Assessment on the areas of anti-money laundering, terrorist financing and violation of embargoes, and the action plan for 2025. These reports include summary information on the progress of the training plan, as well as details of the human and financial resources allocated to compliance macro-processes with respect to anti-money laundering, anti-terrorism, embargo and anti-corruption regulation.

Also at the Committee's request, the head of the Anti-money laundering function submitted:

• − specific updates concerning the state of progress of the ENIF long-term strategic plan, with a focus on the various areas of action identified, taking favourable note of the results obtained thus far;
• − the proposal to update the Anti-Money Laundering and Counter-Terrorism Financing Programme of the Sidney branch, in accordance with Australian regulations, in view of its submission to the Board for approval;
• − an update on the Countering Financing of Terrorism (CFT) risk and the measures applied by the Group in this regard. On this occasion it was also informed about the strengthened measures adopted in relation to the emerging risk connected to the Israeli-Palestinian conflict and transactions to/from Iran;
• − the proposal to refine the criteria identified by the Group to manage the "High" risk customers with connections to Russia, subject of reporting of suspicious transactions.

Chief Risk Officer

The Chief Risk Officer submitted the following to the Committee: the Tableau de Bord of the critical issues in his own Governance Area on a six-monthly basis, the annual report on the activities carried out in 2024, the Risk Assessment and the plan of the activities scheduled for 2025, including those for the Validation function. In accordance with Article 13, paragraph 2, of the Regulations issued by the Bank of Italy and Consob pursuant to Article 6, paragraph 2-bis, of the Consolidated Law on Finance, he also illustrated the Report on risk management activities within the scope of the investment services to customers carried out during 2024.

The Chief Risk Officer also described:

• − the positive results of the annual assessment on the overall consistency of the ratings of the External Credit Assessment Institutions with the measurements processed independently by the Bank;
• − the preliminary indications on 2nd level controls carried out as part of the process of assessing the Credits Funds for financial reporting purposes (focusing on the variables used for the assessments of these investments with the aim of checking consistency and in compliance with the disclosure and legal requirements that characterise the segment).

Chief Audit Officer

The Committee mainly uses the Internal Audit function to carry out its supervisory duties. The Chief Audit Officer normally participates at meetings and constantly provides information on the activities carried out some of which at the Committee's own request - and on the progress of the remediation plans undertaken by the competent corporate functions to overcome the critical issues encountered. The priorities reported by the Committee are taken into consideration when defining the annual Internal Audit plan. In addition, the Committee, at its own request, met with the Chief Audit Officer to reach a preliminary understanding as to the main areas to be covered in 2025 and the guidelines for planning audit activities.

During the year, the Chief Audit Officer systematically and promptly reported to the Committee the main findings that emerged whilst performing his own activities, including at the Committee's specific request, as well as the progress of the related remediation measures, where there were areas for improvement. In particular, attention is drawn to the results of the audits of the following issues:

• − critical issues detected as regards the compliance of company risk data aggregation and risk reporting processes with the standards defined by the ECB in the new "Guide on effective risk data aggregation and risk reporting - RDARR". The Committee subsequently reviewed the related Multi-Annual Implementation Plan aimed at strengthening the mentioned processes;
• − the Group's ability to produce the Single Customer View report, as required by the instructions of the National Interbank Deposit Guarantee Fund, with evidence of an adequately structured operating and control process for producing reports;
• − checks carried out with regard to the abnormal operation of a former Fideuram financial advisor;
• − adequacy of the measures put in place by the supplier Italpol, which is entrusted with the Control Room management services;
• − critical issues detected at the subsidiary Mooney (held by Isybank), for which close monitoring has been activated of the interventions planned by the company to achieve its business objectives;
• − update on the ICT Audit activities implemented with particular reference to Cloud Computing;
• − self-assessment required by the Bank of Italy with regard to disclaimers, confirming the adequacy of the Plan of actions, which was completed within the timeframe required by the Supervisors, albeit with residual areas for improvement;
• − process of managing operations with related parties and associated entities, which revealed an area of overall adequacy, albeit in the presence of certain areas of improvement, for which the necessary remedial actions were identified.

The Chief Audit Officer also presented to the Committee, including at its specific request, an update on the impacts on the internal control system deriving from the assignment to the above-mentioned Strategic Transactions & Credit Funds Head Office Department (within the Chief Lending Officer Governance Area) of the activity of managing selected investments in fund shares with underlying credit/real estate portfolios and in equity investments deriving from the conversion of credit exposures.

Every three months, using the Synthetic Audit Tableau de Bord, the Chief Audit Officer reported to the Committee on the outlook for the most significant weaknesses found during the Internal Audit activities including in light of the respective remediation plans. Every six months, within the context of a specific report, he submitted his own considerations and assessments on the adequacy of the internal control system for risk management and presented, at the Committee's request, the changes in the least significant weaknesses set out in the Analytical Audit Tableau de Bord. On an annual basis, he prepared and then shared with the Committee, the final report on the activities carried out and the results of the Audit Risk Assessment and the activities plan for the following financial year. The final report on the activities carried out in 2024 also fulfils the obligations laid down by the Bank of Italy with regard to disclosures to the competent Bodies on some specific areas such as liquidity risk management, anti-money laundering, information systems, Parent Company governance of the Group's asset management companies, the result of the audits carried out at international branches and the internal systems for reporting violations of the rules governing banking (so-called whistleblowing).

The Chief Audit Officer also conducted the compulsory assurance activities and prepared the following regular disclosures pursuant to the current Supervisory Rules:

• − the annual report on the outsourcing of essential or important functions outside the Group;
• − the quarterly report on whistleblowing reporting;
• − the annual report on internal audit activities pursuant to Article 14 of the Joint Consob-Bank of Italy Regulations, pursuant to Article 6, paragraph 2-bis, of the Consolidated Law on Finance.

During Board meetings, the Committee examined reports from the Internal Audit function on the results of consistency checks on the operating practices followed in the actual delivery of the 2024 incentive system as well as in the quantification and approval of the 2025 incentive system with the policies and the application parameters approved by the various Bodies and with the provisions issued by the Bank of Italy on this subject in transposing EU Directives. The Chief Audit Officer expressed his opinion of adequacy.

Integrated Reporting of Corporate Control Functions

The Integrated Tableau de Bord was submitted to the Committee on a six-monthly basis; it provides a summary of the findings with the greatest impact among those highlighted by the Corporate Control Functions and the Management and Financial Governance unit in their own Tableau de Bord, with details of the progress of their respective mitigation actions. On the basis of the assessments carried out by the Corporate Control Functions in 2024, the annual summary report was drawn up which shows that overall risk management is adequate in terms of completeness, functionality and reliability of the internal control

system. This opinion is supported by the Integrated Risk Assessment, the results of which were included in the 2025 RAF.

In addition, with half-yearly frequency, the Integrated Tableau de Bord of the International Subsidiary Banks, which include a summary of the findings with the greatest impact on the international scope, were also submitted to the Committee.

In the presence of the Chief Audit Officer, the Committee constantly monitored the implementation of the remediation actions planned to resolve the critical issues identified by the Corporate Control Functions.

With regard to Intesa Sanpaolo RBM (incorporated into the other non-life company of the Insurance Division and now renamed Intesa Sanpaolo Protezione) and Previmedical, the Committee noted favourably the realisation of the main activities contained in the commitments made with the AGCM (Italian Competition Authority) as well as a decrease in the number of complaints.

At its own request, the Committee also met the Chief Data, A.I., Innovation and Technology Officer (CDAITO), also in the presence of the Chief Audit Officer, to:

• review the progress of the measures introduced and the remedial actions activated with the Remediation ION Programme aimed at strengthening the Group's Business Resilience on outsourced Critical Services; - receive information on the development of the 1st level controls monitoring the ICT and Security Risk.

The Committee periodically deepened the risk assessment conducted by the Corporate Control Functions on the progress of the macro-initiatives of the 2022-2025 Business Plan, dwelling on the main focal points including the Bank's ESG initiatives - and on the actions identified from time to time to mitigate the related potential risks.

Assessment of the Corporate Control Functions

For the purposes of assessing the suitability of the essential elements of the risk management internal control system architecture, the Committee examined the annual disclosure on the changes in staff, costs and investments directly attributable to the Corporate Control Functions. Further details on the staffing and Target sizing of the structures of the Corporate Control Functions are provided in their respective periodic reports to the Bodies. In light of the results obtained during its activities, the Committee expressed its own positive considerations on the aspects of independence, objectivity and effectiveness of risk management actions for the annual assessment carried out by the Board regarding the adequacy of the Corporate Control Functions.

For the purpose of paying the variable component of remuneration for 2024, the Committee first met, also in the presence of the Chief People & Culture Officer, with the Chief Audit Officer, the Chief Compliance Officer and the Chief Risk Officer to receive the results of the activities carried out by the respective areas during 2024. During the Performance Evaluation phase, it then met with the competent structures of the Chief People & Culture Officer to examine the assessment proposals formulated by the latter and express its opinion to the Remuneration Committee - within the scope of its responsibility - regarding the achievement of the objectives by the Chief Audit Officer, Chief Compliance Officer, head of the Anti-Financial Crime Department, Chief Risk Officer, head of the Internal Validation & Controls Coordination Area and the Manager responsible for preparing the Company's financial reports.

For the purposes of the 2025 incentive system, during the Goal & Target Setting phase, the Committee first met, also in the presence of the Chief People & Culture Officer, with the Chief Audit Officer, the Chief Compliance Officer and the Chief Risk Officer to examine the activities plan envisaged by each of their respective functions for 2025, including in order to evaluate the panel of possible Key Performance Indicators with which to monitor the effectiveness of the action by the relative functions and evaluate the managers' performance. The Committee then expressed its opinion - within its own remit - to the Remuneration Committee for the purpose of defining the objectives and individual performance levels to be attributed to the said Chiefs as well as to the heads of the Internal Validation & Controls Coordination Area, Anti-Money Laundering Function and the Manager responsible for preparing the Company's financial reports. The Committee took positive note of the forecast, also for 2025, of a Group transversal KPI pertaining to ESG issues.

8. SUPERVISORY ACTIVITY ON THE ADEQUACY, EFFICIENCY AND FUNCTIONALITY OF THE GOVERNANCE AND RISK MANAGEMENT PROCESS

The Committee supervised:

− the compliance with the provisions relating to the Internal Capital Adequacy Assessment Process and the Internal Liquidity Adequacy Assessment Process (ICAAP/ILAAP), analysing, in particular, scenarios and methodological and process aspects, as well as the results of the Validation function on the adequacy of the framework for the quantification of economic capital and for managing liquidity risk as well as the results of the Internal Audit self-assessment on the quantification and assessment processes adopted;

9) Opinions

13) Internal control system

− the completeness, adequacy, functionality and reliability of internal risk measurement systems for determining capital requirements, checking their compliance with regulatory requirements including for the purpose of the annual certification issued by the Board. The Committee examined, issuing the required opinion, the specific annual reports of the Internal Audit and Validation functions, as well as the Action Plan of the Risk Management function, in order to mitigate the critical issues identified;

9) Opinions

− the completeness, adequacy, functionality and reliability of the RAF for 2025, examining its methodological aspects, definition process and consistency with the Recovery Plan.

The Committee then examined the following periodic reports:

• − report on operational and security risks in payment services;
• − the results of the annual checks by the Asset Monitors on the Covered Bonds programmes. Likewise, the Internal Auditing Function assigned a "Low" residual risk assessment relating to the areas examined;
• − the information flows on ICT risk and IT security for the 2024 period pursuant to the Supervisory regulations for banks;
• − the results of the checks and controls of the Group's business continuity plan;
• − preparation of the Group's IT security plan for the current year;
• − report by the Data Protection Officer on the activity carried out as at 30 June and 31 December 2024, together with the activities plan for 2025, which were covered in detail by the Committee, with particular regard to the continuous improvement of safeguards to protect the confidentiality of personal data.

The Committee was also updated on the progress of the actions identified by the Internal Audit function following the mentioned assignment to the Chief Lending Officer Governance Area to manage selected investments in fund shares with underlying credit/real estate portfolios and in equity investments deriving from the conversion of credit exposures, and subsequently reviewed the results of the ex post controls carried out by the Risk Management and Validation functions in this regard.

The Committee also met with the Chief Lending Officer, at its own request, to examine:

• half-yearly reporting on value adjustments applied in analytical measurement of NPL positions falling within its scope;
• the progress made in the project areas regarding the FLAG (Forward looking Lending for sustainable Asset Growth) Project, aimed at implementing a new credit decision-making model capable of managing the entire credit process cycle from origination to credit assessment, monitoring and management.

Lastly, the Committee examined on a regular basis the development of the issue relating to the unauthorised access to customers' personal information by some employees of Intesa Sanpaolo. In particular, the Committee focused on the initiatives identified with a view to the continuous strengthening of IT data privacy safeguards - aimed at guaranteeing the confidentiality and correct processing of customer data and information - as well as organisational and operational safeguards designed, among other things, at intensifying awareness-raising and training initiatives for employees on the issues in question. The Committee was also constantly updated on the developments of the interactions in place with the various Authorities involved.

9. SUPERVISORY ACTIVITIES OF COMPLIANCE WITH THE LEGISLATION APPLICABLE TO THE BANK IN ITS CAPACITY AS THE PARENT COMPANY

The Committee - including by making use of the support of the Corporate Control Functions - found that the Bank, within the framework of the management and coordination activity of the Group, exercises control over the development of the different business areas in which the Group operates and the incumbent risks, over the maintenance of conditions of economic, financial and balance sheet equilibrium both of the individual companies and of the Group as a whole, as well as over the assessment of the various risk profiles contributed by individual subsidiaries and the total risk. The rules and procedures in place allow the Parent Company to promptly fulfil its disclosure obligations to the public in accordance with current provisions pursuant to Article 114, paragraph 2, of the Consolidated Law on Finance. The information flows between the Parent Company and its subsidiaries guarantee an effective exchange of information with regard to the management and control systems and the overall performance of the business.

Within the framework of the information flows provided for in Article 151-ter, paragraphs 1 and 4, of the Consolidated Law on Finance, the Committee met with the Board of Statutory Auditors of Isybank to examine, among other aspects, the items of attention identified by the Corporate Control Functions and discuss the progress of the remediation actions identified.

Moreover, with a view to ensuring consistency at Group level in the manner of transposing and implementing Legislative Decree 231/2001, the Committee analysed the customary half-yearly report on the activities carried out by the Surveillance Bodies pursuant to Legislative Decree 231/2001, of the Italian companies of the Group.

15) Subsidiarie s requiremen ts

10. CONCLUSIVE ASSESSMENTS ON THE SUPERVISORY ACTIVITY CARRIED OUT

12) Organisati onal structure

14) Adequacy of the accounting system

18) Conclusive assessme nts

As detailed in the Report, the Committee verified the functionality of the internal procedures, which have been found fit also in 2024, to guarantee compliance with the laws, regulations and articles of association. The Committee ascertained that the decision-making process takes into due consideration the riskiness and the effects of management decisions taken and that Corporate Bodies have an adequate information flow system, including with reference to any Directors' interests. The organisational structure, the internal control system as a whole, the administrative and accounting system and the statutory audit of accounts process were found adequate and functional for the tasks they are expected to perform. Where deemed appropriate, adoption of functional corrective measures was promoted to address any deficiencies identified.

In particular, the Committee believes that the Bank's and Group's administrative and accounting system is such as to ensure a fair presentation of the operational events and that there are no significant shortcomings in the internal control system in relation to the financial reporting process. The Committee also found that the administrative and accounting procedures for the preparation of the financial statements and all other communications of a financial nature had been effectively applied as well as the Consolidated Sustainability Statement.

Taking into account all the foregoing, having considered the content of the opinions issued by the Independent Auditors, and having taken note of the attestations issued jointly by the Managing Director and CEO and the Manager responsible for preparing the Company's financial reports, the Committee does not report - in as far as it is within their remit - any impediment to the approval of the financial statements of Intesa Sanpaolo S.p.A. as at 31 December 2024 accompanied by the Report on operations – including the Consolidated Sustainability Statement - and the Notes thereto, as approved by the Board on 27 February 2025.

Finally, the Committee expresses its opinion in favour of the proposal to allocate the net income for the year and the related distribution of dividends formulated by the Board of Directors.

Milan, 20 March 2025 for the Management Control Committee

The Chair – Alberto Maria Pisani

This is an English translation of the original Italian document. In cases of conflict between the English language document and the Italian document, the interpretation of the Italian language document prevails.