REPORT ON CORPORATE GOVERNANCE AND OWNERSHIP STRUCTURES

2024

www.gruppo.bancobpm.it

(13 March 2025)

EXECUTIVE SUMMARY 5

1 PROFILE OF THE ISSUER 17
2 INFORMATION ON THE OWNERSHIP STRUCTURE (pursuant to article 123-bis, paragraph 1, of the
Consolidated Law on Finance) 26
3 COMPLIANCE (pursuant to article 123-bis, paragraph 2, letter a), first part of the Consolidated Law
on Finance) 33
4 MANAGEMENT AND COORDINATION: the role of the Parent Company and the Banco BPM Group 34
5 SHAREHOLDERS' MEETING 35
6 BOARD OF DIRECTORS 39
6.1 APPOINTMENT, REPLACEMENT AND COMPOSITION OF THE BOARD OF DIRECTORS 39
ROLE OF THE BOARD OF DIRECTORS 68 6.2
6.3 MEETINGS 77
6.4 INDIVIDUAL BODIES 80
6.5 INTERNAL COMMITTEES OF THE BOARD OF DIRECTORS 86
6.6 REMUNERATION 102
6.7 INDEPENDENT AND NON-EXECUTIVE DIRECTORS 102
7 BOARD OF STATUTORY AUDITORS 109
7.1 APPOINTMENT, REPLACEMENT AND COMPOSITION OF THE BOARD OF STATUTORY AUDITORS 109
7.2 ROLE OF THE BOARD OF STATUTORY AUDITORS 129
7.3 REMUNERATION 133
8 COMPANY FUNCTIONS AND PROCEDURES 134
8.1 PROCEDURES FOR PROCESSING CORPORATE INFORMATION 134
8.2 THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM 136
8.3 EXTERNAL AUDITOR 150
8.4 FINANCIAL REPORTING MANAGER 151
8.5 ORGANISATION, MANAGEMENT AND CONTROL MODEL pursuant to Italian Legislative Decree no.
231/01 and relating to the Supervisory Board of Banco BPM 153
8.6 THE INVESTOR RELATIONS DEPARTMENT 154
8.7 DIRECTORS' INTERESTS AND TRANSACTIONS WITH RELATED PARTIES 156
9 RELATIONS WITH SHAREHOLDERS AND THE FINANCIAL COMMUNITY 159

INTRODUCTION

Banco BPM Società per Azioni (hereinafter "Banco BPM" or the "Company") is a bank in the form of a company limited by shares, resulting from the merger (hereinafter the "Merger") between Banco Popolare - Società Cooperativa and Banca Popolare di Milano S.c. a r.l., which took effect on 1 January 2017 (hereinafter also referred to as the "Date of Establishment").

The main information regarding the Merger is set out below.

On 23 March 2016, subject to approval by the respective governing bodies, Banco Popolare and BPM signed a memorandum of understanding concerning the essential points of the merger (known as "own") between Banco Popolare and BPM, to be implemented, in accordance with articles 2501 et seq. of the Italian Civil Code, by creating a new company with the legal form of a company limited by shares and with the name "Banco BPM Società per Azioni". On 24 May 2016, the governing bodies of Banco Popolare and BPM approved the Merger Plan in accordance with article 2502 of the Italian Civil Code (hereinafter the "Merger Plan") as subsequently amended up to 12 September 2016. On 15 October 2016, the extraordinary Shareholders' Meetings of Banco Popolare and BPM approved the Merger Plan subject to the required authorisations being issued by the Supervisory Authorities.

The Merger took effect on 1 January 2017, subject to issue of the authorisations by Borsa Italiana S.p.A. for the newly issued Banco BPM shares from the Merger to be admitted to listing on the Electronic Stock Exchange, and authorisations from CONSOB to publish the prospectus needed for that purpose, and subject to registration, on said date, of the merger deed (entered into on 13 December 2016) with the applicable Company Registration Offices of Verona and Milan, in accordance with article 2504 of the Italian Civil Code.

Banco BPM has followed the Code of Best Practice of Listed Companies (hereinafter the "Borsa Italiana Code of Best Practice" or the "Borsa Italiana Code") of Borsa Italiana S.p.A. (hereinafter "Borsa Italiana") from its establishment (January 2017), with certain exceptions as described in more detail below.

Effective from 1 January 2021, the new Code of Corporate Governance came into force (accessible to the public on the website of the Corporate Governance Committee at the url https://www.borsaitaliana.it/comitato-corporate-governance/codice/2020.pdf, hereinafter also "the new Code" or "CCG"), which Banco BPM adhered to by means of resolution of the Board of Directors of 14-15 December 2020, replacing the Borsa Italiana Code of Best Practice previously in force, whose effectiveness therefore came to an end on 31 December 2020. The new Code is the result of in-depth discussions with listed companies, as well as careful analysis of international developments in corporate governance and the continuous monitoring of implementation of the Code performed over the years by the Italian Corporate Governance Committee. The recommendations of the new Code involved some updates to the internal regulations/documentation of Banco BPM through the gradual adoption of the said recommendations starting from 2021 financial year, notifying the market of them in the report on corporate governance to be published in 2022.

The aim of this document is to provide shareholders, investors and the market with adequate information on the corporate governance and the main actions taken to this end by Banco BPM, and how, first the Borsa Italiana Code of Best Practice, and then the Code of Corporate Governance were applied by Banco BPM, providing disclosure on the principles and application criteria that were fully adhered to and those from which the Company has decided to deviate only in part, also considering the date of establishment of the Company (1 January 2017) and the specific nature of banking companies, which have to strictly comply with the regulations contained in Italian Legislative Decree 385/1993 (Consolidated Banking Law) as well as in the supervisory provisions of the Bank of Italy and European Union regulations. Bear in mind that for the purposes of the Code of Corporate Governance, Banco BPM falls under "large companies" (understood as those whose capitalization exceeds Euro 1 billion, on the last open market day in each of the three previous calendar years).

This was prepared in accordance with article 123-bis of Italian Legislative Decree 58/1998, considering, with regard to the nature and content of the information, the suggestions provided by Borsa Italiana in its "Format for the Report on corporate governance and ownership structures", lastly updated on December 2024.

The new edition of the Format takes into account the approval of the new European¹ and Italian² regulations on corporate sustainability reporting, which introduces very analytical sustainability reporting obligations for listed companies that also include information relating to the corporate governance of issuers which, in some parts, overlap with the those that companies are already required to publish in the annual report on corporate governance and ownership structures (the "Sustainability Regulations").

The new edition of the Format aims to offer issuers a tool that can also be useful for coordinating the internal processes of preparing the "traditional" corporate governance report with those relating to the preparation of the new sustainability report, in order to provide the market with an overall clear, coherent and complete description of its corporate governance system.

¹ Please refer to Directive (EU) no. 2022/2464 of the Parliament and of the Council of December 14, 2022 (amending Regulation (EU) No. 537/2014, Directive 2004/109/CE, Directive 2006/43/CE and Directive 2013/34/EU as regards corporate sustainability reporting) and Commission Delegated Regulation (EU) 2023/2772 of July 31, 2023 (integrating Directive 2013/34/EU of the European Parliament and of the Council with regard to sustainability reporting requirements).

² Please refer to Legislative Decree no. 125, of September 6, 20924.

EXECUTIVE SUMMARY

Banco BPM is a bank listed on the Electronic Stock Exchange, organised and managed by Borsa Italiana S.p.A. ("MTA", now Euronext Milan).

CORPORATE GOVERNANCE MODEL

Banco BPM adopts the "traditional" administration and control model. The strategic supervision and management functions are attributed to the Board of Directors, while the control function is assigned to the Board of Statutory Auditors. Both bodies are appointed by the Shareholders' Meeting.

Shareholders' Meeting

In accordance with article 11 of the By-Laws, the Shareholders' Meeting, duly called and constituted, represents all the shareholders and its resolutions, passed in accordance with the law and the By-Laws, shall apply to all shareholders even if absent or not in agreement.

The Shareholders' Meetings shall be ordinary or extraordinary in accordance with the law.

Ordinary Shareholders' Meetings shall:

a) appoint, in accordance with the number established by the By-Laws and the mechanisms described under article 20.5 of the By-Laws, the members of the Board of Directors, revoke said appointment, determine their remuneration and elect the Chairman and the Vice Chairman, according to the provisions of article 20.8 of the By-Laws;

b) appoint the Statutory Auditors and the Chairman of the Board of Statutory Auditors with the mechanisms described under article 35 of the By-Laws and establish their fees;

c) decide on the responsibilities of the members of the Board of Directors and the Board of Statutory Auditors;

d) approve the financial statements;

e)decide on the allocation and distribution of profits;

f) appoint, upon the justified proposal of the Board of Statutory Auditors, and revoke or change said appointment, where necessary, in agreement with the Board of Statutory Auditors, the company engaged to perform the statutory audit, and determine the relative fees;

g) resolves on the approval of (i) remuneration and incentive policies for Directors, Statutory Auditors and employees, including any proposal by the Board of Directors to set a limit on the ratio between the variable and fixed components of individual remuneration of identified staff of higher than 1:1 and within the limit established by the regulations in force from time to time; (ii) remuneration and/or incentive plans based on financial instruments; and (iii) criteria for determining payment to be agreed in the case of early termination of employment or office, including fixed limits such as payment in terms of annuity of fixed remuneration and the maximum amount that derives from implementation thereof;

h) approve and amend the shareholders' meeting rules;

i) resolve upon the other matters assigned to it by the pro tempore applicable laws or the By-Laws.

Extraordinary Shareholders' Meetings decide upon amendments to the By-Laws (without prejudice to the powers allocated to the Board of Directors in accordance with article 24.2.2., letter aa) of the By-Laws), and the appointment, revocation, replacement and powers of receivers or on any other matter assigned to it by law for which it is responsible and not exempted by the By-Laws.

The Banco BPM Group pays close attention to the management of relations with shareholders, institutional investors and other operators in the national and international financial community, and to guarantee the regular and systematic disclosure of qualified, complete and prompt information on Group operations, results and strategies, also in the light of indications provided by CONSOB, the principles expressed in the Borsa Italiana Code and in national and international best practices.

The establishment and maintenance of constant and ongoing relations with all shareholders, through

correct, transparent and differentiated forms of dialogue (engagement) contributes to ensure information transparency and continuous attention to the Bank's governance issues, with a view to fostering the creation of value in the medium to long term.

In addition to the methods through which, via the competent corporate functions, in particular, the Investor Relations function and, as regards retail relations, the Corporate Affairs Secretariat, the Bank interacts on a continuous basis with shareholders, investors and the financial community in general, Banco BPM, by means of board resolution of 23 November 2021, adopted the "Regulation governing the management of dialogue with shareholders", drafted in accordance with the provisions of the 35th update to Bank of Italy Circular no. 285 of 17 December 2013 and the recommendations in the Code of Corporate Governance.

This Regulation governs dialogue between the Board of Directors or its members and all shareholders of Banco BPM, meaning by this, and according to the definitions in force on each occasion, institutional investors, asset managers and the relevant trade associations, other holders of shares issued by the Bank, potential investors, proxy advisors, in relation to the matters within the competence of the Board of Directors, including corporate strategies, financial and non-financial results, the capital structure, corporate governance, the social and environmental impact, the internal control and risk management system and the remuneration policies (so-called "Shareholder-Director Engagement" or "S-DE").

Board of Directors

In accordance with article 20.1.1. of the By-Laws, the Board of Directors is composed of 15 (fifteen) directors, including non shareholders, including a Chairman and a Vice Chairman appointed by the Shareholders' Meeting in accordance with the provisions of article 20.8 of the By-Laws.

On the basis of article 20.1.2. of the By-Laws, the composition of the Board of Directors guarantees gender balance, in compliance with the law, even of a regulatory nature, applicable from time to time.

In this regard, it should be noted that, in compliance with the legal and regulatory provisions that govern equal access to the Management bodies of listed companies on regulated markets, the current Board of Directors of Banco BPM is composed of 6 directors out of 15 belonging to the less represented gender.

Subject to any other provisions of law applicable from time to time, at least 8 (eight) directors must meet the independence requirements set out under article 20.1.6. of the By-Laws.

Pursuant to article 24 of the By-Laws, the Board of Directors is responsible for strategic supervision and business management. For this purpose, the Board of Directors may take all actions that are necessary, useful or appropriate to implement the corporate purpose, relating to both ordinary and extraordinary course of business, and has the right to permit the release or reduction of mortgages even against the non-integral payment of the receivable, including through delegated parties.

The table below provides information on each member of the Board of Directors in office as of 31 December 2024:

Name and surname	Office held	Year of birth	Date of first appoin tment	In office from	In office to	List I	Exec. II	Indep. Articles of Associat ion III	Indep. C.C.G. (code of corporate governan ce)IV	Indep. Cons. Law on FinanceV	% BoDVI	Other position VII
Massimo Tononi	Chairman, Director	1964	4-Apr-2020 28-Feb-2020	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	1
Maurizio Comoli	Vice Chairman, Director	1958	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	5
Giuseppe Castagna	Chief Executive Officer, Director	1959	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	YES	NO	NO	NO	100%	1
Mario Anolli	Director	1963	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	95%	1
Paolo Boccardelli	Director	1971	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	3	NO	YES	YES	YES	100%	1
Paolo Bordogna	Director	1958	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	85%	2
Nadine Farida Faruque	Director	1960	4-Apr-2020	20-Apr 2023	Approv. financial statements as at 31.12.2025	3	NO	YES	YES	YES	100%	1
Paola Ferretti	Director	1967	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	0
Marina Mantelli	Director	1956	4-Apr-2020	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	95%	2
Chiara Mio	Director	1964	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	3
Alberto Oliveti	Director	1953	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	2
Mauro Paoloni	Director	1960	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	2	NO	NO	NO	YES	100%	4
Eugenio Rossetti	Director	1956	4-Apr-2020	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	3
Manuela Soffientini	Director	1959	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	80%	3

Luigia Tauro	Director	1962	4-Apr-2020	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	1
I: This column shows the number of the source list based on the order of presentation of the lists.

II: This column indicates the Directors who are considered "executive" pursuant to the Code of Corporate Governance.

III: This column indicates whether or not the Directors fulfil the independence requirement pursuant to article 20.1.6. of the Articles of Association.

IV: This column indicates whether or not the Directors fulfil the independence requirement pursuant to the application criterion indicated in article 2 of the Code of Corporate Governance.

V: This column indicates whether or not the Directors fulfil the independence requirement pursuant to article 148, paragraph 3 of the Consolidated Law on Finance (TUF).

VI: This column indicates the attendance, in percentage terms, at the meetings of the Board of Directors held in 2024, taking the term of office as reference.

VII: This column shows the total number of directorship, management and control positions held in other listed, financial, banki ng, insurance or significantly sized companies; the latter have been identified in light of the provisions set forth in the Regulation "Limits to number of offices" adopted by Banco BPM. The detailed list of positions is provided in annex 1 to this report.

Board of Statutory Auditors

In compliance with article 33.3. of the By-Laws, the composition of the Board of Statutory Auditors ensures, in compliance with the provisions of Italian Law no. 120 of 12 July 2011, as amended, as well as the legislation and regulations in force at the time, gender balance for the period envisaged under the same law.

In this regard, it should be noted that, in compliance with the legal and regulatory provisions that govern equal access to the control bodies of listed companies on regulated markets, two standing auditors out of five belong to the less represented gender on the current Board of Statutory Auditors of Banco BPM.

The table below provides information on each member of the Board of Statutory Auditors in office until 31 December 2024:

Name and Surname	Office held	Year of birth	Date of first appointment	In office from	In office from	List I	Indep. Cons. Law on FinanceII	Indep. CodeIII	% B.S. A.IV	Other Positi onsV
Marcello Priori*	Chairman	1964	01-Jan-2017	20-Apr-2023	Approval of financial statements as at 31.12.2025	3	YES	YES	100%	4
Elbano De Nuccio	Standing Auditor	1970	20-Apr-2023	20-Apr-2023	Approval of financial statements as at 31.12.2025	2	YES	YES	82%	3
Maurizio Lauri*	Standing Auditor	1962	04-Apr-2020	20-Apr-2023	Approval of financial statements as at 31.12.2025	1	YES	YES	80%	3
Silvia Muzi*	Standing Auditor	1969	15-Apr-2021	-Apr-2023	Approval of financial statements as at 31.12.2025	2	YES	YES	100%	5
Nadia Valenti	Standing Auditor	1974	04-Apr-2020	20-Apr-2023	Approval of financial statements as at 31.12.2025	1	YES	YES	100%	1
Sara Antonelli	Alternate Auditor	1989	20-Apr-2023	20-Apr-2023	Approval of financial statements as at 31.12.2025	3	YES	YES	-	12

Marina Scandurra*	Alternate Auditor	1969	20-Apr-2023	20-Apr-2023	Approval of financial statements as at 31.12.2025	2	YES	YES	-	15
Mario Tagliaferri*	Alternate Auditor	1961	20-Apr-2023	20-Apr-2023	Approval of financial statements as at 31.12.2025	1	YES	YES	-	8

I: This column shows the number of the source list based on the order of presentation of the lists.

II: This column indicates whether or not the Statutory Auditors fulfil the independence requirement pursuant to article 148, paragraph 3, of the Consolidated Law on Finance.
III: This column indicates whether or not the Statutory Auditors meet the independence requirement in accordance with the Code of Corporate Governance.
IV: This column indicates the attendance, in percentage terms, at the meetings of the Board of Statutory Auditors held in 2024, taking the term of office as reference.
V: This column shows the total number of directorship, management and control positions held in other listed, financial, banking, insurance or significantly sized companies; these have been identified in light, in terms of uniformity of information, of the provisions set forth in the Regulation "Limits to the number of offices" adopted by Banco BPM. The detailed list of positions is provided in annex 3 to this report.

* Enrolled in the Register of Auditors established with the Italian Ministry of Justice.

		Internal Board Committees

Appointments Committee	Remuneration Committee	Internal Control and Risk Committee	Related Parties Committee	Sustainability Committee
Pursuant to article 24.4.1.of the By Laws, the Board of Directors shall establish an Appointments Committee internally, approving the Regulation which determine its responsibilities and operation, in accordance with the Supervisory Regulations. The Bank's By Laws establish that the Appointments Committee will comprise 3 (three) Directors, all non executive and the majority of whom (including the individual appointed as Chairman) will meet the independence requirements established in the By-Laws. All members must possess, individually and collectively, adequate knowledge, skills and expertise regarding the selection process and adequacy requirements, also pursuant to the Guidelines prepared by the competent Authorities. The Appointments Committee, established by the	Pursuant to article 24.4.1. of the By-Laws, the Board of Directors shall establish a Remuneration Committee internally, approving the Regulation, which determine its responsibilities and operation, in accordance with the Supervisory Regulations. The Bank's By-Laws establish that the Remuneration Committee shall Comprise three Directors, all non executive and the majority of whom (including the individual appointed as Chairman) shall meet the independence requirements established in the Articles of Association. At least one member of the Committee must have suitable knowledge and experience in the financial field or of remuneration policies. The Remuneration Committee, established by the Board of Directors at the meeting on 10 January 2017 and renewed by board resolution of 26 April 2023,	Pursuant to article 24.4.1. of the By-Laws, the Board of Directors establishes an Internal Control and Risk Committee, drafting the Regulation, most recently updated at the meeting of 29 May 2023, regulating its responsibilities and operations in compliance with the Supervisory Provisions for Banks and other relevant regulations and the Code of Corporate Governance to which Banco BPM S.p.A. has adhered. The Bank's By-Laws establish that the Committee will comprise five Directors, all non-executive and the majority of whom (including the individual appointed as Chairman) will meet the independence requirements established in the By-Laws. It is also expected that the members of the Committee have the knowledge, expertise and experience to be able to fully understand and monitor the Group's risk strategies and guidelines; at least one member of the Committee must have suitable experience in accounting and financial matters, or in risk management. The composition of the Committee also meets the requirements of the following: − the Code of Corporate Governance which requires the Committee to possess, as a whole, adequate expertise in the sector in which the company operates (requirement conducive to evaluating its	Pursuant to article 24.4.1. of the By-Laws of Banco BPM S.p.A, the Board of Directors shall establish a Related Parties Committee internally, approving the Regulation, which will determine its responsibilities and operation in accordance with prevailing laws and regulations. The Related Parties Committee will comprise three Directors in accordance with the By Laws, all of whom meet the independence requirements pursuant to the Articles of Association; it shall be in charge of ensuring the linear, unequivocal management of the CONSOB rules on Related Parties and the Provisions of the Bank of Italy on risk activities and conflicts of interest with respect to Connected Persons. The Related Parties Committee, established by the Board of Directors at the meeting on 10 January 2017 and renewed by board resolution of 7 April 2020, comprises the following three Directors on the date of this report (and until the approval of the financial statements for 2025): - Paolo Boccardelli (Chairman); - Paola Ferretti; - Luigia Tauro. All members of the Committee meet the statutory independence	Pursuant to art. 24.4.1. of the By-Laws, the Board of Directors has the power to establish, by drawing up specific regulations, additional committees to those already named with advisory, investigative and propositional powers. At its meeting of 26 April 2023, the Board of Directors set up a specific Sustainability Committee in order to further develop what had been ensured up to then by the Internal Control, Risk and Sustainability Committee (renamed the "Internal Control and Risk Committee"). The Sustainability Committee offers support in the assessment and in-depth analysis of ESG issues related to the Bank's operations and in the approval of strategic guidelines and policies on sustainability, including the social and cultural responsibility model and the fight against climate change, helping to ensure the best control of risks and taking into account the objectives of solid and sustainable creation and distribution of value for all stakeholders. The tasks and functions of this new Committee have been laid down in the relevant "Sustainability Committee Regulation". This Regulation establishes that the Committee shall be composed of three Directors, all non-executive and the majority of whom (including the individual appointed as Chairman of the Board of Directors) will
Board of Directors at the meeting on 10 January 2017 and renewed by board resolution of 26 April 2023,	comprises the following three Directors on the date of this report (and until the approval of the financial statements	associated risks) and at least one member to have adequate accounting and financial or risk management experience; − the Committee	requirement. The Committee fulfils its duties and exercises the powers attributed to the independent directors: a) from article 2391-bis of	meet the independence requirements established in the By-Laws. It is also stipulated that Committee members must possess knowledge, skills and experience to fully

comprises the Following three Directors on the date of this report (and until the approval of the financial statements for 2025): − Mario Anolli (Chairman); − Marina Mantelli; − Chiara Mio. All members of the Committee are non executive, a majority of whom are independent, including the Chairman. The Appointments Committee is responsible for the functions and tasks assigned to it by the Code of Corporate Governance and the applicable supervisory regulations (see Circular no. 285/2013, First Part, IV, Chapter 1, Title Section IV).	for 2025): − Manuela Soffientini (Chairman); − Paolo Bordogna; − Mauro Paoloni. All members of the Committee are non-executive directors, independent (including the Chairman) and collectively possess the necessary professional knowledge, expertise and experience regarding the remuneration policies and practices and the risk management and control activities. The Remuneration Committee is responsible for the functions and tasks assigned to it by the Code of Corporate Governance and the applicable supervisory regulations (see in particular Circular no. 285/2013, First Part, Title IV, Chapter 2, Section II, as recently amended by the 37th update of 24 November 2021).	Regulation, pursuant to which the members must have such knowledge, expertise and experience as to be able to fully understand and monitor the strategies and risk guidance of the Group. The Committee, renewed by board resolution of 26 April 2023, comprises the following five Directors on the date of this report (and until the approval of the financial statements for 2025): - Eugenio Rossetti (Chairman); - Mario Anolli; - Maurizio Comoli; - Nadine Faruque; - Paolo Bordogna. All members of the Committee are non executive, a majority of whom are independent, including the Chairman. The Internal Control and Risk Committee is charged with the duties envisaged by the supervisory provisions of the Bank of Italy, the By-Laws as well as the Code of Corporate Governance, in particular performing duties to assist the Board of Directors of the Issuer with regard to risks and the internal control system, the scope of which applies to the entire Group.	the Italian Civil Code and related implementing and regulatory provisions (CONSOB Decision no. 17221 of 12 March 2010 and subsequent amendments and additions, CONSOB Communication DEM/10078683 of 24 September 2010 and subsequent amendments and additions) and company rules (Regulation of the Procedures to Govern Related Party Transactions adopted by Banco BPM S.p.A.); b) by article 53, paragraphs 4 and 4- quarter of the Consolidated Banking Law and related implementing and regulatory provisions (Bank of Italy Circular no. 285/2013 and subsequent amendments and additions) and company rules (Regulation on the Procedures relating to risk activities and conflicts of interest with respect to Connected Persons adopted by the Parent Company and the other Group Banks).	understand and monitor the pursuit of the Group's strategies and guidelines in the area of sustainability and its "Environmental, Social and Governance" dimensions; at least one Committee member must have adequate experience in the area of sustainability. As of the date of this report (and until approval of the financial statements for 2025), the Committee consists of the following three Directors: - Luigia Tauro (Chairman); - Chiara Mio; - Alberto Oliveti. All members of the committee are non executive and independent directors, including the Chairman of the Board of Directors. With regard to the scope of its activities, it should be noted that the Committee collaborates and coordinates with the Internal Control and Risk Committee and the Remuneration Committee of the Bank, as well as with the Committees within the Boards of Directors of the other Group companies, through its Chairman, without prejudice to the responsibilities of each Committee.

Board of Directors

	Board of Directors
Appointment 20 April 2023
Duration	three financial years
Expiry	approval of financial statements as at 31 December 2025
Members	15
Directors from less represented gender	6
Executive Directors	1
Independent Directors	13
Average age	63.33

Board of Directors statistics

Meetings of the Board of Directors

Number of meetings in 2024	20
Average duration (h)	4:46
Percentage attendance	97%
Meetings of Independent directors	1
Meetings scheduled for 2025	17

Board of Statutory Auditors

	Board of Statutory Auditors
Appointment	20 April 2023
Duration	three financial years
Expiry	approval of financial statements as at 31 December 2025
Members	5
Statutory auditors from less represented gender	2
Average age	54.25

Board of Statutory Auditors statistics

Average age 54.25 years old.

Meetings of the Board of Statutory Auditors

Number of meetings in 2024	34
Average duration (h)	3:05
Percentage attendance	92.35%
Meetings scheduled for 2025	33

Internal Board Committees

	Appointments Committee	Remuneration Committee	Internal Control and Risk Committee	Related Parties Committee	Sustainability Committee
Members	3	3	5	3	3
Number of meetings in 2024	21	23	23	4	17
Average meeting duration (h)	0:49	1:17	4:57	0:22	1:32

THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM

The Internal Control System comprises the set of rules, functions, structures, resources, processes and procedures which, in order to contribute to the sustainable success of the company, aim to ensure, in respect of sound and prudent management, the pursuit of the	• verification of the implementation of company strategies and policies; • reduction of risk within the limits indicated in the reference framework for determining the Group's risk appetite (Risk Appetite Framework - "RAF"); • safeguarding of the value of assets and protection against losses; • effectiveness and efficiency of company processes; • reliability and security of company information and IT procedures; • prevention of the risks of involvement, including involuntarily, in unlawful activities, to which the Group is exposed (with particular reference to
following objectives:	those connected with money laundering, usury and financing of terrorism);
	• operating and regulatory compliance with respect to the law, the supervisory regulations as well as the internal policies, plans, regulations and procedures.

The Internal Control System
comprises the set of rules,
functions, structures, resources,
processes and procedures
which, in order to contribute to
the sustainable success of the
company, aim to ensure, in
respect of sound and prudent
management, the pursuit of the

•
verification of the implementation of company strategies and policies;
•
reduction of risk within the limits indicated in the reference framework for
determining the Group's risk appetite (Risk Appetite Framework - "RAF");
•
safeguarding of the value of assets and protection against losses;
•
effectiveness and efficiency of company processes;
•
reliability and security of company information and IT procedures;
•
prevention of the risks of involvement, including involuntarily, in unlawful
activities, to which the Group is exposed (with particular reference to

following objectives:

those connected with money laundering, usury and financing of
terrorism);

•
operating and regulatory compliance with respect to the law, the
supervisory regulations as well as the internal policies, plans, regulations and
procedures.

Internal control functions

From a technical-operational standpoint, the internal control system includes, in addition to the line controls carried out by the operational structures and incorporated in the IT procedures (first level controls), the internal second level (Risk, Internal Audit, Compliance, Anti-money Laundering), and third level (Audit) control functions.

ENVIRONMENTAL, SOCIAL AND GOVERNANCE (ESG)

With reference to Environmental, Social and Governance (ESG) topics, the Sustainability Committee supports the Board of Directors in defining and approving the Group's strategic guidelines, also monitoring the Group's activities in this area in line with the strategic guidelines. In order to monitor the sustainability matters, a specific managerial committee has also been set up called the "Environmental, Social and Governance Committee" (ESG) — Chaired by the CEO — which has proposal-making tasks in order to define the Group's social responsibility model and to supervise the implementation of the company strategies and initiatives regarding Environmental, Social and Governance matters.

1 PROFILE OF THE ISSUER

The governance of Banco BPM, intended as the set of rules that governs and controls the company and that it has to refer to in order to provide guidelines for its line of conduct and to fulfil its responsibilities with respect to the shareholders, investors and all the stakeholders, is in line with the principles indicated in the new Code and the recommendations made by CONSOB to that effect, and also takes account of the specific nature of Banco BPM, a company resulting from the merger between two companies established as cooperatives and "people's" banks, with strong roots in their respective territories.

The governance adopted by Banco BPM is also in line with the best practices that can be found at a national and international level, where the goal is to ensure an adequate distribution of responsibilities and powers through a proper balance between management and control functions.

Banco BPM adopted, upon its establishment, the traditional governance system, based on the presence of a Board of Directors and a Board of Statutory Auditors pursuant to articles 2380-bis et seq. of the Italian Civil Code.

In establishing the corporate governance structure, account was always taken of the instructions, for listed issuers, contained in the Borsa Italiana Code and the new Code, and when defining the division of powers, special attention was paid to protecting the various roles of the Bodies (Board of Directors, Chairman of the Board of Directors, Chief Executive Officer, General Manager where appointed, Co-General Managers and Board of Statutory Auditors), also in accordance with their respective responsibilities, both with respect to general law and regulations, while ensuring the necessary coordination of their actions.

In accordance with the provisions of prevailing law, Banco BPM identified, within the scope of its governance, its corporate bodies which, as at the date of this report, are organised as described below:

− the Shareholders' Meeting, which generally meets once a year to decide on, inter alia, the approval of the financial statements for the financial year, the allocation and distribution of the profits, the appointment of the members of the Board of Directors and the Board of Statutory Auditors, determining their remuneration;
− the Board of Directors, comprising 15 members;
− the Chairman of the Board of Directors;
− the Vice Chairman of the Board of Directors;
− the Chief Executive Officer;
− the General Management, comprising two Co-General Managers;
− the Board of Statutory Auditors, comprising 5 Standing Auditors and 3 Alternate Auditors.

With reference to the organizational structure of Banco BPM and the relevant top management, reference is made to the institutional website www.gruppo.bancobpm.it in the following section: "Corporate Governance > Top Management and Organizational Structure".

Banco BPM can also operate using, inter alia, as traditional distinctive marks of local significance "Banca Popolare di Verona", "Banca Popolare di Verona - Banco S.Geminiano e S.Prospero", "Banco S. Geminiano e S. Prospero", "Banca Popolare di Lodi", "Banca Popolare di Novara", "Cassa di Risparmio di Lucca Pisa Livorno", "Cassa di Risparmio di Lucca", "Cassa di Risparmio di Pisa", "Cassa di Risparmi di Livorno", "Credito Bergamasco", "Banco San Marco", "Banca Popolare del Trentino", "Banca Popolare di Cremona", "Banca Popolare di Crema", "Banco di Chiavari e della Riviera Ligure", "Cassa di Risparmio di Imola", "Banco Popolare Siciliano", "Banca di Legnano" and "Cassa di Risparmio di Alessandria", "Banca Popolare di Milano" and the names and/or trademarks or distinctive marks used over time by BP and BPM and any companies merged into the Company over time.

The Company operates in accordance with the values represented by strong roots of BP and BPM in their respective historical areas.

The Company is organised into territorial Departments ("Departments") corresponding to one or more of the areas in which they had been traditionally rooted.

The most significant elements that describe the Banco BPM governance system include:

− the central importance of the Shareholders, which materialises especially at the Shareholders' Meeting, a significant and essential event in the life of the bank;
− the role of the Board of Directors in charge of the strategic supervision and management of the social enterprise that it exercises using the support of the Chief Executive Officer and General Management;
− the role of the Board of Statutory Auditors, which exercises the control functions provided under prevailing law and more specifically which oversees: a) compliance with laws, regulations and the By-Laws as well as compliance with the principles of proper administration; b) the adequacy of the Company's organisational and administrative/accounting structure and the financial reporting process; c) the effectiveness and adequacy of the risk management and control system, as well as the internal audit system, and the functioning and adequacy of the overall internal control system; d) the separate and consolidated accounts auditing process; e) the independence of the auditing firm, particularly as regards the provision of non-auditing services.

UPDATE OF THE STRATEGIC PLAN

In the course of the meeting held on 11 February 2025 approved the update of the Strategic Plan of the Group for the next 3 years, i.e. until 2027.

***

The update of the Strategic Plan (and the relevant targets) was developed taking into account firstly the unique and distinctive competitive positioning that Banco BPM holds in the Country, in particular:

A "best-in-class" territorial footprint, favored by the concentrated presence in the most dynamic and richest regions of Italy (75% of the resources toward core customers and 76% of retail branches concentrated in the regions of Northern Italy);
A solid business model capable of providing a wide and complete range of products and financial services, which relies on a complete set of product factory, as an enabling factor of a strong oversight on specialized sectors with high added value and of a competitive distribution franchise. Namely:
- o Some product factories are "in house": Asset management (Anima) and Life insurance (Banco BPM Vita, Vra Vita and BPM Life);
- o Others structured as Joint Ventures: Non life-insurance (Banco BPM Assicurazioni, Vera Assicurazioni), Consumer Credit (Agos), Payments (Numia).

In particular, with specific reference to the oversight on the specialized sectors constituted by Banco BPM and the events occurred in the course of the 2024 financial year:

During the third quarter of 2024, the Numia transaction was successfully completed, creating the second national player in the payments system. Banco BPM holds a 28.6% stake in Numia Group (other shareholders FSI 42.9%, BCC Banca 28.6%). The process towards full operation of the JV has already begun, starting with the migration of the POS network, which is expected to be completed in 2025, together with the launch of the distribution of issuing products;
On 6 November 2024, Banco BPM Vita launched a voluntary public tender offer for all the shares of Anima Holding, which has been a strategic partner of Banco BPM for over 15 years. This offer is mainly aimed at strengthening the business model of Banco BPM Vita, as part of the transformation of the latter into a product factory integrated by Life Insurance and Savings Management.

The update of the Strategic Plan also relies on a new starting point, the financial year 2024, which for Banco BPM was a year of unprecedented excellent results, above the 2026 targets of the 2023-26 Strategic Plan for the main KPIs. These results also made it possible to increase shareholders' remuneration to historic highs.

The over performance achieved in 2024 is further confirmation of a solid and reliable track record built up over the years and of the reliable and constant commitment of the management in the path of significant growth and creation of sustainable value of the Bank:

• Profit acceleration: 2024 adjusted net profit equal to Euro 1.691 billion (compared to a value equal to Euro 710 million in 2021), a result >+Euro 300 million compared to the 2024 guidance of the 2023-2026 Strategic Plan (equal to Euro 1.360 billion);

Reduction of impaired loans: 2024 Gross NPE ratio equal to 2.8% (compared to a value of 5.8% in 2021), already below the 3% target threshold for 2026 of the 2023-26 Strategic Plan;
capital solidity: CET1 ratio of 15% in 2024 (compared to 13.4% in 2021), in line with the 15% threshold of the 2024 guidance of the 2023-2026 strategic plan.

The above has allowed the generation of unprecedented value for shareholders, with an extraordinary performance of the stock, which has grown by +770% in the last 5 years (from May 2020 to early February 2025), as well as the dividend yield which ranks among the top performers at European level for 2024 (at 11.2%)3.

In light of the above, the Bank has updated its Strategic Plan targets, defining new performance targets as of 2027 that are even more ambitious, but at the same time credible, maintaining the same growth drivers as the 2023-2026 Strategic Plan, but starting from the extraordinary results of 2024, and with even higher shareholder remuneration targets.

The update of Banco BPM's Strategic Plan is based on the same 7 strategic pillars of the 2023-26 Plan, with the addition of a new pillar that factors in Anima's integration, starting from the second half of 2025, as an enabling factor of an evolutionary and transformative path in an integrated player in the asset management sector.

Banco BPM's macro strategy for the next three years will be as follows:

To consolidate the vocation as a bank close to business and PMI;
To confirm the will to strength the wealth management and the life insurance;
To foresee the development of product factories from the perspective of strengthening a more diversified business model with higher added value;
To focus on strengthening the multi-channel approach for an increasingly digital bank;
To confirm the innovation as a priority to make the bak more "lien" and more safe with regard to cyber matters;
To aim to be close to people and the community, supporting their growth;
To confirm the will to further strengthen the Group's equity profile;

In consideration of the strategic framework outlined above, the planned ambition is to achieve a net profit of Euro2.15 billion by 2027 (starting from the excellent result of Euro1.69 billion adjusted to 2024), which reflects:

A downward trend in the interest margin, against a less favourable macroeconomic scenario less favourable (average 3 m EURIBOR at 2% in 2026-2027);
The increase in the non-interest income component of approx. Euro 0.45 billion, of which approx. Euro 0.28 billion from commissions, which benefit from the full operation of the main product factories, as well as from the growing commissions thanks to the strategic partnership with Anima;
The decrease in the total cost base, equal to approximately Euro0.06 billion, thanks to the rigorous cost containment activities to deal with inflationary dynamics, already implemented by the Bank, able to compensate for the increase in amortization in line with the investment plan;
Anima's contribution to net profit of approximately Euro0.2 billion, based on the latest market consensus estimates for Anima's profit and loss items, also including a conservative estimate of revenue and cost synergies.

At the end of the plan, ROTE >24% is expected, favored by an improvement in the business mix, the result of a transformation process, already undertaken by the Bank and which will continue throughout the plan, towards a business model with greater added value, with an ever-increasing contribution to net profit in 2027 from Wealth & Asset Management, of the Protection sector and Specialty Banking Solutions, whose impact is expected to reach ~45-50%, compared to ~50-55% for commercial banking.

As far as the quality of the assets, the Strategic Plan also envisages the continuation of intense workout

³ Calculated on the closing prices as of 11 February 2025.

activities that will allow us to reach a gross NPE ratio of ~3.0% and a cost of risk of 40 bps at the end of the plan.

In terms of shareholder remuneration, management is committed to achieving over Euro6 billion in cumulative remuneration 2024-2027 (+Euro 1 billion of additional distribution following positive feedback on the application of the regulatory treatment of the so-called Danish Compromise), compared to the Euro 4 billion cumulative over the plan period envisaged in the 2023-2026 Strategic Plan. The capital position remains solid (CET1 ratio >13% throughout the plan period). Danish Compromise), compared to the Euro 4 billion accumulated over the plan period envisaged in the 2023-2026 Strategic Plan. The capital position remains solid (CET1 ratio >13% throughout the plan period, >14% factoring in a positive outcome on the application of the regulatory treatment of the so-called Danish Compromise).

MAIN AMBITIONS IN THE FIELD OF ESG SUSTAINABILITY

The Banco BPM Group continues to be strongly committed to supporting the ESG sustainability paths of its customers, favoring i) the decarbonization of production processes in support of the transition to an economy with zero net greenhouse gas emissions, in line with the objectives of the European Green Deal, ii) support for the territories in which Banco BPM operates and the communities present therein, including through training and awareness-raising initiatives on sustainability issues and the provision of contributions for the development of social and environmental projects, iii) the promotion of interventions aimed at ensuring the productive and housing continuity of our stakeholders and, finally, iv) ESG training activities for Group employees, an indispensable vehicle for the development and dissemination of ESG culture among our stakeholders.

At the same time, Banco BPM is constantly looking for actions aimed at minimizing the direct impact on people and the environment resulting from its operations, and is strongly committed to the activities necessary to mitigate the consequences that ESG sustainability issues have on its risk profile, also taking advantage of the significant opportunities offered by the implementation of a new paradigm aimed at combining the company's economic and financial performance with the climate and environmental sustainability of the business in the medium and long term, with full respect for the social and working environment.

In particular, with regard to Environmental initiatives, over the course of the Plan the Group expects to increase new medium and long-term loans to support decarbonization projects and/or counterparties operating in sectors with low greenhouse gas emission levels, significantly increasing from 2024 onwards, up to Euro7 billion per year.

Furthermore, as evidence of the Group's contribution in supporting the transition of its Corporate customers towards a carbon-free economy, after having published in August 2024 the intermediate decarbonization targets for 2030 of its Banking Book credit and securities portfolios for each of the 5 priority sectors identified within the first wave of the Net-Zero Banking Alliance, during the three-year period of the Plan, the related Transition Plans will be defined and published, aimed at illustrating the ways in which Banco BPM plans to achieve the aforementioned targets, as well as evaluating the possible extension of the NZBA perimeter and approach to additional sectors of economic activity characterized by production processes with high greenhouse gas emission intensity.

Actions aimed at containing direct Scope 1 and 2 emissions deriving from the Group's operations will also continue, and in 2027, are expected to decrease by about 1% to 10.9 thousand tons compared to 20244, as well as direct energy consumption, which will be reduced by at least 3%, falling below 472 thousand GigaJoules.⁵

In the Social field, the Group will further accelerate the virtuous path of valorization of female personnel, increasing the incidence of women in managerial positions to 36% by the end of 2027, more than 5 p.p. higher than the 2024 data. Furthermore, Banco BPM's contribution to the local area and community will be realized through the hiring of #800 units by 2026 for generational turnover6. In 2027, the Group's employees

⁴ Excluding GAS HFC losses.

⁵ Excluding real estate properties leased to third parties.

⁶ Not including further no. 100 new hirings at open-ended term.

will also be able to benefit from 200 thousand hours of ESG training per year, compared to 178 thousand in 2024, while at the end of the Plan, the hours worked in smart working by office staff will reach 40% of the total. Finally, by the end of 2027, new loans to the third sector will exceed euro 250 million, an increase of over 25% compared to 2024.

In the area of Governance, Banco BPM's attention to potential problems arising from exposure to IT risks is demonstrated by its commitment to increase the number of cyber security specialists in the IT department to 15% of the total workforce. This will further improve the prevention of cyber attacks and the mitigation of their impacts, also to protect customers who favour the use of digital channels to access the products and services offered by the Group. In addition, activities aimed at integrating ESG sustainability aspects into the credit, financial, insurance and asset management businesses in which the Group operates will continue, strengthening the frameworks for the collection, control and use of ESG data that will allow the development of adequate methodologies necessary to calculate sustainability metrics which, through even more efficient IT procedures and adequately regulated internal rules, can be used in the main corporate governance, control and operational processes.

Finally, with reference to ESG finance, as part of its Green, Social and Sustainability Bond Framework, Banco BPM plans to issue bonds totaling euro 5 billion over the three-year period of the Plan, while the cumulative amount of ESG bond issues followed by Banca Akros as joint bookrunner or lead manager is expected to reach euros 19.5 billion. In terms of investments supporting sustainability, ESG bonds will reach 40% (from 35.0% recorded as of December 31, 2024) of the total non-government proprietary portfolio accounted for in the Banking Book and managed by the Parent Company's Finance department from 2026.

The Strategic Plan is available on the website www.gruppo.bancobpm.it, in the Investor Relations section, Presentations.

SUSTAINABILITY REPORTING

With reference to information on sustainability, Banco BPM publishes a specific consolidated sustainability reporting ("Sustainability Reporting") drawn up in accordance with Legislative Decree no. 125 of September 6, 2024, and in compliance with the sustainability reporting principles defined in Commission Delegated Regulation (EU) 2023/2772 of July 31, 2023, which is an integral part of the "Management Report" and is available in the "Annual Financial Report as of December 31, 2024" published, inter alia, on the company website www.gruppo.bancobpm.it (section "Investor Relations" - Financial Statements and Reports).

The information on corporate governance, included in the Sustainability Reporting and relevant for the purposes of this document, are referred to from time to time, by means of specific cross-references, in the relevant sections.

Furthermore, unless otherwise specified, the sections that refer to the content of the relevant ESRS are also to be understood as referring to the definitions of the ESRS themselves, in particular those relating to: lobbying activities, value chain, affected communities, corruption and bribery, corporate culture, consumer, sustainability statement, employee, discrimination, supplier, own workforce, impacts, sustainability-related impacts, value chain worker, non-employees, independent board member, metrics, business model, harassment, targets, opportunities, sustainability-related opportunities, administrative, management and supervisory bodies, policy, indigenous peoples, stakeholders, sustainability matters, materiality, risks, sustainability-related risks, end-users.

***

The Corporate Governance Plan

A corporate governance structure and efficient organisational structure are essential conditions – at both regulatory and application level – for the correct operation of credit institutions and, therefore, for the entire banking sector and the economy in general. Banks play a crucial role in the economy since they hold the funds of savers on the one hand, while also providing resources to support the activities that support businesses and stimulate economic growth.

Therefore, the organisational structures and corporate governance of a bank, in addition to meeting the interests of companies, must also ensure that the conditions for sound and prudent management are in place, an essential objective in regulatory and supervisory controls.

In said frame of reference, the Bank of Italy, with Circular no. 285 of 17 December 2013, containing the "Supervisory Provisions for banks" (hereinafter "Circular 285"), issued general principles and guidelines on

corporate governance in order to reinforce the minimum principles of corporate organisation and governance of banks and to ensure "sound and prudent management" (as provided for under article 56 of Italian Legislative Decree 385/1993). Specifically, the First Part - Title IV - Chapter 1 of Circular 285, in line with European principles and guidelines7, sets out a framework of rules, principles and guidelines that, as a whole, comprise an organic set of rules and regulations of the role and function of the administration and control bodies, and their relationships with the company departments. In order to define the company strategies and management and control policies for risks that are typical of banking and financial activities, the corporate governance system takes on central importance.

The Bank of Italy, with Circular 285, decided to pursue the following objectives: (i) clear distinction between functions and responsibilities, (ii) appropriate balance of powers between the corporate bodies, (iii) balanced composition of the corporate bodies, (iv) effectiveness of the controls, (v) oversight of all company risks; (vi) remuneration mechanisms in line with the risk management policies and long-term strategies, and (vii) adequacy of the information flows.

The above-mentioned law assigns intermediaries the task of identifying the most suitable solutions on an independent basis, and creating, in accordance with criteria of proportionality, the general standards in this area. More specifically, the actual choice of corporate governance adopted may change in accordance with the size, organisational and operational characteristics of the company and if the company shares are listed on the stock exchange.

In order to pursue the objectives indicated, Circular 285 introduced the following obligations for banks:

(i) to exercise their power of choice between the three administration and control systems provided for under the Italian Civil Code (traditional, dualistic and one-tier) on the basis of an in-depth self-assessment that takes account of specific, identified elements;
(ii) to draw up and update a Corporate Governance Plan each time there are significant organisational changes which both sets out the reasons behind the choice of the administration and control model, and also illustrates the structure of the By-Laws and internal governance model.

In the case of a banking group, the Corporate Governance Plan drawn up by the Parent Company will also illustrate the choices made to ensure the effectiveness and efficiency of the management and control systems at a consolidated level, acknowledging the organisational structures adopted by subsidiaries.

In this frame of reference, since Banco BPM is a banking company that was established on 1 January 2017 due to its "own" merger between Banco Popolare Società Cooperativa and Banca Popolare di Milano S.c. a r.l., the Board of Directors of Banco BPM, at its meeting of 13 June 2017, approved the Corporate Governance Plan for the Banco BPM Group, updated on 17 January 2023, the essential sections of which are set out in this document.

The Merger was carried out in accordance with Italian Decree Law no. 3 of 3 January 2015, converted with amendments by Italian Law no. 33 of 24 March 2015 (known as the people's banks reform), which established the obligation for people's banks with assets of more than Euro 8 billion to implement, within 18 months from the entry into effect of the implementation provisions issued by the Bank of Italy in accordance with article 29 of the Consolidated Banking Law (by 27 December 2016), the measures needed to ensure compliance with article 29, paragraph 2-ter, of the Consolidated Banking Law, and more specifically: (a) voluntary winding-up or (b) reduction of the assets below the threshold, or (c) transformation into a company limited by shares. In essence, the Merger, and specifically, the proposed merger (the "Merger Plan"), approved by the extraordinary shareholders' meetings of the two companies joined in the Merger on 15 October 2016, led to the transformation of Banco Popolare and BPM from people's banks to a company limited by shares (known as a "transformational merger").

Moreover, the Merger is based on (and justified by) an industrial rationale that overrides the merely transformational effects that originate from the transaction.

To that end, the corporate governance structure reflected in the By-Laws is the result of the understandings reached by Banco Popolare and BPM, submitted to the ECB for examination, which, in the exercise of the oversight functions carried out within the scope of the preliminary inquiry carried out before

⁷ The reference is to the document (called "Guidelines - Corporate Governance principles for banks") published in July 2015 by the Basel Committee and containing the guidelines and principles on corporate governance for banks.

the issue of the legal authorisation, provided certain instructions in order to ensure that the entity resulting from the Merger would have clear, efficient governance, with special reference to the performance of the corporate bodies.

Consider also that the listing of the Banco BPM shares with the Electronic Stock Exchange organised and managed by Borsa Italiana S.p.A. ("MTA", now Euronext Milan) at the same time as the Merger taking effect led to application by the Company of the requirements and/or recommendations provided by Circular 285 and amended by the Code of Best Practice for listed companies approved by Borsa Italiana.

The Corporate Governance Plan, in accordance with the provisions of the Supervisory Provisions:

− illustrates the reasons why the administration and control model chosen for the Parent Company and the Subsidiary Banks is the most suitable to ensure the efficiency of management and the effectiveness of the controls;
− describes the specific choices relating to the organisational structure, shareholder rights, the financial structure and the mechanisms to manage conflicts of interest;
− provides, in the case of the Parent Company, an adequate representation of and the reasoning behind the connections between the corporate bodies and departments of the various divisions, with specific attention to the profiles relating to the control system.

The above-mentioned provisions of the Bank of Italy give the banks the independent right to identify the most suitable solutions with regard to the corporate governance choices in accordance with the size, organisational and operational characteristics of the company. More specifically, the New Supervisory Provisions make it obligatory for banks to choose between the three administration and control systems provided for under the Italian Civil Code on the basis of an in-depth self- assessment that takes account of specific, identified elements.

The shareholders' meetings of Banco Popolare and Banca Popolare di Milano, when approving the Merger on 15 October 2016, approved the adoption of the "traditional" system of administration and control as the best solution to ensure the sound and prudent management of the bank considering that (i) the adoption of said governance structure was the one that had been adopted by both Banks for the longest periods of time (with the sole exception of the short periods in which they applied a dualistic system, to meet specific requirements however) and therefore more suitable than the others to ensure, in such a delicate situation as the Merger, the conditions for more efficient interaction between the two Groups, and therefore for the sound and prudent management of the Bank, and (ii) it was considered to be the most suitable system to ensure the efficiency of the decision- making processes (short and linear) and the information flows, and a higher presence of foreign investors in the Banco BPM shareholding structure.

With reference to the membership category (pursuant to Section I, paragraph 4.1, of the Bank of Italy Circular no. 285 of 17 December 2013, hereinafter the "Supervisory Provisions" or the "Supervisory Provisions for banks"), Banco BPM is classified among banks of greater size or operational complexity, since:

(a) the bank is considered significant in accordance with article 6, paragraph 4, of the Regulation (EU) no. 1024/2013, which assigns the ECB with specific duties with regard to the prudential supervision of credit institutions;
(b) it is a listed bank.

* * *

The changes made to the corporate scope and the organisational structures of the Banco BPM Group, since the last approval of the Corporate Governance Plan on 15 December 2020, led to the need to update the document, which was approved by the Board of Directors at its meeting of 17 January 2023.

It should also be noted that in the course of 2023 additional transactions of relevance in relation to the corporate scope and organisational structures of the Banco BPM Group took place.

Specifically:

− it should be noted that on 22 July 2022, Banco BPM completed the purchase from Covéa Coopérations S.A. of 81% of the share capital of Banco BPM Vita S.p.A. (an insurance company, already held with a 19% stake, operating in the life insurance sector and in turn holding 100% of the capital of Banco BPM Assicurazioni S.p.A., operating in the non-life insurance sector), thus obtaining 100% of its capital;
− on 22 December 2022, Banco BPM and Crédit Agricole Assurances S.A. signed a binding term- sheet for

the establishment of a long-term strategic partnership in bancassurance, limited to the Non-Life and Protection sector: the agreements envisaged, inter alia, that Crédit Agricole Assurances S.A. acquired from Banco BPM a 65% stake in the capital of Banco BPM Assicurazioni S.p.A. and a 65% stake in the capital of Vera Assicurazioni S.p.A., subject to the purchase by Banco BPM of the 65% stake in the share capital of Vera Assicurazioni S.p.A. as well as of Vera Vita S.p.A., held by Società Cattolica di Assicurazione S.p.A./Generali Italia S.p.A;

− the measures aimed at ensuring that the governance of the Companies was adapted to the changed structure of their corporate structure were instrumental in obtaining for the Banco BPM Group the status of "financial conglomerate", the award of which was announced by the European Central Bank on 7 March 2023;
− on 29 May 2023, Banco BPM exercised the aforementioned purchase options relating to 65% of the share capital of Vera Vita S.p.A. and Vera Assicurazioni S.p.A.;
− until 14 December 2023, Banco BPM also held 35%, respectively, of the share capital of Vera Vita S.p.A., an insurance company operating in the life insurance segment (which in turn holds 100% of the share capital of the Irish-registered company Vera Financial Dac, now called BBPM Life Dac) and Vera Assicurazioni S.p.A., an insurance company operating in the non-life business (in turn holding 100% of the share capital of Vera Protezione S.p.A.), as part of the partnership in the life and non-life bancassurance between Banco BPM and Società Cattolica di Assicurazione S.p.A launched in 20188.

Given the above, on 14 December 2023, having obtained the required legal authorisations, the Group finalised the transactions necessary for the start of the partnership in the bancassurance of the Non-Life and Protection sector with Crédit Agricole Assurances S.A., subject to the execution (which took place on the same date) of the aforementioned purchase options with respect to Generali Italia S.p.A.

Therefore, taking into account additional intercompany transfer transactions completed on 15 December 2023, Banco BPM, through Banco BPM Vita S.p.A., holds:

i) 100% of the share capital of Vera Vita S.p.A., which in turn holds 100% of the share capital of BBPM Life Dac;
ii) as part of the partnership with Crédit Agricole Assurances S.A., 35% of Vera Assicurazioni S.p.A. and Banco BPM Assicurazioni S.p.A., respectively.

Again with reference to the corporate transactions carried out in 2023, it should be noted that on 18 December 2023, the deed of partial demerger of Banca Akros S.p.A. in favour of Banco BPM was signed, concerning the assignment to the beneficiary of the "Proprietary Finance" business unit. The transaction, aimed among other things at simplifying the business model within the Group and strengthening some strategic areas, will allow the specialisation: (i) of the Parent Company in the management of owned portfolios and in the issuance of financial instruments and (ii) Banca Akros in its Investment Banking, Brokerage and Sales activities. The legal, accounting and tax effects of the demerger took effect on 1 January 2024.

Furthermore, on 27 June 2023, Banco BPM established a new company, called "Banco BPM Invest SGR S.p.A.", an asset management company operating in the segment of closed- end reserved alternative investment funds. The company, 100% owned by Banco BPM, was authorized by the Bank of Italy on 13 March 2024 pursuant to Article 34 of Legislative Decree of 24 February 1998, no. 58. On 25 June 2024, Banco BPM and Banco BPM Invest SGR executed the deed of transfer of the business unit represented by the "Alternative Investments and Funds" structure of Banco BPM and dedicated to the investment activity of quotas of closed-end funds of the Bank. The transfer took effect from 1 July 2024.

Finally, it should be noted that during 2024 the operations to valorize the payment systems sector were finalized.

In this regard, it should be noted that on 14 July 2023 Banco BPM, Numia S.p.A., Numia Group S.p.A., FSI

⁸ In this regard, it should be noted that on 1 July 2023 the partial proportional intragroup spin-off of Società Cattolica di Assicurazione S.p.A. in favour of Generali Italia S.p.A. took effect, as a result of which the equity investments held by the former in Vera Vita S.p.A. and in Vera Assicurazioni S.p.A., equal to 65% of their share capital, were transferred to Generali Italia S.p.A., which therefore took over the aforementioned partnership agreements between Banco BPM and Società Cattolica di Assicurazione S.p.A.

Holding S.p.A. FSI SGR S.p.A. and Iccrea Banca S.p.A. executed a memorandum of understanding concerning the establishment of a strategic partnership in the electronic money sector to be implemented, inter alia, through the following transactions: (i) the transfer by Banco BPM to Numia of the business unit relating to the production of electronic money owned by the same (including, inter alia, the so-called issuing activities and the so-called acquiring activities) and of the stake held by Banco BPM representing 100% of the share capital of ecmarket Servizi S.p.A.; (ii) the sale, by Banco BPM to Numia Group, of all Numia shares deriving from the aforementioned contribution; (iii) Banco BPM's entry into Numia Group's corporate capital through the acquisition of a 28.57% stake in Numia Group's share capital and voting rights; (iv) the execution of several commercial agreements between Numia and Banco BPM.

The closing of the transaction, which subject to, inter alia, the issue of the required authorizations/clearances by the competent supervisory authorities, took place on 30 September 2024.

With the completion of the transaction, the corporate capital of Numia Group is held by FSIH (42.86%), Iccrea (28.57%) and Banco BPM (28.57%). Numia Group continues to hold 100% of the share capital of Numia, while the latter holds 100% of the corporate capital of Tecmarket.

2 INFORMATION ON THE OWNERSHIP STRUCTURE (pursuant to article 123-bis, paragraph 1, of the Consolidated Law on Finance)

Capital structure, including securities not traded on a regulated market in an EU Member State, with an indication of the different classes of shares and, for each class of shares, the related rights and obligations and the percentage of total share capital represented (article 123-bis, paragraph 1, letter a) of the Consolidated Law on Finance).

As at the date of this report, the share capital of Banco BPM, subscribed and paid in, amounted to Euro 7,100,000,000.00, represented by 1,515,182,126 ordinary shares, without nominal value.

The shares are listed on the Electronic Stock Exchange, organised and managed by Borsa Italiana S.p.A.

As at the date of this report, there are no shares that have a different category to the one mentioned.

Restrictions on the transfer of securities such as limitations to the possession of securities or the need to obtain consent from the company or other securities holders (article 123-bis, paragraph 1, letter b), of the Consolidated Law on Finance)

As at the date of this report, there were no restrictions on the free transferability of the Company shares in accordance with the law or the By-Laws.

Significant direct and indirect shareholdings, for example through pyramid schemes or cross-holdings, as stated in the reports made pursuant to article 120 of the Consolidated Law on Finance (article 123- bis, paragraph 1, letter c), of the Consolidated Law on Finance)

In accordance with article 120 of the Consolidated Law on Finance, anyone who has more than 3% of the share capital in a listed share-based company will have to notify the investee company and CONSOB.

As at the date of this report, in accordance with the information published on the Internet site of CONSOB, parties who hold shareholdings of more than 3% of the share capital of Banco BPM are reported in the table below:

SIGNIFICANT STAKES IN CAPITAL
Declarant	Direct shareholder	% share of ordinary capital	% share of voting capital
CREDIT AGRICOLE SA	DELFINANCES SAS	15.10%(1)	9.90%
BLACKROCK INC	BLACKROCK INVESTMENT MANAGEMENT, LLC BLACKROCK INVESTMENT MANAGEMENT (AUSTRALIA) LIMITED BLACKROCK FINANCIAL MANAGEMENT, INC. BLACKROCK INSTITUTIONAL TRUST COMPANY, NATIONAL ASSOCIATION BLACKROCK ADVISORS (UK) LIMITED APERIO GROUP LLC BLACKROCK (SINGAPORE) LIMITED BLACKROCK INTERNATIONAL LIMITED BLACKROCK FUND ADVISORS BLACKROCK JAPAN CO LTD BLACKROCK ADVISORS LLC BLACKROCK ASSET MANAGEMENT DEUTSCHLAND AG BLACKROCK ASSET MANAGEMENT CANADA LIMITED BLACKROCK INVESTMENT MANAGEMENT (UK) LIMITED BLACKROCK ASSET MANAGEMENT NORTH ASIA LIMITED	5.04%	5.04%

DEUTSCHE BANK AG	DEUTSCHE BANK AG	5.18%	5.18%
JP MORGAN CHASE & CO	JP MORGAN SECURITIES PLC	3.06%	3.06%

(1) The amount includes 5.20% falling under the type of stake "Other long positions with cash regulation", represented by two derivative agreements classified as " total return swaps" with cash regulation but with the right of Delfinances SAS to request, after obtaining the necessary authorizations, that the regulation takes place with physical delivery of the shares underlying the derivative agreements - Source: Consob.it website – Listed companies – Section Significant stakes pursuant to Article 120 of Legislative Decree 58/98.

In addition to the stakes mentioned above, the following should be taken into account:

1 The stake held by Davide Leone, through the subsidiary companies DL Partners Opportunities Master Fund Ltd and DL Partners A Fund LP. This stake is represented by voting rights referable to shares (2.147% of the share capital) and by potential stakes and other long positions with physical and cash regulation (3.177% of the share capital).
2 The stake held by Bank of America Corporation, through its subsidiary companies Merrill Lynch International, Bank of America National Association and BOFA Securities Europe SA. This stake is represented by voting rights relating to shares (1.168% of the share capital) and by potential stakes and other long positions with physical and cash regulation (5.684% of the share capital).

The mechanism for the exercise of voting rights in any employee share scheme where voting rights are not exercised directly by the employees (article 123-bis, paragraph 1, letter e), of the Consolidated Law on Finance)

If a Banco BPM employee is also a shareholder of the Company, he or she will have the same voting rights as other shareholders, including the right to be represented by written proxy issued to another party.

Restrictions on voting rights, such as limitations of the voting rights of holders of a given percentage or number of votes, deadlines for the exercise of voting rights, or systems whereby, with the company's cooperation, the financial rights attached to the securities are separate from the holding of securities (article 123-bis, paragraph 1, letter f), of the Consolidated Law on Finance)

There are currently no restrictions on the voting rights.

Significant agreements to which the company (or its subsidiaries) is party and which take effect, alter or terminate upon a change of control of the company, and the effects thereof, except where their nature is such that their disclosure would be seriously prejudicial to the company; this exception does not apply when the company is specifically obliged to disclose such information on the basis of other legal requirements (article 123-bis, paragraph 1, letter h), of the Consolidated Law on Finance)

The agreements referring to Banco BPM S.p.A are set forth below.

Shareholding held in Agos-Ducato S.p.A.

On 28 June 2019, in performance of the agreements signed at the end of 2018 between Banco BPM, Crédit Agricole S.A., Crédit Agricole Personal Finance & Mobility9 and Agos-Ducato, the reorganisation of the Group consumer credit division was completed. The reorganisation, which confirms the partnership between Banco BPM Group and Crédit Agricole for the next 15 years:

(i) provided for, inter alia, formalisation of the following: (a) a new Shareholders' Agreement, (b) a new Distribution Agreement, (c) a new Funding Agreement;
(ii) led to the sale of ProFamily to Agos-Ducato, subject to the completion of a demerger of the noncaptive assets of Profamily in favour of a newly established company, which kept the name ProFamily, 100% controlled by Banco BPM. The new ProFamily was merged in Banco BPM on 19 July 2021.

On 18 December 2020, an Amendment Agreement between the parties was signed, with a view to further consolidating the existing partnership related to the consumer finance activities in Italy of Agos Ducato, through which some changes were made to the agreements signed in 2018. Those amendments provided, inter alia, the extension of an additional 24 months, and therefore, up to 31 July 2023, the term for

⁹ Already Crèdit Agricole Consumer Finance SA.

the exercise of the put option referring to a 10% investment in the capital of Agos Ducato held by Banco BPM, at the previously agreed strike price of Euro 150 million.

As part of the Banco BPM's bancassurance evolution project, which included the launch of a 20-year commercial partnership with Crédit Agricole Assurances S.A. in the Non-Life and Protection sector, on 12 May 2023, the term for the exercise of the put option was extended for a further two years, i.e. until 31 July 2025 (this further extension was conditional on the closing of the transaction for the acquisition by Crédit Agricole Assurances of the equity investments in Banco BPM Assicurazioni and in Vera Assicurazioni, finalised on 14 December 2023).

Lastly, upon expiry of the Agreement, and specifically on 28 June 2024, the Shareholders' Agreement between Banco BPM, on the one hand, and Crédit Agricole SA and Crédit Agricole Personal Finance & Mobility10, on the other, relating to the company Agos Ducato, was formally renewed until 28 June 2029. In this context, Banco BPM's right to exercise the unconditional put option on 10% of Agos Ducato's capital has been extended for another three years, specifically from 1 July 2028 to 31 July 2028, at an already agreed exercise price of Euro 150 million.

The new Shareholders' Agreement also provides for the extension of the previously existing change of control clause, through the recognition, in favor of Crédit Agricole Personal Finance & Mobility11, of a call option on the entire 39% stake in Agos Ducato held by Banco BPM, in the event of the acquisition of a controlling stake in Banco BPM, through any extraordinary transaction, by certain specifically identified banks that carry out consumer credit activities, potentially competing with Agos Ducato. In the event that Crédit Agricole Personal Finance & Mobility12 exercises the call option, both the Distribution Agreement will automatically cease to be valid, and therefore Banco BPM will be free from its exclusive undertaking with Agos for consumer credit products, and the Funding Agreement will also cease to be valid. The exercise price will be determined based on the fair market value of Agos at the time the option is exercised, determined excluding the distribution agreement with Banco BPM, which will no longer be in force.

Furthermore, the new Shareholders 'Agreement has simplified the potential listing process of Agos Ducato, by agreeing on a single procedure to be implemented upon Banco BPM's request starting from 1 July 2025, until the expiry of the Shareholders' Agreement.

Within the context of those agreements, it was also provided that if an extraordinary transaction was finalised (with that referring to: acquisition of control of Banco BPM by a third party operator or more than one third party operator acting in association with each other; merger of Banco BPM with third party operators; acquisition by Banco BPM of another bank or other distribution channels; acquisition by Banco BPM of a third party operator active in the consumer credit sector), or in the event that the extraordinary transaction qualifies as a "BBPM Change of Control" pursuant to the Shareholders' Agreement and Crédit Agricole Personal Finance & Mobility13 has sent Banco BPM a written communication declaring its intention not to exercise the purchase option, or Crédit Agricole Personal Finance & Mobility14 has not exercised the purchase option within the terms established by the Agreement, the parties will, inter alia, discuss in good faith, according to the case: i) the possible acquisition by Agos-Ducato at market value of the entity that operates in the consumer credit sector due to the extraordinary transaction; ii) the extension of the new Distribution Agreement to the distribution network of the third party operator active in the consumer credit sector; iii) the inclusion of the other distribution channel acquired into the distribution network of the Banco BPM Group.

Equity investments held in Banco BPM Assicurazioni S.p.A., in Vera Assicurazioni S.p.A. and, indirectly, in Vera Protezione S.p.A.

Please note the following:

− on 22 July 2022, Banco BPM finalised the purchase from Covéa Coopérations S.A. of 81% of the share capital of Banco BPM Vita S.p.A., an insurance company operating in the life insurance sector already

¹⁰ Please refer to footnote no. 9.

¹¹ Please refer to footnote no. 9.

¹² Please refer to footnote no. 9.

¹³ Please refer to footnote no. 9.

¹⁴ Please refer to footnote no. 9.

held by Banco BPM with a 19% stake, thus acquiring 100% of it, which in turn held 100% of the share capital of Banco BPM Assicurazioni S.p.A., operating in the non-life insurance sector;

− on 22 December 2022, Banco BPM and Crédit Agricole Assurances S.A. signed a binding term-sheet for the establishment of a long-term strategic partnership in bancassurance, limited to the Non-Life and Protection sector: the agreements envisaged, inter alia, that Crédit Agricole Assurances S.A. acquired from Banco BPM a 65% stake in the share capital of Banco BPM Assicurazioni S.p.A. and a 65% stake in the share capital of Vera Assicurazioni S.p.A., subject to the purchase by Banco BPM of a 65% stake in the share capital of Vera Assicurazioni S.p.A. as well as of Vera Vita S.p.A., held by Società Cattolica di Assicurazione S.p.A./Generali Italia S.p.A.;
− on 29 May 2023, Banco BPM exercised the aforementioned purchase options relating to 65% of the share capital of Vera Vita S.p.A. and Vera Assicurazioni S.p.A.;
− furthermore, until 14 December 2023, Banco BPM held 35%, respectively, of the share capital of Vera Vita S.p.A., an insurance company operating in the life business (in turn holding 100% of the Irish company Vera Financial Dac, now known as BBPM Life Dac) and Vera Assicurazioni S.p.A., an insurance company operating in the non-life business (in turn holding 100% of the share capital of Vera Protezione S.p.A.), as part of the partnership in the life and non-life bancassurance between Banco BPM and Società Cattolica di Assicurazione S.p.A. launched in 201815;
− the provisions of this partnership envisaged, inter alia, an option right for Banco BPM for the purchase of the equity investments representing 65% of the share capital of Vera Vita S.p.A. and 65% of the share capital of Vera Assicurazioni S.p.A., held by Società Cattolica di Assicurazione S.p.A./Generali Italia S.p.A.;
− on 14 December 2023, having obtained the required legal authorisations, the transactions necessary for the launch of the partnership in the bancassurance of the Non-Life and Protection sector with Crédit Agricole Assurances S.A. were finalised, subject to the execution (on the same date) of the above mentioned purchase options with respect to Generali Italia S.p.A.

Therefore, taking into account further intra-group transfer transactions finalised on 15 December 2023, Banco BPM, through Banco BPM Vita S.p.A., holds 35% of Vera Assicurazioni S.p.A. (exclusive parent company of Vera Protezione S.p.A.) and Banco BPM Assicurazioni S.p.A., respectively, as part of the partnership with Crédit Agricole Assurances S.A.

That said, the shareholders' agreements relating to the aforementioned equity investments held in Banco BPM Assicurazioni S.p.A., in Vera Assicurazioni S.p.A. and indirectly in Vera Protezione S.p.A., contemplated by the partnership with Crédit Agricole Assurances S.A., provide for a right of sale for Crédit Agricole Assurance S.A. referring to all the equity investments held by the same in the share capital of Banco BPM Assicurazioni S.p.A. and Vera Assicurazioni S.p.A., which can be exercised, inter alia, in the event of a change of control referring to Banco BPM; these are the cases in which: (i) a bank, or (ii) an insurance company or other financial institution that exercises or controls, directly or indirectly, an entity, a company or a company operating, in all or in part, in the services or banking sector, (iii) any combination of investors acting in tandem, acquires control of, or combines with, Banco BPM through any extraordinary transaction, without prejudice to the fact that the transactions in which Banco BPM is the acquiring entity, and which involve the issue of new Banco BPM shares corresponding to less than 20% of the total capital of Banco BPM, will not constitute a case of change of control of Banco BPM.

Stakes held in Numia Group S.p.A.

On 30 September 2024, Numia, Banco BPM, BCC Iccrea Group and FSI finalized the transaction relating to the strategic partnership announced to the market on 14 July 2023, which led to the creation of the second player in the electronic money sector in Italy. The transaction was completed following regulatory and legal approvals, with Numia Group S.p.A. (the company that holds the entire capital of Numia S.p.A.) becoming 42.86% owned by FSI and 28.57% each by Banco BPM and BCC Banca Iccrea.

¹⁵ In this regard, it should be noted that on 1 July 2023 the partial proportional intragroup spin-off of Società Cattolica di Assicurazione S.p.A. in favour of Generali Italia S.p.A. took effect, as a result of which the equity investments held by the former in Vera Vita S.p.A. and in Vera Assicurazioni S.p.A., equal to 65% of their share capital, were transferred to Generali Italia S.p.A., which therefore took over the aforementioned partnership agreements between Banco BPM and Società Cattolica di Assicurazione S.p.A.

The Framework Agreement executed in December 2023 provides, with reference to the circulation regime of the stake held by Banco BPM in Numia Group, that any corporate transactions (such as mergers or acquisitions) carried out on the capital of Banco BPM involving certain specifically identified banks, will not be subject to the limitations set forth in the Numia Group bylaws in relation to the prohibition for Banco BPM to sell its stake, in whole or in part, to these banks.

Furthermore, the Commercial Agreement signed on 30 September 2024, provides that, in the event that one or more entities should acquire control of Banco BPM as a result of an extraordinary transaction carried out by other banks, credit institutions or any other entity ("Controlling Entity"), Banco BPM shall ensure that, following the completion of the aforementioned transaction, (i) any distribution networks of the Controlling Entity are kept separate, for contractual purposes, from the distribution networks of Banco BPM and therefore operate with the exclusion of any prohibition or limitation of integration, including those of an administrative and functional nature and (ii) the Controlling Entity and any distribution networks of the Controlling Entity (a) do not solicit, in any way, customers of Banco BPM distribution networks to terminate their contractual relationship with Numia S.p.A. and (b) do not solicit any of the customers and/or do not supply any electronic money products or services to customers who are exclusive customers of the Banco BPM distribution networks at the date of completion of the related extraordinary transaction.

Agreements between companies and directors, members of the control body or supervisory board, which provide for compensation in the event of resignation or dismissal without just cause, or if their employment contract should terminate as a result of a takeover bid (article 123-bis, paragraph 1, letter i) of the Consolidated Law on Finance).

At the date of this report, the members of the Board of Directors are not employees of Banco BPM or a Group company, apart from the Chief Executive Officer, for whom, in the event of early termination of the employment contract or early resignation from the position, the criteria and maximum limits to calculate the amounts, as well as the process for any recognition in accordance with the provisions of the remuneration policy of the Group staff shall apply (see paragraph "Amounts for the early termination of the employment contract" contained in the Report on the Remuneration Policy published on the website www.bancobpm.it – Corporate Governance section – Remuneration policies section).

Rules applying to the appointment and replacement of directors and members of the governing body or supervisory board, and amendments to the By-Laws if different from those applied as a supplementary measure (article 123-bis, paragraph 1, letter l), of the Consolidated Law on Finance)

The information relating to the appointment and replacement of the members of the Board of Directors is set out in paragraph 6.1 of this report.

With regard to the rules applicable to amendments to the By-Laws, the Board of Directors, in accordance with article 24.2.2., letter x) of the By-Laws, approves the proposals to amend the By-Laws of the Company to be submitted to the extraordinary Shareholders' Meeting for approval (article 11.4. of the By-Laws) and to decide on the alignment of the By-Laws with regulatory provisions (article 24.2.2., letter aa) of the By-Laws).

Existence of delegated powers regarding share capital increases pursuant to article 2443 of the Italian Civil Code or powers of the directors or members of the governing body to issue participating financial instruments or to authorise the purchase of own shares (article 123-bis, paragraph 1, letter m), of the Consolidated Law on Finance)

At the date of this report, the Board of Directors of Banco BPM was not delegated any powers to issue participating financial instruments. To that end, the Ordinary Shareholders' Meeting of Banco BPM S.p.A., held in Verona on 18 April 2024, approved the request to authorise the purchase and sale of own shares to serve the share-based remuneration plans of Banco BPM S.p.A.

The number of own shares in the portfolio as at 31 December 2024 was 13,799,807 shares (equal to 0.91% of the corporate capital); at the date of this report, this number of shares is equal to 11.267.616 shares, equal to 0.74% of the share capital.

***

At the date of this report, as far as Banco BPM is aware, there are no entities in possession of securities giving special rights of control of Banco BPM (article 123-bis, paragraph 1, letter d) of the Consolidated Law on Finance), while there are agreements between shareholders pursuant to article 122 of the Consolidated Law on Finance (article 123-bis, paragraph 1, letter g) of the Consolidated Law on Finance).

In particular, a significant shareholders' agreement is in place pursuant to article 122, paragraph 5, letter a) of the Consolidated Law on Finance, as specified below.

This Agreement was originally signed on 21 December 2020 by some shareholders of Banco BPM S.p.A. (Fondazione Cassa di Risparmio di Torino, Fondazione Cassa di Risparmio di Lucca, Fondazione Cassa di Risparmio di Trento e Rovereto, Fondazione Cassa di Risparmio di Alessandria and Fondazione ENPAM), owners of a total of no. 83,237,332 ordinary shares of Banco BPM, equal to 5.498% of the share capital of the Bank (hereinafter the "Parties").

Subsequently, the following transactions were recorded, according to the chronological index described:

− On 20 July 2021, additional shareholders joined, namely Fondazione Cassa di Risparmio di Carpi, Fondazione Cassa di Risparmio di Reggio Emilia Pietro Manodori and Inarcassa, which together hold 10,216,375 Banco BPM ordinary shares, equal to 0.672% of the Bank's share capital. At the date indicated, there were eight (8) signing Parties, totalling 93,453,707 ordinary shares of Banco BPM, equal to 6.17% of the share capital;
− On 18 October 2022, Cassa Nazionale di Previdenza e Assistenza Forense, a shareholder owning 25,200,000 ordinary shares of Banco BPM, equal to 1.66% of the Bank's share capital, also joined the Agreement; on the same date, Fondazione CRT also reported its ownership of 27,273,813 ordinary shares of Banco BPM, equal to 1.8% of the Bank's share capital, up by 300,000 ordinary shares. There were therefore nine (9) shareholders adhering to the Agreement holding a total of 118,953,707 ordinary shares of Banco BPM, equal to 7.8483% of the Bank's share capital.
− As at 31 December 2022, for the sole purpose of taking into account the changes in the number of Banco BPM shares held by Inarcassa, it was communicated that the Parties held 125,507,707 ordinary shares of Banco BPM, equal to 8.28% of the Bank's share capital;
− On 23 March 2023, it was announced that the ENPAM Foundation held 30,288,919 ordinary shares of Banco BPM, equal to 1.999% of the Bank's share capital, due to an increase in the first few months of 2023 of 811,000 ordinary shares (+0.04%). Therefore, as at 27 March 2023, the (9) Parties held a total of 126,318,707 ordinary shares of Banco BPM, equal to 8.33% of the Bank's share capital;
− On 19 December 2023, all the Parties signed a new version of the Consultation Agreement in question, which recorded the exit from the same agreement of the Fondazione Cassa di Risparmio di Trento e Rovereto following the sale of the latter's equity investment in Banco BPM, equal to 419,461 shares (0.028% of the share capital of Banco BPM).
− On 16 February 2024, all the Parties signed a new version of the Consultation Agreement in question, which recorded the exit from the same agreement of the Fondazione Cassa di Risparmio di Torino ("Fondazione CRT") following the sale of the equity investment by the latter held in Banco BPM, equal to 27,273,813 shares (1.8% of the share capital of Banco BPM);
− On 31 December 2024, Inarcassa Cassa Nazionale di Previdenza ed Assistenza per gli Ingegneri ed Architetti Liberi Professionisti holds 15,631,374 Banco BPM ordinary shares, equal to 1.03% of the Bank's share capital, due to an increase, accrued in 2024 of 835,000 shares during the course of 2024.374 Banco BPM ordinary shares, equal to 1.03% of the Bank's share capital, due to an increase of 835,000 ordinary shares (+0.053%) during 2024;
− Fondazione Cassa di Risparmio di Carpi holds 1,019,698 ordinary shares of Banco BPM, equal to 0.067% of the share capital of the Bank, due to a decrease occurred during 2024 of no. 509,849 ordinary shares (-0.034%).

At the date of this Report 7 shareholders are parties to the Agreement, holding a total of 98,950,584 ordinary shares of Banco BPM, equal to 6.51% of the share capital of Banco BPM.

It should be noted that the aforementioned Consultation Agreement aims at recognising and promoting the common interest in the growth and consolidation of the Bank as well as ensuring unity of direction while respecting the autonomy and independence of each participant. The Parties decided how they would meet and share their thoughts and considerations on the Bank's performance also defining a common action regarding the programmatic and business guidelines of the Bank, with reference, by way of example, to (i) the general Group performance; (ii) any application for the offices of members of the Board of Directors and the Board of Statutory Auditors of the Bank; as well as (iii) strategic and/or extraordinary transactions

presented to the Bank's Shareholders' Meeting.

The essential information relating to the aforementioned consultation agreements, pursuant to article 130 of the Issuers' Regulation, are available on the Banco BPM website www.gruppo.bancobpm.it — under Investor Relations > Banco BPM Stock, Shareholder Base and Dividends section.

***

The By-Laws of Banco BPM do not contain provisions making exceptions to the passivity rule as provided under article 104, paragraphs 1 and 1-bis, of the Consolidated Law on Finance, or neutralisation rules as described by article 104-bis, paragraphs 2 and 3, of the Consolidated Law on Finance.

Additionally, the information pursuant to article 123-bis, paragraph 2 of the Consolidated Law on Finance, is set out in the following sections of this report:

− article 123-bis, paragraph 2, letter a): chapter 3
− article 123-bis, paragraph 2, letter b): paragraph 8.2
− article 123-bis, paragraph 2, letter c): chapter 5
− article 123-bis, paragraph 2, letter d) and new d-bis): chapters 6 and 7 relating to the Board of Directors and the Board of Statutory Auditors respectively.

3 COMPLIANCE (pursuant to article 123-bis, paragraph 2, letter a), first part of the Consolidated Law on Finance)

Adherence to the Borsa Italiana Code of Best Practice and the new Code of Corporate Governance (article 123-bis, paragraph 2, letter a) of the Consolidated Law on Finance)

Since its incorporation, the Board of Directors of Banco BPM, by means of resolution of 10 January 2017, has applied the Code of Best Practice of listed companies issued by Borsa Italiana.

By means of resolution of 15 December 2020, the Board of Directors then subscribed, without reservations, to the Code of Corporate Governance issued by the Corporate Governance Committee in January 2020 and in force from the first year starting after 31 December 2020.

It should also be noted that in 2023 the Board of Directors fully aligned with the recommendation of the previous Borsa Italiana Code of Corporate Governance with regard to the Comment in article 4, according to which "in companies that belong to the FTSE-Mib index, the board of directors will evaluate the option to establish a committee in charge of supervising the sustainability issues related to the exercise of the business activities and its interactions with all the stakeholders; alternatively, the board will assess the idea of grouping together or distributing said functions among the other committees."

In fact, a specific Sustainability Committee was set up by board resolution of 26 April 2023, also pursuant to Recommendation 1, letter a) of the Code of Corporate Governance in order to further develop what had been ensured up to then by the Internal Control, Risk and Sustainability Committee (concurrently renamed the "Internal Control and Risk Committee"). The Sustainability Committee offers support in the assessment and in-depth analysis of ESG issues related to the Bank's operations and in the approval of strategic guidelines and policies on sustainability, including the social and cultural responsibility model and the fight against climate change, helping to ensure the best control of risks and taking into account the objectives of solid and sustainable creation and distribution of value for all stakeholders.

The Code of Corporate Governance can be found on the Borsa Italiana website (www.borsaitaliana.it) and is available to the public on the Banco BPM website (www.grupppo.bancobpm.it – Corporate Governance > Report on Corporate Governance section).

It should also be noted that the corporate governance structure of Banco BPM is not influenced by non-Italian legal provisions.

It should be noted, however, that Banco BPM – as Bank – must arrange its organisational structure in compliance with the reference regulatory framework and, in particular, the provisions in the EU industry regulations, the Consolidated Banking Law as well as the provisions issued by the Bank of Italy in exercising its supervisory function; in this regard, it should also be pointed out that Banco BPM — as "significant supervised entity" , as well, most recently, in relation to the acknowledgment of the Group as "financial conglomerate" — is subject to direct supervision by the European Central Bank, which is responsible for specific tasks of prudential supervision of banks as part of the single supervisory mechanism, including the appropriate controls of the presence of solid corporate governance principles.

Adherence to other codes of conduct (article 123-bis, paragraph 2, letter a), of the Consolidated Law on Finance)

As at the date of this report, Banco BPM had not adhered to any other codes of conduct, but did not put any conditions on any decision by the Parent Company to adhere to said codes in the future.

4 MANAGEMENT AND COORDINATION: the role of the Parent Company and the Banco BPM Group

BANKING GROUP

Banco BPM is the Parent Company of the Banco BPM banking Group to which, inter alia, other banks, finance companies and ancillary services undertakings also belong.

In this role, Banco BPM exercises management and coordination of the Group in accordance with article 61 of the Consolidated Banking Law and the specific laws of the Supervisory Authorities. To that end the Company, in the exercise of its management, guidance and coordination:

⁻ issues, with respect to the members of the Group, the provisions needed to implement the Group strategies in accordance with the criteria of uniformity and consistency and adequacy with respect to the specific businesses;
⁻ guarantees the stability of the Group, checking to ensure the goals assigned are pursued and monitoring the adequacy of the internal control system within the scope of the Group and the subsidiaries;
⁻ carries out the Group coordination, including through the centralisation of the powers of oversight and control;
⁻ identifies and asks the subsidiaries for the decisions that they have to make and for which the Parent Company must receive prior notification, and any other information that the Parent Company believes it should acquire in relation to the exercise of its coordination duties;

The main Italian companies that form part of the Banco BPM banking Group are indicated below:

⁻ the Parent Company: Banco BPM S.p.A.;
⁻ Banca Aletti S.p.A.: bank operating in the area of private banking;
⁻ Banca Akros S.p.A.: a bank operating in the area of corporate & investment banking;
⁻ Oaklins Italy S.r.l., subsidiary of Banca Akros operating in the field of "Mergers & Acquisition" advisory services;
⁻ Aletti Fiduciaria S.p.A., a subsidiary of Banca Aletti S.p.A., which carries out the typical activities of a trust company as well as the administration of assets as trustee;
⁻ Banco BPM Invest SGR S.p.A.: asset management company operating in the segment of closed- end reserved alternative investment funds (a company authorized by the Bank of Italy on 13 March 2024 to exercise the collective asset management and portfolio management activities pursuant to art. 34 of Legislative Decree no. 58 of February 24 1998) which currently manages the Private Markets Portfolio entrusted to it by Banco BPM;
⁻ the ancillary services undertaking Ge.Se.So. S.r.l., a business providing company cafeteria services.

The Group also has a presence abroad with:

⁻ 2 foreign companies: Banca Aletti & C. (Suisse) S.A. and Bipielle Bank (Suisse) in liquidation. FINMA (the Swiss Supervisory Authority), having found that Bipielle Bank (Suisse) in liquidazione no longer carries out banking or transferable securities trading activities, gave notice that the company was no longer subject to the federal banking law or the federal law on the stock exchange and transferable securities trading on 20 December 2018;
⁻ liaison offices in the Republic of India (Mumbai) and Hong Kong (Special Administrative Region of the People's Republic of China).

FINANCIAL CONGLOMERATE

It should be noted that on 22 July 2022 Banco BPM finalised the purchase from Covéa Coopérations S.A. of 81% of the share capital of Banco BPM Vita S.p.A. (an insurance company, already held with a 19% stake, operating in the life insurance sector and in turn holding 100% of the capital of Banco BPM Assicurazioni S.p.A., operating in the non-life sector), thus obtaining 100% of its share capital. As a result of the attainment of control over Banco BPM Vita S.p.A. and Banco BPM Assicurazioni S.p.A., measures were launched to ensure the adjustment of the governance of the Companies to the changed corporate structure of the same, extending to them, where applicable, the organisational principles of the Banco BPM Group: these measures were functional to obtaining, for the Banco BPM Group, the status of a "financial conglomerate", the award of which was communicated by the European Central Bank on 7 March 2023.

Until 14 December 2023, Banco BPM also held 35% of the capital, respectively, of Vera Vita S.p.A., an insurance company operating in the life business (in turn wholly-owned by the Irish company Vera Financial Dac, now known as BBPM Life Dac) and Vera Assicurazioni S.p.A., an insurance company operating in the non-life business (in turn holding 100% of the share capital of Vera Protezione S.p.A.), as part of the partnership in life and non-life bancassurance between Banco BPM and Società Cattolica di Assicurazione S.p.A. launched in 201816. The provisions of this partnership envisaged, inter alia, an option right for Banco BPM for the purchase of the equity investments representing 65% of the share capital of Vera Vita S.p.A. and 65% of the share capital of Vera Assicurazioni S.p.A., held by Società Cattolica di Assicurazioni S.p.A./Generali Italia S.p.A.; on 29 May 2023, Banco BPM exercised the aforementioned purchase options relating to 65% of the share capital of Vera Vita S.p.A. and Vera Assicurazioni S.p.A.

It should also be noted that on 22 December 2022, Banco BPM and Crédit Agricole Assurances S.A. signed a binding term-sheet for the establishment of a long-term strategic partnership in bancassurance, limited to the Non-Life and Protection sector: the agreements envisaged, inter alia, that Crédit Agricole Assurances S.A. acquired from Banco BPM a 65% stake in the share capital of Banco BPM Assicurazioni S.p.A. and a 65% stake in the share capital of Vera Assicurazioni S.p.A., subject to the purchase by Banco BPM of a 65% stake in the share capital of Vera Assicurazioni S.p.A. as well as of Vera Vita S.p.A., held by Società Cattolica di Assicurazione S.p.A./Generali Italia S.p.A.

On 14 December 2023, having obtained the required legal authorisations, the Group therefore finalised the transactions necessary for the start of the partnership in the bancassurance of the Non- Life and Protection sector with Crédit Agricole Assurances S.A., subject to the execution (on the same date) of the above-mentioned purchase options with respect to Generali Italia S.p.A.

Therefore, taking into account further intra-group transfer transactions finalised on 15 December 2023, Banco BPM, through Banco BPM Vita S.p.A, owns: i) 100% of the share capital of Vera Vita S.p.A. (which, in turn, owns 100% of the share capital of BBPM Life Dac); ii) as part of the partnership with Crédit Agricole Assurances S.A., 35% of Vera Assicurazioni S.p.A. and Banco BPM Assicurazioni S.p.A., respectively.

5 SHAREHOLDERS' MEETING

The information below is also provided in accordance with article 123-bis, paragraph 2, letter c), of the Consolidated Law on Finance.

The main provisions of the By-Laws of Banco BPM containing the rules on the Shareholders' Meetings of the Company are illustrated. For more information, please refer to the Banco BPM website (www.gruppo.bancobpm.it – under Corporate Governance/Corporate Documents section).

The Shareholders' Meetings shall be ordinary or extraordinary in accordance with the law.

The Ordinary Shareholders' Meetings shall:

a) appoint, in accordance with the number established by the By-Laws and the mechanisms described under article 20.5. of the By-Laws, the members of the Board of Directors, revoke said appointment, determine their remuneration and elect the Chairman and the Vice Chairman, according to the provisions of article 20.8. of the By-Laws;
b) appoint the Statutory Auditors and the Chairman of the Board of Statutory Auditors with the mechanisms described under article 35 of the By-Laws and establish their fees;
c) decide on the responsibilities of the members of the Board of Directors and the Board of Statutory

¹⁶ It should be noted that on 1 July 2023 the partial proportional intragroup spin-off of Società Cattolica di Assicurazione S.p.A. in favour of Generali Italia S.p.A. took effect, as a result of which the equity investments held by the former in Vera Vita S.p.A. and in Vera Assicurazioni S.p.A., equal to 65% of the share capital of the same, were transferred to Generali Italia S.p.A., which therefore took over the aforementioned partnership agreements between Banco BPM and Società Cattolica di Assicurazione S.p.A.

Auditors;

d) approve the financial statements;
e) decide on the allocation and distribution of profits;
f) appoint, upon the justified proposal of the Board of Statutory Auditors, and revoke or change said appointment, where necessary, in agreement with the Board of Statutory Auditors, the company engaged to perform the statutory audit, and determine the relative fees;
g) resolves on the approval of (i) remuneration and incentive policies for Directors, Statutory Auditors and employees, including any proposal by the Board of Directors to set a limit on the ratio between the variable and fixed components of individual remuneration of identified staff of higher than 1:1 and within the limit established by the regulations in force from time to time; (ii) remuneration and/or incentive plans based on financial instruments; and (iii) criteria for determining payment to be agreed in the case of early termination of employment or office, including fixed limits such as payment in terms of annuity of fixed remuneration and the maximum amount that derives from implementation thereof;
h) approve and amend the shareholders' meeting rules;
i) resolve upon the other matters assigned to it by the pro tempore applicable laws or the By-Laws.

In accordance with article 13 of the By-Laws, Shareholders' Meetings are called by the Board of Directors whenever it is deemed appropriate or, according to the provisions of article 2367 of the Italian Civil Code, using the mechanisms provided for by prevailing laws, upon written request containing an indication of the topics to discuss by a number of shareholders that represent at least one twentieth of share capital or any other percentage established by prevailing laws. In any case, an ordinary Shareholders' Meeting must be called at least once a year, no later than 120 (one hundred and twenty) days from the end of the financial year. This period may be extended to 180 (one hundred and eighty) days from the end of the financial year in the cases provided for by law.

Subject to the power to call meetings set out by other provisions of the law, the Shareholders' Meeting may be called, subject to notification to the Chairman of the Board of Directors, also by the Board of Statutory Auditors or by at least two of its members, in accordance with prevailing laws.

Using the mechanisms, terms and limits established by prevailing laws, shareholders who, also jointly, represent at least one fortieth of the share capital, or any other percentage established by prevailing laws, can, by written request, ask for additions to be made to the list of topics to discuss at the Shareholders' Meeting that appear in the notice calling the meeting, indicating in the request the other topics they propose and preparing a report on the matters that they propose discussing, and proposing decisions on matters already on the agenda. Calling meetings and adding topics to the agenda at the request of the shareholders cannot be done for topics which the Shareholders' Meeting addresses, according to the law, upon proposal by the Board of Directors or based on a project or report prepared by said Board, other than those indicated under article 125-ter, paragraph 1, of the Consolidated Law on Finance. The justification for exercise of the right will be proven by filing a copy of the communication or certification issued by the intermediary in accordance with prevailing laws.

Shareholders' Meetings are called by notice stating the day, time and place of the meetings, the list of topics on the agenda and anything else provided by prevailing laws. The notice calling the meeting must be published within the time frames and using the mechanisms provided for by prevailing laws.

Ordinary and extraordinary shareholders' meetings are generally held, at a single call, in accordance with article 2369, paragraph 1 of the Italian Civil Code. However, the Board of Directors may establish that ordinary or extraordinary Shareholders' Meetings are held after more than one call, setting the date for a second call, and for extraordinary shareholders' meetings only, even a third call. This decision will be set out in the notice calling the meeting. Please refer to article 12 of the By-Laws for more information on the places where Shareholders' Meetings can be held.

In accordance with article 14 of the By-Laws, parties with the right to vote who send the Company the notification by the authorised intermediary confirming their right to attend the Shareholders' Meeting and exercise the right to vote, within the terms set out by prevailing laws, may attend the Shareholders' Meetings.

Parties with the right to vote may be represented at the Shareholders' Meeting in accordance with prevailing laws.

The Board of Directors has the right to appoint, disclosing it in the notice calling the meeting, for each Shareholders' Meeting, one or more parties to whom holders of voting rights can confer, using the mechanisms provided for under prevailing laws, a proxy with instructions to vote on all or some of the items on the agenda. The proxy given to the party appointed by the Board of Directors will only be valid for the proposals for which voting instructions have been given.

Subject to the provisions of article 2372, second paragraph, of the Italian Civil Code, the proxy may only be conferred for individual Shareholders' Meetings, and will also be valid for subsequent calls of the Meeting, and may not be conferred with the name of the representative blank. No voting by correspondence is permitted. Please refer to article 14 of the By-Laws for more information on the right to attend and right to be represented at Shareholders' Meetings.

In accordance with article 15 of the By-Laws, in order for either ordinary or extraordinary Shareholders' Meetings to be valid, on the sole, first or second call, or for extraordinary Shareholders' Meetings third call, prevailing laws shall apply with reference to each individual call, subject to the provisions of article 16.2 of the By-Laws.

In accordance with article 16 of the By-Laws, the decisions are made by the ordinary Shareholders' Meeting, on the sole, first or second call, with the majority provided by prevailing laws in relation to each call, with the exception for the provisions set out under article 16.2 of the By-Laws, and subject to the provisions of the By-Laws regarding the election of members of the Board of Directors and the Board of Statutory Auditors. If there is an equal number of votes, the proposal will be considered to have been rejected.

In accordance with article 16.2 of the By-Laws, the decisions concerning any proposal to set a limit to the ratio between the variable component and the fixed component of the individual remuneration of identified staff of higher than 1:1, pursuant to what is set out by prevailing laws, will be approved by the ordinary Shareholders' Meetings when: (i) the Shareholders' Meeting comprises at least half of the share capital and the decision is made with the vote in favour of at least 2/3 (two thirds) of the share capital represented at the Shareholders' Meeting and with the right to vote; or (ii) the decision will be made with the vote in favour of at least 3/4 (three quarters) of the share capital represented at the Shareholders' Meeting and with the right to vote, regardless of the amount of share capital comprising the Shareholders' Meeting. Extraordinary Shareholders' Meetings, on a sole, first, second or third call, shall decide with the vote in favour of the number of shareholders that represent at least 2/3 (two thirds) of the capital represented at the Shareholders' Meeting and with the right to vote. Please refer to article 16 of the By-Laws for more information.

In accordance with article 8 of the By-Laws, each ordinary share confers the right to cast one vote, subject to cases of suspension or loss of the right to vote as provided under the By-Laws or prevailing laws.

For Banco BPM, Shareholders' Meetings represent a favourable opportunity for interacting in a productive way with the shareholders and are an important occasion to disclose news about the Company to the shareholders in accordance with the parity-of-information principle and rules on price sensitive information. For these reasons inter alia, the Company intends to encourage the broadest possible attendance by shareholders at Shareholders' Meetings while also ensuring a higher level in the quality of the information provided.

In order to ensure adequate disclosure of the items that will be examined and approved at Shareholders' Meetings, Banco BPM, in accordance with the legally required deadlines, will make the reports illustrating the items on the agenda available to the public, at the registered office, on its website www.gruppo.bancobpm.it, on the website of Borsa Italiana S.p.A. and using the authorised storage mechanism , informing the market by publishing a press release.

The Ordinary Shareholders' Meeting of Banco BPM S.p.A. was held, in a single call, on Thursday 18 April 2024, at 10 a.m., in Verona, at Banco BPM's administrative office in Piazza Nogara, no 2, Banco BPM decided to avail itself of the option – in accordance with art. 106 of Legislative Decree no. 18 of 17 March 2020, converted by Law no. 27 of 24 April 2020 (the effects of which were extended, in said occasion, by Legislative Decree no. 215 of 30 December 2023, which provides for urgent regulations on regulatory terms, converted,

with amendments, by Law no. 18 of 23 February 2024) – to provide that attendance at the Shareholders' Meeting and voting rights were exercised by those entitled to do so exclusively through the designated representative, without therefore the physical participation of shareholders in the proceedings of the Shareholders' Meeting.

The Shareholders' Meeting resolved to approve the financial statements of Banco BPM S.p.A. as at 31 December 2023 as well as the proposals relating to the result for 2023 according to the information detailed in the Directors' Report.

The Shareholders approved the Report on the Remuneration Policy and on Compensation paid and the Share-based compensation plans of Banco BPM; the Shareholders 'Meeting also approved the purchase of ordinary shares of Banco BPM S.p.A., in one or more instalments, for a maximum total amount of Euro 45 million from the date of the Shareholders' Meeting (18 April 2024) until the first of the term of the 18th (eighteenth) month from the date of the authorization of the Shareholders' Meeting and the date of the Shareholders' Meeting that will be called to approve the financial statements for the year ending 31 December 2024.

Upon reasoned proposal of the Board of Statutory Auditors of Banco BPM, the Shareholders' Meeting also resolved to confer the engagement of statutory auditor of the company's accounts for the period 2026-2034, and indicated the related remuneration.

As is well known, Banco BPM has adopted, since the 2017 Shareholders' Meeting, a "Regulation of Shareholders' Meetings", which can be found on Banco BPM's website (www.gruppo.bancobpm.it — "Corporate Governance/Shareholders' Meetings" section), where the minutes of the Shareholders' Meetings are also available, to which reference should be made for further information, including an indication of the number of directors in attendance.

6 BOARD OF DIRECTORS

The information below is also provided in accordance with article 123-bis, paragraph 1, letter l), and paragraph 2), letters d) and d-bis of the Consolidated Law on Finance.

The main provisions of the By-Laws, as amended on 7 April 2022, containing the rules on the Board of Directors of the Company are illustrated below. For more information, please refer to the By-Laws on the website of Banco BPM (www.gruppo.bancobpm.it – under Corporate Governance section).

6.1 APPOINTMENT, REPLACEMENT AND COMPOSITION OF THE BOARD OF DIRECTORS

In accordance with article 20.1.1. of the By-Laws, the Board of Directors comprises 15 (fifteen) Directors, including non shareholders, including a Chairman and a Vice Chairman appointed by the Shareholders' Meeting in accordance with the provisions of article 20.8. of the By-Laws.

On the basis of article 20.1.2. of the By-Laws, the composition of the Board of Directors guarantees gender balance, in compliance with the currently applicable legislation and regulations.

In this regard, it should be noted that, in compliance with the legal and regulatory provisions that govern equal access to the administration bodies of listed companies on regulated markets, the current Board of Directors of Banco BPM is composed of 6 (six) directors out of 15 (fifteen) belonging to the less represented gender.

In accordance with article 20.1.3. of the By-Laws, the members of the Board of Directors must be capable of performing their duties, in accordance with prevailing laws and the By-Laws, and, more especially, they must possess the requirements of professional competence, integrity and independence, meet the criteria of expertise, honesty, time commitment and the specific limits to the number of offices as provided under prevailing laws and the By-Laws.

Subject to any other provisions of prevailing laws, at least 8 (eight) directors must hold the independence requirements set out under article 20.1.6. of the By-Laws.

In accordance with article 20.2 of the By-Laws, the members of the Board of Directors shall stay in office for three years, expiring on the date of the Shareholders' Meeting called for the approval of the financial statements relative to the last financial year of their office, and they can be reappointed upon expiry of their term of office.

In accordance with article 20.3.1. of the By-Laws, subject to the provisions of article 20.1., individuals who are either ineligible or disqualified from office pursuant to article 2382 of the Italian Civil Code may not be appointed as members of the Board of Directors, and if appointed they will be disqualified. The same limitations apply to individuals who do not meet the integrity or professional competence requirements pursuant to prevailing laws and regulations.

Subject to any other reasons for incompatibility envisaged by prevailing laws, persons that are or become members of management bodies or employees of companies that carry out or belong to groups that carry out business activities that are in competition with those of the Company or the Group to which it belongs, with the exception of central trade institutions or investee companies held directly or indirectly by the Company, may not be appointed to the position, and if appointed, will be removed from office. The above prohibition is not applicable when the participation in management bodies of other banks relates to the representation of trade organisations or associations of the banking system

On the basis of article 20.4. of the By-Laws, the election of members of the Board of Directors shall be based on lists in which the candidates are assigned progressive numbers. If a number of candidates is submitted that is equal to or higher than 3 (three), the list will have to comply with the gender proportions provided under prevailing laws.

The lists of candidates for the position of director may be submitted:

(i) by the Board of Directors (the "Board List"). The composition and the presentation of the Board List must be approved, based on a prior non-binding opinion of the Appointments Committee, with the favourable vote of 11 directors in office;
(ii) by one or more shareholders who own a total shareholding of at least 1% of the share capital of the Company with the right to vote at ordinary Shareholders' Meetings, or any

other percentage established by prevailing laws, and that will be communicated, from time to time, in the notice calling the Shareholders' Meeting convened to decide on the appointment of the Board of Directors (the "Shareholders List"); and

(iii) by one or more shareholders who are also employees of the Company or its subsidiaries and who own a total shareholding of at least 0.12% of the share capital of the Company (the "Shareholders- Employees List").

The ownership of the minimum percentage of shares in the share capital to submit the lists described under (ii) and (iii) is determined with respect to the shares that are registered in favour of the individual shareholder, or by more shareholders on a joint basis, on the day on which the lists were filed with the Company. The ownership of the number of shares necessary to submit the lists must be confirmed in accordance with prevailing laws; this confirmation must be sent to the Company, even after the filing, as long as it takes place at least twenty-one days before the date of the Shareholders' Meeting in compliance with the conditions set forth by prevailing laws.

The following must be complied with in order to be valid:

a) the lists of candidates must be filed with the registered office, including through remote communication means defined by the Board of Directors using methods, set forth in the notice calling the meeting, which allow the identification of the parties who are filing, at least twenty-five days before the date of the Shareholders' Meeting, and made available to the public at the registered office, on the website of the Company and with any other mechanisms provided for under the law in effect at the time, at least twenty-one days before the date of the Shareholders' Meeting;
b) each shareholder may submit or take part in submitting and voting on one list of candidates only, even if through third parties. Shareholders who belong to the same corporate group – with this meaning the parent company, the subsidiaries and the companies subject to joint control – and shareholders who belong to a shareholders' agreement as provided by article 122 of Legislative Decree no. 58 of 24 February 1998 regarding the shares of the Company may not submit, and those who have voting rights may not vote, more than one list, even if through third parties or through trust companies. Shareholders who submit a list and who are not the shareholders who hold a controlling interest or relative majority must also submit a declaration confirming the absence, with respect to said shareholders, of connections that could be classified as significant in accordance with prevailing laws. Each candidate may only be part of one list, if this condition is not met the candidate shall not be eligible;
c) the Board List must comply with the following requirements: (i) it must contain 15 (fifteen) candidates; (ii) the first 2 places must indicate the candidate for the position of Chairman of the Board of Directors in first place on the list, and the person who is proposed to the Board of Directors to cover the position as Chief Executive Officer, in second place on the list; (iii) the third place must indicate the candidate for the position of Vice Chairman of the Board of Directors;
d) the composition of the Shareholders Lists and the Shareholders-Employees Lists does not have to comply with the provisions of letter (c) above. Lists with less candidates than 15 can therefore be submitted provided that: (i) the lists with a number of candidates equal to or higher than 3 must include candidates of different genders in order to ensure that the composition of the Board of Directors complies with gender balance requirements in accordance with prevailing laws and regulations; (ii) they must contain a number of candidates who fulfil the independence requirements provided under article 20.1.6 of the By-Laws that is equal to at least 8 (eight) candidates where the list comprises 15 (fifteen) candidates or at least half (rounding down to the next full figure if the first decimal place is equal to or lower than 5 or rounding up to the next full figure in the other cases) where the list comprises a number of candidates of less than 15 (fifteen);
e) unless otherwise specified by the laws in effect at the time, along with each list, within the deadline for filing it as indicated in letter (a) above, any further documentation or statements required by prevailing laws or regulations must be filed at the registered office of the Company, in addition to the information relating to those who submitted the lists, indicating the percentage shareholding held as a whole, an exhaustive disclosure on the personal and professional characteristics of the candidates, the statements with which the individual candidates accept their candidature and confirm, under their own responsibility, that there are no grounds for ineligibility or incompatibility,

and that the legal, regulatory requirements and those under the By-Laws to hold the position of Board Director are fulfilled, the list of directorship and control positions covered in other companies and the declaration of the possession of the independence requirements provided under the By-Laws, and any other information that would help the overall assessment of suitability for the position in accordance with the scheme that will be made public by the Company beforehand, also taking account of the guidelines of the Supervisory Authorities;

f) in addition to the documentation set out under letter (e) above, the shareholders-employees who submit the Shareholders-Employees List must file the documentation confirming their status as employees of the Company or its subsidiaries.

Any lists that are submitted that do not fulfil the above-mentioned requirements will be considered not to have been submitted. However, the lack of documentation relating to the individual candidates on a list will not automatically invalidate the entire list but only the candidates who are not compliant.

The Board List must be filed and made public using the same mechanisms provided for the lists submitted by shareholders.

In accordance with article 20.5.1. of the By-Laws, if more than one list of candidates is submitted for the election of the Directors, the following procedure will be followed:

a) 12 (twelve) directors shall be taken from the list obtaining most votes, on the basis of the progressive order in which they were listed, or the lower number of directors that correspond to all the candidates indicated on said list;
b) the remaining 3 (three) directors or the higher number of directors if the list indicated in letter (a) above did not contain a total of 12 (twelve) directors — will be appointed from the other lists as follows:
- 1. where at least one Shareholders-Employees List has been validly submitted and obtained votes: (i) 1 (one) director will be appointed from the Shareholders-Employees List that obtained the highest number of votes from the Shareholders-Employees Lists; while (ii) the remaining 2 (two) or more directors to be elected in accordance with this letter (b) will be taken from the list, other than the one described under (i), on the basis of the following criteria: the votes obtained by each list will be divided by one, two, three, four, etc. in accordance with the number of members still to elect. The resulting quotients will be progressively assigned to the candidates on each of said lists according to the order in each list. The quotients attributed in this way to the candidates of the various lists will be set out in a single descending ranking: the candidates that obtained the highest quotients and that are taken from lists that are not related in any way, in accordance with prevailing laws, to the list that obtained the highest number of votes will be elected as board directors up to when the number of directors still to elect has been reached. It is understood that in any case, 1 (one) director will be taken from the Shareholders-Employees List even if the number of votes obtained from said list is lower than that obtained by the other lists;
- 1. if no Shareholders-Employees Lists are submitted or they are submitted but none of the Shareholders-Employees Lists obtained votes or if the list that obtained the highest number of votes in accordance with letter (a) above is a Shareholders-Employees List, the remaining 3 (three) or more directors will be taken from the other lists that obtained votes – different to the one that came first in accordance with letter (a) above – on the basis of the following criteria: the votes obtained by each list will be divided by one, two, three, four, etc. in accordance with the number of members still to elect. The resulting quotients will be progressively assigned to the candidates on each of said lists according to the order in each list. The quotients attributed in this way to the candidates of the various lists will be set out in a single descending ranking: the candidates that obtained the highest quotients and that are taken from lists that are not related in any way, in accordance with prevailing laws, to the list that obtained the highest number of votes will be elected as board directors up to when the number of directors still to elect has been reached.

Subject to the provisions of articles 20.6. and 20.7. of the By-Laws, if it is not possible to complete the composition of the Board of Directors in accordance with the procedure defined in article 20.5.1.

(b) above, or the number of candidates entered onto the lists submitted as a whole is lower than the number of directors to elect, the missing directors will be elected by relative majority decision of the Shareholders' Meeting in accordance with the provisions pursuant to articles 20.1.2., 20.1.3., 20.1.5., 20.1.7., 20.3.1., 20.3.2. and 20.3.3. of the By-Laws, to which the reader should refer for more information.

In accordance with article 20.6. of the Articles of By-Laws, in the cases governed by articles 20.5.1.(b)(1) and 20.5.1.(b)(2) of the By-Laws (i.e. in the cases described by letter (b) points 1 and 2 above), where more than one candidate obtained the same quotient, the candidate belonging to the list from which no Director has been elected yet, or the lower number of Directors has been elected, shall be elected (subject to the cases set out under article 20.5.1.(b)(1) of the By-Laws – i.e. the case under letter (b) point 1 above – 1 (one) director must be elected from the Shareholders-Employees List, if validly submitted, that obtained the highest number of votes among the Shareholders-Employees Lists). If no Director has been appointed from those lists, or the same number of Directors has been appointed from those lists, the candidate who has obtained the highest number of votes shall be elected. If there is the same number of votes obtained and if the quotients are the same, the appointment shall take place by means of a ballot by the whole Shareholders' Meeting, and the candidate who obtains the relative majority of votes shall be elected, subject to compliance with the provisions of articles 20.1.2., 20.1.3., 20.1.5., 20.1.7., 20.3.1., 20.3.2. and 20.3.3. of the By-Laws, to which the reader should refer for more information.

On the basis of article 20.9. of the By-Laws, if only one list is submitted, the members of the Board of Directors will be elected from that list up until the maximum number of candidates included therein. If the number of candidates on the single list is lower than 15 (fifteen), the remaining directors will be appointed by the Shareholders' Meeting passing a resolution with the relative majority of votes of the share capital represented at the Meeting by those with voting rights, upon proposal of the shareholders present.

In accordance with article 20.10. of the By-Laws, if no lists are submitted on time, the Shareholders' Meeting shall pass a resolution with the relative majority of votes of the share capital represented at the Meeting by those with voting rights, upon proposal of the shareholders present. If a number of candidates obtain the same number of votes, another vote shall be held by ballot, subject to the requirements set out by law and articles 20.1.2., 20.1.3., 20.1.4., 20.1.5., 20.1.7., 20.3.1.,20.3.2. and 20.3.3. of the By-Laws with respect to the composition and requirements of members of the Board of Directors, to which the reader should refer for more information.

Please refer to article 20.8. of the By-Laws regarding the election of the Chairman and the Vice Chairman of the Board of Directors.

In accordance with article 20.11. of the By-Laws, if during the year, one or more members of the Board of Directors should leave for any reason, provided that the majority still comprises the members appointed by the Shareholders' Meeting, the Board of Directors will make the replacement by cooption, in accordance with article 2386 of the Italian Civil Code, choosing, where possible, from among the candidates originally submitted on the same list as the outgoing member, who have confirmed their candidature, in compliance with the minimum number of independent directors provided by the By-Laws and the minimum number of directors who belong to the less represented gender provided for under the By-Laws and prevailing laws and regulations.

At the subsequent appointment at the Shareholders' Meeting, in accordance with the principles of independence and gender balance provided by the prevailing laws and regulations and the By-Laws, the following will be necessary:

a) to replace a director who was taken from the list that obtained the highest number of votes, the Shareholders' Meeting will vote on a relative majority basis among the candidates originally on the same list as the outgoing member and who have confirmed their candidature. If that is not possible, the Shareholders' Meeting will vote on a relative majority basis without any list restrictions;
b) to replace a director who was taken from the Shareholders-Employees List, the Shareholders' Meeting will vote on a relative majority basis among the candidates originally on the same list as the outgoing member and who have confirmed their candidature, or, failing this, among the candidates who, if possible, were proposed by the

shareholders/employees of the Company or the subsidiaries at the Shareholders' Meeting in accordance with the By-Laws relating to the submission of the Shareholders-Employees Lists. If that is not possible, the Shareholders' Meeting will vote on a relative majority basis without any list restrictions;

c) to replace a director who was taken from a Shareholders List other than the list that obtained the highest number of votes, the Shareholders' Meeting will vote on a relative majority basis among the candidates submitted on the same list as the outgoing member and who have confirmed their candidature or, failing this, among the candidates on any other Shareholders' Lists besides the Shareholders' List that obtained the highest number of votes and that are not the Shareholders- Employees Lists. If that is not possible, the Shareholders' Meeting will make the replacement by voting on a relative majority basis without any list restrictions, in accordance with the principle of the necessary representation of minorities;
d) to replace a director who was taken from the Board List, if said list had not obtained the highest number of votes, the Shareholders' Meeting will vote on a relative majority basis among the candidates originally on the same list as the outgoing member and who have confirmed their candidature. If that is not possible, the Shareholders' Meeting will vote on a relative majority basis without any list restrictions.

The members of the Board of Directors who have to replace the outgoing members will stay in office up to the expiry of office of the director being replaced.

Should the Chairman of the Board of Directors and/or the Vice Chairman leave office early, the Board of Directors will replace this person/these persons with the ordinary quorum described under article 23.4.1. of the By-Laws. A relative majority of the capital represented at the Shareholders' Meeting with voting rights will vote for the subsequent appointment at the Shareholders' Meeting, without any list restrictions.

If, due to resignation or for any other reason, more than half of the directors appointed by the Shareholders' Meeting are no longer in office before the expiry of the term, the entire Board will be considered to have resigned and a Shareholders' Meeting will have to be called for the new appointments. However, the Board will remain in office until the Shareholders' Meeting has decided on the re-establishment of the Board, and the acceptance of at least half of the new Directors has been received.

* * *

The Board currently in office, appointed by the Ordinary Shareholders' Meeting held on 20 April 2023, is composed of the 15 members and consists, at the date of this report of Messrs: Massimo Tononi, Chairman of the Board of Directors; Prof. Maurizio Comoli, Vice Chairman; Mr Giuseppe Castagna, Chief Executive Officer; Prof. Mario Anolli; Prof. Paolo Boccardelli; Mr Paolo Bordogna, engineer; Ms Nadine Faruque, lawyer; Prof. Paola Ferretti; Ms Marina Mantelli; Prof. Chiara Mio; Mr Alberto Oliveti, Prof. Mauro Paoloni; Mr Eugenio Rossetti, engineer; Ms Manuela Soffientini; Ms Luigia Tauro.

Appointed for a term of three years, they remain in office until the approval of the financial statements for the year 2025 by the Shareholders' Meeting and they may be re-elected.

Qualitative-quantitative composition of the Board of Directors

The qualitative-quantitative composition of the Board of Directors was approved at the meeting of 20 December 2022 as part of the "Process for the formation of the Board List (art. 20.4.2. of the By-Laws)", approved at the meeting of 27 September 2022 in view of the renewal of the administrative body resolved by the Shareholders' Meeting of 20 April 2023.

This document (i) contains, inter alia, the expected profiles of the members of the Board of Directors, including the particularly relevant roles (Chairman of the Board of Directors, Vice Chairman and Chief Executive Officer), also taking into account the outcome of the periodic self- assessment; (ii) available on the Bank's website (www.gruppo.bancobpm.it — Corporate Governance > Corporate Documents section).

Quantitative composition of the Board of Directors

The By-Laws of Banco BPM (article 20.1.1.) provide that the Board of Directors shall be composed of 15 Directors.

Qualitative composition: individual eligibility requirements of Directors

The members of the Board of Directors must be suitable for holding the office and, in particular, must possess the requirements of professionalism, integrity and independence, and meet the criteria of competence, fairness and time commitment and specific limits to the number of offices held as provided under prevailing laws.

Professionalism requirements

All candidates for appointment as members of the Board of Directors must meet the professionalism requirements provided for under prevailing law. In this regard, please note that the Extraordinary Shareholders' Meeting of 7 April 2022 approved the elimination of the statutory definition of professionalism, insofar as it had been absorbed and superseded by the regulations introduced by MEF Decree no. 169/2020.

In particular, pursuant to article 7 of the MEF Decree, candidates to carry out administrative functions must meet certain professionalism requirements depending on whether they hold executive or non-executive positions.

More specifically:

1. Officers with executive positions shall be chosen from among persons who have exercised, for at least three years, including alternatively:
a) administration or control activities or managerial duties in the credit, financial, securities or insurance sectors;
b) administration or control activities or managerial duties at listed companies or those with a size and complexity greater than or similar (in terms of turnover, nature and complexity of the organisation or the activity carried out) to that of the bank at which the position shall be held.
1. Officers with non-executive positions shall be chosen from among persons who meet the requirements set forth in the previous point or who have exercised, for at least three years, including alternatively:
a) professional activities related to the credit, financial, securities and insurance sectors or, in any case, activities that are functional to the bank's activities; the professional activity must be characterised by adequate levels of complexity, including with reference to the recipients of the services provided, and must be carried out on a continuous and significant basis in the above-mentioned sectors;
b) university teaching activities, as a first- or second-level lecturer, in legal or economic subjects or in other subjects that are, in any case, functional to the activities of the credit, financial, securities or insurance sectors;
c) managerial, executive or top management functions, howsoever entitled, at public bodies or public administrations that relate to the credit, financial, securities or insurance sectors, provided that the body at which the officer carried out said functions is of a size and complexity comparable with those of the bank at which the position is to be held.
1. The Chairman of the Board of Directors is a non-executive member with overall experience of at least two years more than the above requirements.
1. The Chief Executive Officer shall be chosen from among persons with specific experience in credit, financial, securities or insurance matters, gained through administration or control activities or managerial duties for a period of not less than five years in the credit, financial, securities or insurance sectors, or in listed companies or those with a size and complexity greater than or similar (in terms of turnover, nature and complexity of the organisation or the activity carried out) to that of the Bank.

For the purposes of meeting the above requirements, the experience gained during the twenty years prior to taking office is taken into account; experience gained simultaneously in more than one function is counted only for the period of time in which they were carried out, with

no accumulation permitted.

Competence criteria

In addition to the requirements of professionalism, the directors must meet the criteria of competence, including in terms of knowledge, experience and characteristics of soft skills, established by the legislation in force at the time and by the "soft laws£ (including the EBA-ESMA Guidelines and the ECB Guide) depending on the nature of the office/particular position held and the size and operating characteristics of Banco BPM.

In this regard, candidates for the office of Director must meet the criteria of competence set forth in article 10 of the MEF Decree. Specifically:

− theoretical knowledge and practical experience in more than one of the following areas will be taken into consideration:
- 1) financial markets;
- 2) regulations in the banking and financial sector;
- 3) guidelines and strategic planning;
- 4) organisational and corporate governance structures;
- 5) risk management (identification, assessment, monitoring, control and mitigation of the main types of risk in a bank, including the responsibilities of the officer in these processes);
- 6) internal control systems and other operational mechanisms;
- 7) banking and financial activities and products;
- 8) accounting and financial information;
- 9) information technology;
− it is subject to analysis whether the above theoretical knowledge or practical experience is suitable with respect to:
- 1) duties pertaining to the role held by the officer and any specific powers or delegations, including participation in Committees;
- 2) the characteristics of the Bank and of the banking Group to which it belongs, in terms of size, complexity, type of activities carried out and related risks, reference markets and countries in which it operates.

For the position of Chairman of the Board of Directors, an assessment is also made of experience gained in coordinating, guiding or managing human resources such as to ensure effective performance of the functions of coordinating and guiding the work of the Board, of promoting its proper functioning (including in terms of the circulation of information, effectiveness of discussion and the fostering of internal debate) and adequate overall composition of the body.

For the sake of completeness, it should be noted that article 10, paragraph 4, of the MEF Decree expressly permits the omission of the assessment with regard to the possession of the criteria of competence outlined above for officers in possession of the requirements of professionalism envisaged by the same MEF Decree, where accrued for a period at least equal to that laid down in the said Decree, and in particular:

5 years (accrued during the last 8 years) for Executive Directors who have carried out administration or control activities or management duties in the credit sector;
3 years (accrued during the previous 6 years) for Non-Executive Directors meeting the professionalism requirements set forth in article 7, paragraph 1, of the MEF Decree, for officers with executive offices;
5 years (accrued during the previous 8 years) for other Non-Executive Directors;
10 years (accrued during the previous 13 years) for the Chairman of the Board of Directors;
10 years (accrued during the previous 13 years) for the Chief Executive Officer and General Manager who have carried out administration or control activities or managerial duties in the

credit, financial, securities or insurance sectors.

The Board of Directors of Banco BPM recommended at the 2023 board renewal, that candidates for the role of Director shall preferably possess one or more of the following further qualifying skills/experience:

financial and/or banking markets;
banking and financial activities and products;
global dynamics of the domestic and international economic and financial system and of the trends and prospects in the reference sector;
internal control systems and other operational mechanisms;
risk management with a focus on: i) Risk Management and climate and environmental risks; ii) money laundering and terrorist financing risk;
accounting and financial information;
directions and programming;
IT technology with specific reference to Digital Transformation, Fintech, Cryptocurrency, Artificial Intelligence and Cybersecurity;
regulations in the banking, financial and insurance sector;
organisational and corporate governance structures;
human resources, remuneration systems and policies;
ESG/social and environmental sustainability.

The Board of Directors of Banco BPM, in formulating its recommendations to the shareholders wishing to submit a list, considers the importance of identifying profiles with adequate availability of time and resources so that the candidates could fulfil their roles on the Board and on the Internal Board Committees as optimally and efficiently as possible, as described below.

Specific skills are also required, for their respective areas of interest, from the members of the Internal Board Committees, with particular reference to the skills and experience referred to in point 5 above (risk management) of the members of the Internal Control, Risks and Sustainability Committee. Special attention is paid to members who cover the role of Chairman in the above-mentioned Internal Board Committees, since they will have to have built up specific experience and specific knowledge and expertise in the matters that the Committees will have to deal with.

The Code of Corporate Governance also requires that at least one member of the:

Control and Risk Committee has adequate experience in accounting and financial matters or risk management, without prejudice to the fact that – as also stipulated in the Supervisory Provisions – this committee must have adequate expertise in the business segment in which the company operates, necessary for assessing the related risks;
Remuneration Committee has adequate knowledge and experience in "financial matters or remuneration policies",

to be assessed by the Board of Directors upon appointment to the Committees.

Finally, with regard to:

the composition and diversity of the Board of Directors, as well as the experience relating to the company's sectors, products and geographic locations and the presence of adequate skills and expertise in the field of sustainability (ESRS 2 – Par. 19, 20 letter a) and c), 21, 23; ESRS 2 – Appendix A – RA 5), further information is provided in the Sustainability Reporting, Section "General Disclosures", Paragraph "Role of the administrative, management and supervisory bodies";
specific policies aimed at the elimination of discrimination, including harassment, promoting equal opportunities (ESRS S1 – Par. 24), further information is provided in the Sustainability Reporting, Section "Social Disclosures", Paragraph "Policies relating to equal treatment and opportunities for own workforce.

Required profiles of the particularly significant roles on the Board

Chairman of the Board of Directors

Below are the personal characteristics and skills that further qualify for the role of Chairman of the Board of Directors:

Ten years of recently accumulated professional experience. This experience must include a significant portion of high-level managerial positions and significant technical know-how in a banking or equivalent area;
A high level of intellectual independence and integrity to ensure the sound and prudent management of the Bank;
A consolidated reputation on the Italian and international markets, in full compliance with the distinctive image of the Group;
The ability to represent the Bank before local and international regulatory bodies, and significant institutions, being a convincing ambassador of the Group's core values;
Leadership in managing people, along with strong emotional intelligence, the ability to listen and independence of thought to be employed in the Board in his/her role as "super partes";
Experience in governance matters in comparable contexts in terms of size and complexity;
Expertise in the quantitative, regulatory and financial reporting areas in order to face challenges with respect to the CEO and top management;
Continuous willingness to examine the details of constantly evolving regulations, developments in the industry as a whole and peer relations, including at European level.

Vice Chairman of the Board of Directors

The personal characteristics and skills further qualifying for the role are reported below:

Leadership in managing people, along with strong emotional intelligence, the ability to listen and independence of thought;
Ability to facilitate dialogue within the Board of Directors;
The capacity to represent the Bank in place of the Chairman in the event of his/her absence or impediment;
Adequate availability of time to stand in for the Chairman in the event of his/her absence or impediment.

Chief Executive Officer (CEO)

The personal characteristics and skills further qualifying for the role are reported below:

Ten years of recent professional experience accumulated in sectors related to banking or financial services. This experience – preferably as a CEO of banks of a similar complexity to Banco BPM – must include holding high-level managerial positions for a significant portion of the above- mentioned period;
A high level of intellectual independence, integrity and reputation with respect to regulators and investors, in full compliance with the distinctive image of the Group;
A high level of sensitivity and exposure to the European and Italian markets;
Leadership skills in managing people, along with the ability to establish and lead high-level and senior teams in a complex organization;
Consolidated experience in the management of listed companies, comparable in complexity to Banco BPM;
In-depth understanding of regulatory issues, risk and all aspects of capital management, experience in budgeting, accounting policies and tax, gained in highly regulated contexts;
Solid capacity to lead and develop commercial aspects in the banking sector, especially in the Retail division, but also in Private Banking, Asset Management, Investment Banking,

Bancassurance, etc.;

Good understanding and fit with the culture and business model of Banco BPM;
Proven strategic capacity, short/medium/long term planning vision;
Proven capacity to be resilient in highly stressful situations.

Chairmans of the Internal Board Committees

The personal characteristics and skills further qualifying for the role of Chairman of Internal Board Committee are reported below:

Leadership in managing people, along with strong emotional intelligence, the ability to listen and independence of thought;
Knowledge and experience in the areas of competence of the specific Committee.

Aptitude requirements

In addition to the professional competence requirements referred to above, the characteristics and personal skills of the candidate (known as soft skills) are duly considered, as indicated by the EBA/ESMA Guidelines, which should be referred to for further details:

Authenticity: consistency in words and deeds in accordance with established values and beliefs. Open communication of intentions, ideas and feelings, promotion of an environment of openness and honesty and duly informing the supervisor of the current situation, while recognising risks and problems.
Language: the candidate can communicate orally in an articulated and conventional manner and write in his/her own national language or in the working language of the entity.
Resolve: the candidate takes timely and informed decisions by acting promptly or by adopting precise behaviour, for example by expressing opinions and avoiding delays.
Communication: the candidate is able to convey a message in an understandable and acceptable manner and in an appropriate form. S/he aims to provide and obtain clarity and transparency and encourages active listening.
Judgement: the candidate is able to weigh heterogeneous data and behaviours and reach a logical conclusion. S/he examines, recognises and understands the elements, as well as the essential issues. S/he has the breadth of views to look beyond his/her area of expertise, in particular in dealing with problems that may jeopardise business continuity.
Quality and customer-oriented approach: the candidate focuses on ensuring quality and, where possible, identifying ways to improve it. S/he identifies and studies the wishes and needs of customers, ensures that customers do not take unnecessary risks and provides accurate, complete and balanced information to customers.
Leadership: the candidate provides instructions and guidance to a group, develops and maintains teamwork, motivates and encourages available human resources and ensures that staff members have the professional competence to achieve a specific objective. S/he is receptive to criticism and offers space for critical debate.
Loyalty: the candidate identifies with the company and has a sense of involvement. The candidate shows that s/he is able to dedicate sufficient time to the work and carry out his/her duties correctly, defend the interests of the company and act in a critical and objective manner. S/he recognises and anticipates potential conflicts of personal and corporate interest.
External awareness: the candidate monitors developments, power bases and conduct within the company. S/he is well informed of relevant national and international financial, economic, social and other developments that may affect the company, as well as the interests of the parties concerned, and is able to use this information effectively.
Negotiation: the candidate identifies and discloses common interests so as to create consensus while pursuing negotiation objectives.
Persuasiveness: the candidate can influence the opinions of others by exercising powers of

persuasion and employing natural authority and tact. S/he has a strong personality and is able to withstand pressure.

Teamwork: the candidate is aware of the interests of the group and contributes to the pursuit of a shared result; is able to act as part of a team.
Strategic acumen: the candidate can develop a realistic vision of future developments and translate this into long-term objectives, e.g. by applying a scenario analysis. In doing so, s/he takes adequate account of the risks to which the company is exposed and adopts the appropriate measures to contain them.
Resilience to stress: the candidate is resilient and able to operate consistently even when subjected to great pressure and in times of uncertainty.
Sense of responsibility: the candidate understands internal and external interests, carefully evaluates them and reports on them. S/he has the ability to learn and understand that his/her actions affect the interests of the parties concerned.
Chair meetings: the candidate can chair meetings efficiently and effectively and create an open atmosphere that encourages everyone to participate on an equal basis; is aware of the duties and responsibilities of other parties.

The Board leadership and coaching/development skills of the Directors are also taken into account.

Integrity requirements

All candidates for appointment as Members of the Board of Directors must ensure compliance with the integrity requirements set forth in article 3 of the MEF Decree and article 2 of Italian Ministerial Decree 162/2000.

Failure to comply with the integrity requirements will make it impossible to take on the office or will lead to loss of the office.

Fairness criteria

In addition to the integrity requirements, Directors must fulfil the criteria of fairness in previous personal and professional conduct, understood as good reputation, honesty, integrity and financial soundness, established by the prevailing legislation and the "soft laws" (including the EBA-ESMA Guidelines and the ECB Guide), pursuant to the provisions of article 4 of the MEF Decree.

With reference to the criteria of fairness, it should be noted that the occurrence of one or more of the situations indicated by the aforementioned article 4 of the MEF Decree does not automatically imply the unsuitability of the officer, but requires assessment by the Board of Directors, conducted with regard to the principles of sound and prudent management as well as the protection of the bank's reputation and public trust.

Given the importance that these criteria play in terms of reputation, the Board expresses the recommendation that the candidates for the office of member of the Board of Directors, in addition to possessing the requirements of integrity set forth by the applicable regulations:

shall not have behaved in a way that, although not necessarily a criminal offence, is not in line with their position as member of the Board of Directors of the Bank or that could result in consequences that are seriously prejudicial to the Bank's reputation;
shall not and have not in the past find themselves in situations which, with regard to the economic activities and financial conditions of the candidates (or the companies controlled or directed by them or in which they hold significant stakes), are – or were – including on a potential basis, capable of affecting their reputation.

Availability of time and commitment required of the Directors

The directors must ensure proper availability to the performance of the their position, including in relation to activities resulting from participation in the work of the internal board committees of which they are members.

The Directors must also undertake to attend induction and training meetings, any additional off-

site meetings, and – as invitees – meetings of committees of which they are not members.

In view of the above, the Board recommends that candidates should accept the position if they believe they can dedicate the necessary time and energy, in consideration of the amount of time needed for other work or professional activities, in addition to the performance of duties for positions held in other companies.

In this regard, when drawing up the "Qualitative-quantitative composition of the Board of Directors", an estimate was made of the minimum time deemed necessary for effective participation in meetings (subsequently supplemented in the context of the Board meeting of 8 May 2023 aimed at verifying the time commitment of the members of the Board of Directors after their appointment to take into account the newly established Sustainability Committee) summarised in the following table, with the specification that the estimate of the commitment for participation in Committees must be considered inclusive of that of the mandate of mere Director:

	Estimated commitment
Position	(days/year)
Chairman	200 days
Chief Executive Officer	Full time
Vice Chairman	100 days
Non-Executive Director	40 days
Commitment for Committees
Position	Estimated commitment (BoD + Committee) (days/year)
Chairman of the Internal Control and Risk Committee	75 days
Member of the Internal Control and Risk Committee	57 days
Chairman of the Appointments Committee	52 days
Member of the Appointments Committee	46 days
Chairman of the Remuneration Committee	52 days
Member of the Remuneration Committee	46 days
Chairman of the Sustainability Committee	52 days
Member of the Sustainability Committee	46 days

It should be noted- for information purposes - that in the three-year period 2022-2024, took place an average of no. 20 meetings of the Board of Directors, no. 21 meetings of the Internal Control and Risk Committee, no. 24 meetings of the Nomination Committee, no. 21 meetings of the Remuneration Committee, and no. 5 meetings of the Related Parties Committee, as well as 1 no. 3 meetings of the Sustainability Committee (established on April 26, 2023) in the two-year period 2023-2024, while during the year 2024, took place no. 20 meetings of the Board of Directors, no. 23 meetings of the Internal Control and Risks Committee, no. 21 meetings of the Appointments Committee, no. 23 meetings of the Remuneration Committee, no. 4 meetings of the Related Parties Committee and no. 17 meetings of the Sustainability Committee.

Limit to the accumulation of external positions

Board Directors shall comply with prevailing laws (art. 91 of CRD IV, arts. 17, 18 and 19 of the MEF Decree, art. 36 of Italian Decree Law no. 201/2011, converted into Italian law no. 214/2011; art. 2390 of the Italian Civil Code) and the By-Laws (arts. 20.1.3., 20.3.2. and 20.3.3.) regarding the taking up of positions in companies other than the Bank.

On the basis of article 91 of the CRD IV, article 17 of the MEF Decree and article 3.1 of the Regulation "Limits to the number of offices" of the Bank, referred to by article 20.3.3. of the By-Laws, members of the Board of Directors of the Bank cannot hold an overall number of positions in banks or other commercial companies that exceeds one of the following alternative combinations:

a) 1 executive position with 2 non-executive positions;

or

b) 4 non-executive positions.

The above is set out in article 3.1 of the above-mentioned Regulation, on the basis of which the following limits on the holding of positions are stipulated for Board Directors of Group Banks:

(i) those who carry out roles with executive functions in Group Banks cannot take on executive positions in companies that do not belong to the Group, while they may take on 2 non-executive positions in companies that do not belong to the Group;
(ii) those who hold positions with non-executive functions in Group Banks may hold the following combinations of offices:
- − 1 executive position in companies not belonging to the Group and 1 non-executive position in companies not belonging to the Group;

alternatively,

− 3 non-executive positions in companies that do not belong to the Group.

For the purposes of calculating the above limits:

(i) the office held in the Bank is included;
(ii) the following specification mechanism is applied: the set of offices held (a) within the same group (including Banco BPM Group), (b) in entities belonging to the same system of institutional protection and (c) in companies in which the Bank has a qualified holding as defined by Regulation (EU) no. 575/2013, article 4(1)(36), is considered a single position. The set of offices counted as a single one is considered executive if at least one of the offices held is executive, while in the other cases it is considered non-executive. Where more than one of the cases set out in this point (ii) apply, the offices are added together;
(iii) consideration is not taken of roles held (aa) at companies other than commercial companies or at entities whose sole purpose consists in managing the private interests of an officer or their non- legally separated spouse, partner in civil unions or cohabiting partners, relatives or in-laws up to the 4th degree, which do not require any type of daily management by the officer; (bb) as a professional in a partnership; (cc) as an alternate auditor.

Additionally, subject to any other incompatibility stipulated by prevailing laws (including the prohibition on interlocking directorships in accordance with Italian Law no. 214 of 22 December 2011, the prohibition laid down by article 4, paragraph 2-bis, of Italian Legislative Decree no. 153/1999, etc.), the position of Director is not compatible with offices of a political nature, meaning national parliamentary duties or as a member of the government. It is also recommended that the position of Director is not carried out by persons who hold European parliamentary office, or are members of regional, provincial or municipal councils (limited to the municipal capitals of Provinces).

For further details and specifications regarding the position accumulation limits, please refer to the Regulation "Limits to the number of offices" available on the Bank's website (www.gruppo.bancobpm.it – Corporate Governance section).

Independence pursuant to the By-Laws and Independence of judgement

Pursuant to the By-Laws, at least 8 Directors must possess the independence requirements established by article 20.1.6. of the By-Laws in effect. Further details are referred under paragraph 6.7 of the this report.

It should be understood that, pursuant to article 15 of the MEF Decree, all Directors shall act with full independence of judgement and awareness of their duties and rights in relation to their position, in the interests of the sound and prudent management of the Bank and in compliance with the law and any other applicable regulation.

All Directors are also required to provide the information requested pursuant to article 15(2) of the MEF Decree and the reasons why any relevant cases pursuant to this provision do not concretely affect their independence of judgement.

Without prejudice to the above, it should be noted that Banco BPM Group has established specific controls aimed at preventing and mitigating possible conflicts of interest pursuant to current regulations and the guidelines of the Supervisory Authorities. Further details are referred under paragraph 8.7 of this report.

Guidelines regarding diversity

In accordance with the provisions of prevailing laws and regulations, and best practices, it is considered necessary to ensure adequate diversification of the members of the Board of Directors with regard to both gender and skills, and also to adopt an age policy.

In compliance with the legal (article 147-ter of the "TUF" – Consolidated Law on Finance) and regulatory provisions which govern equal access to the administrative bodies of companies listed on regulated markets, at least two fifths of the elected directors must be reserved for the gender less represented for six consecutive mandates.

In light of the current regulatory environment, at least 6 (six) members of the Board of Directors must be of the less represented gender.

In addition, without prejudice to the provisions provided for by the law, including regulatory provisions applicable form time to time, to ensure that the administrative body, in his entirety, ensure out an efficient fulfillments of the its duty, the Fit & Proper state that the composition of the body itself ensures the balanced and diversified presence of Directors who, individually, have acquired the skills and experience necessary in order to satisfy the competence criteria above mentioned, with particular reference to the banking and financial sector or financial services sector described in the qualitative-quantitative composition of the Board of Directors.

Lastly, with particular reference to age, the Fit & Proper Policy requires that candidates for the position of statutory auditor in Banco BPM are not older than 75 years, without prejudice to the right to make exceptions to said criteria on the basis of justified and grounded reasons.

The present composition of the Board of Directors fully complies with the provisions of the norms and regulations, as well as those contained in the Fit & Proper Policy concerning diversity policies.

Overall suitability of the Board of Directors

The Fit & Proper Policy requires that the collective composition of the Board of Directors must be adequately diversified – in terms of skills and experience, age, gender and length of office of Directors – so as to:

− foster discussion and internal dialogue within the bodies;
− favour the emergence of a plurality of approaches and perspectives in the analysis of issues and in the making of decisions;
− effectively support the corporate processes of developing strategies, managing activities and risks, controlling the activities of the top management;
− take account of the multiple interests that contribute to the sound and prudent management of the bank.

In order to guarantee the "collective suitability" of the Body, the members of the Board of Directors must express:

− a balanced composition of experience and technical knowledge, of managerial and/or entrepreneurial experience, identified based on an approach that gives preference to concrete, substantial and positive aspects, compared to abstract, theoretical and merely negative ones, as well as outstanding professionals from universities, business consultants or freelancers;
− an actual willingness to make further changes in view of rapid changes in the frame of reference, while maintaining – at the same time – the spirit of integration and its specific aspirations.

Board induction/continuous training activities

Also in light of the provisions of art. 12 of the MEF Decree, the recommendations of the Bank

Supervisory Provisions and the EBA/ESMA Guidelines, the Bank promotes the participation of Directors in specific training initiatives, also considering the involvement of parties outside the Bank in training activities.

The training and induction plans are aimed to foster a clear understanding on the part of the Directors of the structure of the Bank and the Group, the business model, the company dynamics and their development including from the perspective of sustainable success, proper risk management profiles, the legal and regulatory framework in place and to give them in-depth knowledge of issues of strategic relevance.

Specifically, the topics covered in 2024 concerned the following areas in particular: (i) Developmental lines of the ESG strategy and climate/environmental risk management. Evolution of sustainability reporting regulations for 2024; (ii) National and European regulatory framework of a financial conglomerate. Supervisory role of the Parent Company over the Group's insurance sector (with a focus on integrated risk management and challenge activities by the control functions); (iii) Banco BPM Group remuneration and incentive policies with a focus on areas regulated by specific industry regulations. People strategy in terms of diversity, equality and inclusion; (iv) Methodologies assessment and control systems: credit risk and IT risk. Risk assessment of the insurance business insurance; (v) New Code of Business Crisis and Insolvency; (vi) CSRD: double materiality analysis; (vii) ECB Guidelines on Risk Data Aggregation and Risk Reporting. The strengthening of BCBS 239 principles as a supervisory priority; (viii) Regulatory provisions on the prevention of money laundering and terrorist financing; (ix) Insights on human resources issues: (a) women's Leadership in the Banco BPM Group; (b) Human resources and remuneration systems.

The Directors were finally updated (including with specific information reports provided during the Board of Directors and Board of Statutory Auditors meetings) on the main legislative news involving the Company and the Corporate Bodies. In order to ensure that the members of the Board of Directors and Board of Statutory Auditors are kept constantly updated and trained, a regulatory alerting service was prepared and created by the applicable company functions on topics of legal and tax interest.

Succession plans

The "succession plans" concern the top management of Banco BPM, the subsidiary banks and the main non-banking subsidiaries of the Group and all the positions whose appointment is reserved to the Board of Directors and cannot be delegated:

Chairman of the Board of Directors of Banco BPM
Chief Executive Officer of Banco BPM
Co-General Managers of Banco BPM
Senior Operational and Executive Managers
- Chief Lending Officer (CLO)
- Chief Innovation Officer (CIO)
- Corporate & Investment Banking Manager
Control Function Managers
- Chief Risk Officer (also as Risk Manager)
- Internal Audit Manager
- Compliance Manager
- Risk Manager
- Anti-Money Laundering Function Manager
- Internal Validation Function Manager
Financial Reporting Manager for Banco BPM
Chairman of the Board of Directors of Banca Aletti
Chief Executive Officer of Banca Aletti
General Manager of Banca Aletti
Chairman of the Board of Directors of Banca Akros
General Manager of Banca Akros
Chairman of the Board of Directors of Banca Aletti & C. Suisse
General Manager of Banca Aletti & C. Suisse
Chairman of the Board of Directors of Banco BPM Vita
Chairman of the Board of Directors Banco BPM Assicurazioni
Chief Executive Officer of Banco BPM Vita

• Chief Executive Officer of Banco BPM Assicurazioni

For each individual position, processes are provided for the appointment, the roles of the Committees involved are explained and the methods for ensuring business continuity are specified, referencing the system of powers in force from time to time and identifying the company structures able to provide for the temporary absence of function managers.

Special mechanisms are provided for in the event of a replacement occurring earlier than the ordinary term of office.

The succession plan for the Chief Executive Officer of Banco BPM is prepared in accordance with the processes and requirements defined in compliance with the provisions, from time to time in force, governing the matter, as well as with the provisions of the By-Laws and internal regulations, to which reference should be made, and may be initiated when the term of office expires as well as in the event of an unexpected termination.

As set forth in the By-Laws, the appointment and revocation of the Chief Executive Officer and the assignment, amendment and revocation of the related powers are reserved to the non-delegable competence of the Board of Directors (article 24.2.2. Non delegable competences of the Board of Directors – letter f): "assignment of special duties or powers to one of more Board Members and determination, modification and revocation of related powers, including the appointment and revocation of the Chief Executive Officer and the assignment, modification and revocation of related powers").

a - Expiry of the mandate granted to the Chief Executive Officer

Near the end of the mandate, the process for the appointment of the Chief Executive Officer starts with the composition of the list of candidates who, pursuant to article 20.4.2 of the By-Laws: (i) may be presented by the Board of Directors (ii) must be approved by the Board, subject to the non-binding opinion of the Appointments Committee, with the favourable vote of 11 Directors in office. The list of the Board of Directors, pursuant to article 20.4.2, paragraph 3, letter c), must comply with the following requirements: (i) it must contain 15 (fifteen) candidates; (ii) the first 2 (two) places must indicate the candidate for the position of Chairman of the Board of Directors in first place on the list, and the person who proposed to the Board of Directors for the position of Chief Executive Officer, second on the list.

The appointment process involves the following procedure:

− the Appointments Committee gathers all the elements of judgement useful for defining the professionalism, skills and suitability of candidates, whether internal or external to Banco BPM, ensuring compliance with all the requirements laid down by law and in the By-Laws, including in particular those set out in article 20.1 of the By-Laws and the specific requirements for holding the office of Chief Executive Officer laid down by internal regulations, to which reference should be made;
− in compliance with the Supervisory Provisions, the Remuneration Committee performs its advisory and proposal role with regard to the remuneration for the office of mere director;
− the Board of Directors evaluates the proposals of the Appointments Committee and, in the event of a positive outcome of the candidacy, near the end of the mandate, enters the candidate on the list of the Board in the manner indicated above;
− the Board of Directors assesses the proposals of the Remuneration Committee and, in the event of a positive outcome, submits to the Shareholders' Meeting the proposal regarding the remuneration for the office of mere director;
− the Board of Directors, after the Shareholders' Meeting has resolved to appoint the members of the Board, appoints the Chief Executive Officer and determines his/her powers pursuant to articles 24.2.2. and 28.1. of the By-Laws;
− in compliance with the Supervisory Provisions, the Remuneration Committee carries out its advisory and proposal role with regard to the remuneration of the members of the Board of Directors vested with particular offices or special duties or powers (including the Chief Executive Officer);
− the Board of Directors establishes, pursuant to article 22.1. of the By-Laws, upon the proposal of the Remuneration Committee and after consulting with the Board of Statutory Auditors, the

remuneration of the members of the Board of Directors vested with special offices or powers (including the Chief Executive Officer).

b – Replacement of the Chief Executive Officer during the term of office

The process is also activated in the event of unexpected termination. Business continuity is guaranteed by the internal system of delegations and sub-delegations.

The appointment process involves the following procedure:

− the Appointments Committee gathers all the elements of judgement useful for defining the professionalism, skills and suitability of candidates, whether internal or external to Banco BPM, ensuring compliance with all the requirements laid down by law and in the By-Laws, including in particular those set out in article 20.1 of the By-Laws and the specific requirements for holding the office of Chief Executive Officer laid down by internal regulations, to which reference should be made;
− in compliance with the Supervisory Provisions, the Remuneration Committee performs its advisory and proposal role concerning the remuneration for the special office of Chief Executive Officer;
the Board of Directors assesses the proposals:

(i) of the Appointments Committee and, in the event of a positive outcome of the nomination, provides for replacement through the co-optation system pursuant to article 20.11.1. of the By-Laws: " ...if during the course of the office, one or more Board Members cease to hold office for any reason, provided that the majority is still composed of members appointed by the Shareholders' Meeting, the Board of Directors shall replace them by co-optation pursuant to article 2386 of the Italian Civil Code...";

(ii) of the Remuneration Committee and, in the event of a positive outcome, approves the remuneration for the particular office of Chief Executive Officer.

With reference to the parties involved in the process, the following should be noted. The Appointments Committee is entrusted with the functions set out in the Supervisory Provisions, the Code of Corporate Governance and internal regulations.

In particular, with regard to the above, the Appointments Committee:

assesses or processes proposals regarding:
- − the composition and presentation to the Shareholders' Meeting of a list of candidates for the offices of Directors;
- − the appointment or co-opting of Directors to replace those who have resigned pursuant to article 20.11. of the By-Laws;
- − the appointment and revocation of the Chief Executive Officer of Banco BPM S.p.A.;

• provides its opinion to the Board of Directors, on the following:

− the appointment and revocation on the proposal made by the Chief Executive Officer after consulting the Chairman of the Board of Directors – of the General Manager and Co-General Managers of Banco BPM, if these positions are required under article 29 of the By-Laws;
− the names of candidates for Directors, Statutory Auditors, General Managers, Co-General Managers and Deputy General Managers of the Group's subsidiary banks and main non- banking subsidiaries;
− appointment of senior operational and executive managers of Banco BPM S.p.A., as identified by means of the appropriate board decisions;
− the appointment and revocation, in accordance with the By-Laws, of the Financial Reporting Manager of Banco BPM according to article 154-bis of Italian Legislative Decree no. 58/1998 and the managers of Banco BPM S.p.A.'s control functions, namely the Internal Audit Manager, the Compliance Manager, the Risk Manager, the Anti-Money Laundering Manager and the Internal Validation Function Manager.

The Appointments Committee oversees the entire process and is responsible for updating the plans according to changes in organisational requirements or regulatory provisions. It also provides support to the Board of Directors.

The Internal Control and Risk Committee identifies and proposes to the Board of Directors, with the help of the Appointments Committee, the Managers of the internal control functions (Internal Audit, Compliance, Risk Management, Anti-Money Laundering, Internal Validation) and formulates the proposal to revoke said Managers. Without prejudice to the responsibilities of the Remuneration Committee, it formulates its opinion on the remuneration of the Managers of the internal control functions under the responsibility of the Board of Directors.

The Remuneration Committee, in compliance with the Supervisory Provisions, has advisory and proposal-making duties in relation to the remuneration of Directors, Statutory Auditors, General Managers, Co-General Managers, Deputy General Managers, Financial Reporting Manager, the managers of internal control functions and other staff whose remuneration and incentive systems are decided by the Board of Directors, as well as in relation to the criteria to be adopted for the remuneration of the remaining "identified staff".

The Board of Statutory Auditors carries out the duties and exercises the control functions envisaged by the legislation in force at the time and is an integral part of the overall internal control system. It is also consulted on decisions concerning the appointment and revocation of the Managers of the Internal Control Functions and of the Financial Reporting Manager, as well as on the definition of the essential elements of the overall architecture of the control system. In agreement with the Remuneration Committee, it directly monitors the correct application of the rules relating to the remuneration of the Managers of the internal control functions and provides its opinion, pursuant to article 2389 of the Italian Civil Code, on the remuneration for the particular office of Chief Executive Officer.

Pursuant to the current By-Laws, the non-delegable powers of the Board of Directors include the appointment, revocation and replacement of the Chief Executive Officer, the General Manager, the Co-General Managers, the Senior Operational and Executive Managers, the Financial Reporting Manager pursuant to article 154-bis of Italian Legislative Decree no. 58 of 24 February 1998, the Managers of the Compliance Function, the Risk Management Function, the Anti-Money Laundering Function, the Internal Validation Function and the Internal Audit Function.

The Chief Executive Officer makes proposals to the Board of Directors regarding the appointment of the Company and Group senior operational and executive managers and, in association with the Chairman of the Board of Directors, regarding the appointment and removal of the General Manager and Co-General Managers.

In the event that a vacancy in one of the positions covered by the plans occurs or is expected, the Human Resources function promptly takes the necessary steps to activate the required process. In addition, it supports the Chief Executive Officer and the Committees in the collection, analysis and preparation of the documentation useful to the various steps and provides detailed information on the identified candidates.

There is also an annex, entitled "Description of Role Profiles", in which, for each position considered, a profile description has been drawn up highlighting the requirements to fill said position.

Succession plans are update according to changes made to organisational requirements or regulatory provisions.

With regard to the requirement of independence for the current Board of Directors, please refer to paragraph 6.7 of this report for further information.

Pursuant to article 20.1.6. of the By-Laws, the following are considered to be "executive directors":

* * *

(i) the Chief Executive Officer, the directors to whom the Board of Directors has granted powers pursuant to article 2381, paragraph two of the Italian Civil Code (and article 24.2.2, letter f), of the By-Laws) and directors who de facto carry out roles pertinent to the daily management of the company;

(ii) directors who are members of an executive committee;
(iii)members of a board of directors who hold managerial positions in the company they manage, supervising certain areas of company management.

Pursuant to article 20.1.6. of the By-Laws, executive directors cannot be considered to be independent. The only executive Board Director, and therefore not independent on the basis of the provisions of the Code of Corporate Governance, is Giuseppe Castagna, based on said person's position as Chief Executive Officer.

Also bear in mind that the Chairman of the Board of Directors is qualified as "non-executive" as he/she does not have management powers.

The ordinary Shareholders' Meeting of Banco BPM, held on 20 April 2023, appointed the following 15 members of the Board of Directors, who shall remain in office for three financial years (until approval of the financial statements for 2025) and who can be re-elected. The following table shows information on each member of the Board of Directors in office as at 31 December 2024, bearing in mind that no. 20 meetings were held from 1 January to 31 December 2024 and that from 1 January 2025 to the date of this report, no. 3 meetings of the Board of Directors were held.

Name and Surname	Office held	Year of birth	Date of first appointment	In office from	In office to	List I	Exe c. II	Indep By Laws III	Indep. C.C.GIV	Indep. Cons. Law on FinanceV	% BoDVI	Other position VII
Massimo Tononi	Chairman, Director	1964	4-Apr-2020 28-Feb-2020	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	1
Maurizio Comoli	Vice Chairman, Director	1958	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	5
Giuseppe Castagna	Chief Executive Officer, Director	1959	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	YES	NO	NO	NO	100%	0
Mario Anolli	Director	1963	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	95%	1
Paolo Boccardelli	Director	1971	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	3	NO	YES	YES	YES	100%	1
Paolo Bordogna	Director	1958	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	85%	2

Nadine Farida Faruque	Director	1960	4-Apr-2020	20-Apr 2023	Approv. financial statements as at 31.12.2025	3	NO	YES	YES	YES	100%	1
Paola Ferretti	Director	1967	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	0
Marina Mantelli	Director	1956	4-Apr-2020	20-Apr 2023	Approval Financial statements as at 31.12.2025	1	NO	YES	YES	YES	95%	2
Chiara Mio	Director	1964	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	3
Alberto Oliveti	Director	1953	20-Apr-2023	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	2
Mauro Paoloni	Director	1960	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	2	NO	NO	NO	YES	100%	4
Eugenio Rossetti	Director	1956	4-Apr-2020	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	3
Manuela Soffientini	Director	1959	1-Jan-2017	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	80%	3
Luigia Tauro	Director	1962	4-Apr-2020	20-Apr 2023	Approv. financial statements as at 31.12.2025	1	NO	YES	YES	YES	100%	1

I: This column shows the number of the source list based on the order of presentation of the lists.

II: This column indicates the Directors who are considered "executive" pursuant to the Code of Corporate Governance.

III: This column indicates whether or not the Directors fulfil the independence requirement pursuant to article 20.1.6. of the By-Laws.
IV: This column indicates whether or not the Directors fulfil the independence requirement pursuant to the application criterion indicated in article 2 of the Code of Corporate Governance.
V: This column indicates whether or not the Directors fulfil the independence requirement pursuant to article 148, paragraph 3 of the Consolidated Law on Finance.
VI: This column indicates the attendance, in percentage terms, at the meetings of the Board of Directors held in 2023, taking the term of office as reference.
VII: This column shows the total number of directorship, management and control positions held in other listed, financial, banki ng, insurance or significantly sized companies; the latter have been identified in light of the provisions set forth in the Regulation "Limits to number of offices" adopted by Banco BPM. The detailed list of positions is provided in annex 1 to this report.

The table below provides information on the composition of the Board of Directors as indicators of diversity.

Average age 63 years

The table below indicates, for each Board Director currently in office: i) the attendance — as Chairman (C) or member (M) — in the Internal Board Committees, established in accordance with the Code of Corporate Governance (Internal Control and Risk Committee, Appointments Committee and Remuneration Committee); ii) the related attendance in percentage terms at meetings considering that between 1 January and 31 December 2024:

the Internal Control and Risk Committee (C.C.I.R.) met 23 times;
the Appointments Committee (C.N.) met 21 times;
the Remuneration Committee (C.Rem.) met 23 times.

Name and Surname	Office held	C.C.I.R.	% C.C.I.R.	C.N.	% C.N.	C.Rem.	% C.Rem.
Massimo Tononi	Chairman, Director
Maurizio Comoli	Vice Chairman, Director	M	100%
Giuseppe Castagna	Chief Executive Officer, Director
Mario Anolli	Director	M	100%	P	100%
Paolo Boccardelli	Director
Paolo Bordogna, Engineer	Director	M	91%			M	100%
Nadine Farida Faruque	Director	M	100%
Paola Ferretti	Director
Marina Mantelli	Director			M	95%
Chiara Mio	Director			M	95%
Paoloni Mauro	Director					M	96%
Alberto Oliveti	Director
Eugenio Rossetti	Director	P	100%
Manuela Soffientini	Director					P	100%
Luigia Tauro	Director

The table below indicates, for each Board Director: i) the attendance — as Chairman (C), Vice Chairman (DC) or member (M) — in further internal committees: Sustainability Committee and Related Parties Committee of the Board of Directors (the latter established over and above the recommendations set out in the Code of Corporate Governance); ii) the related attendance in percentage terms at meetings considering that between 1 January and 31 December 2024:

the Sustainability Committee (C.Sost.) met 17 times;

the Related Parties Committee (C.P.C.) met 4 times.

Name and Surname	Office held	C.Sost.	% C.Sost.	C.P.C.	% C.P.C.
Massimo Tononi	Chairman, Director
Maurizio Comoli	Vice-Chairman
Giuseppe Castagna	Chief Executive Officer, Director
Mario Anolli	Director
Paolo Boccardelli	Director			P	100%
Paolo Bordogna, Engineer	Director
Nadine Farida Faruque	Director
Paola Ferretti	Director			M	100%
Marina Mantelli	Director
Chiara Mio	Director	M 88%
Mauro Paoloni	Director
Alberto Oliveti	Director	M 100%
Eugenio Rossetti	Director
Manuela Soffientini	Director
Luigia Tauro	Director	P	100%	M	100%

Some short biographical notes on the members of the Board of Directors are provided below, showing that they have adequate professional competence in the areas of banking, finance, legal, corporate, tax, organisational-IT and risk management:

Massimo Tononi – Chairman of the Board of Directors: he graduated in Business Economics from the Bocconi University in 1988. Until 1993, he worked at the London office of Goldman Sachs, dealing mainly with business mergers and acquisitions. In 1993 he became Assistant to the Chairman of IRI, later returning to Goldman Sachs in 1994 where he became Partner Managing Director, first at the Milan office and then in London. In 2006 he was appointed Under-Secretary of State in the Italian Ministry for the Economy and Finance, with duties regarding the public debt and State-owned companies. He returned to Goldman Sachs in 2008, where he stayed for another two years. He has been Chairman of Borsa Italiana (2011-2015), Cassa di Compensazione e Garanzia (2013-2015), Euro TLX (2013-2015), Banca Monte del Paschi di Siena (2015- 2016), Prysmian (2012- 2018), Istituto Atesino di Sviluppo (2012-2018), Cassa Depositi e Prestiti (2018-2019), Vice Chairman of ABI (2016), Director of the London Stock Exchange Group (2010-2015), Mittel (2010- 2014), Sorin (2010-2015), Italmobiliare (2014-2018), Il Sole 24 Ore (2016-2018) and Mediobanca (2017- 2018), as well as a member of the Italian Corporate Governance Committee (2011-2020), of which he is currently President. He is also Vice

Chairman of the Board of Directors of the Italian Banking Association, director of Zambon S.p.A., member of the Board of Directors of FeBAF - Federation of Insurance Banks and Finance, as well as a member of the Board of Directors of Assonime. He has been a Member of the Board of Directors of Banco BPM S.p.A. since 28 February 2020 and has been Chairman of the Board of Directors since 4 April 2020.

Maurizio Comoli – Vice Chairman of the of Board of Directors: he is full professor of Business Economics, teaches General and Applied Accounting and Corporate Valuation at the Piemonte Orientale University, and was previously a lecturer and researcher with the Bocconi University in Milan; he is also a chartered accountant and auditor. From February 2005 to June 2007 he held the office of Acting Vice Chairman of the former BPVN; from July 2007 to November 2011 he held the office of Vice Chairman of the Supervisory Board of Banco Popolare and held the position of Vice Chairman of the Board of Directors from November 2011 to 31 December 2016. He was the Chairman of the Chamber of Commerce, Industry, Crafts and Agriculture of Novara and member of the Executive Committee of the European Association of Cooperative Banks (EACB), Chairman of the Board of Directors of Vera Assicurazioni S.p.A. and Vera Protezione S.p.A. He has held and still holds numerous corporate offices and is a member of the supervisory board of major companies (including Sisal and Mooney). He is currently Chairman of the Board of Statutory Auditors of the Interbank Deposit Guarantee Fund (FITD), Director of the Italian Banking Association, Director of the European Institute of Oncology and holds the following positions: Chairman of the Board of Statutory Auditors of Mirato S.p.A. and of MIL MIL 76 S.p.A., Standing Auditor of Herno S.p.A. and Montura S.r.l. and Chairman of the Board of Statutory Auditors of DEA Capital S.p.A. From 1 January 2017 until 4 April 2020 he was Vice Chairman of the Board of Directors of Banco BPM S.p.A. and from 10 January 2017 until 4 April 2020 member of the Executive Committee; he has been a Member of the Board of Directors of Banco BPM S.p.A. since 4 April 2020 and from 7 April 2020 to 20 April 2023 was a member of the Internal Control, Risks and Sustainability Committee. Since 20 April 2023 he has been Vice Chairman of the Board of Directors of Banco BPM S.p.A. and since 26 April 2023 a member of the Internal Control and Risk Committee.
Giuseppe Castagna – Chief Executive Officer: from 21 January 2014 to 31 December 2016 he was Chief Executive Officer and General Manager of Banca Popolare di Milano S.c. a r.l. He also held significant management positions at Intesa Sanpaolo banking group, where he worked from 1981 to 2013. More specifically, since 1999 he has held the position of Head of the Large Corporate Service in Central Management first in Comit with the position of Co- General Manager of Central Management (April 1999), then in Intesa BCI following the merger between Banca Intesa and Comit in April 2001; in 2003, he became the Manager of the Large Corporate and Structured Finance Service Department of the Corporate Division of Intesa Sanpaolo S.p.A.; from 2005 to 2009, he acted as Manager of the Large and Mid Corporate Department of the Corporate Division of Intesa Sanpaolo S.p.A.; in 2008, he was Coordinator of the Foreign Network Department of the Corporate and Investment Banking Division of Intesa Sanpaolo S.p.A.; in 2009, he was in charge of Corporate Relationship Management in the Corporate and Investment Banking Division of Intesa Sanpaolo S.p.A.; between 2009 and 2013, he served as Regional Director for Campania, Basilicata, Calabria and Apulia, and General Manager at Banco di Napoli S.p.A. (760 Branches) becoming, in addition, from 2011, Regional Director of Sicily (940 Branches); from 2012 to 2013 he took over the management of the Banca dei Territori Division of the Intesa Sanpaolo Group, reporting directly to over 20 Group Network Banks and approximately 47,000 employees and held the position of General Manager of the Intesa Sanpaolo Group (maintaining ad interim the General Management of Banco di Napoli). Furthermore, he held the following offices between 2003 and 2013: Member of the Board of Directors and member of the Executive Committee of Mediofactoring S.p.A.; Administrateur of the Société Européenne de Banque S.A. Luxembourg; Member of the Board of Directors and of the Executive Committee of Società Leasint S.p.A.; Member of the Management Committee of SRM - Studi e Ricerche per il Mezzogiorno; Member of the Board of Directors of Banco di Napoli S.p.A.; Member of the Board of Directors of IMI Fondi Chiusi SGR S.p.A.; Chairman of the ABI Regional Commission of Campania; Member of the Board of Directors of Intesa Sanpaolo Private Banking S.p.A. and Member of the Board of Directors of Agriventure S.p.A. He has been a Member of the Board of Directors of Banca Aletti S.p.A. since April 2018 to April 2024; he has been Director of the Italian Banking Association (ABI) since July 2018. He has been Chief Executive Officer of Banco BPM S.p.A. since 1 January 2017. In 2020, he was appointed Cavaliere del Lavoro [Knight of Labour] by the President of the Republic, Sergio Mattarella. In December 2021, he was awarded with the Ambrogino d'Oro - Merit of the Municipality of Milan.
Mario Anolli – Member of the Board of Directors and Chairman of the Nomination Committee: since

2004, he has been a Full Professor of Economics of Financial Intermediaries at the Banking, Financial and Insurance Sciences Faculty of the Università Cattolica del S. Cuore in Milan. He was Dean of the Faculty between 2006 and 2014. From January 2014 to December 2016 he served as Chairman of the Management Board of Banca Popolare di Milano. He was Chairman of the Board of Directors of Prelios SGR from April 2017 to February 2019, as well as Vice Chairman of the Board of Directors of Società Gestione Servizi BP, a company operating in the field of IT for finance, from March 2017 to February 2019. He has also held the following positions: Member of the Academic Senate of the Università Cattolica del Sacro Cuore in Milan (2006-2014); Member of the Management Board of Fondo Famiglia Lavoro, Milan Diocese; Head of the PrevidSystem and Giustiniano di Intesa Previdenza SIM S.p.A. Public Pension Funds of the Intesa Sanpaolo Group (2007 to 2013); Member of the Board of Arbitration of Borsa Italiana S.p.A. (2007 to 2013); Member of the Committee of Wise People of MTS (2011 to 2013); Independent member of the Board of Directors of Credito Artigiano S.p.A., Credito Valtellinese Group (Member of the Remuneration Committee and, subsequently, of the Internal Controls Committee and the Supervisory and Control Body pursuant to Italian Legislative Decree no. 231/2001) (2008 to 2012); Member of the Board of Directors of Credito Valtellinese S.c.p.A., as well as Chairman of the Internal Control Committee and of the Supervisory and Control Committee pursuant to Italian Legislative Decree no. 231/2001 (April 2012 to January 2014). He is currently a Board Member of the insurance company Vera Vita S.p.A., of which he was Chairman from April 2018 to December 2023. He has been a Member of the Board of Directors of Banco BPM S.p.A. since 1 January 2017, he was the Chairman of the Internal Control and Risk Committee and Vice Chairman of the Related Parties Committee from 10 January 2017 until 4 April 2020, Vice Chairman of the Charitable Donations Committee from 10 February 2017 until 4 April 2020; from 7 April 2020 until 20 April 2023 he was a member of the Internal Control, Risks and Sustainability Committee and from 26 April 2023 has been Chairman of the Appointments Committee and member of the Internal Control and Risk Committee.

Paolo Boccardelli – Member of Board of Directors and Chairman of the Related Parties Committee: he graduated in Business Administration from Luiss University in 1995, he obtained a PhD in Management in 2000. He has been Full Professor of Economics and Business Management and Business Strategies at Luiss University since 2004, where he is also Chairmen of the Research Centre in Strategic Change — Franco Fontana, of which he has been also Director. He has been appointed as Dean and member of the Board of Director since June 26, 2024. He is chairman of the Supervisory Board and founding member of the "Living in the Community" Political School. He was director of the Luiss Business School from 2015 to 2022. His previous offices included: Director of UBI Banca, of Energee3 S.r.l., Director of AACSB (US); CEO of Luiss Business School BV (NL); Director of Amsterdam Fashion Academy BV (NL); Chairman of the Supervisory Commission on Professional Football Clubs; member of the table on Governance for the reform of the Football System at the Italian Football Federation (FIGC); Independent Director of the Board of Directors of Replycare; Member of the Board of Directors of L. Com, Member of the Board of Directors, Chairman of the Related Parties Committee and member of the Control and Risks Committee of TIM S.p.A. He has received several awards and recognitions from the Academy of Management (2009-2011), participated as a speaker at numerous international conferences on topics such as strategy, innovation, digital and IT, video entertainment and business model innovation. He has published several articles and volumes and participated in many consulting and research projects at the Luiss Business School. He is currently Chairman of BDV Consulting S.r.l. He is Chairman of the supervisory Board of the Foundation "Nuovo Millennio" and member of the Board of Directors of the Human Age Institute Foundation (ManpowerGroup). Since 20 April 2023, he has been a member of the Board of Directors and since 26 April 2023 Chairman of the Related Parties Committee of Banco BPM S.p.A.
Paolo Bordogna – Member of Board of Directors: over 30 years of consulting experience in various countries (Europe, South America and the Middle East) with an active role in many projects (turnaround, acquisitions, mergers). After an MBA from the Wharton School, he worked for 14 years in the French and Italian offices of the Boston Consulting Group (1986-1999), where he developed and managed the Financial Services practice, which has become one of the largest of such offices. He worked in the Italian, Russian and French offices of Bain and Company (from 2002 to 2019), where he held the following roles: Country Manager Servizi Finanziari Italia; Financial Services Practice Leader EMEA (Europe, Middle East and Africa); Key Account Manager for large financial services customers in Russia, Italy, Greece and France. He has been active in several restructuring programmes of European banks in difficulty and is an expert in M&A and risks. In particular, he was an advisor to the Bank of Greece (for 18 months) and to the Hellenic Financial Stability Fund (HFSF) for the restructuring and recapitalisation programme of the Greek banking sector and played

an active role in the restructuring of some Italian banks in difficulty. He is the author of the report "Policies and procedures necessary to ensure effective asset management and recovery" prepared by Bain for the Bank of Greece in 2012. He has gained a long experience in the restructuring of Non-Performing Loans, working for several European institutions and playing an active role for Italian banks, European institutions and has collaborated on Bain's global report on "Restoring Financing and Growth to SME's". He was appointed Independent Director of Ubi Banca and member of the Risk Committee (2019-2020). From 2000 to 2002 he was CEO of Sapient Italy digital/IT. In the period from 2018 to 2022, he was director and CEO of Persico Marine – a leading global company that builds bespoke sailing yachts for the most renowned regatta teams and private owners in the world, including the Prada-Pirelli Luna Rossa Challenge for the 2021 America's Cup in Auckland. He is currently Vice Chairman and Executive Director of the Fondazione Centro Velico Caprera, with which he has collaborated since 2013; he is also a Director of Bracca S.p.A. and Fonti Pineta S.p.A. He has been a member of the Board of Directors of Banco BPM S.p.A. since 20 April 2023 and a member of the Internal Control and Risk Committee and the Renumeration Committees since 26 April 2023.

Nadine Farida Faruque – Member of Board of Directors: she graduated in 1987 from the University of Bern School of Law with the title of Fuersprecher (barrister) and obtained her specialisation in 1990 at Duke University School of Law (North Carolina): LLM (Master of Laws) and was admitted to the Swiss Bar Association in November 1987 and the New York Bar Association in 1991. She began her career in private practice in 1990 as an associate at Reid & Priest in the M&A department in New York, before joining Baer & Karrer in Zurich, Switzerland, in September 1992, where she held the role of senior associate, partnerelected and covered M&A, capital markets, banks and financial institutions. In March 1998, she joined Merrill Lynch International in London, where she held various senior roles in the Office of General Counsel, including that of General Counsel and Head of Continental Europe. In October 2008, she took on the role of General Counsel and Group Compliance Officer of the Unicredit Group, where she was a member of the Management Board (CEO office) of the Unicredit Group and of the Group Executive, Group Risk and Group Credit committees, before joining Deutsche Bank AG Frankfurt in December 2014 as Global Head of Compliance, where she was a member of the Group Executive Committee, Group Risk Committee, Group Reputational Risk Committee and Global Incident Management Committee. After leaving Deutsche Bank, she was a member of the Supervisory Board and the Risk Committee of Luminor AB from January 2019 to July 2019 and was an industrial advisor to EQT Partners. She is currently an independent director of Lottomatica Group S.p.A., where she also holds the position of Chairman of the Appointments and Remuneration Committee and is a member of the ESG and Related Parties committees. Since 4 April 2020, she has been a member of the Board of Directors of Banco BPM S.p.A., where she has been a member of the Internal Control, Risks and Sustainability Committee from 7 April 2020 to 20 April 2023 and is currently a member of the Internal Control and Risk Committee since 26 April 2023.
Paola Ferretti – Member of Board of Directors: graduated in Economics and Business from the University of Pisa in 1993, she then obtained a PhD in Financial Institutions and Business. She is an associate professor of Economics of Financial Intermediaries at the Department of Economics and Management of the University of Pisa. She is also a lecturer in banking at the same Department and the author of numerous national and international publications on research topics in the banking sector, including risk management, sustainability (ESG, climate risk), digital transformation, corporate governance, supervisory frameworks and intellectual capital. She was a member of the Board of Statutory Auditors (2021-2022) and Board Member (2022-2023) of BCC Pisa e Fornacette (ICCREA Group) and, previously (2019-2021), a member of the Board of Auditors of the Supervisory Board of the Cassa di Risparmio di Lucca Foundation. Since 20 April 2023, she has been a member of the Board of Directors of Banco BPM S.p.A. and since 26 April 2023, member of the Related Parties Committee.
Marina Mantelli – Member of Board of Directors: she graduated in Foreign Languages at IULM Libera Università di Lingue & Comunicazione, she obtained the Master's Degree in Business Management at SDA Università Commerciale Luigi Bocconi, gaining important experiences in the bancassurance of various insurance banking companies, also on an international level. During her career, in particular, the work experiences carried out in the following companies are highlighted: Montedison (1982-1984): Financial Planning Manager; Standard Chartered Bank (1984- 1987): Account Officer; McKinsey & Company Inc: first as a consultant (1987-1991) and subsequently (1995-1996) with the position of European Insurance Practice Coordinator; Korn Ferry International (1992-1994), head hunting company: consultant with the role of Consultant for recruiting projects and resource evaluation; Lloyd Italico of the Royal Sun Alliance

Group (1996- 2001), where she held various positions, most recently, as General Manager of Lloyd Italico Assicurazioni and Lloyd Italico Vita, as well as Director. From 2001 to 2004 she held the position of Commercial Director of Lloyd Adriatico of the Allianz Group. Subsequently, Head of the Insurance Business Unit of Banca Lombarda (2005-2006), she was then transferred to UBI (2007) and was a Director of UBI Assicurazioni and UBI Broker (2007). From 2007 to 2011, in Crédit Agricole she was Chief Executive Officer and Board Member of the non-life start-up Crédit Agricole Assicurazioni. She had the role of General Manager of CreditRas Assicurazioni of Allianz Italia (2011-2018) and Board Member (2011-2015). From 2018 to April 2020, she was a member of the Board of Directors of Intermonte Holding S.p.A.; from July 2022 to December 2023, she was Director and a member of the Risk Control Committee of Banco BPM Assicurazioni S.p.A. Since April 2020 she has been a member of the Board of Directors of Banco BPM S.p.A. and member of the Appointments Committee. Since July 2022, she has also been a Director and member of the Control and Risk Committee of Banco BPM Vita S.p.A. and since April 2023 she has been Chairman of the Remuneration Committee. Since December 2023, she has been a Director and member of the Control and Risk Committee of Vera Vita S.p.A.

Chiara Mio – Member of Board of Directors: full professor at the Venice School of Management of the Ca' Foscari University of Venice. She is a chartered accountant and sits on the board of IFAC (International Federation of Accountants). From 2009 to 2014 she was the Rector's delegate for Environmental Sustainability and Social Responsibility. She focuses on research in the areas of sustainability and corporate governance systems. In 2017 she was awarded the "Woman of Excellence" award by AIDDA Friuli-Venezia Giulia. From 2014 to 2022, she was Chairman of Crédit Agricole FriulAdria S.p.A. and chaired the sustainability committees of Atlantia S.p.A. and Benetton Group. She is currently Chairman of the Board of Directors of Aquafil S.p.A. as well as a Director of OVS S.p.A., and of Sofidel S.p.A. Since 20 April 2023 she has been a Board Member of Banco BPM S.p.A. and since 26 April 2023 a member of the Appointments Committee and of the Sustainability Committee.
Alberto Oliveti – Member of Board of Directors: he graduated in Medicine in 1980 and specialised in Paediatrics in 1984 at the Faculty of Medicine and Surgery of Ancona. In 1990 he joined ENPAM as a consultant for General Medicine and was later elected Board Member (1995); he held the position of Deputy Vice Chairman from 2010 to 2012 and Chairman of the Board of Directors from 2012 to date. He was also Chairman of ENPAM Real Estate from 2011 to 2017. He was appointed Chairman of the Shareholders' Meeting and of the Advisory Committee of the Hippocrates Fund (2012), of the ANTIRION RETAIL fund (2014), of the ANTIRION GLOBAL and ÆSCULAPIUS fund (2016) and of the Living 2.0 Fund (2022). He was also a Director of F2I SGR S.p.A. from 2019 to 2020, a member of the executive committee and the steering committee of the COIMA ESG CITY IMPACT FUND in 2022. He is also currently Chairman of AdEPP - Association of Private Welfare Bodies (since 2015) and director of REAM SGR S.P.A. (since 2022) and independent director of Garofalo Health Care S.p.A. (since 2024), in addition to being a member of the Strategic Advisory Board of Nextalia SGR S.p.A. He was awarded the Order of Merit of the Italian Republic 5th Class / Knight in 2016 and the Order of Merit of the Italian Republic 3rd Class / Commander in 2017. He has been a member of the Board of Directors of Banco BPM S.p.A. since 20 April 2023 and a member of the Sustainability Committee since 26 April 2023.
Mauro Paoloni – Member of the Board of Directors: Full Professor of Business Economics at Roma Tre University and a practising business consultant, providing advisory services on finance, accounting, extraordinary transactions and corporate crisis management, as well as company valuation services. He was Vice Chairman of the Supervisory Board of Banca Popolare di Milano from 2013 (where he had been a Member of the Supervisory Board and Member of the Internal Control Committee since 2011) until 31 December 2016. He has been a Member of the Interbank Deposit Protection Fund since 2017. He became a Member of the Board of Directors of the Italian Banking Association in early 2017. He was Chairman of the Board of Directors of Bipiemme Vita S.p.A. (Covea Group) from 2014 to July 2022 and of Bipiemme Assicurazioni S.p.A. from 2017 to July 2022; following the acquisition of the two insurance companies by Banco BPM, he was Chairman of the Board of Directors of Banco BPM Vita S.p.A. and Banco BPM Assicurazioni S.p.A. from July 2022 to April 2023; from 2011 to the end of 2022 he was Chairman of the Board of Statutory Auditors of Grottini S.r.l.; Since May 2021, he has been Chairman of the Board of Auditors of the Italian Federation of Pharmacists' Associations (Federazione Italiana degli Ordini dei Farmacisti); since July 2022 he has been Chairman of the Board of Auditors of the Istituto Superiore di Sanità. HE was Chairman of the Board of Auditors of the National Association of Italian Municipalities (Associazione Nazionale Comuni d'Italia), member of the Board of Auditors of the Italian Medicines Agency (Associazione Italiana del Farmaco) and is still a member of the Board of Auditors of the Superior Council of the Judiciary. Since

December 2019, he has been Chairman of the Board of Statutory Auditors of IRCCS "L. Spallanzani" in Rome. From 2012 to 2016, he served as a statutory auditor of Banca Akros S.p.A. He was Chairman of the Board of Statutory Auditors of Credsec S.p.A. between 2004 and 2016, which already operated in the credit sales market. In the past, he held numerous offices, among which the following are mentioned: Chairman of the Board of Statutory Auditors of Hegemon S.p.A. (2010-2012); Strategic Consultant at the Italian Ministry of Economic Development (2009-2010); Chairman of the Board of Statutory Auditors of the Policlinico Tor Vergata Foundation in Rome (2008-2014); Chairman of the Board of Statutory Auditors of Cofiri SIM S.p.A. (Capitalia Group) (2004-2011); Standing Auditor of Unicredit Banca di Roma S.p.A. (2008-2011); Independent director and member of the Internal Control Committee of Servizi Italia S.p.A., a company listed on the Italian Stock Exchange (2007- 2014); Strategic Consultant to the Italian Ministry of Education (2006-2008); Independent Director and Chairman of the Supervisory Board of Selex Sistemi Integrati (Finmeccanica Group Company) (2006-2011); Standing Auditor of Banca di Roma S.p.A. (2000-2008); Standing Auditor of the Italian Medicines Agency (Agenzia Italiana del Farmaco) (2015-2017); member of the Supervisory Board of Banca Popolare di Mantova (2013-2017); member of the Supervisory Board of Profamily S.p.A. (2012-2017); Chairman of the Board of Statutory Auditors of Cofiri S.p.A. (Capitalia Group) in liquidation (2008-2016). He is currently a Director of Unione Fiduciaria S.p.A., Chairman of Banca Akros S.p.A. and Oaklins Italy S.r.l. and Sole Auditor of Connect – Ingegneria e Digitalizzazione. From 1 January 2017 until 4 April 2020 he was Vice Chairman of the Board of Directors of Banco BPM S.p.A., from 10 January 2017 until 4 April 2020 member of the Executive Committee and from 27 March 2018 until 4 April 2020 Member of the Charitable Donations Committee. From 4 April 2020 to 20 April 2023 he was Vice Chairman of the Board of Directors of Banco BPM, from 7 April 2020 to 20 April 2023 he was a member of the Appointments Committee. He has been a member of the Board of Directors since 20 April 2023 and a member of the Remuneration Committee since 26 April 2023.

Eugenio Rossetti – Member of the Board of Directors and Chairman of the Internal Control and Risk Committee: he graduated in Mechanical Engineering at the University of Rome, he possesses solid distinctive managerial skills in banking. In particular, he has had professional experiences in the following companies: Istituto Mobiliare Italiano (1982-1994), where he held several positions, most recently as Head of Regional Area; IMI Bank (LUX) SA (1994-1998) holding the office of General Manager & Member Executive Committee; San Paolo IMI (1999-2006), where he held several positions both in Italy and in the United Kingdom, including the office of Chief Manager for Europe and Head Credit (Italy); Intesa Sanpaolo (2007-2017) holding the role, since 2008, of Chief Lending Officer and Chairman of the Credit Committee. From 2008 to April 2020, he held several positions as director in companies belonging to the Intesa Sanpaolo Group. Since 2018, he has held administrative positions in the Tinexta Group (heir to the Tecnoinvestimenti Group), a dynamic and rapidly expanding group that operates in three business areas: advanced services for identity and digital certification, cybersecurity, digital marketing and access to financing for innovation and internationalization: he was a member of the Board of Directors Inforcert S.p.A. until September 2024 and is currently a member of the board Director of Tinexta S.p.A., Ascertia Limited and ABF Group S.A.S. Since January 2023 he has also held the position of Chairman of the Investment Committee of Azimut Private Capital Management S.a.r.l. and since September 2024 he has been a senior advisor to New Deal Advisors S.p.A. Since 4 April 2020 he has been a member of the Board of Directors of Banco BPM S.p.A., from 7 April 2020 to 20 April 2023 he was Chairman of the Internal Control, Risks and Sustainability Committee and since 26 April 2023 he has been Chairman of the Internal Control and Risk Committee.
Manuela Soffientini – Member of the Board of Directors and Chairman of the Remuneration Committee: graduated in economics from the Università Cattolica del S. Cuore in Milan in 1983, she began her professional career as a product manager for Perlana and Dixan Powder at Henkel Italia in 1984, where she stayed until 1990; from 1990 to 1997, she was marketing manager and marketing director at Nuova Forniera, a company operating in the food & snacks sector; from 1997 to 2000, she served as consumer manager in the lamps and batteries department of Philips Lighting; from 2001 to October 2008 she was CEO of Philips DAP Italy; from 2008 to 2012, she served as CEO of Philips Consumer Lifestyle in Italy, Greece and Israel, where she was responsible for the small appliances and consumer electronics division; on 1 March 2008, she became a Member of the Board of Directors of Philips S.p.A.; between 2012 and 2016, she served as an Independent Member of the Board of Directors of Pirelli and a Member of the relative Strategy and Remuneration Committees; she was an Independent Director of Geox S.p.A. from April 2016 until April 2019 and a Member of its Control and Risks Committee. From June 2016 to June 2021, she was Chairman of Confindustria Applia Italia Associazione; from March 2022, she has also been an Independent Director of Brembo S.p.A. From April to December 2016 she was a member of the Supervisory Board of Banca Popolare di Milano s.c. a r.l. She has been a Member of the Board of Directors

of Banco BPM S.p.A. since 1 January 2017, was Vice Chairman of the Remuneration Committee from 10 January 2017 until 4 April 2020, and has been Chairman of the Remuneration Committee since 7 April 2020. Since 2012 she has been President and Chief Executive Officer of Electrolux Appliances Spa and since 1 January 2021 she has been Chairman of the Board of Directors of Electrolux Italia S.p.A.

Luigia Tauro – Member of the Board of Directors and Chairman of the Sustainability Committee: she graduated in Computer Science at the University of Bari, received an MBA at the business school of the Milan Polytechnic, and has gained important experience on both the managerial and business front in the fintech and digital banking fields. In particular, she has had professional experiences in the following companies: Olivetti (1986-1997), where she held several positions until she became Research and Development Manager; Banca del Salento (1999-2001) with the position of Head of WEB Strategies; Monte dei Paschi di Siena Group (2001-2013), holding the following positions: until 2008 Head of ICT Governance and ICT Program Management Office, from 2008 to 2011 Deputy Manager of Retail Sales Department and, lastly, Head of CRM (2011- 2013). She was a Director at ABI LAB (2002-2007), Research and Innovation Centre for the Bank promoted by ABI, contributing to its foundation; Docutel, joint venture between Banca Monte dei Paschi di Siena and Postel (2003-2007), ASP City of Siena (2014-2018). From 2014 to 2022, she was a lecturer at Università Cattolica del Sacro Cuore in Milan in IT Strategy & Innovation for Finance. In 2017 she founded "Prevention for You", of which she is Sole Director, a tech-ed company that offers digital and advanced analytics services to companies and supplementary health funds to promote health and prevention. Since 4 April 2020, she has been a Director of Banco BPM S.p.A., from 7 April 2020 to April 2023 she was a member of the Internal Control, Risks and Sustainability Committee, and from 26 April 2023 she has been Chairman of the Sustainability Committee and a member of the Related Parties Committee.

6.2 ROLE OF THE BOARD OF DIRECTORS

Pursuant to article 24.1. of the By-Laws, the Board of Directors is also responsible for the strategic supervision and management of the company, to be conducted also with a view to sustainable success, understood as the creation of long-term value to the benefit of shareholders, taking into account the interests of other stakeholders relevant to the Company. For this purpose, the Board of Directors may take all required actions, which it deems necessary, useful or appropriate to implement the corporate purpose, relating to both ordinary and extraordinary administration, and has the right to permit the release or reduction of mortgages even if they have not been fully paid off, including through authorised parties if necessary.

The directors will have to inform the Board of Directors and the Board of Statutory Auditors of any interests that, on their own account or on behalf of third parties, they have in a given transaction of the Company, indicating the nature, terms, origin and extent of the interest; if the Chief Executive Officer is involved, he/she must refrain from undertaking the transaction entrusting it to the Board.

In accordance with the below, the Board of Directors will delegate the daily management of the Company to the Chief Executive Officer who will exercise it in accordance with the general planning and strategic guidelines established by the Board of Directors.

In addition to the matters that cannot be delegated in accordance with the law, and those listed in article 23.5. of the By-Laws, and subject to the authority of the Shareholders' Meeting, the following are reserved to the Board of Directors and cannot be delegated (except for the provisions of article 28.3 in relation to the matters pursuant to letters p), q) and y)):

(a) approval of the business model, general planning and strategic directions and guidelines, risk objectives and governance policies, and management of risks related to the Company and the Group, as well as their periodic review to ensure their effectiveness over time;
(b) the decisions provided for under article 3.3 of the By-Laws;
(c) the industrial and financial planning, the approval of the budget of the Company and the Group, the definition of the geographic structure of the territorial Departments and the approval of the expansion plans of the territorial networks (including any general variations) of the Company and the Group;
(d) the definition and approval: (i) of the Risk Appetite Framework; (ii) the guidelines of the internal control system, so that the main risks relating to the Company and its subsidiaries and to the most significant transactions are correctly identified, as well as adequately measured, managed and monitored, also establishing criteria relating to the compatibility of said risks with the sound and correct management of the Company; the Board of Directors is also responsible for approving (i) the establishment of internal control functions, assigning the relative tasks, responsibilities as well as the procedures for the coordination and collaboration of the same, the information flows between functions and between the latter and corporate bodies; (ii) the approval process for new products and services, the implementation of new activities, the entry into new markets; (iii) company policies regarding the outsourcing of company functions; (iv) the adoption of internal risk measurement systems. The Board of Directors will also carry out all other duties it has been assigned by the prudential supervisory provisions regarding the internal control system in effect;
(e) the assessment, at least on an annual basis, of the adequacy, effectiveness and actual functioning of the internal control system;
(f) the assignment of specific positions or powers to one or more Board Members and the determination, amendment or removal of their powers, including the appointment and removal of the Chief Executive Officer and the attribution, amendment or removal of his/her powers;
(g) upon proposal by the Chief Executive Officer, in agreement with the Chairman of the Board of Directors, the appointment, removal or replacement of the General Manager and the Co-General Managers, the determination or change of the powers, functions and duties of the General Manager and the Co-General Managers and the determination of the salary package, and on proposal of the Chief Executive Officer, the appointment of senior operational and executive managers of the Company and the determination of their powers and salary packages. The Board of Directors ensures an effective dialogue with the managers of the main

company functions and verifies the choices and decisions made by them over time;

(h) the adequacy assessment and approval of the organisational, administrative and accounting structure of the Company and the approval of the corporate governance structure of the Company and the Group and the reporting systems;
(i) the determination of the criteria for the coordination and guidance of the Group companies and the criteria for the implementation of the instructions issued by the Bank of Italy and any other competent Supervisory Authority;
(j) based on the prior mandatory non-binding opinion of the Board of Statutory Auditors, the appointment and revocation of the Financial Reporting Manager, pursuant to article 154-bis of Legislative Decree no. 58 of 24 February 1998 and determination of the associated powers, resources and compensation;
(k) subject to the provisions of letter (l) below, the appointment and removal of the function managers, carried out on the back of legal or regulatory provisions;
(l) upon proposal of the Internal Control, Risks and Sustainability Committee (now Internal Control and Risk Committee), based on the prior mandatory non-binding opinion of the Board of Statutory Auditors, the appointment of the Compliance Manager and the Risk Manager, the Anti-Money Laundering Manager and the Internal Validation Manager as well as the Internal Audit Manager, who will be under the direct authority of the Board of Directors, to which s/he will report, after informing the Chairman of the Board of Directors, notwithstanding the fact that the Chief Executive Officer will be the Director in charge of the internal control and risk management system;
(m) drawing up the draft separate and consolidated financial statements and the drafting and approval of the interim reports provided for under prevailing laws;
(n) the acquisition and sale of shareholdings held in Companies that involve changes in the Group and/or those that have strategic significance and in any case those with a value of at least 5% of the consolidated regulatory capital of the Group;
(o) delegated share capital increases in accordance with article 2443 of the Italian Civil Code, and the issue of delegated convertible bonds in accordance with article 2420-ter of the Italian Civil Code, including the right to make decisions by excluding or limiting the option rights pursuant to the fourth and fifth paragraph of article 2441 of the Italian Civil Code;
(p) approval: (i) of the bond and other financial instrument issuing programmes; (ii) of the individual Company participating in guarantee and placement consortia, all in accordance with the applicable internal regulation;
(q) approval of collective labour and corporate contracts and other agreements with the trade unions;
(r) the duties of the Board of Directors pursuant to articles 2446 and 2447 of the Italian Civil Code;
(s) the preparation of merger and demerger projects;
(t) the approval and amendment of a Regulation governing the flow of information;
(u) the adoption, annulment or amendment of internal procedures that, in the immediate implementation of laws or regulations relate to the prevention or governance of cases of conflict of interest, with the ability to make exceptions, inter alia, in urgent cases;
(v) the appointment of candidates to act as company representatives (including the members of the general management) of the banks controlled by the Group and the main non-banking subsidiaries of the Group, and the indication of their salaries;
(w) participation in, and the determination of the vote to express in, the shareholders' meetings of the subsidiary banks and the main non-banking subsidiaries of the Group, and the prior agreement to any changes to the By-Laws of the Group companies, when the decision is the responsibility of another body besides the Shareholders' Meeting, and approval of the exercise of the option rights relating to capital increases of the subsidiary banks and the main non-banking subsidiaries of the Group; the approval of the changes to the rules of the investment funds or similar legal entities subscribed to by the Company;

(x) the approval of proposals to call Shareholders' Meetings to amend the By-Laws;
(y) approval and amendment of internal regulations, including a policy for the promotion of diversity and inclusion;
(z) appointment of the members of the bodies of the territorial Foundations set up in accordance with article 5 of the By-Laws;
(aa) decisions concerning the alignment of the By-Laws with regulatory provisions;
(bb) supervision of the process to disclose information to the public and the communication process of the Company;
(cc) regulation of the selection processes for the members of the territorial consultation committees, which, where established, will have merely advisory functions, corresponding to or within each territorial Department;
(dd) the adoption, with appropriate instruments, of measures to facilitate attendance by the shareholder-employees and the small shareholders at shareholders' meetings, by themselves, or through proxies;
(ee) the approval, review and update of the recovery plan, as well as its amendment and update at the request of the supervisory authority;
(ff) the adoption, at the request of the supervisory authority, of changes to be made to the activity, organisational structure or corporate form of the Company or Group, and other measures necessary to achieve the objectives of the remediation plan, as well as the elimination of the causes that form a prerequisite for early intervention;
(gg) the decision to adopt a measure set forth in the recovery plan or to refrain from adopting a measure despite the circumstances.

The Board of Directors is also in charge, in accordance with article 2436 of the Italian Civil Code, of making the decisions regarding mergers in the cases provided under articles 2505 and 2505-bis of the Italian Civil Code, demergers in the cases provided under article 2506-ter, last paragraph, of the Italian Civil Code, capital reductions in the event of a shareholder withdrawing, in accordance with article 2365, paragraph 2 of the Italian Civil Code, the establishment and closure of other secondary branches besides those indicated in the By-Laws, in any case excluding the establishment of new branches or the closure of those provided for under the By-Laws.

For certain categories of legal actions and businesses, the Board of Directors may assign specific powers, in accordance with the law, to managers, heads of single branches or other staff, determining the limits and means for the exercise of such assigned powers, and providing that the authorised parties may act separately or jointly or through a committee. Unless otherwise provided for in the assignment, notifications of the decisions made by the authorised bodies will have to be given to the authorising body. Notification of the decisions made by other authorised parties must be given to the superior body in accordance with the mechanisms established in the applicable Regulation decided by the Board of Directors.

With reference to the main activities carried out by the Board of Directors during the 2024 financial year, the following should be noted in particular:

the approval of the 2025 Budget, the 2025 draft financial statements, the other accounting documents for the period and the Remuneration Report, to the extent of its competence, as well as the Consolidated Non-Financial Statement and the periodic review of the management performance;
the implementation of the project to enhance the activities of the monetics company, through the entry of Numia Group into the company structure and the start of commercial activities for the development of products and services in collaboration with the new partner;
the major valorization of a portfolio of properties owned by Banco BPM, through a securitisation transaction involving the sale of a portfolio of over 330 properties owned for non-instrumental use (the 'Square' Project);
the approval of the framework referred to Net Zero Banking Alliance (NZBA), an initiative

promoted by the United Nations with the aim of accelerating the sustainable transition and which requires participating banks to commit to aligning their lending and investment portfolios to achieving net zero emissions by 2050, in line with the targets set by the Paris Climate Agreement, with the calibration of decarburization targets set for 2030 for the 5 priority sectors: coal, automotive, cement, oil & gas, power generation;

the launch of new company, called "Banco BPM Invest SGR S.p.A.", an asset management company operating in the segment of closed-end reserved alternative investment funds, starting the activities through the conferral of the individual management mandate for the Private Markets portfolio of Banco BPM;
the approval of the credit policy framework developed in line with the guidelines declared in the Net Zero Banking Alliance context, with examination of the related periodic monitoring, the provision of loans and the periodic analysis of the Bank's loan portfolio with a focus on Non-Performing Exposures;
approval of specific finance transactions, including the issue of 1 Green Bond and no.1 Social Bond, which the income has been allocated to the financing and/or refinancing of Eligible Green Loans, no.2 Covered Bonds, no. 2 Tier, no. 2 Bonds, no. 1Additional Tier no. 1 Bond, as well as some synthetic asset securitization transactions/restructurings.
the progressive implementation of the Risk Appetite Framework in line with the new financial conglomerate structure also aimed at implementing what emerged from the continuous dialogue with the main internal stakeholders (corporate bodies and internal control functions) and external (Supervisory Authorities and main stakeholders at Group level), the six-monthly assessment of the adequacy of the strategy, risk appetite and risk management framework of the financial conglomerate with respect to the development of the group's insurance business, the periodic monitoring of the evolution of risks and risk data quality activities within the Group, as well as the management and monitoring of ICT & Security Risk;
the approval of the Reports on the Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP), as part of the periodic processes for assessing the capital adequacy and liquidity profile;
the examination of Group monitoring in the context of the Russian-Ukrainian and Middle East crises;
the periodic review of the tableau de bord and other reports prepared by the internal control functions, as well as the results of the supervisory activities of the European Central Bank, deliberating on said activities, where necessary, and monitoring the execution of the planned activities;
the approval of the Banco BPM Group's 2024-2025 training and induction plan, aimed at continuously increasing the knowledge of the representatives of the sectors of activity in which the Bank and the Group operate, as well as of the relative organisational structure, the business model, the company dynamics and their evolution also with a view to sustainable success, the reference legislative and regulatory framework, the methods for identifying, measuring and managing the risks typically associated with financial activities, as well as any other issue considered relevant to the functioning of the corporate bodies;
the approval of criteria and guidelines regarding spending and social responsibility policies for the purpose of supporting and promoting the territories and communities of reference, also through the Group's Foundations, with donations in favour of associations, schools and local bodies.

Furthermore, in the last two months of 2024, the Board was:

called upon to resolve, in the meeting of 26 November 2024, on the appointment of Mr Edoardo Faletti as the new Head of Risk Management and Chief Risk Officer (CRO) of Banco BPM with effect from 1 December 2024, replacing Dr Andrea Rovellini, who has left the position to retire;
particularly busy with the launch of a voluntary public tender offer for all the ordinary shares of Anima Holding S.p.A. promoted by Banco Bpm Vita S.p.A., together with evaluations regarding the strengthening of the product factories and with the participation in a market operation with assumption of guarantee aimed at acquiring a share in the share capital of Monte dei Paschi di

Siena S.p.A. For further information, please refer to the press releases issued by Banco BPM, available, among other places, on the website www.gruppo.bancobpm.it, in the section: 'Investor Relations > Banco BPM Vita takeover bid for Anima Holding shares';

– systematically involved in relation to the voluntary public exchange offer promoted by Unicredit S.p.A. on all the shares of Banco BPM S.p.A. For further details, please refer to the press releases issued by Banco BPM available, among other places, on the website www.gruppo.bancobpm.it, in the section: 'Press & Media'.

The Board of Directors, including through the Internal Control and Risk Committee, continuously assessed:

the adequacy of the organisational, administrative and accounting structure of Banco BPM and of strategically important subsidiaries with specific reference to the internal control and risk management system, inter alia, through (i) periodic reports by the internal control functions and the aforementioned Committee; (ii) actions of the corporate managers involved, for their respective profiles of interest; (iii) reports by the Chief Executive Officer, the Chairman of the Internal Control and Risk Committee and the Chairman of the Board of Statutory Auditors;
the general business performance, comparing the results achieved with the planned results. More specifically, the Chief Executive Officer periodically reports to the Board of Directors on the overall business performance of the Bank and the Group.

Please refer to the "Report on Operations" attached to the consolidated financial statements as at

31 December 2023 published on the Bank's website www.gruppo.bancobpm.it, under Investor Relations section for further details on the results of the activities carried out.

Finally, with regard to the sustainability topics relating to:

the roles and responsibilities of the Board of Directors in overseeing the procedures aimed at managing material impacts, risks and opportunities relating to sustainability (ESRS 2 - Par. 19, 20 letter b), 22; ESRS 2 - Appendix A - RA 3 and RA 4), please refer to the Sustainability Reporting, Section "General Disclosures", Paragraph "Role of the administrative, management and supervisory bodies";
how the Board of Directors is informed about sustainability matters and how these matters were addressed (ESRS 2 - Par. 24, 26), please refer to the Sustainability Reporting, Section "General Disclosures", Paragraph "Information provided to the company's administrative, management and supervisory bodies and sustainability matters addressed by them", as well as Paragraph "Interaction of impacts, risks and opportunities with the company's strategy and business model".

Considerations on the letter dated December 17, 2024 by the Chairman of the Corporate Governance Committee

***

At its meeting of January 21, 2025, the Board of Directors, acknowledged the letter dated December 17, 2024 by the Chairman of the Corporate Governance Committee addressed to the Chairmen of the governing bodies, and in copy to the Chief Executive Officers and the Chairmen of the control bodies of Italian listed companies, with which the Committee reported the main evidence that had emerged from the monitoring activities carried out and, in particular, the main critical issues encountered, formulating specific recommendations in this regard, aimed at strengthening the credibility of compliance with the Code as a sign of the quality of the corporate governance practices actually in place. With the letter, moreover, the Committee intended to communicate the main general directions on the application of the Code, with particular attention to the issues that had been the subject of specific recommendations in the previous letter dated 2023. In this regard, the Committee reiterated its call for an increasingly effective application of the "comply or explain" principle, noting the desirability of an increased transparency both in the practices adopted in the application of some of the Code's recommendations and in the clear identification of any deviations and explanation of the reasons for them.

As a reminder, the Committee's duties include issuing and updating the Code of Corporate Governance and periodically monitoring the status of its implementation by companies that declare

their adherence to it. With this in mind, the Committee approved an Annual Report on the Application of the Code, which reached its twelfth edition this year.

In this context, the Committee provided an overview of the current application of the Code by the issuers, highlighting the main critical issues encountered while making specific additional recommendations aimed at strengthening the credibility of adherence to the Code as a signal of the quality of corporate governance practices actually followed.

The monitoring carried out in 2024 covered the corporate governance reports reported in 2023 and published in 2024 and constitutes the third analysis of the application of the new Code. The Committee recommended that the outcomes of the analyses and in-depth studies carried out be the subject of a specific Board discussion, with the potential support of the preliminary activity of the relevant committees, in which the company's position with respect to the Committee's 2025 recommendations would be assessed and potential governance evolution initiatives would be defined. The Committee also recommended that the considerations made regarding the 2025 recommendations and any initiative taken or planned to be reported, with appropriate evidence, in the subsequent corporate governance report (this report), to enable the market to assess the evolution of the quality of governance systems and for companies to report their commitment in this regard.

The objective is to improve the transparency of governance practices with respect to the directions of the Code, to incentivize its increasingly conscious application and, more generally, to promote the evolution of corporate governance by all companies listed on the Italian regulated market according to the principles of the Code, regardless of their formal adherence to it. To this end, the letter in question was also sent to Italian listed companies that were not adhering to the Code as of December 31, 2023, and to foreign-regulated companies that have their main trading venue in Italy, in order to encourage greater convergence of the best governance practices for the latter companies listed on the domestic market.

Therefore, the "2024 Report" and the "2025 Recommendations" were submitted to the Board of Directors of Banco BPM for review in order to analyse the alignment of the company's standard practice with what was recommended and to identify any gaps in implementation or explanations provided.

In detail, the Report shows that, as of the end of 2023, 97% of Italian companies with shares listed on Euronext Milan (EXM) formally declared their adoption of the Code. The decision not to adopt is limited to a few cases and is generally attributable to smaller companies. In this regard, it should be noted that all Italian companies listed on the EXM during the last ten years have adopted the Code, with a progressive improvement in the application of the recommendations, including with regard to the Code's thematic innovations, such as adherence to sustainable success and dialogue with shareholders and other relevant stakeholders, although there is still room for improvement in the evolution of the standard practice.

The new Code, as it should be recalled, has expanded the possible implementation methods of some recommendations based on the size and ownership structure of the companies, particularly allowing in particular "non-large" companies and those with "concentrated ownership" to adopt simplified organizational and procedural solutions with respect to those envisaged for other companies.

An element of particular importance which emerged from the monitoring activity is the growing use of the flexibility and proportionality measures offered by the Code (e.g., self-assessment on a threeyear basis).

With regard to the effects of the recommendations sent in 2023, it should be noted that overall, from the analysis of the 2024 reports, it emerges that almost all of the companies that adhere to the Code (about 94%) have taken into due consideration the recommendations contained in the Committee's letter of December 14, 2023. These indications were also taken into consideration by half of the Italian companies that do not adhere to the Code (a stable figure compared to the last two years, but up from 20% in 2021), confirming the growing guidance value of the Committee's monitoring activities for all listed companies, even beyond their compliance with the Code.

With reference to the first recommendation in the 2023 Letter regarding the business plan and the Committee's request for an adequate disclosure of the board's involvement in the review and

approval of the business plan and in the analysis of issues relevant to long-term value generation, the persistence of a large area of possible improvement was noted. While the degree of adherence to the goal of sustainable success was high, the degree of board involvement with respect to the integration of sustainability factors into strategic planning was essentially stable (albeit slightly improving).

The prevalence of the practice, highlighted in the second recommendation of the 2023 Letter and repeatedly reported in the previous years, of making exceptions to the timeliness of pre-consultation disclosures for confidentiality reasons has remained largely unchanged from last year. This case history continues to be encountered in 24% of companies adhering to the Code (it was 26% in 2023 and 37% in 2022). In most cases, these are general provisions that allow the company to waive compliance with respect to notice periods when there are reasons for confidentiality or secrecy of information, sometimes even with broad formulas that include information on forward-looking data or strategic transactions, while in rare cases the issuer emerged in the ex post disclosure, i.e., acknowledging that - for confidentiality reasons - it was not possible to comply with the notice period previously identified in the rules of operation of the board and information was provided during the board meeting.

There appears to be a gradual improvement with respect to the past in the board's commitment concerning orientation on its optimal composition in non-concentrated ownership companies. This area of governance was the subject of a specific recommendation in the 2023 Letter from two perspectives: (i) the expression and timely publication of the orientation of the outgoing board in preparation for its renewal; and (ii) the requirement for those submitting a "long" list to provide adequate information regarding its compliance with the orientation expressed by the outgoing board. Concerning the first aspect, it was noted that in non-concentrated companies, which are expressly subject to the relevant recommendation of the Code, the majority of the boards issued an orientation (83% of the non-concentrated companies with renewal in 2024) and that in most of these cases (70% of the orientations issued in the non-concentrated companies with renewal in 2024) the orientation was published before the publication of the notice of the meeting. Although the timeliness of the orientations appeared to be improving compared to the data collected in 2023, it was still observed that in 2024 less than half of the orientations were actually published 30 days or more before the publication of the meeting notice (in 2023, only a quarter of the orientations in the non-concentrated companies with renewal in the same year were published 30 days or more before the publication of the meeting notice). Concerning the second aspect, the quality of the information provided in the socalled "long" lists with respect to the consistency with the guidelines expressed by the outgoing board did not appear to be substantially improving: while the majority of the lists stated that they had took into consideration the guidelines (80% compared to 75% in 2023), only one-third of these cases explicitly expressed an opinion on the "consistency" of the list with the guidelines expressed (it was about half in 2023).

With respect to the fourth recommendation stated in the 2023 Letter, concerning the reasons given by the board for the introduction of loyalty shares, there has been an improvement in compliance with the related Code recommendation with respect to the disclosure of the expected effects on ownership structure and future strategies, as well as the deliberative process.

The thorough review of the information provided in the corporate governance reports published in 2024 showed signs of improvement in several areas reported in recent years, highlighting both the long-term effectiveness of recommendations previously made by the Committee and progress in companies' gradual adherence to the new Code.

In order to consolidate current trends, the Committee felt it was appropriate to reiterate the importance of adjusting to the specific recommendations made over the past three years, where the need for further improvement was encountered.

The Committee therefore deemed it appropriate to highlight for 2025 certain cases worthy of attention (the "2025 Recommendations"), set out below, reiterating the importance of providing in subsequent reports on corporate governance and ownership structures adequate justification for any deviations from the corresponding recommendations of the Code:

− Completeness and promptness of pre-council information: the Committee drew attention to Recommendation 11 for the application of Principle IX, which stipulates that the board of directors, as part of the rules for the functioning of the board itself and its committees, in defining

the procedures for the management of disclosures, identify "the deadlines for the prior submission of disclosures and the arrangements for protecting the confidentiality of the data and information provided so as not to prejudice the promptness and completeness of the information flows" and provide adequate information "on compliance with the procedures relating to promptness and adequacy of the information provided to directors." This Recommendation is of paramount importance in ensuring the effective functioning of the board of directors, as the establishment of clear rules for timely information flow on all agenda items and their effective compliance in practice are necessary conditions for enabling directors to take the informed action that characterizes their function and responsibilities.

Therefore, the Committee invited companies to provide all relevant information on how Recommendation 11 is applied, taking into account that failure to set deadlines for the prior submission of information to the board and committees and/or failure to provide information on the actual compliance with the deadlines and/or the provision in the board regulations or adopted in practices of the possibility of derogating from the promptness of the disclosure for confidentiality reasons may constitute the disapplication of Recommendation 11 of the Code. In the event of actual disapplication, companies were therefore asked to clearly state so in the corporate governance report, explaining: the reasons for disapplication, how the decision to disapply was made within the company, and how compliance with Principle IX of the Code is to be ensured;

− Transparency and effectiveness of the remuneration policy: the Committee drew attention to Recommendation 27 regarding the policy for the remuneration of executive directors and top management in application of Principle XV, which requires, in paragraph c), that the performance objectives, to which the disbursement of variable components is linked, be "predetermined and measurable." This Recommendation is of fundamental importance in ensuring the transparency and effectiveness of the remuneration policy, as the firmness and measurability of the performance parameters of the variable components is a necessary condition for determining their weight in the overall remuneration and their functionality in achieving the company's strategic objectives.

Therefore, the Committee invited companies to provide all relevant information on how Recommendation 27 is applied, taking into account that the provision in the remuneration policy of variable components linked to generic sustainability objectives for which (i) the specific evaluation parameters are not provided and/or extraordinary one-off disbursements (ii) the nature and objectives are not identified (iii) adequate deliberative procedures are not defined, may determine the disapplication of Recommendation 27 of the Code. In case of actual disapplication, companies were asked to expressly indicate it in the corporate governance report, explaining: the reasons, how the decision to disapply was made within the company, and how it is intended to ensure compliance with Principle XV of the Code;

− Executive Role of the Chairman: The Committee drew attention to Recommendation 4 for the application of Principle V, which requires that, "in the event that the chairman is granted the office of chief executive officer or is given significant management authority, the board of directors shall explain the reasons for this choice." This Recommendation is of fundamental importance to ensure the transparency of the articulation of functions between executive and non-executive directors within the board of directors, required by Principle V, but also to ensure effective performance of the duties of the Chairman, defined by Principle X. In fact, the Code, while not recommending that the Chairman be "non-executive," attributes to him, precisely with Principle X, the role of taking care of the effective functioning of board proceedings and a liaison function between executive and non-executive directors. In the event that the Chairman assumes executive positions, either if he or she serves as CEO or if he or she is granted significant management powers, it is therefore necessary that this situation be clearly indicated and that adequate reasons be given for this choice

Therefore, the Committee invited companies to provide all relevant information on how Recommendation 4 was applied, bearing in mind that the lack of an adequately reasoned explanation of the decision to give the Chairman significant management authority (whether it being the CEO or not) may constitute a disapplication of Recommendation 4 of the Code. In the event of actual disapplication, companies were asked to clearly state this in the corporate

governance report, explaining: the reasons, how the decision to disapply was made within the company, and how it is intended to ensure compliance with Principles V and X of the Code.

That being said, it should be noted that, as a result of the examination conducted by the Board of Directors at its meeting on January 21, 2025, it emerged that Banco BPM is already substantially compliant with the 2025 Recommendations, specifying also that the relevant structures have already been involved for any further actions that may be necessary.

***

At the meeting held on January 23, 2018, the Board of Directors approved the "Regulations for the Operation and Organization of the Board of Directors and the Executive Committee and Self-Evaluation of the Board of Directors and its Committees," regulating the principles, criteria, roles and responsibilities regarding the functioning and organization of the works of the Board of Directors of Banco BPM, the self-assessment of the Board of Directors and its Committees and regarding information flows to the respective members.

Said Regulation governs also, with regard to the deadlines and the matters dealt with, the mechanisms with which the information circulates between the corporate bodies to monitor the efficiency goals of the management and effectiveness of the controls, also in line with the Supervisory Provisions of the Bank of Italy, and prevailing laws and regulations.

At the meeting of February 23, 2021, the Board of Directors approved an update to the Regulation in question - moreover, changing its title to "Regulation for the functioning and organization of the Board of Directors and for the self-assessment of the Board of Directors and its Committees" - and the related annex concerning the information flows, in order to adjust it to (i) the changes introduced by the new Code of Corporate Governance, (ii) the proposed amendments to the By-Laws relating to the validity of board meetings, approved by the Shareholders' Meeting of April 15, 2021, (iii) certain recommendations formulated by the European Central Bank, as well as to make some formal changes, including, for example, the elimination of the references to the Executive Committee and the Acting Vice Chairman, no longer provided for among the corporate bodies in the governance structure in force.

With particular reference to the system of internal controls, the relevant information flows are governed, inter alia, with special company regulations.

Banco BPM set up an effective Internal Control System to monitor the company risks incurred (please see the relevant paragraph for further information on this)

The Board of Directors, in the exercise of its management and coordination activity pursuant to articles 2497 et seq. of the Italian Civil Code and art. 61, paragraph 4, of the Consolidated Banking Law, defined, in a "Regulation for the Governance of the Banco BPM Group," the rules and procedures to be followed with respect to unified management, with specific reference to the decisions, divided by subject matter, which have to be made by Banco BPM, in its position as Parent Company, and the consequent decision-making obligations of the subsidiaries with respect to implementing them.

* * *

Self-assessment document of the Board of Directors and its Committees for the year 2024

At its meeting on March 13, 2025, the Board of Directors approved the document "Board of Directors of Banco BPM S.p.A. - Self-Assessment Document - FY 2024" in compliance with:

− the Supervisory Provisions pursuant to Bank of Italy Circular No. 285 of December 17, 2013 (First Part, Title IV, Chapter 1, Section VI);
− the recommendations of the Code of Corporate Governance for listed companies promoted by the Italian Corporate Governance Committee, which the Bank applies;
− the "Regulation on the Operation and Organization of the Board of Directors and Self-Evaluation of the Board of Directors and its Committees."

With reference to the 2024 financial year, the self-assessment is the second one conducted by the Board of Directors in office and was handled, in accordance with the aforementioned Regulation, by

the Corporate Affairs Secretariat, as indicated by the Chairman of the Board of Directors and shared by the Appointments Committee.

The self-assessment process was structured, in line with the aforementioned regulatory provisions into the following phases:

− preliminary investigation, information and data gathering, during which information, data and documentation were gathered to support the process (for example questionnaires filled out and statistical data supporting the self-assessment) were carried out, as well as the previously mentioned extensive interviews;
− processing of the data, during which the information and data gathered during the previous inquiry phase were organised;
− preparation of the results of the process during which the results were summarised and the strengths and weaknesses identified in relation to the composition and functioning of the Body;
− inspection of the initiatives taken beforehand, with a check being made on the level of implementation of the initiatives carried out as a result of the previous self-evaluation;
− collective discussion on the results of the process and preparation of any corrective measures, that led to the release of the document on the results of the self-assessment;
− approval of the document (including therein any corrective measures) by the Board of Directors.

The results of the self-assessment confirmed, in continuity with the previous year, a substantially positive picture in relation to both the composition and functioning of the Board of Directors. The responses were, on the whole, on profiles of adequacy.

There are still, however, certain limited potential areas for improvement to be placed within the framework of typical continuous improvement paradigms and alignment to best practices that characterize complex organizations, among which Banco BPM is included.

The main results are summarized below:

− opportunities for further consolidation/strengthening of the overall skills expressed by the Board of Directors through the strengthening and integration of training courses, related to the following areas: (i) business and risk metrics of the insurance industry; (ii) banking, finance and insurance industry regulation; (iii) measurement methodology in capital and profitability; and (iv) sustainability reporting.
− opportunity to devote more council time to the following subject areas:
− strategic issues;
− management, coordination and monitoring of Group Companies;
− Finance area operations;
− outsourcing policies;
− information systems, new technologies, and cyber security;
− diversity and inclusion;
− shareholder engagement.

* * *

The Shareholders' Meeting did not confer any non-competing general or prior authorizations pursuant to article 2390 of the Italian Civil Code.

6.3 MEETINGS

General criteria

In accordance with article 23.1.2. of the By-Laws, the Chairman of the Board of Directors or, in the event of his/her absence or impediment, the person replacing him/her pursuant in accordance with article 27.2. will call the Board of Directors meeting.

The Board of Directors must meet, generally, once a month and in any case any time the Chairman

of the Board of Directors considers it necessary.

A meeting of the Board of Directors may be called in the other cases provided for by law. Meetings of the Board of Directors can also be called by the Board of Statutory Auditors or its members, including individually, in the cases and using the mechanisms provided for by the legislation pro tempore in force, subject to notifying the Chairman of the Board of Directors.

On the basis of article 23.2.1, meetings of the Board of Directors shall be convened by notice, which shall include the agenda of the topics to discuss, sent - at least 3 (three) days before the meeting and, in cases of urgency, at least 12 (twelve) hours beforehand, by any means that can prove evidence of receipt - to each member of the Board of Directors and the Board of Statutory Auditors. The notice may also state the places from which members may participate by means of remote connection systems, as provided for by article 23.3. of the By-Laws. Where not formally convened, meetings which are attended by all members of the Board of Directors and the Board of Statutory Auditors in office are intended, in any case, as validly constituted and fit to pass resolutions.

Pursuant to the aforementioned article 23.3.1, except for cases in which the meeting is held exclusively using remote connection systems, at least the Chairman and the Secretary (or the notary where appointed) must be present at the place where the Board meeting is called, where said meeting shall be considered held.

In accordance with article 23.4.1 of the By-Laws, the resolutions of the Board of Directors will only be valid if the majority of its members in office attends the meeting. Without prejudice to the provisions of article 23.5 regarding decisions made by a qualified majority, decisions will be made on the basis of the absolute majority of the votes of those present.

In accordance with article 23.5.1 of the By-Laws, decisions exclusively concerning the following on a direct/indirect basis will be valid if they are made with the vote in favour of at least 11 members of the Board of Directors in office (the "Qualified Board Majority"):

(i). the approval of the Board List;
(ii). sale, transfer and disposal and restructuring actions in general (even if in one or more tranches) of companies or banking branches that have a unitary value of higher than 20% of the consolidated regulatory capital of the Company, as resulting from the most recently approved consolidated financial statements, with the exception of the cases in which the transactions result from instructions given by the Supervisory Authorities.

Number of meetings and attendance

In the period January 1 to December 31, 2024, the Board of Directors met 20 times; and the meetings lasted about 4 hours and 46 minutes on average, with 97%.attendance by Directors.

The Directors who asked were given the opportunity to attend using remote connection systems, in accordance with article 23.3.1. of the By-Laws.

During 2024 financial year, the Board of Statutory Auditors always attended the meetings of the Board of Directors (attendance of 92.73% by Statutory Auditors).

At the invitation of the Chairman, the heads of the internal control functions (and therefore the Internal Audit Manager, the Compliance Manager, the Chief Risk Officer, the Anti-Money Laundering Manager the Internal Validation Manager) as well as the Financial Reporting Manager and the heads of other corporate functions of Banco BPM attended the Board of Directors' meetings for the matters falling within their respective spheres of competence, personally or with the support of their direct collaborators, the items on the agenda proposed by the organizational units entrusted to their responsibilities, as well as to respond to requests for clarifications or clarifications from the board, thus favouring moments of direct confrontation between the Board and management.

17 meetings have been scheduled for the current year, of which 4 have already been held by the date of approval of this Report.

Prior information

The prior disclosure of the items to be discussed at board meetings is handled by the Chairman of the Board of Directors. It is an extremely significant aspect since it represents one of the basic

prerequisites to enable the Board members to have adequate prior knowledge of the topics under discussion and contribute to the debate in a proactive and effective manner so that the Board, as a whole, can make its decision in an informed manner.

In compliance with the aforementioned regulation, and also taking into account the recommendations formulated for 2025 by the Corporate Governance Committee, it should be noted that:

Article 3.1 of the Regulations of the Board of Directors provides that the documentation supporting the items on the agenda, or at least an initial report on the matters under discussion, shall be made available in digital format and in a manner that protects confidentiality, by the Corporate Affairs Secretariat, sufficiently in advance to all members (usually at least three days in advance);
in order to ensure the necessary operational efficiency and timeliness in the process of prior disclosure, a dedicated computer application is used, which allows the management of information flows intended for the Board in compliance with the security standards required by external regulations and internal provisions on the matter, in particular with regard to the methods of access to the platform by all authorized users and controls on document activities;
during the 2024 financial year, the documents supporting the meetings were made available to the Directors, in the vast majority, by the fourth day prior to the meeting (equal to approximately 77% of the total documentation, or approximately 81% considering the third day prior); the meetings were called, in almost all cases, five days in advance;
in the very limited cases where the documentation was made available less in advance of the board meeting – due to proven needs authorized on a case-by-case basis by Top Management and related to the need to complete ongoing projects or to progress activities in the context of extraordinary operations, or again to the modification/integration interventions requested by the Board Committees at the outcome of the preliminary investigation activity under their responsibility - the Chairman ensured that the collegial discussion was given all the time necessary to guarantee a full understanding and informed decision by the Board, promoting the widest possible participation in the debate;
the Secretary of the Board of Directors, with the support of the Secretariat, shall examine and include resolution/information proposals on the agenda, submitting them to the Chairman or the Chief Executive Officer, as appropriate, for subsequent examination by the Board;
the documentation usually includes (i) a dedicated template (executive summary) summarizing the most relevant points of the topic under discussion (quantitative information, where applicable, and/or key elements), as well as (ii) additional documents/presentations, where necessary, containing a clear and concise description of the topic, as well as data for comparison with previous periods, evidence of benchmarking and outcomes from management or board committees, where a prior examination is envisaged or required, in order to evaluate the challenge throughout the decision-making process;

Information to the Board of Statutory Auditors on the activities carried out and on the most significant economic, financial and equity transactions carried out by the Company or by its subsidiaries - with particular reference to the decisions taken in the exercise of management and coordination activities - or in which the directors have an interest on their own behalf or on behalf of third parties, is provided, also by the delegated bodies pursuant to art. 2381 of the Italian Civil Code, at least quarterly and, in any case, ordinarily at meetings of the Board of Directors, by providing a summary document that gives an account of the decisions taken by the Board of Directors during the period of reference, which are relevant according to the applicable regulations. Outside of board meetings, information is provided to the Board of Statutory Auditors through the Chairman of the Board of Statutory Auditors.

In order to facilitate access to and consultation of corporate documents by the members of the corporate bodies, the latter have the exclusive use of a web application repository, in which, in addition to the material subject to be dealt with at the board meeting, is published, other documentation that could be useful in order to carry out their respective functions.

Procedures for the meetings and taking minutes

The management and coordination of board work is carried out by the Chairman who also ensures that the items on the agenda are dealt with in accordance with an analytical format, dedicating the necessary time to allow for constructive debate, especially to examine the most significant matters, and encouraging contributions from the Directors during the meetings.

In cases where the minutes are not drawn up by a notary public in accordance with the law, the Secretary is responsible for drawing up the minutes of the meeting containing the discussion and the resolutions adopted and submits a draft thereof in advance to the Chairman. The draft minutes are then sent to the Directors who can submit their comments to the Secretary. The minutes are then submitted for review to the Board of Directors, generally at the next meeting, for formal approval. In urgent cases, the Board of Directors may approve the minutes, or a portion thereof, immediately.

6.4 INDIVIDUAL BODIES

Chairman and Vice Chairman of the Board of Directors.

In accordance with article 11.3. of the By-Laws, the ordinary Shareholders' Meeting will elect the Chairman and Vice Chairman of the Board of Directors using the mechanisms described in article 20.8. of the By-Laws.

In accordance with article 27 of the By-Laws, the Chairman of the Board of Directors:

a) acts as a driving force for the work of the Board of Directors and in the organization and coordination of the work, and proposes the appointment of a secretary for that purpose to the Board. More specifically, the Chairman calls and presides over the meetings of the Board of Directors, establishes the agenda also taking into account the decision proposals made by the Chief Executive Officer as well as the opinion of the internal board committees (where required), he/she introduces the discussion and coordinates the work, ensuring, inter alia, that: (i) the issues with strategic importance are dealt with on a priority basis; and (ii) adequate information is promptly provided on the matters on the agenda to all directors; he/she ensures that the selfassessment process is carried out effectively. The Chairman, informing the Chief Executive Officer, accesses the corporate and Group information needed for that purpose in order to carry out the duties effectively
b) interacts as necessary with the Chief Executive Officer
c) ensures that the corporate governance system functions properly, guaranteeing the balance of powers with respect to the Chief Executive Officer, acting as a liaison for the internal control bodies and internal committees. He/she makes also proposals to the Board of Directors regarding the establishment of Internal Board Committees;
d) promotes the implementation of the rights reserved to the Board of Directors, encouraging effective board discussions, with special attention to sustainable development conditions in the long term and the social responsibility of the company;
e) guarantees and oversees relations with the shareholders, and in that sense, foster relations with them, along with the Chief Executive Officer. The Chairman uses the applicable corporate functions to carry out this task;
f) in accordance and coordination with the Chief Executive Officer, he/she oversees official relations with the bodies and Authorities, and the external communication of the information relating to the Company, using the applicable company divisions;
g) presides over the Sherholders' Meetings and supervises their running and the work carried out;
h) subject to the provisions of article 31, he/she has the right, in urgent cases and on the proposal of the Chief Executive Officer, to bring or defend legal actions before any judicial or administrative authority, file lawsuits, and grant powers of attorney, even of a general nature, for court proceedings, with the obligation to inform the Board of Directors of the decisions made at its next meeting;
i) exercises all other functional powers in carrying out his/her office.

In accordance with article 31.1. of the By-Laws, the Chairman of the Board of Directors represents

the Company in the pursuit and defence of actions, before third parties and in both legal and administrative courts, including for supreme court judgements and vacated judgements, and has sole signing authority, and in the case of his/her absence or incapacity, including temporary, these duties are granted to the Vice Chairman.

The Shareholders' Meeting, by means of minutes of 20 April 2023, confirmed Mr. Massimo Tononi as the Chairman of the Board of Directors of Banco BPM and Mr. Maurizio Comoli as the Vice Chairman of the Company's Board of Directors.

* * *

In compliance with recommendation no. 18 of the Code of Corporate Governance and in compliance with article 20.12.1 of the By-Laws, the Board of Directors, at its meeting of 26 April 2023, resolved, at the Chairman's proposal, to appoint, from among the Executives of Banco BPM, as Secretary of the Board of Directors for the three-year period 2023-2024-2025, and therefore until the approval of the financial statements as at 31 December 2025, Mr. Andrea Marconi, given that he is Manager of the Corporate Affairs Secretariat, verifying that he met the requirements set forth in articles 3 (integrity requirements), 4 (fairness criteria), and 10, paragraphs 1 and 2 (competence criteria, taking into consideration the specifics of the role covered), of Italian Ministerial Decree 169/2020 as well as the respective provisions contained in the Regulation "Requirements and suitability criteria for fulfilment of the engagement of company representative for the Banco BPM Group" (the Fit & Proper Policy).

Pursuant to the provisions of the "Regulation for the functioning and organisation of the Board of Directors and for the self-assessment of the Board of Directors and its Committees", the Secretary supports the activities of the Chairman and provides assistance and advice to the Board of Directors, based on impartiality of judgement, on any relevant aspect for the correct functioning of the corporate governance system.

Chief Executive Officer

Pursuant to Art. 28. of the By-Laws, the Board of Directors appoints a Chief Executive Officer from among its members and confers certain powers of the Board of Directors to him/her in accordance with article 2381 paragraph 2 of the Italian Civil Code.

Without prejudice to the legal reserves attributed to the collective competence of the Board of Directors as governed by article 24.2. of the By-Laws, the Chief Executive Officer has been granted the following powers of management autonomy with regard to guidance and management:

supervise the corporate management of the Bank and the Group, reconciling current affairs, in accordance with the general planning and strategies established by the Board of Directors, checking their performance;
formulate proposals, in accordance with the Chairman of the Board of Directors, regarding the strategic guidelines, and the short-term and/or non-ordinary projects and objectives of the Bank and the Group;
on his/her own initiative and responsibility, draw up the plans and forecasts documents of a strategic and/or extraordinary nature (budget and long-term plans) of the Group and the Bank, to be submitted for the approval of the Board of Directors, overseeing their implementation through the General Management;
oversee the development, preparation of the documents and sending of confidential or exclusive letters relating to extraordinary transactions or agreements, to be submitted to the Board of Directors;
formulate proposals to the Board of Directors regarding the geographic layout of the commercial networks of the Parent Company and the Group banks and the plans for the expansion and rearrangement of the Group Companies;
formulate proposals to the Board of Directors regarding policies on the financial statements and guidelines on the optimisation and enhancement of use of resources, and submitting the draft financial statements and periodic situations to the Board of Directors;
prepare and submit to the Board of Directors, for approval, the annual budget, also of the individual Group Companies, in line with the higher level plans, and to carry out periodic checks of the results, approving any corrective actions considered necessary;
coordinate the executive activities of the Bank and the Group, giving guidelines and instructions to ensure that the performance of the operating units complies with the decisions made by the applicable bodies, and that the activities of the subsidiaries are in line with the orders and strategies established by the Parent Company;
within the scope of the guidelines established by the Board of Directors, give guidelines and oversee the organisational, administrative and accounting structure of the Bank and the Group, in accordance with the value system recognised by the Bank;
supervise the organisation and integration of the Group, and the performance of the sales channel network, the transactions and services managed by the Bank and the Group Companies;
exercise, in accordance with the regulations, the power to propose and disburse loans, within the limits established by the regulations on loans in effect at the time;
supervise and manage the staff, improving the human resource policies of the Bank and the Group to pursue the goals of integration, managerial continuity, encouraging the appropriate motivation;
determine the guidelines and instructions for General Management;
submit to the Chairman of the Board of Directors, topics to put on the agenda of the meetings of the Board of Directors;
exercise the powers specifically allocated by the Board of Directors (to the extent of the ceilings assigned) with the related rules;
report periodically to the Board of Directors on the activities carried out in the exercise of the powers granted to him/her and (along with, where appointed, the General Manager, the Co-General

Managers and the Heads of Function in accordance with their responsibilities) on the performance of the activities and overall performance of Company and Group management, and on the correspondence of the results with the forecast documents and planning;

formulate proposals to the Board of Directors regarding the guidelines of the internal control system in compliance with supervisory regulations;
address to the Audit Function, through the Internal Control and Risk Committee, extraordinary requests for inspection and/or investigation;
formulate proposals regarding risk taking and management policies and capital adequacy in accordance with the operating areas, restrictions and instructions from the supervisory laws;
formulate proposals to the Board of Directors on liquidity risk taking and management, establishing the limits in accordance with supervisory laws;
formulate proposals to the Board of Directors, after hearing the Chairman of the Board of Directors, regarding the appointment and removal of the General Manager and Co-General Managers, if any, and make proposals to the Board of Directors regarding the appointment of any other Group senior operational and executive managers;
manage, in accordance and coordination with the Chairman of the Board of Directors, the external communication of information regarding the Bank and the other Group Companies and relations with the Supervisory Authorities;
oversee the valuation and management of bad loans including any decision regarding their management (for example settlements and disputes).

Pursuant to article 28.3 of the By-Laws, in cases of exceptional urgency, the Chief Executive Officer, in accordance with the Chairman of the Board of Directors, may make decisions regarding any transaction that is the responsibility of the Board of Directors, provided that the law or the By-Laws do not make it mandatory for the Board of Directors to make said decisions on a collective basis, with the exception of the provisions of article 24.2.2, paragraph 1, letters p), q) and y) — and even if it regards transactions governed by the procedures adopted in accordance with article 2391-bis of the Italian Civil Code and article 53 of Italian Legislative Decree no. 385 of 1 September 1993, subject in those cases to compliance with the specific provisions of said procedures for urgent transactions. In any case, the decisions made in that manner must be brought to the attention of the Board of Directors at its next meeting.

Pursuant to article 28.4 of the By-Laws, the Chief Executive Officer reports, with the General Manager and the Co-General Managers, if appointed and insofar as they are responsible, to the Board of Directors, at least once every quarter, on the general business performance and on its outlook and on the most significant transactions carried out by the Company and its subsidiaries.

The Board of Directors, with minutes of 26 April 2023, resolved (pursuant to art. 28.1. of the By-Laws, in execution of the outcome of the Shareholders' Meeting vote of 20 April 2023 referred to in item 7 on the agenda "Appointment of the members of the Board of Directors for the years 2023-2024-2025, including the Chairman and the Vice Chairman", with the abstention of the interested party) the appointment of Mr. Giuseppe Castagna as Chief Executive Officer of Banco BPM for the duration of the Board mandate and, therefore, until the date of approval of the financial statements as at 31 December 2025.

At the same meeting, the Board of Directors decided to assign the Chief Executive Officer, in accordance with article 24.2.1. of the By-Laws, the power to make decisions regarding the daily management of the Company − that are not reserved by law or the By-Laws to the collective responsibility of the Board of Directors− to be exercised in accordance with the general planning and strategic guidelines established by the Board of Directors, with the right to assign consistent powers, also within the scope of the powers referring to specific matters indicated below, to managers and other employees, to be identified also in accordance with their roles, establishing the applicable limits and mechanisms and notifying it to the Board of Directors.

More specifically, subject to the above-mentioned powers regarding daily management pursuant to art. 24.2.1. of the By-Laws, the Board of Directors assigned the Chief Executive Officer further specific powers in operating matters as described below:

Autonomous management rights in finance matters
Autonomous management rights in commercial matters
- Definition of pricing policies
- Settlement in agreements and conventions
Autonomous management rights in staff matters
- Industrial relations management;
- Management of recruitment, development and administration of staff
- Management of social security issues
Autonomous management rights in organizational matters
- Definition of the organizational structure
- Definition of qualitative and quantitative requirements of staff
- Definition of the approval and modification of internal regulations and guidelines
- Definition of the internal operating model
Autonomous management rights regarding promotional initiatives and sponsorships
Autonomous management rights in shareholding matters
Autonomous management rights in administration matters
Autonomous management rights in investment, spending and budget use matters
Autonomous management rights in the management of movable an immovable assets and historic - artistic assets
Autonomous management rights in relations with the Public Administration
Autonomous management rights to manage disputes and lawsuits that can also be exercised for Group Companies for which Banco BPM performs such activities on an outsourced basis
Autonomous management rights in write-offs
Autonomous management rights in regarding associations

The full list of the powers assigned by the Board of Directors to the Chief Executive Officer was filed with the applicable Companies Register of Milan Monza Brianza Lodi.

The Chief Executive Officer will report to the Board of Directors as follows:

on a quarterly basis, generally and for total amounts, on the exercise of all the powers assigned where not already carried out in implementation of a specific Regulation or within the scope of the general periodic information report on the general business performance and outlook, and on the most significant transactions carried out by the Company and its subsidiaries;
at the first meeting following decisions made on an urgent basis in accordance with article 28.3. of the By-Laws.

It should be noted that, with reference to the Chief Executive Officer, Giuseppe Castagna, there are no situations involving interlocking directorates pursuant to article 36 of Law 214/2011.

Co-General Managers

In accordance with article 29 of the By-Laws, the Company can appoint a General Manager and/or one or more Co-General Managers, establishing, if appointed, powers, responsibilities and functions to exercise in accordance with the guidelines given, according to their respective responsibilities, by the Board of Directors and the Chief Executive Officer.

The appointment, removal or replacement of the General Manager and/or each Co-General Manager (and the determination or amendment of the powers, functions and responsibilities of each

of them) will be decided by the Board of Directors upon the proposal by the Chief Executive Officer in accordance with the Chairman of the Board of Directors.

The Board of Directors, in its meeting of December 20, 2022, defined - with the aim of improving the coordination of the Group's activities with respect to the path outlined in the Strategic Plan 2021- 2024 and facilitating the governance of the areas of greater complexity in line with the evolution of the external context, to better meet the expectations on governance developed in recent years, including at the supervisory level - the new articulation of the General Management and the executive leadership by providing, among other things:

the establishment of the General Co-direction Chief Financial Officer (CFO), entrusted to the responsibility of Mr. Edoardo Ginevra, formerly Chief Financial Officer of Banco BPM, who then became Co-General Manager (CFO) with the assignment of the responsibilities of coordinating the activities of the newly established Planning and Value Management, Integrated Procurement Management, Finance, Administration and Financial Statements, Investor Relations, Equity Investments and, finally, Transition and Sustainability functions;
the definition of the new perimeter of the General Co-direction Chief Business Officer (CBO) in the Commercial area, formerly under the responsibility of Mr. Domenico De Angelis, who retains supervision over the Commercial functions - divided into Private and Corporate - Institutional Entities and Third Sector, Marketing and Omnichannel and over the 8 Territorial Departments, as well as over the Bancassurance function following the recent reorganization of the insurance sector. The Co-General Manager (CBO) was also entrusted with the coordination and supervision of the subsidiary Banca Aletti S.p.A.

The Board of Directors, in order to ensure business continuity, also based on the increased operational needs related to the significant size of the company, decided, with reference to article 31.3. of the Company's By-Laws, to attribute to the Co-General Managers Mr. Domenico De Angelis and Mr. Edoardo Ginevra, only in the event of the absence or impediment, even temporary, of the Chairman of the Board of Directors, the Vice Chairman and the Chief Executive Officer, the pursuit and defence of actions of Banco BPM S.p.A. vis-à-vis third parties and in court, both in judicial and administrative proceedings, including supreme court and revocation proceedings, as well as the free corporate signature.

Some short biographical notes on the members of the General Management are provided below, showing that they have adequate professional expertise in banking, finance, legal, corporate, tax, organisational-IT and risk management matters.

Domenico De Angelis - Co-General Manager Chief Business Officer (CBO) within the Commercial area: Having held various executive positions within the Eni Group and the Unicredit Group, since June 2000, he was appointed Central Director and Head of Markets of the former Banca Popolare di Novara S.c.r.l. In June 2002, following the foundation of the BPVN Group, he was appointed General Manager of former Banca Popolare di Novara, and served as Chief Executive Officer from April 2004 to December 2011. He was a Member of the Management Board of Banco Popolare from July 2007 to November 2011, and subsequently a Member of the Board of Directors (from November 2011) and Co-General Manager (from November 2011) until the effective date of the merger with BPM S.c.a r.l. He has previously taught the Economics and Financial Intermediation Management master's programme at Università degli Studi del Piemonte Orientale. He teaches Executive Management programme in Banking (CIB) at the SDA Bocconi in Milan. He is a Director of the "Associazione Franca Capurro per Novara" non-profit organisation and Chairman of the "Associazione Novaresi Per". Since January 2017, he has been Co-General Manager of Banco BPM S.p.A. and on 20 December 2022 he took on the role of Co-General Manager Chief Business Officer (CBO) within the Commercial area. He has been a director of Banca Aletti S.p.A. since April 2024.
Edoardo Maria Ginevra - Co-General Manager Chief Financial Officer (CFO): graduated in Political Economy with honours in 1988, he first worked (from 1990 to 1999) at the Bank of Italy, Credit and Financial Supervision, "off-site" supervision sector. Subsequently he held, at McKinsey, positions as Consultant (from 1999 to 2005) and Partner (from 2006 to 2012), participating in various projects, always focusing on the banking sector, both in Italy and in international contexts. From 2012 to 2015 he was Partner of the Italian office and a member of the EMEA Finance & Risk practice at Oliver Wyman, with responsibilities for covering banking customers/supervisory bodies divided between Italy (mainly

commercial banks), Greece and Cyprus (in both cases, mainly Central Banks). In 2015, he joined Banca Popolare di Milano, where he held the position of Chief Risk Officer until 2016. At the time of the merger between BPM and Banco Popolare (January 2017), he assumed the position of Head of the NPL Department of Banco BPM, of which he became Chief Financial Officer in June 2019. Since May 2019 he has been the Chairman of the Board of Directors of Gardant Liberty Servicing; since June 2019 a Director of the Interbank Deposit Protection Fund (FITD) and since March 2020 a member of the Board of Directors of Agos Ducato. On 20 March 2023, he was appointed as Co-General Manager CFO of Banco BPM.

Lastly, it should be noted that the Company has adopted an organisational structure that does not envisage the figure of the General Manager and envisages, in addition to the two Co-General Managers, the figures of the senior operational and executive managers represented by: Chief Lending Officer (CLO) in the person of Teresio Testa; Chief Innovation Officer (CIO) in the person of Adolfo Pellegrino; Head of Corporate and Investment Banking in the person of Luca Manzoni.

6.5 INTERNAL COMMITTEES OF THE BOARD OF DIRECTORS

While compliant with the principle of collegiality in the performance of its duties, the By-Laws provide that the Board of Directors — in relation to the responsibilities assigned to it, its composition and the characteristics of its members — will create, internally, also in accordance with the recommendations contained in the Code of Corporate Governance, specific Committees with investigatory, proposal-making, advisory and control functions regarding appointments, remuneration and control, risks and sustainability.

The Board of Directors also has the right to establish other Committees, drawing up appropriate Regulations, with advisory, investigatory or proposal-making powers. Each committee is composed of a majority of members who meet the independence requirements set forth under article 20.1.6. of the By-Laws.

As at the date of this report, 5 internal committees have been established (Appointments Committee, Remuneration Committee, Internal Control and Risk Committee, Related Parties Committee and Sustainability Committee) that have to provide support to the Board through the formulation of proposals, opinions and observations, and insights into the areas they are responsible for.

In the establishment of said Committees, in the appointment of the respective members and in drafting the Regulations that clearly determine the responsibilities and function of each of them, attention was paid to ensure that they would contribute to the Board of Directors in an effective way in terms of contributing analyses, content and efficiency, both from the standpoint of investigation and from an advisory stance; the suitability of their overall organisation was assessed to ensure there was no overlapping of responsibilities and/or decision-making processes.

It should be noted that, following the renewal of the composition of the Internal Board Committees, which took place by resolution of the Board of Directors on 26 April 2023, changes were made to certain Regulations of the same, aimed essentially at implementing the establishment of the new Sustainability Committee, whose tasks were previously assigned to the Internal Control and Risk Committee (which was called Internal Control, Risks and Sustainability Committee), as well as in order to better meet certain expectations on governance that emerged in the discussions with the Joint Supervisory Team of the European Central Bank, as part of the "ad hoc analysis", during which the Regulator assessed, among other things, the role played by the Board of Directors and by the Internal Board Committees, also with regard to the methods of interaction between the then Internal Control, Risks and Sustainability Committee and the Remuneration Committee, for risk-related issues within the scope of remuneration policies. During 2024, the Regulation of the Sustainability Committee underwent further updates due to significant changes in the Bank's organizational structure, as well as in order to ensure a better alignment of the provisions with the activities performed, as described in better detail below.

Appointments Committee

Pursuant to article 24.4.1. of the By-Laws, the Board of Directors shall establish an Appointments Committee internally, approving the Regulation which determine its responsibilities and operation, in accordance with the Supervisory Provisions.

The Bank's By-Laws establish that the Appointments Committee will comprise 3 (three) Directors, all non-executive and the majority of whom (including the individual appointed as Chairman) will meet the independence requirements established in the By-Laws.

All members must possess, individually and collectively, adequate knowledge, skills and expertise regarding the selection process and adequacy requirements, also pursuant to the Guidelines prepared by the competent Authorities.

The Appointments Committee, renewed by the Board of Directors at its meeting on April 26, 2023, is composed as of the date of this report (and until the approval of the financial statements for the year 2025) of the following three directors: Mr. Mario Anolli (Chairman), Mrs. Marina Mantelli, and Mrs. Chiara Mio. All members of the Committee are non-executive and independent directors.

The Appointments Committee is responsible for the functions and tasks assigned to it by the Code of Corporate Governance and the applicable supervisory regulations (see Circular no. 285/2013, First Part, Title IV, Chapter 1, Section IV).

The Committee has the duty to screen or process proposals on the following matters:

submission to the Shareholders' Meeting and composition of a list of candidates for the appointment of the Board of Directors;
appointment or co-opting Directors to replace any who have resigned pursuant to article 20.11. of the By-Laws;
appointment and removal of the Chief Executive Officer;
appointment and removal of the members of the Territorial Advisory Committees in the Territorial Divisions, where established.

The Committee also provides support to the Board of Directors, in accordance with the specifications in the Supervisory Provisions and in the internal regulations, in the following processes:

prior identification and subsequent checking of the qualitative-quantitative composition of the Board of Directors considered to be optimal;
self-assessment of the Board of Directors;
assessment of the suitability and the requirements envisaged in article 26 of the Consolidated Banking Law and of the Regulation "Requirements and suitability criteria for fulfilment of the engagement of company representative for the Banco BPM Group" (the "Fit & Proper Policy");
definition of succession plans and performance of the tasks attributed to the Committee by said plans;
approval and updates of the Fit & Proper Policy;
approval and updates of the Regulation "Limits to the number of offices".

The Committee will also express its opinion on the following to the Board of Directors:

the candidates to act as statutory auditors (standing and alternate), general managers, co-general managers and deputy general managers of the banks and the main non-banking subsidiaries of the Group;
the appointment and removal upon proposal of the Chief Executive Officer, having consulted with the Chairman of the Board of Directors — of the following company figures, if set forth in article 29 of the Company's By-Laws (the General Manager and the Co-General Managers);
appointment of senior operational and executive managers of Banco BPM S.p.A., as identified by means of the appropriate board decisions;
the appointment and removal, in accordance with the By-Laws, of the Financial Reporting

Manager of Banco BPM according to article 154-bis of Italian Legislative Decree no. 58/1998 and the determination of the related powers and means, and the appointment and removal of the heads of the internal control functions of Banco BPM S.p.A. – and therefore the Internal Audit Manager, the Compliance Manager, the Risk Manager, the Anti-Money Laundering Manager and the Internal Validation Manager.

In compliance with the provisions of article 23.8 of Decree of the Ministry of Economy and Finance no. 169 of 23 November 2020 and the Fit & Proper Policy, the Appointments Committee, for the declaration of the removal of office of independent directors or representatives elected from minority lists, issues a justified opinion to the competent body on the merits of the assessments relating to suitability of the representative.

With reference to the specific functions provided for under the Code of Corporate Governance, the Committee will also give its opinions to the Board of Directors regarding its size and composition and make recommendations on the professional figures whose presence on the Board is advisable, in addition to any other topics indicated by the above-mentioned Code.

To carry out its activities, the Committee avails itself of the technical support of the competent corporate structures. In performing its duties, the Committee has access to all business areas and corporate functions of the Parent Company and of Group companies, including at central offices and peripheral structures, and has the right to obtain any information or data deemed necessary to perform its duties.

The Committee may also use external specialist advisors with proven experience, to the extent of the annual budgets approved by the Board of Directors. In any case, the Board of Directors will ensure that the Committee is suitably equipped with adequate resources to fulfil its tasks and exercise its powers.

Committee meetings are called by the Chairman whenever it is considered appropriate, by notice, containing an indication of the items to be discussed on the agenda, to be sent via any means, which guarantees proof of receipt, sent at least three days before the date set for the meeting, in time to provide the Committee members with sufficient information on the issues to be discussed, and this shall be followed by delivery of the necessary documentation, where available, to ensure the best operation of the collective work. In cases of particular urgency, the meeting may be called twelve hours in advance, using any suitable means. In this case, an adequate assessment of and comprehensive information regarding each issue to be discussed must be provided during the meeting, with specific attention to the contents of documents which it was impossible to transmit via ordinary methods.

If a Committee member has a personal interest or third-party interest in an item to be discussed, he/she must inform the Committee and abstain from participating in the debate and voting.

The following may be invited to attend the meetings, in relation to the topic being discussed: (i) Chairman of the Board of Directors, (ii) the Chief Executive Officer, (iii) the other directors, (iv) where appointed, the General Manager and the Co-General Managers, (v) the managers of the internal control functions, (vi) informing the Chief Executive Officer, the managers of the company functions of Banco BPM S.p.A. and of other Group companies competent on the matter, as well as (vii) the other parties whose presence is deemed useful by the Committee.

The members of the Board of Statutory Auditors have the right to attend Committee meetings.

Between January 1st to December 31, 2024, the Appointments Committee met 21 times, with a meeting attendance rate of slightly under 100% and the meetings lasted on average fifty minutes. All meetings were attended by at least one member of the Board of Statutory Auditors.

The meetings are convened on a "call" basis, and 2 meetings were held between January 1st, 2025 and the date of approval of this Report.

In 2024, the Committee, inter alia, assisted the Board of Directors in verifying the legal, statutory and regulatory requirements for its members, the members of the Board of Statutory Auditors and the General Management, as well as the members of the Boards of Directors of the Group's banking subsidiaries. The Committee supported also the Board of Directors, more specifically:

(i). in the annual self-assessment process of the Board of Directors of Banco BPM S.p.A. and its

Committees;

(ii). in the annual self-assessment process and optimal qualitative and quantitative composition of the Board of Directors of the subsidiary Banca Aletti S.p.A;
(iii). in the annual self-assessment process of the Board of Directors of the subsidiaries Banca Akros S.p.A., Banco BPM Vita S.p.A. and Vera Vita S.p.A;
(iv).in the indication of the representatives of Group banks and major non-bank subsidiaries;
(v). in consultation with the Audit and Risk Committee, in the processes of identifying (i) the candidate to fill the role of Head of the Risk Management Function (Risk Manager), as well as Chief Risk Officer (CRO) of Banco BPM, following the termination of the previous CRO due to its retirement, and (ii) the candidate to fill the role of Head of the Internal Validation function.

Some of the Bank's managers were invited to attend the Committee's meetings held in 2024, with regard to individual items on the agenda, notifying the Chief Executive Officer in the event of the participation of the managers of the corporate functions of Banco BPM and the other Group companies competent in the matter.

The appropriate minutes of the Committee meetings are drafted by the Secretary, appointed by the Committee, who need not be a member, provided in that case that he or she is a member of the secretariat staff, pursuant to article 20.12.1 of the By-Laws.

When the minutes of the resolutions cannot be drawn up in time for the Board of Directors meeting in which a proposal must be formulated or an opinion granted, the Chairman of the Committee must notify, also verbally, the Board of Directors at the next meeting of the same, on the decisions made by the Committee.

Remuneration Committee

Pursuant to article 24.4.1 of the By-Laws, the Board of Directors establishes a Remuneration Committee, approving the related Regulation (most recently updated at the Board meeting of 6-7 February 2023), which determines its responsibilities and operations in compliance with the Supervisory Provisions for banks and other relevant regulations (hereinafter the "Supervisory Provisions") and with the Code of Corporate Governance promoted by Borsa Italiana S.p.A. which Banco BPM S.p.A. (hereinafter, "Banco BPM") has adopted.

The Bank's By-Laws, recently amended by the Extraordinary shareholders' Meeting of Banco BPM of 7 April 2022, establish that the Remuneration Committee will include three Directors, all nonexecutive and the majority of whom (including the individual appointed as Chairman) holding the independence requirements established in the By-Laws. At least one member of the Committee must have suitable knowledge and experience in the financial field or of remuneration policies. The Chairman of the Committee is appointed by the Board of Directors and cannot coincide with the Chairman of the latter.

The Remuneration Committee, renewed by board resolution of 26 April 2023, includes the following three directors on the date of this report (and until the approval of the 2025 financial statements): Mrs. Manuela Soffientini (Chairman), Mr. Mauro Paoloni and Mr. Paolo Bordogna. All members of the Committee are non-executive directors, in the most part (including the Chairman) independent and collectively possess the necessary professional knowledge, expertise and experience regarding the remuneration policies and practices and the risk management and control activities.

The Remuneration Committee is entrusted with the functions set out in the Supervisory Provisions and the Code of Corporate Governance.

In compliance with the Supervisory Provisions and in accordance with its own Regulation, the Remuneration Committee performs the following duties for the Parent Company, subsidiary banks and the Group's main non-banking companies, inter alia:

has advisory status and makes proposals regarding the remuneration of directors, statutory auditors, general managers, co-general managers and deputy general managers;
has advisory and proposal duties regarding the remuneration of the Financial Reporting Manager

pursuant to article 154-bis of Italian Legislative Decree no. 58/1998 as well as the managers of the internal control functions as defined by the Supervisory Provisions;

has advisory and proposal duties on the remuneration of the remaining staff whose remuneration and incentive systems are decided upon by the Board of Directors, as well as on the matter of determining the criteria for remuneration of the remaining "identified staff", identified according to the methods set forth in the Supervisory Provisions regarding remuneration and incentive policies and practices;
directly supervises the correct application of rules relating to remuneration of the managers of the internal control functions, in close co-operation with the Board of Statutory Auditors;
handles the preparation of documentation to be submitted to the Board of Directors for decisions on remuneration and incentives;
provides opinions, also based on information received from relevant corporate functions, on the outcome of the "identified staff" process, including any exclusions, and, on the achievement of performance objectives related to incentive plans and on the fulfilment of the other conditions established for payment of remuneration;
ensures that the relevant corporate functions are involved in drawing up and controlling remuneration and incentive policies and practices;
provides adequate reflection on activity carried out by the Board of Directors, the Board of Statutory Auditors and the Shareholders' Meeting.

For the performance of the assigned tasks, where appropriate, the Committee collaborates and coordinates with the other internal committees of the Board of Directors of the Parent Company and with the similar internal committees of the Boards of Directors of the other Group companies, also through joint meetings, without prejudice to the responsibilities of each committee.

In compliance with the specific functions envisaged by the Code of Corporate Governance, the Committee carries out also, among other things, in accordance with the Regulation, the following duties:

supports the Board of Directors in drawing up the remuneration policy;
periodically assesses the adequacy and overall consistency of the remuneration policy for directors and top management;
submits proposals to the Board of Directors on the remuneration of executive directors and other directors holding particular offices, as well as on the setting of performance targets relating to the variable component of this remuneration;
monitors the actual application of the remuneration policy and verifies, in particular, the actual achievement of performance objectives.

This is subject to any other power given to the Committee pursuant to the law or regulations, or supervisory regulations or decided upon by the Board of Directors.

The Committee must base the performance of its tasks on the principles of autonomy and independence and carries out its functions and activities with the support of experts, including external experts, in the areas of risk, capital and liquidity management, to ensure that the incentives underlying the remuneration and incentive system are consistent with the management of these matters by the Group, as set forth in the provisions issued by the Supervisory Authority. To this end, the Committee routinely makes use of the company's risk control structures and, in particular, the Chief Risk Officer and the Compliance Manager. The Committee may call upon external expert advice from independent parties of recognised expertise, verifying in advance that they are not in situations that compromise their independent judgement.

The Committee has also access to all areas of activity and company functions of Banco BPM and the companies of the Group, including central offices and peripheral structures, and has the right to obtain any information, data or copies of documents deemed necessary to carry out its tasks.

Using the annual budget approved by the Board of Directors, the Committee may also make use of external expert advice from independent persons of recognised expertise. In any case, the Board

of Directors will ensure that the Committee is suitably equipped with adequate resources to fulfil its tasks independently and exercise its powers.

The Committee meets when convened by its Chairman, whenever the latter deems it appropriate, by notice, containing an indication of the items to be discussed on the agenda, to be sent via any means, which guarantees receipt, sent at least three days before the date set for the meeting, in time to provide the members with sufficient information on the issues to be discussed, and this shall be followed by delivery of the necessary documentation, where available, to ensure the best operation of the Committee work.

The Chief Risk Officer and the heads of the Compliance, Human Resources and Audit functions regularly attend the meetings, in person or through their delegate and unless otherwise determined by the Chairman from time to time. The Chairman of the Board of Directors, the Chief Executive Officer, the other directors and, by informing the Chief Executive Officer, the heads of the corporate functions of Banco BPM and other Group companies with jurisdiction over the subject matter, as well as other persons whose presence is deemed useful by the Committee, may be invited to attend the meetings. Moreover, no director takes part in Committee meetings in which proposals are discussed to make to the Board of Directors relating to his/her personal remuneration.

In any event, members of the Board of Statutory Auditors are entitled to attend Committee meetings and they must always be invited — also through the Chairman of the Board of Statutory Auditors (to whom the notice of meetings is always sent for information) or a Statutory Auditor designated for this purpose — to meetings regarding the verification of the proper application of rules relating to the remuneration of internal control function managers.

The Chairman coordinates the Committee's work. The data and information provided to support the discussion of the topics are managed in a manner that protects confidentiality, through a dedicated application, and in such a way as to not jeopardise the timeliness and completeness of the information flows.

If a Committee member has a personal interest, or third-party interest in an item to be discussed, they must inform the committee and abstain from participating in the debate and voting.

Specific minutes are drawn up by a Secretary designated by the Committee, even if not a member of the same, for each Committee meeting. The minutes, approved by the Committee, are signed by the Chairman and by the Secretary.

When the minutes of the resolutions cannot be drawn up in time for the Board of Directors meeting in which a proposal must be formulated or an opinion granted, the Chairman of the Committee must notify, also verbally, the Board of Directors at the next meeting, on the determinations made by the Committee itself, outlining any considerations of the Risk Manager.

As envisaged by the specific Regulation, the Chairman of the Remuneration Committee reports to the Board, usually at the first meeting, on the activities carried out by the Committee, making available the index of the topics of the meeting and providing a summary illustration thereof, possibly also in verbal form.

In the period from January 1, 2024 to December 31, 2024, the Committee met 23 times with the meetings called by its Chairman, with an attendance rate of 99% and the average duration of the sessions was about one hour and 20 minutes.

In the 2024 financial year, the Committee carried out the activities falling within its area of responsibility, responsibility, specifically performing activities — depending on the case — of preliminary investigation, consultation and/or proposal concerning: (i) supervising the identification process of identified staff; (ii) verifying the conditions of access to variable remuneration components, in implementation of the 2023 Policy; (iii) the assessment of the impacts of non-recurring components of the financial statements on the profit from current operations before taxes, the financial adjustment ratio and the Key Performance Indicators for FY 2023; (iv) the benchmark analysis with the external market for the Group's top figures, carried out with the advice of a leading company, aimed at verifying the level of competitiveness of the different components of the remuneration package, preparatory to the formulation of proposals for remuneration interventions; (v) the share-based Remuneration Plan of Banco BPM under the Short Term Incentive Plan 2024; (vi) the 2024 Policy and the criteria for determining the compensation to be granted in the event of early termination of

employment or early termination of office; (vii) the review of the performance achieved by the Chief Executive Officer with respect to the objectives assigned for 2023; (viii) the remuneration of the exponents of the Group's subsidiary banks and main non-banking subsidiaries; (ix) the determination of the objectives of the 2024 Short Term Incentive Plan to be assigned to the Chief Executive Officer and related variable remuneration for the year; (x) the 2024-2026 Long Term Incentive Plan, evaluating its access conditions and performance targets, as well as to the quarterly monitoring regarding the achievement of the targets of the previous 2021-2023 Long Term Incentive Plan; (xi) the maximum incentive values to be associated with the 2024 Short Term Incentive Plan; (xii) the assessment of the soundness of the 2023 Short Term Incentive Plan regarding the correlation of the Group's performance to individual incentives pursuant to the defined risk system; (xiii) the objectives of the 2024 Short Term Incentive Plan of the most relevant staff, with a particular focus on KPIs in the sustainability and riskbased areas; (xiv) the assessment, in coordination with the Audit and Risk Committee and the Board of Statutory Auditors, of the correct application of the rules established by the 2023 Policy for the variable remuneration of the heads of corporate control functions; (xv) the performance achieved by staff under the 2023 Short Term Incentive Plan and the ongoing monitoring of the implementation of the 2024 Short Term Incentive Plan; (xvi) the project path in the area of diversity, equity & inclusion undertaken by the Group with the support of a leading consulting firm, constantly monitoring the evolution of the project and periodically checking the gender pay gap; (xvii) the remuneration package of the newly appointed Chief Risk Officer and Head of Internal Validation; (xviii) the determination of the criteria for the definition of the target sheets of the Short Term Incentive 2025 Plan.

For the pursuit of its own activities in the year in question, the Committee received all the information deemed necessary and the support of competent company functions. The data and information provided in support of the discussion of the topics in the meetings of the Committee were managed in such a way as not to jeopardise the timeliness and completeness of the information flows. As a rule, at the date of sending the call for each meeting, according to the terms set forth in the Regulation of the Remuneration Committee, the documentation produced by the company functions concerned was made available to the Directors, except on certain occasions in which, albeit with adequate advance, a delay was recorded due to the particular sensitivity of the subject matter or the nature of relevant or inside information contained therein.

The Chief Risk Officer, the Compliance Manager, the Internal Audit Manager, the Head of Human Resources and the Head of Remuneration Policies attended the Committee meetings in person or through their delegate and unless otherwise determined by the Chairman from time to time. If deemed necessary and/or appropriate, the Committee also made use of the support of other managers of the Bank to carry out its activities, in order to deal with individual items on the agenda.

The Statutory Auditor, specifically appointed to this effect, attended Committee meetings, without prejudice to the right of all members of the Board of Statutory Auditors to attend meetings, as established by Regulation.

A total of 19 meetings of the Remuneration Committee were scheduled for 2025, of which 5 had already been held by the date of approval of this Report.

For more information on the Remuneration Committee, please refer to the "Remuneration Report" published pursuant to Article 123-ter of the T.U.F. on Banco BPM's website www.gruppo.bancobpm.it - Corporate Governance Section.

Internal Control and Risk Committee

Pursuant to art. 24.4.1. of the By-Laws, the Board of Directors establishes an Internal Control and Risk Committee (hereinafter also the "Committee"), by drafting the Regulation, most recently updated at the meeting of May 29, 2023, which regulates its responsibilities and operations in compliance with the Supervisory Provisions for Banks and other relevant regulations (hereinafter the "Supervisory Provisions") and the Code of Corporate Governance promoted by Borsa Italiana S.p.A. to which Banco BPM S.p.A. (hereinafter, "Banco BPM") has adhered.

The Bank's By-Laws, recently amended by the extraordinary shareholders' meeting of Banco BPM of April 7, 2022, establish that the Committee will be composed of five Directors, all non-executive and the majority of whom (including the individual appointed as Chairman) satisfy the independence

requirements referred to in art. 20.1.6. of the By-Laws.

The members of the Committee must have the knowledge, expertise and experience to be able to fully understand and monitor the Group's risk strategies and guidelines; at least one member of the Committee must have suitable experience in accounting and financial matters, or in risk management. The Chairman of the Committee is appointed by the Board of Directors and cannot coincide with the Chairman of the latter or the Chairman of other committees.

The Internal Control and Risk Committee, updated by Board of Directors resolution of 26 April 2023, is composed of the following 5 Directors as of the date of this report (and until approval of the 2025 financial statements): Mr. Eugenio Rossetti (Chairman), Mr. Mario Anolli, Mr. Paolo Bordogna, Mr. Maurizio Comoli and Mrs. Nadine Faruque. All members of the Committee are non-executive, a majority of whom are independent, including the Chairman.

The Internal Control and Risk Committee is charged with the duties provided for in the Supervisory Provisions and the Code of Corporate Governance, in particular performing duties to assist the Board of Directors of the Parent Company with regard to risks and the internal control system, the scope of which applies to the entire Group.

The Committee is responsible, inter alia, for investigation and advisory activities with regard to the scope reserved to the Board of Directors relating to the:

internal control system;
risk analysis, measurement, monitoring and management;
IT accounting structure.

With regard to the scope of activities, it should be noted that, until the aforementioned Board meeting of 29 May 2023, the Committee's responsibilities also included that specific to sustainability and social responsibility, removed as a result of the establishment of the Sustainability Committee (on 26 April 2023). As part of the revision of the Regulation, the Chairman of the Sustainability Committee is also expected to attend the meetings of the Internal Control and Risk Committee when discussing topics with implications relating to sustainability and in particular to ESG dimensions.

In performing its duties, the Committee pays special attention to all activities that are instrumental or necessary for the Board of Directors to be able to correctly and effectively establish the Risk Appetite Framework (hereinafter "RAF") and risk governance policies.

In compliance with the specific functions envisaged in the Supervisory Provisions and the Code of Corporate Governance, the Committee also carries out the following duties in accordance with its specific Regulation:

assists the Board of Directors by providing its opinion:
on establishing the guidelines of the internal audit and risk management system, so that the main risks to which the Parent Company and its subsidiaries are exposed to are correctly identified as well as adequately measured, managed and monitored;
on determining the level of compatibility of such risks with the sound and prudent management, consistent with the strategic objectives identified and the pursuit of sustainable success;
identifies and proposes to the Board of Directors, with the contribution of the Appointments Committee and the managers of the internal control functions to be appointed and formulates the proposal to remove them;
forms an opinion on changes to the organisational structure of the internal control functions within the scope of the Board of Directors, on the adequacy of the resources assigned to them, with respect to the performance of their duties and, subject to the responsibilities of the Remuneration Committee, on the remuneration of the relative managers in accordance with company policy;
makes assessments and forms opinions for the Board of Directors on compliance with standards, legislative and regulatory provisions, to which the internal control system and the company organisation must adhere, and the requirements that must be fulfilled by the internal control functions, bringing any weak areas to the attention of the Board of Directors as well as the consequent corrective measures to be implemented; to this end, assess the proposals of the

management body;

examines the programmes (including the audit plan) and the annual reports of the internal control functions addressed to the Board of Directors in advance, providing the Board with its opinion;
contributes, through assessments and opinions, to the definition of the company outsourcing policy as regards the internal control functions;
supervises the internal control functions, ensuring that they correctly comply with the recommendations and the guidelines of the Board of Directors, assisting it in drawing up the Regulation for the coordination and collaboration of the Control Bodies and Functions;
assesses the correct use of accounting standards for the preparation of the separate and consolidated financial statements, to this end coordinating with the Financial Reporting Manager and with the Board of Statutory Auditors, also consulting, if deemed appropriate, the parties assigned the independent auditing of the accounts;
expresses its opinion to the Board of Directors regarding the assessment of the results illustrated by the parties assigned to independently audit the accounts in any letter of recommendations and in the report on fundamental matters that arose at the time of the independent audit;
forms its opinion, and informs the Board of Directors on the description, in the report on corporate governance, of the main characteristics of the internal audit and risk management system and on assessments as to its adequacy;
assesses, every six months, the adequacy of the internal control and risk management system with respect to the characteristics of the Group and its selected risk appetite, as well as its effectiveness, providing its opinion regarding the similar annual assessment conducted by the Board of Directors;

and with specific reference to its risk management and control duties, it:

verifies the consistency of risk management policies and the evolution over time of the Group's risk profile with respect to the strategic guidelines and the RAF framework;
supports the Board of Directors in defining and approving strategic guidelines and policies for risk management. More specifically, as regard the RAF, in the process of determining the risk appetite, it makes assessments and proposals, in accordance with company regulations, so that the Board of Directors may define and approve the risk appetite and the risk tolerance;
supervises the alignment between all substantial financial products and services offered to customers with the business model and the risk strategy of the Group;
assists the Board of Directors in defining the policies and the processes to assess company activities, including ensuring that the price and the terms of transactions with customers are consistent with the business model and risk strategies;
provides support to the Board of Directors in verifying the correct implementation of the strategies, the risk governance policies and the RAF, also by examining the periodic reports on Group risk exposure prepared by the relevant company functions;
through reports from the control functions, examines and formulates its own opinion on compliance with regulatory requirements for the use of risk measurement models;
without prejudice to the responsibilities of the Remuneration Committee, it verifies that the incentives underlying the remuneration and incentive system are consistent with the RAF.

The Committee, in particular, acquires the observations and makes use of the support of the Sustainability Committee, taking into account the responsibilities reserved to the latter in matters of sustainability. To this end, the Chair of the Sustainability Committee is invited to participate in Committee meetings when topics that have sustainability implications are discussed.

The Committee reports to the Board of Directors when necessary, through its Chairman, on the

outcome of the activities performed, as well as, at least every six months, at the time of the approval of the annual and interim financial statements, prepares a specific report on the activities performed and on the adequacy of the internal control and risk management system.

The Committee must structure the execution of its tasks around the standards of autonomy and independence. To this end, it must be granted autonomous powers of initiative and, to effectively perform its duties, it may carry out verification and audit activities within all areas of Group activities.

To perform its assigned tasks, the Committee normally makes use of the internal control functions as well as the Financial Reporting Manager.

The Committee has also access to all areas of activity and company functions of the Parent Company and the companies of the Group, including central offices and peripheral structures, and has the right to obtain any information, data or copies of documents deemed necessary to carry out its tasks.

The Committee, in accordance with company regulations, may suggest that the Chairman of the Board of Directors requests the Internal Audit Function to conduct specific audits.

Using the annual budget approved by the Board of Directors, the Committee may also make use of external expert advice from independent persons of recognised expertise. In any case, the Board of Directors will ensure that the Committee is suitably equipped with adequate resources to fulfil its tasks independently and exercise its powers.

The Committee meets, when called by the Chairman, each time the Chairman deems suitable. Committee meetings are convened by notice, containing an indication of the items to be discussed on the agenda, to be sent via any means, which guarantees receipt, sent at least three days before the date set for the meeting, in time to provide the members with sufficient information on the issues to be discussed, and this shall be followed by delivery of the necessary documentation, where available, to ensure the best operation of the Committee work. The notice is sent to the Committee members, as well as the Chairman of the Board of Statutory Auditors for information.

The following may be invited to attend the meetings, in relation to the topic being discussed: (i) the Chairman of the Board of Directors, (ii) the Chief Executive Officer, (iii) the other directors, (iv) where appointed, the General Manager and the Co-General Managers, (v) the managers of the internal control functions, (vi) informing the Chief Executive Officer of them, the managers of the company functions of Banco BPM and of other Group companies competent on the matter, (vii) the statutory auditors of the Group companies, (viii) the members of the Supervisory Board pursuant to Italian Legislative Decree 231/2001, (ix) the parties assigned the independent auditing of the accounts and (x) other parties whose presence is deemed useful by the Committee.

When deemed necessary and/or appropriate, the Committee actually availed of the support of other managers of the Bank to carry out its activities, in order to deal with individual items on the agenda.

The meetings of the Committee were attended by the Chairman of the Board of Statutory Auditors or another Statutory Auditor designated by the latter, without prejudice to the right of all members of the Board of Statutory Auditors to attend meetings as provided for in the Regulation.

The meetings of the Committee were attended, as permanent guests, by the Chief Risk Officer and the Internal Audit Manager, in person or through their delegate and unless otherwise determined from time to time by the Chairman.

If a Committee member has a personal interest or third-party interest in an item to be discussed, they must inform the Committee and abstain from participating in the debate and voting.

Specific minutes are drawn up by a Secretary designated by the Committee, even if not a member, for each Committee meeting. The minutes, approved by the Committee, are signed by the Chairman and by the Secretary.

When the minutes of the Committee's resolutions cannot be drawn up in time for the Board of Directors meeting in which a proposal must be formulated or an opinion granted, the Chairman of the committee must notify, also verbally, the Board of Directors at the next meeting of the same, on the Committee's resolutions.

As envisaged by the specific Regulation, the Chairman of the Internal Control and Risk Committee reports to the Board, usually at the first meeting, on the activities carried out by the Committee, making available the index of the topics of the meeting and providing a summary illustration thereof, possibly also in verbal form.

Between January 1 and December 31, 2024, the Internal Control and Risk Committee met 23 times, with an attendance rate of 98% and the meetings lasted on average five hours.

In FY2024, the Committee also assisted the Board of Directors with regard to:

the support activities in the preparation of the 2024 Funding Plan and the 2024 Capital Plan, examining the risk opinion of the CRO Area prepared for this purpose and aimed at assessing the robustness of the estimates of the cost of credit; updates to these documents were also examined;
the Internal Capital Adequacy Assessment Process (ICAAP) and the Internal Liquidity Adequacy Assessment Process (ILAAP);
the process of defining the overall Risk Appetite Framework with particular reference to: (i) the relevant Guidelines supporting the Budget for the year 2024, defined - in January 2024 - consistently with the Financial Conglomerate's business model that sees the subsidiaries that have entered the Conglomerate's perimeter integrated into the Group's RAF; (ii) the Guidelines to support the Credit Policies 2025; (iii) the first evolutionary lines of the RAF 2025 concept as well as, in January 2025, the definition of the RAF 2025 Guidelines aimed, among other things, at directing the definition of the 2025 Budget;
the examination of the periodic risk monitoring and control reports prepared by the competent corporate functions, including the Risk Appetite Monitoring and the Integrated Tableau de Bord produced by the Internal Control Functions;
the monitoring of Conduct Risk, conducting in-depth analyses of the components of fiscal and legal risk to which the Group is exposed;
the update of the risk measurement internal models
the review of reports on activities performed by Internal Control Functions during 2023, as well as the respective action plans for 2024 (and/or long-term plans) and subsequent proposed revisions and updates;
the appointment of the heads of the (i) Internal Validation and (ii) risk control (risk management function) functions, pursuant to Bank of Italy Circular No. 285 of December 17, 2013, as well as their remuneration;
the examination of issues concerning relations with the Supervisory Authorities, with particular regard to in-depth analysis of the results of inspection activities, the preparation of the related remediation plans by carrying out careful control and monitoring activities on the implementation of corrective actions and on the fulfilment of the requests made by the Supervisory Authority;
the adoption and updating of relevant Regulations and legislation within the scope of the internal regulatory framework relating to the organisational and functional model of Banco BPM;
the assessment of the adequacy of the organisational, administrative, accounting and IT structure of Banco BPM and of strategically important subsidiaries, with specific reference to the internal control and risk management system;
the issues pertaining to the integration of the insurance sector, both in terms of governance and risk management and monitoring;
the qualitative and quantitative dimensioning of the Internal Control Functions;
the activities to update the 2024 Recovery Plan.

For the pursuit of its own activities in the year in question, the Committee received all the

information deemed necessary and the support of competent company functions. The data and information provided in support of the discussion of the topics in the meetings of the Committee were managed in such a way as not to jeopardise the timeliness and completeness of the information flows. As a rule, 5 days before the meeting, according to the terms set forth in the Regulation of the Internal Control and Risk Committee, the documentation produced by the company functions concerned was made available to the Directors, except on certain occasions in which, albeit with adequate advance, a delay was recorded due to the particular sensitivity of the subject matter or the nature of relevant or inside information contained therein.

A total of 18 meetings were scheduled for 2025, of which 4 had already been held by the date of approval of this Report.

Sustainability Committee

Pursuant to art. 24.4.1 of the By-Laws, the Board of Directors has the power to establish additional committees to those already provided for in the same provision, with advisory, investigative and propositional powers, by drawing up the appropriate regulations. Each committee must include at least one member who meets the independence requirements laid down in the By-Laws.

At the meeting of April 26, 2023, the Board of Directors established a "Sustainability Committee" (hereinafter also referred to as the "Committee") from among the "Other Committees," providing that it be composed of three directors, all of whom are non-executive and the majority of whom (including the person elected to the position of Chairman) meet the independence requirements set forth in Article 20.1.6. of the By-Laws. The Chairman of the Committee cannot be the Chairman of strategic supervisory body or the Chairman of other committees.

A Board resolution of May 29, 2023 approved the Regulations that determine the powers and operation of the Committee in accordance with relevant external and internal regulations, also taking into account the provisions of the Corporate Governance Code with reference to the objectives of sustainable success. The Regulations were updated on July 2, 2024 in order to incorporate changes in the Bank's organizational structure relevant to the Committee's operations and, more recently, on October 1, 2024, to ensure the consistency of the relevant provisions with the activities carried out by the Committee over time.

Pursuant to the aforementioned board resolution and the Sustainability Committee Regulation in force, it is envisaged that, without prejudice to the additional requirements prescribed by the legislation in force at the time, the members of the Committee must have sufficient knowledge, skills and experience to be able to fully understand and monitor the pursuit of the strategies and the Group's guidelines in the area of sustainability and in its "Environmental, Social and Governance" (also "ESG") dimensions. At least one member of the Committee must have adequate experience in the field of sustainability, in particular the related risk reporting and management, to be ascertained by the Board of Directors at the time of appointment.

The Sustainability Committee, established by board resolution of 26 April 2023, is composed, as of the date of this report (and until the approval of the financial statements for the year 2025), of the following three directors: Mrs. Luigia Tauro (Chairman), Mrs. Chiara Mio and Mr. Alberto Oliveti. All members of the Committee are non-executive, independent directors (including the Chairman) and comply with the requirements and knowledge, skills and competences required by current legislation (including regulatory, external and internal), in force at the time of their appointment, including the experience required by the Chairman of the Fit & Proper Policy Committee and the Qualitative-Quantitative Composition.

The Sustainability Committee performs support functions for the Board of Directors and the Bank's other Board Committees on sustainability matters, with competence applying to the entire Group; the Committee is entrusted with overseeing the evolution of ESG dimensions, including in the light of legislation, practice and academia, indications emerging from the materiality analysis, as well as market developments in the area of competence. In this context, the Sustainability Committee, without prejudice to the respective responsibilities of the other internal board committees, in particular the Internal Control and Risk Committee and the Remuneration Committee, performs, inter alia, functions to support the Board of Directors in:

defining and approving strategic guidelines on sustainability, also examining proposals and making

recommendations;

assessing proposed project initiatives (i) in order to integrate sustainability into business processes, consistent with regulatory developments and the strategic guidelines defined in the Strategic Plan with reference to ESG dimensions, and (ii) for the development and promotion of the territories and communities where the Group is based.

The Sustainability Committee also:

examines communications, requests and, in general, correspondence with the Supervisory Authorities on ESG dimensions, liaising with the Internal Control and Risk Committee through its Chairman;
supports the Board of Directors in monitoring the adequacy and consistency of initiatives aimed at implementing the defined strategic guidelines on sustainability;
assesses in coordination with the Manager in charge of preparing corporate accounting documents and with the Board of Statutory Auditors, also hearing, if deemed appropriate, the persons in charge of certifying compliance - the correct use of the principles and standards provided by the reference norms for the preparation of sustainability reporting, examines their content, including for the purposes of the internal control risk management system, and expresses its opinion to the Board of Directors;
screens the contribution pertaining to ESG dimensions within the scope of disclosures distributed to the public and, in particular, the Public Disclosure (so-called "Pillar 3"), expressing its observations for the latter to the Internal Control and Risk Committee;
examines the outcomes of Risk Identification, the Risk Appetite Framework, the related Guidelines, and the Risk Appetite Statement, sharing its observations with the Internal Control and Risk Committee with respect to the indicators referring to ESG dimensions;
examines, with respect to sustainability objectives, credit policy guidelines, their implementation and monitoring, sharing its observations with the Internal Control and Risk Committee;
promotes the adoption of remuneration policies that envisage the integration of ESG objectives into incentive plans in order to underline the importance of these aspects by enhancing management's contribution to the achievement of sustainability objectives. On these aspects, it coordinates and consults with the Remuneration Committee through its Chairman;
oversees the integration of sustainability aspects in the context of banking and investment services, as well as in investment and funding strategies for the property;
examines internal sustainability regulatory documents submitted to the Board of Directors for approval, including the Code of Ethics.

The Sustainability Committee expresses its observations to the Committees and/or formulates its opinions and/or assessments to the Board of Directors through its Chairman.

This is subject to any other power given to the Committee pursuant to the law or regulations, or supervisory regulations or decided upon by the Board of Directors.

The Regulation also provides that the Sustainability Committee, through its Chairman, reports to the Board of Directors, when necessary, on the results of the activity carried out, and, in relation to its area of competence, may exchange all information of mutual interest with the Internal Control and Risk Committee, the Remuneration Committee and the Director in charge of the internal control and risk management system regarding the latter's work on ESG dimensions and, in particular, on climate and environmental dimensions.

The Chairman of the Sustainability Committee is invited to participate in the Internal Control and Risk Committee and Remuneration Committee meetings when topics that have sustainability implications are discussed.

The Sustainability Committee also collaborates and coordinates with the internal Committees of the Boards of Directors of the other Group companies, through its Chairman, without prejudice to the responsibilities of each Committee.

In performing its activities, the Committee has also access to all business areas and corporate functions within Banco BPM and the companies of the Group, including central offices and peripheral structures, and has the right to obtain any information, data or copies documents deemed necessary to carry out its tasks.

Within the limits of the amount of the annual budget approved by the Board of Directors, the Committee may also make use of external expert advice from independent persons of recognised expertise. In any case, the Board of Directors will ensure that the Committee is suitably equipped with adequate resources to fulfil its tasks and exercise its powers.

The Sustainability Committee meets when convened by the Chairman, whenever the latter deems it appropriate, by notice, containing an indication of the items to be discussed on the agenda, to be sent via any means, which guarantees receipt, sent at least three days before the date set for the meeting, in time to provide the members with sufficient information on the issues to be discussed, and this shall be followed by delivery of the necessary documentation, where available, to ensure the best operation of the Committee work. The notice is sent to the Committee members, as well as to the Chairman of the Board of Directors and Chairman of the Board of Statutory Auditors for information.

The Chairman of the Board of Statutory Auditors (or another statutory auditor designated by the Chairman) and, as a permanent guest, the Head of the Transition and Sustainability function (from July 2024, prior Head of the function named Communication and Sustainability) attend the meetings of the Committee. The following may be invited to attend the meetings, in relation to the topic being discussed: (i) the Chairman of the Board of Directors, (ii) the Chief Executive Officer, (iii) the other directors, (iv) where appointed, the General Manager and the Co-General Managers, (v) the managers of the internal control functions, (vi) informing the Chief Executive Officer, the managers of the corporate functions of Banco BPM and of other Group companies, (vii) the members of the Supervisory Board pursuant to Italian Legislative Decree 231/2001, (viii) the parties assigned the independent auditing of the accounts, (ix) other parties whose presence is deemed useful by the Committee.

The Chairman coordinates the Committee's work. The data and information provided to support the discussion of the topics are managed with methods of protection of confidentiality, through a dedicated application, and in such a way as to not jeopardise the timeliness and completeness of the information flows.

If a Committee member has a personal interest or third-party interest in an item to be discussed, they must inform the Committee and abstain from participating in the debate and voting.

When the minutes of the resolutions cannot be drawn up in time for the Board of Directors and/or a Committee meeting in which a proposal must be formulated or an opinion provided, the Chairman of the Sustainability Committee must inform the Committee and the Board of Directors, also verbally, at the next Board meeting, of the resolutions adopted by the Committee.

As envisaged by the specific Regulation, the Chairman of the Sustainability Committee reports to the Board, usually at the first meeting, on the activities carried out by the Committee, making available the index of the topics of the meeting and providing a summary illustration thereof, possibly also in verbal form.

During the year 2024, the Sustainability Committee met 17 times, with an attendance rate of 96% and an average meeting duration of approximately one hour and thirty minutes.

The participation of the Chairman of the Board of Statutory Auditors or another statutory auditor designated by the Chairman was 100%. The Head of the Transition and Sustainability function (since July 2024, previously the Head of the function which was then named Communication and Sustainability) and, with regard to individual items on the agenda, a number of Bank managers were invited to attend Committee meetings on a permanent basis.

In fiscal year 2024, in continuity with the previous one, the Committee conducted the activities within its competence, carrying out an advisory and/or proposal function, vis-à-vis the Board of

Directors and the other Committees according to their respective responsibilities.

For the year at stake, the data and information provided to support the discussion of the topics in the meetings of the Sustainability Committee were managed in such a way as to not jeopardise the timeliness and completeness of the information flows. At the date of sending the call for each meeting, according to the terms set forth in the Regulation of the Sustainability Committee, the documentation produced by the company functions concerned was made available to the Directors, except on certain occasions in which, albeit with adequate advance, a delay was recorded due to the particular sensitivity of the subject matter or the need to update documents in light of recommendations made by other committees.

The main areas covered during the Committee's meetings during 2024 were, in descending order of recurrence of related topics:

ESG Risk and Compliance, examining the outcomes of Risk Identification, the Risk Appetite Framework, related Guidelines and the Risk Appetite Statement, as well as scrutinizing the contribution pertaining to ESG dimensions in the context of Public Disclosure (so-called "Pillar 3") and in relation to credit policy guidelines, their implementation and related monitoring;
ESG governance, analyzing, in relation to assigned responsibilities, changes in organizational structure and disclosures spread to the public as well as defining a tool for monitoring the adequacy and consistency of initiatives aimed at implementing identified strategic directions in sustainability;
ESG Reporting, overseeing the project activities dedicated to the transposition of the former Corporate Sustainability Reporting Directive (also "CSRD") regulations as well as the process of preparing the Consolidated Non-Financial Statement 2023 and that defined for the next Consolidated Sustainability Reporting;
Relations with Supervisory Authorities, reviewing communications, requests and, in general, correspondence with Supervisory Authorities on ESG dimensions relating specifically to the Bank or addressed to all supervised entities;
ESG Strategy and Objectives, assessing the development of the project initiatives adopted in order to integrate sustainability into business processes, with particular reference to the commitments made by joining the Net Zero Banking Alliance initiative and the targets set for the selected priority areas;
ESG ratings, overseeing the updating of those assigned to the Bank.

19 meetings of the Sustainability Committee have been scheduled for FY2025, five of which have already been held as of the date of approval of this Report

Related Parties Committee

Pursuant to article 24.4.1. of the By-Laws of Banco BPM S.p.A, the Board of Directors shall establish a Related Parties Committee, the "Related Parties Committee", internally, approving the Regulation, which will determine its responsibilities and operation in accordance with prevailing laws and regulations.

The Related Parties Committee will comprise three Directors in accordance with the By-Laws, all of whom meet the independence requirements pursuant to the By-Laws (Article 20.1.6); it shall be in charge of ensuring the smooth and unambiguous management of the CONSOB rules on Related Parties and the Provisions of the Bank of Italy on risk activities and conflicts of interest with respect to Connected Persons.

The Related Parties Committee — renewed with board resolution of 26 April 2023 — comprises the following three directors on the date of this report (and until the approval of the 2023 financial statements): Paolo Boccardelli (Chairman), Paola Ferretti and Luigia Tauro, all meeting the statutory independence requirement.

The Committee fulfills the duties and exercises the powers attributed to the independent directors:

a) by article 2391-bis of the Italian Civil Code and related implementing and regulatory provisions (CONSOB Decision no. 17221 of 12 March 2010 and subsequent amendments and additions, CONSOB Communication DEM/10078683 of 24 September 2010 and subsequent amendments

and additions) and company rules (Regulation on the management of transactions with parties in conflict of interest adopted by the Parent Company and other Group Banks and Companies);

b) by article 53, paragraphs 4 and 4-quater of the Consolidated Banking Law and related implementing and regulatory provisions (Bank of Italy Circular no. 285/2013 and subsequent amendments and additions) and company rules in force (Regulation on the management of transactions with parties in conflict of interest adopted by the Parent Company and other Group Banks and Companies).

In the performance of its duties, the Committee has also access to all areas of activity and corporate functions of the Company and of the other Group companies, both through central offices and peripheral structures, and has the right to obtain any information or data deemed necessary for the performance of its task. In any case, the Board of Directors guarantees that the Committee has adequate resources available to fulfil its tasks and exercise its powers, establishing a budget annually, within the limits of which the Committee may make use of external specialist consulting from entities with recognised experience.

Committee meetings are called by the Chairman or whoever is acting on his/her behalf, whenever they deem it appropriate, by notice, containing an indication of the items to be discussed on the agenda, to be sent via any means, which guarantees proof of receipt, sent at least three days before the date set for the meeting, in time to provide the members of the Committee with sufficient information on the issues to be discussed.

Pursuant to art. 10 of the Related Parties Committee Regulation, if a member of the Committee is, with respect to an individual transaction, a counterparty or a Related Party in accordance with article 2391-bis of the Italian Civil Code (provided that the transaction is among those governed by article 2391-bis), or a Connected Person in accordance with the Supervisory Provisions of the Bank of Italy, or has an interest in the transaction pursuant to art. 2391 of the Italian Civil Code, or has, other than in the previous cases, relations with the counterparty such as to impair its independence with respect to the same (the "Interested Director"), the aforesaid Interested Director is replaced by the independent, unrelated Director outside the Committee who is senior in age and who does not incur the aforesaid impediments. The related declaration must be given by the Director with an Interest as soon as they have enough information to make a reliable examination regarding a transaction. If there is more than one Director with an Interest, the duties of the Committee will be carried out by the remaining members (or substitutes) or individually by the sole independent director without an interest if it is not possible to substitute other independent directors without an interest.

The Director with an Interest will not attend or take part in the meetings regarding the communications, discussions or decisions of the Committee relating to the transactions that relate to the impediment.

The Chairman of the Board of Directors, the Chief Executive Officer, the other directors, where appointed the General Manager, the Co-General Managers, the managers of the internal control functions as well as, informing the Chief Executive Officer of them, the managers of the company functions of Banco BPM S.p.A. and of the other Group companies competent on the matter, and other parties whose presence is deemed useful by the Committee may be invited to attend meetings.

The members of the Board of Statutory Auditors have the right to attend Committee meetings. Pursuant to article 8.2 of the Related Parties Committee Regulation, a standing member of the Board of Statutory Auditors designed by the Chairman of said Board attends the meetings.

Specific minutes are drawn up by a Secretary designated by the Committee, even if not a member, for each Committee meeting. The reports must show the reasons behind the vote expressed by each member.

If the minutes of the resolutions cannot be sent in time to the Board of Directors or any other body in charge of deciding on the transaction or proposal to which the opinion refers, the Chairman of the Committee must notify, also verbally, the body in charge of the decisions made by Committee itself.

In the period between 1 January 2024 and 31 December 2024, the Related Parties Committee met 4 times to express the assessments required by the regulations on Related Parties (CONSOB regulations) and/or Connected Persons (Bank of Italy regulations) and to acknowledge the information reports on

(i) monitoring the limits to risk exposures to Connected Persons in which the Chief Risk Officer or his/her direct collaborator participated; (ii) periodic reporting (quarterly) of the transactions entered into in the applicable period.

More specifically, during the above-mentioned meetings, the Related Parties Committee monitored constantly the level of exposure to Connected Persons and consequently the compliance with the related risk limits, giving evidence of the checks carried out in meetings held on a periodic basis (quarterly).

2 meetings were held between January 1, 2025 and the date of approval of this Report.

6.6 REMUNERATION

The information concerning, inter alia, the remuneration of the executive and non-executive Board Members and the managers with strategic responsibilities, and the general remuneration policies and any share-backed remuneration plans are available in the "Remuneration Report" published in accordance with article 123-ter of the Consolidated Law on Finance.

Furthermore, with regard to incentive schemes and remuneration policies linked to sustainabilityrelated performance (ESRS 2 - Par. 27, 29), please refer to the Sustainability Reporting, Section "General Information", Paragraph "Integration of sustainability-related performance in incentive systems".

6.7 INDEPENDENT AND NON-EXECUTIVE DIRECTORS

Independent directors

Regarding the independence requirement, it should be noted that, based on the Code of Corporate Governance, independent directors are defined as "non-executive directors who do not have, nor have recently had, directly or indirectly, any relationships with the company or persons linked to the latter, of such a significance as to influence their autonomy of judgement". Recommendation no. 5 contained in the Code of Corporate Governance also sets forth that "in large companies [understood as those whose capitalisation exceeded Euro 1 billion on the last open market day in each of the three previous calendar years, a category Banco BPM falls under] independent directors must make up at least one half of the administrative body".

Recommendation no. 7 contained in the Code of Corporate Governance sets forth that the "circumstances that compromise, or appear to compromise the independence of a director include at least the following:

a) if he/she is a significant shareholder of the company;
b) if he/she is, or has been in the previous three financial years, an executive director or an employee:
- − of the company, one of its strategically relevant subsidiaries or a company subject to joint control;
- − of a significant shareholder of the company;
c) if he/she has, or had in the previous three financial years, directly or indirectly (e.g. through subsidiaries or companies in which he/she is an executive director, or in the capacity as partner of a professional firm or consulting firm) a significant commercial, financial or professional relationship:
- − with the company or its subsidiaries, or with the associated directors or the top management;
- − with a party that, also together with others through a shareholders' agreement, controls the company; or if the parent company is a company or entity, with the associated executive directors or the top management;
d) if he/she receives, or has received in the previous three financial years, from the company, one of its subsidiaries or parent companies, significant additional remuneration to the fixed compensation for office or to that envisaged for participation in the committees recommended by the Code or required by the legislation in force;
e) if he/she has been a director in the Company for more than nine years, including non-

consecutive, out of the last twelve;

f) if he/she holds the position of executive director in another company in which an executive director of the Company is a director;
g) if he/she is a partner or a director of a company or of an entity belonging to the network of the company appointed for the external auditing of the Company;
h) if he/she is a close relative of a person who holds any position listed in the above paragraphs".

For the purposes of the above, a "significant shareholder" is "a party that, directly or indirectly (also through subsidiaries, trust companies or third parties), controls the company or is able to exercise a significant influence over the same, or participates, directly or indirectly, in a shareholders' agreement through which one or more parties may exercise control or a significant influence over the company" (definitions of the Code of Corporate Governance).

In accordance with article 147-ter, paragraph 4 of the Consolidated Law on Finance, where the Board of Directors has more than seven members, at least two of the Directors must fulfil the requirements of independence established for Statutory Auditors by article 148, paragraph 3 of said law.

It should also be noted that the Shareholders' Meeting held on 7 April 2022 approved the proposed amendments to some articles of the By-Laws, including 20.1.6 and 20.1.7, resolved upon by the Board of Directors of Banco BPM at its meeting on 14 December 2021, aimed at harmonising and adjusting the statutory requirement regarding the independence of directors with the provisions introduced by Italian Ministerial Decree no. 169 of 23 November 2020 ("MD 169"), acknowledging additional provisions contained in the Code of Corporate Governance. In particular, (i) the concept of "significant shareholder", which is included in the Code of Corporate Governance and supplemented by the provisions regarding the definition of Bank's "participant" introduced by Italian Ministerial Decree 16, has been introduced into the By-Laws, and (ii)the list of situations has also been added, upon verification of which a director no longer meets the independence requirement envisaged statutorily under the cases provided for in article 13 of Italian Ministerial Decree 169 regarding the independence of directors.

In light of the above, also in order to acknowledge the updates made by the Code of Corporate Governance, in force from 1 January 2021, with reference to circumstances that are relevant for the purposes of the evaluation of the existence of the independence requirement, the Company's By-Laws make provision for the following in particular:

(i) a single definition of independence (see article 20.1.6. of the By-Laws), which, on the one hand, takes into consideration the provisions of article 148, paragraph 3 of the Consolidated Law on Finance noted above and the recommendations set forth in the Code of Corporate Governance and, on the other hand, meets the need for having an easy way to assess significant situations (relating to degree of kinship, financial or professional relationships, etc.);
(ii) regarding the minimum number of members who must meet the aforementioned statutory independence requirement, the setting of a quota of independent directors equal to at least 8 (eight) members of the Board of Directors (see article 20.1.5. of the By-Laws), equal therefore to more than half of the members of said Board. In this regard, it is pointed out that the aforementioned recommendation no. 5 contained in the Code of Corporate Governance sets forth that "in large companies [understood as those whose capitalisation exceeded Euro 1 billion on the last open market day in each of the three previous calendar years, under which Banco BPM falls] independent directors must make up at least one half of the administrative body". Taking into account that the FAQs of the Corporate Governance Committee make provision for rounding off, according to the arithmetic criterion, the non-whole numbers of independent directors (and, in particular, where the decimal figure is equal to or greater than 5, the figure is rounded up to the nearest unit), therefore Banco BPM must have eight independent directors. The Code of Corporate Governance requires, in this regard, that "large companies" apply the recommendations relating to the presence of independent directors in the administrative body (recommendation no. 5) starting from the first renewal of the administrative body after 31 December 2020. Therefore, taking into account that the renewal of the administrative body took place at the Shareholders' Meeting held on 4 April 2020, Banco

BPM would be required to apply the aforementioned recommendation no. 5 on the occasion of the renewal of the administrative body which was submitted to the shareholders' meeting called to approve the financial statements as at 31 December 2022, but has already deemed it appropriate to incorporate it in the amendments to the By-Laws approved at the Shareholders' Meeting held in April 2021;

(iii)the definition of "executive directors" in accordance with the instructions in the Supervisory Provisions, since the independence requirement provides for, inter alia, the director to be nonexecutive (which can therefore be reconstructed a contrariis).

The provisions of the By-Laws relating to the independence requirement are set out below:

"20.1. – Composition, number and requirements

20.1.6. For the purposes of these By-Laws, Directors shall be deemed to be Independent Directors if they do not maintain, nor have recently maintained, directly or indirectly, any professional, pecuniary, personal or other relationship with the Company or any related party such as to influence the objectivity and balance of their judgement, provided that a director shall not, in any event, be deemed to be an Independent Director if he/she is in any of the following situations:

a) is a significant shareholder of the Company, meaning a person who, directly or indirectly (through subsidiaries, trustees or intermediaries) acquires a shareholding equal to or greater than the percentages for which the legislation in force at the time requires authorization to be issued, or which entails the acquisition of control of the Company or the possibility of exercising significant influence over it, or who participates in a shareholders' agreement through which one or more persons exercise control or significant influence over the Company;
b) holds, or has held in the last two years, at a Company's significant shareholder or companies controlled by it, the positions of Chairman of the Board of Directors, the Management Board or Supervisory Board or member with executive duties, or has held, for more than nine of the last twelve years, positions as member of the Board of Directors, Supervisory Board or Management Board as well as management positions at a Company's significant shareholder or companies controlled by it;
c) is, or has been a significant representative in the previous three financial years meaning by such: the Chairman of the Board of Directors, when he/she has been attributed management powers or the authorization to draw up company strategies, the "executive directors" and "top management" — of the Company, of a subsidiary of the same with strategic significance or of a company under joint control with the Company, or of a significant shareholder of the Company;
d) holds the position of independent director in another Banco BPM Group bank, except in the case of banks among which there is a direct or indirect full control relationship;
e) has been a director of, or has held management positions with, the Company for more than nine years, including non-consecutive, out of the last twelve;
f) holds the position of executive director in another company in which an executive director of the Company is also a director, even if non-executive;
g) is a partner, director or employee of a company or of an entity belonging to the network of the company assigned the external auditing of the Company;
h) receives or has received, in the previous three financial years, from the Company or one of its subsidiaries or parent companies, a significant additional remuneration (with respect to the "fixed" compensation and the remuneration for participation in the internal Board of Director committees, any attendance fee for presence at meetings), including therein any participation in bonus plans linked to company performance, also share-based plans;
i) has, or has had, directly or indirectly (for example through subsidiaries or those in which he/she is a significant representative, or as partner of a professional firm or consulting firm), a significant professional, equity, business or financial relationship, even non continuous, in the previous three financial years:

- with the Company, one of its subsidiaries or with any of the respective Chairmans or significant representatives;
- with a significant shareholder of the Company, or in the case of a company or entity — with its Chairmans or significant representatives;
- with companies under joint control with the Company;is, or has been in the previous three financial years, an employee, independent contractor or had a working relationship, even non continuous, with one of the above-mentioned parties; for the sole purposes of this letter i), relations that are held by the director with close family members, as defined below, of the significant representatives of the Company, one of its subsidiaries or a company subject to joint control with the Company, or of a significant shareholder of the Company, are also significant;
j) holds or has held one or more of the following positions in the last two years:
- - member of national and European parliament, of the Government or the European Commission;
- - regional, provincial or municipal councillor or council member, president of a regional council, president of a province, mayor, president or member of a district council, Chairman or member of the Board of Directors of consortia formed of local entities, president or member of the boards or councils of unions of municipalities, board director or Chairman of special companies or institutions pursuant to article 114 of Italian Legislative Decree no. 267 of 18 August 2000, mayor or councillor of metropolitan cities, president or member of mountain or island community bodies, when the overlapping or proximity between the reference territorial area of the entity in which the aforementioned positions are held and the territorial structure of the Company or of the Group as are such to compromise his/her independence;
k) is a close family member (meaning by such, the spouse, provided they are not legally separated, relative or in-law to the fourth degree of kinship, the person bound in a civil partnership or the de facto common law spouse or children of the person bound in a civil partnership or of the de facto common law spouse and cohabiting family members) of a person who is in one of the situations pursuant to the points set out above;
l) is a close family member of a director of the Company or the directors of its subsidiaries, its parent companies or those subject to joint control;
m) falls into any other category that fails to meet the requirement of independence envisaged by the legislation in force at the time.

For the purposes of this article 20.1.6, the following are considered to be "executive directors":

(i) the chief executive officer, directors to whom the Board of Directors has granted powers pursuant to article 2381, paragraph two of the Italian Civil Code (and article 24.2.2, letter f), of the By-Laws) and directors who de facto carry out roles pertinent to the current management of the company for which they serve as directors;
(ii) directors who are members of an executive committee;
(iii) members of a board of directors who hold managerial positions in the company they manage, supervising certain areas of company management.

Additionally, again for the purpose of this article 20.1.6, subjects who are not members of the governing body and have the power and responsibility, directly or indirectly, for the planning, management and control of the activities of a company or a group which it heads up, are considered "top management".

The Board of Directors will generally determine the quantitative and/or qualitative criteria that could determine the materiality of the relationships indicated in letters h) and i) of the first paragraph of this article 20.1.6.".

"20.1.7. The requirements set forth in this article 20.1. may be combined in the same person, it being understood that an executive director of the Company, of one of its subsidiaries having

strategic relevance or of a company under joint control with the Company, or of a significant shareholder of the Company, may not be considered an Independent Director under article 20.1.6. above".

It should also be noted that, at its meeting on 16 April 2024, the Board of Directors most recently updated the criteria, originally established by means of resolution of 1 January 2017, to determine the significance of the cases indicated in article 20.1.6., paragraph 1, letters h) and i) of the By-Laws. In particular, significance thresholds were identified with respect to the following cases:

additional remuneration (including any participation in incentive plans linked to business performance, including share-based) received by the representative with respect to the sum of the following amounts: i) "fixed" remuneration for the office, including that attributed by reason of the special position held; ii) only for the Directors, remuneration for membership of committees of the Banco BPM Board of Directors; iii) any meeting attendance fee. In any event, this is without prejudice to decisions made by resolutions passed at Shareholders' Meetings with regard to remuneration and incentive policies for members of the Board of Directors;
direct/indirect relations, even non-continuous, of a professional and asset-based nature, including trade relations (taking into consideration the financial position of the interested party) and financial relations (with due regard to the value of the credit facility granted/used, its weighting with respect to the system figure and the financial position of the borrower).

"Indirect" relations were also identified (companies or entities attributable to the member, as well as close relatives as specified in art. 20.1.6. of the By-Laws), relevant for the purpose of the independence requirement.

In accordance with article 20.3.5. of the By-Laws, the loss of the independence requirement pursuant to article 20.1.6. by a director will not result in the loss of office if the requirements are still met by the minimum number of directors who, in accordance with the By-Laws and in compliance with the prevailing laws, have to meet said requirement.

The Board of Directors of 7 may 2024 (taking into account the above-mentioned resolutions) verified, as an annual verification, the independence requirement pursuant to art. 20.1.6. of the By-Laws, which takes into account the provisions of art. 148, paragraph 3, of the Consolidated Law on Finance, art. 13 of Ministerial Decree 169/2020, as well as the recommendations contained in the Code of Corporate Governance to which Banco BPM has adhered, in respect of all its members, observing its existence as indicated below: Massimo Tononi (Chairman) (*)17; Giuseppe Castagna (Chief Executive Officer); Maurizio Comoli (Vice Chairman) (*); Mario Anolli (*); Paolo Boccardelli (*); Paolo Bordogna (*); Nadine Faruque (*); Paola Ferretti (*); Marina Mantelli (*); Chiara Mio (*); Alberto Oliveti (*); Mauro Paoloni (**)18; Eugenio Rossetti (*); Manuela Soffientini (*); Luigia Tauro (*).

The names of the Board Directors who were found to be non-independent in accordance with article 20.1.6. of the By-Laws are reported below:

Mr Giuseppe Castagna, due to: i) his position as Chief Executive Officer and therefore, due to his classification as "executive director" (art. 20.1.6., paragraph 1, letter c), of the By-Laws; art. 13, paragraph 1, letter d) of MD 169/2020; art. 2, Recommendation no. 7, letter b) of the Code of Corporate Governance; art. 148, paragraph 3, letter c), of the Consolidated Law on Finance), and as an employee of Banco BPM (art. 20.1.6., paragraph 1, letter i), of the By-Laws; art. 13, paragraph 1, letter h) MD 169/2020; art. 2, Recommendation no. 7, letter b) of the Code of Corporate Governance; art. 148, paragraph 3, letter c), of the Consolidated Law on Finance); ii) the receipt of significant additional remuneration in the previous three years, also considering the criteria for such purpose identified with the board decision mentioned above (art. 20.1.6., paragraph 1, letter h), of the By-Laws; art. 2, Recommendation no. 7 letter d) of the Code of Corporate Governance; art. 148, paragraph 3, letter c), of the

¹⁷ (*) Independent Director pursuant to art. 20.1.6. of the By-Laws and therefore also pursuant to art. 148, paragraph 3, of the Consolidated Law on Finance and art. 13 of Ministerial Decree 169/2020, as well as the recommendations contained in the Code of Corporate Governance.

¹⁸ (**) Independent Director pursuant to article 148, paragraph 3, of the Consolidated Law on Finance and art. 13 of Ministerial Decree 169/2020.

Consolidated Law on Finance);

Mauro Paoloni, by virtue of the receipt in the previous three years by the subsidiarie Banca Akros S.p.A., where he's the Chairman of the Board of Directorsof a significant additional remuneration, taking into account the criteria identified with the board resolution referred to above (art. 20.1.6., paragraph 1, letter h) of the By-Laws; art. 2, Recommendation no. 7, letter d) of the Code of Corporate Governance), while maintaining the independence requirement, individually considered, pursuant to art. 148, paragraph 3, of the Consolidated Law on Finance and art. 13 of Ministerial Decree 169/2020.

In any case, the Board of Directors — after assessing pursuant to art. 15, paragraph 3 of Ministerial Decree 169/2020 that the organisational and procedural measures adopted by the Banco BPM Group in compliance with the legislative and regulatory provisions in force regarding conflicts of interest (art. 2391 of the Italian Civil Code; art. 136 of Italian Legislative Decree 385/1993; art. 6, paragraph 2-novies, of the Consolidated Law on Finance, CONSOB regulation on Related Parties and Bank of Italy regulation regarding Connected Persons) constitute effective safeguards for the prevention and mitigation of potential conflicts of interest — considered that the aforementioned directors can exercise their mandate with independent judgement also pursuant to and in accordance with the provisions of paragraph 2.7 of the Regulation "Requirements and suitability criteria for fulfilment of the engagement of company representative for the Banco BPM Group", of MD 169/2020 and of European Regulation.

Following the above-mentioned inspection, a specific press release was issued.

The number of Board Directors who have been declared as being independent in accordance with article 20.1.6. of the By-Laws, and therefore also pursuant to MD 169/2020, the Code of Corporate Governance as well as article 148, paragraph 3, of the Consolidated Law on Finance, fully complies with the criteria set out by each statutory, regulatory and legislative source mentioned above.

The Board of Directors, upon appointment and afterwards if any significant situations occur with regard to the independence, and in any case once a year, shall assess its members with respect to the independence requirements on the basis:

of information provided by the interested parties (in reference to all cases envisaged in art. 20.1.6. of the By-Laws and applicable legislation as well as criteria identified by specific board decisions);
of other information already in the possession of the Bank;
of documentation provided by the relevant internal technical departments and made available to Directors,
bearing in mind as specified by the Corporate Governance Committee that:
cases indicating the absence of independence listed in the By-Laws are not to be considered obligatory since the substantive element is understood to prevail over merely formal elements (i.e., the occurrence of one or more situations that would indicate the presence/absence of independence);
independence of judgement expressed in the performance of duties is considered to be a significant assessment factor in ascertaining the independence requirement.

The result of the inspections is made known, upon appointment, by a press release to the market, and afterwards if any significant situations occur that relate to the independence, and in any case once a year, as part of the report on corporate governance.

With reference to the "independence" requirement, we should note that, as desired by the Corporate Governance Committee of listed companies that underlines the importance of its assessment on a substantive basis, and not on a merely formal basis, it is also characterised by the independence of judgement required of all Directors, executive and non-executive, and the awareness of their independence in the exercise of the position held.

This is reflected, in Banco BPM, through ways of behaviour that involve full freedom of thought and expression of the Independent Directors, which can be inferred, especially, from the broad

discussions, with the involvement of all the Directors, during the board approval of proposals and projects.

The purpose of the independent directors is to balance out the executive directors, and provide a significant contribution to the development of dialogue in the respective board bodies they belong to and to the in-depth examination of the problems and decisions that said bodies have to make.

To be noted is that in 2024 the independent directors of Banco BPM signed a declaration in which they classified themselves as independent in accordance with the By-Laws (and therefore also in accordance with the Code of Corporate Governance and article 148, paragraph 3, of the Consolidated Law on Finance), undertaking to continue to meet this requirement during the entire duration of the term of office and to give notice of any subsequent situation that may occur that would influence said independence.

In accordance with recommendation no. 5 of the Code of Corporate Governance, in 2024, the 13 independent directors of Banco BPM met, without the other directors, on 16 December 2023.

* * *

On this occasion, attention was focused (i) on enhancement, with a view to continuous improvement, the level of synthesis and systematization of the contents of the documentation supporting the meetings, with particular regard to the use of a language more "inclusive" in order to improve the effectiveness (ii) on the importance that the Board of Directors proactively pursues the activity of challenge vis-à-vis management, also in the dashboard of risk culture.

It was also considered unnecessary to appoint an independent director as the lead independent director since the conditions provided for on that point by Recommendation no. 13 of article 3 of the Code of Corporate Governance were not met.

* * *

Non-Executive Directors

At the date of this report, there are 14 Board Directors considered non-executive pursuant to the Code of Corporate Governance and, more precisely, the following: Massimo Tononi (Chairman); Maurizio Comoli (Vice Chairman); Mario Anolli; Paolo Boccardelli; Paolo Bordogna; Nadine Faruque; Paola Ferretti; Marina Mantelli; Chiara Mio; Alberto Oliveti; Mauro Paoloni; Eugenio Rossetti; Manuela Soffientini; Luigia Tauro, therefore, a number consistent with the provisions of the Code of Corporate Governance and the provisions of the By-Laws in force.

7 BOARD OF STATUTORY AUDITORS

The information below is also provided in accordance with article 123-bis, paragraph 2, letters d) and d-bis of the Consolidated Law on Finance.

The main provisions of the By-Laws, as amended on 7 April 2022, containing the rules on the Board of Statutory Auditors of the Company are illustrated below. For more information, please refer to the By-Laws on the website of Banco BPM (www.gruppo.bancobpm.it – under Corporate Governance -> Corporate Documents section).

7.1 APPOINTMENT, REPLACEMENT AND COMPOSITION OF THE BOARD OF STATUTORY AUDITORS

Pursuant to article 33.1. of the By-Laws, the Board of Statutory Auditors consists of five standing and three alternate auditors, who hold office for three years, expiring on the date of the Shareholders' Meeting called for the approval of the financial statements relative to the last financial year of their office, and can be reappointed. The Statutory Auditors must meet requirements of eligibility, independence, professionalism and integrity and respect the criteria of competence, fairness and time commitment as well as the specific limits to the maximum number of offices held, as set forth in the currently applicable regulations and the provisions of the By-Laws. More specifically, in compliance with article 33.2. of the By-Laws, at least two Standing Auditors and at least one Alternate Auditor must be enrolled in the Register of Auditors and have worked as a statutory auditor for a period of not less than three years.

Pursuant to article 33.3. of the By-Laws, the composition of the Board of Statutory Auditors guarantees gender balance, in compliance with the currently applicable legislation and regulations. In this regard, it should be noted that, in compliance with the legal and regulatory provisions that govern equal access to the control bodies of listed companies on regulated markets, two out of five Standing Auditors of the current Board of Statutory Auditors of Banco BPM belong to the less represented gender.

Pursuant to articles 34 and 35 of the By-Laws, the election of the Board of Statutory Auditors – without prejudice to different and additional provisions set forth in the law or regulations – is carried out on the basis of lists submitted by the shareholders representing a total of at least 1% of the share capital (or a different percentage established by the regulations), with the methods better detailed in the By-Laws and summarised below.

The lists, divided into two sections, one for candidates for the position of Standing Auditor and one for candidates for the position of Alternate Auditor, must indicate a number of candidates no higher than the number of Statutory Auditors to be elected. In each section, the candidates are listed with a sequential number. At least two of the candidates for the office of Standing Auditor and at least one of the candidates for the office of Alternate Auditor included in the respective sections of the list must be enrolled in the Register of Auditors and have exercised statutory audit activities for a period of not less than three years.

The lists that, considering both sections, present a number of candidates equal to or higher than three must also include, in both the section relative to the list of Standing Auditors and to that relative to Alternate Auditors, candidates of different genders in order to ensure that the composition of the Board of Statutory Auditors complies with prevailing laws on gender balance.

Each list must be submitted by one or more shareholders with voting rights who, individually or collectively, hold stakes amounting to at least 1% (one percent) of the Company's share capital, or to any other percentage established by prevailing laws, and that will be communicated, from time to time, in the notice convening the Shareholders' Meeting called to decide on the appointment of the Board of Statutory Auditors. The ownership of the minimum percentage of shares to submit the lists is determined with respect to the shares that are registered in favour of the individual shareholder, or by more shareholders on a joint basis on the day on which the lists were filed with the Company. The ownership of the number of shares necessary to submit the lists must be confirmed in accordance with revailing laws; this confirmation must be sent to the Company, even after the filing, as long as it takes place at least twenty-one days before the date of the Shareholders' Meeting in compliance with the set forth regulatory provisions.

A shareholder may not submit nor vote more than one list of candidates, even by proxy or through trust companies. Shareholders who belong to the same corporate group — with this meaning the

parent company, the subsidiaries and the companies subject to joint control — and shareholders who subscribe to a shareholders' agreement as set forth in article 122 of Italian Legislative Decree no. 58 of 24 February 1998 (Consolidated Law on Finance), regarding the shares of the Company, may not submit, and those who are entitled to vote may not vote for, more than one list, even if through third parties or through trust companies. In the event of failure to comply, the shareholder's signature shall not be counted for any of the lists.

Under penalty of forfeiture, the lists of candidates must be filed with the registered office, including through remote communication means defined by the Board of Directors in accordance with the mechanisms set forth in the notice calling the Shareholders' Meeting, which allow the identification of the parties who are filing, at least twenty-five days before the date of the Shareholders' Meeting, and made available to the public at the registered office, on the website of the Company and with any other mechanisms provided for under the law in effect at the time, at least twenty-one days before the date of the Shareholders' Meeting. Unless otherwise specified by prevailing laws, the following must be attached: (i) information on the identity of the shareholders who submitted the lists, indicating the total percentage shareholding held; (ii) an exhaustive disclosure of the personal and professional characteristics of each candidate, indicating the administration and control positions held in other companies; (iii) the declarations with which the individual candidates accept their candidature and confirm, under their own responsibility, the lack of grounds for ineligibility or incompatibility and the existence of the requirements provided by law or the By-Laws for the position; and (iv) a declaration by the shareholders that submitted the list and not those who hold, including jointly, a controlling interest or relative majority, confirming the absence (or presence) with those of relations linking them pursuant to article 144-quinquies, first paragraph, of CONSOB Regulation no. 11971/1999 and prevailing laws.

If, by the expiration of the above-mentioned deadline, only one list has been submitted, or only lists submitted by shareholders who, on the basis of the declarations made in accordance with article 34.6. of the By-Laws, are related to each other in accordance with prevailing laws, the Company will promptly give notice of this using the mechanisms provided by applicable law, and then proceed in accordance with the law.

Any lists submitted that do not fulfil the above-mentioned terms and procedures will be considered not to have been submitted. Any discrepancies or deficiencies concerning, or the lack of, documentation relating to individual candidates on a list will not automatically invalidate the entire list but only the candidates who are not compliant.

Each candidate may only form part of one list, if this condition is not met the candidate shall not be eligible. Anyone who does not hold the requirements provided by law or the By-Laws may not be elected and if they are elected, they shall be removed from office. Each voting shareholder may vote for one list only.

With regard to the election procedures, the procedure is as follows:

two Standing Auditors and one Alternate Auditor shall be drawn from the list that obtains the highest number of votes, in the sequential order in which they are listed on the sections of the list;
two Standing Auditors and one Alternate Auditor will be taken from the list that comes second in terms of number of votes and that is not linked, even indirectly, in accordance with prevailing laws, with the shareholders that submitted or voted for the list that came first in terms of number of votes, in the sequential order with which they are entered in the sections of the list. If the list obtaining the second highest number of votes is linked to the shareholders who submitted or voted for the list obtaining the highest number of votes, the two Standing Auditors and one Alternate Auditor shall be drawn, in the sequential order in which they are entered in the sections of the list, from the list obtaining the third highest number of votes and which is not linked, not even indirectly, in accordance with the provisions of the laws in force at the time, with the shareholders who submitted or voted for the list obtaining the highest number of votes;
one Standing Auditor, who will be appointed as the Chairman of the Board of Statutory Auditors, and one Alternate Auditor will be taken from the list that comes third in terms of number of votes and that is not linked, even indirectly, in accordance with prevailing laws, with the shareholders that submitted or voted for the lists that came first and second in terms

of number of votes, in the sequential order with which they are entered in the sections of the list. If the list obtaining the third highest number of votes is linked to the shareholders who submitted or voted for the lists obtaining the first and second highest number of votes, the Standing Auditor who will be assigned the office of Chairman of the Board of Statutory Auditors and an Alternate Auditor shall be drawn, in the sequential order in which they are entered in the sections of the list, from the list obtaining the fourth highest number of votes and which is not linked, not even indirectly, in accordance with the provisions of the laws in force at the time, with the shareholders who submitted or voted for the lists that came first and second by number of votes.

In the event of a tie between the various lists, the Shareholders' Meeting shall hold a new vote, only putting the lists with the tied votes to the vote. The candidates from the list that obtains the relative majority of the votes will be elected.

If only one list is submitted and this obtains the majority required by law for the ordinary Shareholders' Meeting, all the Statutory Auditors will be taken from this list, both standing and alternate. In this case, the chair of the Board of Statutory Auditors shall vest in the person indicated in first place in the section of the candidates for the position of Standing Auditor in the list submitted.

If only two lists are submitted: (a) three Standing Auditors and two Alternate Auditors will be taken from the list that obtains the highest number of votes, in the order in which they are listed in the sections of the list; and (b) two Standing Auditors and one Alternate Auditor will be taken from the remaining list that is not linked, even indirectly, in accordance with prevailing laws, with the shareholders that submitted or voted for the list that came first in terms of number of votes, in the order in which the candidates are listed in the sections of the list. The chair of the Board of Statutory Auditors will vest in the person indicated in first place in the section of the candidates for the position of Standing Auditor in the list pursuant to this letter (b).

If, at the end of the voting and considering separately the Statutory Auditors and Alternate Auditors, the minimum number of Statutory Auditors who must be enrolled in the Register of Auditors and have worked as statutory auditors for a period of no less than three years is not elected, taking into account the order in which they are listed in the respective section, the last elected Auditors who do not meet the said requirements, taken from the list that obtained the highest number of votes, shall forfeit their office related to the number necessary to ensure compliance with the requirement, and shall be replaced by the first candidates meeting said requirements and not elected, taken from the same section of the same list. In the absence of candidates meeting the above-mentioned requirements within the same section of the same list that has obtained the highest number of votes, in sufficient number to make the replacement, the Shareholders' Meeting will appoint the missing Standing or Alternate Auditors in accordance with the legally required majority to ensure that the requirement is met.

If, at the end of voting, the composition of the Board of Statutory Auditors, considering separately the Standing Auditors and Alternate Auditors, does not allow for compliance with the minimum number of Statutory Auditors belonging to the least represented gender, taking into account the order in which they are listed in the respective section, the last elected members of the most represented gender taken from the list that has obtained the highest number of votes shall forfeit their office related to the number necessary to ensure compliance with the requirement, and shall be replaced by the first candidates belonging to the least represented gender and not elected, drawn from the same section of the same list. In the absence of candidates belonging to the less represented gender in the relevant section of the list that obtained the highest number of votes in sufficient number to make the replacement, the Shareholders' Meeting will appoint the missing Standing or Alternate Auditors in accordance with the legally required majority to ensure that the requirement is met.

If no list is submitted, the Board of Statutory Auditors will be elected with the relative majority by the Shareholders' Meeting in accordance with the provisions of prevailing laws on gender balance and the eligibility, independence, professional competence and integrity requirements for Statutory Auditors.

If the Chairman of the Board of Statutory Auditors leaves, the Alternate Auditor taken from the same list that the Chairman was taken from will take over the position until the Board is made complete again in accordance with article 2401 of the Italian Civil Code.

Pursuant to article 35.12. of the By-Laws, if for any reason one or more Standing Auditors leave office, they shall be replaced by Alternate Auditors drawn from the same list in compliance with the professionalism requirements set forth in article 33.2. of the By-Laws and the principle of gender balance and, secondarily, in order of age. The incoming Statutory Auditors will remain in office until the following Shareholders' Meeting, which will complete the Board. If it is not possible to replace the Statutory Auditors in the manner described above, or if the Shareholders' Meeting is required by law to elect the Standing Auditors and/or Alternate Auditors necessary to supplement the Board of Statutory Auditors, the following procedure shall be adopted:

(i) if it has to replace the Statutory Auditors taken from the list that came first in terms of number of votes, the election will be by relative majority voting, without the requirement for a list, in accordance however with regulatory provisions on gender balance;
(ii) if, on the other hand, it is necessary to replace Statutory Auditors taken from the list that came second or third in terms of number of votes and that is not linked, even indirectly, with the shareholders that submitted or voted for the list that came first, the Shareholders' Meeting, in accordance with regulations on gender balance, will replace them, by relative majority voting, choosing, where possible, from the candidates indicated on the list on which the Statutory Auditor to replace came from, who have confirmed their candidature, at least twenty five days before the date scheduled for the Shareholders' Meeting on first call, filing the declarations regarding the lack of grounds for ineligibility or incompatibility and the existence of the requirements for the position with the Company's registered office, and providing an updated list of the administration and control positions covered in other companies. If it is not possible to do this, the Shareholders' Meeting will decide with relative majority voting, between the individual candidates submitted by the shareholders who, on their own or together with others, hold the minimum shareholding pursuant to article 34.4. of the By-Laws, without the requirement for a list, in accordance however with prevailing laws on gender balance. In this case, when ascertaining the results of the voting, any votes expressed by shareholders who hold, including indirectly or also jointly with other shareholders who belong to a shareholders' agreement pursuant to article 122 of the Consolidated Law on Finance, the relative majority of votes that can be exercised at the Shareholders' Meeting and the shareholders that control, are controlled by or are subject to their joint control will not be counted; however, this will all be done in accordance with prevailing laws on gender balance.

The application of the above provisions must in any case ensure that at least one Standing Auditor and one Alternate Auditor are elected by minority shareholders who are not connected, even indirectly, with the shareholders who submitted or voted for the list that came first in terms of numbers of votes.

* * *

Qualitative-quantitative composition of the Board of Statutory Auditors

Without prejudice to the professionalism requirements set by (primary and secondary) regulations and by the By-Laws of Banco BPM for the assumption of office, at its meeting of 6 December 2022 the outgoing Board of Statutory Auditors, appointed by the Shareholders' Meeting of 4 April 2020 and later supplemented by the Shareholders' Meeting of 15 April 2021, in compliance with the provisions of article 12, Italian Ministerial Decree no. 169 of 23 November 2020, approved the "Qualitativequantitative composition of the Board of Statutory Auditors", which identifies a qualitative- quantitative profile considered optimum for ensuring adequate collective composition of the Control Body (respectively the "Document" and the "Profile") in anticipation of its renewal for the years 2023- 2025, also taking into account the outcome of the periodic self-assessment process of the Board.

This Document, available to shareholders and anyone interested, can be found on the Bank's website (www.gruppo.bancobpm.it – Corporate Governance Section > Corporate Documents).

The quantitative composition

According to article 33.1. of Banco BPM's By-Laws, the Board is made up of 5 Standing Auditors, including the Chairman, and 3 Alternate Auditors.

The qualitative composition

The optimal composition of the Board of Statutory Auditors of Banco BPM was defined in a way to ensure the complementary nature in terms of professional competence, experience and expertise of its members, with special regard to:

− ensuring that the Control Body features a balanced combination of profiles and experiences in order to foster internal debates and discussions;
− enhancing profiles with personal and aptitudinal characteristics that are able to ensure the best possible performance of the position while encouraging the emergence of a plurality of approaches and perspectives in the analysis of issues, also in contexts such as the Board of Director's internal committees the Statutory Auditors are invited to participate in;
− guaranteeing an adequate diversification of skills so as to effectively supervise the risk management activities while adequately challenging the work of the managers, bearing in mind the multiple interests that contribute to the Bank's sound and prudent management;
− identifying profiles with adequate availability of time and resources to ensure the role is carried out effectively;
− further promoting the diversity requirements already in place, with particular regard to professional training and experience, gender diversity and age diversification.

Professionalism requirements

In defining the requirements, account was taken of the applicable legislation, including regulatory provisions, with particular reference to the Supervisory Provisions, to the evolution of the regulations for listed companies, to the indications of the ECB Guide that regulate the requirements of professionalism and integrity of company representatives.

Significant attention was also given to the principles of self-regulation contained in the Code of Corporate Governance.

In relation to the above, the optimal composition of the Board of Statutory Auditors was defined, in order to ensure the complementarity of its members in terms of the required level of professional experience and expertise.

When selecting the members of the Board of Statutory Auditors, consideration must be given to whether they possess a mix of knowledge, skills and technical experience that enables the Control Body to understand the main business areas and the principal risks to which the Group is exposed, taking into account studies, training and characteristics of the positions held.

All members of the Board of Statutory Auditors must meet the professional requirements set out in the By-Laws and the legislation in force at the time (in particular in article 26 of the Consolidated Banking Law (TUB) and article 148 of the Consolidated Law on Finance (TUF), as well as Italian Ministerial Decree no. 162/2000 and Italian Ministerial Decree no. 169/2020).

At least two of the Standing Auditors and at least one Alternate Auditor must be chosen from those listed on the Register of Auditors with at least three years' experience in the auditing of accounts.

The Chairman of the Board of Statutory Auditors must:

(i) be enrolled in the Register of Auditors and have exercised the statutory audit of accounts for a period of no less than five years, or

(ii) have exercised, also alternatively, the activities envisaged for the other members of the Board of Statutory Auditors by the regulations in force (as described below) for a period of no less than five years.

The Statutory Auditors who do not meet the above-mentioned requirements will be chosen, pursuant to Ministerial Decree 169/2020, from those who have accrued overall experience of at least three years, including alternately, in:

− independent auditing activities;
− professional activities related to the credit, financial, securities and insurance sectors or, in any

case, activities that are functional to the Bank's activities; the professional activity must be characterised by adequate levels of complexity, including with reference to the recipients of the services provided, and must be carried out on a continuous and significant basis in the above- mentioned sectors;

− university teaching activities, as first or second level lecturer, in legal or economic subjects or in other subjects that are in any case functional to the activities of the credit, financial, securities or insurance sector;
− managerial, executive or top management functions, under whatever denomination, at public bodies or public administrations that relate to the credit, financial, securities or insurance sector, provided that the body at which the representative carried out such functions is of a size and complexity that are comparable with those of the Bank at which the position is to be held.

For the purposes of meeting the above requirements, for those Statutory Auditors who are not enrolled in the Register of Auditors, the experience gained during the twenty years prior to taking office is taken into account; experience gained at the same time in more than one function is counted only for the period of time in which they were carried out, without accumulating them.

Pursuant to Ministerial Decree 162/2000, Statutory Auditors who do not meet the above-mentioned requirement of enrolment in the Register of Auditors will be chosen from those who have accrued total experience of at least three years in:

a. administration or control activities, or managerial duties with limited companies that have a share capital of not less than two million euro; or

b. professional activities or tenured university teaching in legal, economic, financial and technical-scientific subjects, strictly related to the company business; or

c. top management functions at public bodies or public administrations operating in the credit, financial and insurance sectors or, in any case, in sectors strictly related to the company business.

The information proving the Statutory Auditors' satisfaction of the professionalism requirements, as described above, shall be included in the curriculum vitae and in the additional documentation submitted in support of the application.

All members of the Board of Statutory Auditors should also have a suitable knowledge of English to allow correct understanding of written texts and, therefore, ensure the possibility of directly carrying out their own control activities also on such documents, also pending the adoption of this language in correspondence between the Bank and the European Supervisory Authority.

Competence criteria

Considerable attention was paid to the reference legislation and the regulations, the Supervisory Provisions, the regulations for listed companies (including the Code of Corporate Governance), as well as the indications contained in the EBA/ESMA Guidelines and the ECB Guide.

In relation to the above and in addition to the requirements of professionalism, all members of the Board of Statutory Auditors must meet criteria of competence aimed at proving their suitability to take on the position – considering the tasks inherent to the position of Statutory Auditor and the size and operating characteristics of Banco BPM – also in the light of the following elements:

− their possession of a mix of knowledge, skills and technical experience that enables the Control

Body to understand the main business areas and the main risks the Banco BPM Group is exposed to;

− the overall experience gained, both through studies and training and through practical experience in the positions held;
− the size, level of operational complexity, scope of activities and related risks, and the markets in which the members have previously operated.

More specifically, it is necessary to take into account both the theoretical knowledge (acquired

through studies and training) and the practical experience (acquired in the performance of previous or current working activities) of the Auditors in one or more of the following fields:

− financial and/or banking markets: to this end, non-executive, executive or supervisory positions in Italy and/or abroad are deemed relevant. The experience gained in relation to the said business in the professional, academic and public sectors is also relevant;
− banking, financial and insurance activities and products;
− risk management (methods of identification, assessment, monitoring, control and mitigation of the main types of risk of a bank, or insurance or reinsurance company, including the responsibilities of a Statutory Auditor in these processes);
− accounting and financial reporting (financial statements, accounting policies and tax matters, gained in the financial and insurance sectors or in auditing firms);
− strategic guidance and planning gained in banks, insurance or reinsurance companies, listed companies or multi-nationals or leading international strategic consulting firms, preferably in financial services;
− information technology in relation to information systems and new technologies applied to the banking, financial and insurance sector gained in leading international strategic consulting firms or in companies, preferably listed, with executive, non-executive or control positions;
− regulation in the banking, financial and insurance sector, gained at leading law firms or in companies or groups of significant size;
− organisational and corporate governance structures, gained in banks, insurance or reinsurance companies, listed or multi-national companies with executive, non-executive or control positions, or at leading international consulting firms;
− internal control systems and other operational mechanisms.

Without prejudice to the above, the following skills and experience are also relevant:

− in human resources, remuneration systems and policies, gained in banks, insurance or reinsurance companies, listed or multi-national companies with executive, non-executive and control roles, or at leading international consulting firms;
− the digitalisation and digital transformation processes and ICT risk management;
− in general, sustainability and non-financial reporting and, in particular, the management of environmental and climate risks;
− the identification and assessment of the risk of money laundering and terrorist financing and policies, controls and procedures regarding the fight against money laundering and terrorist financing.

Without prejudice to the competence and experience criteria listed above and to the provisions of the law and of the By-Laws in force from time to time, it is recommended that these skills and experiences be gathered and acquired in control and/or strategic supervision bodies or in internal board committees with control functions in banking, financial, insurance companies, whether listed or of a size and complexity that are comparable to those of Banco BPM.

With reference to the office of Chairman of the Board of Statutory Auditors, the following additional requirements are also relevant: experience acquired in the coordination, supervision or management of human resources as such to ensure effective performance of the functions of coordination and supervision of the works of the Board of Statutory Auditors, promotion of its adequate functioning, also in terms of the circulation of information, effectiveness of debate and stimulation of internal dialogue as well as adequate overall composition of the Board itself.

The experience and skills of the Auditors, with a specific indication of the ways in which these have been acquired and their duration, must appear in their curricula vitae and in the other documentation produced in support of the application.

Aptitude requirements

The aptitude profiles provided for by the EBA/ESMA Guidelines as determinant in the role as a member of the Board of Statutory Auditors of Banco BPM are also relevant, and in particular:

independent judgement, i.e., the ability to be objective, open and prepared for discussion and the ability to take a position and defend it;
integrity, i.e., the respect for values and the ability to live according to them, honesty and loyalty; authenticity, self-awareness and self-confidence;
commitment and time availability, i.e., willingness to invest time and energy to learn about the Bank; commitment and preparation.

Integrity requirements

All the members of the Board of Statutory Auditors will have to comply with the integrity requirements in accordance with prevailing laws. In particular, they must meet the requirements of integrity set out in Italian Ministerial Decree no. 169/2020 and Italian Ministerial Decree no. 162/2000.

Failure to comply with the integrity requirements will make it impossible to take on the office or will lead to loss of the office.

Fairness criteria

In addition to the requirements of integrity, each member of the Board of Statutory Auditors must meet specific criteria of fairness with regard to their personal and professional conduct, in line with the provisions of Italian Ministerial Decree no. 169/2020, the EBA/ESMA Guidelines and the ECB Guide. More specifically, it is important that the members of the Board of Statutory Auditors:

must not have behaved in a way that, although not constituting an offence, is incompatible with the office of Statutory Auditor of the Bank or that might entail serious prejudicial consequences for the Bank in terms of reputation and public trust;
shall not and have not in the past find themselves in situations which, with regard to the economic activities and financial conditions of the Auditors themselves (or the companies controlled or directed by them or in which they hold significant stakes), are – or were – including on a potential basis, capable of affecting their reputation;
must not be correlated to specific circumstances whose existence could affect the good reputation, honesty, integrity and financial soundness of the candidate.

Each member of the Board of Statutory Auditors must not be involved in situations that could give rise to suspension from the position in accordance with articles 4 and 5 of Italian Ministerial Decree 169/2020.

Availability of time and commitment required of members of the Board of Statutory Auditors

In accordance with the provisions of the applicable law, the availability of time to dedicate to fulfilling the position, in accordance with its nature, quality and complexity, appears to be a fundamental requirement that Auditors must be able to meet.

Attention is also drawn to the expected threshold of attendance at meetings of the Board of Statutory Auditors, in relation to which article 2404 of the Italian Civil Code states that "... a statutory auditor who, without a justified reason, fails to attend two meetings of the Board during a financial year shall lose his/her office...". Also in relation to the guidelines issued by the Supervisory Authority, it is also considered useful (albeit not indispensable) for Statutory Auditors to ensure their physical presence at meetings19, with the exception of any extraordinary meetings or exceptional circumstances20.

Recalling that article 149 of the Consolidated Law on Finance states, among other things, that "... those Statutory Auditors who, without a justified reason, fail to attend two meetings of the Board of Directors or of the Executive Committee, shall lose their office...", to be noted is the expected

¹⁹ The possibility of taking part in meetings by video-conference or audio-conference is ensured, however, in compliance with the provisions of the By-Laws and the Regulation of the Board of Statutory Auditors of Banco BPM. 20 As was the case during the health emergency due to the Covid-19 pandemic.

attendance threshold at the Bank's Board of Directors' meetings and Shareholders' Meetings21.

The Fit & Proper Policy adopted by Banco BPM also requires a minimum percentage of attendance at meetings of 80% in a given financial year.

The above must be augmented by the necessary commitment for participation in the sessions of the training and induction plans, which are normally defined annually for the representatives of the main companies of the Group (including the Statutory Auditors of Banco BPM), as well as any additional off-site meetings.

In view of the above, it is recommended – also in line with the positions expressed by the European Central Bank – that members of the Board of Statutory Auditors accept the position if they believe they can dedicate the energy and the time necessary, taking account of factors such as: the other commitments and situations of a personal and professional nature, and performance of the duties covered in other companies; the nature, extent and complexity of the functions carried out, the sizes and situations of the companies where they hold the positions and the place or country where they operate from.

In this regard and by paying special attention to the proper functioning of the Board of Statutory Auditors and to the contribution of each member to the internal debate within the Board, in compliance with article 16 of Italian Ministerial Decree no. 169/2020, an estimate was carried out – whose validity has been confirmed for the year 2024 during the annual verification of requirements, as specified below - to be used as reference to assess the minimum time deemed necessary for the effective fulfilment of the position, summarized in the following table:

Position	Commitment estimate (days/year)
Chairman of the Board of Statutory Auditors	100 days
Auditor	80 days

With regard to the specific situation of Banco BPM, it should be noted – for information purposes – that in each financial year of the three-year period 2021-2023, an average of 37 meetings of the Board of Statutory Auditors, 21 meetings of the Board of Directors, and 21 meetings of the Internal Control and Risks Committee (called the "Internal Control, Risks and Sustainability Committee" from 28 April 2021 to 26 April 2023), 24 meetings of the Appointments Committee, 6 meetings of the Related Parties Committee and 22 meetings of the Remuneration Committee. It should also be noted that, by resolution of the Board of Directors on April 26, 2023, the Sustainability Committee was established, which met 9 times in 2023.

For the sake of completeness, it should be noted that for the 2024 financial year, there were 34 meetings of the Board of Statutory Auditors, 20 meetings of the Board of Directors, 23 meetings of the Internal Control and Risks Committee, 21 meetings of the Appointments Committee, 4 meetings of the Related Parties Committee, 23 meetings of the Remuneration Committee and 17 meetings of the Sustainability Committee.

The members of the Board of Statutory Auditors substantially participated in all the meetings of the Board of Statutory Auditors and the Board of Directors as well as, through the Chairman or the Statutory Auditor designated by him with the task of reporting to the other Statutory Auditors on the most important issues that emerged during the discussions, in those of the Board Committees.

Beyond the commitment to participate in meetings, it is also necessary to consider the time that each Auditor will dedicate to their own preparation as well as to traveling to and from the meetings.

Limit to the accumulation of external positions

Pursuant to the provisions of the By-Laws, the limits to the accumulation of the administrative and auditing positions established in the CONSOB regulation and any other applicable provisions apply to members of the Board of Statutory Auditors. According to the provisions of the Issuers' Regulation, in implementing article 148-bis of the Consolidated Law on Finance (TUF), the persons holding the same

²¹ One Shareholders' Meeting for each year of the 2020-2022 three-year period and one in 2023.

office in five issuers cannot hold the position of member of the Control Body of an issuer.

The member of the Control Body of an issuer can take on other administration and control positions with the companies indicated by the above-mentioned regulations within the limits established therein. Exempt positions and administration and control positions with small companies (as defined in the above-mentioned regulations) do not count in the calculation of the accumulation of positions.

A member of the Control Body who exceeds those limits for reasons outside his/her control will resign from one or more of the previously covered positions within 90 days of becoming aware that said limit has been exceeded.

Moreover, with specific reference to the limits to the accumulation of positions for the corporate representatives of banks, expressly mentioned also in the Supervisory Provisions, to be noted are the specific provisions in this regard contained in Italian Ministerial Decree no. 169/2020, in the CRD IV Directive and in the Regulation "Limits to the number of offices" of Banco BPM.

In particular, pursuant to article 91 of CRD IV, articles 17 and 18 of Italian Ministerial Decree no. 169/2020 and article 3.1 of the Regulation "Limits to the number of offices" of Banco BPM, the members of the Bank's Board of Statutory Auditors may simultaneously (also taking into account the positions held within the Group) only hold one of the following combinations of corporate offices:

a) 1 executive position with 2 non-executive positions;

b) 4 non-executive positions.

The above was set out under article 3.1 of the above-mentioned Regulation on the basis of which the following limits to taking on positions are provided for the Statutory Auditors of the Group Banks:

those who cover positions with non-executive functions in Banks of the Group, may hold the following combinations of offices:
1 executive position and 1 non-executive position in companies not belonging to the Group; alternatively,
3 non-executive positions in companies that do not belong to the Group.

For further details and specifications concerning the limits to the accumulation of positions, reference should be made to the provisions of the Issuers' Regulation, Italian Ministerial Decree no. 169/2020 and the Regulation "Limits to the number of offices" available on the Bank's website www.gruppo.bancobpm.it – Corporate Governance > Corporate Documents Section.

Grounds for ineligibility, loss of office and incompatibility

In accordance with article 148 of the Consolidated Law on Finance (TUF), the following may not be elected Statutory Auditors and, if elected, shall forfeit their office:

a) those who find themselves in the conditions provided under article 2382 of the Italian Civil Code;
b) the spouse, family and in-laws within the fourth degree of kinship of the directors of the Bank, the directors, the spouse, family and in-laws within the fourth degree of kinship of the directors of the companies it controls, the companies that control it or those subject to joint control;
c) those that are linked to the Bank or its subsidiaries or the companies that control it or those subject to joint control or the directors of the Bank and the parties described under letter b) by self- employment relations or employment relations or other equity-related or professional relations that would compromise their independence.

In accordance with the provisions of article 17 of Italian Legislative Decree no. 39/2010, anyone who had a key role in the independent audit or that carried out an audit on behalf of the auditing firm of Banco BPM may not hold the position of Statutory Auditor in Banco BPM either, unless at least two years have passed since they stopped said work. This prohibition is extended to employees and shareholders, besides the key audit manager, and any other natural person whose services were made available or that were under the control of the auditing firm, if authorised to work as an auditor, for a two-year period from their involvement as an auditor.

In accordance with the Supervisory Provisions, members of the Board of Statutory Auditors cannot accept office in other bodies besides those with control functions with other Group Companies in which Banco BPM holds, also indirectly, a strategic investment, of at least 10% of the share capital or the voting rights at the ordinary shareholders' meetings of the investee company and 5% of the Banking Group's consolidated regulatory capital.

Finally, without prejudice to the other incompatibilities provided for by the regulations in force (including the prohibition of Interlocking Directorships pursuant to Italian Law no. 214 of 22 December 2011), the office of Statutory Auditor, also in the light of the EBA/ESMA Guidelines, is deemed incompatible with political offices, i.e. offices of national member of Parliament and member of the Government. It is also recommended that the position of Statutory Auditor should not be held by persons who are members of the European Parliament or members of the Regional, Provincial or Municipal Boards or Councils (limited to provincial capitals).

Requirements of independence and Independence of judgement

Pursuant to article 14 of Italian Ministerial Decree no. 169/2020, the following persons cannot assume the position of member of the Board of Statutory Auditors:

a) those who are in one of the situations indicated in article 13, paragraph 1, letters b), g) and h) of Italian Ministerial Decree no. 169/2020, namely:
- those who are "participants"2222 in the Bank;
- those who are representatives with executive positions in a company in which a representative with executive tasks of the Bank holds the position of member of the Board of Directors or of the Management Body;
- those who, directly or indirectly, have or have had in the two years prior to taking the position, free-lance or employment relations or other relations of a financial, equity or professional nature, even if not continuously, with the Bank or its executive representatives or its Chairman, with the subsidiaries of the Bank or their executive representatives or their Chairmans, or with a "participant" in the Bank or its executive representatives or its Chairman, such as to compromise their independence;
b) the spouse who is not legally separated, a person bound by civil union or de facto cohabitation, a relative or an in-law within the fourth degree of kinship:
- the managers of the Bank's main corporate functions23;
- those who find themselves in the situations stated in letter a) above or in letter c) below;
c) those who hold, or have held in the last five years, the position of member of the Board of Directors or of the Management Body as well as that of a "participant" in the Bank, the Bank or the Company controlled by it.

This is without prejudice to the possibility for a member of the Board of Statutory Auditors of Banco BPM to hold the office of statutory auditor or member of the Supervisory Board at the same time in one or more Group Companies.

Furthermore, the Statutory Auditors must meet the independence requirements contained in article 148, paragraph 3, of the Consolidated Law on Finance (TUF) and in Italian Ministerial Decree no. 169/2020, as well as in the provisions contained in the Recommendations of the Code of Corporate Governance24.

²² Meaning the person who, holding an interest equal to at least 10% of the share capital or voting rights in the Bank, or involving control or the possibility of exercising significant influence over the Bank, is required to apply for the authorisations provided for under Title II, Chapter III, of the Consolidated Banking Law (TUB) and the relevant implementing provisions.

²³ Pursuant to Ministerial Decree 169/2020, these are: the managers of the anti-money laundering, compliance, risk control and internal audit functions, as defined by the provisions on internal controls issued in accordance with article 53 of the Consolidated Banking Law (TUB), and the Chief Financial Officer of the Bank.

²⁴ Recommendation 9 of article 2 of the Code of Corporate Governance provides as follows: "... All members of the Control Body meet the independence requirements set forth in recommendation 7 for directors...". Recommendation

In this regard, for the purposes of the subsequent assessment of the existence of the suitability requirements of the representative, it should be noted that article 33.4. of the By-Laws prescribes that, without prejudice to the additional provisions of the regulations in force at the time, the Statutory Auditors must meet the independence requirements envisaged for independent directors by article 20.1.6. of the By-Laws.

This last article contains a definition of the independence requirement that concentrates the aforementioned legislative and regulatory provisions and is therefore, mutatis mutandis, also taken into consideration by the Board of Statutory Auditors when verifying the requirement in question by its members. In compliance with this provision of the By-Laws, for example, a Statutory Auditor who has held an office in the Bank, or has held managerial positions at the Bank, for more than nine years, including non-consecutive, in the last twelve years is not considered independent.

In compliance with the aforementioned articles 33.4. and 20.1.6. of the By-Laws and in compliance with best practices, at the time of verification by the members of the Board of Directors of the requirement in question, the quantitative and/or qualitative criteria apply, identified in general by resolution of the Board as suitable to determine the significance of the financial, equity or professional relationships, even if not ongoing, indicated above.

All members of the Board of Statutory Auditors must act with independent judgement, being aware of the duties and rights relating to the position taken, pursuing the Bank's sound and prudent management and in compliance with all applicable regulations.

All members of the Board of Auditors must therefore be able to perform their duties with objectivity and integrity and in the absence of interests, direct or indirect, that compromise their independence of judgement and that may constitute a potential risk for the Bank, also from a reputational perspective.

Guidelines regarding diversity

Without prejudice to the provisions of the legislation and the regulations in force from time to time, in order to ensure adequate discussion and deliberation within the Control Body, it was deemed necessary to ensure that its composition reflects an adequate degree of diversification in terms of gender and skills as well as to adopt an age policy.

In this regard, the specific fit & proper policy in order to regulate, the suitability requirements that the members of the Board of Directors, the Board of Statutory Auditors, the General Management and

⁷ in turn requires that "... Circumstances that impair, or appear to impair, a director's independence include at least the following: a) whether he/she is a significant shareholder of the company; b) whether he/she is, or has been in the previous three financial years, an executive director or an employee: - of the company, of a strategically important subsidiary of the company or a company under joint control; - of a significant shareholder of the company; c) if, directly or indirectly (e.g. through subsidiaries or companies of which he/she is an executive director, or as a partner of a professional firm or consulting firm), he/she has, or has had in the previous three financial years, a significant commercial, financial or professional relationship: - with the company or its subsidiaries, or with the relevant executive directors or top management; - with a subject who, also jointly with others through a shareholders' agreement, controls the company; or, if the controlling party is a company or an entity, with the relevant executive directors or top management; d) if he/she receives, or has received in the previous three financial years, from the company, one of its subsidiaries or the controlling company, significant additional remuneration compared to the fixed remuneration for the office and to the remuneration set for the participation in the committees recommended by the Code or envisaged by the current legislation; e) if he/she has been a director of the company for more than nine financial years, including non-consecutive years, in the last twelve financial years; f) if he/she holds the office of executive director in another company in which an executive director of the company has an administrative position; g) if he/she is a shareholder or the director of a company or an entity belonging to the network of the company entrusted with the independent audit of the company; h) if he/she is a close family member of a person who is in one of the situations referred to in the previous points. The management body shall predefine, at least at the beginning of its term of office, the quantitative and qualitative criteria for assessing the significance referred to in c) and d) above. In the case of a director who is also a partner in a professional firm or consulting firm, the management body assesses the significance of professional relationships that may have an effect on his/her position and role in the firm or consulting firm, or that otherwise relate to significant transactions of the company and its group, even irrespective of the quantitative parameters…", as well as, where present and if different from the latter, the manager in charge of preparing the company's financial reports required by Art. 154-bis of the TUF.

the Top Management must meet, provide necessary guidelines on diversity.

More specifically, the composition of the Board of Statutory Auditors will have to ensure balance between the genders in accordance with the provisions of prevailing laws25, on the basis of which a quota of at least two fifths of the Standing Auditors elected must be reserved for the less represented gender for six consecutive terms of office26. In this regard, reference should be made to what was stated above.

In light of the current reference regulatory context, at least 2 standing members of the Board of Statutory Auditors must belong to the less represented gender.

Furthermore, also without prejudice to the provisions of pro tempore governing regulations, in order to ensure that the Control Body, as a whole, can ensure the effective execution of the tasks assigned to it, the Fit & Proper Policy provides that the composition of the Control Body provides for the balanced and diverse presence of Statutory Auditors who, individually, have acquired the necessary skills and experience to meet the competence criteria mentioned above.

Lastly, with particular reference to age, the Fit & Proper Policy provides that candidates for the position of Statutory Auditor in Banco BPM are not older than 75 years, without prejudice to the right to make exceptions to said criteria on the basis of justified and grounded reasons.

The actual composition of the Board of Statutory Auditors fully complies with the provisions of the law and regulations, as well as those contained in the Fit & Proper Policy regarding diversity policies.

Collective suitability of the Board of Statutory Auditors

In order to ensure the "collective suitability" of the Board of Statutory Auditors, the Fit & Proper Policy provides that the members of the Control Body must show a balanced composition of experience and technical knowledge (in the areas referred to above) that will permit the Body to understand the main areas of business and the main risks that the Banco BPM Group is exposed to.

In particular, in light of the provisions of article 11 of Italian Ministerial Decree no. 169/2020, the presence of Auditors is taken into consideration:

who are diverse in terms of age, gender and duration of the position;
whose skills, considered collectively, are suitable for (i) encouraging internal debate and discussions; (ii) promoting the emergence of a plurality of approaches and perspectives in the analysis of issues and in the taking of decisions; (iii) effectively supervising the management of activities and risks, controlling the work of top management; (iv) taking into account the multiple interests that contribute to the sound and prudent management of the Bank.

For the foregoing purposes, reference is also made to what has already been specified with regard to the qualitative composition.

Induction and training

In accordance with the provisions of the EBA/ESMA Guidelines, the ECB Guide and current regulatory provisions, Banco BPM promotes, through the Chairman of the Board of Directors, the participation of Directors and Statutory Auditors in special training initiatives aimed at fostering an ongoing adequate and in-depth knowledge of the sectors in which the Bank and its Group operate and at ensuring the continuity and safeguarding of the experience gained over the years by Banco BPM's corporate bodies.

The training and induction plans are also aimed at helping Directors and Statutory Auditors so that they can get a clear understanding of the organisational structure of the Bank and the Group, the business model, the company dynamics and their development including from the perspective of

²⁵ Article 148, paragraph 1-bis, of the Consolidated Law on Finance (TUF).

²⁶ In compliance with legal and regulatory provisions governing equal access to the bodies of companies listed in regulated markets, and more specifically the amendments to article 148 of the Consolidated Law on Finance (TUF) introduced by article 1, paragraphs 302 and 304, of Italian Law no. 160 of 27 December 2019, it was provided that – starting from the first renewal of the bodies of listed companies after the date of entry into effect of the law (which for Banco BPM took place with the Shareholders' Meeting of 4 April 2020) – the less represented gender must account for at least two fifths of the Standing Auditors elected for six consecutive terms of office.

sustainable success, the methods for identifying, measuring and managing risks, the current legal and regulatory framework, as well as an in-depth examination of issues of a strategic nature and any other matter considered relevant to the functioning of the corporate bodies.

On the basis of the above, training sessions were organised during 2024, also open to the Statutory Auditors and the representatives of the Group Banks invited if necessary, and that represented – as encouraged by the Supervisory Provisions of the Bank of Italy and the Code of Corporate Governance – an opportunity to obtain more in-depth information on matters of current interest and relevance for the banking system.

Specifically, the topics covered in 2024 concerned, in particular, the following areas: evolutionary lines of the ESG strategy and climate/environmental risk management: evolution of sustainability reporting regulations for 2024; (ii) national and European regulatory framework of a financial conglomerate: the Parent Company's supervisory role over the Group's insurance sector (with a focus on integrated risk management and challenge activities by the control functions); (iii) remuneration and incentive policies of the Banco BPM Group with a focus on areas regulated by specific industry regulations: people strategy in terms of diversity, equality and inclusion; (iv) assessment methodologies and control systems: credit risk and IT risk. Insurance business risk assessment; (v) new Code of Corporate Crisis and Insolvency; (vi) CSRD - Double Materiality Analysis; (vii) ECB Guidelines on Risk Data Aggregation and Risk Reporting: strengthening BCBS 239 principles as a supervisory priority; (vii) Anti Financial Crime: comparing phenomena. Corruption, tax fraud and organized crime; (ix) insights into human resources issues: female leadership in the Banco BPM Group and human resources and remuneration systems.

In addition to this, the Chairman of the Board of Statutory Auditors promoted several moments of in-depth analysis, organised as part of the ordinary meetings, on issues of particular interest to the Statutory Auditors, such as: the Cooperative Compliance regime governed by Legislative Decree no. 128/2015; (ii) regulatory changes regarding the acquisition of tax credits; (iii) Directive (EU) 2022/2555 (so-called "NIS 2") and Regulation (EU) 2022/2554 (so-called "DORA"); (iv) the evolution of the remote control system of the Audit function and the use of Machine Learning models to support Fraud/Anomaly Detection activities; (v) the purchasing budget management process, including the review of the passive cycle and the expenditure optimization project; (vi) ongoing sustainability projects, including, in particular, those aimed at compliance with recent regulations on the subject (Directive (EU) 2022/2464 of the European Parliament and of the Council of December 14, 2022, the so-called "Corporate Sustainability Reporting Directive" or "CSRD") and those related to the NZBA Project, as the Bank has joined the "Net-Zero Banking Alliance" initiative.

The Statutory Auditors were also updated – inter alia with specific information reports provided during the board and collective meetings – on the main legislative and regulatory news involving the Company and the Corporate Bodies. In order to ensure that the members of the Board of Directors and Board of Statutory Auditors are kept constantly updated and trained, a regulatory alerting service was prepared and created by the applicable company functions on topics of legal and tax interest.

* * *

The Board of Statutory Auditors, also in view of the importance and complexity of the duties entrusted to it and prevailing external and internal regulations, approved the "Regulation of the Board of Statutory Auditors", last updated in May 2022, to govern the operation of the Control Body. Said regulation also regulates, inter alia, aspects relating to the composition of the Board of Statutory Auditors, with particular reference to the degree of diversification in terms of skills, experience, age, gender and international outreach, as well as aspects relating to the disclosure obligations on the part of members of the Board of Statutory Auditors regarding any assumption of interests, on own behalf or on behalf of third parties, in a given transaction of Banco BPM by describing the nature, terms, origin and extent of the interest. The Self-Assessment Process to which the Board of Statutory Auditors must undergo periodically to assess its composition (both from a quantitative and qualitative standpoint) and performance is also regulated.

The Board of Statutory Auditors of Banco BPM currently in office was elected by the Shareholders' Meeting on 20 April 2023 and will expire on approval of the financial statements as at 31 December 2025.

* * *

Therefore, as at the date of this report, the Board of Statutory Auditors comprised the following five Standing Auditors: Prof. Marcello Priori (Chairman), Prof. Elbano de Nuccio, Mr Maurizio Lauri, Ms Silvia Muzi and Ms Nadia Valenti, as well as the following three Alternate Auditors: Ms Sara Antonelli, Ms Marina Scandurra and Mr Mario Tagliaferri.

The following should also be noted:

At the meetings of 6 and 7 May 2024, the Board of Statutory Auditors ascertained the following for each of its members the subsistence of the requirement of independence and autonomy of judgement pursuant to the applicable regulations (in particular, art. 148, paragraph 3, of the Consolidated Law on Finance and Articles 13 et seq. of Ministerial Decree 169/2020) as well as the Code of Corporate Governance (recommendation 9 of art. 2, which refers to recommendations 6 and 7 of the same article), to which Banco BPM has adhered, also noting that they are able to perform their duties with autonomous judgement. The outcome of said check was sent to the Board of Directors which disclosed it by issuing a press release on the date (7 May 2024);
the Board of Statutory Auditors, at the aforementioned meeting, also verified with positive results, respect for the limits on the maximum number of offices and the time commitment, as well as compliance with art. 36 of Italian Decree Law no. 201/2011 (converted with amendments from Italian Law no. 214/2011), regarding interlocking directorships with reference to Standing Auditors;
in 2024, the Board of Statutory Auditors met 34 times, each meeting lasting about 3 hours on average; the members of the Board took part, over the course of the applicable office relating to 2024, at the meetings of the Control Body ensuring a substantially adequate presence with respect to the indications contained in the internal policy which, without prejudice to the legal provisions, requires 80% minimum attendance in the meetings over a financial year;
the attendance of the Statutory Auditors at the ordinary Shareholders' Meeting, held on 18 April 2024 took place – similarly to that of the other company representatives – in observance of the containment measures set forth by law, also by using remote connection systems, in compliance with the applicable provisions in force; therefore, all the Auditors attended the aforementioned Shareholders' Meeting (connected via means of telecommunication); in 2024, the Board of Statutory Auditors also participated in all 20 meetings of the Board of Directors and, through one of its representatives, in the meetings of the Internal Board Committees;
the activities of the Board of Statutory Auditors continue in 2025 on a weekly basis in general. Starting from 1 January 2025, and up to the date of this report, the Board of Statutory Auditors met 7 times (on the basis of the no. 33 scheduled).

The following table shows information on 31 december 2024 on each member of the Board of Statutory Auditors, considering that in 2024 34 meetings of the Board of Statutory Auditors were held.

Name and Surname	Office held	Year of birth	Date of first appointment	In office from	In office to	ListI	Indep. Consolidated Law on Financ eII	Indep. CodeIII	% B.S.A. IV	Other Positio ns V
Marcello Priori*	Chairman	1964	01-Jan-2017	20- Apr 2023	Approval of financial statements as at 31.12.2025	3	YES	YES	100%	4
Elbano de Nuccio*	Standing Auditor	1970	20-Apr-2023	20- Apr 2023	Approval of financial statements as at 31.12.2025	2	YES	YES	82%	3

Maurizio Lauri*	Standing Auditor	1962	04-Apr-2020	20- Apr 2023	Approval of financial statements as at 31.12.2025	1	YES	YES	80%	3
Silvia Muzi*	Standing Auditor	1969	15-Apr-2021	20- Apr 2023	Approval of financial statements as at 31.12.2025	2	YES	YES	100%	5
Nadia Valenti	Standing Auditor	1974	04-Apr-2020	20- Apr 2023	Approval of financial statements as at 31.12.2025	1	YES	YES	100%	1
Sara Antonelli*	Alternate Auditor	1989	20-Apr-2023	20- Apr 2023	Approval of financial statements as at 31.12.2025	3	YES	YES	-	12
Marina Scandurra*	Alternate Auditor	1969	20-Apr-2023	20- Apr 2023	Approval of financial statements as at 31.12.2025	2	YES	YES	-	15
Mario Tagliaferri*	Alternate Auditor	1961	20-Apr-2023	20- Apr 2023	Approval of financial statements as at 31.12.2025	1	YES	YES	-	8

I : This column shows the number of the source list based on the order of presentation of the lists.

II: This column indicates whether or not the Statutory Auditors fulfil the independence requirement pursuant to article 148, paragraph 3, of the Consolidated Law on Finance.

III: This column indicates whether or not the Statutory Auditors meet the independence requirement in accordance with the Code of Corporate Governance.

IV: This column indicates the attendance, in percentage terms, at the meetings of the Board of Statutory Auditors held in 2023, taking the term of office as reference.

V: This column shows the total number of directorship, management and control positions held in other listed, financial, banking, insurance or significantly sized companies; these have been identified in light, in terms of uniformity of information, of the provisions set forth in the Regulation "Limits to the number of offices" adopted by Banco BPM. The detailed list of positions is provided in annex 3 to this report.

* Enrolled in the Register of Auditors established with the Italian Ministry of Justice.

The table below provides information on the composition of the Board of Statutory Auditors as indicators of diversity.

25% under 50	63% between	25% over 60		25% under	63% between 50 and 60
	50 and 60			50

0% high school diploma	100% university degree

Some short biographical notes on the members of the Board of Statutory Auditors are provided below, showing that they have adequate professional competence in the areas of banking, finance, law, tax and risk management:

Marcello Priori Chairman of the Board of Statutory Auditors: he is a practising chartered accountant and statutory auditor in Milan, providing consultancy services on corporate, financial, business and corporate governance matters, as well as financial capital valuation services for companies operating in the financial and industrial sector. He is enrolled on the Register of Expert Witnesses of the Civil Court of Milan and has acted as a consultant in legal and arbitration proceedings. He is a lecturer of Business Economics and Business Management at Bocconi University in Milan. He is also a member of the Italian Association of Financial Analysts. He is a keynote speaker at conferences organized by the Italian Banking Association on corporate governance and internal control systems and at professional organizations and leading universities. He served as Vice Chairman of the Supervisory Board of BPM (having been a Member since 2011) until 31 December 2016. He previously served as Chairman, Vice Chairman, Member of the Board of Directors, Chairman of the Board of Statutory Auditors, Standing Auditor and Chairman of the Supervisory Board of several banks and financial intermediaries (Asset Management Holding S.p.A., Banca Farmafactoring S.p.A., Profamily S.p.A., Bipiemme Gestioni S.p.A., Banca Akros S.p.A., Banco BPM Assicurazioni S.p.A., Primonial Reim Itlay S.p.A., Carrefour Servizi Finanziari S.p.A., Cassa di Risparmio di Alessandria, Dexia Crediop S.p.A., Etica SGR S.p.A., Key Client Cards & Solutions, The Royal Bank of Scotland, NatWest Markets among others) and of industrial companies (including Alerion Clean Power S.p.A., Bracco Imaging Italia S.r.l., Daf Veicoli Industriali S.p.A., RGI S.p.A., Reno de Medici S.p.A., Borbonese S.p.A., Fomas Finanziaria S.p.A., Carrefour Italia S.p.A., Monzino S.p.A., Vivigas S.p.A., Corob S.p.A., F2A S.p.A.). He currently holds the following positions: Chairman of the Board of Vista Vision S.r.l.; Chairman of the Board of Statutory Auditors of Banco BPM Vita S.p.A. and of Vera Vita S.p.A. as well as Standing Auditor of Banca Aletti S.p.A. Since 1 January 2017, he has been Chairman of the Board of Statutory Auditors of Banco BPM S.p.A.
Elbano de Nuccio Standing Auditor: graduated in 1992 from the Faculty of Economics of the University of Bari, PhD in Business Economics, Associate Professor of Business Economics at LUM Giuseppe Degennaro University. Since 1993, he has been the owner of a professional practice as a Chartered Accountant and Statutory Auditor with many years of experience in the field of business, accounting, tax, tax and financial litigation for private and public companies of national and international importance and management planning and control. Since 1994 he has been a Statutory Auditor in various joint-stock companies and is Chairman of the Board of Statutory Auditors and Statutory Auditor in various joint-stock companies and non-commercial entities. He holds institutional positions in various bodies representing the professional category. He was Chairman of the Board of the Association of Chartered Accountants and Accounting Experts of Bari, Member of the Board of IFAC (International Federation of Accountants) and Member of the Board of the Edinburgh Group. Since 2023, he has been a member of the "Permanent Observatory on the efficiency of the measures and instruments for the regulation of the business crisis envisaged and governed by the Corporate Crisis and Insolvency Code" at the Ministry of Justice. Since 2022, he has been a Member of the Board of Guarantors of the OIV (Italian Assessment Body). Since 2022, he has been Chairman of the National Council of Chartered Accountants and Accounting Experts. Since 2023, he has been a Member of the Board of Directors of the OIC (Italian Accounting Body). He is currently Chairman of the Board of Statutory Auditors of Acquedotto Pugliese S.p.A., of Cestaro Rossi & C. S.p.A., of F.lli De Cecco S.p.A. since 20 april 2023. Since 20 April 2023 he has been Standing Auditor of Banco BPM S.p.A.
Maurizio Lauri Standing Auditor: he graduated in Economics from the Luiss University in Rome in 1986 and received a Master of Law from London School of Economics in 1989. He has been enrolled in the Italian Register of Chartered Accountants and Accounting Experts of Rome since 1989 and the Italian Register of Auditors since 1995. Previous roles include: Chairman of the Board of Directors of Banca Intermobiliare di Investimenti e Gestioni S.p.A., Chairman of the Board of Statutory Auditors of Unicredit S.p.A. and Vice Chairman of the Board of Directors of Veneto Banca S.p.A. (upon the appointment of Fondo Atlante). He has also been a member of the Board of Auditors for Party Budget Control, Auditor of the Italian Revenue Agency and Standing Auditor of GEDI S.p.A. He is currently the Chairman of the Board of Statutory Auditors of Acea S.p.A., Officine

CST S.p.A., Acting Statutory Auditor of Tirreno Power S.p.A. and Chairman of the Board of Auditors of Fondazione Roma Europa Festival. He has been a Standing Auditor of Banco BPM S.p.A since 4 April 2020.

Silvia Muzi Standing Auditor: she graduated in 1993 in Economics and Business from "La Sapienza" University of Rome. She is a chartered accountant, with offices in Rome and Milan. She has been enrolled in the Italian Register of Association of Chartered Accountants and Accounting Experts since 1996 and the Italian Register of Auditors held at the Ministry of Economy and Finance since 1999. Master's specializing in "Corporate tax and extraordinary transactions". Master's in "Contract Law and International Trade". Master's in "Company Law", both at the Law Society of England and Wales of London. Advanced specialization course in "International Tax" at the Advanced Economics and Finance School. Cursus's specializing in "The fiscal profiles of IFRS", organised by ASSONIME, of which he is a consultant. "Board Academy" Advanced Master's, at the LUISS Business School. Advanced specialised ABI Master's for members of the Board of Statutory Auditors of listed banks. She has many years of experience in listed and public companies as a member of control bodies. She has held the position of member of the Board of Statutory Auditors at a number of companies including: Chairman of the Board of Statutory Auditors of CEMENTIR Holding S.p.a., Istituto Finanziario S.p.A., IDS AIRNAV - Gruppo ENAV; Ansaldo T&D Europe S.p.A. in which she was the Chairman of the Board of Statutory Auditors and then the Chairman of the Supervisory Board. She is currently Chairman of the Board of Statutory Auditors of RAI WAY S.p.A., A2A S.p.A. and of Esprinet S.p.A., as well as that standing Auditor of Banca Aletti S.p.A. and Banco BPM Invest SGR S.p.A. Since 15 April 2021, she has been a Standing Auditor of Banco BPM S.p.A.
Nadia Valenti Standing Auditor: graduated in 2000 in Economics and Legislation for companies from Bocconi University in Milan, she qualified as a chartered accountant in 2022 and has been enrolled in the Register of Statutory Auditors since January 2025. From 2000 to 2016, she gained his professional experience at leading consulting and auditing companies in Italy and abroad (London, Moscow, Dubai) until attaining the position of Executive Director. Subsequently, from September 2016 to March 2022, she held the role of Regional Chief Financial Officer for South East Asia in Singapore and Head of Global Business Planning for leading industrial companies, from March 2022 to November 2023 she was Project Manager at GKSD Investment Holding. In addition, since July 2019, she has been a member of Angels4Women, a "business angels" association, promoted by AXA and Impact Hub, focused exclusively on developing and supporting female entrepreneurship. She has been a Standing Auditor of Banco BPM S.p.A. since 4 April 2020 and a Standing Auditor at Banca Akros S.p.A. from March 2021.
Sara Antonelli Alternate Auditor: graduated in Professional Consulting and Corporate Auditing from the LUISS Guido Carli University of Rome, she is enrolled in the Register of Chartered Accountants and in the Register of Statutory Auditors at the Ministry of Economy and Finance. She carries out support activities on company valuations and extraordinary transactions for companies and entities of different sizes in the preparation and adaptation of the governance system to compliance with special sector regulations (anti-corruption and transparency, administrative liability of entities etc.) and in the definition and reorganisation of governance and internal control systems. She is Chairman or standing member of Boards of Statutory Auditors (among others, Mondo TV S.p.A. (listed), EnVent Italia SIM S.p.A., TECNE Gruppo Autostrade per l'Italia S.p.A. and Logista Retail Italia S.p.A.). She has been an Alternate Auditor of Banco BPM S.p.A since 20 April 2023.
Marina Scandurra Alternate Auditor: graduated with honors in Economics and Business in 1994 from La Sapienza University of Rome. She is enrolled in the Register of Chartered Accountants and Accounting Experts of Rome, in the Register of Statutory Auditors, in the List of Receivers, in the Register of Experts at the Public Prosecutor's Office, in the List of Judicial Custodians and in the Register of Court-appointed receivers. Since 1998 she has been the owner of the firm De Filippo Scandurra & Partners, where she has gained significant experience in management and business administration, governance and business crisis. She assumed relevant positions, as Indipendent Director of Monte dei Paschi di Siena Capital Services (Extraordinary Commissioner) the Tecnis Group composed by 14 Companies, operating in Infrastructural Works sector. Relevant experiences:
- She is an expert in Governance and Corporate Control, having held the roles of Chairman and Member of Boards of Statutory Auditors, and of Supervisory Bodies of companies of primary

standing, including Italia Trasporto Aereo S.p.A., ENAV S.p.A., Rai Pubblicità S.p.A., Daimler Truck Financial Services Italia S.p.A., GEDI Gruppo Editoriale L'Espresso S.p.A.

She is an expert in Crisis and Corporate Restructuring, having held the position of Judicial Commissioner and Judicial Liquidator in Composition with Creditors and Bankruptcy Trustee in over 100 insolvency proceedings.
Judicial and technical advise, she is an expert in Banking Law and Financial Instruments, as Technical Advisor to leading credit institutions in the civil, judicial and extra-judicial fields, as well as providing support in cases of banking and corporate crimes.
Going-concern evaluations: he provides assessments for numerous companies.

Since 20 April 2023, she has been Alternate Auditor of Banco BPM S.p.A.

Mario Tagliaferri – Alternate Auditor: he graduated in Economics and Busienss in 1987 from the University of Bergamo. He has been enrolled in the Register of Chartered Accountants since 1990, in the Register of Technical Consultants of the Judge since 1991, in the Register of Auditors since 1995 and in the CFE - European Register of Tax Advisers since 2019. He is partner of Studio LEXIS - Dottori Commercialisti Associati in Crema, where he carries out his activity mainly focused on tax and corporate consultancy for large and medium-sized companies. He is specialised in corporate and business reorganisation carried out through extraordinary transactions. He has edited several publications and collaborates with the magazine NT Fisco belonging to Il Sole 24 ore. He is currently Chairman of the Board of Statutory Auditors of Kilometro Rosso S.p.A., Alto Robotics S.p.A., Consorzio.it S.p.A.,Crema Diesel S.p.A. and Brembo SGL Carbon Ceramic Brakes S.p.A.. She is a Standing Auditor of Interpump Group S.p.A., Fondazione Ferrovie dello Stato, Marsilli S.p.A., TMC Transformers S.p.A. He also holds the position of Deputee-Director of the Board of Director of Fondazione Benefattori Cremaschi – Istituto polifunzionale e di assistenza socio sanitaria Onlus. From April 20, 2023 he is Alternate Auditor of Banco BPM S.p.A.

7.2 ROLE OF THE BOARD OF STATUTORY AUDITORS

Pursuant to article 36.1. of the By-Laws, the Board of Statutory Auditors carries out the duties and exercises the control functions laid down by legislation in force at the time, and particularly it supervises:

(i) observance of laws, regulations and the By-Laws as well as compliance with the principles of proper administration;
(ii) the adequacy of the Company's organisational and administrative/accounting structure and the

financial reporting process, within its scope of responsibility;

(iii) the effectiveness and adequacy of the risk management and control system, the internal audit system, as well as the functioning and adequacy of the overall internal control system;
(iv) the independent audit process of the separate and consolidated accounts;
(v) the procedures for the proper implementation of the rules of corporate governance with which the Company states that it complies;
(vi) the adequacy of the orders given by the Company to its subsidiaries in the exercise of supervision and coordination activities;
(vii) the independence of the auditing firm, particularly as regards the provision of non-auditing services.

In addition, in accordance with article 19 of Legislative Decree no. 39/2010 and ss.mm.ii, the Board of Statutory Auditors is given the functions of the Internal Control and Auditing Committee, and more specifically, the duty to: (i) inform the Governing Body of the audited entity of the results of the audit and, where applicable, the outcome of the sustainability reporting certification activity send it the additional report pursuant to article 11 of Regulation (EU) no. 537/2014, with any comments attached; (ii) monitor the financial disclosure process, and, where applicable, individual or consolidated sustainability reporting, including the use of the electronic format referred to in Articles 3, paragraph 11, and 4, paragraph 10, of Legislative Decree no. 125/2024, and the procedures implemented for the purpose of compliance with the reporting standards adopted by the European Commission pursuant to art. 29-ter of Directive 2013/34/EU of the European Parliament and of the Council of June 26, 2013, as well as to submit the recommendations or the proposals, ensuring they are complete; (iii) check the effectiveness of the quality and risk management, and if applicable, the internal auditing to the extent the financial disclosure and, where present, to individual or consolidated sustainability reporting (including the use of the electronic format described above), of the entity subject to audit is concerned, without breaching its independence; (iv) monitor the auditing of the separate and consolidated financial statements, and, where available, the activity of certification of conformity of the individual or consolidated sustainability report, also taking account of any results and conclusions of the quality controls carried out by CONSOB in accordance with article 26 paragraph 6 of the abovementioned European Union Regulation where available; (v) assess and monitor the independence of the independent auditing firm in accordance with articles 10, 10-bis, 10-ter, 10-quater and 17 of Legislative Decree no. 39/2010, and article 6 of the above-mentioned Regulation (EU) no. 537/2014, especially with respect to the adequacy of the other services besides the auditing received by the entity being audited in accordance with article 5 of said Regulation; (vi) be responsible for the procedure aimed at selecting the independent auditing firm and recommend the auditors or the auditing firm to be designated in accordance with article 16 of the European Regulation.

In any case, the Board of Statutory Auditors is vested with the powers established in the regulatory provisions and reports to the supervisory authorities pursuant to the regulations in effect at the time.

The Board of Statutory Auditors will inform the Board of Directors of flaws and irregularities that may be identified request the adoption of appropriate corrective measures and verify their effectiveness over time.

Statutory Auditors have also the right to begin, at any time, including individually, actions to inspect and audit, as well as to ask for information from directors, including with reference to subsidiaries, regarding the performance of corporate transactions or certain business affairs, or to send the same requests for information directly to the administration and control bodies of the subsidiaries.

The Board of Statutory Auditors may also exchange information with the corresponding bodies of subsidiaries with regard to the administration and control systems and the general status of corporate activities.

Finally, with regard to the sustainability topics relating to:

the composition and diversity of the Board of Statutory Auditors, as well as the experience relating to the company's sectors, products and geographic locations and the presence of adequate skills and expertise in the field of sustainability (ESRS 2 – Par. 19, 20 letter a) and c), 21, 23; ESRS 2 – Appendix A – RA 5), further information is provided in the Sustainability Reporting, Section "General Disclosures", Paragraph "Role of the administrative, management and supervisory bodies";
the roles and responsibilities of the Board of Statutory Auditors in overseeing the procedures aimed at managing material impacts, risks and opportunities relating to sustainability (ESRS 2 - Par. 19, 20 letter b), 22; ESRS 2 - Appendix A - RA 3 and RA 4), please refer to the Sustainability Reporting, Section "General Disclosures", Paragraph "Role of the administrative, management and supervisory bodies";
how the Board of Statutory Auditors is informed about sustainability matters and how these matters were addressed (ESRS 2 - Par. 24, 26), please refer to the Sustainability Reporting, Section "General Disclosures", Paragraph "Information provided to the company's administrative, management and supervisory bodies and sustainability matters addressed by them", as well as Paragraph "Interaction of impacts, risks and opportunities with the company's strategy and business model".

* * *

In 2024, the Board of Statutory Auditors met 34 times, with an average duration of about 3 hours for each meeting. The activities of the Board of Statutory Auditors continue in 2025 on a weekly basis in general. Starting from 1 January 2025and up to the date of this report, the Board of Statutory Auditors met 7 times (of the no. 33 scheduled).

In 2024, the Board of Statutory Auditors also took part in the Shareholders' Meeting, the meetings of the Board of Directors and, through one of its representatives, the meetings of the Internal Board Committees, as already detailed in the previous chapter.

The Statutory Auditors took also part in training sessions organised by the Bank for the benefit of its corporate representatives.

The Board of Statutory Auditors obtained information from the Directors, also in accordance with article 150, paragraph 1, of the Consolidated Law on Finance, principle XX of article 6 of the Code of Corporate Governance and article 25 of the By-Laws, on the activities carried out and the most significant economic, financial and equity transactions carried out by Banco BPM or its subsidiaries, both through a disclosure made by the bodies with delegated authority in accordance with article 2381 of the Italian Civil Code, and at an ordinary level, through the Board's participation in the meetings of the Board of Directors.

The Supervisory Body has received periodic updates (also through the Statutory Auditor appointed to participate in the Sustainability Committee and/or directly at board meetings) regarding sustainability issues (for example, evolution of the relevant legislation, progress of adaptation interventions and ongoing projects, control framework), also investigating, with the support of the functions involved, certain aspects deemed worthy of attention, in particular: (i) activities in line with CSRD provisions; (ii) the structuring of adequate safeguards in terms of procedures, human resources and organization and the definition of responsibilities and competencies, as well as the necessary information flows, also towards the Financial Reporting Manager; (iii) the " Internal Control System for Sustainability Reporting"; (iv) the progress of the NZBA Project; (v) the status of implementation of the Group's 'Green, Social and Sustainability Bond Framework'; (vi) the double materiality analysis and related outcomes; (vii) the definition of the key sustainability indicators dashboard and the results of the periodic (quarterly) monitoring.

The Board of Statutory Auditors carried out the supervisory duties (in accordance with the law, the By-Laws and internal procedures) assigned to it in accordance with prevailing law, also on the basis of an applicable programme. In this regard, it should be noted that the Control Body, as part of the

previous tasks attributed to it by law and the statutory provisions in force, monitored, in particular, the methods of practical implementation of the rules of corporate governance which the Company has declared its compliance with, by verifying, inter alia, the correct application of the assessment criteria and procedures adopted by the Board of Directors to evaluate the independence of its non-executive members, following appointment and, subsequently, on an annual basis, pursuant to the Code of Corporate Governance. For the year 2024, as for previous years, this verification produced a positive result.

In 2024, the Control Body issued the opinions required by law, the Supervisory Regulations and the By-Laws, formulating proposals to be dealt with by the Shareholders' Meeting, including, in particular, the appointment of the Auditor for the period 2026-2034. It also expressed its considerations and/or observations and carried out specific investigations where requested by the Supervisory Authorities. The Board of Statutory Auditors then examined the disclosure requests and/or the applications for specific actions made by the Supervisory Authorities and the related responses and/or plans drawn up by the Bank, monitoring the progressive implementation of improvement actions where required and referring, if necessary, to the Board of Directors.

With the regard to the most recent uncertainties related to the macroeconimic background, in 2024 the impacts due to the uncertainties connected to the international geopolitical situation continued, still influenced by the Russian-Ukrainian conflict (from 2022) and by those in the Middle East (from October 2023). . In this context of significant concern, also from a forward-looking perspective, and in view of the difficulty of quantifying the impact on the main macroeconomic variables (growth, industrial production, inflation, cost of raw materials and energy etc.) as well as on the financial and currency markets, the Board of Statutory Auditors continued to pay particular attention to the evolution of the situation during the year (as it had already done in the previous years) and emphasized the need for careful monitoring of the Italian context and for a strengthening of the supervision by the operational and control functions due to the possible risks underlying the Bank's activities, including those arising from possible cyber-attacks on the financial system.

In order to deal with the matters provided in the agenda, upon the invitation of the Board, they attended the meetings of the Control Body representing the company divisions including the business divisions.

More specifically, the Board met periodically all the Internal Control Functions and, in implementation of the provisions of Italian Legislative Decree no. 39/2010 and ss.mm.ii, kept up a constant flow of information on the development of the planned activities and the methods applied, both with the Financial Reporting Manager of the

company and with the Auditing Firm PricewaterhouseCoopers S.p.A. (engaged to audit the accounts of Banco BPM S.p.A. for the financial years 2017-2025, as well as the activity of certification of the sustainability report for the years 2024 and 2025. The Board of Statutory Auditors received and examined the so-called "Additional Report" addressed to it as the Internal Control and Auditing Committee in accordance with article 19 of the above-mentioned Italian Legislative Decree no. 39/2010.

In order to guarantee an adequate exchange of information with the Control Bodies of the Group Companies, the Board of Statutory Auditors of the Parent Company organised meetings with the Boards of Statutory Auditors of the main Subsidiaries (especially Banca Aletti S.p.A., Banca Akros S.p.A., Banco BPM Vita S.p.A. and Banco BPM Invest SGR S.p.A.) and maintained constant dialogue (including through the Chairman) with the Supervisory Board pursuant to Italian Legislative Decree no. 231/2001 of Banco BPM, of which an Auditor is a member.

For further details on the activities performed, please refer to the "Report of the Board of Statutory Auditors of Banco BPM S.p.A. to the Shareholders' Meeting pursuant to article 153 of Italian Legislative Decree no. 58 of 24 February 1998" as well as, insofar as they refer to the aforementioned Body, the consolidated sustainability report, which can be consulted in the Annual Financial Report published on the Bank's website www.gruppo.bancobpm.it, in the Investor Relations section > Balance sheets and reports.

***

Considerations on the letter dated 17 December 2024 by the Chairman of the Corporate Governance Committee.

At its meeting of 20 January 2025, the Board of Statutory Auditors acknowledged, for matters within its competence, the contents of the letter dated 17 December 2024 of the Chairman of the Corporate Governance Committee, addressed to the Chairmans of the governing bodies, and in copy to the Chief Executive Officers and the Chairmans of the governing bodies of Italian listed companies, with which the Committee, in order to promote good corporate governance in the financial community, (i) called the attention of the governing bodies and the applicable internal board committees to the recommendations it made in order to ensure that they are carefully complied with both in the corporate governance practices and during the bodies' self-assessments, with the results having to be reported in the annual reports on corporate governance and (ii) informed that it had decided, at the meeting of 16 December 2024, to adopt the updated version of the Format for the report on corporate governance and ownership structures among its tools, which, prepared taking into account the new regulations on corporate sustainability reporting, is aimed, among other things, to offer issuers a tool that can be useful for coordinating the internal processes of preparing the 'traditional' corporate governance report with those relating to the preparation of the aforementioned new sustainability reporting.

For further details, please refer to the remarks on the same letter in section 6.2 of this report.

***

As already reported previously, the Board of Statutory Auditors, also in view of the importance and complexity of the duties entrusted to it and prevailing external and internal regulations, in order to regulate the functioning of the Control Body, approved the "Regulation of the Board of Statutory Auditors" on 26 April 2017 and subsequently supplemented and amended it, most recently on 23 May 2022. Said Regulation governs, inter alia, the aspects relating to the responsibilities and the functioning of the Board, to the tasks and the control functions assigned to it, to the specific role assigned to its Chairman, to the powers conducive to the exercise of its duties and to relations with Company Bodies. The self-assessment process to which the Board of Statutory Auditors must undergo periodically to assess its composition (both from a quantitative and qualitative standpoint) and performance is also regulated.

In support of the aforesaid Regulation, the Board of Statutory Auditors has better defined, in a note of technical-operational content (last updated November 2024), the scope and outline of the activities for which it is responsible, with the intention – in addition to rationalising activities – of more incisively marking out the Board's control role.

* * *

Process of self-assessment of the Board of Statutory Auditors for 2024

The Board of Statutory Auditors, in compliance:

- with the Supervisory Provisions pursuant to Bank of Italy Circular no. 285 of 17 December 2013 (First Part, Title IV, Chapter 1, Section VI);
- with the recommendations of the Code of Corporate Governance, which the Bank applies;
- with the "Regulation of the Board of Statutory Auditors";

launched, at the meeting on 20 January 2025, its annual self-assessment process relating to the 2024 financial year.

The process was managed with the help of the staff belonging to the Corporate Affairs Secretariat, and the use of the questionnaire (with methods suited to guaranteeing respect for confidentiality and anonymity in the final document).

The self-assessment process was structured, in line with the aforementioned regulatory provisions, into the following phases:

- investigatory, with the collection of the information and data forming the basis of the evaluation;
- processing of the data and information collected in the investigatory phase and representation in aggregate form – also through quantitative indicators – of the results obtained;
- preparation of the outcomes of the self-assessment process, expressed through judgments and indications on the strengths and weaknesses identified;

- joint discussion of the outcomes of the evaluation process and their formalisation in the overall self-assessment document which shows, for each of the aspects subject to evaluation, the methodologies adopted and the process phases, the outcomes of the analyses conducted and the adequacy judgement, any areas of improvement highlighted and the points of attention that came to light as well as the relevant corrective actions to be taken;
- verification of the implementation status of the corrective actions adopted in previous selfassessments and the associated effects.

At the meeting on 24 February 2025, the Board of Statutory Auditors therefore approved the document "Board of Statutory Auditors of Banco BPM S.p.A. – Self-assessment document – FY 2024".

The results of the self-assessment showed a substantially positive picture in relation both the composition and functioning of the Board of Statutory Auditors.

In particular, the comparison between the process carried out for the 2024 financial year and that referring to 2023 provides a further picture of improvement for some evaluation profiles, as well as an overall increase in positive assessments of approximately 4.1%. All responses to the questionnaire were adequate.

With regard to the one area of improvement that has emerged, with a view to continuous improvement and in a constantly changing regulatory framework, the Board identified a specific initiative to be implemented in the scope of the new ordinary training and induction plan for the years 2024-2025 of Banco BPM Group aimed at continuously increasing the knowledge of the representatives of the sectors of activity in which the Bank and the Group operate, as well as of the relevant organizational structure, business model, company dynamics and their evolution also with a view to sustainable success, the relevant legal and regulatory framework, the methods for identifying, measuring and managing risks typically associated with financial activities, as well as any other topic considered relevant for the functioning of the company bodies. This initiative concerns (i) information technology in the field of information systems and new technologies applied to the banking, financial and insurance sectors; (ii) digitization and digital transformation processes.

7.3 REMUNERATION

The information concerning, inter alia, the remuneration of the members of the Board of Statutory Auditors, and the general policies on remuneration, are available in the "Remuneration Report" published in accordance with article 123-ter of the Consolidated Law on Finance.

8 COMPANY FUNCTIONS AND PROCEDURES

8.1 PROCEDURES FOR PROCESSING CORPORATE INFORMATION

In relation to the significance and complexity of processes of communication to the market, partners and shareholders, and the principles first approved by the Borsa Italiana Code of Best Practice and, later, by the Code of Corporate Governance, Banco BPM S.p.A., in the month it was established – January 2017 – approved the "Regulation on the management of inside information", subsequently updated in August 2018.

This Regulation, within the scope of Regulation (EU) no. 596/2014 (Market Abuse Regulation), of Implementing Regulation (EU) 2016/347, and the CONSOB guidelines, governs the processes aimed at management of the register of persons who have access to relevant information and inside information and its disclosure to the public, and for the management of market surveys, attributing the roles and responsibilities in this specific area and establishing the measures applicable to employees, any other non-employed staff and representatives of the group companies. To that end, the above- mentioned Regulation was updated in August 2018 – also with the help and advice of an external law firm – in order to implement the recent regulatory provisions and laws in the area of Market Abuse.

The Board of Directors is in charge of supervising information to the public and communications. In accordance with the provisions of article 17 of Regulation (EU) no. 596/2014 and the related implementing regulations, Banco BPM must communicate inside information that directly relates to it and that relates to the subsidiaries to the public as quickly as possible. This is subject to the option for Banco BPM to delay, under its own responsibility, the communication to the public of inside information by applying the so called the "delay process". The Chief Executive Officer oversees the external communication of inside information of Banco BPM or, if he/she makes use of the delay process, the same will inform the Board of Directors as soon as possible. The CEO – through the Communications and Social Responsibility, Corporate Affairs Secretariat, Investor Relations, Compliance, Legal and Regulatory Affairs functions and the company divisions that are responsible for certain situations – will ensure the correct application of said corporate rules.

The above-mentioned divisions work together to manage and define the press releases, especially price sensitive ones, drawn up in accordance with the forms provided by Borsa Italiana – both in Italian and in English – in order to submit them for the approval of the applicable body or parties to disclose them to the market in accordance with the mechanisms provided by prevailing laws.

In relation to the need to coordinate external communications, especially significant communications, by the Group companies, subject to the supervisory duties of the Board of Directors regarding the processes of providing information to the public and corporate communications, a process was defined that provides for giving prior information to the Chief Executive Officer who will examine the text of the press release and approve it. The Board of Directors will be informed as soon as possible.

Price sensitive press releases and internal dealing communications are disclosed to the market using the SDIR disclosure system along with the authorised storage mechanism, STORAGE, managed by Teleborsa S.r.l. (), and published on the Company website (www.gruppo.bancobpm.it) and filed at the registered office in accordance with the law.

When taking part in meetings with analysts and institutional investors or call conferences, generally organised to present the operating results, the documentation is first sent to CONSOB and Borsa Italiana and made available on the company website.

If anyone has access to the news and documents relating to the Company, acquired during their working activities, they will have to keep said information confidential and only use it to carry out their functions.

Failure to comply with the provisions on confidential information will involve application of specific sanctions.

The Regulation governs also the establishment and updating rules of the Registers of persons who have access to relevant information or inside information. Banco BPM manages (i) the Register of Relevant Information (hereinafter also referred to as "RIL"), which contains the registration of the persons who have access to information that could be, subsequently, inside information for Banco BPM, or for third party issuers, and (ii) the Insider List, which must contain the register of persons who have access to inside information of Banco BPM or relating to third party issuers; the Insider List in turn is broken down into occasional sections, specifically created for each piece of inside information, recording the parties who have access to the specific information, and a permanent section, registering those persons who, due to their positions, have access to all the inside information relating to Banco BPM since their identification.

The Regulation can be found on the Bank's website (www.gruppo.bancobpm.it – under Corporate Governance – Corporate Documents section).

With respect to Internal Dealing, in August 2016, the new European law was introduced on market abuse, which became directly applicable to the Member States following the entry into effect of said European Regulation no. 596/2014 of 16 April 2014 relating to market abuse (known as "MAR"), European Directive no. 57/2014 of 16 April 2014 relating to the criminal sanctions in the case of said market abuses (known as "MAD II") and the Delegated Regulation (EU) 2016/522 and Implementing Regulation (EU) 2016/523.

The new law introduced amendments relating to:

the scope of the instruments to be communicated, now also including in addition to the ordinary shares of the Issuer and the related financial instruments – listed bonds and the related financial instruments;
the prohibition on internal dealing in certain blocking periods. With reference to the blocking periods, a time period of 30 calendar days prior to the announcement of an interim financial report or a year-end financial report of the issuer was set.

With regard to the above, the Board of Directors meeting of 1 January 2017 approved the "Internal Dealing Regulation" after an in-depth analysis of the pre-existing and prevailing laws in order to identify the solutions that could be immediately applicable in the Banco BPM Group.

With reference to the reporting officer, in accordance with article 152-octies, paragraph 5, of the Issuers' Regulation, regarding the receipt, the management and the disclosure to the public of the information governed by the Internal Dealing Regulation, and who, to that end sends the information that comes from "insiders" to Borsa Italiana through SDIR-STORAGE, the function is carried out by the Corporate Affairs Secretariat.

Any party who, due to the positions held in Banco BPM or its subsidiaries is included in the category of "insiders" in accordance with the above-mentioned Regulation, shall sign a declaration showing they are fully aware of the Regulation adopted.

Each "insider" of Banco BPM and its subsidiaries are notified of the period of suspension of operations, and any other useful information in that area, as the occasion arises.

Said Regulation can be found on the Bank's website (www.gruppo.bancobpm.it – under Corporate Governance – Internal Dealing section).

8.2 THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM

The Internal Control System comprises the set of rules, functions, structures, resources, processes and procedures which, in order to contribute to the sustainable success of the company, aim to ensure, in respect of sound and prudent management, the pursuit of the following objectives:

− verification of the implementation of company strategies and policies;
− reduction of risk within the limits indicated in the reference framework for determining the Group's risk appetite (Risk Appetite Framework – "RAF");
− safeguarding of the value of assets and protection against losses;
− effectiveness and efficiency of company processes;
− reliability and security of company information and IT procedures;
− prevention of the risks of involvement, including involuntarily, in unlawful activities, to which the Group is exposed (with particular reference to those connected with money laundering, usury and financing of terrorism);
− operating and regulatory compliance with respect to the law, the supervisory regulations as well as the internal policies, plans, regulations and procedures.

The Internal Control System plays a central and strategic role for the Group in the corporate organisation and represents a fundamental element of knowledge for the corporate bodies in order to ensure full awareness and responsibility of the effective monitoring of corporate risks and their interrelationships. In addition, it guides the strategic lines, company policies and therefore the organisational context and oversees the functionality of the management systems and compliance with prudential supervisory institutions, favouring the dissemination of a correct culture of risks, legality and corporate values.

The culture of control takes up an important position in the scale of corporate values, and concerns not only the Internal Control Functions but involves the entire company organisation (company bodies, structures, hierarchical levels, staff), in the development and application of the logical and systematic methods for identifying, measuring, communicating and continuously monitor the typical risks associated with the activities carried out by Group companies.

The Board of Directors of the Parent Company approves the general planning and strategic guidelines and positions and the governance and risk management policies of the company and the Group, and their periodic review to ensure their effectiveness over time, defining and approving, inter alia: (i) the business model by being aware of the related risks, including environmental, social and governance ("ESG") risks, ii) the risk appetite framework ("Risk Appetite Framework") and (iii) the guidelines of the internal control system, so that the main risks relating to the company and its subsidiaries and to most significant transactions ("MST") are correctly identified, as well as adequately measured, managed and monitored.

When drawing up the strategic, business and financial plans, the Board establishes the nature and the level of risk that are compatible with the sound and correct management of the company and the Group. The Group's risk appetite is defined on an annual basis as part of the definition of the Group's risk appetite process.

The Internal Control and Risk Committee (Inetranl Board Committee) is responsible for investigation and advisory activities with regard to the duties reserved to the Board of Directors relating to the system of internal controls, analysis, appraisal, monitoring and risk management, as well as the accounting IT structure. To effectively perform its duties, it may carry out audit and inspection activities in all areas of Group activities.

The Chairman of the Committee cannot coincide with the Chairman of the Board of Directors or the Chairman of other Board Committees.

The Board of Statutory Auditors oversees the effectiveness and adequacy of the risk management and control system, as well as the internal auditing system, and the functioning and adequacy of the overall internal control system.

The Chief Executive Officer of the Parent Company, Giuseppe Castagna, was appointed by the Board of Directors as the "Director in charge of the internal control and risk management system", for the

current term of office and in compliance with the contents of the Code of Corporate Governance. The specific duties that the Code assigns to said position are described below:

− to ensure the identification of the main company risks, taking into account the characteristics of the activities performed by Banco BPM and its subsidiaries, and periodically submit them to the examination of the Board of Directors;
− to implement the guidelines established by the Board of Directors, organising the planning, formation and management of the internal audit and risk management system, and continuously verifying its overall adequacy and effectiveness;
− to handle the adaptation of said system to changes in operating conditions and the legislative and regulatory environment.

In addition, the following powers and obligations are assigned:

− the power to ask the Audit function to conduct audits on specific operating areas and on compliance with internal rules and procedures when performing company transactions, promptly informing the Chairman of the Board of Directors, the Chairman of the Control and Risk Committee and the Chairman of the Board of Statutory Auditors;
− the obligation to promptly inform the Internal Control and Risk Committee (or the Board of Directors) of problems and critical areas that have emerged during the performance of his/her duties or which he/she has been informed of, so that the Committee (or Board) may adopt the appropriate measures.

The Chief Executive Officer, as indicated in the Integrated Internal Control System Regulation:

− oversees the implementation of the strategic guidelines, the RAF and the risk governance policies defined by the Board of Directors and is responsible for the adoption of all the necessary initiatives to ensure the compliance of the organisation and the Internal Control System with the principles and requirements defined by the Supervisory Authorities, continuously monitoring their observance;
− implements the necessary initiatives and actions to constantly guarantee the completeness, adequacy, functionality and reliability of the Internal Control System and brings the results of the checks performed to the attention of the Board of Directors.

The Chief Executive Officer monitors and verifies the functioning of the Internal Control and Risk Management System through the Management Committees, established in the Parent Company organisation and operating at Group level, to support the Chief Executive Officer and the General Management in carrying out their activities.

Each Management Committee sends the Parent Company's Board of Directors at least annually, via the Chief Executive Officer, a report on the activities performed and the main results for matters within their competence. With specific reference to the internal control and risk management system, the following should be noted:

− the Risk Committee, chaired by the Chief Executive Officer, oversees integrated management of the company risks to which the individual Group companies and the Group as a whole are exposed to. The Committee is responsible for the direction, coordination, monitoring and control of risks and for protecting the corporate value and sustainable success of the Group in the long- term;
− the Credit Committee, chaired by the Chief Lending Officer, analyses the trend in the quality of the loan portfolio and the credit classification, monitoring and assessment criteria;
− the NPE Committee, chaired by the Chief Executive Officer, supports the definition and implementation of policies concerning the management of exposures classified as nonperforming and oversees the management and recovery of non-performing loans. It monitors the recovery percentages, performances and the results achieved;
− as part of its responsibilities, the New Products and Markets Committee, chaired by the Co-General Manager CBO - Marketing, takes decisions in relation to commercial operations. In said domain, it examines the classification of the countries subject to restrictions, bans, limits on operations and any changes stemming from the sanctions;
− the Finance Committee, chaired by the Chief Executive Officer, defines and implements the

policies concerning the liquidity and the financial investments, excluding equity investments and hedging transactions for interest rate mismatches for Asset Liability Management (ALM);

− the Crisis Committee, chaired by the Chief Executive Officer, assumes responsibility for coordinating and managing crises relating to emergency situations with potential impacts on business continuity or situations resulting from the fact the thresholds envisaged for the recovery indicators or dissolution status of the Group have been exceeded;
− the Environmental, Social and Governance ("ESG") Committee, chaired by the Chief Executive Officer, has proposal-making tasks in order to define the Group's social responsibility model and to supervise the implementation of the company strategies and initiatives regarding environmental, social and governance matters.

In any case, the Chief Executive Officer and the Co-General Managers are promptly informed of the decisions taken by the Committees, through the Chairman.

The principles, criteria, tasks and responsibilities regarding the functioning of the Management Committee are governed by the Regulation on Management Committees.

The Chief Executive Officer oversees the functioning of the Internal Control and Risk Management Systems also through:

− the constant verification of the progress status of the remediation activities identified to resolve the findings of the Supervisory Authorities, through structured periodic meetings with the company functions responsible for implementing the solutions;
− the outcomes of the verification activities of the internal control functions, directly dependent on the CEO and which periodically report to the Board of Directors.

From a technical-operational standpoint, the Internal Control System includes, in addition to the line controls carried out by the operational structures and incorporated in the IT procedures (first level controls), the Company's second-level (Risk, Internal Validation, Compliance, Anti-Money Laundering and – with reference to the Group's insurance companies – Actuarial) and third-level (Audit) internal control functions.

The Chief Risk Officer, which directly reports to the Chief Executive Officer of the Parent Company, and the functions that support him/her are in charge of monitoring, at Group level, and on an integrated basis, the risk governance processes (Enterprise Risk Management), developing and measuring risks (Risk Models and Methodologies) and the process of validating internal risk measurement models (Internal Validation).

With reference to the activities carried out by the Group's Insurance Companies, there is a risk control department which functionally depends on the Parent Company's Chief Risk Officer and the functions that support him/her.

The Board of Directors, including in the exercise of its management and coordination activity in accordance with article 2497 of the Italian Civil Code, in agreement with the opinions of the Internal Control and Risk Committee, with the support of the Appointments Committee and, to the extent of its responsibility, the Board of Statutory Auditors, decided – effective from 26 November 2024 – to appoint Edoardo Faletti as Manager for the risk management function ("Risk Manager") as well as Chief Risk Officer ("CRO") of Banco BPM.

Within its functions and responsibilities, the Chief Risk Officer, with the assistance its structures:

− oversees, at a Group level, and in an integrated manner, the processes of governance, assessment and risk control (risk management) in line with the defined strategies and policies;
− guarantees the development and constant improvement of risk measurement methodologies, models and metrics;
− ensures that all risks are identified, assessed, measured, monitored (also through specific ESG indicators), managed and adequately communicated; in this regard, provides independent information, analysis and advice on risk exposure, including climate, environmental and sustainabilityrelated risks, which are realized through the types of risk already monitored;
− coordinates the preparation of the RAF, ICAAP, ILAAP and risk governance surveys, monitors the

Group's risk profile and ensures the preparation of reports for corporate bodies and committees;

− facilitates the corporate bodies in the performance of their respective tasks regarding the internal control system by promoting:
- the timely and coordinated gathering of all information relevant to the quantification and management of risks;
- a more integrated capacity to process, systematize and contextualize the information acquired and to carry out evaluations, both in terms of risk and asset value, independently of other instances;
- the adoption of timely corrective measures consistent with the issues and related priorities highlighted through integrated risk management.

In addition, the Chief Risk Officer ensures the functional coordination of the risk control measures of the Group companies.

The Risk management function is composed of three divisions:

− Risk Models and Methodologies;
− Enterprise Risk Management;
− Internal Validation.

In the area of risk, the Group aims to guarantee the development and continuous improvement of processes, models and risk metrics, the alignment to the best international standards, the implementation of the Supervisory regulations and directives, and the development of efficient monitoring and reporting controls.

Risk Models and Methodologies

The Risk Models & Methodologies division, reporting to the CRO, develops, proposes and applies the approaches (tools, models and processes) for the measurement, management and control of the risks for which it is responsible and guarantees the adequacy of liquidity at Group level. The division ensures support for the performance of regulatory exercises and audits and the preparation of disclosures to the Corporate Bodies, Supervisory Authorities and the market.

The main responsibilities of the division can be indicated as follows:

− ensuring the development and continuous improvement of internally developed risk measurement models and methodologies for regulatory, budgetary and management purposes, consistent with the prudential Supervisory Provisions for banks, accounting standards and strategies defined by relevant corporate bodies, collaborating in their application in corporate operations, supporting internal functions in their management use and formulating proposals for mitigating risk exposure;
− ensuring the preparation and maintenance of the "model sheets" which illustrate the main features of the CRO's risk measurement models;
− assisting in assuring Corporate Bodies that the Group is continuously operating with an adequate amount and composition of liquidity by preparing the necessary analysis and documentation for the purposes of the annual adequacy self-assessment ("ILAAP");
− guaranteeing support, for the parts under its responsibility, to the RAF, OMR, ICAAP, Recovery Plan and Resolution Plan processes, contributing to the definition of the operational limits of exposure to risks for each type;
− ensuring the preparation of information and analyses required by the Supervisory Authorities, of the notes to the financial statements and the public disclosure (Pillar 3) relating to the risks under their responsibility, providing specialist methodological support for the definition of relevant company regulations;
− supporting the performance of regulatory exercises and the activities of the inspection team involved in the assessment of the internal risk measurement systems;
− proposing the annual planning of the activities under its responsibility to allow their integration in the overall plan and the annual reporting of the activities of the CRO;

− guaranteeing, even in the absence of the CRO, the monitoring of information flows at Group level to the Corporate and Institutional Bodies;
− operating as a as a point of reference in the field of sustainability, acting in coordination with the Transition and Sustainability function;

The Risk Models & Methodologies division is structured as follows:

− Credit & Non-Financial Risks;
− Financial Risks.

Enterprise Risk Management

The Enterprise Risk Management divisions, reporting to the CRO, contributes to overseeing the process of defining and implementing the Risk Appetite Framework (RAF) and ensures periodic and integrated reporting on the Group's overall risk profile, identifying the main critical issues and contributing to proposing any corrective actions.

The main responsibilities of the division are as follows:

− supporting the competent Bodies in defining the Group's risk appetite through a risk appetite proposal that allows them to increase their awareness of the risks the Group takes in pursuit of its strategic objectives;
− guaranteeing the predisposition of the integrated risk reports for the Corporate Bodies that allows them to be continuously aware of the risk profile undertaken by the Group, verifying its consistency with the approved risk appetite and providing support to the CRO through the formulation of ex ante opinions (e.g. ST, Significant Transactions);
− guaranteeing an effective process for monitoring the Group's risk profile that allows for the timely activation of the escalation mechanisms in the event of exceeding the approved risk thresholds, in order to decide whether to implement the related contingency and recovery actions;
− assisting in assuring Corporate Bodies that the Group is continuously operating with an adequate amount and composition of capital by guaranteeing the predisposition of the necessary analysis and documentation for the purposes of the annual capital adequacy self-assessment (ICAAP);
− guaranteeing support to the Domestic Payments structure in the management of insurance policies taken out at Group level and of any claims;
− guaranteeing the supervision of the Group's insurance programmes and supporting the Domestic Payments structure in the management of any claims in the area of assets and business;
− releasing of an ex-ante opinion on the resolution upon proposal for concession or classification indicated with a risk-based criteria ("OMR/OS");
− supporting the preliminary opinion on the proposed changes to the criteria for identifying financial difficulty, watchlisting, backstops for classification to Stage 2 and classification as higher or lower risk;
− guaranteeing second-level controls on the credit and financial assets inherent in the main items of the Group's financial statements and on relations with customers, consistently with the requirements set out in current supervisory regulations, focusing in particular on the proper implementation of the relevant processes by the operating structures, as well as on the accuracy and representativity of the information used in these areas;
− guaranteeing the quality of the execution and transmission of orders, monitoring in particular the effectiveness of the strategy;
− assisting in assuring the extension of the Risk Data Aggregation and Reporting principles of the Basel Committee (BCBS239) and ensuring the the full application of Group Data Governance framework;
− ensuring the monitoring of regulatory legislation and contributing, to the extent of its competence, to the preparation of the information required by the Supervisory Authorities;
− supporting the Business Lines in the use of risk information within the processes under their responsibility, contributing and promoting the dissemination of the risk culture;

− contributing to the implementation of a "holistic" view of risks by the Internal Control System;
− guaranteeing the monitoring of the IT risk mitigation measures proposed in the periodic reports on the evolution of ICT and security risk;
− helping to identify the criteria and processes for the definition of the customer's risk appetite;
− contributing to the correct assignment to the target market of the products distributed to retail customers and a correct assessment of the same;
− supporting the processes for measuring and monitoring the risks and performance of customer portfolios and Individual Asset Management;
− proposing the annual planning of the activities under its responsibility to allow their integration into the overall plan and the annual reporting of the CRO's activities;
− assisting in assuring the management and supervision of the ICT risks and security.

The Enterprise Risk Management division is structured as follows:

− Risk Control;
− Risk Strategy.

Internal Validation

The Internal Validation division, which reports to the CRO, is aimed at ensuring the validation of the models used internally to quantify the risks to which the Group is exposed.

The main responsibilities of the division are as follows:

− autonomously governing the internal validation process at Group level by managing, to the extent of its competence, relations with the Supervisory Authorities, the Corporate Bodies and with the Internal Audit Function;
− validating the internal risk measurement systems, already in place or in the development phase, assessing on an ongoing basis, to the extent of its competence, the following components: models, processes, controls, data integrity and quality and, in general, their compliance over time with regulatory provisions, company requirements as well as business development;
− assessing, together with the other structures of the CRO, the model risk implicit in the methodologies used to measure risks;
− carrying out in-depth analyses on the calculation of capital requirements, availing itself, where necessary, of the support of the other structures of the Group;
− carrying out the relevant controls in order to verify the adequacy of the methodologies applied to calculate the Group's risk profile;
− sample-checking the pricing models used by the competent corporate functions to determine the fair value of financial instruments;
− carrying out, where possible, benchmarking and back-testing analyses;
− identifying and promptly reporting any critical issues found during the validation analyses, monitoring their progress;
− developing and maintaining validation methodologies up-to-date, guaranteeing compliance with the relevant regulatory requirements;
− carrying out the annual planning on the activities of its competence;
− preparing the periodic and specific (internal and external) information flows (reports) to the corporate bodies and the board and management committees of the Bank and the Group companies as well as to the Supervisory Authorities;
− contributing to the maintenance of the register of the default definition.

The Internal Validation division is structured as follows:

− Credit Validation;

− Validation of Models.

Legal risk oversight is managed by the Legal and Regulatory Affairs department through the process of providing support and advice on legal matters to the central and peripheral structures of the Parent Company and Group companies in relation to the activities they carry out and the related contractual aspects, and also through the management of judicial and extrajudicial litigation of the Group, with the exclusion of labour, social security and tax litigation. Additionally, the Legal and Regulatory Affairs department provides an internal regulatory alerting service to ensure the constant monitoring and provision of information on developments in the external regulatory framework for matters that have an effect on the Group activities (EU and national, primary and secondary) and on case law.

The Tax Risk Management Department, reporting to the Tax Affairs Department, supervises the risk of non-compliance with tax regulations, in line with the responsibilities defined from time to time in company regulations.

The main responsibilities of the department are indicated below:

− to promote the formalization of tax risk management processes in agreement with the Compliance function;
− to verify that proposals for innovation in the Group's products, services and operations guarantee full compliance with current tax regulations;
− to verify from a tax perspective the correct structure of contracts and of forms;
− carry out audits on the tax compliance of the Group's operations in agreement with the Compliance function;
− verify that the structures concerned are correctly fulfilling the formalities required by agreements entered into with the tax authorities of foreign countries and by the implementing regulations;
− carry out planning, monitoring and reporting activities relating to the system for detecting, measuring, managing and controlling tax risk ("Tax Control Framework").

The Group's Compliance function carries out its activities, reporting directly to the Chief Executive Officer, both for the Parent Company and for the Group companies that have outsourced the service, and has direct access to the Corporate Bodies, communicating with them without any restrictions or intermediation.

The function oversees, according to a risk-based approach, the management of compliance risk with regard to all company activities, verifying – during both the start- up and operating phases – that internal procedures are adequate to prevent that risk.

For rules relating to the exercise of banking and brokerage activities, the management of conflicts of interest, transparency towards customers and, more generally, regulations for consumer protection, the Parent Company's Compliance function (as required by the Supervisory Provisions) is directly responsible for managing the risk of non-compliance.

With reference to other regulations for which specific forms of specialist oversight are set forth, the tasks of the Compliance function – based on an assessment of the adequacy of specialist controls to manage non-compliance risk profiles – are graded.

− The Compliance function is in any event responsible (in collaboration with the specialised functions assigned) for defined fields:
− establishing the compliance risk assessment methods;
− identifying the relative procedures;
− verifying the adequacy of said procedures to prevent compliance risk.

For the areas directly supervised by other second-level Control functions of the Parent Company, or by the Financial Reporting Manager, or by the Compliance function of the Group's companies which have not outsourced such function to the Parent Company, the monitoring of non- compliance risk is implemented by those functions limited to the aspects falling within their specific responsibilities and operational scope.

For the areas not directly supervised by the Parent Company's Compliance function, coordination mechanisms and information to the latter flows are provided.

The Compliance function of the Parent Company carries out the functions of guidance, coordination and control for the compliance structures of the companies belonging to the Group that have not outsourced the function to the Parent Company. In particular, in application of the management and coordination mechanisms established in the governance model of the Banco BPM Group, there are functional relationships between the Compliance functions of the insurance companies and the corresponding function of the Parent Company.

The Board of Directors, including in the exercise of its management and coordination in accordance with article 2497 of the Italian Civil Code, in agreement with the opinions of the Internal Control and Risk Committee, with the support of the Appointments Committee and having heard the opinions, to the extent of its responsibility, of the Board of Statutory Auditors, decided – effective from 19 June 2018 – to appoint Maurizio Nigro as responsible for the Compliance function ("Compliance Manager"). The Compliance Manager is also responsible for the engagement of the Data Protection Officer ("Data Protection Officer") pursuant to article 37, paragraph 7, Regulation (EU) 679/2016 (GDPR) regarding privacy.

The current organisational structure of the Parent Company compliance function is divided into four specific structures, two of which report to the Compliance Manager (one responsible for guidance and methodological coordination, preparation of Management Reporting, and definition of the functional requirements for developing supporting applications, while the other is responsible for overseeing the privacy regulatory framework) and two structures are dedicated to regulatory issues applicable to Banco BPM Group. Specifically, the Organisational Units are as follows:

− Methodology and Reporting Coordination;
− DPO Support;
− Banking Services, Governance, and ICT Compliance;
− Investment Services and Markets Compliance.

As of 1 July 2022 and like all other second-level control functions, the Anti-Money Laundering function carries out its activities, reporting directly to the Chief Executive Officer, for the Parent Company and for the Group companies that have outsourced the function.

The relationship between the Anti-Money Laundering function, which has the role of guidance, coordination and control, and the corresponding functions present in the Group companies that have not outsourced them to the Parent Company, is carried out according to the principles defined by the "Banco BPM Group Governance Regulation" (RE 303) on functional dependence.

The function is aimed at overseeing, with full control autonomy and with direct access to the top management bodies (including the Supervisory Board established pursuant to Legislative Decree 231/01), the risk of money laundering and of terrorist financing by performing, in this context, also the obligations related to the assessment and forwarding to the FIU of suspicious transaction reports. This control function is also assigned the duties and responsibilities of the Sanction Compliance Officer in order to monitor compliance with the provisions that apply the international sanctions imposed by the various source countries.

The Anti-Money Laundering is equipped with the necessary independence, resources and skills necessary to carry out its duties, as well as adequate economic resources. It has access to all the activities and data of the Parent Company and of the Group companies that have entrusted the service as well as to any information relevant to the proper performance of its tasks.

The Anti-Money Laundering oversees the management of the risk of money laundering and terrorist financing according to a risk-based approach. To this end:

− collaborates in the definition of the money laundering risk governance policies and the definition of the Internal Control System and the procedures aimed at preventing and combating money laundering risks;
− provides support to corporate bodies;

− identifies the applicable regulations and continuously verifies the adequacy of the money laundering risk management process and the suitability of the Internal Control System;
− defines the criteria and content of the information set required during the due diligence phase; issues a prior opinion to initiate or continue a relationship in cases where the authorisation of a senior manager is required;
− conducts, in liaison with the SOS manager, checks on the functionality of the reporting process and on the appropriateness of the assessments made by the first level on customer operations, and defines procedures for handling SOS concerning particularly high-risk situations to be treated with due urgency;
− conducts, in liaison with the other corporate functions concerned, the annual internal assessment on money laundering risks;
− assesses in advance the risk of money laundering associated with the offer of new products and services, the significant modification of products or services already offered, the entry into a new market or the start-up of new activities;
− verifies the reliability of the information system for the fulfilment of customer due diligence obligations;
− transmits to the FIU objective communications and aggregated data concerning its overall operations;
− transmits to the Bank of Italy, on an annual basis, periodic anti-money laundering notifications;
− manages, in conjunction with the other company departments responsible for training, the preparation of an adequate training plan and the structuring of the effectiveness indicators of the training activity carried out; prepares the periodic information flows to the corporate bodies;
− contributes to the preparation of the Integrated Report on the Internal Control System and expresses its assessment;
− promptly informs the corporate bodies of violations or significant shortcomings found in the exercise of their duties;
− periodically informs the corporate bodies about the progress of the corrective actions adopted;
− at least once a year, prepares and submits to the corporate bodies the Report on the activities carried out, which also includes the results of the self-assessment of the risks of money laundering and terrorism financing.

The Anti-Money Laundering, in addition to providing support and assistance to the Corporate Bodies and Management, promptly informs the Corporate Bodies of significant violations or deficiencies found in the exercise of its duties and prepares stable and periodic information flows.

The Group's Anti-Money Laundering Manager is responsible for the reporting activities and the continuous definition of the methods for assessing the risk of money laundering and terrorist financing for the purposes of carrying out the self-assessment exercise of the Parent Company and the Group, as well as the coordination of the training initiatives conducted or promoted by the Anti-Money Laundering function itself.

The Board of Directors, including in the performance of its management and coordination activities in accordance with article 2497 of the Italian Civil Code, having consulted with the Internal Control and Risk Committee with the support of the Appointments Committee, having also consulted with the Board of Statutory Auditors, resolved on 29 September 2020 to appoint Ms Arianna Rovetto as Manager of the Anti-Money Laundering Function and Group's Anti-Money Laundering Manager. Since that date, the Group's Anti-Money Laundering Manager has also been associated with the position of first delegate for reporting suspicious transactions and for sending communications to the Authority concerning infringements of the provisions restricting the use of cash and bearer securities or prohibiting products in anonymous form or under fictitious names.

This power was granted in accordance with a "cascading" model that provides, in the event of absence or impediment, for granting said powers, on a successive basis, to the other authorised parties who belong to the same function; in this context, in view of the assumption of the role of Head of Controls of the Milan and North Lombardia Territorial Department, the delegation granted to Mr. Marco Caruso

as Head of the Suspicious Transactions Reporting Department ceased as of 1 December 2024. From the same date and subject to the decision of the Board of Directors of Banco BPM, which took place on 26 November 2024, the role of Head of the Suspicious Transactions Reporting Department was granted to Mr. Francesco Cirillo, who also assumed the role of second Delegate for suspicious transaction reporting.

Consequently, an additional name has been identified within the Suspicious Transactions Reporting Department, in addition to the previous delegates, to whom the aforementioned delegation has been granted, which will be exercised in the order provided for in the aforementioned model.

Through the company regulations on the prevention of money laundering and terrorist financing, as last updated on 5 September 2024, the Group has implemented the regulatory provisions relating to the governance of money laundering and terrorist financing risk, following the issue, on 1 August 2023, of the Measure that amended the "Provisions of the Bank of Italy regarding organization, procedures and internal controls for anti-money laundering purposes", which came into force on 14 November 2023.

In line with the above-mentioned Provisions, during 2024 the Manager for Anti-Money Laundering has been therefore appointed by the Boards of Directors (I) of Banco BPM Invest SGR in the person of Mr. Roberto Giancarlo Peronaglio; (II) of Banca Aletti, in the person of Mrs. Arianna Rovetto and (III) of Aletti Fiduciaria in the person of Mr. Giovanni Marafante.

Following the outsourcing of the Anti-Money Laundering function of Banco BPM Invest SGR to the Parent Company – which took place in 2023 – and the specific authorization to operate by the Bank of Italy, received on 13 March 2024, the reference for the outsourced Anti-Money Laundering function was identified and appointed, pursuant to Bank of Italy Circular no. 288, in the person of Mr. Roberto Giancarlo Peronaglio, Executive Director of Banco BPM Invest SGR.

During 2024, in accordance with the same Bank of Italy regulations (Circular no. 285 and Circular no. 288), the internal reference for the Anti-Money Laundering function of the following subsidiaries that have outsourced the Anti-Money Laundering function to the Parent Company have also been changed:

The Anti-Money Laundering is organised internally as follows:

− Anti-Money Laundering Compliance;
− Anti-Money Laundering Controls;
− Suspicious Transaction Reporting;
− Judicial Authority Research and Tax Assessments.

The Actuarial department operates in the insurance sector, which contributes to the implementation of the Internal Control System by:

− coordination of the calculation of technical provisions;
− opinion on the underwriting policy, on the adequacy of reinsurance agreements and risk mitigation techniques;
− contribution to the risk management system.

The Parent Company's Audit function is responsible, on the one hand, for controlling the regular course of operations and the development of risks from a third level perspective, also by means of on- site and remote audits, and on the other hand, for assessing the completeness, adequacy, efficiency and reliability of the Internal Control System, contributing to the spread of the culture of risk and indicating possible improvements to the risk management, measurement and control process to the corporate bodies, and taking an active part in their implementation.

The Audit function – hierarchically reporting to the Board of Directors – is directly in charge, as an internal audit function, for all the central and peripheral divisions of the Parent Company and the Italian companies of the banking Group, which have granted with the function in outsourcing.

The Parent Company Audit function performs the role of directing, coordinating and controlling the Internal Audit functions of companies in the financial Conglomerate that have not outsourced this

function to the Parent Company in accordance with the principles set out in the "Banco BPM Group Governance Regulation" on functional dependence and in compliance with local constraints for foreign companies. .The Board of Directors, including in the exercise of its management and coordination in accordance with article 2497 of the Italian Civil Code, having heard the opinions of the Internal Control and Risk Committee, with the support of the Appointments Committee, and, to the extent of its responsibility, of the Board of Statutory Auditors, decided – from 16 September 2019 – to appoint Andrea Francesco Antonio Alessandri as Audit Manager, defining his remuneration in accordance with company policies. Mr Alessandri was also appointed by the Board as the Manager of the Internal System to Report Breaches (SISV) of the regulations governing the banking activities of the Parent Company.

Mr Andrea Francesco Antonio Alessandri, pursuant to the Code of Corporate Governance, also holds the role of internal control officer and – free from hierarchical constraints with respect to the managers of the operational areas – has access to all information useful and necessary to perform his duties.

The organisational structure of the Audit function includes the following structures:

− Audit and Quality Assurance Coordination;
− Audit methodologies;
− Lending Audit;
− Finance Audit;
− Governance Processes Audit;
− Network Audit.

This structure meets the requirement to ensure constant monitoring of the activities carried out by the Group, while ensuring the continuous strengthening of the audit methods and due attention to the effects of the strategic policies adopted by the Group (i.e. in terms of Risk Appetite Framework, strategic planning, processes with greater significance) to identify those areas that could be more exposed to weakness, including prospective.

The 2024 Audit Plan, approved by the Board of Directors on 12 March 2024 and updated in the third quarter of the same year, is distinguished for being focused on the areas of Group operations characterized by a higher level of current and forward-looking risk. The mandatory activities linked to the regulatory provisions are still significant, in addition to the inspections required by the ECB, with special reference to the risk governance, control and management processes and the internal market and credit risk models.

The inspections of the Sales Network were planned and carried out by also taking account of the risk highlighted by the remote red flags system.

The Audit function guarantees also the certification of adequacy and implementation of the remedial actions resulting from the inspections by the national or supranational Supervisory Authorities.

The Audit function, on the basis of the information flows defined in an applicable company Regulation, last updated in 2024, has prepared and reported, in a timely manner, to the Corporate Bodies (Board of Statutory Auditors, Internal Control and Risk Committee, Board of Directors), on events of particular significance, and has sent periodic reports containing adequate information on their activities, on the mechanisms used to manage risks (and on compliance with the plans defined to reduce risks), and a periodic assessment of the suitability of the internal control and risk management system (including the information systems).

In implementation of the provisions of art. 52-bis of the Consolidated Banking Law, art. 10-quater of the Private Insurance Code, Legislative Decree no. 24 of March 2023 and Legislative Decree 231/2001, the Group has an internal system for reporting violations (so-called whistleblowing) deriving from unlawful conduct, including alleged or attempted conduct. This system promotes the identification of irregular or unlawful conduct, protecting the authors of the reports and the other persons involved. The system is supported by a specific IT procedure which guarantees the confidentiality of the reports received and their management in compliance with the law and regulations.

As a result of the overall activities carried out during 2024, such as the analysis of the periodic and

annual reports of the control functions, the Board of Directors, subject to the opinion of the Internal Control and Risk Committee, notes, at this stage, that no elements have arised to deem that the Internal Control System is not, on the whole, substantially adequate and effective with respect to the characteristics of the Group and the risk profile taken on, even though certain areas could be improved that are already being considered by the competent internal functions.

Coordination between the parties involved in the internal control and risk management system

The direction and unified governance with respect to the Integrated Internal Control System are carried out by the Parent Company, which, within the scope of its functions of management, coordination and control:

− determines the principles, rules, roles and responsibilities;
− defines and delimits the profiles of responsibility of each Group entity, with special reference to the role of the Parent Company and the Group companies;
− defines the information flows and related coordination mechanisms. The Parent Company exercises also the following controls:
− strategic: to check the consistency of the decisions made by the individual members of the Group with respect to the guidelines decided on by the Parent Company and to define any corrective actions;
− management: to ensure the maintenance of the economic, financial and capital balance both by the individual members of the Group and the Group as a whole. This control is exercised on a prior basis through the preparation of plans, programmes and budgets, and on a final basis through the analysis of the periodic situations, the interim accounts and the financial statements of the individual companies and the consolidated accounts;
− operational techniques: to measure and evaluate the overall risks to which the individual Group members are exposed, and the Group as a whole, and to ensure that the activities are carried out with the necessary effectiveness and efficiency and to evaluate the relative oversight in terms of internal controls;
− compliance: to ensure compliance with the regulations and operational compliance of the company processes;
− adequacy: to assess the proper management of risks and the control processes.

The parties appointed to carry out the above-mentioned coordination, each for the aspects falling under their own responsibility, are represented by: Board of Directors of the Parent Company, Chief Executive Officer, Board of Statutory Auditors, Supervisory Board 231/2001, Internal Control and Risk Committee (internal board committee), Coordination Committee of the Group Internal Control System (managerial) and Risks Committee (managerial).

A specific role in the area is assigned to the Coordination Committee of the Group Internal Controls System, which has the specific duty of strengthening the coordination and cooperation mechanisms between the control functions and providing an integrated representation and correct classification of the overall risks that the Group is exposed to, subject to the specific nature and responsibilities of the individual internal control functions.

The Parent Company has defined a coordination model of the Corporate Bodies and the control functions that is set out through the following elements:

a) Definition of the methods and coordination instruments for the assessment of the Internal Control System

In order to guarantee and facilitate the coordination between the control functions and the Corporate Bodies, the Internal Control System adopted an assessment method to perform the control activities that require the use of elements of analysis and common measurement metrics (e.g. criteria for allocating the level of urgency of actions to mitigate the risks arising from the audits of the control functions), and reporting mechanisms to ensure uniform reports (e.g. Integrated Tableau de Bord dashboard of the control functions).

The adoption of an integrated assessment of the Internal Control System aims to permit the

comparison of the assessments made by the various control functions and to obtain an assessment of the overall operating model of the Group.

b) Scheduling the control activities

All the control functions have to prepare a plan of the respective activities.

The control functions, within the scope of the Coordination Committee of the Group Internal Control System, carry out formalised coordination for the periodic scheduling of the respective activities in order to efficiently manage potential areas of overlap and to capitalise on possible synergies.

The plans of the control functions are submitted for approval to the Board of Directors of the Parent Company, with the opinion of the Internal Control and Risk Committee, the Board of Statutory Auditors, as well as the Group companies for the applicable parts, thereby ensuring a further level of inspection of the actual coordination of the activities.

c) Controls, inspections and identification of risk mitigation measures

Regarding coordination, the information flows defined by the control functions are significant with reference to the results of the inspections.

The heads of the functions carrying out second-level controls inform the Audit function manager of the critical points detected in their activities that may be of interest for the audit activity. The Audit function manager will inform the managers of the other internal control functions of any inefficiencies, weak points or irregularities that emerged during their inspections and regarding specific areas of matters they are responsible for.

d) Reports and information flows

Information flows were defined aimed at:

− guaranteeing completeness, quality and promptness of information in the findings that emerge, allowing the recipients to make use of any information useful to perform the activities they are responsible for correctly;
− ensuring adequate coordination between the activities arranged by the Corporate Bodies and the control functions;
− encouraging the movement of reports of weaknesses that allow situations of particular severity to be brought to the attention to the higher hierarchical levels;
− allowing informed choices to be made to support the decision-making process relating to the risk mitigation measures to adopt;
− supporting the Internal Control System improvement process as a whole.

To support the coordination activities between the parties involved in the internal control and risk management system, the GRC (Governance, Risk and Compliance) IT application was adopted in January 2023, which allows easier sharing of information assets between the internal control functions, the creation of synergies in operations and production of the data necessary to empower the summary reports to the corporate bodies. This application supports, among other things, also the preparation of the integrated assessment of the Internal Control System and the integrated management of the risk mitigation measures that emerged from the audits carried out by the control functions, also for the purposes of subsequent reporting to the corporate bodies. The reports supporting this reporting (Integrated Control Functions Tableau de Bord) have been further developed and made available in an automated and dynamic manner during 2024.

Finally, with regard to the sustainability topics concerning:

− the roles and responsibilities of the administrative, management and supervisory bodies in overseeing the procedures aimed at managing material impacts, risks and opportunities relating to sustainability (ESRS 2 - Par. 19, 20 letter b), 22; ESRS 2 - Appendix A - RA 3 and RA 4), please refer to the Sustainability Reporting, Section "General Disclosures", Paragraph "Role of the administrative, management and supervisory bodies";
− how the administrative, management and supervisory bodies are informed about sustainability matters and how these matters were addressed (ESRS 2 - Par. 24, 26), please refer to the Sustainability

Reporting, Section "General Disclosures", Paragraph "Information provided to the company's administrative, management and supervisory bodies and sustainability matters addressed by them".

Main characteristics of the existing internal control and risk management system in relation to the process of financial disclosure (article 123-bis, paragraph 2, letter b), of the Consolidated Law on Finance)

The reference model identified by Banco BPM (hereinafter for brevity the "Model") to fulfil the legal requirements set out by article 154-bis of the Consolidated Law on Finance, is based on the COSO and COBIT Framework27, that constitute the reference standards for the internal control system that are generally accepted at international level.

This Model, formalised in the "Regulation on the Financial Reporting Manager (Italian Law 262/2005)" most recently approved by the Board of Directors of Banco BPM on 29 November 2018, was aimed at guaranteeing reliability, accuracy, trustworthiness and timeliness of financial information, and provides as follows (in summary):

− an adequate internal control system at corporate level to reduce the risk of errors or incorrect conduct for the purpose of accounting and financial reporting;
− the establishment and subsequent maintenance of adequate sensitive processes for financial reporting purposes and the check of their adequacy and actual application.

The main activities of the model are described below, necessary to the issue of the statements provided for under article 154-bis of the Consolidated Law on Finance:

− Identification of the scope of the inquiry in terms of Group companies, financial statements items and processes considered to be significant in relation to the impact on the accounting and financial reporting of the company;
− Assessment of the internal control system at company level (entity level control) in order to ensure adequate governance systems at corporate level, such as adequate risk management processes and clear models for the assignment of authorisations and responsibilities. To that end, the Financial Reporting Manager will coordinate with the Audit Function and examine the "Assessment report of the internal control system of the Group" prepared by the Audit department;
− Formalisation of the processes and controls implemented to mitigate the risks relating to financial reporting. The map of the controls to mitigate the risks to monitor proper financial reporting is carried out by the Financial Reporting Manager on the basis of the formalised processes in the internal rules by the Organisation division;
− Assessment of the risks and the adequacy of the control designs adopted (Risk & Control Assessment/Test of Design). This activity aims to assess the adequacy of the administration and accounting procedures to draw up the financial statements and any other accounting and financial information and is carried out through the assessment of the key controls in order to reduce the risks relating to financial reporting;
− Check of the effective and continuous application of the controls by the operating divisions (Test of Effectiveness). The testing of the effectiveness of the controls ("testing activities") is aimed at assessing the actual application, in the reference period, of the administrative and accounting procedures for the preparation of the financial statements and any other financial information and the technological infrastructure governance procedures;
− Definition and monitoring of any corrective actions to put in place in view of any organisational shortcomings found in the assessment of the adequacy and actual application of the administrativeaccounting procedures and the relative controls.

In order to further support the process described above regarding the adequacy of the accounting and administrative processes aimed at the production of the consolidated financial

²⁷ The COSO Framework was established by the Committee of Sponsoring Organizations of the Treadway Commission, the U.S. organisation dedicated to improving the quality of financial reporting through ethical principles and an effective system for corporate governance and organisation. The COBIT Framework - Control Objectives for IT and related technology is a set of rules prepared by the IT Governance Institute, the U.S. organisation whose aim is to define and improve the principles of corporate IT.

reporting, the Model provides for a statement system by the Group subsidiaries with respect to the Parent Company Financial Reporting Manager whose aim is to ensure that the data communicated by the subsidiaries for the purpose of drawing up the consolidated Group financial statements give a true and fair presentation of the assets, liabilities, profit or loss and financial position of the Company.

The Model defines also an adequate information flow system between the Financial Reporting Manager and the other company divisions/bodies in order to ensure that the Financial Reporting Manager promptly acquires and completes the relevant information for financial reporting purposes, and to guarantee the functional participation of the Financial Reporting Manager in the corporate governance of the Group.

The Financial Reporting Manager will inform the Board of Directors on the performance of the management and control of the process to prepare the accounting and financial reporting documents for the market, on any weaknesses found, on the corrective measures put in place to overcome these weaknesses and the adequacy and actual application of the procedures relating to the financial statements. This reporting obligation will be carried out by drawing up a half-yearly report submitted to the Board of Directors before the approval of the half-yearly and annual financial report.

For information on the appointment of the Financial Reporting Manager and on the related resources and powers, please refer to paragraph below "8.4 Financial Reporting Manager" of this report.

Sustainability reporting information process

The model of the internal control system for the Sustainability Reporting has been defined on the basis of the financial reporting system, as described in the previous paragraph, with the necessary adaptations to take into account the different characteristics of the reporting.

For more details regarding the internal control and risk management system in relation to the Sustainability Reporting process (ESRS 2 - Par. 34, 36; Appendix A - RA 5), please refer to the Sustainability Reporting, Section "General Disclosures", Paragraph "Risk management and internal controls on sustainability reporting".

In this context, the CEO and the Financial Reporting Manager issue the report certifying the compliance of the Sustainability Report, in accordance with the provisions of Article 154-bis, paragraph 5-ter of the Consolidated Finance Law.

8.3 EXTERNAL AUDITOR

In accordance with the law and the By-Laws, the external auditor is appointed by the Ordinary Shareholders' Meeting upon reasoned proposal of the the Board of Statutory Auditors.

The Shareholders' Meetings of Banco Popolare and Banca Popolare di Milano, which decided, on

15 October 2016, to approve the Merger Plan, has also decided to engage the auditing firm PricewaterhouseCoopers S.p.A., with registered office in Milan, Piazza Tre Torri 2, enrolled in the Register of Auditors at the Italian Ministry of Economy and Finance, for the audit the separate and consolidated financial statements of the Group, the limited accounting audit of the abridged interim consolidated financial statements, to ensure that the corporate accounts are properly kept and that the operating events are correctly reflected in the accounting records, pursuant to Articles 13, paragraph 1 and 17 of Legsilative Decree no. 39/2010.

The aforementioned engagement was assigned for the years from 31 December 2017 to 31 December 2025, in compliance with the duration envisaged by law (9 financial years).

In view of the expiration of the current external auditor's term of office, the Ordinary Shareholders' Meeting of 18 April 2024 appointed Deloitte & Touche S.p.A. as the external auditor for the financial years 2026-2034, based on the reasoned proposal of the Board of Statutory Auditors.

The auditing firm expresses its opinion on the separate and consolidated financial statements and on the condensed consolidated half-yearly financial statements. The audit report on the financial statements contains the key aspects of the audit, i.e. the aspects considered the most significant as part of the audit, according to the auditor's professional judgement.

The audit report also contains the judgement on the consistency of the report on operations with the financial statements and some specific information contained in the report on corporate governance and ownership structures and their compliance with the requirements of the legal provisions.

The results reported by the independent auditors in the additional report pursuant to article 11 of European Regulation no. 537/2014, addressed to the Board of Statutory Auditors, and in any letter of suggestions should be sent to the Board of Directors for the appropriate evaluations.

Following a specific engagement, the external auditors issue the report certifying the conformity of the Sustainability Report, included in the Consolidated Management Report, pursuant to Article 14 bis of Legislative Decree No. 39/2010.

8.4 FINANCIAL REPORTING MANAGER

In compliance with the provisions of article 154-bis of the Consolidated Law on Finance, Banco BPM has envisaged the appointment of the Financial Reporting Manager who is responsible for ensuring proper oversight of the adequacy of the accounting-administrative procedures used for the preparation of the financial statements for the year and the consolidated financial statements and, more generally, any financial communication.

To this end, the Financial Reporting Manager exercises, at Group level, a role of guidance and coordination on the administrative-accounting areas and oversees the internal control system on financial reporting.

In accordance with the By-Laws, the Financial Reporting Manager must possess, in addition to the requirements of integrity provided by prevailing laws for those who carry out administration and management, the requirements of professional competence characterised by specific expertise, from the administrative and accounting standpoint, on lending, finance, real estate and insurance matters. These skills must have been acquired through work experience in positions of adequate responsibility for a consistent period of time and in companies of comparable size to the Company.

In this regard, in January 2017, the Board of Directors, subject to the opinion of the Board of Statutory Auditors, appointed Mr Gianpietro Val, Head of Administration and Financial Statements, as the Financial Reporting Manager, in compliance with the provisions pursuant to article 154-bis of the Consolidated Law on Finance.

The Financial Reporting Manager will have specific responsibilities aimed at ensuring a true and fair presentation of the assets, liabilities, profit or loss and financial position of the Group. More specifically, the Financial Reporting Manager will have the following duties:

− to certify that the documents and disclosures disclosed to the market and regarding interim and annual accounting information of the Company correspond to corporate records, books and accounts;
− to prepare, through the corporate divisions in charge, appropriate administrative and accounting procedures to govern the preparation of the separate and consolidated financial statements and all other communications of a financial nature;
− to confirm, jointly with the Chief Executive Officer, through a report attached to the separate and consolidated financial statements and the abridged interim consolidated financial statements (hereinafter "the documents"):
− the adequacy and effective application of the administration and accounting procedures during the period to which the documents refer;
− that the documents have been drawn up in accordance with the applicable international accounting standards recognised by the European Community pursuant to Regulation (EC) no. 1606/2002 of the European Parliament and of the Council of 19 July 2002;
− the correspondence between the documents, the findings in the books and the accounting entries;
− the suitability of the documents to give a true and fair presentation of the assets, liabilities, profit or loss and financial position of the issuer and the companies included in the scope of consolidation;

− for the separate and consolidated financial statements, that the report on operations contains a reliable analysis of the operating performance and results, as well as the financial position of the issuer and the group of companies included in its consolidation, together with a description of the main risks and uncertainties to which they are exposed;
− for the abridged interim financial statements, that the interim report on operations is a reliable analysis of the significant events that took place in the first six months of the year and their impact on the abridged interim financial statements, and describes the main risks and uncertainties for the remaining six months of the year.

In order to express an overall assessment of the internal control system regarding the financial reporting, the Financial Reporting Manager shall refer to a control model defined in the "Regulation on the Financial Reporting Manager (Italian Law 262/2005)", the contents of which are described in paragraph "8.2 The internal control and risk management system" of this report.

The Group Regulation on the Financial Reporting Manager assigns also specific powers and resources as set out below.

The Financial Reporting Manager is guaranteed the following:

− free access to the accounting information needed for the production of accounting data of Banco BPM, without the need for authorisations;
− the free access to managerial information, linked to events that could significantly influence the performance of Banco BPM;
− the freedom to carry out, through the company divisions in charge, inspections of the company processes that have a direct or indirect impact on the financial reporting;
− the right to interact with the Administrative and Control Bodies;
− the right to exercise his powers with respect to all the Group subsidiaries;
− the guidance and coordination role for the Group companies with regard to administrative and accounting matters and for the financial reporting control systems;
− the power to propose to the Chief Executive Officer, in accordance with the Organisation department, the implementation of projects aimed at improving the administrative accounting structure;
− the power to propose any corrective actions to put in place in view of any organisational shortcomings found in the assessment of the adequacy and actual application of the administrative-accounting procedures and the relative controls.

With regard to the main resources, the Financial Reporting Manager:

− has an adequate group operating structure, specifically for the purpose;
− may use, with regard to the performance of the control tests, internal or external resources;
− may avail of external consultation for accounting, tax or legal-administrative issues, and acquire the professional services needed to carry out the role in accordance with prevailing laws and the budget assigned;
− has the full cooperation and support of the other divisions of the Parent Company and the subsidiaries to carry out the activities needed to comply with legally required duties;
− has an adequate flow of information from the Corporate Bodies, the internal control functions and the other organisational divisions in charge of reporting any anomalies or shortcomings in the procedures found within the scope of their activities, that could have significant impacts on the economic and capital situation of Banco BPM;
− takes part in the board meetings in which the draft annual and interim financial statements are drawn up, and, upon invitation, the meetings in which topics that have significant impacts on the administrative-accounting and financial aspects of the Banco BPM are discussed;
− takes part, upon invitation, in the internal board and Management Committees meetings in which topics that have significant impacts on the administrative-accounting and financial aspects of

Banco BPM are discussed.

If the Financial Reporting Manager believes that the powers and resources given are insufficient or not effective enough to carry out the duties provided by law, he/she must promptly inform the Chief Executive Officer so that this can be promptly referred to the Board of Directors.

If the Board of Directors, in the exercise of supervision or if informed by the Chief Executive Officer, believes that the powers and resources given to the Financial Reporting Manager are insufficient or not effective enough on the basis of prevailing laws, it will increase them.

In accordance with the provisions of Article 154-bis, paragraph 5-ter of Consolidated Finance Law, introduced by Legislative Decree 6 September 2024, the Financial Reporting Manager is the person responsible for issuing, together with the Chief Executive Officer, the statement that the Sustainability Report, included in the Consolidated Management Report, has been prepared i) in accordance with the reporting standards applied pursuant to Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013, and Legislative Decree No. 125 of 6 September 2024, and ii) with the specifications adopted pursuant to Article 8, paragraph 4, of Regulation (EU) 2020/852 of the European Parliament and of the Council, of 18 June 2020. To this end, the powers and means granted to the Financial Reporting Manager to oversee financial reporting, as illustrated above, must be understood to extend to the Sustainability Report reporting process.

8.5 ORGANISATION, MANAGEMENT AND CONTROL MODEL pursuant to Italian Legislative Decree no. 231/01 and relating to the Supervisory Board of Banco BPM

Banco BPM continuously updates its Organisation, Management and Control Model, pursuant to Italian Legislative Decree 231/01 (the "Model"), with a view to transposing any new legislative provisions relating to the predicate offences envisaged by Italian Legislative Decree 231/01, as well as changes to the corporate structure that could impact the model in question.

The Model (with a summary of it, along with the Code of Ethics and other internal regulations, published on the website www.gruppo.bancobpm.it, under Corporate Governance section ) comprises a:

− General Part in which the applicable regulatory framework is summarised and the purpose of the Model is described, along with the adoption, amendment and updating process, the relationships between the Parent Company Model and the Model of the Group companies, the role of the Supervisory Board also within the internal system of reporting violations, the sanctions system, the training and performance of the intercompany services;
− Special Part, which, with reference to all types of offences and crimes that Banco BPM established that it would consider in view of its business activities, identifies the activities at risk and the essential elements that the procedures must possess to reduce the risks. The Special Parts, that constitute "Protocols" for the purpose of the Decree, are completed by the regulatory documents drawn up to define and govern the individual processes typical of the business activities.

In this regard, during 2024, interventions have been carried out to ensure the consistency of the Model with the organizational structure of the bank.

The Banco BPM Parent Company, by adopting an organisational structure that distinguishes it as a substantially and economically unified enterprise, gives guidance on the choices to make to implement the Decree, defining guidelines and frames of reference to adhere to in order to prepare the organisation, management and control models of the Group companies, in accordance with the specific situations relating to the nature, size, type of activity, corporate structure and organisation of the internal delegations of authority.

Within the scope of the management and coordination, the Parent Company provides also the subsidiaries with non-binding instructions on the composition of the respective Supervisory Boards, which constitute the minimum requirements and do not rule out the option for higher standards.

The Supervisory Board, which is vested with the rights and powers of initiative and control as provided under Italian Legislative Decree 231/01, is responsible for monitoring the function and compliance of the Model's provisions, and ensuring it is kept updated.

The choice to identify an appropriately established Supervisory Board and that is not the same as the

Board of Statutory Auditors, is determined by:

− the size and organisational complexity of the company, in view of the "231 risk" profile that can be theoretically attributable;
− the advantages that result from the mixed composition (internal/external) referring on the one hand to the knowledge of the enterprise (therefore, more suitable for identifying and monitoring the applicable areas of risk) and on the other, to the independence of the corporate structure that reinforces the impartiality of the controls and judgements.

The Supervisory Board of Banco BPM will include three members from outside the company and the corporate organisation (one of whom will act as Chairman), a member of the Board of Statutory Auditors (appointed by it) and a Manager of the Internal Control Functions, all of whom will meet the requirements necessary for the position. It currently comprises the following:

− Federico Maurizio d'Andrea (Chairman and member from outside the company);
− Gherardo Colombo (member from outside the company);
− Iole Anna Savini (member from outside the company);
− Silvia Muzi (in her position as a member expressly authorised by the Board of Statutory Auditors);
− Andrea Alessandri (internal member, in his position as the Internal Audit Manager).

The Parent Company Board will also have the following functions in addition to those provided for under Legislative Decree 231/01:

− the coordination and guidance of the activities aimed at the application of the Model within the scope of the Group companies to ensure correct and uniform implementation;
− the right to ask the Group companies' Bodies to carry out specific control actions in order to ensure that the Model is adopted and effective.

Finally, with regard to the company's strategy, approach, processes and procedures, as well as its performance relating to the conduct of the company, including corporate ethics and culture and the management of relationships with suppliers and third parties (ESRS G1 - Par. 1, 2), please refer to the Sustainability Reporting, Section "Governance Disclosures", Paragraphs 'Policies regarding corporate culture and business conduct'; 'Actions relating to the management of IROs in relation to corporate culture and business conduct', 'Prevention and detection of corruption and bribery and ascertained cases of corruption and bribery' and 'Management of relationships with suppliers and metrics relating to payment practices'.

8.6 THE INVESTOR RELATIONS DEPARTMENT

The mission of the Investor Relations Department is described below, along with the activities carried out in 2024 and the organisational structure of the Department.

Mission of the Investor Relations Department

The Investor Relations Department, whose reporting is directly to the Co-General Manager CFO, Edoardo Ginevra, is aimed at coordinating relations between the Group and institutional individuals of the financial market, analysing the Group's positioning in the banking system and business sectors of interest.

The main responsibilities of the Department can be summarised as follows:

− to ensure the relations and the management of the financial information flows of the Group with the shareholders, the institutional financial community (financial analysts and institutional investors in both the equity and fixed income markets) and credit rating agencies, in order to publish, in a transparent, continuous prompt and symmetric manner, information relating to the strategies, activities, ESG matters, results and prospects of the Group, also through taking part in the main financial events (banking conferences and other industry events), and organisation of specific events (e.g. roadshows, post-results conference calls/video calls, etc.);
− to ensure monitoring of the information, valuations the income predictions and recommendations

on the securities disclosed by the operators (analysts of the equity markets, fixed income and credit rating) on Banco BPM as well as the expectations and the perception of the market in relation to our Group, more in general;

− to coordinate periodic financial analyses of the banking sector and benchmarking analyses.

Investor Relations activities in 2024

As part of its ordinary relations activities with institutional stakeholders in the financial market, in 2024 the Investor Relations team planned, managed and implemented a total of 192 events, meetings and calls, in some cases also involving the Group's top management. This activity has made it possible to interact with 759 investment companies, financial analysis firms (both in the stock market and in fixed income), credit rating agencies and other institutional entities. Of these events, 9 with a total of 48 parties attending, focused specifically on ESG issues 28.

	No. of events	% of the total	No. of companies Met	% of the total
Industry conferences (stock market)	4	2.1%	108	14.2%
Industry conferences (fixed income market)	11	5.7%	103	13.6%
Roadshows & Reverse Roadshows (stock market)	7	3.6%	101	13.3%
Roadshows & Reverse Roadshows (fixed income market)	6	3.1%	37	4.9%
Other individual and/or group meetings, telephone conferences and video conferences (stock market)	132	68.8%	337	44.4%
Other individual and/or group meetings, telephone conferences and video conferences (fixed income market)	16	8.3%	18	2.4%
Meetings with exclusive ESG focus	9	4.7%	48	6.3%
Meetings/calls with credit rating companies	7	3.6%	7	0.9%
Total	192	100%	759	100%

Presentations to the financial market in conference calls/webcasts 4

During the year, 4 telephone conferences with audio webcasts took place, during which top management presented the Group's financial performance to the market (results as at 31 December 2023, 31 March 2024, 30 June 2024 and 30 September 2024) as well as the Take Over Bid on Anima

²⁸ Includes meetings with exclusively ESG-focused. It should also be noted that it is not unusual for ESG issues to be addressed also in events or meetings without a specific ESG focus or for ESG funds to participate in events or meetings with an exclusively financial focus; nevertheless, these cases are not included in this count, as they are difficult to define.

Holding.

On the stock market front, the Group participated in 4 industry conferences and 7 Roadshows and Reverse Roadshows organised by leading research and brokerage companies. Together, these resulted in meeting 209 counterparties, equal to 27.5% of the total reached overall during the year.

In the fixed income market, Banco BPM participated in 11 industry conferences and 6 Roadshows and Reverse Roadshows, meeting 140 counterparties (18.5% of the total).

The remaining 54.0% of the institutional parties involved had the opportunity to dialogue with the Group on a further 164 occasions (meetings and/or calls, individually and/or as a group). These included 7 Meetings with credit rating agencies including 5 representatives of the Annual Review Meeting.

It should be noted that these figures do not include regular contacts which, during the year, the Investor Relations department manages with investors, analysts and Credit Rating companies.

On a quarterly basis, the Investor Relations department reports to the Board of Directors on the above-mentioned ordinary relations with the institutional interlocutors of the financial market, reporting, inter alia, on the issues dealt with29 and the feedback received.

It should also be noted that, in 2024, no meetings were held as part of the procedures set out in the Shareholder-Director Engagement policy (the policy for the management of dialogue by the BoD or its members with the generality of the Banco BPM shareholders).

Organisation of the Investor Relations Department

As of January 2024, the responsibility of the Investor Relations Department was transferred from Roberto Giancarlo Peronaglio to Edoardo Ginevra ad interim, Co-General Manager CFO; subsequently, from July 2024, this responsibility was assigned to Arne Riscassi.

Furthermore, since December 2024, the Department has benefited from a review of the organizational structure of the internal structures, which is now as follows:

Equity Investor Relations & Benchmarking: Manager Manuela Montagner
Fixed Income and ESG Investor Relations & Credit Rating Agencies: Manager Silvia Leoni;

Institutional investors, financial analysts and credit rating agencies may contact the members of the Investor Relations Department at the following telephone numbers +39 02 94772108 and +39 045 8675613, and by email at [email protected] (email address of the work group).

For further information, please refer to the "Investor Relations" section on the website of the Banco BPM Group (www.gruppo.bancobpm.it).

8.7 DIRECTORS' INTERESTS AND TRANSACTIONS WITH RELATED PARTIES

In compliance with the provisions of the Code of Corporate Governance (in force from 1 January 2021), Banco BPM has adopted measures aimed at ensuring that the representative, on his/her own behalf or on behalf of third parties, who has an interest in a given transaction of the company, promptly and exhaustively informs the other members of the same body and the Chairman of the administrative body regarding the nature, terms, origins and extent of his/her interest, guaranteeing respect for the criteria of substantive and procedural fairness.

To that end, Banco BPM approved the "Application rules on the concept of related parties in accordance with international accounting standard IAS 24", which applies to Banco BPM and all the Group companies. The above-mentioned "Application rules" establish that within the scope of the Banco BPM Group, the definition of "related party" provided by IAS 24 is used, and they define the operating criteria for the identification of the related parties.

With reference to the provisions of the Bank of Italy to draw up separate and consolidated financial

²⁹ During 2024, the main topics dealt with concerned: the Group's strategy and perspectives (with specific reference to the 2023-2026 Strategic Plan), activities, ESG issues and results for 2023 and 2024, as well as extraordinary transactions. See also paragraph 9 for further details.

statements for banks, issued by order dated 22 December 2005, specific information is given on the transactions with Related Parties in accordance with the definition of IAS 24, also with reference to the remuneration of executives with strategic responsibilities, lending and guarantees and other transactions in the applicable section of the Explanatory Notes to the separate and consolidated financial statements. For greater detail, please refer to the above-mentioned section of the Explanatory Notes.

In relation to the provisions of article 2391-bis of the Italian Civil Code, CONSOB adopted, through resolution no. 17221 of 12 March 2010, and subsequent amendments and additions, a "Regulation containing provisions on transactions with related parties" (hereinafter the "CONSOB Regulations") governing the procedures and rules of transparency that transactions with Related Parties are subject to. The regulation sets out the principles that Italian companies with listed shares on Italian regulated markets have to comply with in order to ensure transparency and substantial and procedural fairness in the transactions with Related Parties, carried out directly or through subsidiaries.

In relation to the provisions of art. 53 of the Consolidated Banking Law, Bank of Italy regulated by Circular no. 285/2013, and subsequent amendments and additions, the regulations to be applied to transactions involving risk activities and conflicts of interest with regard to connected persons (hereinafter the "Bank of Italy Regulations").

It should also be noted that in regards to transactions with connected persons, by means of the official document of the 35th update of Title V, Chapter 1 of the First Part of Bank of Italy Circular no. 285/2013, said Bank of Italy also put in place the obligation for banks to comply with the provisions of article 88, sub-section 1, paragraphs 4 and 5 of (EU) Directive 2013/36 (CRD), as amended by (EU) Directive 2019/878 (CRD V), regarding loans to representatives and their related parties. Banks are required to comply with the Supervisory Provisions within six months of the entry into force (which took place on 30 July 2021), i.e. by 30 January 2022. In particular, article 88 of Directive CRD V (i) introduced the specific obligation of providing, at the request of the Supervisory Authorities, documentation relating to the loans granted to members of the management body or their related parties and (ii) made provision for a new definition of related party, with the latter taken to mean:

"a) the spouse, registered partner pursuant to national law, the child or parent of a member of the management body;

b) a commercial entity in which a member of the management body or one of his/her close relatives pursuant to letter a) has a qualified holding equal to or greater than 10% of the capital and voting rights of said entity or over which said persons can exercise significant influence or in which said persons occupy management positions or are members of the management body."

The official document requires the appropriate actions involving connection with the provisions governing transactions with related parties ("Risk activities and conflicts of interest vis-à-vis connected persons" pursuant to the Third Part, Chapter 11 of Bank of Italy Circular no. 285) to be evaluated in conjunction with the launch of an organic update to the Supervisory Provisions, which will be subject to public consultation.

Lastly, the regulations on the obligations of bank representatives pursuant to art. 136 of the Consolidated Banking Law and the interests of directors (art. 2391 of the Italian Civil Code) become relevant.

In compliance with the aforementioned regulatory provisions (CONSOB Regulations; Bank of Italy Regulations; art. 88 CRD V Directive; art. 136 of the Consolidated Banking Law; art. 2391 of the Italian Civil Code), which involve:

− Banco BPM and all employees and non-employed staff of all Group companies (not only those falling within the category of "identified staff",
− the subsidiaries of Banco BPM, pursuant to art. 2359 of the Italian Civil Code,

Banco BPM has continuously updated its internal regulations on the matter; more in detail, with effectiveness starting from 19 December 2023, has lastly adopted a "Regulation on the management of transactions with parties in conflict of interest" (hereinafter the "Regulation"), which, to give greater organic consistency and harmonization, includes a single all-encompassing regulation on the following matters:

(i) obligations of bank representatives referred to in art. 136 of Italian Legislative Decree 385/1993 ("Consolidated Banking Law");
(ii) Procedures to Govern Related Party Transactions pursuant to CONSOB Resolution no. 17221/2010 and
(iii) procedures and control policies on risk activities and conflicts of interest with regard to connected persons pursuant to Bank of Italy Circular no. 285/2013, first governed by three separate internal documents that were simultaneously abrogated.

The purpose of the Regulation is to guard against the risk of potential conflicts of interest that may compromise the objectivity and impartiality of decisions, particularly in relation to the granting of loans or other transactions, vis-à-vis persons close to the decision-making centres, by preserving the integrity of the investigative processes dealt with by the three previous separate regulations, which were repealed.

Specifically:

with regard to the Bank of Italy regulations pursuant to Circular no. 285 of 17 December 2013 and the CONSOB regulations pursuant to Resolution no. 17221 of 12 March 2010: the Regulation, in regulating the principles, roles and responsibilities aimed at preserving the integrity of decision-making processes in transactions with related parties and connected persons, defines the preliminary and decision-making procedures applicable to transactions with related parties and connected persons, containing, between the other:
- (i) the criteria for the registration of persons in potential conflict of interest;
- (ii) the criteria for the recognition of transactions (of greater or lesser importance), providing for the traceability of the same — through the feeding of a specific IT Register — in all phases (preliminary investigation, negotiation and resolution) in order to guaranteeing its constant monitoring as well as, where envisaged, the involvement of the Committee of Independent Directors (Related Parties Committee);
- (iii) the procedure to be followed in the case of transactions subject to waiver/exemption, including the criteria for verifying the existence or otherwise of significant interests of other related parties/connected persons with reference to transactions with or between/through companies, even indirectly, controlled or subject to significant influence;
- (iv) the safeguards to be applied to transactions concluded when they involve staff or result in losses, write-offs, judicial or extrajudicial settlements;
- (v) the controls to be applied to the various corporate components of the Group;
with particular specific focus on the Bank of Italy regulations pursuant to Circular no. 285 of 17 December 2013, the Regulation defines the internal policies on controls on risk activities and on conflicts of interest with regard to connected persons – in addition to what is already governed by specific regulations on integrated internal control systems – aimed, among other things, to:
- (i) identify transactions, including those other than those involving the assumption of "risk assets", in relation to which potential conflicts of interest may arise;
- (ii) set prudential limits, consolidated and individual, to the assumption of risk assets with respect to the same set of connected persons as well as to establish levels of risk appetite consistent with the strategic profile and organisational characteristics of the Bank or of the Group;
- (iii) establish and regulate control processes to ensure the proper measurement and management of risks to connected persons and to verify the proper design and effective application of policies;
- (iv) provide for suitable information flows to the Board of Directors, the Board of Statutory Auditors and the Related Parties Committee on the transactions concluded, in order to ensure a high and constant monitoring of compliance with the provisions of the Regulation;

(v) quarterly monitoring, by the Related Parties Committee, of the information flows on transactions carried out with related parties in order to ensure compliance with the prudential limits set by Circular 285 as well as the management limits identified by Banco BPM referring to the totality of exposures to all related parties;
with regard to the areas of application of art. 136 of the Consolidated Banking Law on the obligations of bank representatives and art. 2391 of the Italian Civil Code on the interests of directors, the Regulation envisages specific obligations for the representatives concerned (Director, Statutory Auditor, and if appointed, General Manager, Co-General Managers etc.) to make a timely declaration to the Board of Directors about the interests they may have in a given transaction. In addition, on the relevant operations in accordance with the art. 136 of the Consolidated Banking Law, the Regulation provides that the obligations that representatives enter into, directly or indirectly, with banks are to be resolved by the Board of Directors unanimously (vote in favour of all those present at the validly constituted meeting with the exception of the interested party) and with the vote in favour of all members of the Board of Statutory Auditors regardless of the amount, subject to the exclusion from voting of the interested party. The Board of Statutory Auditors vote in favour assumes that the transaction does not conflict with the criteria of sound and prudent management and is settled at arm's length.
With regard to art. 88 CRD V, the Regulation, pending the aforementioned adaptation, regulates the census and identification in the information system of the persons concerned.

The "Regulation on the management of transactions with parties in conflict of interest" can be found on Banco BPM's website (www.gruppo.bancobpm.it - "Corporate Governance" section).

In addition, Banco BPM, in order to avoid any situations of incompatibility, while maintaining the compatibility of the interests of the representatives with the interests of the company, by means of a resolution of the Board of Directors of 17 October 2017, adopted a company policy that prohibits, apart from any exceptions that must be authorised by the Board of Directors of the Parent Company, the engagement of any Board members and the members of the Board of Statutory Auditors of the Parent Company and the subsidiaries to carry out professional services, both directly or through professional firms where the representative is a partner, associate or co-owner. This policy was prompted by CONSOB Communication no. 8067632 of 17 July 2008, which provided an interpretation of article 148, paragraph 3, letter c), of the Consolidated Law on Finance, regarding the disqualification of members of the Control Body in listed companies and expanded the subjective range of application to also include the members of the Board of Directors of the Group companies.

On 14 July 2020, the Board of Directors extended the aforementioned policy, including not only the prohibited assignment of professional engagements but also those of a non-professional nature (i.e. direct contracts for the supply of goods or services, such as, for example, supply contracts, tender contracts or service agreements), relating directly or indirectly to company representatives.

9 RELATIONS WITH SHAREHOLDERS AND THE FINANCIAL COMMUNITY

The Banco BPM Group pays close attention to the continuous management of relations with shareholders, institutional investors and other relevant stakeholders in the national and international financial community (financial analysts and credit rating agencies in the first place), and to guarantee the regular and systematic disclosure of qualified, complete, prompt and symmetric information on Group strategy and perspectives, operations ESG matters, results and eventual extraordinary transactions, also in the light of indications provided by CONSOB, the principles expressed in the Code of Corporate Governance and in national and international best practices.

The establishment and maintenance of constant relations with the generality of shareholders and other relevant stakeholders in the financial community, through forms of dialogue and engagement that are correct and specific, contribute to ensure transparency and symmetrical information and continuous attention to the Bank's governance issues, with a view to fostering the creation of value in the medium to long term.

Relations with retail shareholders and the institutional financial community are carried out by separate specialised divisions with adequate resources and professional competence.

Within the scope of the Corporate Affairs Secretariat Department, in fact, a team provides specific assistance to shareholders, takes care of activities related to the organisation of company meetings and,

in particular, manages relations with retail shareholders.

This line of communication transparency includes also cooperation in the setting up and the timely and due updating of the pertinent information on the website www.grupppo.bancobpm.it under Corporate Governance - Shareholders' Meeting section, and in cooperation with the Investor Relations Department, under Investor Relations - Banco BPM Stock, Shareholder Base and Dividends section of the corporate website. This reporting channel reflects both the Company's attention to international best practices regarding investor relations and the need to comply with the requirements of regulations on corporate disclosures.

The website (available in both Italian and English) provides updated information on the structure and governance of the Group, shareholders' meetings, the ownership structure and dividends, as well as share performance, press releases, financial statements and presentations of the results, strategic plans and extraordinary transactions credit ratings, prospectuses concerning securities issued by the Banco BPM Group etc.. In this way the website is where the financial community and stakeholders in general can find numerous opportunities for information and dialogue with the Company within the framework of constant, consistent and complete communication.

Retail shareholders can contact the dedicated team by writing to the certified email address [email protected], or the ordinary email address [email protected] or by contacting the free phone number 800.013.090, as indicated on the "Contacts" page of the Corporate Governance section.

Contacts with institutional investors, financial analysts and the credit rating agencies are followed by the Investor Relations Department; for more details, please refer to the applicable paragraph.

Finally, with regard to the sustainability topics relating to stakeholder engagement (ESRS 2 - par. 43, 45; ESRS 2 - Appendix A - RA 16), please refer to the Sustainability Reporting, Section "General Disclosures", Paragraph "Stakeholder Engagement Activities".

Shareholder-Director Engagement: direct dialogue between shareholders and the BoD

In addition to the methods through which, via the competent corporate functions, in particular, the Investor Relations department and, as regards retail relations, the Corporate Affairs Secretariat, the Bank interacts on a continuous basis with shareholders, investors and the financial community in general, Banco BPM, by means of board resolution of 23 November 2021, has adopted the "Regulation governing the management of dialogue with shareholders", drafted in accordance with the provisions of the 35th update to Bank of Italy Circular no. 285 of 17 December 2013 and the recommendations in the Code of Corporate Governance.

This Regulation governs the dialogue by the Board of Directors or its members with the generality of Banco BPM's shareholders, meaning, and according to the definitions in force from time to time, institutional investors, asset managers and their trade associations, holders of shares issued by the Bank, potential shareholders, voting advisors or proxy advisors.

The topics under discussion include: matters within the Board of Directors' area of competence, including corporate strategies, financial and non-financial results, capital structure, corporate governance, social and environmental impact, the internal control and risk management system and remuneration policies (so-called "Shareholder-Director Engagement" or "S-DE").

Dialogue with shareholders can take place at their written request (so-called reactive engagement) or on the Bank's initiative (proactive engagement). In deciding whether to accept or formulate a S-DE request, according to which methods (two-way or one-way, bilateral or collective) and under which conditions, the Bank takes account of various factors including respect for legislative, regulatory or selfregulation limits (in particular regarding market abuse), the significance of the topics, the potential interest of the matter for shareholders and/or the market, the dimensions and characteristics of the investors concerned and their foreseeable approach, taking into account their policies of responsibility as well as the presence of any situations of any conflicts of interest.

The acceptance or any rejection of the S-DE request are communicated in writing to the applicant by a Focal Point S-DE comprised of the Head of the Investor Relations department and the Secretary of the Board of Directors of Banco BPM.

If the S-DE request comes directly from one or more members of the Board of Directors, the latter

communicate it, also informing the Focal Point S-DE of it, to the Chairman of the Board of Directors who, together with the Chief Executive Officer, takes the relevant decisions according to the provisions of the aforementioned Regulation.

Only the topics taken from those within the competence of the Board of Directors can be discussed during the meetings, which have been presented and agreed in advance; no relevant, privileged or, nonetheless confidential information concerning the Bank or the Group may be disclosed, unless within the limits and according to the methods permitted by the regulations in force.

Based on prior evaluation by the Chairman, together with the Chief Executive Officer, regarding any involvement in the S-DE of other Bank Directors or other entities, such as the Co-General Managers or other Group executives and any external advisors, the following normally take part in the S-DE activities, by managing the associated dialogue:

− the Chairman of the Board of Directors, in agreement with the Chief Executive Officer, if the proposed topics deal with corporate governance issues (such as the appointment, size, composition, responsibilities and functioning of corporate bodies) or the internal control system;
− the Chief Executive Officer, in agreement with the Chairman of the Board of Directors, if the topics are about business strategies, the financial and non-financial results, the capital structure, the social and environmental impact, the remuneration policies or risk management.

The Board of Directors is informed, normally by the next meeting, on the development and significant contents of the S-DE's activities. The Board of Statutory Auditors is also informed on said occasion.

Finally, it should also be noted that, in 2024, no meetings were held as part of the procedures set out in the Shareholder-Director Engagement policy (the policy for the management of dialogue by the BoD or its members with the generality of the Banco BPM shareholders).

The aforementioned regulation is available on the institutional website www.gruppo.bancobpm.it; S-DE requests can be sent to the e-mail address [email protected] or sent to the Group's Corporate Affairs Office, Piazza Filippo Meda 4, 20121 Milan.

Milano, Italy, 13 March 2025

ANNEX 1: List of the positions of administration, management or control held by the members of the Board of Directors in other listed, financial, banking, insurance or significantly sized companies, pursuant to the "Regulation on the Limits to the number of offices" adopted by Banco BPM.

Surname and Name	Company	Position held
TONONI MASSIMO	Zambon S.p.A.	Director
(Chairman)
COMOLI MAURIZIO (Vice Chairman)	Mirato S.p.A. Mil Mil 76 S.p.A.	Chairman of the Board of Statutory Auditors Chairman of the Board of Statutory Auditors
	DEA Capital S.p.A. Herno S.p.A. Montura S.r.l.	Chairman of the Board of Statutory Auditors Standing Auditor Standing Auditor

CASTAGNA GIUSEPPE (Chief Executive Officer)	None	N/A
ANOLLI MARIO (Director)	Vera Vita S.p.A.	Director
BOCCARDELLI PAOLO (Director)	BDV Consulting S.r.l.	Chairman of the BoD
BORDOGNA PAOLO	Bracca S.p.A.	Director
(Director)	Fonti Pineta S.p.A.	Director

FARUQUE NADINE FARIDA (Director)	Lottomatica Group S.p.A.	Director
FERRETTI PAOLA (Director)	Nessuna	N/A
MANTELLI MARINA	Banco BPM Vita S.p.A.	Director
(Director)	Vera Vita S.p.A.	Director

MIO CHIARA	Sofidel S.p.A.	Director
(Director)	Aquafil S.p.A.	Chairman of the BoD
	OVS S.p.A.	Director

OLIVETI ALBERTO	REAM SGR S.p.A.	Director
(Director)	Garofalo Health Care S.p.A.	Director
PAOLONI MAURO	Banca Akros S.p.A.	Chairman of the BoD
(Director)	Oaklins Italy S.r.l.	Chairman of the BoD
	Unione Fiduciaria S.p.A.	Director
	Connect – Ingegneria e Digitalizzazione	Sole Statutory Auditor

ROSSETTI EUGENIO (Director)	Tinexta S.p.A.	Director
	Ascertia Limited	Director
	ABF Group S.A.S.	Director
SOFFIENTINI MANUELA (Director)	Electrolux Appliances S.p.A.	Chairman of the BoD and CEO

Electrolux Italia S.p.A. Brembo S.p.A.

Prevention for you S.r.l. Sole Director

Chairman of the BoD Indipendent Director

TAURO LUIGIA (Director)

ANNEX 2: List of the administration, management or control positions held by the members of the General Management in other listed, financial, banking, insurance or significantly sized companies, pursuant to the "Regulation on the Limits to the number of offices" adopted by Banco BPM.

Surname and Name	Company	Position held
DE ANGELIS DOMENICO (Co-General Manager CBO)	Banca Aletti S.p.A.	Director
EDOARDO MARIA GINEVRA (Co-General Manager CFO)	Agos Ducato S.p.A. Gardant Liberty Servicing S.p.A.	Director Chairman of the BoD

ANNEX 3: List of the administration, management or control positions held by the members of the Board of Statutory Auditors in other listed, financial, banking, insurance or significantly sized companies, pursuant to the "Regulation on the Limits to the number of offices" adopted by Banco BPM.

Surname and Name	Company	Position held
PRIORI MARCELLO (Chairman)	Banco BPM Vita S.p.A.	Chairman of the Board of Statutory Auditors
	Vera Vita S.p.A.	Chairman of the Board of Statutory Auditors
	Banca Aletti S.p.A.	Standing auditors
	Vista Vision S.r.l.	Chairman of the BoD

DE NUCCIO ELBANO (Sindaco effettivo)	Acquedotto Pugliese S.p.A.	Chairman of the Board of Statutory Auditors
	Cestaro & Rossi S.p.A.	Chairman of the Board of Statutory Auditors
	F.lli De Cecco di Filippo S.p.A.	Chairman of the Board of Statutory Auditors
LAURI MAURIZIO (Sindaco effettivo)	Officine CST S.p.A.	Chairman of the Board of Statutory Auditors
	ACEA S.p.A.	Chairman of the Board of Statutory Auditors
	Tirreno Power S.p.A.	Standing Auditors
MUZI SILVIA (Sindaco effettivo)	RAI WAY S.p.A.	Chairman of the Board of Statutory Auditors
	A2A	Chairman of the Board of Statutory Auditors
	Banco BPM Invest SGR S.p.A.	Standing Auditors
	Banca Aletti S.p.A.	Standing Auditors
	Esprinet S.p.A.	Chairman of the Board of Statutory Auditors
VALENTI NADIA (Sindaco effettivo)	Banca Akros S.p.A.	Standing Auditors
ANTONELLI SARA	Mondo TV S.p.A.	Standing Auditors
(Sindaco supplente)	ENVENT Italia SIM S.p.A.	Chairman of the Board of Statutory Auditors
	Logista Retail Italia S.p.A.	Standing Auditors
	Tecne Gruppo Autostrade per l'Italia S.p.A.	Standing Auditors
	Free to X S.r.l.	Standing Auditors
	Free to X S.p.A.	Standing Auditors
	BIG SB S.p.A.	Standing Auditors
	Clinical Trial Center S.p.A.	Standing Auditors
	ELGEA S.p.A.	Standing Auditors
	Energy Ecclesiae S.r.l.	Standing Auditors
	NEXT S.p.A.	Standing Auditors
	Bologna & Fiera Parking S.p.A.	Standing Auditors

SCANDURRA MARINA	Italia Trasporto Aereo S.p.A.	Chairman of the Board of Statutory Auditors
(Sindaco supplente)	Investimenti Immobiliari Italiani SGR S.p.A.	Standing Auditors
	Edison Next Government Napoli Scarl	Chairman of the Board of Statutory Auditors
	Tecnoservizi S.r.l.	Sole Auditor
	Mariconsult S.p.A.	Sole Auditor
	GEMSA Solar S.r.l.	Sole Auditor
	Ravenna 1 FTV S.r.l.	Sole Auditor
	Vivaro FTV	Sole Auditor
	FV4P S.r.l.	Sole Auditor
	ACEA ATO 5 S.p.A.	Standing Auditor
	Daimler Truck Financial service Italia S.p.A.	Standing Auditor
	RAI Pubblicità S.p.A.	Standing Auditor
	Transmed S.p.A.	Standing Auditor
	Aerospace Logistics Technology Engineering Company S.p.A.	Standing Auditor
	Luce Neapolis S.r.l.	Standing Auditor
TAGLIAFERRI MARIO (Sindaco supplente)	Kilometro Rosso S.p.A.	Chairman of the Board of Statutory Auditors
	Alto Robotics S.p.A.	Chairman of the Board of Statutory Auditors
	Consorzio.it S.p.A.	Chairman of the Board of Statutory Auditors
	Crema Diesel S.p.A.	Chairman of the Board of Statutory Auditors
	Brembo SGL Carbon Ceramic Brakes S.p.A.	Chairman of the Board of Statutory Auditors
	Interpump Group S.p.A.	Standing Auditor
	Marsilli S.p.A.	Standing Auditor
	TMC Transformers S.p.A.	Standing Auditor

AI Terminal

Banco BPM SpA

4282_cgr_2025-04-01_b773b619-38e2-4705-869e-9b586a46b11e.pdf

REPORT ON CORPORATE GOVERNANCE AND OWNERSHIP STRUCTURES

INTRODUCTION

EXECUTIVE SUMMARY

CORPORATE GOVERNANCE MODEL

Shareholders' Meeting

Board of Directors

Board of Statutory Auditors

Board of Directors

Board of Directors statistics

Meetings of the Board of Directors

Board of Statutory Auditors

Internal Board Committees

THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM

Internal control functions

ENVIRONMENTAL, SOCIAL AND GOVERNANCE (ESG)

1 PROFILE OF THE ISSUER

UPDATE OF THE STRATEGIC PLAN

MAIN AMBITIONS IN THE FIELD OF ESG SUSTAINABILITY

SUSTAINABILITY REPORTING

The Corporate Governance Plan

2 INFORMATION ON THE OWNERSHIP STRUCTURE (pursuant to article 123-bis, paragraph 1, of the Consolidated Law on Finance)

Stakes held in Numia Group S.p.A.

3 COMPLIANCE (pursuant to article 123-bis, paragraph 2, letter a), first part of the Consolidated Law on Finance)

4 MANAGEMENT AND COORDINATION: the role of the Parent Company and the Banco BPM Group

BANKING GROUP

FINANCIAL CONGLOMERATE

5 SHAREHOLDERS' MEETING

Auditors;

6 BOARD OF DIRECTORS

6.1 APPOINTMENT, REPLACEMENT AND COMPOSITION OF THE BOARD OF DIRECTORS

Qualitative-quantitative composition of the Board of Directors

Qualitative composition: individual eligibility requirements of Directors

Professionalism requirements

Competence criteria

Required profiles of the particularly significant roles on the Board

Chairman of the Board of Directors

Vice Chairman of the Board of Directors

Chief Executive Officer (CEO)

Aptitude requirements

Integrity requirements

Fairness criteria

Availability of time and commitment required of the Directors

Limit to the accumulation of external positions

or

b) 4 non-executive positions.

alternatively,

Independence pursuant to the By-Laws and Independence of judgement

Guidelines regarding diversity

Overall suitability of the Board of Directors

Board induction/continuous training activities

Succession plans

• Chief Executive Officer of Banco BPM Assicurazioni

a - Expiry of the mandate granted to the Chief Executive Officer

The table below provides information on the composition of the Board of Directors as indicators of diversity.

6.2 ROLE OF THE BOARD OF DIRECTORS

Self-assessment document of the Board of Directors and its Committees for the year 2024

6.3 MEETINGS

General criteria

Number of meetings and attendance

Prior information

Procedures for the meetings and taking minutes

6.4 INDIVIDUAL BODIES

Chief Executive Officer

Co-General Managers

6.5 INTERNAL COMMITTEES OF THE BOARD OF DIRECTORS

Appointments Committee

Committees;

Remuneration Committee

Internal Control and Risk Committee

requirements referred to in art. 20.1.6. of the By-Laws.

Sustainability Committee

recommendations;

Related Parties Committee

6.6 REMUNERATION

6.7 INDEPENDENT AND NON-EXECUTIVE DIRECTORS

Independent directors

"20.1. – Composition, number and requirements