mBank S.A.

Board/Management Information • Mar 1, 2025

Enclosure 4 to Supervisory Board Resolution 334/23 dated 21 September 2023

Rules of the IT Committee of the Supervisory Board of mBank S.A.

§ 1

The tasks of the IT Committee include among others, the following:

• 1. to support regular supervision of the IT and IT security of the Bank;
• 1. to analyse the periodic reports for the Supervisory Board regarding IT and IT security;
• 1. to present to the Supervisory Board conclusions from the analysis of the periodic reports on IT and IT security;
• 1. to recommend to the Supervisory Board approval or disapproval of IT and cybersecurity strategy of the Bank, as well as any amendments thereto;
• 1. to monitor execution of IT Strategy Roadmap and implementation of Strategic IT Initiatives; and
• 1. to monitor effectiveness of IT operational risk management system, IT security and IT governance.

§ 2

• 1. The IT Committee is composed of 3 to 4 members, including the Chairperson.
• 1. The IT Committee elects the Chairperson among its members.
• 1. The Chairperson of the IT Committee coordinates the work of the Committee and is authorised to accept and issue statements on behalf of the IT Committee.

§ 3

The IT Committee acts in line with the following rules:

• 1. The Committee holds meetings as and when necessary, but at least twice a year.
• 1. The meetings of the Committee are convened by the Chairperson of the Committee on his/her own initiative, at the request of a member of the Committee or other member of the Supervisory Board.

• 1. Should the Chairperson be unable to attend the meeting of the IT Committee, he or she is substituted by the member of the Committee designated by the Chairperson.
• 1. All the members of the Committee should be invited to the meeting, notified of the agenda planned for the meeting, and receive a complete set of materials intended for consideration at the meeting in adequate advance before the date of the meeting.
• 1. The Chairperson of the IT Committee is authorized to invite other persons to attend a meeting of the Committee, including Management Board members, in particular member of the Management Board responsible for operations and IT.
• 1. The IT Committee shall make decisions (containing recommendations and opinions) by a simple majority of votes at the meeting, provided that at least half of the members of the Committee are present and all the members were notified of the meeting. In the case of an equal number of votes for and against, the Chairperson of the Committee has a casting vote.
• 1. Members of the IT Committee may also attend meetings using means of direct remote communication, ensuring communication in real time between all the participants as well as the possibility to identify all participants of the meeting, while maintaining safety rules adopted in the Bank. Such a fact should be recorded in the minutes of the Committee meeting.
• 1. The course of the IT Committee meeting may be recorded (only sound or sound and video). The recording shall exclusively be used to prepare the minutes of the IT Committee meeting and shall be permanently deleted after its approval by the Members of the IT Committee.
• 1. Notwithstanding provisions of sections 1 to 7, the IT Committee may also make decisions under written procedure or by using means of direct remote communication. The decision shall be effective if all Members of the Committee have been informed of the contents of the draft decision and at least half of the Members of the Committee have taken part in the decision. In case of voting in writing, when putting a matter to the vote the Chairperson of the Committee sets a deadline for the casting of votes .
• 1. Decisions of the IT Committee are signed by the Chairperson of the Committee. In the absence of the Chairperson of the Committee, the decision shall be signed by a member of the Committee designated by the Chairperson of the Committee.
• 1. The IT Committee submits an annual report on its activities to the Supervisory Board. The IT Committee provides the Supervisory Board, with information on the supervisory activities undertaken and the results thereof.
• 1. The Chairperson of the Supervisory Board regularly takes part in meetings of the IT Committee as a guest, unless s/he is its member.

§ 4

1. Minutes are taken at every meeting of the Committee in writing or in a form equivalent to writing. The minutes should include at least full names of the Committee members present and persons attending the meeting, a clear description of items on the agenda, course of the discussion, findings, agreed

actions and decisions made, number of votes for each decision and any comments or dissenting opinions. The minutes are signed by the Chairperson of the Committee and by the employee of the competent unit providing support to the IT Committee who is present at the meeting.

• 1. The minutes shall be subject to approval by the members of the IT Committee taking part in the meeting. Members of the Committee shall be given the opportunity to examine and comment on the minutes documenting the meeting before their approval. Comments not taken into account and dissenting opinions shall be noted together with the reasons for not taking them into account.
• 1. The minutes of the Committee meeting are submitted to the Supervisory Board.