COURTESY TRANSLATION

INFO DISTRICT 2000

CY4GATE S.p.A.

Tax code and VAT number 13129151000

Registered office in Rome (RM) - Via Coponia no. 8

Registered with the Rome Chamber of Commerce - R.E.A. number RM-1426295

Rome Companies Register no. 13129151000 Share capital €1,441,499.94 fully paid up

Report of the Board of Statutory Auditors to the Shareholders' Meeting (Article 153 of Legislative Decree No. 58/1998 and Article 2429(2) of the Civil Code)

1. Introduction: legislative, regulatory and ethical sources

This report (hereinafter the "Report") sets out the supervisory activities carried out by the Board of Statutory Auditors of CY4GATE S.p.A. (hereinafter also the "Company" or "CY") in accordance with the provisions of the law (Article 149 of the Consolidated Law on Finance and Article 2429 of the Italian Civil Code), taking into account the Code of Conduct for the Boards of Statutory Auditors of listed companies issued by the National Council of Chartered Accountants and Accounting Experts, the recommendations of Consob regarding corporate controls and the activities of the Board of Statutory Auditors (see Communication No. DEM 1025564 of 6 April 2001 and subsequent amendments and additions), as well as the guidelines contained in the Corporate Governance Code promoted by Borsa Italiana. Furthermore, as CY4GATE S.p.A. has adopted the traditional governance model, the Board of Statutory Auditors is identified with the "Internal Control and Audit Committee", which is responsible for additional specific control and monitoring functions relating to financial reporting and statutory audit, as provided for in Article 19 of Legislative Decree No. 39 of 27 January 2010, as amended by Legislative Decree No. 135 of 17 July 2016.

The statutory audit duties, pursuant to Legislative Decree 39/2010, have been assigned to the audit firm KPMG S.p.A. ("KPMG" or "Audit Firm"), appointed by the Shareholders' Meeting of 27 April 2023 for the nine-year period 2023-2031.

The Board of Statutory Auditors has obtained the information necessary for the performance of its supervisory duties by, amongst other things, attending meetings of the Board of Directors and its committees, hearings with the Company's management, meetings with the statutory auditor, the Supervisory Body, the Company's control functions and the supervisory bodies of the main subsidiaries, and the analysis of information flows received from the relevant corporate departments.

2. Appointment, self-assessment and activities of the Board of Statutory Auditors

The Board of Statutory Auditors in office at the date of this Report was appointed by the Shareholders' Meeting held on 27 April 2023 and its term of office will end at the Shareholders' Meeting convened to approve the financial statements as at 31 December 2025.

COURTESY TRANSLATION

The Board of Statutory Auditors currently in office, appointed as described above, comprises the following three (3) members:

Mr Stefano Fiorini, a standing auditor nominated as the lead candidate on the Minority List, who has been appointed Chairman of the Board of Statutory Auditors;
Mr Paolo Grecco, who has been appointed as a standing auditor as a candidate on the Majority List;
Ms Daniela Delfrate, a standing auditor, nominated on the Majority List;
Mr Alberto Trabucchi, Alternate Auditor, a candidate on the Majority List;
Ms Allegra Piccini, Alternate Auditor, a candidate on the Majority List.

On 12 February 2026, the Board of Statutory Auditors renewed the assessment of the suitability of its members and the appropriate composition of the body – with reference to the requirements of professionalism, competence, integrity and independence required by law – as well as the availability of time and resources commensurate with the complexity of the role and the proper functioning of the body, taking into account the size, complexity and activities carried out by the Company and the Group, as defined below. The members of the Board of Statutory Auditors have complied with the limit on the accumulation of appointments provided for in Article 144-terdecies of the Issuers' Regulations.

The Board of Statutory Auditors regularly participates, individually, in training sessions organised by trade associations and/or relevant professional bodies, covering topics relating to the role and responsibilities of the Board of Statutory Auditors, as well as issues concerning corporate governance, internal control and risk management systems, and regulations on remuneration and related-party transactions.

The Board of Statutory Auditors, with a view to regulating the composition, operating procedures and powers of the supervisory body, in accordance with the principles laid down by the applicable laws and regulations, as well as by the Corporate Governance Code in the version approved by the Corporate Governance Committee in January 2020 to which the Company adheres, adopted, on 12 October 2023, its own Regulations, which will be kept up to date in line with changes in the law.

The Board of Statutory Auditors, therefore, in respect of matters falling within its remit, monitored compliance with the law and the Articles of Association during the 2025 financial year, as well as adherence to the principles of sound administration, the adequacy of the organisational structure, the internal control and risk management system, the administrative and accounting system, and the

COURTESY TRANSLATION

reliability of the latter in accurately representing management events; and the activities described below were recorded in the minutes of the meetings held, both in person and via video conference.

The Board of Statutory Auditors, which acts as the Internal Control and Audit Committee provided for by Legislative Decree No. 39 of 27 January 2010, carried out, during the financial year, the audit activities assigned to it pursuant to Article 19 of the aforementioned decree.

3. Monitoring compliance with the law and the articles of association

In carrying out its duties, the Board of Statutory Auditors:

a) met 13 times, both in person and via audio-video conference, with an average duration of approximately 2 hours and 7 minutes per meeting;

b) attended all (i) the 8 meetings of the Board of Directors, (ii) the 11 meetings of the Control, Risk and Sustainability Committee, (iii) the 6 meetings of the Related Party Transactions Committee, and (iv) the 7 meetings of the Nomination and Remuneration Committee, both in its capacity as the Nomination Committee and as the Remuneration Committee;

c) attended the Shareholders' Meeting held on 28 April 2025;

d) oversaw compliance with the law and the Articles of Association, and, within the scope of its remit, acquired knowledge of and monitored the adequacy of the Company's organisational structure, compliance with the principles of sound administration, and the adequacy of the instructions issued by the Company to its subsidiaries pursuant to Article 114(2) of the Consolidated Law on Finance;

e) has monitored (i) for the purposes of preparing the financial statements for the year ended 31 December 2025, compliance with the provisions of the ESEF Regulation and (ii) for the purposes of preparing the Group's Sustainability Report for the 2025 financial year, compliance with Regulation (EU) No. 2020/852 of 18 June 2020 and the related Delegated Regulations ("Taxonomy Regulation");

f) oversaw the implementation of the legislation on sustainability reporting (i.e. Legislative Decree 125/2024). In particular, the Board of Statutory Auditors monitored the development of the organisational structure and internal processes designed to comply with the requirements of Directive (EU) No 2022/2464 ("CSRD"), applied by the Company from the 2024 financial year onwards, through the information received and the exchange of information with KPMG, and took note of the certification by the Designated Manager that

COURTESY TRANSLATION

the sustainability reporting (the “Consolidated Sustainability Report”) included in the management report has been prepared in accordance with the reporting standards applied pursuant to Directive 2013/34/EU of the European Parliament and of the Council of 26 June 2013, and Legislative Decree 125/2024, with the specifications adopted in accordance with the Taxonomy Regulation;

g) has obtained information regarding the most significant commercial relationships with the parent company and with the subsidiaries (these, together with CY, the “CY Group” or the “Group”);

h) has received from the Chief Executive Officer, as required by law and during board meetings or at specific briefing sessions, the necessary information on the activities carried out and on the transactions of major economic, financial and equity significance resolved upon and implemented during the financial year by the Company, as well as, pursuant to Article 150(1) of the Consolidated Law on Finance, those carried out by subsidiaries as adequately documented in the management report to which reference is made, and on the general performance of operations and their foreseeable development;

i) has verified that adequate documentation, in support of the matters discussed at board meetings and sub-committee meetings, was made available to the directors and statutory auditors in good time.

j) has obtained the information necessary to carry out the activities falling within its remit by collecting documents, data and information and through periodic meetings, scheduled for the purpose of the mutual exchange of relevant data and information with (i) the Company’s management, (ii) the Supervisory Body, of which, moreover, the Chairman of the Board of Statutory Auditors is a member, as provided for in the organisation, management and control model adopted by the Company in accordance with Legislative Decree No. 231/2001 (the “Model 231”), (iii) representatives of the independent auditors and (iv) the supervisory bodies of the subsidiaries;

k) in its capacity as the “Internal Audit and Control Committee” pursuant to Article 19 of Legislative Decree 39/2010, oversaw (i) the corporate reporting process, (ii) the effectiveness of the internal control and internal audit systems, (iii) the statutory audit of the annual and consolidated financial statements, and (iv) the independence of the audit firm;

l) oversaw the adequacy of the internal control and risk management system and the

COURTESY TRANSLATION

administrative and accounting system, as well as the reliability of the latter in accurately representing management events through the relevant company departments. In particular, the Board of Statutory Auditors oversaw the adequacy and effective functioning of the internal control and risk management system by means of:

the review of the report for the year 2025 on the adequacy of the internal control and risk management system in relation to corporate disclosure and compliance with administrative and accounting procedures, in order to enable the Board of Directors to fulfil its supervisory obligations regarding effective compliance with administrative and accounting procedures, pursuant to Article 154-bis, paragraph 4, of the Consolidated Law on Finance. On 12 March 2026, the Manager responsible for preparing the financial statements and the Chief Executive Officer provided the appropriate certifications as required by Article 154-bis, paragraph 5, of the TUF;
the periodic meetings held during the 2025 financial year with the Head of Internal Audit regarding (i) the activities carried out, (ii) the findings of the audit engagements and (iii) the audit plan for the period January 2024 – June 2026, as renewed in June 2025;
the review of the report and evidence of the Supervisory Body's activities, including with regard to whistleblowing reports received by the Company and its subsidiaries, which show that during 2025 the Company and its subsidiaries did not receive any reports;
the receipt of regular updates regarding reports or notifications of investigations by Italian state bodies and/or authorities with criminal jurisdiction or, in any case, with powers of judicial investigation, in relation to offences that could potentially involve CY and the companies it controls directly or indirectly, as well as its directors and/or employees;
the examination of company documents and the results of the work carried out by the independent auditors;
ongoing relations with the supervisory bodies of subsidiaries, pursuant to Article 151, paragraphs 1 and 2, of the Consolidated Law on Finance;
participation in the work of the Control, Risk and Sustainability Committee, the Nomination and Remuneration Committee and the Related Party Transactions Committee;

COURTESY TRANSLATION

m) has received confirmation from the audit firm of its independence in accordance with Article 6 of Regulation (EU) No 537/2014, as well as a statement detailing the non-statutory audit services provided to the Company by that audit firm and by entities belonging to its network;

n) has received, again from the audit firm, a report on regulatory changes affecting audit activities and, more specifically, the annual audit report;

o) has monitored the practical implementation of the corporate governance rules set out in the Corporate Governance Code, which was adopted by the Company on 2 May 2023, including with regard to the self-assessment of the Board of Directors and the Board Committees, carried out with the assistance of an external consultant;

p) reviewed the corporate processes that led to the formulation of the Company's remuneration policies, with particular reference to the remuneration criteria for the Executive Chairman, the Chief Executive Officer and senior management;

q) monitored the adequacy of the information flows provided by the subsidiaries to CY, aimed at ensuring the timely fulfilment of statutory disclosure obligations, bearing in mind that the Boards of Directors of the subsidiaries generally include directors and executives of the Company, often with operational powers, who ensure coordinated management and an adequate flow of information, supported by appropriate accounting data;

r) also participated in the in-depth sessions organised by the Company as part of the induction process, conducted during Board meetings and focusing on various topics;

s) following the close of the 2025 financial year, examined and assessed the "Remuneration Report" and the text of the "Report on Corporate Governance and Ownership Structure", in the versions approved by the Board of Directors on 12 March 2026, verifying that the content of the aforementioned reports was consistent with the information required by Article 123-bis of the Consolidated Law on Finance and Article 84-quater of the Issuers' Regulations.

The Board of Statutory Auditors notes that, during the 2025 financial year, no reports were made to the board of directors pursuant to Article 25 of Legislative Decree No. 14 of 12 January 2019, as amended and supplemented, nor did it, in turn, receive any reports pursuant to Article 25-novies.

During the 2025 financial year, the Company did not receive any formal requests for information from Consob pursuant to Legislative Decree No. 58/98.

COURTESY TRANSLATION

4. Opinions and recommendations issued by the Board of Statutory Auditors during the 2025 financial year

During the financial year, the Board of Statutory Auditors, as required by current legislation, issued two opinions in relation to the so-called “non-audit services” provided by KPMG S.p.A.

5. Annual financial statements, consolidated financial statements and management report

On 12 March 2026, the Board of Directors approved the draft annual financial statements and the consolidated financial statements as at 31 December 2025, accompanied by the Consolidated Sustainability Report, in accordance with Legislative Decree 125/2024.

The aforementioned annual financial statements as at 31 December 2025, accompanied by the Management Report prepared by the Directors, as well as the certification of the Chief Executive Officer and the Manager responsible for preparing the company’s financial statements, was promptly made available to the Board of Statutory Auditors and the Independent Auditors in preparation for the Shareholders’ Meeting convened in a single call for 28 April 2026. On the same date, the Board of Directors of CY approved the Group’s consolidated financial statements, as prepared by the Manager Responsible for the Preparation of Corporate Accounting Documents, pursuant to Article 154-bis of the Consolidated Law on Finance, accompanied by the certification of the Chief Executive Officer and the Manager Responsible for the Preparation of Corporate Accounting Documents.

The financial statements have been prepared in accordance with the International Financial Reporting Standards (“IFRS”) issued by the International Accounting Standards Board (“IASB”) and adopted by the European Commission in accordance with the procedure set out in Article 6 of Regulation (EU) No 1606/2002 of the European Parliament and of the Council of 19 July 2002 and pursuant to Article 9 of Legislative Decree No 38/2005. IFRS also includes the International Accounting Standards (“IAS”), as well as the interpretative documents still in force issued by the IFRS Interpretations Committee (“IFRIC”), including those previously issued by the International Financial Reporting Interpretations Committee (“IFRIC”) and, prior to that, by the Standing Interpretations Committee (“SIC”).

We also inform you that these financial statements have been prepared in accordance with the requirements of Regulation (EU) No. 2019/815 (“ESEF Regulation”) and, therefore, in XHTML electronic format; they include, with specific reference to CY’s consolidated financial statements as at 31 December 2025, Inline XBRL markings for the information in accordance with the taxonomy specified by the ESEF Regulation.

The notes to the financial statements set out the information and results of the assessment process

COURTESY TRANSLATION

carried out for the purpose of the impairment test, which did not reveal any impairment losses. The Board of Statutory Auditors considers that the procedure and results of the impairment test adopted by the Company, with the favourable opinion of the Control, Risk and Sustainability Committee and by resolution of the Board of Directors dated 5 March 2026 in accordance with the joint document issued by the Bank of Italy, CONSOB and ISVAP on 3 March 2010, as well as the related disclosure in the financial statements, are adequate.

The audit firm KPMG, which has been appointed to carry out the statutory audit, issued, on 31 March 2026, reports pursuant to Article 14 of Legislative Decree No. 39/2010 and Article 10 of Regulation (EU) No. 537/2014 on the financial statements of CY and the consolidated financial statements of the CY Group as at 31 December 2025, expressing an unqualified opinion with no matters of emphasis. In particular, in these reports, the Independent Auditors certify that the consolidated financial statements and the separate financial statements give a true and fair view of the financial position, the financial performance and the cash flows for the financial year ended on that date, in accordance with IFRS, as well as with the provisions issued in implementation of Article 9 of Legislative Decree No. 38/ 2005, and that the Management Report and certain specific information contained in the Report on Corporate Governance and Ownership Structure referred to in Article 123-bis, paragraph 4, of the TUF, for which the Directors of CY are responsible, are consistent with CY's separate financial statements and consolidated financial statements as at 31 December 2025 and comply with the law.

Furthermore, the independent auditors have certified that the Company Financial Statements and the Consolidated Financial Statements comply with the provisions of the ESEF Regulation regarding the XHTML format and tagging, also in light of the guidelines issued by Assirevi (document no. 252 of 6 March 2023);

6. Consolidated Sustainability Report

CY, as a public-interest entity ("PIE"), is required, from the 2024 financial year onwards, to publish a Consolidated Sustainability Report in accordance with the provisions of Legislative Decree 125/24, which transposes the CSRD. This legislation requires a dual-materiality approach, considering both the company's impacts on society and the environment, and how sustainability factors influence the company itself. In compliance with the aforementioned regulations, the CY Group's Consolidated Sustainability Report for the financial year ended 31 December 2025, approved by resolution of the Board of Directors on 12 March 2026 and included in the Annual Financial Report as at 31 December 2025, has been prepared to the extent necessary to ensure an understanding of the Group's activities,

COURTESY TRANSLATION

performance, results and related impacts in relation to sustainability profiles.

The Board of Statutory Auditors plays a central role in monitoring the adequacy and effective functioning of the internal control and risk management system, including with regard to sustainability issues and the new provisions introduced by the CSRD.

In this context, the Board of Statutory Auditors monitored compliance with regulatory obligations regarding sustainability reporting, verifying that the Company had implemented appropriate procedures and processes to ensure the reliability and transparency of non-financial information. To this end, the Board liaised with the corporate departments responsible for overseeing ESG issues and with the Control, Risk and Sustainability Committee.

Information was gathered through a centralised process, in which the Group's functions consolidated data from all subsidiaries, under the coordination of the Company's Finance function.

Furthermore, the Board of Statutory Auditors monitored the integration of ESG factors into the Company's business models and risk management systems. Particular attention was also paid to the Company's involvement in the analysis of the so-called double materiality required by the CSRD, namely the assessment of the company's impacts on the environment and society, as well as the risks and opportunities that sustainability issues may generate for the business.

The Board of Statutory Auditors has actively participated in the processes of verifying and providing assurance on sustainability information, including in collaboration with the firm appointed to carry out the statutory audit. This work has included assessing the reliability of the data, analysing the methodologies adopted for measuring ESG impacts, and verifying the consistency of the reported information with international sustainability standards.

With specific regard to the review of the Sustainability Report, the Board of Statutory Auditors monitored compliance with the provisions set out in Legislative Decree 125/2024, within the scope of the powers conferred upon it by law. In this regard, it is noted that:

pursuant to Article 34(1)(2) of Directive 2013/34/EU, as amended by the CSRD, the company has appointed KPMG to carry out a limited review of the CY Group's Consolidated Sustainability Report;
the Board of Statutory Auditors received regular updates on the progress of the preparatory work for the preparation of the Consolidated Sustainability Report;

COURTESY TRANSLATION

KPMG has issued the report on the limited review of the consolidated sustainability report pursuant to Article 14-bis of Legislative Decree No. 39 of 27 January 2010, in which it is certified that no evidence has come to light to suggest that:
the CY Group’s consolidated sustainability report for the fiscal year ended December 31, 2025, has not been prepared, in all material respects, in accordance with the reporting standards adopted by the European Commission pursuant to Directive 2013/34/EU (“European Sustainability Reporting Standards,” hereinafter also “ESRS”), and
the information contained in section “2.1 Disclosure pursuant to Article 8 of Regulation 2020/852 (EU Taxonomy Regulation)” of the CY Group’s consolidated sustainability report for the financial year ended December 31, 2025, has not been prepared, in all material respects, in accordance with the Taxonomy Regulation.
KPMG issued its report today, which includes a statement of compliance regarding the separate financial statements and the consolidated financial statements, confirming that it has verified the preparation of the Consolidated Sustainability Report.

The Board of Statutory Auditors has not become aware of any violations of the relevant regulatory provisions and therefore confirms that the process for preparing the Sustainability Report is adequate; it further considers that there are no findings to be submitted to the shareholders’ meeting.

Transactions of significant economic, financial, and equity impact, and transactions with related parties

The Board of Statutory Auditors believes that adequate information has been obtained regarding the transactions of greatest economic, financial, and equity significance carried out by CY and the Group companies, as set forth in the Management Report and the Notes to the Financial Statements, to which reference is made—in compliance with the requirements to be met in this regard pursuant to Consob Resolution No. 17221 of March 12, 2010, as amended and supplemented.

The Board of Statutory Auditors draws attention to the following transactions and events:

the inclusion of XTN Cognitive Security S.r.l. in the national tax consolidation of CY4Gate S.p.A. for the three-year period 2025–2027;
the acquisition, on July 30, 2025, of an additional 15.33% stake in the share capital of Diateam S.a.S. (“Diateam”), a company incorporated under French law, for a consideration of

COURTESY TRANSLATION

approximately €1.6 million, pursuant to the call and put option system contractually provided for at the time of the acquisition of the majority of Diateam’s share capital;

during 2025, the option, approved by the Shareholders’ Meeting on November 26, 2024, to make an additional purchase of treasury shares, in one or more tranches, up to a maximum of 450,000 ordinary shares, was not exercised.

In particular, the Board of Directors, in the Management Report and in the notes to the separate and consolidated financial statements, has provided a comprehensive description of transactions (where any) involving the interests of the Directors and Statutory Auditors, as well as transactions with related parties.

Furthermore, the Board of Statutory Auditors acknowledges that the transactions indicated therein were carried out in compliance with the procedures for their approval and execution, as set forth in the specific internal procedure adopted in accordance with Article 2391-bis of the Italian Civil Code and the implementing regulations issued by Consob.

The Board of Statutory Auditors certifies that, based on the information obtained with the support of the Related Party Transactions Committee and Internal Audit, the transactions carried out — which do not include significant transactions but only minor ones — are included in CY’s financial statements as of December 31, 2025, and are in compliance with the law and the Articles of Association, are not manifestly imprudent or risky, nor were they carried out in conflict of interest or in contravention of resolutions adopted by the Shareholders’ Meeting, nor, in any case, are they such as to compromise the integrity of the company’s assets. Furthermore, based on the information available to the Board of Statutory Auditors, no atypical and/or unusual transactions have come to light.

The Management Report and the Notes to the separate financial statements and consolidated financial statements for the year ended December 31, 2025, provide a comprehensive description of the transactions carried out with the Company’s subsidiaries and other related parties. In the opinion of the Board of Statutory Auditors, these transactions are: (i) accurately and completely represented in the aforementioned documents; (ii) in compliance with the law and the Articles of Association; (iii) in the best interests of the Company and in its best interest, safeguarding the Company’s assets and protecting minority shareholders; and (iv) not characterized by the existence of conflicts of interest.

Oversight of compliance with the principles of good governance

We have acquired knowledge of and monitored, to the best of our ability, compliance with the

COURTESY TRANSLATION

fundamental criterion of sound and prudent management of the Company and the more general principle of due diligence, based on our participation in Board of Directors meetings, the documentation, and the information received directly from the various management bodies regarding the transactions carried out by the Group and, where appropriate, conducting specific analyses and verifications, and we can confirm in this regard that corporate activities were guided by criteria of economic validity (i.e., acting in accordance with and within the limits of the Company's resources and assets) and legal validity (i.e., carried out by a party fully empowered to do so). The information obtained allowed us to verify compliance with the law and the Articles of Association of the actions resolved upon and implemented during the 2025 fiscal year and to confirm that such actions were not manifestly imprudent or reckless.

The Board of Statutory Auditors oversaw the decision-making processes of the Board of Directors and verified that management decisions were adopted in the Company's best interest and were compatible with the Company's resources and assets, as well as adequately supported by information, analysis, and verification processes.

The annual financial report, the information received during meetings of the Board of Directors, and the information provided by the Chief Executive Officer, senior management, and the independent auditors did not reveal the existence of any atypical and/or unusual transactions with Group companies, third parties, and/or related parties.

Based on these considerations, the Board of Statutory Auditors has no observations to raise regarding compliance with the principles of proper administration, which appear to have been consistently observed.

Oversight of the adequacy of the organizational structure

The Board of Statutory Auditors has reviewed and monitored, to the extent of its authority, the adequacy of the Company's organizational structure in relation to the size and nature of its business activities, and has found it to be suitable for meeting the Company's management and operational control needs.

In particular, the Board of Statutory Auditors can confirm that the composition of the Board of Directors complies with the provisions of Article 148, paragraph 3, of the Consolidated Law on Finance (TUF), as referred to in Article 147-ter, paragraph 4, with regard to the presence of independent directors and gender quotas within its composition.

COURTESY TRANSLATION

10. Oversight of the adequacy of the internal control and risk management system

The supervisory activities carried out, as described in more detail in paragraph 3 above, did not reveal any anomalies that could be considered indicators of the inadequacy of the internal control and risk management system. In particular, and in accordance with the findings set out in Consob's Notice 1/21 of 16 February 2021, the Board of Statutory Auditors considers that this system is appropriate to the management characteristics of the Company and the Group, meeting the requirements of efficiency and effectiveness in risk management and in compliance with internal and external procedures and regulations.

With regard to the effectiveness of the internal control and risk management system – designed to safeguard the company's assets, ensure the efficiency of business processes, guarantee the reliability of financial information and, more generally, ensure compliance with the provisions of the Articles of Association and internal procedures – we confirm that we have assessed its appropriateness and found that (i) the planning process is supported by adequate information systems and procedures that enable the reliable reconciliation of key economic and financial information with the results of the information systems used within the individual subsidiaries and (ii) the process ensures the accuracy and integrity of such information.

The Board of Statutory Auditors acknowledges that the Company continues to adopt the 231 Model in accordance with the provisions of Legislative Decree No. 231/2001 in order to protect the Company from any conduct that may give rise to its administrative liability in relation to offences committed or attempted in its interest or for its benefit by persons in so-called 'senior' positions within the organisational structure or by persons subject to their supervision and control, and has appointed the Supervisory Body, pursuant to the aforementioned legislative decree, endowed with autonomous powers of initiative and control in accordance with the law.

The Supervisory Body submitted its report to the Board of Statutory Auditors on the activities carried out during the 2025 financial year, which concerned the supervision of the application of the 231 Model and the monitoring of its ongoing implementation and updating, as well as the monitoring of activities carried out by the company departments involved in its implementation, with particular attention to communication and training for CY staff. In this regard, following an exchange of information with the Board of Statutory Auditors, the Supervisory Body did not identify any situations that needed to be reported to the corporate bodies.

COURTESY TRANSLATION

The Board of Statutory Auditors verified that the information required by Article 123-bis, paragraph 2, letter b), of the Consolidated Law on Finance (TUF) regarding the main characteristics of the existing risk management and internal control systems in relation to the financial reporting process, including consolidated reporting, has been provided within the Management Report.

It is confirmed that no facts or situations requiring disclosure in this Report have been reported to the Board of Statutory Auditors.

11. Oversight of the adequacy of the administrative and accounting system and its reliability in accurately reflecting operational events

The Board of Statutory Auditors has no comments to make regarding the adequacy of the administrative and accounting system or its reliability in accurately presenting the facts of the company's operations.

With regard to the accounting disclosures contained in the Company Financial Statements and the Consolidated Financial Statements as at 31 December 2025, the certification by the Chief Executive Officer and the Manager responsible for preparing the company's financial statements has been correctly provided, pursuant to Article 81-ter of the Regulations adopted by Consob Resolution No. 11971 of 14 May 1999 (the "Issuers' Regulations").

The Board of Statutory Auditors met periodically with the Manager responsible for the preparation of the company's financial and corporate documents to exchange information on the administrative and accounting system, as well as on the reliability of the latter for the purposes of a fair presentation of the company's financial performance.

The Company has an internal control and risk management system in place in relation to the Group's financial reporting process, designed to ensure the reliability, accuracy, and timeliness of the Company's financial reporting, as well as the ability of the relevant business processes to produce such reports in accordance with the applicable accounting standards.

CY has established a regulatory framework that defines the rules, methodologies, roles and responsibilities for the design, establishment, ongoing maintenance and assessment of the effectiveness of the internal control and risk management system for corporate reporting, applied to both CY and its subsidiaries.

The internal control model for financial reporting adopted by CY and its subsidiaries has been defined in accordance with the provisions of the aforementioned Article 154-bis of the TUF.

COURTESY TRANSLATION

Comments on any significant issues that arose during the meetings held with the auditors pursuant to Article 150(3) of Legislative Decree No 58/1998, and a report on the activities referred to in Article 19(1) of Legislative Decree No 39/2010

As previously reported, KPMG is the firm to which the ordinary general meeting of 27 April 2023 appointed to carry out the statutory audit of CY's annual financial statements and the CY Group's consolidated financial statements for the financial years from 31 December 2023 to 31 December 2031.

During the supervisory activities carried out in the 2025 financial year, the Board of Statutory Auditors met periodically, for the purpose of exchanging information regarding the results of the audit of the correct keeping of the accounts, the examination of the audit plan for CY and the Group, and the progress of that plan, the managers of the audit firm KPMG - also pursuant to Article 150(3) of the Consolidated Law on Finance (TUF) and Article 19(1) of Legislative Decree No. 39/2010. During these meetings, the Audit Firm did not highlight any acts or facts deemed reprehensible or irregularities that required the formulation of specific reports pursuant to Article 155(2) of the TUF, nor any situations that need to be highlighted in this Report. The flow of information between the Independent Auditors and the Board of Statutory Auditors was constant, including through informal channels, throughout the financial year ended 31 December 2025, as well as during the stages prior to the completion of this Report.

The Board of Statutory Auditors has i) reviewed the work carried out by the Audit Firm and, in particular, the methodological framework, the audit approach used for the various significant areas of the financial statements and the planning of the audit work; and ii) discussed with the Audit Firm issues relating to business risks, thereby being able to assess the adequacy of the response planned by the auditor in relation to the structural and risk profiles of the Company and the Group.

Finally, as further confirmation of the above, on 31 March 2026 the Board of Statutory Auditors received the "Report to the Internal Control and Audit Committee" pursuant to Article 11 of Regulation (EU) No 537/2014, from which no significant matters requiring mention in this Report have emerged. This Report was forwarded today to the Board of Directors by the Board of Statutory Auditors.

With regard to the findings of the Financial Statements for the financial year ended 31 December 2025, appropriate technical analyses were carried out on the most significant items of the document in constant consultation with the Independent Auditors, in accordance with their respective competences and responsibilities.

COURTESY TRANSLATION

During the year, the managers of the Audit Firm informed the Board of the audit plan drawn up, its implementation and the results arising therefrom; no facts or situations emerged from these meetings that need to be highlighted in this Report, either in relation to the audit work or in relation to deficiencies in the integrity of the internal control system.

The Audit Firm also submitted to the Board of Statutory Auditors, in its capacity as the Internal Control and Audit Committee, the additional report required by Article 11 of Regulation (EU) No 537/2014 (the "Additional Report"), which highlighted:

the most significant aspects of the audit of the 2025 financial statements;
the audit methodology, the identification of significant risks and the materiality threshold applied;
the fact that no weaknesses were identified in the internal control system in relation to the financial reporting process.

Furthermore, in the aforementioned Supplementary Report, the Audit Firm confirmed, in accordance with Article 6(2)(4) of Regulation (EU) No 537/2014, its independence, as well as the measures it had taken to mitigate such risks.

Pursuant to Article 17(9) of Legislative Decree 39/2010, the Board of Statutory Auditors has verified that the independent audit firm meets the independence requirements and that no omissions, reprehensible acts or irregularities have come to light. Similarly, no significant matters emerged during the course of the supervisory activities that would require reporting to the supervisory bodies or mention in this Report.

The notes to the Financial Statements provide full disclosure of the fees paid to the Independent Auditors, in accordance with Article 149-duodecies of the Issuers' Regulations, to which reference is made.

The Board of Statutory Auditors, in its role as the "Internal Control and Audit Committee", has fulfilled the duties required by Article 19(1)(e) of Legislative Decree 39/2010, as amended by Legislative Decree 135/2016, and by Article 5, paragraph 4), of Regulation (EU) No 537/2014 regarding the prior approval of the aforementioned appointments, verifying their compatibility with current legislation and, specifically, with the provisions of Article 17 of Legislative Decree 39/2010 - as amended by Legislative Decree 135/2016 - as well as with the prohibitions set out in Article 5 of Regulation (EU) No 537/2014 referred to therein.

COURTESY TRANSLATION

13. Engagements provided to the audit firm and its network

During the 2025 financial year, the Company and the Group assigned the following tasks to the auditors:

The "Other Information" section of the 2025 Consolidated Financial Statements sets out the fees paid to the current audit firm for statutory audit services and for non-audit services in accordance with Article 149-duodecies of the Issuers' Regulations. No assignments prohibited by Article 17(3) of Legislative Decree No. 39/2010 have been assigned to this audit firm.

The Board of Statutory Auditors reports that CY does not yet have an internal "framework" procedure for the approval of services to be entrusted to the audit firm responsible for the statutory audit and its network.

The Board of Statutory Auditors considers that the aforementioned fees are appropriate to the size, complexity and nature of the work carried out.

The Board of Statutory Auditors does not consider that there are any critical issues regarding the independence of the current audit firm, taking into account:

the statement of independence issued by the audit firm KPMG pursuant to Articles 10 and 17 of Legislative Decree No. 39/2010;
the specific nature of the engagements awarded by CY and the companies of the CY Group to the audit firm KPMG and to the firms belonging to its network.

14. Information on how the corporate governance rules are implemented in practice

The Board of Statutory Auditors has, in accordance with Article 149(1)(c-bis) of the Consolidated Law on Finance (TUF), monitored the practical implementation of the corporate governance rules set out in the Corporate Governance Code adopted by the Board of Directors, in accordance with the Code promoted by Borsa Italiana S.p.A.

COURTESY TRANSLATION

The "Report on Corporate Governance and Ownership Structure 2025" pursuant to Article 123-bis, paragraphs 1 and 2, of the TUF, prepared by the Directors and approved by the Board of Directors at its meeting on 12 March 2026, sets out in detail i) the Company's ownership structure, ii) the governance practices actually applied by the Company, iii) the main features of the existing risk management and internal control systems, including in relation to the process of individual and consolidated financial reporting, iv) the operating mechanisms of the Shareholders' Meeting, its main powers, the rights of Shareholders and the procedures for exercising them, and v) the composition and functioning of the administrative and control bodies and their committees, as well as the information required by Article 123-bis of the Consolidated Law on Finance (TUF) and, more generally, the principles and application criteria adopted by the Company, so as to clearly set out which recommendations of the aforementioned Corporate Governance Code have been adopted and how they have been effectively applied, in accordance with the 'comply or explain' principle.

In this regard, the Board of Statutory Auditors has noted that, with reference to Article 4, Recommendation 23 of the Corporate Governance Code, the Board of Directors - having regard to its own functioning, the size and ownership structure of the Company and the Group - has decided not to adopt, at present, with a view to any future renewal, any guidelines regarding its quantitative and qualitative composition deemed optimal.

The Board of Statutory Auditors notes that the Company has a corporate function (i.e. Investor Relations) responsible for relations with shareholders and institutional investors, which operates, amongst other things, in accordance with and within the framework of the "Policy on managing dialogue with shareholders", approved by the Board of Directors on 18 May 2023.

The Board of Statutory Auditors also monitored the proper fulfilment, by the Company's various administrative functions, of their respective obligations regarding periodic or ad hoc disclosures.

With regard to remuneration policies, the Board of Statutory Auditors has reviewed the corporate processes that led to the formulation of the company's remuneration policies, with particular reference to the remuneration criteria for the Executive Chairman, the Chief Executive Officer and senior executives with strategic responsibilities, and has provided the relevant opinions where required by law. On 12 March 2026, the Board of Directors, upon the proposal of the Nomination and Remuneration Committee, approved the "Report on the remuneration policy regarding remuneration paid", prepared in accordance with Article 123-ter of the Consolidated Law on Finance (TUF) and Article 84-quater of the Issuers' Regulations, and in compliance with the provisions of Article 5 of the Corporate Governance

COURTESY TRANSLATION

Code, to which reference is made.

On 16 January 2026, the Board of Directors took note of the letter from the Chairman of the Corporate Governance Committee containing the recommendations formulated for the year 2026.

In accordance with the "Rules of Conduct for the Board of Statutory Auditors of Listed Companies" of the National Council of Chartered Accountants and Accounting Experts, the Board of Statutory Auditors carried out, on 16 February 2026, its assessment of the composition, size and functioning of the Board. With regard to the requirements and personal and collective competences, it emerged, in particular, that:

All standing auditors, in addition to meeting the requirements of integrity and professionalism and not falling within any of the situations of incompatibility provided for by current legislation, also meet the independence requirements set out in the Corporate Governance Code;
The Board of Statutory Auditors ensures gender diversity amongst its members;
Each standing auditor possesses sound knowledge and experience across multiple areas of expertise;
The Board of Statutory Auditors possesses adequate overall expertise.

The results of this activity are kept on file with the Board of Statutory Auditors.

Final assessments regarding the supervisory activities carried out, as well as any omissions, reprehensible acts or irregularities identified in the course of such activities

We hereby certify that the supervisory activities, as described above, were carried out during the 2025 financial year in the normal course of business and that no reprehensible acts, omissions or irregularities came to light that would require reporting to the competent supervisory and control bodies or mention in this Report.

We also confirm that, during 2025, no complaints were received pursuant to Article 2408 of the Italian Civil Code, nor were any complaints lodged by any party.

With regard to the principles of sound management, based on meetings held with management, the control functions, the Financial Reporting Officer and the independent auditors, the Board of Statutory Auditors can reasonably state that the transactions carried out are in accordance with the principles of sound management and that corporate decisions were taken on the basis of adequate information flows.

The Board of Statutory Auditors has also confirmed that there were no atypical and/or unusual

COURTESY TRANSLATION

transactions with Group companies, third parties or related parties.

The Board of Statutory Auditors – also in light of the meetings held with the supervisory bodies of the subsidiaries – is not aware of any other facts or matters that need to be brought to the attention of the Shareholders' Meeting.

The Board of Statutory Auditors carried out its self-assessment for the financial year ended 31 December 2025 through a transparent and structured process, guided by best practice. Overall, the self-assessment provided a positive picture of the composition and functioning of the Board.

16. Result for the year

The net result determined by the Board of Directors for the financial year ended 31 December 2025, as is evident from the financial statements, is a loss of €13,871,762.

The Board of Directors proposes to carry forward the loss of €13,871,762.

17. Conclusions

On the basis of the information set out and explained in this Report, having regard to the findings contained in the auditors' report and taking into account the information obtained by the Board of Statutory Auditors during the course of its routine periodic checks, the Board of Statutory Auditors finds, within the scope of its remit, no grounds preventing the approval of the financial statements for the year ended 31 December 2025, as drawn up and approved by the Board of Directors on 12 March 2026, and of the proposals put forward by the latter to the Shareholders' Meeting regarding the allocation of the profit for the year.

Finally, we would like to remind you that the term of office of the Board of Statutory Auditors expires with the General Meeting convened to approve the financial statements as at 31 December 2025, and we therefore invite you to take the necessary decisions regarding the renewal of the Supervisory Body.

Rome, March 31st 2026

on behalf of the Board of Statutory Auditors

Stefano Fiorini – Chairman

AI assistant

CY4GATE S.p.A. Audit Report / Information 2025

6295_10-k_2026-03-31_a1ac04a3-9c64-4c1d-af95-0945de81890b.pdf

CY4GATE S.p.A.

Report of the Board of Statutory Auditors to the Shareholders' Meeting (Article 153 of Legislative Decree No. 58/1998 and Article 2429(2) of the Civil Code)

1. Introduction: legislative, regulatory and ethical sources

2. Appointment, self-assessment and activities of the Board of Statutory Auditors

3. Monitoring compliance with the law and the articles of association

4. Opinions and recommendations issued by the Board of Statutory Auditors during the 2025 financial year

5. Annual financial statements, consolidated financial statements and management report

6. Consolidated Sustainability Report

10. Oversight of the adequacy of the internal control and risk management system

11. Oversight of the adequacy of the administrative and accounting system and its reliability in accurately reflecting operational events

13. Engagements provided to the audit firm and its network

14. Information on how the corporate governance rules are implemented in practice

16. Result for the year

17. Conclusions

AI assistant

CY4GATE S.p.A. — Audit Report / Information 2025

6295_10-k_2026-03-31_a1ac04a3-9c64-4c1d-af95-0945de81890b.pdf

CY4GATE S.p.A.

Report of the Board of Statutory Auditors to the Shareholders' Meeting (Article 153 of Legislative Decree No. 58/1998 and Article 2429(2) of the Civil Code)

1. Introduction: legislative, regulatory and ethical sources

2. Appointment, self-assessment and activities of the Board of Statutory Auditors

3. Monitoring compliance with the law and the articles of association

4. Opinions and recommendations issued by the Board of Statutory Auditors during the 2025 financial year

5. Annual financial statements, consolidated financial statements and management report

6. Consolidated Sustainability Report

10. Oversight of the adequacy of the internal control and risk management system

11. Oversight of the adequacy of the administrative and accounting system and its reliability in accurately reflecting operational events

13. Engagements provided to the audit firm and its network

14. Information on how the corporate governance rules are implemented in practice

16. Result for the year

17. Conclusions

More from CY4GATE S.p.A.

CY4GATE S.p.A. Audit Report / Information 2025