SUBJECT: Young Platform S.p.A.
Corporate Details
- Company Name: Young Platform S.p.A.
- Registered Office: Via Francesco Cigna 96/17, 10155 Turin (TO), Italy.
- VAT No. / Tax Code: 11931440017.
Preamble
This document serves to certify the alignment of the internal procedures of Young Platform S.p.A. (hereinafter the “Company”) with European provisions regarding digital operational resilience in the financial sector, in strict accordance with:
- Regulation (EU) 2022/2254 (DORA): On digital operational resilience for the financial sector, establishing uniform requirements for the security of network and information systems of financial entities, including crypto-asset service providers regulated under MiCA.
- Regulation (EU) 2023/1114 (MiCA): Establishing the prudential and organisational framework for Crypto-Asset Service Providers (CASPs), supplemented by DORA with regard to ICT and digital operational risk management.
The Digital Operational Resilience Act (DORA) harmonises standards across the European Union for cybersecurity, business continuity, and ICT risk management applicable to financial operators, including crypto-asset exchange platforms.
Scope of Application
Following the entry into force of the DORA Regulation, Young Platform is subject to requirements concerning:
- ICT Risk Management;
- Mandatory Incident Reporting;
- Digital Operational Resilience Testing;
- Management of ICT Third-Party Risk;
- Information Sharing on Threats (Threat Intelligence).
Operational Compliance Procedures
To ensure full compliance with the obligations provided for by DORA, Young Platform has implemented a framework structured into five macro-areas:
1. ICT Risk Management
The Company has adopted an integrated governance and control system for ICT risks, which provides for:
- Continuous identification, assessment, and monitoring of cyber risks;
- Adoption of multi-level security controls (both technical and organisational);
- Maintenance of ICT policies, updated and reviewed on a periodic basis.
2. ICT Incident Management and Notification
In accordance with European obligations, Young Platform has defined procedures for:
- Timely detection of operational or security incidents;
- Classification of incidents according to DORA criteria (levels of severity and impact);
- Notification to competent authorities within the timeframes prescribed by the legislation;
- Post-incident analysis (post-mortem) and implementation of corrective measures.
3. Digital Operational Resilience Testing
The Company periodically conducts resilience tests to guarantee system reliability, including:
- Regular vulnerability assessments and penetration tests;
- Advanced testing based on Threat-Led Penetration Testing (TLPT), where required by the regulator;
- Crisis simulations and scenarios involving the interruption of critical services.
4. Management of ICT Third-Party Risk
Young Platform applies a rigorous vendor management process, which includes:
- Preliminary verification of critical ICT third-party service providers (due diligence and risk assessment);
- Contractual clauses compliant with DORA regarding security, auditability, and service continuity;
- Continuous monitoring of performance, service levels, and risks;
- Adoption of exit strategies for critical services.
Technological Infrastructure and Security
To guarantee full operational resilience and user protection, the Company has implemented advanced systems for continuous (24/7) monitoring of its digital infrastructure. In addition, it adopts a multi-level data security strategy based on:
- Advanced encryption;
- Strong customer authentication (SCA);
- Segmentation of critical systems;
- Backup and disaster recovery protocols.
Both cloud and on-premise infrastructures adhere to international security standards (ISO/IEC 27001, ISO 22301).