Risks

In the performance of its corporate objectives, Ferrovial is exposed to diverse risk factors deriving from the nature of the sectors in which it operates, the countries in which its activities are located and the different regulations to which it is subject. Risk management is fostered throughout the Group and integrated in all key processes, from asset management to M&A.

Policy

The company has a Risk Control and Management Policy (hereinafter, “the Policy”), in line with COSO ERM framework and the ‘Three Lines Model’ as International reference standards, which provides the employees of Ferrovial with a general frame of action for the control and management of the risks of any nature that they face in the performance of the business objectives and the general strategy of Ferrovial. Following COSO´s guidance, risk appetite towards our strategic objectives has been determined by management and presented to the BoD, and targets and tolerance identified for key risk factors, integrating them into decision-making.

The Policy, approved by the Board of Directors, is updated at least every three years and is communicated throughout the organization for implementation. The most recent update took place in 2025.

Risk appetite is a key element of both the policy and Ferrovial’s Enterprise Risk Management (ERM) framework. Specific metrics have been established for the most relevant risk factors, enabling the organisation to quantify and effectively monitor its risk appetite.

Recently, the investment process has been reviewed, resulting in the introduction of new risk appetite metrics and targets, as well as the update of existing ones. The Investment Procedure has been revised to ensure that risk methodology is fully embedded, reinforcing the policy principle that risk considerations should be integrated into all strategic processes. This approach reinforces Ferrovial’s commitment to embedding risk management across all critical processes, including not only growth through investment but also the full spectrum of its core service activities, such as infrastructure management, construction, and energy and digital infrastructure

Compliance with the approved risk appetite is continuously monitored and periodically reported to the Audit and Control Committee, which in turn reports to the Board of Directors. The overarching objective is to align the organisation by using risk appetite as a fundamental tool for risk management and decision-making.

Board of Directors

Ferrovial’s Board of Directors identifies and analyses the risks associated with the strategy and activities of the Company and its businesses, in accordance with the Risk Control and Management Policy. It is responsible for risk management oversight, for establishing the risk appetite as well as the measures put in place in order to counter the risk taken. Based on risk assessment, the Board designs, implements and maintains adequate internal risk management and control systems.

Audit and Control Committee

The Audit and Control Committee assists the Board of Directors in fulfilling its responsibilities, discussing the Company’s policies with respect to risk assessment and risk management, and overseeing the Company’s enterprise risk management system.

Internal Audit

The Internal Audit function, acting as a third line of the ‘Three Lines Model’, supervises the company’s risk management system through internal audits of the company’s various risk management processes (financial, operational, compliance, etc.), issuing recommendations to correct any weaknesses detected.

Enterprise Risk department

The Enterprise Risk department, independent of the business lines and acting as second line of the ‘Three Lines Model’, is responsible for developing the risk management process, known as Ferrovial Risk Management. This ensures uniform risk management across Ferrovial and involves periodic reporting to the Audit and Control Committee and, when appropriate, to the Board of Directors on the risks that threaten the achievement of business objectives and compliance with the risk targets approved by the Board of Directors.

On the other hand, as part of the second line, certain divisional and corporate directorates in their area of responsibility are responsible for establishing policies and strategies regarding their specific risks and for the monitoring and oversight of risk management across the organisation.

Business Managers

Business managers, acting as the first line of the ‘Three Lines Model’, are responsible for the identification and management of risks associated with the achievement of the objectives in their area of activity.

Ferrovial Risk Management

The Policy is complemented by the Ferrovial Risk Management (FRM) Procedure that describes in detail the different risk components within the process (identification, evaluation, management, monitoring & reporting) and activities performed by the Group.

The risk identification and assessment, included in FRM, is a bottom-up process promoted by the Management Committee and implemented in all the company’s business areas, under the regular supervision of the Audit and Control Committee of the Board of Directors. The process is carried out twice a year.

Through the application of common metrics, the process allows risk events to be identified in advance and assessed in terms of their likelihood of occurrence and their potential impact on business objectives, including corporate reputation. In this way, the highest rated risks are prioritized in order to take the most appropriate mitigation measures according to the nature of the risk, as well as to take advantage of the opportunities that may arise from proper risk management.

The risk management process is periodically reviewed with the aim of continuous improvement. During 2025, Ferrovial launched a project to update the FRM model, including the implementation of a new GRC system. The new FRM model became fully operational for the 2026 Risk Map campaign and will further strengthen the evaluation, control, monitoring, and administration of Ferrovial’s risk framework. Furthermore, the GRC will serve as a unified platform for other areas that manage or oversee specific risks; where applicable, these domains will be integrated with the FRM.

Among the main innovations introduced in the new process, particular emphasis is placed on the inclusion of opportunities, the quantification of certain risks and opportunities, and the revision and expansion of the assessment scales. Risk management however, is embedded throughout the different processes within the group.

Risk Culture

Ferrovial promotes a strong risk management culture across all its divisions, supported by various initiatives such as periodic training on Risk Management throughout the organisation, including the Board of Directors and Non-executive Directors, and the inclusion of specific risk management metrics within senior management’s financial incentives.

Starting with the tone at the top, to further strengthen Board of Directors risk capabilities, a structured training programme delivered by highly regarded external experts has been established, providing the Board with periodic, specialised, and up-to-date sessions.

Given the seniority of Board members, these sessions focus on key risks—such as geopolitics, cybersecurity or sustainability-, fostering continuous improvement in decision-making processes and risk management. This approach ensures that Board members maintain a robust and current understanding of evolving risks, thereby enhancing the quality of oversight and supporting continuous improvement in both decision-making and risk management processes.

Additionally, and in alignment with the recent methodological enhancements and the introduction of a new risk management tool, mandatory training sessions for all business managers were conducted in February 2026. These consisted of four sessions attended by a total of 162 managers. These sessions comprehensively addressed the latest updates and reinforced fundamental principles of risk management. Furthermore, a deep-dive session was conducted with the management committee, and tailored training was delivered individually to each manager, ensuring a thorough and bespoke understanding of the revised processes and responsibilities.

Emerging Risks

The FRM process also identifies, assesses, and monitors emerging risks. In this regard, Ferrovial has launched an initiative that represents an important step forward in the proactive management of Ferrovial’s emerging risks, which will serve as a support tool in decision-making.

In March 2025, the first workshop on emerging risks brought together experts from various Ferrovial business units to identify and analyse potential risks to the company. Among the identified risks reported to BoD, the following are particularly noteworthy.

Disruptive technologies in mobility, such as vehicle automation and artificial intelligence are poised to significantly alter mobility patterns, potentially leading to decreased travel demand and reduced willingness to pay for time-saving, while the expansion of AI could lead to job losses among current commuters. To address these challenges, Ferrovial actively monitors emerging trends, performs scenario analyses, and pursues strategic partnerships to ensure resilience and adaptability.

Concerns about the sustainability of air travel, driven by its perceived negative impacts on climate change, health, and heightened environmental awareness, may result in declining air traffic demand. These shifts could initially affect business flights due to stricter sustainability policies, followed by reductions in leisure and tourism travel. Additionally, new regulations could increase operational costs and disrupt strategic plans and future business opportunities. To address these risks, continuous monitoring of trends and scenario analysis are performed for maintaining resilience.

Google Play App Store

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	11 months 29 days 23 hours 59 minutes	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category ''Advertisement''.
cookielawinfo-checkbox-analytics	11 months 29 days 23 hours 59 minutes	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category ''Analytics''.
cookielawinfo-checkbox-language	11 months 29 days 23 hours 59 minutes	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookies will remember language preferences.
cookielawinfo-checkbox-necessary	12 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
csrftoken	11 months	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
lang		This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
PHPSESSID		This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp-wpml_current_language	1 day	Used by WPML to store language settings.

Cookie	Duration	Description
_csrf		Anti Cross-site request forgery cookie.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the collection of data on high traffic sites.
_gat_gtag_UA_5784146_31	1 minute	Google Used to distinguish users.
_gat_UA-141180000-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gat_UA-20934186-10	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gat_UA-5826449-38	1 minute	Used by Google Analytics to throttle request rate
_gat_UA-58630905-1	1 minute	Used by Google Analytics to monitor the rate of requests
_gat_UA-70491628-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	2 months	Used by Google AdSense to experiment with advertising efficiency across websites using its services.
_gid	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjCachedUserAttributes	Session	This cookie stores User Attributes which are sent through the Hotjar Identify API, whenever the user is not in the sample. These attributes will only be saved if the user interacts with a Hotjar Feedback tool.
_hjClosedSurveyInvites	365 days	Hotjar cookie that is set once a visitor interacts with an External Link Survey invitation modal. It is used to ensure that the same invite does not reappear if it has already been shown.
_hjDonePolls	365 days	Hotjar cookie that is set once a visitor completes a survey using the On-site Survey widget. It is used to ensure that the same survey does not reappear if it has already been filled in.
_hjid	365 days	Hotjar cookie that is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	30 minutes	This cookie is set to let Hotjar know whether that visitor is included in the data sampling defined by your site's pageview limit.
_hjIncludedInSessionSample	30 minutes	This cookie is set to let Hotjar know whether that visitor is included in the data sampling defined by your site's daily session limit
_hjLocalStorageTest	Less than 100ms	This cookie is used to check if the Hotjar Tracking Script can use local storage. If it can, a value of 1 is set in this cookie. The data stored in_hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created.
_hjMinimizedPolls	365 days	Hotjar cookie that is set once a visitor minimizes an On-site Survey widget. It is used to ensure that the widget stays minimized when the visitor navigates through your site.
_hjRecordingLastActivity	Session	This should be found in Session storage (as opposed to cookies). This gets updated when a visitor recording starts and when data is sent through the WebSocket (the visitor performs an action that Hotjar records).
_hjShownFeedbackMessage	365 days	Hotjar cookie that is set when a visitor minimizes or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimized immediately if the visitor navigates to another page where it is set to show.
_hjTLDTest	Session	When the Hotjar script executes we try to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
_hjUserAttributesHash	Session	User Attributes sent through the Hotjar Identify API are cached for the duration of the session in order to know when an attribute has changed and needs to be updated.
_smvs	23 hours 59 minutes	Records visitor behavior data on the web. This is used for internal analysis and web optimization.
_uetsid	1 day	This is a cookie used by Microsoft Bing Ads and it is a tracking cookie. Allows you to interact with a user who has already visited our website.
_uetvid	2 weeks	Cookie installed by Google Tag Manager to store and track visits between sites.
apbct_visible_fields	Session	Prevents spam content
apbct_visible_fields_count	Session
ct_checkjs	Session	Stores dynamic variables from the browser
ct_fkp_timestamp	Session	Stores visit time
ct_pointer_data	Session	Stores dynamic variables from the browser
ct_ps_timestamp	Session	Stores visit time
ct_timezone	Session	Stores visit time
dtCookie	Session
GPS	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
lumesse_language	50 years ago	This cookie determines language of Application Process user interface (labels, interface etc.)
MR	1 week	This cookie is used to measure the use of the website for analytical purposes.
smclient	10 years	A cookie itself does not contain any information that enables to identify contacts and to recognize e.g. personal data of the website visitor. Connection to the contact card takes place in the SALESmanago system.
test_cookie	14 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.

Cookie	Duration	Description
_fbp	2 months 28 days 23 hours 59 minutes	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
everest_g_v2	1 year	The cookie is set in eversttech.net domain. The purpose of the cookie is to assign clicks to other events on the customer's website.
fr	2 months 28 days 23 hours 59 minutes	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
lms_ads	30 days	It is used to identify LinkedIn members from designated countries for advertising purposes.
mid	9 years	The cookie is set by Instagram. The cookie is used to distinguish users and to show relevant content, for better user experience and security.
MUID	1 year	Used by Microsoft as a unique identifier. The cookie is set using embedded Microsoft scripts. The purpose of this cookie is to synchronize the identifier in many different Microsoft domains to allow user tracking.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
personalization_id	2 years	This cookie is set by twitter.com. It is used to integrate the sharing features of this social network. It also stores information about how the user uses the website for tracking and targeting.
uid	1 year	This cookie is used to measure the number and behavior of website visitors anonymously. The data includes the number of visits, the average duration of the visit on the website, the pages visited, etc. in order to better understand user preferences for targeted ads.
VISITOR_INFO1_LIVE	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	Session	This cookies is set by Youtube and is used to track the views of embedded videos.

Highways

Highways Websites

Airports

Construction

Energy