2025 Universal Registration Document

3. Risk factors and risk management

This chapter is based on the work carried out by the Group's Internal Control and Risk Management departments. It presents L'Oréal's internal control environment, including the system for the preparation and processing of financial, accounting and sustainability information. It describes the risk factors pursuant to Regulation (EU) 2017/1129 of 14 June 2017 ("Prospectus Regulation III"), as well as the associated risk management policy. These risks are presented in four categories: (i) business risks, (ii) industrial and environmental risks, (iii) legal and regulatory risks, (iv) financial and market risks. The Vigilance Plan(1) is also included in this chapter.

3.1 Definition and objectives of Internal Control

3.1.1 Reference framework

For the purposes of preparing this Document and defining Internal Control, L'Oréal has used the Reference Framework and its application guide published by the French Financial Markets Authority (Autorité des marchés financiers – AMF) in January 2007 and updated on 22 July 2010.

3.1.2 Internal Control to prevent and manage risks

At L'Oréal, Internal Control is a system that applies to the Company and its consolidated subsidiaries (the "Group"), which aims at ensuring that:

  • economic and financial targets are achieved in compliance with the laws and regulations in force and the Group's Ethical Principles and standards;
  • the orientations set by General Management are followed;
  • the Group's assets and reputation are valued and protected; and
  • the Group's financial and accounting information is reliable and provides a true and fair view.

By contributing to preventing and managing risks, the Internal Control system promotes steady and sustainable industrial and economic development groupwide within a control environment that is appropriate for the Group's businesses. However, any system or process has its limitations. These result from a number of factors, including external uncertainties and malfunctions due to human or technical error.

Risk management should be based in particular on a reasonable, informed choice between the challenges to be controlled, the opportunities to be seized, the cost of risk management measures, and their effects on the occurrence and impact of the risk.

3.1.3 Continuous improvement process for the Internal Control system

In 2025, the Group maintained its efforts to improve the Internal Control system by:

  • continuing to adjust the Group matrix for the separation of tasks and the associated control environment;
  • providing new operational guides to remind employees of the Group's principles and encourage the sharing of best practices;
  • regularly adapting the reference frameworks to address new challenges;
  • updating the Fundamentals of Internal Control digital library;
  • updating the Group's digital reference framework; and
  • updating the fraud risk awareness programme.

Online training courses (anti-corruption, data security, competition, cybersecurity, personal data protection) continue to be rolled out.

The network of Internal Control managers was further strengthened worldwide through:

  • compulsory training for onboarding Internal Control managers;
  • specific training courses for each business line, to present the risks and associated control framework;
  • webchats for sharing updates on Group projects and business standards; and
  • a network of Region Internal Control managers and officers in each function and business segment.

The governance structure for the Internal Control system applies to all of the Group's activities and is based on the three levels of control shown in the diagram below:

This diagram presents the components of the internal control and risk management framework.

Permanent control:

Level 1 — Conducted by each individual employee and line management as part of their day-to-day duties:

  • Employees
  • Operational management

Level 2 — Conducted by the functional departments in their fields of expertise; they define cross-functional policies and standards and support management in implementing them:

  • Operational support functions
  • Internal control managers at entity level
  • Functional departments
  • Risk management and internal control departments

Periodic control:

Level 3 — Conducted by Audit (internal or external), which assesses how well the system is working and contributes to its improvement:

  • Internal and external audits
  • General Management
  • Board of Directors / Audit Committee