Business risks/Geographic presence and economic and political environment

| Risk identification | Risk management |
|---|---|
| L'Oréal has subsidiaries in 72 countries and develops its business activities, including Travel Retail, in an increasingly fragmented political and economic environment. L'Oréal operates mainly in North America (26.6% of sales), North Asia (22.9% of sales) and Latin America (7.4% of sales). An unsettled political and/or economic environment, notably in countries where the Group generates a significant proportion of its sales, could affect its business. This could be the result of a sharp economic slowdown due, for example, to rising geopolitical tensions, a prolonged period of inflation, international trade disputes – including changes in tariffs or protectionist measures – or sovereign debt crises. See also the "Inflation and currency risk", "Non-compliance" and "Safety of people and property" risk factors. | L'Oréal's global presence and its portfolio of 40 major international brands help to maintain a balance in sales between the Regions, product categories and distribution channels (details on sales from the Regions are presented in sections 1.1.4. and 1.1.6). The Group's geographical industrial footprint is based on it having factories in all of its Regions (see section 1.3.4.1.) and, depending on the product categories, on bringing its production sites closer to its distribution markets.<br>An Internal Geopolitical Risk Committee meets regularly to monitor these risks and the associated action plans. The Group closely monitors changes in customs duties in order to anticipate their impact and adapt its pricing, industrial and supply chain policies where necessary. The Group also keeps close watch – where applicable through the professional associations of which it is a member – on potential changes in regulations in light of heightened geopolitical uncertainty. |

Business risks/Information systems and cybersecurity

| Risk identification | Risk management |
|---|---|
| In a context of digital transformation and constant development of information technologies and their uses, and given L'Oréal's ambition to lead on Beauty Tech, the Group's business activities, expertise and, more generally, its relations with all stakeholders in its social and economic environment, depend on an increasingly virtual and digital operation. Information systems transformation is necessary to streamline, harmonise, simplify and upgrade systems. As a result, the malfunction or shutdown of these systems, the leakage, theft, misuse or destruction of data for exogenous or endogenous reasons (including cyberattacks, hacks, etc.) internally or at a third party of the Group could have a material impact on the Group's business activities, performance and reputation. This risk is amplified by the growing complexity inherent in the accessible use of AI and by increasingly sophisticated cyberattacks, which are mainly motivated by financial gain and can be exacerbated by political and geopolitical upheaval. | The IT Department has implemented strict security rules for infrastructures, devices and applications. The information systems transformation process is monitored at the highest level, and any impacts duly planned for, for example in terms of inventory and flow management. To adapt to the development of new ways of communication and collaboration, L'Oréal has introduced an Information and Communication Technologies Charter. In order to tackle the issue of an increasing number of cyber threats, L'Oréal continuously reinforces its level of cybersecurity using a risk-based management approach. A multi-year plan was drawn up with the aim of reducing the level of risk from cyber threats and strengthening the maturity of risk management. This plan includes, in particular, anti-intrusion solutions, regular red teaming and penetration tests, an information system security audit programme, the protection of sensitive assets and global supervision to detect malicious activities. L'Oréal constantly adapts its cybersecurity risk management to changes in the cyber threat landscape, in particular by investing in prevention, protection, detection and response capabilities, while regularly monitoring the effectiveness of the measures in place. The Group is increasingly investing in incident detection and reaction systems and regularly reviews the effectiveness of these solutions. An online training programme for cybersecurity best practices is available for all eligible employees (54,118 employees have completed the "Join the next Shield!" programme, i.e., 90% of eligible employees). Specific training programmes are also available for other employees. In addition to regular communication throughout the year, the Group conducts an annual worldwide awareness-raising campaign, Cyberweek. Management of risks related to data is described in the "Data" risk section. |