Risk management

A business must take risks to create value. Having a risk management assessment in place allows a company to take risks in a managed and controlled manner. Strategic, operational, financial, and reputational risks are made manageable by carefully weighing risks and returns against each other. Effective risk management is integrated into our daily operations.

Q-Park deploys a top-down risk management assessment in which strategic risk management is executed at corporate level. Responsibility for operational risk management lies primarily with local country management. The Management Board and key management bear ultimate responsibility for managing the risks the Group faces.

Risk management and internal control

Ongoing identification and assessment of risks is part of our governance and periodic business review. Our Enterprise Risk Management (ERM) assessment and Compliance Programme are designed to provide management with an understanding of the key business risks. These also provide methods and processes to manage risks that might hamper the business in delivering on our strategy.

Q-Park is averse to the risk of non-compliance with relevant laws and regulations, our own codes, contractual agreements and financial covenants. As legislation and other formal guidelines cover various functional areas and can be very extensive, and even country specific, we manage compliance in a structured way, ensuring:

  • The tone at the top regarding the importance of compliance.

  • That actions per risk control cycle step are executed based on a clearly defined plan with clear roles and responsibilities.

  • That implementing relevant legislation and internal guidelines within the organisation is assured.

The Management Board and key management periodically review the risks and related mitigation controls and procedures of the ERM assessment and reconsider the priorities identified. Furthermore, they provide complementary insights into existing and emerging risks that are subsequently included in the policy. The ERM assessment determines the controls and procedures, as well as the focus of business planning and performance process.

In 2025, the most significant developments in our risk priorities were:

  • We continued to closely monitor our financial structure and broader economic developments. In this context, we completed a new bond issuance and prepared for refinancing the Notes maturing in 2027. This refinancing was successfully finalised in January 2026, extending our next major refinancing event to 2029.

  • We further implemented our information security programme, addressing the people, process and technology dimensions to enhance our information security maturity. After consolidating our ICT infrastructure (hosting platform, connectivity platform, end-user equipment), ICT organisation and related processes, we have shifted our focus towards cyber resilience, without losing the protect and identify capabilities. As part of this approach, we identified three priority tracks which we rolled out and which we will continue to pursue in 2026:

    • Detect and respond: Enhancing detection tooling and extending our continuous monitoring of the Q-Park ICT landscape, and reducing the time it takes to detect security incidents.

    • Segmentation: Enabling effective containment of security incidents at the level of individual assets or small groups of assets in the event of a security incident (e.g. malware infection).

    • Attack surface management: Reducing external and internal attack surfaces and improving risk management for our online presence.

Risk appetite

Factors determining our risk appetite include the international footprint of the business, the robustness of the balance sheet, long-term contract duration, strength of cash flows, and our commitment to conservative financial management. Our risk appetite varies per objective and risk category:

  • Strategic: Taking strategic risks is an inherent part of how we do business. In pursuing growth as a strategic ambition, we are prepared to take risks in a responsible way, taking account of our stakeholders' interests.

  • Operational: Depending on the type of operational risk, we take a cautious to averse approach. We give the highest priority to ensuring the safety of our employees and customers, to delivering the desired level of service, and to protecting the Group's reputation.

  • Financial: We pursue a conservative financial strategy, including a balanced combination of self-insurance and commercial insurance coverage.

  • Compliance: We are averse to the risk of non-compliance with relevant laws or regulations (e.g. GDPR), or non-compliance with internal codes, contractual agreements, and financial covenants. We continuously monitor relevant areas of compliance and intervene where necessary.

  • Fraudulent and unethical behaviour: We are committed to acting with honesty, integrity, and respect. We apply a zero-tolerance policy to fraudulent behaviour. Fraud awareness and anti-corruption, compliance and integrity training are key priorities within our Ethics & Integrity compliance framework.

Main risks

The following risk overview highlights the main risks which might prevent us from achieving our strategic, operational, and financial objectives. This list is not exhaustive, and there may be additional risks that do not constitute a direct threat in the short term, that management deems immaterial, or that are otherwise common to most companies in the parking sector. However, additional unmentioned risks could at some time have a material adverse effect on our financial position, results, operations, or liquidity.

Strategic

Risk description

Q-Park risk management measures

Regulatory changes

National or local governments could implement measures which could potentially be unfavourable to the parking sector (e.g. introducing low-emission zones, electric vehicle charging requirements, banning traffic within inner-city boundaries and implementing reduced parking fees in designated areas).

  • Play an active role in our industry associations, such as Vexpan and EPA.

  • Create sufficient presence in cities and regions to have a seat at the table and cooperate with governments, NGOs, and businesses on mobility needs.

  • Ensure geographic diversification of Q-Park's portfolio in the different countries but also within cities to avoid large dependencies on specific regions or locations.

  • Invest extensively in online platforms and value-added services to become a proactive business partner for local authorities and to help them develop sustainable mobility solutions.

  • Invest in electric vehicle charging solutions to respond to the growing demand for additional inner-city EV charging facilities.

Economic environment

Factors that potentially influence parking revenues (prices and/or mobility) include pressure from the general public and retailers, political changes, high inflation or a material decrease in GDP. Lower parking revenues could significantly impact Q-Park’s profitability and cash flows, particularly in situations where lower parking prices will not result in more transactions.

  • Cooperate with governments, NGOs, and other businesses on mobility solutions.

  • Highlight the relevance of regulated and paid parking to society through clear communication via a variety of channels.

  • Maintain commercial functions that analyse different tariff schemes, simulate the effects of changes, and align prices with the local circumstances and market situations.

  • Strengthen our commercial, customer, and market intelligence organisation by establishing Group-wide teams and actively sharing knowledge and experiences.

Competitive environment and economic conditions

The parking market (new business) is characterised by competition between a relatively limited number of primarily established players. In addition, technology is used increasingly in the parking market, resulting in new competitors.

  • Ensure geographic diversification with sufficient presence in different regions and cities to ensure operational efficiency and competitiveness in tenders.

  • Offer a variety of (long-term) business propositions ranging from full ownership to ground leases, concessions and/or lease contracts.

  • Invest in Q-Park's digital transformation to meet customer needs with up-to-date technology that provides efficient access and payment solutions (i.e. pre-booking propositions and the Q-Park App).

  • Closely monitor developments in digital solutions created by existing and new competitors.

  • Invest in offering other or additional services to our customers such as EV charging or leasing excess space/capacity in our facilities to third parties.

  • Invest in business development teams and knowledge to deliver business proposals in line with market requirements and needs.

Dependency on other businesses and local developments

Car parking is an indirect service which depends on external factors (e.g. offices, shopping centres, leisure amenities). New customer behaviour (e.g. online shopping, working from home) or changes in the popularity of certain stores, locations or areas pose a risk of a decrease in parking demand and, hence, a decrease in Q-Park’s business and revenue.

  • Maintain geographic diversification of Q-Park's portfolio and a further spread across multiple indirect markets and attractive cities.

  • Manage a portfolio with focus on strategic locations (i.e. healthcare or travel) and/or multifunctional locations instead of monofunctional locations.

  • Adapt products to changing market demands (i.e. by offering more flexibility and new digital products such as our pre-booking propositions and the Q-Park App).

  • Invest in offering other or additional services to our customers such as EV charging or leasing of excess space/capacity in our facilities.

Operational

Risk description

Risk management measures

Pandemic outbreaks

A pandemic outbreak in combination with government measures that restrict mobility of people can significantly impact our business and financial results as we are dependent on the availability and accessibility of the amenities in the vicinity of our parking facilities.

  • Ensure geographic and contractual diversification of Q-Park's portfolio.

  • Manage a portfolio with focus on large multifunctional locations instead of monofunctional locations.

  • Maintain a healthy and solid liquidity position to be able to absorb a temporary loss of income and related cash flow.

  • Apply a high standard of health and safety measures in our parking facilities to provide customers and employees a safe parking experience under all circumstances.

Safety and liability

The safety of our customers and employees is a top priority. If an employee or a customer sustains injury while at work or while visiting one of the Q-Park parking facilities, this could also impact our reputation.

  • Adhere to health and safety procedures relating to employees and customers.

  • Periodic inspection of parking facilities to monitor and assess maintenance condition.

  • Invest in maintenance and security tools (i.e. CCTV monitoring) to ensure clean and safe parking facilities with proper instructions for visitors.

  • Encourage non-cash payments and outsourcing cash handling to specialised third parties to reduce risks of theft.

  • Report and monitor incidents and provide training and development programmes focusing on personal safety and safety measures in and around our parking facilities.

Dependency risks, interruptions, and business continuity

Continuity of the Company and its business is crucial and depends on a number of factors, including suppliers. We are potentially vulnerable to Parking Management Systems (PMS), ICT, and infrastructure which are mainly provided by third-party suppliers.

  • Business continuity and data recovery are crucial components of our Information Security Programme.

  • Use different systems from independent suppliers where operational efficiency is one of the key objectives.

  • Conduct preventive maintenance and conclude service level agreements (SLAs) with suppliers to ensure corrective interventions within agreed time frames.

  • Connect parking facilities to the Q-Park Control Room (QCR) to assist in the event of business interruptions and operate a 24/7 service desk.

Staffing and retention

Good, experienced, and knowledgeable people are the foundation of our Company and its success. The Group must ensure that it is able to employ and retain the right people.

  • Continuously work on employer branding in the job market and have competitive employment conditions.

  • Develop training and development opportunities for employees.

  • Maintain a system for performance measurement and annual reviews.

Anti-corruption, compliance and integrity

Anti-corruption, compliance and integrity are important conditions for confidence in the Company. Behaviour deemed to be unethical could lead to loss of revenue and reputation.

  • Maintain an anti-corruption, compliance and integrity policy including a whistleblower policy in line with the EU whistleblower directive and organise periodic training sessions to ensure awareness and have proper systems in place to detect irregularities.

  • Ensure that the Management Board and key management demonstrate tone at the top.

  • Apply a zero-tolerance policy.

Financial

Risk description

Risk management measures

Valuation of fixed assets and goodwill

The Company owns a considerable amount of property and goodwill. If the economic climate deteriorates this could result in a permanent reduction in the value of assets. If potential impairment indicators are not identified, determined, or communicated in a timely fashion, the Company could incur reputational and financial damage.

  • Evaluate the existence of impairment indicators annually.

  • Monitor performance against prior periods and budgets to identify risk areas for potential impairments.

  • Employ an independent valuation expert to conduct periodic valuations when necessary.

Financing

Given that the nature of the business is capital-intensive, access to external financing is crucial for continuity. A liquidity risk could arise if external financing is not available to the Company when refinancing is required.

  • Continually monitor financial covenants and other relevant KPIs.

  • Proactively consult with our external debt providers to discuss the ongoing business, strategy, results, and financing needs.

  • Periodically evaluate the appropriateness of the financing structure and adjust if needed.

Interest rate risks

The external debts can be subject to variable interest rates, thereby exposing the Company to fluctuations in interest rates. A significant increase in variable interest rates would have a negative impact on results.

  • Include a mix of fixed and variable interest rates for financing operations, combined with interest rate instruments if needed.

  • Adopt an interest rate policy in which at least 70% of the variable rated debt is covered by interest rate derivatives (interest rate swaps and interest caps).

Currency risk

The Company's functional currency is the euro. Given that the Group also operates in the United Kingdom and Denmark, we are exposed to fluctuations in the GBP and DKK exchange rates.

  • Monitor and report periodically on currency risk exposure.

  • Optimise currency risk through natural hedges (i.e. revenue and costs in the same local currencies, external debt in foreign currency) which reduces the risk on the net cash flow from these operations.

  • Manage a centralised cash pool overlay in which an excess or shortage of GBP or DKK can be effectively managed and translated with our EUR accounts.

Compliance and reporting

Risk description

Risk management measures

Financial statement does not give a true and fair view

If misstatements are made such that the financial statements do not give a true and fair view of the Company's financial position, financial performance, and cash flows, users of the financial statements would be incorrectly informed.

  • Maintain common and consistent accounting policies, reporting processes, and standard chart of accounts.

  • Monitor critical access and segregation of duties and perform compensating controls if necessary.

  • Periodic audits on both consolidated and local statutory financial statements.

  • Actively involve relevant stakeholders.

ICT and information security

Given the increasing use of online communication and the professionalism of cybercriminals, the Group must focus constantly on continuity of ICT systems and on ensuring the security of crucial information and sensitive customer data (e.g. payment card details, passwords). A successful attack or hack by cybercriminals could cause reputational and financial damage and impact business continuity.

  • Implement the Q-Park Information Security Programme based on a Cybersecurity Maturity Assessment and execute it within a formal governance structure. Key components of this programme include:

    • Conducting periodic reviews and updates to the programme to remain aligned to emerging developments and potential new risks and threats.

    • Embedding and monitoring our information security policies to secure data confidentiality and integrity, including continuity measures in conjunction with outsourcing partners.

    • Enhancing user awareness and behaviour to reduce cybersecurity risks by offering training programmes to our employees.

    • Proactively managing ICT Asset risks.

    • Continuously improving our incident response, disaster recovery and business continuity processes.

    • Ensuring compliance with common standards such as PCI DSS, GDPR and ISO 27001.

    • Using automation and artificial intelligence (AI) to automate handling of security incidents.

    • Centralising ICT systems so we can enforce security measures centrally.

    • Continually improving our Secure Software Development Life Cycle programme for our applications in collaboration with our main supplier.

  • Our CISO (Chief Information Security Officer) coordinates the execution of the Information Security Programme and manages the cybersecurity risks.

Non-compliance with European and national laws

Changes in the legal and regulatory environment tend to increase the risk of non-compliance with local, national, and international laws and regulations, as well as tax legislation. Failure to comply with applicable regulations could lead to fines, claims, and reputational damage.

  • Have corporate functions in place to monitor local risks and challenges from a Group perspective (e.g. compliance, tax, finance, and legal).

  • Involve external specialists where necessary to analyse impact, risks and actions needed on regulatory changes.

  • As GDPR is a key priority within information security, we closely monitor GDPR legislation and specifically when related to data exchange with non-EU companies.