Digital Services Act 2025 - Report on the results of the Systemic RiskAssessment and Mitigation Measures conductedby Booking.com B.V. under the Digital Services Act Table of Contents Introduction.................................................................................................................................................. 2 Section 1 - Report on DSA Risk Assessment...................................................................................... 4 Section 2 - Methodology...........................................................................................................................6 Section 3 - Booking.com’s External Stakeholder Engagement....................................................... 9 Section 4 - Mitigation Measures........................................................................................................... 10 Section 5 - “Results”................................................................................................................................11 Tier 1.................................................................................................................................................................. 14 Tier 2.................................................................................................................................................................. 14 Tier 3.................................................................................................................................................................. 27 Risks that are not present on / stemming from the Booking.com platform................................ 36 Conclusion..................................................................................................................................................37 Annex - Summary table of existing and new mitigation measures.............................................39 1 Introduction At Booking.com, our mission is to make it easier for everyone to experience the world. Webelieve that travel can bring out the best in humanity. Travel promotes a better understandingof different cultures and ways of life. We also believe in and work towards making travel aforce for good in the world - one that enriches people’s lives through a range of experiences,big and small. As a travel platform, the core of our activities is to facilitate travel experiencescentred on our customers and underpinned by our values. Our long-held values as well as our guidelines and terms and conditions for all users of ourplatform - travellers and supply partners - are designed to foster safe and welcoming travelexperiences for all. ❖ Travel Respectfully (Act with Integrity) \- We expect our employees, customers andpartners to treat each other with respect. We prohibit any form of harassment,discrimination, hate speech, manipulation, physical violence or any other threatening orabusive behaviour. Additionally, we expect our supply partners and travellers toconduct business on our platform in an honest and professional manner, to notmisrepresent themselves and to respect agreements that are made with each other. ❖ Travel Safely \- The safety (physical and otherwise) of our travellers, supply partnersand employees is our priority. Users of our platform may not engage in or promote anyactivities that bring harm to any person, and our terms and conditions limit the use ofour platform to those over the age of 18. ❖ Travel Confidently \- We are committed to providing an excellent user experience foreverybody who uses our travel services. That means that we take user privacy seriouslyand are committed to protecting and safeguarding user privacy in accordance with our Privacy and Cookie Statement and applicable laws. We are dedicated to ensuring that our online environment is trusted and secure. We exercise vigilance to ensure that weiterate our processes and controls to address emerging challenges and risks and do soin real time. Keeping data provided on our platform safe and secure is important to us.Booking.com therefore protects users’ personal data in line with applicable laws,including the GDPR. 2 At Booking.com, we believe that the importance of the travel industry as a powerful globaleconomic driver cannot be viewed separately from our responsibility to ensure there is a worldworth experiencing for future generations. Our environmental, social, and governance (ESG)initiatives, processes and principles demonstrate our continued emphasis on being asustainable and ethical global business. We are committed to respecting human rights wherever we do business. As one of the world’sleading online travel companies, we seek to avoid infringing on the rights of others and work toaddress adverse human rights impacts of our business and the travel sector. Our commitment to respect and promote human rights, as reflected in our Human Rights Statement, is based on internationally recognized standards and principles, including the United Nations (UN) GuidingPrinciples on Business and Human Rights. We also take our regulatory obligations seriously. We dedicate significant resources tocomplying with applicable new and existing regulations, including the EU’s Digital Services Act(DSA). At Booking.com we measure success not only by the value that we create for our company butby the positive impact we create for all - our employees, customers, partners, communities,other stakeholders, shareholders and governments. This report contains the findings of our 2025 risk assessment and the related mitigationmeasures put in place following our previous risk assessments, as required by the DSA. 3 Section 1 - Report on DSA Risk Assessment The DSA requires that “very large online platforms” (VLOPs) conduct annual risk assessmentsto determine if and how their services (or the use of their services) may pose systemic risks toEU citizens. The Booking.com online platform (“Booking.com” or the “platform”) wasdesignated a VLOP under the DSA, and this is our 2025 report setting out the results of ourassessment. The assessment was conducted over a five-month period with a range of internal and externalstakeholder groups and in collaboration with advisors and consultants, including BSR, a globalnon-profit sustainable business network and consultancy. Together, we leveraged diversity ofthought and expertise to assess the range of risk categories outlined in the DSA as well as theexperiences and realities of our business environment. Our process included convening focusgroup discussions with key stakeholders across our organisation (including: Engineering,Compliance \& Ethics, Data Privacy \& Security, Legal \& Public Affairs, Trust and Safety,Consumer Regulatory and Machine Learning / AI, and others). Additionally, we analysed theeffectiveness of the risk mitigation measures that we deploy across the platform. Most of thesehave been developed over many years of experience managing risk on the platform; but wehave also introduced new safety measures as part of our compliance with the DSA, and inresponse to our prior risk assessments. This assessment builds on a body of work and culture of responsibility that has long been apart of Booking.com, including our 2023 and 2024 DSA risk assessments. Our expectations forourselves and our partners are published in a number of public-facing resources. Ourcommitment to respecting and promoting human rights wherever we do business is reflected in our Human Rights Statement \- the result of an assessment supported by business and human rights experts of human rights risks throughout our value chain. We have also outlinedsteps we are taking with respect to the risk of human trafficking and modern slavery in our Modern Slavery Statement. Our commitments to ethics, ESG and sustainability, privacy, fair competition, and other core values can be found in our Code of Conduct, Supplier Code of Conduct, Climate Action Plan, Privacy Statement, Content Standards \& Guidelines, Sustainability Report and our Accessibility Statement \- inviting those who do business with us to share our commitment to absolute integrity and adhere to the highest ethical standards,applicable laws and our own requirements for fostering safe and inclusive travel experiences. This risk assessment report has been prepared under the supervision of the Head of the DSACompliance Function, and reviewed and approved by the company’s Management Body. 4 Consistent with our previous systemic risk assessments, our 2025 assessment shows that thedesign and functioning of Booking.com does not pose significant systemic risks to EUcitizens because of the nature of our service and our history of continuously assessing andmitigating risks to society. That is largely because: 1. We are a transaction-focused platform and not a user-generated content-focusedplatform. Our platform connects travellers (those who make travel reservations via ourplatform) with memorable destinations and trips. Our travellers do not use Booking.comto access news, share strong opinions or influence the behaviour of others (outside oftheir travel experiences), or post high risk or harmful user-generated content. Inaddition, we do not derive our core revenues from ad products that require user leveltargeting. As such, the likelihood of illegal content appearing on our platform islimited and the possibility of such content (were it to occur) spreading “rapidly andwidely through accounts with a particularly wide reach or other means ofamplification” is even more limited (see, Recital 80 of the DSA). 2. We only allow partners that offer travel services on our platform (“supply partners”)and travellers (together, “users”) to upload a limited range of content, and suchcontent is confined to specific areas of the service (like guest reviews foraccommodation properties). We do not provide a personalised user-specific homepagewith user-generated content or news feed where people continuously post broadranges of content types. Where travellers or supply partners do upload their owncontent (e.g., property reviews or content related to the property listings), it mustcomply with our policies and content moderation processes, which prohibit abusive,discriminatory or otherwise harmful content. As such, our platform is unlikely to beused (or even usable) in ways that contribute to “negative effects on democraticprocesses, civic discourse and electoral processes, as well as public security” (see,Recital 82 of the DSA). 3. Our travellers spend their time on Booking.com in a focused and targeted way: tosearch and seamlessly book travel experiences. Our services are not designed to be“binged”, lead to addictive consumption of content and do not organically carry thatkind of allure. The nature of our service (as described above) materially limits thepossibility of the platform being used for “coordinated disinformation campaignsrelated to public health, or in ways that stimulate behavioural addictions ofrecipients of the service” (see, Recital 83 of the DSA). 5 4. Our platform is generally not for use by or of a nature that attracts minors. Theterms and conditions governing the service we provide to users based in the EU limitthe use of our platform to those over the age of 18, and the type of content on ourplatform is not generally associated with minors or direct harm to minors. 5. Where other risks to society may occur (e.g., cyber fraud, phishing, etc.), they stemlargely from abuse or inauthentic use of the service (as opposed to the nature anddesign of the service) that is not in line with our published terms and conditions.These risks are inherent to the digital landscape and generally affect all websites andplatforms, irrespective of scale. On the basis of our assessment, we believe that ourplatform and services pose only low such other risks to society. Our internal processesand controls are generally effective at addressing these risks, and the impacts (shouldsuch risks materialise) are generally remediable. 6. We continue to develop our platform safety features, including as part of ourcompliance with the DSA. This includes the refinement of existing content moderationpolicies and processes, enhanced data gathering and detailed risk monitoring. As noted above and with reference to our values, human rights commitments, and Code ofConduct, we are constantly working to enhance the experience and safety of our travellers andsupply partners. The results of this risk assessment have informed some of our ongoing effortsto ensure the safety and integrity of our platform. Importantly, where necessary, we haveadopted or are in the process of adopting specific measures, in addition to the many existingsafety features and functions we operate, to further mitigate the risks identified. Section 2 - Methodology The DSA requires that we assess the impact of Booking.com in four key risk areas: 1. illegal content; 2. the exercise of fundamental rights; 3. civic discourse, electoral processes, public security; and 4. gender-based violence, physical and mental well-being. 6 We employed a human rights based approach to conduct the systemic risk assessment,grounded in the widely accepted methodology of human rights due diligence under the UNGuiding Principles on Business and Human Rights, which offers an authoritative and trustedmethodological framework and thus enabled us to: 1. achieve compliance with both the intent and letter of the DSA; 2. achieve a higher quality assessment through the use of a tested and provenmethodology; and 3. draw from Booking.com’s broader human rights due diligence activities and experience,including leveraging targeted consultations with external stakeholders in higherseverity risk areas, such as human trafficking and discrimination (see section 3 forfurther information on these consultations). We conducted our assessment taking the following steps: First, we took into account the severity of these risks by reference to three key factors: 1. Scope: this refers to the number of our users (or other people) who could be affected bythe risk. 2. Scale: this refers to the gravity and significance of the impact as experienced by anyindividual affected person. 3. Remediability: this refers to any limits on the ability to put those affected back in thesituation they were in before the impact. Second, we assessed the probability of each risk materialising (more likely than not), i.e., withrespect to any population of people or to a specific individual. For example, the risk thatdiscriminatory content could be visible to any user or a specific individual towards whom thecomment or content may be targeted. Last, we determined a combined risk weighting taking into account the severity of each risk andthe probability of occurrence. Importantly, our methodology gives severity three times the weight of probability in our assessment of the risk.1 This is aligned with international human 1 The methodology for scoring risks in the systemic risk assessments draws inspiration from the UN Guiding Principles on Businessand Human Rights (UNGPs) which require companies to think about risks based on the criteria of severity (which comprises scope,scale and remediability) and likelihood. The Interpretative Guide to the UNGPs provides that while all four criteria are relevant, “inthe context of risks to human rights, the severity of actual or potential risks must be the dominant factor”. The EU’s Corporate Sustainability Reporting Directive requires impacts to be considered as “principal impacts” based on their scope, scale andremediability, rather than its likelihood. On that basis, we have given severity a greater weight than likelihood when scoring theoverall risk level for a particular risk statement. 7 rights standards and approaches and ensures that even if the probability of a risk materialisingis low, the risk may nonetheless be given more weight depending on the severity of the impacton the affected individuals. We assessed the risks that Booking.com may pose to EU citizens by analysing a number of riskscenarios designed to give us broad and comprehensive coverage of the areas required by theDSA. We applied our methodology to each risk statement, and have grouped the results intothree tiers in descending order of significance - with significance being a combination ofseverity (the scope of how many people may be affected, the seriousness of any impact andthe degree of remediability), and probability (likelihood of the risk materialising). In assessingthe severity and probability of the systemic risks identified, we took into account the risk factorslisted in Article 34.2 of the DSA, considering their relevance and to what extent they increasedand/or reduced the risk. As noted above, we have weighed the severity of impact three timesmore than probability. As such, the tiering below is primarily driven by the severity (and of that,remediability in particular) of a potential adverse impact and not just by the likelihood orprobability (or lack thereof) that the adverse impact will materialise. Tier 1 consists of risks where we assess the nature of an adverse impact as high (factoringseverity, scope and probability); with high impacts being those where it is either not possible orit would be particularly challenging to fully remediate the impact. Tier 2 consists of risks where we assess the nature of an adverse impact (factoring severity,scope and probability) as moderate; with moderate impacts being those where the impact canbe remediated to a significant degree with only minimal residual impact. Tier 3 consists of risks where we assess the nature of an adverse impact (factoring severity,scope and probability) as low; with low impacts being those where the impact can be fullyremediated with no measurable residual impact. Further, we considered how the mitigation measures we put in place as a result of our 2023and 2024 risk assessment, and the risk and safety mitigation systems and processes wealready have put in place (developed and honed over more than 25 years running our platform)might impact the potential risks identified. We also took into consideration any impact thatthese mitigation measures would have on other fundamental rights (e.g., the potential impactof a mitigation measure on freedom of speech or expression). 8 Section 3 - Booking.com’s External Stakeholder Engagement Even prior to the enactment of the DSA, and as part of its continuous improvement ideology,Booking.com has long valued external stakeholder engagement to inform its understanding ofrisks affecting the service. This ongoing stakeholder engagement is also used to inform thedevelopment of the systemic risk assessments required by the DSA. As noted in the previous section of this report, a key source of expertise used in thedevelopment of the systemic risk assessments was BSR, with whom Booking.com workedclosely to complete those assessments. BSR is a sustainable business network andconsultancy which has worked with technology companies for over twenty years to supportefforts to ensure respect for human rights, including through undertaking risk assessments thatallow companies to identify and mitigate potential risks to people connected to onlineplatforms. Over the last number of years, Booking.com regularly drew upon BSR’s expertise onrisks connected to online platforms generally, utilizing BSR’s extensive experience and ownstakeholder engagement on technology and human rights. We periodically engage with a range of stakeholders to help understand and identify potentialharms and risks, and consider how they can be mitigated. This engagement takes a range offorms, including online surveys, written submissions, interviews, roundtables, and focusgroups. Booking.com team members also regularly engage in external events, conferences,meetings and other forums in order to remain abreast of developments relevant to mitigation,prevention and remedy efforts. In the last twelve months, Booking.com has also undertaken focused stakeholder engagementto better understand some of the key risks that were prioritised in the 2024 systemic riskassessment, namely risks of human trafficking and discrimination connected to use of theplatform. Stakeholders engaged in these assessments included platform users, human rightsorganizations, LGBTQ+ organizations, anti-trafficking organizations, hotel/travel/tourismentities, and national partnerships focused on equality, sexual harassment, and abuse. Thesein-depth engagements provided critical insights and helped inform our systemic riskassessments in 2025, as well as our broader efforts to tackle potential adverse human rightsimpacts in line with our alignment with the UN Guiding Principles on Business and HumanRights. 9 Section 4 - Mitigation Measures To address risks identified, the DSA provides that VLOPs must put in place reasonable,proportionate and effective mitigation measures. Our approach to mitigating risks under the DSA is iterative and continuous. We monitorongoing changes throughout the year, ensuring our mitigation plan remains relevant andeffective in an ever-changing product and market environment. We believe this approachaligns with the systemic risk management principles outlined in the DSA and contributes to theeffectiveness of the plan by aligning DSA objectives with company processes. The DSACompliance Function collaborates closely with key stakeholder groups in our organisation(including Trust and Safety, Content Integrity, Data Privacy and others) to leverage theirknowledge and expertise in designing and implementing appropriate measures to addressrisks relevant to our business environment. We also track completion of measures that havebeen agreed upon throughout the year. In the last 12 months, measures were introduced and implemented following our 2023 and2024 risk assessments. These efforts have strengthened our ability to protectively addressand mitigate risks identified in the assessments. Some of the key measures include: 1. Expanded Training and Guidance: We have expanded our internal training andguidance programs. For example, comprehensive training sessions and detailedoperational runbooks have been provided to relevant teams, enhancing theircapabilities in proactive identification and mandatory reporting of potential instances ofhuman trafficking and other abusive behaviors on the platform. This ensures aconsistent and timely response to critical safety issues. 2. Continued Collaboration: We continue to work with expert groups to inform ourunderstanding of identified risks impacting fundamental rights. For example, we workwith Stop the Trafik, It’s a Penalty, Unseen, Tech against Trafficking and Polaris to gaininsights into human trafficking which in turn informs our strategies for detection andprevention. In the last 12 months, we have explored collaboration opportunities forindustry-wide risk mitigations and standards; we have worked with experts tounderstand emerging risks; we have conducted internal trainings on topics to deepenour understanding of different facets of a complex risk; we have added more resourcesaccessible to partners and travellers to report risks; and we have provided trainings and 10 educational resources to our partners to raise awareness of this risk. Booking.combenefits from invaluable expert consultation and actionable insights, which are directlyapplied to enhance our prevention strategies, strengthen internal training programs,and align our service with industry best practices. 3. Improvement to Fraud Processes: We update and adapt our processes to counteractand detect bad actors on the platform. We regularly update our fraud detection rulesand policies to swiftly adapt to and counteract evolving fraud patterns. We enhancedour policies and resource allocation, notably with the addition of specialized personneldedicated to fraud detection. Furthermore, we have restructured our assessmentprocess for marketing fraud, leading to more efficient and effective identification andmitigation. 4. Policies and Procedures: We have updated some of our policies and procedures,including the improvement of our anti-discrimination clause within the General DeliveryTerms (GDTs), scheduled for Q4 2025, reinforcing our commitment to equitabletreatment for our users. Additionally, we successfully adopted and published ourAccessibility Statement in June 2025, which formalizes our dedication to ensuring ourplatform is usable for individuals with disabilities. For a comprehensive overview of mitigation measures for each identified risk, please refer to the Annex. Section 5 - “Results” The results of our assessment (reflected in Figures 1 and 2 below) indicate that the design andfunctioning of Booking.com does not pose significant risks to EU citizens. This is consistent withour findings from 2023 and 2024. Four risks have seen a reduction in probability of materialising. This is for a range of reasons,including: the increasing availability of data regarding content moderation and trust and safetyactivities; our DSA compliance efforts; and enhanced efforts in governance and riskmanagement. We adopted a conservative approach and assumed that instances of certain risks may bepresent on the platform if external data (including insights from BSR) suggests a certain level 11 of severity or likelihood, even if we have not yet encountered them. This methodology seeks toensure that no risks connected to the platform are under-appreciated. The probability of the below risks was reduced based on our analysis of content whichrevealed no evidence that this type of content was available on our platform in the last 12months. ● The risk that child sexual abuse material and other illegal content relating to childsexual exploitation may be available on the platform; ● The risk that terrorist content may be available on the platform; ● The risk that content on the platform constitutes illegal defamation; ● The risk that the platform is used for the sharing of illegal non-consensual privateimages. As we seek to obtain more granular data relating to our systems, and deploy more rigorousmethods for assessing (and mitigating) risk on the platform, we have also observed someincrease in the probability scores for certain risks, primarily due to the integration of new AImodels and an increased volume of data requests. For these risks, the increase in probabilityhas not led to an overall increase in risk-tiering. As identified above, our methodology balancesany increased probability with the severity of each risk (the scope of how many people may beaffected, the seriousness of any impact and the degree of remediability) - with severity giventhree times the weight of probability. We remain vigilant when it comes to monitoring andassessing how these risks develop. The two impacted risk areas with increased probabilityscores are: ● The risk that the platform and its algorithms (including recommender systems) may usepersonal data in a way that could result in unjustified discrimination(non-discrimination) ● The risk of unnecessary or disproportionate government data requests (protection ofpersonal data) Nonetheless, ours is a culture of learning and continuous improvement. We routinely useinformation and experience gleaned from our business and our interactions with internal andexternal stakeholders to build on and improve our products and services. Our DSA riskassessment will continue to inform our DSA compliance journey as well as the ongoing stepswe take to mitigate the risks discussed below. 12 Figure 1 - Results of the 2025 risk assessment Figure 2 - Comparison of 2024 and 2025 risk assessment 13 Figure 3 - Description of risks Tier 1 Our 2025 assessment did not identify any risks as Tier 1. Tier 2 Illegal content Risk of abuse or misuse of service by publishing of listings for fraudulent purposes (contentrelating to illegal activities) Fraudsters or purported service providers may try to exploit our platform for improperpurposes. This could include publishing non-existent properties listed for the purpose ofextracting fraudulent payments or obtaining traveller details for illicit purposes, or listingproperties without the owner’s consent. This risk may be greater where payment is handleddirectly by the supply partner. Our standard terms and conditions for our supply partners are designed to ensure that theycomply with relevant legal obligations at a minimum. We have extensive content moderation 14 practices and processes designed to identify and remove content within a listing that is likely tomislead, deceive or confuse our travellers. Furthermore, we utilise human and artificialintelligence to monitor offerings on our platform and to safeguard its integrity againstfraudulent actors. Our customer service representatives help to further detect fraudulentbehaviour and mitigate any negative impacts on travellers To combat risks associated where payments are handled by supply partners, we deployautomated systems to detect and prevent malicious messages being sent via ourpartner-to-guest messaging channels. We also conduct risk-based due diligence on our supplypartners including having verification methods in place aimed at verifying the location ofproperties and utilising AI models to identify fraudulent properties. In addition, over the past twelve months, Booking.com has improved its fraud combattingcapabilities through enhancements in processes, policies and resources. Key initiatives includeupdating our fraud detection rules to counter evolving fraud patterns, restructuring ourassessment process for marketing fraud, and adding new fraud detection specialist personnel.We also launched a new moderation process for car rental reviews and removed self-sign-upfunctionality for small-scale affiliates (for e.g. influencers) in an effort to reduce marketingfraud. Our assessment shows that, despite these efforts, the risk that fraudsters or purported serviceproviders may try to exploit our platform for improper purposes remains. It is important to notethat the external threat landscape is evolving, particularly with the emergence of newAI-driven tools that fraudsters are increasingly exploiting. As a result, the inherent (or total)level of risk in this area has risen. However, through the implementation of more effectivemitigation measures, we have been able to maintain the residual risk at a stable level. This isnot due to the risk being stable, but rather due to stronger controls which have been necessaryto offset a higher baseline of inherent risk. Detection of such cases remains challenging, withsome of the main factors including the availability of information against which we validate thelocation of the properties, the reliability of verification methods in some markets, and instanceswhere Booking.com relies on third-party vendors to diligence supply partners. Fraudulent listings may result in some range of harm to travellers - including paying for orarriving at properties that in reality may not exist, incurring additional expenses from having tomake replacement travel plans, or inconvenience or other loss of comfort and enjoyment.While we take any impact on our travellers seriously, given the damage suffered here isprincipally (though not entirely) financial in nature, the harm is generally more remediable than 15 in other areas where psychological or physical impacts could occur. The nature of Booking.comas an e-commerce travel platform means these incidents do materialise, however we dedicatesignificant resources to minimising occurrences and their impact. Risk that child sexual abuse material and other illegal content relating to sexualexploitation material may be available on the platform (content that is illegal in itself) Booking.com's Content Standards and Guidelines (including our content moderation policy)prohibits content that contains sexually explicit material including content that sexuallyexploits children or presents them in a sexual manner. We also prohibit content that is deemedlegally restricted based on local laws or content that is obscene, offensive or not appropriatefor all audiences. We have automated detection mechanisms to moderate images containingnudity, images and text that are sexual in nature, and have reporting mechanisms for illegalcontent. Our team manually reviews any images and text that are flagged or notified. In addition, Booking.com utilizes AI models and follows established protocols to detect andaction potential instances of child sexual exploitation across the platform (including reviews,review replies, complaints, partner to guest chats, partner to guest emails, guest-to-bookingemails, and guest misconduct reports). Over the past 12 months, Booking.com has partnered with ECPAT (The Code) to combat childsexual exploitation in travel. As members of The Code, we gain expert consultation andactionable insights into preventing exploitation of children on the platform. This partnershipstrengthens our training programs and aligns our services with industry best practices so thatwe can better address the occurrence of the risk on the platform. In 2025, Booking.com againpartnered with It’s a Penalty, a coalition of travel industry companies and NGOs to raiseawareness and provide educational resources during mega sports events to prevent humantrafficking, including child abuse, child sexual exploitation and child trafficking. These effortsform part of our anti-trafficking and prevention initiatives, which are discussed in further detailbelow. Overall, the likelihood of child sexual abuse material being uploaded to Booking.com is lowgiven the platform’s narrow purpose of offering travel experiences and reservations, and therisk is further mitigated by Booking.com's content moderation policies and processes. Inaddition, there are limited features on Booking.com that enable the sharing of images.However, we recognize that if it were to occur, the severity of impact on the traveller may be 16 significant and that impact may not always be fully remediable. Risk that the platform may be used for the sharing of illegal non-consensual private images(content that is illegal in itself) Booking.com’s content moderation policy prohibits any content of an adult nature - includingcontent that contains sexually explicit material, whether or not consensual. It also prohibitscontent that puts the privacy of our users at increased risk. Our automated content moderationsystems detect images containing nudity and images that are of a sexual nature. Although our content moderation systems cannot determine whether something has beenshared with or without consent, we also provide reporting mechanisms to enable individuals toreport illegal content. Our Customer Service team serves as a reactive channel for reportingany intimate image abuses occurring on the platform. While the nature of Booking.com and its intended use make it unlikely that users of the servicewould share illegal non-consensual private images on Booking.com, we recognize that if itwere to occur, the severity of impact on the traveller may be significant and that impact maynot always be fully remediable. Risk of abuse or misuse of the service for human trafficking (content relating to illegalactivities / fundamental rights) Booking.com recognizes the risk that our services could be abused or misused by third partiesfor the purpose of human trafficking and sexual exploitation, in direct contravention of ourterms and conditions. Several factors inherent to online travel platforms increase the risk thatthey may be misused by traffickers, including last minute booking possibilities, limitedverification of user accounts, and digital-only property access. We have processes in place to mitigate human trafficking risks focused on accommodationproviders - including internal human trafficking prevention guidelines, internal and externaltraining and awareness raising efforts, and content moderation guidelines and controls overinformation that is included in the promotion of service listings on Booking.com. Supplypartners can raise complaints via the guest misconduct reporting systems, and our Trust andSafety team conducts assessments if required. Additionally, our content moderation teaminvestigates instances of “dog whistles”- surreptitious messaging that might signal a property’sopenness to traffickers; and we work with external organisations to promote awareness and 17 detect potential instances. Where appropriate, we report instances where there are high riskindicators of human trafficking to law enforcement. Over the past twelve months, we've significantly strengthened our efforts. We have increasedour capacity to proactively detect, assess, and report potentially connected instances of humantrafficking. We have increased dedicated headcount, launched a new operational run book onhuman trafficking detection for the Trust and Safety team, and provided specialized training onhuman trafficking to supply partners to promote awareness and help detection and reportingof cases of human trafficking at properties on our platform. We've also continued ourengagement with external stakeholders and experts to further strengthen our collectiveresponse to human trafficking in the travel and tourism industry. For more information on measures we take, please refer to the Annex. We recognize that harm caused by human trafficking and sexual exploitation, among otherillegal practices, is severe, with high degrees of physical and psychological harm. These harmsmay not be fully remediable. Industry data, our Trust and Safety assessments, and ourengagement with external stakeholders and experts, confirm that online travel platforms arebeing used to facilitate human trafficking. These are and remain critically important areas ofattention for all companies operating in the travel and tourism industry. We are committed tocontinuously evolving our efforts to reduce the risk of the services in our platform being abusedor misused for the purpose of human trafficking and sexual exploitation. Fundamental rights Risk that users may engage in discriminatory behaviour on the platform(non-discrimination) The presence of discriminatory beliefs and values within society unfortunately manifests ininteractions within the travel and tourism sector, impacting individuals as they come together. Travellers of the Booking.com platform have only limited interactions with supply partners andordinarily no direct interaction with other travellers on the platform. Communication orinteraction channels are focused on facilitating the travel experience or to conclude a 18 reservation. Booking.com does not have communications channels of the type generallyassociated with social media and that are conducive to sharing views or opinions that areunrelated to the narrow topic of travel experiences. As such, risks in this area could emanate in only a limited number of ways, including via ourpartner-to-guest messaging utility; our guest reviews utility and in interactions between ourcustomer service representatives and our users. Our Content Standards and Guidelines set out Booking.com's expectations of acceptablecontent for travellers and supply partners and include specific reference to discriminatorylanguage and hate speech as well as content promoting violence, discriminatory language orhatred against a person or groups. Our terms and conditions for supply partners require themto respect the fundamental rights of customers and to not engage in or allow discrimination. In 2024, we also published a new Statement on Non-discrimination, Harassment and Abuse on our Partner Hub, which sets behavioural expectations, and provides targeted training andguidelines to support partners with understanding the risks of unintended discrimination. We take seriously and address any reports of misconduct from travellers or supply partnersincluding allegations of discriminatory behaviour, and take appropriate and proportionateaction (including suspension and removal from the platform) where necessary. Users andemployees may report discriminatory conduct on the platform via our customer service teams or via the Compliance helpline reporting function. Our Trust and Safety and Content Moderation teams and processes have generally beeneffective in identifying discrimination on our platform (as expressed via content on theplatform) and subsequently removing or addressing such content or conduct (giving regard tokey considerations including freedom of speech and expression). The Content Moderation teamescalates content flagged as containing or indicating discriminatory behaviour to the Trust andSafety team for any remedial action required beyond content removal. We have AI models thatare designed specifically to identify discriminatory statements in certain types of content on theplatform including accommodation reviews and partner to guests chat. That said, content moderation and discrimination detection systems may well have somelimitations due to the difficulties in detecting certain types of discriminatory content (e.g., localdialects or symbols). It can also be challenging for automated tooling to determine and analysethe context of a particular exchange, including geographic and cultural nuances. To respond tothese limitations in our detection systems, our content moderation processes now cover 140 19 languages, our human moderators speak almost all languages used on the platform, and weuse sophisticated automated translation tools for any other languages. We are committed tocontinual improvement and refinement of our systems and processes, and ensuring that theyoperate at full capacity across all areas of the platform. To strengthen our response when itoccurs on the platform, in addition to our improved language models, we've added personnelto manage high-priority discrimination cases, and we strive to enhance both internal employeeand external supply partner understanding of discrimination through targeted training and keysupport resources. Discriminatory behaviour could have potential to be distressing and harmful for the individualat whom it is directed. Some consequences of discriminatory behaviour may be remediable(e.g., compelling a supply partner to honour the terms of a reservation or removingdiscriminatory content); but we recognise that the impact of the discriminatory intent andexpression, once experienced, can have psychological and other impacts that are difficult toremediate fully or at all. Risk of unfair commercial practices due to misleading descriptions, pictures or misleadingpricing practices (consumer protection) Booking.com embraces a customer centric culture which places our customers at the centre ofeverything we do. However, given the dynamic nature of information provided by our globalnetwork of partners, we considered the risk that unfair commercial practices could occur,potentially impacting traveler trust and experience. We maintain a broad range of controls and resources designed to prevent unfair practices inline with legal obligations in the EU. These include our team of experienced consumer law andcompliance professionals charged with promoting compliance with relevant rules andregulations. We frequently engage in dialogue with regulators to ensure we maintain thehighest standards of consumer protection. For example, supply partners are responsible for the information they provide to us for creatingan accommodation listing but we offer guidance throughout the process to minimise, forexample, the risk of hidden costs for travellers, and apply automated detection mechanisms toenforce our Content Standard and Guidelines. In addition, our Content Standards andGuidelines set out the expectation that content included in guest reviews should not mislead,deceive, or confuse Booking.com recipients of the service and that travellers or partners shouldnot misrepresent themselves or impersonate another person. 20 The harm associated with unfair commercial practices could range from minor financial impactsto distress caused by travel experiences that do not meet our travellers’ expectations. As such,while still important, we consider that the severity of the impact falls on the lower end of thespectrum and it is likely that most harms are remediable. We continually strive to adopt bestpractices and technologies to monitor and meet our obligations to travellers to ensure weremain vigilant with respect to unfair commercial practices. Risk of data breaches (protection of personal data) The nature of the Booking.com service is such that it requires travellers and supply partners toonly provide certain personal data (including names, physical or electronic addresses and, insome cases, financial information) that is necessary to complete transactions on the platform.However, data of this nature may be of interest to ill-intentioned actors and cyber attackers, forillicit purposes including fraud. Given the volume of potential transactions on the platform, andthe ubiquitous nature of cyber threats in e-commerce generally, there is some likelihood of adigital threat or breach (phishing, malware, etc.) materialising. While risks of this nature could occur in a number of ways, we consider that they generally fallinto two categories: ● attempts to compromise our own systems via phishing, malware, human intelligence orother direct attacks on our platform; or ● attempts to obtain traveller or other data indirectly via traveller or partner accounttake-overs. Booking.com complies with relevant laws designed to protect personal data, but ourcommitment to data security goes beyond compliance with legal requirements. We regularlyenhance our defences against cyber attacks and online fraud attempts by leveraging industrybest practices and technologies and have a dedicated team of cyber security professionals ledby our Chief Information Security Officer. Our cybersecurity, fraud detection/prevention anddata protection measures are generally effective in preventing attacks that seek to compromiseour platform or harvest personal data processed within our platform. For example: ● A machine learning model (running daily) scans guest-to-partner messaging to detectmessages sent in bulk, which might indicate phishing attempts related to reservations. 21 ● Partners are required to authenticate using Two-Factor Authentication on our Extranetfor login and to perform specific (typically more sensitive) operations, such as lookingup reservation or credit card details. We can also deny access or limit session lengthswhere risks of account compromise or abuse are detected. ● We have systems in place to control (in collaboration with partners) the URLs andemails that can be shared with a traveller via the platform to further help partnersprotect themselves (and potentially impacted travellers) from their accounts beingcompromised. In addition, we have mechanisms in place that work to detect andprevent malicious links from reaching travellers. ● Dormant accounts in the Extranet are automatically locked and disabled. This preventsthe risk of such accounts from being used for fraudulent purposes. Additionally, we maintain measures to detect traveller and supply partner account take-overs,including working with and providing education and awareness to partners and travellers onidentifying potential attacks and avoiding them. Where we make traveller data available tothird party companies to enable outsourced activities, we do so in compliance with applicablelaws and ensure that appropriate contractual obligations are in place. The overall external risk environment is increasing, as evidenced by a significant increase in theuse of ransomware and other extortion techniques. The financial impact of these threats is alsoescalating, with an upward trend over the past several years. Despite our comprehensivecybersecurity framework and continuous efforts, the dynamic and sophisticated nature of cyberthreats means that data breaches or digital security incidents, while actively mitigated, remaina possibility. Even in the event of a breach, the impact is generally remediable - as the harmmay in most cases be limited to financial loss, although some impacts may be more difficult toremedy (e.g., in cases of identity theft that go beyond immediate or confined financial loss). Risk of unnecessary or disproportionate government data requests (protection of personaldata) From time to time Booking.com receives requests for traveller or supply partner data fromgovernment authorities (often as part of regulatory enforcement or investigation matters). Overthe past year Booking.com has received an increased number of data requests from authorities. We strive to comply with relevant laws in the EU and other jurisdictions where we operate 22 while applying a rigorous focus on protecting the personal data as well as the rights andfreedoms of users who provide data. We reject requests that cannot be confirmed aslegitimate, necessary and proportionate. An additional challenge stems from conflictingobligations across overlapping legal regimes, leading to ambiguity in how requirements shouldbe applied. We employ specific teams, processes and procedures to ensure requests bygovernment authorities are addressed in consideration of lawfulness, data minimization andother privacy principles to safeguard individual rights and freedoms across all users of ourplatform. We have guidelines in place that provide clarity on the circumstances under whichBooking.com will comply with or reject a law enforcement request (including requiring lawenforcement authorities to submit formal requests in accordance with applicable laws); andBooking.com uses a central portal to receive, analyse and verify inbound requests. Limitedexceptions may be made for emergency requests falling under the categories of terrorist act,imminent threat or serious harm of a person, death of a person, missing person, or minor. While the vast majority of requests we receive come from within the EU, we acknowledge thatthere can be broad variance in rule of law applications in various countries - including theextent to which requests for information are legitimate, necessary and proportionate. Ourdedicated teams are experienced in handling these risks and our processes have provedeffective in significantly reducing the likelihood that inappropriate requests will be fulfilled. Werecognize that data requests from some countries may not comport with these parameters andthat such requests, if complied with, may have significant adverse impacts on the userconcerned depending on the purposes for which that data is requested. However, despite Booking.com’s efforts in diligently assessing the legitimacy of disclosure requests, our assessment indicates that the increasing request volume and the legal and operationalchallenges associated therewith results in an increased likelihood that the risk of unnecessary,disproportionate or conflicting disclosure materializes. Risk that the platform may be used for the sharing of highly personal information of users (right to respect for private and family life) Our Customer Terms of Service prohibits conduct that infringes on the privacy rights of anyuser. Our Guest review removal conditions make clear that Booking.com will not accept anyreviews that contain unauthorised information relating to an identified or identifiable naturalperson. We have content moderation policies and we use automated systems to address therisk of sharing highly personal information of users. However, given the nature of the platform, which encourages photo sharing and allows users 23 to post reviews based on personal experiences, there is a risk that users, whether intentionallyor unintentionally, share private or highly personal information or images. The severity ofimpact on travellers, if their highly personal information were shared on our platform, wouldvary depending on the nature of the information disclosed. Such impact may generally beremediable by removing the content concerned from the platform. Risk that the platform and its algorithms (including recommender systems) may usepersonal data (i) unnecessarily or disproportionately; or (ii) in a way that could result inunjustified discrimination (non-discrimination) Clarity and transparency with respect to how we use our travellers’ and supply partners’ personal data is important to us and to our users. Our user Privacy Statement and the “How we work” section on our website describes the types of personal data collected and how it is used by Booking.com. Our Customer Terms of Service prohibit conduct that infringes on theprivacy rights of any users. Our Guest review removal conditions make clear that Booking.comwill not accept any reviews that contain unauthorised information relating to an identified oridentifiable natural person. We have content moderation policies and we use automatedsystems to address the risk of sharing highly personal information of users. We rely on certain personal data, such as IP addresses of users browsing our platform, in orderto show relevant content such as language and appropriate currency. In order to provide ourservices, we require certain other personal data such as name and email address and mayutilise aggregated personal data for analysis and service improvements. Logged-in users havethe option to provide and store additional personal data or preferences in their accounts. However, we do not intentionally collect special categories of personal data (such as racial andethnic origin, sexual orientation etc., as defined under the GDPR) for use in our recommendersystems. In instances when we may use profiling (as defined under the GDPR) in arecommender system, the user is given the option to opt-out of personalisedrecommendations. This means the user will view service recommendations without ourrecommender systems using profiling. In addition, Booking.com is increasingly integrating AI use cases across its platformfunctionalities, such as to support internal workflows and system efficiency, enhance contentmoderation and fraud detection. Booking.com has formal policies, procedures and technicaltools in place to support the assessment and mitigation of risk posed by use of AI systems,models or AI-enabled tools, products or services. Machine learning models detect and redact 24 certain types of content and keywords, such as personal data and blocks content that amountsto hate speech. Although the ways in which Booking.com uses data will continue to becomemore complex, Booking.com has implemented a range of privacy risk mitigations and continuesto mature these, including privacy policies, workflows, and processes, as well as disclosure ofhow user data that is input to AI models will be processed by Booking.com. Considering the nature of our services and how consumers use our services, the possibility thatsuch personal data could be used in ways that exceed users' expectations is low. Given thetype of personal data we collect, the potential impact of any use beyond the stated purpose inour Privacy Statement and the 'How we work' section on our website would likely be minimal. Risk of harmful misuse of the service by minors (respect for the rights of the child) Booking.com is not intended for use by or directed at minors. The Customer Terms of Servicewhich apply to EU users require users to be at least 18 years old to use the platform. Inaddition to these terms, there are practical barriers which render our services less accessible tominors. In particular, in order to access many of our services, credit card details or another formof online payment method is required to make a reservation. We consider this reduces thepractical risk: these types of payment methods are generally only accessible to persons abovethe age of 18 in the EU or provided under the supervision of a legal guardian. Despite this, wehave measures and policies in place that ensure that only safe and appropriate content isdisplayed to all users of our services, including minors. The protection of minors online is of critical importance, and the severity of impact on minorsfrom a range of online activities may be high. Children who access online travel platforms likeBooking.com to make travel arrangements without adult consent may be doing so in higher risksituations e.g., to engage in dangerous activities like drug use or self-harm. Our assessmentindicates that there is low probability of this risk materialising given the minimum agerequirement on our platform and the logistical barriers to access (e.g., the payment methodrequired to make a reservation). In rare instances where minors are endangered by using ourplatform or services, our Trust and Safety team and relevant processes are designed torespond to such occurrences with higher priority when we are made aware of them. Gender based violence, public health, physical and mental well-being 25 Risk that users may engage in online behaviour that amounts to, incites or encouragesgender-based violence (gender-based violence) Our Content Standards and Guidelines and our Customer Terms of Service set outBooking.com's expectations of what is not acceptable content for travellers and supplypartners to include in reviews, images and listings. These guidelines also specifically address content promoting violence against a person or groups. In addition, our Statement on Non-discrimination, Harassment and Abuse sets out the platform’s commitment to prevent such behaviours against partners and travellers and explains the differences between differenttypes of violence and harassment We maintain a range of content moderation policies and enforcement options, includingmachine learning classifiers and an improved image moderation system to help mitigate thisrisk. Our experienced Trust and Safety team escalates any incidents (including those detectedthrough content moderation systems) involving abusive behaviours to enable appropriateaction to be taken against offenders. However, we recognize that moderation may have limitations due to the difficulties in currenttechnology detecting content that may amount to, incite, or encourage gender-based violence,and that there are challenges in analysing or accounting for context when using automatedtools. Due to the nature of Booking.com as a transactional-focused platform, the likelihood of usersengaging in online behaviour that amounts to, incites, condones or encourages gender basedviolence is lower than on platforms that are content-focused. However, the mere existence ofcommunication channels on any platform, including Booking.com, presents some possibility ofsuch online behaviour. We recognise that if such conduct were to occur, the impact is likely tobe significant and difficult to remediate. Risk that users may engage in abusive behaviour towards other users on the platform(physical and mental well-being) Users of the Booking.com platform have limited opportunities for user-to-user interaction. Assuch, abusive behaviour towards other users on Booking.com is only possible on specificchannels of the platform (for example, in guest reviews or in partner to traveller messaging). We maintain a range of content moderation policies and enforcement options in place to 26 mitigate this risk, and escalation channels to our Trust and Safety team for any remedial actionrequired beyond content removal. Our Statement on Non-discrimination, Harassment andAbuse sets out our commitment to prevent abusive behaviours and educate our guests andpartners. However, moderation may have limitations due to the difficulties in detecting certain types ofabusive content, and analysing or accounting for context when using automated tools (e.g.limitations to moderation of partner to guest messaging), and we acknowledge there are stillinstances of inappropriate communication, including abusive language, on the platform. Werecognise that abusive behaviour can have serious psychological impacts on individuals,particularly when it is specifically directed at a specific person, and can be difficult to remediatefully. Tier 3 Illegal content Risk that illegal hate speech may be available on the platform (content that is illegal initself) The nature of Booking.com as a transaction-focused platform with a specific and narrow focus(making travel arrangements) renders the likelihood of travellers or supply partners sharinghigh-risk illegal content (such as hate speech) lower than on other platforms that arecontent-focused. The Booking.com service does not ordinarily allow for direct interactionbetween travellers. However, the functionalities of the Booking.com platform which enableindividuals to interact with each other, even in a limited setting, and to express views andopinions, are such that there’s still a possibility for illegal hate speech to appear. Our Content Standards and Guidelines and our Customer Terms of Service set outBooking.com's expectations of what is not acceptable content for travellers and supplypartners to include in reviews, images and listings. These guidelines also specifically addresshate speech and discriminatory language as well as content promoting violence, discriminatorylanguage or hatred against a person or groups. We have robust systems in place to detect anysuch harmful content on Booking.com, including through automated keyword filtering andblocklists, AI and human moderation. We also have reporting mechanisms for illegal content,an internal review and escalation path involving our Content Moderation Committee, and ourautomated language models operate in 140 languages. 27 In addition, we recently further refined our approach to assessing hate speech that allows formore distinct differentiation of hate speech from other forms of discriminatory content,enabling more precise detection and response. We plan to further enhance internal alignmentand increase awareness for teams managing hate speech incidents to ensure a consistent and effective response. For more information on measures we take, please refer to the Annex. However, we are aware that the mere existence of communication channels on any platform,including Booking.com, presents an ongoing possibility for the use of hate speech. Wherethese types of illegal and harmful content do materialise, the severity of the impact on thetraveller may be significant and may not always be fully remediable (e.g., in the case ofpsychological distress). Risk that intellectual property may be illegally available on the platform (content that isillegal in itself) By design and nature of operation, Booking.com imposes strict limitations on the type ofcontent that travellers and supply partners can post on the platform. These limitations governthe posting of content that is protected by intellectual property laws and our ContentStandards and Guidelines include specific reference to intellectual property. As such, we generally do not encounter intellectual property issues at scale. Where we do,they tend to relate to copyright claims (e.g., onstock photographs) and we address thosethrough our moderation and related processes. Our image moderating and notice and actionsystems will further reduce risk. Where this risk materialises, it is very unlikely to severelyimpact users at scale as any potential harm is more likely to be some financial loss to theintellectual property owner. Such losses are readily remediable. Risk that content on the platform may promote sale of illegal products and services (e.g.drugs, gambling, underage drinking) and risk that illegal listings of accommodation orother services may be available on the platform (content relating to illegal activities) We recognize there is a risk that ill-intended users may seek to use the Booking.com platformto promote illegal products and services (e.g. related to drugs, gambling, underage drinking), oroffer illegal or unlicensed (accommodation) services, which directly contravenes our policiesand applicable laws. 28 Our Content Standards and Guidelines prohibit content that is illegal or otherwise restrictedunder local laws, including content that offers, sells, advertises or facilitates the sale ofregulated or restricted goods and services. We take down such content according to policy. Ourguest review removal conditions stipulate that reviews promoting, supporting or inciting illegalactivities will not be made available on the platform and our content moderation policyprohibits such content. In practice, we enforce our prohibition on the promotion of certainactivities (such as drug use) regardless of whether those activities are in fact illegal in thelocation where the service is offered, and our improved photo moderating and notice and actionsystems further reduce this risk. Our General Delivery Terms for supply partners require partners to have all rights and licencesrequired to make their accommodation service available on the platform. Travellers and supplypartners may report listings suspected of operating illegally or not having the appropriatelicences to us via a dedicated web form, and we have a specialised team that investigateswhen we are notified of such instances. We also take swift action to remove any illegalproperties which are notified to us by Local Authorities or other Member State governmentbodies. Where travellers make bookings at properties which we subsequently identify asillegal listings, we remove the illegal property listing and will work with the traveller toidentify an alternative accommodation. Accordingly the severity of the impact generally falls onthe low end of the spectrum. We recognize that additional factors, such as low health andsafety standards as a result of being unlicensed, could result in some range of harm dependingon the specific circumstances of the case. In the last year, specifically for attractions, we have increased pre-moderation foruser-generated reviews and images in response to increasing user-generated reviews andimages being posted. Furthermore, while for attractions we primarily rely on the contentmoderation policies and systems of third-party vendor platforms for their hosted content, weactively work to ensure their standards are broadly aligned with our own to mitigate risks fromintegrated listings. Despite our comprehensive policies and enforcement mechanisms, a residual risk remains andwe have, on occasion, identified content on our platform which promotes sale of restricteditems through listings, reviews, etc. through our content moderation systems. While werecognise that the harm caused by different types of illegal products and services or counterfeitgoods may vary, such harm is generally remediable (e.g., by removing such content on theplatform). 29 Risk that content relating to terrorism may be available on the platform (content illegal initself) We have assessed the risk that content relating to terrorism may be available on theBooking.com platform. Booking.com's content moderation policy and Content Standards and Guidelines prohibitterrorism and extremism related content, which includes content that promotes, supports orincites acts of terrorism, or that supports or represents any terrorist organization, its leaders orassociated violent activities and content that Booking.com deems to promote, support or inciteacts of violent extremism, or that supports or represents any organization engaged in violentextremism. Our Content Standards and Guidelines further prohibit content promoting hate, orviolence, including violence against others on the basis of who they are and content thatpromotes, facilitates or encourages any kind of violence against others. Most content on the platform is moderated through blocklists or machine learning models andhuman review before it is published on the platform. Booking.com’s language models operatein 140 languages creating broad linguistic coverage for harmful or illegal content, includingterrorism and extremism. Booking.com has a reporting mechanism for illegal content generally,and a dedicated process for reports from judicial and administrative authorities with guidance.Different reporting mechanisms apply to flights, rides, attractions services, wherebyBooking.com works with partners and provides support via training to align enforcementapproaches. Threats representing an imminent danger to life are reported immediately to therelevant authorities. Due to the nature of Booking.com as a transaction-focused platform as opposed to a socialmedia platform, it is unlikely that the platform would be used to disseminate such content. Ourassessment indicates that the probability of this risk materializing has the lowest of scores. Inthe incidental instances in which this risk does materialise, it is unlikely to cause significantimpact at scale, as harm may be remediated by removing the content concerned and/or byreporting the matter to the relevant authorities. Fundamental rights 30 Risk that content on the platform may be unjustifiably removed and risk that users are notable to appeal content removals and/or report or appeal potentially violating content(freedom of expression and information) Booking.com’s content standards and guidelines available on the platform make clear whatcontent is prohibited, how recipients of the service can report content, and that there existmechanisms for appealing content removal decisions. We built mechanisms for appealing content moderation decisions as part of our DSAcompliance efforts and to further protect users’ freedom of speech. Users are informed whencontent is removed and of the reasons for removal. They are able to edit the content to meetthe standards set out in the guidelines or appeal the decision to remove the content. OurCustomer Service and Partner Service agents have been also being trained to increase overallawareness on our content moderation and appeal processes. Therefore, the likelihood of content being wrongly removed and users wanting to appeal thecontent removal decision, or of a removal being disproportionate or unnecessary, is low. Sincethe vast majority of information on Booking.com relates to travel services, it is unlikely that theremoval of content on our site would be considered to harm or materially impact the freedomof speech of users. Risk that services or features on the platform may not function equitably for users withcertain disabilities or limited digital literacy (non-discrimination) We are continuously working to improve the accessibility of our digital services. Users withdisabilities or digital literacy challenges may face barriers when accessing and utilizing ourplatform, potentially leading to an inequitable user experience and limiting their travel options. Our Accessibility Statement outlines our commitment to digital accessibility and details the measures we are taking to make our platform more accessible. We are committed to meeting the Web Content Accessibility Guidelines (WCAG). We conducta regular audit against WCAG on part of our services that are applicable to the EuropeanAccessibility Act to identify accessibility bugs and defects. Through these audits, we haveidentified accessibility challenges for users. We implemented inclusive design choices such asstandardizing form components and input fields, providing clearer instructions and errormessages, and introducing contextual help and visual cues. The design choices are informed bytesting and feedback from a diverse range of travelers. We also developed a plan to implementan Accessibility by Design framework and plan to expand education and increase awareness of 31 accessibility principles across teams. These efforts reflect our commitment to providingequitable functionality for our users. Our Customer Service team enables accessibility requests to cater for the needs of those withdisabilities and digital literacy challenges. We provide options for users of the Booking.comservice to identify their preference for seeing listings with accessibility criteria, which reducesthe risk of disabled travellers being recommended inappropriate options. Despite our efforts, challenges persist in ensuring all platform features and content are fullyaccessible to every user, particularly those with highly specific needs or significant digitalliteracy challenges. Making and keeping our platform accessible remains a focus area for us.We have and will continue to make enhancements to our platform for making it moreaccessible to persons with disabilities or limited digital literacy and will be doing so in line withthe requirements of the European Accessibility Act (2025). Risk that personally identifiable information about a child may become available on theplatform (respect for the rights of children) In practice, very little personally identifiable information on children is collected by the platform(e.g., names of room occupants or date of birth when required for flight reservations) is collected by Booking.com) and its partners, and the probability that recipients of the service would share such information (other than photos) via user-generated content on the platform(e.g., reviews) is unlikely. However, photos of children may be included in content shared byusers directly or partners (e.g., travelers sharing trip photos, or partners uploading photosincluding children to market their listings as family friendly). And, as more user-generatedreviews and images are being posted on the Booking attractions site, there is an overallincrease of content moderation and removals, some of which may be attributable to personallyidentifiable information of children. Booking.com’s content moderation policy does not allow content that may put the privacy ofothers at risk, and our Privacy Statement provides that Booking.com will only processinformation about children with the consent of their parents or legal guardians, or when theinformation is shared by the parents or legal guardians themselves. Despite our efforts, we recognize there is a risk that unauthorized or identifiable photographsof young children may be posted on the platform, potentially compromising their privacy. Tofurther strengthen our content moderation efforts, in the last year we have increased 32 pre-moderation efforts for attractions services to ensure content integrity particularlyconcerning user generated reviews and images. For partner content, we rely on content policiesand systems of those third parties, which we have determined are broadly aligned with ourown policies. As noted above in addressing the risk of harmful misuse of the service by minors, Booking.comis not intended for use by children and we do not encourage the sharing of personalinformation without the required authorisation. At the same time, we are aware of ourtravelers’ desire to share personal travel experiences by posting photos. As we continue todevelop our policies and practices we always seek the appropriate balance between the rightto privacy and information sharing. Risk that users may submit reviews containing false information (consumer protection) Accurate and non-misleading reviews of accommodation properties and other travel offeringsare an important feature of the Booking.com service. To that end, we have put in place restrictions around who can submit reviews. We have contentmoderation systems in place to ensure that in the instances it may occur, misleading content isremoved from Booking.com. This applies to both reviews submitted by legitimate travellersthat may contain false or misleading information as well as reviews submitted by individualsthat intend to circumvent our controls by posting reviews without making use of the servicesubject to the review. In respect of reviews submitted by supply partners, our Content Standards and Guidelinesdetail that content included in reviews should not mislead, deceive or confuse Booking.comtravellers and that supply partners should not impersonate travellers. Customer reviews fromthird party websites are made available in specific circumstances, in particular for attractions.These reviews are subject to the third parties’ moderation policy and systems. Commercial /self-promotional content in reviews is not allowed on Booking.com, and is addressed by ourmoderation teams. Our policies do not permit reviews that contain fake content and we have anumber of measures in place to identify and moderate such content. We use machine learningmodels to detect such reviews and we conduct investigations into suspected violations of ourpolicies. Travellers who arrive at the accommodation but do not complete their stay are still able toleave a review, provided that the review contains critical information that would be relevant for 33 a future traveller, feedback about the communication with the accommodation or is otherwiserelevant to the travel experience. Last year, Booking.com added labels on the front-end toclearly mark content submitted from reservations where the traveller did not complete theirstay. Guest reviews play an important role in aiding the exercise of consumer choice. We take theintegrity of the reviews on our platform seriously. Reviews containing false or misleadinginformation may have the effect of misinforming travellers and may contribute to them makingparticular travel arrangements. Some of that impact is remediable by removing false ormisleading reviews. Travel reviews are inherently subjective and thus have some likelihood ofinaccuracy. As a check against that risk of inaccuracy, supply partners can proactively challengereviews that may not seem accurate. The combination of our travel review parameters and theenablement provided to supply partners reduces the likelihood of misleading reviews. Risk that geo-pricing on the platform may result in unjustified discrimination (consumerprotection) Customers located in the European Economic Area (EEA) have access to the same content,prices and conditions on Booking.com. Supply partners are restricted from “geo-pricing” (i.e.offering different prices based on travellers’ geographical location) within the EEA. Thisensures that we remain compliant with various legislations that regulate discriminatory(access) conditions. Booking.com, however, may show different prices depending on user characteristics other thanlocation within the EEA. For example, certain supply partners may be able to give targeteddiscounts to a specific category of customers based on the ‘Genius’ Loyalty Program. Outsidethe EEA, partners may offer country rates (targeted discounts for travellers from specificregions). A partner may opt for country rates to attract customers from new markets andimprove occupancy rates. As offering different pricing is not inherently considered unjustifieddiscrimination, our assessment has shown that it is unlikely that this risk would materialiseshould EEA travelers face instances where they are displayed higher prices than non-EEAtravelers on the sole basis of their geographical location. Risk that content moderation systems may perform less optimally in certain languagespotentially resulting in over / under removal of harmful content (non-discrimination) 34 Our content moderation systems, despite covering numerous languages, carry a risk ofperforming sub-optimally in certain linguistic contexts. This could lead to inconsistentapplication of content policies, potentially resulting in either over-removal or under-removal ofharmful content. Our content moderation processes now cover 140 languages, our human moderators speakalmost all languages used on the platform, and we use sophisticated automated translationtools for any other languages. We also conduct quality checks to ensure that our contentmoderation systems perform correctly in all languages covered. In view of our processes, the probability of over or under removal of harmful content is low butnonetheless possible in view of the amount of content we moderate. We recognize that under-removal (i.e., failing to remove content that ought to be removed)could result in some range of harm depending on how harmful the content is (e.g.,discriminatory content). Similarly, over-removal could also result in harm to a certain extent(e.g., mistakenly removing information about illegal activities happening at a property). Thepotential harm or impact of over-removal is lower. However, given the transactional (versususer generated content-focused) nature of our platform, and our continually improvinglanguage capabilities, the volume of potentially removable content is relatively low and theproportion of users who might be affected by under or over-removal of content is similarly low. Gender based violence, public health, physical and mental well-being Risk that harmful (but legal) content on the platform may impact well-being of users(physical and mental well-being) There's a risk that harmful, though legal, content may appear on the platform, potentiallyimpacting the physical and mental well-being of our users. While our platform istransaction-focused, the various communication channels present opportunities for suchcontent to be shared. Our Customer Terms of Service set out what is and is not allowed on the platform, includinginappropriate behaviour (e.g., violence, threats or invasion of privacy). Our content moderationpolicies and guidelines prohibit content that promotes or facilitates serious physical or mentalhealth violence against others. The guidelines also specifically condemn content that promotesviolence, discriminatory language or hatred against a person based on who they are, as well as 35 content that harasses, bullies or threatens others or is obscene or offensive or shocking. Ourimproved image moderating and notice and action systems further reduce risk Additionally, our content guidelines prohibit content depicting harm to animals. Guests,partners, and employees are expected to respect domestic animals and wildlife and provideappropriate living conditions. Booking.com's Animal Welfare Policy outlines the steps we taketo address risks of animal cruelty, including removing all images displaying human interactionwith protected species mentioned in the policy. Due to the nature of Booking.com as a transactional-focused (as opposed to a user-generatedcontent-focused) platform, the likelihood of users sharing legal but harmful content isrelatively lower than platforms that are content focused. However, the existence ofcommunication channels on any platform, including Booking.com, presents some possibility forharmful content. Should these types of harmful content materialise, the severity of the impacton the traveller may be significant and could be more difficult to remediate fully. Booking.comoffers reporting mechanisms for travellers to report such content. All reports are addressedand if appropriate, proportionate remedial action is taken. Risks that are not present on / stemming from the Booking.com platform Our assessment has concluded that the below mentioned list of risks are not present on / donot stem from the design and functioning of the Booking.com platform. Fundamental rights Risk of negative effects on the right to human dignity related to the design, functioning anduse of the platform's services and related systems (right to human dignity) The nature of the operation of the Booking.com platform does not reach the threshold forimpact on human dignity. No risks reaching that threshold were identified as part of ourassessment. Risk of negative effects on freedom and pluralism of the media related to the design,functioning and use of the platform's services and related systems (freedom of expressionand information) 36 The information available on Booking.com relates to opportunities to travel and engage intourism-related activities and is clearly presented in that context. On that basis it is highlyunlikely that any such content could be perceived to undermine the freedom and pluralism ofthe media. Civic discourse, electoral processes, public security Risk of negative effects on civic discourse, electoral processes or public security Our assessment identified no risk in relation to negative effects on civic discourse, electoralprocesses or public security. Information and services available on the Booking.com platformrelate to opportunities to travel and engage in tourism-related activities and are clearlypresented in that context. On that basis, it is unlikely that any content or behaviour onBooking.com could have a material effect (let alone a negative effect) on civic discourse,electoral processes or public security. Gender based violence, physical and mental well-being Risk of negative impacts on public health and minors due to design, functioning and use ofthe platform and related services besides risks previously identified (public health andminors) As the information available and disseminated on Booking.com relates exclusively toopportunities to travel and engage in tourism-related activities and is clearly presented in thatcontext, it is considered highly unlikely that any such content could be linked to negativeimpacts on the protection of public health or minors. Conclusion As noted at the outset of this document, our risk assessment was conducted taking intoaccount the particular parameters outlined in the DSA and utilising an established frameworkfor assessing impacts on people and society. The exercise was supported by advisors andconsultants, including a global non-profit sustainable business network and consultancy, and isthe third of its kind we have completed. Our assessment and the findings indicate thatBooking.com (the platform and the services offered thereon) does not pose significant systemicrisks to EU citizens. First, we are a transaction-focused platform and our services are notdesigned to be binged or addictive. Second, our platform offers limited opportunities for 37 interaction between travellers and we do not provide personalised user-generated homepagesor news feeds that allow for dissemination of a broad range of content types. Third, ourplatform is generally not for use by, or of a nature that appeals to, minors. This year’s assessment shows a stable overall risk landscape for Booking.com. We recognisethat the external threat environment is continuously evolving, leading to an increase in theinherent (total) risk to our platform. However, our mitigation measures have effectivelymaintained a stable residual risk position. We've observed a decrease in the probability of fourspecific risks materializing, while two other risks show an increased probability. Importantly,these shifts have not led to an overall change in the risk tiering for any identified risk, indicatingthat our mitigation strategies are effectively maintaining our risk profile. We recognize that no online platform that brings people together in the way that we do canoperate without encountering any risks. Through our assessments, we continue to monitor howrisk manifests on the platform, whether in relation to illegal content or certain fundamentalrights. Even though prohibited by our terms and conditions and policies, the risks we haveidentified stem largely from abuse or inauthentic use of our services and we will continue toremain vigilant in mitigating them where we are able. By and large, we have existing safety features and functions to address and further mitigatethe risks we identified, ranging from content moderation technology and proficiencies to ourtrust and safety program. Booking.com remains committed to continuously enhancing theintegrity and safety of our platform for all users and to contributing to the overall integrity ofour industry. 38 Annex - Summary table of existing and new mitigation measures Risks 2024 Tier Other responsive mitigation measures 1. Risks that: ● Our Content Standards and Guidelines clearly define acceptable content for travelers and supply partners, explicitly prohibiting content that promotes discriminatory language, hate speech, and violence against individuals or groups. ● Our terms and conditions for supply partners require them to respect the fundamental rights of customers and to not engage in or allow discrimination. By the end of 2025, we will launch enhanced anti-discrimination contractual requirements for partners. ● We have a range of content moderation policies and enforcement options in place which seek to combat such conduct on the platform ● In the past year, we have further refined our approach to assessing hate speech and discriminatory content, and have established an internal review and escalation path to a newly created Content Moderation Committee. ● In 2023, we published a Statement on Non-Discrimination, Harassment, and Abuse on our Partner Hub which further outlines behavioural expectations, and we provide targeted trainings to supply partners to educate them on the risk of discrimination as well as the potential consequences of violations Booking.com’s policies. We have also published an article in the Partner Hub to provide guidance to supply partners on welcoming guests with assistance animals and how they can ensure they are respecting relevant anti-discrimination regulations as well as our policies. (i) users may engage in discriminatory behaviour towards other users on the platform; 2 (iv) users may engage in online behaviour that amounts to, incites or encourages gender-based violence; and (v) users may engage in abusive behaviour towards other users on the platform. 39 ● Our Trust and Safety team takes action against travellers and supply partners that have engaged in discrimination or abusive behavior, ranging from warnings to termination. In 2025, we assigned a dedicated expert analyst to focus exclusively on high-priority discrimination cases. ● Our Content Integrity and Trust and Safety teams receive training to respectively detect and react to any such cases. ● We are expanding dedicated training to our Customer Service and Partner Service teams on the detection and escalation of cases related to discrimination to further ensure that our policies are consistently and properly enforced throughout. ● Since 2024, the Trust and Safety and Global Security Response teams have increased collaboration to detect higher risks of harm, including discrimination, stemming from conflict or other socio-political developments and large scale events. Last year, the team established and piloted a standardized event monitoring life cycle at a number of large scale events. In 2025, we will launch a targeted training campaign for partners to raise awareness and identify concerning activities on key topics, including discrimination and abusive behavior. (ii) illegal hate speech may be available on the platform; 3 2. Risks: ● We have a team of experienced consumer law and compliance professionals charged with promoting compliance with relevant rules and regulations. ● Our partner terms and conditions set out the expectation that supply partner's conditions “make sense for all parties” (including consumers), and that they will not misuse the platform with excessive or extortionate rates or conditions. Supply partners must also comply with all local regulations and are offered guidance on the Partner Hub on complying with European Union consumer law and other local regulations. (i) of unfair commercial practices due to misleading descriptions, pictures or illegal charges, 2 (ii) of abuse or misuse of service by publishing of listings for fraudulent purposes; and 40 ● Our Content Standards and Guidelines prohibit content that is likely to mislead, deceive or confuse travellers. ● We have extensive content moderation practices and processes designed to identify and remove such content within a listing, including AI models that seek to detect properties that do not exist prior to becoming available to travellers. ● We conduct investigations into suspected instances of fraudulent properties. ● We conduct risk-based due diligence on our supply partners including having verification methods in place aimed at verifying the location of properties and utilising machine learning models to identify fraudulent properties (e.g. video uploads and calls). ● Commercial or self-promotional content in reviews is not allowed on Booking.com, and is addressed by our moderation teams and travellers and supply partners may not misrepresent themselves or impersonate others. ● This applies to both reviews submitted by legitimate travellers that may contain false or misleading information as well as reviews submitted by individuals that intend to circumvent our controls by posting reviews without making use of the service subject to the review. ● We use AI models to detect such reviews, we conduct investigations into suspected violations of our policies and have put in place restrictions around who can submit reviews. ● We offer the opportunity for supply partners to proactively challenge reviews that may not seem accurate. ● We removed the self-sign up functionality for affiliates of the platform. ● Over the past twelve months, Booking.com has improved its fraud combatting capabilities through enhancements in processes, policies and 3(iii) that users may submit reviews containing false information. 41 resources. Key initiatives include updating our fraud detection rules to counter evolving fraud patterns, restructuring our assessment process for marketing fraud, and adding new fraud detection specialist personnel. ● We introduced a new process for moderating reviews for car rentals, including workflows for detecting and taking down non-genuine reviews. ● We introduced a solution to check properties that might show an unrealistic supply availability ("Rooms to Sell"). Monitoring of availability abuse was rolled out for both fake and fraudulent partners in Q4 2024. Partners are now being checked and actioned after each monitoring. 3. Risk that: (i) child sexual abuse material (CSAM) and other illegal content relating to child sexual exploitation material may be available on the platform; and (ii) the platform may be used for the sharing of illegal non-consensual private images. 2 ● Our Content Standards and Guidelines (including our content moderation policy) prohibits content that contains sexually explicit material including content that sexually exploits children or presents them in a sexual manner. We also prohibit content that is deemed legally restricted based on local laws or content that is obscene, offensive or not appropriate for all audiences. ● We have automated detection mechanisms to moderate images uploaded by travellers and supply partners containing nudity and images that are sexual in nature. Photos uploaded by travellers are pre-moderated. ● We have a process in place to always treat CSAM with the highest priority should it occur. The relevant teams are trained to recognize and escalate suspected cases of (child) sexual abuse violations and to take appropriate action. ● We have partnered with ECPAT (The Code) to combat child sexual exploitation in travel. As members of The Code, Booking.com benefits from expert consultation and actionable insights on preventing exploitation. This partnership strengthens and enhances Booking.com’s training programs and aligns the service with industry best practices. 4. Risk of abuse or misuse of the service 2 ● Our Human Rights Statement articulates our commitment and approach to 42 for human trafficking respecting and promoting human rights and our Modern Slavery Statement sets out actions taken by us to prevent modern slavery. ● We have processes in place to mitigate human trafficking risks focused on accommodation providers - including internal human trafficking prevention guidelines, internal and external training and awareness raising efforts, and content moderation guidelines and controls over information that is included in the promotion of service listings on Booking.com. ● Our travellers and supply partners can raise complaints via various channels including our Customer Service or via the Compliance helpline reporting function. Supply partners may also report cases via the guest misconduct reporting system. In addition, we published the US National Anti-Trafficking Hotline and UK Modern Slavery Helpline numbers on our Partner Hub. ● Any report of human trafficking or sexual exploitation will be escalated to the Trust and Safety team and will be assessed, following which appropriate action will be taken. This may also include reporting cases to law enforcement. ● In 2025, Trust and Safety established enhanced analytical methodologies to triangulate and identify connected trafficking cases. We may also report these cases to law enforcement ● We have also conducted a company-wide assessment related to human trafficking to help us identify modern slavery risks across our value chain and in our industry, and understand potential effective mitigations. Ongoing work is being done to further implement mitigation and remediation strategies based on the conclusions and recommendations made in the assessments. ● Our Customer Service, Partner Service and Trust and Safety teams are trained to recognize and timely act upon suspected human trafficking risks and our Trust and Safety guidelines for the identification of trafficking risks 43 were improved in 2024. ● In 2025, Trust and Safety launched a new operational runbook on human trafficking signals. This includes additional details on risk indicators associated with potential human trafficking, and more comprehensive guidance on mitigating actions to be taken when risk indicators are present. ● We also provide training to supply partners to promote awareness and help detect cases of human trafficking at properties. For instance, in the past year, we have developed training in collaboration with PACT – Protect All Children from Trafficking (formerly ECPAT-USA) for supply partners. ● Booking.com has for years been a partner of the Code of Conduct for the protection of Children from Sexual Exploitation in Travel and Tourism, a multi-stakeholder initiative with the mission to provide awareness and support to the tourism industry to prevent sexual exploitation of children. ● We offer various materials and resources to supply partners in the Partner Hub including articles on the detection of human trafficking as well as on identifying and acting on potential human trafficking of refugees from Ukraine (published in December 2023 and May 2024 respectively). ● In 2025, we also partnered on a campaign with It’s a Penalty, a coalition of travel industry companies and NGOs to raise awareness and provide educational resources to fight human trafficking during the Super Bowl and UEFA Women’s EURO. As Headline Sponsor of the campaign, we helped raise awareness across in-flight videos, billboards, posters, external media, internal awareness, as well as sharing resources with our travel service partners. ● We engage with certain law enforcement authorities to enhance our understanding of human trafficking risks for online travel agencies. 44 5. Risk of data breaches 2 ● Travellers and supply partners only provide limited personal data that is necessary to complete transactions on the platform. ● Our Privacy Statement informs users of the kind of data that Booking.com collects and the security and retention procedures we have in place to safeguard personal data. ● We regularly enhance our defences against cyber attacks and online fraud attempts by leveraging industry best practices and technologies and have a dedicated team of cyber security professionals led by our Chief Information Security Officer. ● We maintain an extensive array of technical and organisational measures to limit the likelihood of data incidents and impact to customers and other data subjects should such data incidents occur. This includes, but is not limited to, measures such as threat and vulnerability management, network security and application access control, strong authentication, logging and monitoring as well as data leakage prevention, the use of tokenization and documented incident management and data breach management program protocols. Furthermore, we continue to invest in a Security Operations function, which has been staffed with security professionals, data scientists, and product and engineering resources. This team focuses specifically on detecting, monitoring, investigating and remediating traveller and supply partner account take-overs. ● We maintain measures to prevent and detect traveller and supply partner account take-overs, including multi-factor authentication (MFA), automated reporting channels and by working with and providing education and awareness to supply partners and travellers on identifying potential attacks, in our Safety Resource Center, Partner Portal and on vulnerable end-points (e.g. messaging interfaces). In the event that a supply partner’s account is potentially compromised and reported to Booking.com’s Security \& Fraud team, the account is blocked, requiring a 45 password reset. Furthermore, we have implemented measures which limit the impact of a supply partner account take-over. For example, automated phishing message detection can intercept fraudulent messages to travellers, based on known malicious text or URLs. ● Our terms and conditions with third parties (including supply partners) with whom traveller data is shared include contractual obligations to take measures to prevent phishing, keep their account login credentials confidential and preserve protection of such data. 6. Risk of unnecessary or disproportionate government data requests 2 ● Before any request for traveller or supply partner data from government authorities is processed, our dedicated and experienced team confirms and validates the authenticity of the requesting authority against lists of authorities in the EU provided by Europol as well as the grounds for the request. ● We reject requests that cannot be confirmed as legitimate, necessary and proportionate and have detailed guidelines to ensure consistent validation of authorities, verification of requests, and follow-up. ● Requests are received and assessed through a dedicated portal with authentication, which prevents unauthorised access and ensures only qualified team members can view requests and follow-up. ● When access to data is granted, it is available to the authorities for a limited amount of time only, with automated reminders being sent before access expires. Authorities are also required to use a two-authentication factors system to connect to the Booking.com portal. 7. Risk that: (i) the platform may be used for the sharing of highly personal information 2 ● Our Customer Terms of Service and Content Standards and Guidelines prohibit conduct/content that infringes on the privacy rights of any users. ● Our Guest review removal conditions make clear that Booking.com will not accept any reviews that contain unauthorised information relating to an 46 of users; identified or identifiable natural person. ● We have content moderation policies and we use a combination of automated systems and human review to address the risk of sharing highly personal information of users. ● Our Customer Terms of Service require users to be at least 18 years of age to use the platform. ● Very little personally identifiable information on children (e.g., names of room occupants or date of birth when required for flight reservations) is collected by Booking.com. ● Our policies also prohibit unauthorised photographs of young children from being posted where the child is identifiable (e.g., where their face is visible). (ii) personally identifiable information about a child may become available on the platform 3 8. Risks that the platform and its recommender systems may use personal data / aggregated personal data in a way that is not necessary for the stated purpose in the Privacy notices or in a way that could result in unjustified discrimination 2 ● Our user Privacy Statement and the “How we work” section on our website describes the types of personal data collected and how it is used by Booking.com. ● We do not intentionally collect special categories of personal data (such as racial and ethnic origin, sexual orientation etc., as defined under the GDPR) for use in our recommender systems. ● In instances where we may use profiling (as defined under the GDPR) in a recommender system, the user is given the option to opt-out of personalised recommendations. This means the user will view service recommendations without our recommender systems using profiling. ● In 2024, Booking.com updated its AI risk assessment process and mandated a review of all customer-facing Generative AI (GenAI) use cases and GenAI internal productivity use cases. This assessment covers different categories of risk including fundamental rights, regulatory and privacy risks. 47 9. Risk that content moderation systems may perform less optimally in certain languages potentially resulting in over / under removal of harmful content 3 ● Our content moderation processes previously utilised machine learning models in 43 different languages to detect inappropriate content. Today, our automated content moderation processes cover 140 languages and we have human moderators that speak almost all languages used on the platform. ● We use sophisticated automated translations tools that account for colloquialisms for any other language not covered. ● We are working on improving the quality of translations for images and text reviews and expanding our lists of offensive keywords to languages other than English. 10. Risk of harmful misuse of the service by minors 2 ● Our Customer Terms of Service which apply to EU users require users to be at least 18 years old to use the platform. ● Booking.com has recently conducted an extensive review to identify and suspend accounts of users under 18 years of age globally (regardless of their indicated country of residence). As of April 15, 2025, all users that we were aware of globally with an age under 18 in their account settings will have their accounts suspended. ● In order to access many of our services, a credit card or other form of online payment method is required to make a reservation which are generally only accessible to persons above the age of 18 in the EU. ● Our Content Standards and Guidelines are designed to ensure that content displayed on the platform is restricted to travel-related topics thus reducing the risk of exposure to harmful content. ● In addition, incidents escalated to our Trust and Safety team involving minors are treated with the highest priority in order to mitigate misuse of the platform by minors or any potential resulting harm. 48 11. Risk that harmful (but legal) content on the platform may impact well-being of users 3 ● Our Customer Terms of Service do not allow inappropriate behaviour (e.g., violence, threats or invasion of privacy) and our content moderation policies and guidelines prohibit content that promotes or facilitates serious physical or mental health violence against others. The guidelines also specifically condemn content that harasses, bullies or threatens others or is obscene or offensive or shocking. ● We address this risk primarily through our automated content moderation systems (e.g. Machine Learning classifiers) and as stated previously, we offer various avenues for reporting such content where it is not captured by our systems. 12. Risk that intellectual property may be illegally available on the platform 3 ● Our Content Standards and Guidelines provide that we respect intellectual property rights and expect our travellers and supply partners to do the same. ● We review cases of notified intellectual property infringements and act to remove instances of (suspected) infringing content. Where appropriate, we take further action against (repeat) violators (e.g. disabling accounts, restricting access etc.). ● Our content moderators are trained on the fundamentals of intellectual property, privacy and confidential data and we have an internal process in place and a shared inbox to receive and follow-up on any notices involving alleged intellectual property infringements. 13. Risk that content on the platform may constitute illegal defamation 3 ● Our Customer Terms of Service do not allow inappropriate behaviour on the platform (e.g., violence, threats or invasion of privacy). ● Our content moderation policy also prohibits potentially defamatory statements against individuals. 49 ● Our content moderation systems flag potentially inappropriate content for manual review by picking up on blocklisted words and with the use of machine learning capabilities. ● Given the complex and fact-specific nature of defamation, our content moderators are trained to recognize what might constitute illegal defamation 14. Risk that content on the platform may promote sale of illegal products and services (e.g. drugs, gambling, underage drinking) and risk that illegal listings of accommodation or other services may be available on the platform 3 ● Our Content Standards and Guidelines prohibit content that is illegal or otherwise restricted under local laws, including content that offers, sells, advertises or facilitates the sale of regulated or restricted goods and services. ● Our guest review removal conditions stipulate that reviews promoting, supporting or inciting illegal activities will not be made available on the platform and our content moderation policy prohibits such content. We enforce this prohibition regardless of whether those activities are in fact illegal in the location where the service is offered. ● We have also enhanced our moderation of partner photos post-publication (the most relevant type of content for this risk) which increases the chance that any such content will be detected by our systems. ● Booking.com has a reporting mechanism for illegal content generally, and a dedicated process for reports from judicial and administrative authorities with guidance. Users can also always report content through Customer Support, who have clear procedures to escalate as appropriate to the Content Integrity, Trust \& Safety or other functions as appropriate. ● Our content moderators are trained and can recognize what constitutes an illegal product and/or service being offered. ● In 2025, the Attractions team received policy enforcement training to effectively monitor third party content. In addition, a clear escalation path will be created to improve oversight. 50 15. Risk that terrorist content may be available on the platform 3 ● Our Content Standards and Guidelines (including our content moderation policy) prohibit content that promotes, supports or incites terrorism and violent extremism. This includes content that supports or represents any terrorist organization or organization engaged in violent extremism. ● Content on the platform is moderated before it is published on the platform. ● As mentioned above, content moderation processes cover 140 languages and we have human moderators that speak almost all languages used on the platform. ● Threats representing an imminent danger to life are reported immediately to the relevant authorities. Process launched in December 2024. 16. Risk that content on the platform may be unjustifiably removed and risk that users are not able to appeal content removals and/or report or appeal potentially violating content 3 ● Our Content Standards and Guidelines make clear which type of content is prohibited and provide information on how travellers and supply partners can report content and appeal content removal decisions. As discussed, we have expanded our mechanisms for reporting illegal content and appealing content moderation decisions as part of our DSA compliance efforts. ● We also offer various other channels to report illegal content and challenge moderation decisions. For instance, if a supply partner’s account is suspended, the partner concerned will automatically receive a notification that allows it to trigger a process for re-opening if a valid rationale is provided ● Our Customer Service and Partner Service agents are also being trained to increase overall awareness on our content moderation and appeal processes. 17. Risk that services or features on the platform may not function equitably 3 ● Our Customer Terms of Service outline accessibility features on the platform and our Customer Service team enables accessibility requests to cater for the needs of those with disabilities and digital literacy challenges. 51 for users with certain disabilities or limited digital literacy ● We published the Accessibility Statement. which provides a description of the services and measures to support accessibility ● We provide options for users of the Booking.com service to identify their preference for seeing listings with accessibility criteria. ● We have standardised design tools and reusable interface elements available that take into account accessibility standards. We will standardize form components and/or input fields by providing clearer instructions and more descriptive error messages to support a broader range of users. ● We have and will continue to educate Product teams at Booking.com on accessibility practices and ways to build products with accessibility standards in mind. ● We will establish a continuous feedback loop through bug reporting and analytics tracking focused on accessibility-related issues, enabling faster identification and resolution of problems. ● We will introduce contextual help and visual cues to support less digitally literate users, informed by testing and feedback from travellers. ● We will provide further training to our Customer Service Team on addressing accessibility requests from users. 18. Risk that geo-pricing on the platform may result in unjustified discrimination 3 ● Customers located in the European Economic Area (EEA) have access to the same prices and conditions on Booking.com. ● Booking.com supply partners located in the EEA are not allowed to set up domestic or international country rates using geo-pricing. ● Supply partners outside the EEA are also required to treat the EEA as a single market and are thus not allowed to set up a country rate for a specific country within the EEA. 52