CORPORATE RISK MANAGEMENT POLICY March 3rd, 2022 PUBLIC INFORMATION

CORPORATE RISK MANAGEMENT POLICY TABLE OF CONTENTS 1 PURPOSE ........................................................................................................... 3 2 SCOPE ................................................................................................................ 3 3 REFERENCES .................................................................................................... 3 4 CONCEPTS ......................................................................................................... 4 5 GUIDELINES ....................................................................................................... 5 6 RESPONSIBILITIES............................................................................................ 8 7 FINAL PROVISIONS ......................................................................................... 11 2 PUBLIC INFORMATION

CORPORATE RISK MANAGEMENT POLICY 1 PURPOSE The purpose of this Policy is to establish the principles, guidelines and responsibilities to be observed in the process of managing corporate risks, so asto enable their adequate identification, assessment, treatment, monitoring and communication. 2 SCOPE This Policy applies to executive officers, employees, and interns, of B3 S.A. - Brasil, Bolsa, Balcão, its subsidiaries abroad, Cetip Info Tecnologia S.A, B3 Social, and other members ("Company"). Credit, liquidity and market risks relating to the activities of the Company's clearinghouses in their role as central counterparty are covered in the Central Counterparty Risk Management Policy, as well as in the clearinghouses' rulebooks and manuals as approved by the Central Bank of Brazil, the Securities and Exchange Commission of Brazil (CVM) and, specifically in the case of rulebooks, also by B3's Board of Directors, and lie outside the scopeof this Policy. 3 REFERENCES Corporate Bylaws.

Code of Conduct and Ethics.

COSO - ERM: Committee of Sponsoring Organizations of the Treadway Commission - Enterprise Risk Management Framework.

CVM Instruction No. 461/2007.

Compliance and Internal Control Policy.

Disclosure Policy. 3 PUBLIC INFORMATION

CORPORATE RISK MANAGEMENT POLICY Securities Trading Policy.

Information Security Policy.

Policy on Related Party Transactions and other Potential Conflict of Interest Situations.

Socio-environmental Responsibility and Governance Policy.

Responsibility and Governance Policy. Executive Board Advisory Committee Bylaws.

ABNT Standard NBR ISO 31000:2009 - Risk Management: Principles and Guidelines . 4 CONCEPTS Risk appetite: The level of risk that the Company is willing to undertake in order to achieve its strategic objectives. The assessment ranges from

"intolerable" to "propensity for risk". Risk appetite is a qualitative measure.

The level of risk that the Company is willing to undertake in order to achieve its strategic objectives. The assessment ranges from "intolerable" to "propensity for risk". Risk appetite is a qualitative measure. Risk: The possibility of an event that negatively affects the Company's ability to achieve its objectives or to operate its processes.

The possibility of an event that negatively affects the Company's ability to achieve its objectives or to operate its processes. Corporate risk: The strategic, operational, financial and regulatory risks associated with the Company's activities and its ability to achieve its business objectives.

The strategic, operational, financial and regulatory risks associated with the Company's activities and its ability to achieve its business objectives. Strategic risk: The possibility of implementing an unsuccessful or ineffective strategy that fails to achieve the intended returns. Additionally, issues related to the Company's business objectives, its image, its socio- environmental management, people and standards of ethics and of conduct are considered strategic.

The possibility of implementing an unsuccessful or ineffective strategy that fails to achieve the intended returns. Additionally, issues related to the Company's business objectives, its image, its socio- environmental management, people and standards of ethics and of conduct are considered strategic. Operational risk: The possibility of losses due to faults, deficiencies or inadequacies in internal processes, people, and technological environments, or external events. Includes legal risk, associated with inadequacies or 4 PUBLIC INFORMATION