Our Information Security Policy sets out our principles for the protection of information assets and proper controls to ensure compliance with our standards and external regulations. The policy is intended to define the principles and requirements of acceptable use of information assets for our personnel and describe how these will be implemented across our global operations. It also informs our personnel of our expectations and requirements for acceptable use of information assets and the role of our personnel in protecting the security and integrity of our information. The Information Security Policy is comprised of a number of policies, including our: § Password Policy § Acceptable Computer Use Policy § External Data Storage Policy § Email Policy § Remote Access Policy § AI Tools in the Workplace Policy The majority of the members of our Board of Directors have skills and competencies in cybersecurity (following our 2026 annual meeting, three of our Board members, or 33%, will have expert level knowledge of cybersecurity matters, with four others, or 44%, having sufficient knowledge of cybersecurity-related matters to provide high-level oversight of management). The Board engages with management in matters relating to Franco-Nevada’s information and cybersecurity strategy and maintains the necessary skills and competencies in topics such as cybersecurity through ongoing education, including management presentations, conferences, consultations with experts, and off-site meetings. Board members also receive regular relevant materials from management. The ARC has general oversight over technology-related risks, which includes cybersecurity and artificial intelligence risk management, and oversees the Information Security Policy. Our Chief Financial Officer has been designated by the ARC as the executive responsible for: establishing and maintaining the practices and procedures necessary to implement the Information Security Policy, providing training to our personnel on the substance of the Information Security Policy at least once annually, and reporting to the ARC on the operation of and compliance with the policy. In addition to our annual Information Security Policy training, our IT Department also periodically sends newsletters to all personnel, highlighting key updates and developments affecting the company and its personnel from a cyber and technological security perspective. In 2025, we continued to deliver comprehensive IT security awareness training to all employees as part of our ongoing commitment to responsible data management and cyber risk mitigation. The training addressed key areas, such as identifying phishing and social engineering threats, maintaining strong and unique passwords, and securely handling sensitive and confidential information. The program incorporated interactive and scenario - based learning modules focused on recognizing, preventing, and responding to evolving cybersecurity risks, helping to ensure employees are equipped to safeguard both personal information and company data in an evolving digital environment. Cyber and Technological Security Related Policies & Statements § Information Security Policy § Audit and Risk Committee Charter In response to an increasingly complex global cyber threat landscape, we continue to enhance our cyber and information security posture to proactively manage and mitigate cybersecurity risks. During 2025, the following key improvements were implemented: § Strengthened cybersecurity risk management and governance, including providing more frequent cybersecurity updates to the ARC; § Further enhanced password and identity controls, aligned to a Zero Trust framework; § Updated and tested our disaster recovery and business continuity plans; § Engaged third-party specialists to assess risk and test our security and access controls; and § Conducted regular vulnerability assessments and penetration testing to identify and mitigate potential threats. In 2025, ISS ESG continued to assess companies using its Cyber Risk Score, a data - driven rating that evaluates the likelihood of a significant cybersecurity incident within the next 12 months based on externally observable cyber risk signals. Based on the most recent ISS ESG assessment available to the company, Franco - Nevada received an ISS Cyber Risk Score of 826 out of a maximum 850 and an ISS Cyber Risk Decile ranking of 1, indicating that the company is assessed as having a low level of cyber risk relative to its peer group and a low risk of a material cybersecurity breach. Franco-Nevada's Finance team Franco-Nevada Corporation 27