Voluntary Announcement to Market: Cyber Incident

NAMPAK LIMITED
(Incorporated in the Republic of South Africa)
(Registration number 1968/008070/06)
Ordinary Share Code: NPK
Ordinary share ISIN: ZAE000322095
6.0% Preference Share Code: NPKP ISIN: ZAE000004958
6.5% Preference Share Code: NPP1 ISIN: ZAE000004966
LEI: 3789003820EC27C76729
("Nampak" or "Company")

VOLUNTARY ANNOUNCEMENT TO MARKET: CYBER INCIDENT

On 20 March 2024 Nampak detected unauthorised activity on its IT systems. An unknown third-party gained access to its IT systems, notwithstanding the Company's robust and embedded security protocols.

The Company immediately took the necessary steps to contain, assess and remediate the incident. Nampak is taking the necessary measures to determine the scope of the compromise, to restore the integrity of its information systems and to ensure that it is not exposed to further risk. The Company has retained local and global cybersecurity and forensic experts to work with its capable in-house IT team to manage this process.

In line with the Company's business continuity plans, Nampak has switched over to its backup manual compensating controls and continues to function using these processes. This breach has not affected the manufacturing facilities and operations which are functioning as normal, albeit with some manual operating systems where required. The Company will work with its suppliers and customers to ensure that the impact of the incident is contained, and it is able to continue delivering products as required.

Nampak is aware of its obligations under the Protection of Personal Information Act (POPIA) and an initial notification has already been made to the Information Regulator. This will be supplemented as the investigation progresses, and a notification to potentially affected data subjects will be made as soon as possible, in accordance with POPIA requirements. The Company will cooperate with the authorities as and when required.

Nampak regularly reviews and strengthens its cybersecurity policies and procedures, and technological capabilities, to mitigate against the ever-evolving cyber risk landscape.

Bryanston
26 March 2024

Sponsor: PSG Capital

Date: 26-03-2024 04:20:00

Produced by the JSE SENS Department. The SENS service is an information dissemination service administered by the JSE Limited ('JSE'). The JSE does not, whether expressly, tacitly or implicitly, represent, warrant or in any way guarantee the truth, accuracy or completeness of the information published on SENS. The JSE, their officers, employees and agents accept no liability for (or in respect of) any direct, indirect, incidental or consequential loss or damage of any kind or nature, howsoever arising, from the use of SENS or the use of, or reliance on, information disseminated through SENS.