--- ticker: BKNG company: Booking Holdings Inc. filing_type: 10-K year_current: 2024 year_prior: 2023 risks_added: 0 risks_removed: 0 risks_modified: 3 risks_unchanged: 3 source: SEC EDGAR url: https://riskdiff.com/bkng/2024-vs-2023/ markdown_url: https://riskdiff.com/bkng/2024-vs-2023/index.md generated: 2026-05-10 --- # Booking Holdings Inc.: 10-K Risk Factor Changes 2024 vs 2023 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-05-10 > All data extracted directly from official filings. No hallucinated content. > **[AI-Generated Summary]** The paragraph below was produced by a language > model and may contain errors. All other content on this page is deterministically > extracted from the original SEC filing. > Booking Holdings made no additions or deletions to its risk factor disclosures between 2023 and 2024, instead substantively modifying three existing risks. The most significant revisions affected Information Security, Cybersecurity, and Data Privacy Risks, along with updates to the general business uncertainties risk and the Risk Factors Summary section, suggesting Booking refined its articulation of existing threats rather than identifying materially new exposures. --- ## Summary | Status | Count | |--------|-------| | New risks added | 0 | | Risks removed | 0 | | Risks modified | 3 | | Unchanged | 3 | --- ## Modified: Information Security, Cybersecurity, and Data Privacy Risks **Key changes:** - Reworded sentence: "Our processing, storage, use, and disclosure of personal data exposes us to risks of data breaches and could give rise to liabilities and/or damage our reputation." - Reworded sentence: "We may not be able to defend against sophisticated cyberattacks from determined adversaries." - Reworded sentence: "See -"Cyberattacks and system vulnerabilities could lead to sustained service outages, data loss, reduced revenue, increased costs, liability claims, or harm to our competitive position." Our efforts to protect information from unauthorized access may also result in the rejection of legitimate attempts to book reservations through our services, which could result in lost business." - Removed sentence: "Furthermore, enforcement actions often cause interpretation of these new laws to evolve, which could require changing our initial responses to these laws." - Removed sentence: "For example, the invalidation of the EU-US Privacy Shield in 2020 altered one of the acceptable approaches which many companies relied upon to ensure compliant data transfers between the European Union and the United States." **Prior (2023):** Our processing, storage, use, and disclosure of personal data exposes us to risks of internal or external security breaches and could give rise to liabilities and/or damage our reputation. We are an innovative technology company dependent on sophisticated software applications and computing infrastructure. If threat actors such as cyber-criminals, hackers, and state-sponsored organizations are able to circumvent our security controls and capabilities, including as a result of our own acts or omissions, it could result in a compromise or breach of consumer or employee data. In e-commerce, data security is essential to maintaining consumer and partner confidence in our services and the uninterrupted availability of our web and mobile platforms is essential for our business. Consumers who use certain of our services provide us with their personal identity data and payment information, which in turn attracts attention from threat actors and fraudsters. Cyberattacks are increasing in frequency and sophistication and are constantly evolving. We may not be able to defend against a persistent, sophisticated cyberattack from a determined adversary. In addition, our security policies and internal security controls may not keep pace with the continuous innovation of our offerings. 20 20 20 Vulnerabilities in our consumer and partner account security and workflow practices could and have resulted in unauthorized access to confidential data. These risks are likely to increase as we expand our offerings, integrate our products and services including as we incorporate AI and machine learning, and store and process more data, including personal information and payment data. The disclosure of non-public Company-sensitive information by our workforce or other parties, through external media channels such as social media, could lead to information loss, reputational harm, or loss of a competitive advantage. We expend significant resources to protect against security breaches, and regularly increase our security-related expenditures to maintain or increase our systems' security. We have experienced and responded to cyberattacks, which we believe have not had a material impact on the integrity of our systems or the security of data, including personal information maintained by us. Security breaches could result in negative publicity, damage our reputation, expose us to risk of loss or litigation and possible liability, subject us to regulatory penalties and sanctions, or cause consumers to lose confidence in our security and choose to use the services of our competitors, any of which would have an adverse effect on our brands, market share, results of operations, and financial condition. See Part I, Item 1A, Risk Factors -"Cyberattacks and system vulnerabilities could lead to sustained service outages, data loss, reduced revenue, increased costs, liability claims, or harm to our competitive position." Additionally, our consumers' personal data could be affected by security breaches at third parties upon which we rely, such as travel service providers, connectivity partners, payroll providers, health plan providers, payment processors, data exchange services (for example, XML Providers), or GDSs. See below Part I, Item 1A, Risk Factors - "Our business relies on a global supply chain of third party services providers and we are exposed to risks because we rely on the resilience, security, and legal compliance of their products and services." Our efforts to protect information from unauthorized access may also result in the rejection of legitimate attempts to book reservations through our services, which could result in lost business. In the operation of our business, we receive and store a large volume of personally identifiable data and payment information. This data is increasingly subject to legislation and regulations in numerous jurisdictions around the world. The European Union's General Data Protection Regulation (the "GDPR") imposes significant compliance obligations and costs on us. Under the GDPR, violations could result in fines of up to 20 million Euros or up to 4% of the annual global revenues of the infringer, whichever is greater. Several data protection authorities have imposed significant fines on companies of various sizes across industry sectors for violations of the GDPR. The California Consumer Privacy Act (the "CCPA"), which became operative in January 2020, and the California Privacy Rights Act, which became operative in January 2023, each impose new privacy requirements and rights for consumers in California and has resulted and will continue to result in additional complexity and costs related to compliance. Many other states in the United States and jurisdictions globally have adopted or may adopt similar data protection regulations. These regulations are typically intended to protect the security of personal data that is collected, processed, and transmitted in or from the governing jurisdiction as well as to give individuals greater rights and/or control over how their data is processed. In many cases, these laws apply not only to third-party transactions, but also to transfers of information between us and our subsidiaries, including employee information. These laws and their interpretations continue to develop and may be inconsistent from jurisdiction to jurisdiction. Furthermore, enforcement actions often cause interpretation of these new laws to evolve, which could require changing our initial responses to these laws. For example, the invalidation of the EU-US Privacy Shield in 2020 altered one of the acceptable approaches which many companies relied upon to ensure compliant data transfers between the European Union and the United States. Additionally, some of these regulations, such as the CCPA, give consumers a private right of action against companies for violations of these rules. While we have invested and continue to invest significant resources to comply with the GDPR, CCPA, and other privacy regulations, many of these regulations (such as the Personal Information Protection Law in the People's Republic of China) are new, complex, and subject to interpretation. Non-compliance with these laws could result in negative publicity, damage to our reputation, significant penalties, or other legal liability. If legislation or regulations are expanded to require changes in our business practices or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively affect our business, our results of operations, financial condition, or competitive position could be adversely affected. Cyberattacks and system vulnerabilities could lead to sustained service outages, data loss, reduced revenue, increased costs, liability claims, or harm to our competitive position. If our systems cannot cope with the level of demand required to service our consumers and accommodations, we could experience unanticipated disruptions in service, slower response times, decreased customer service and customer satisfaction, and delays in the introduction of new services. As an online business, we are dependent on the internet and maintaining connectivity between ourselves and consumers, sources of internet traffic, such as Google, and our travel service providers and restaurants. As consumers increasingly turn to mobile and other smart devices, we also depend on consumers' access to the internet through mobile carriers and their systems. Disruptions in internet access, especially if widespread or prolonged, could materially adversely affect our business and results of operations. While we maintain redundant systems and hosting services, it is possible that we could experience an interruption in our business, and we do not carry business interruption insurance sufficient to compensate us for all losses that may occur. 21 21 21 We have computer hardware for operating our services located in hosting facilities around the world. We do not have a comprehensive disaster recovery plan in every geographic region in which we conduct business, and these systems and operations are vulnerable to damage or interruption from human error, misconduct, or catastrophic events. In the event of any disruption of service at such facilities or the failure by such facilities to provide our required data communications capacity, we may not be able to switch to back-up systems immediately and it could result in lengthy interruptions or delays in our services. In addition to placing increased burdens on our engineering staff, these outages could create a significant amount of consumer questions and complaints that need to be addressed by customer support. Any system failure that causes an interruption or delay in service could impair our reputation, damage our brands, increase customer service costs, or result in lost business, any of which could adversely effect our business and results of operations. We have taken and continue to take steps to increase the reliability and redundancy of our systems. These steps are expensive, may reduce our margins, and may not be successful in reducing the frequency or duration of unscheduled downtime. We have experienced targeted and organized malware, phishing, and account takeover attacks, and may in the future experience these and other forms of attack such as ransomware, SQL injection (where a third party attempts to insert malicious code into our software through data entry fields in our websites in order to gain control of the system), and attempts to use our websites as a platform to launch a denial-of-service attack on another party. Our existing security measures may not be successful in preventing attacks on our systems. For instance, from time to time, we have experienced denial-of-service type attacks on our systems that have made portions of our websites slow or unavailable for periods of time. Our existing IT business continuity and disaster recovery practices are less effective against certain types of attacks such as ransomware, which could result in our services being unavailable for an extended period of time, nullify our data, expose our payment card and personal data, or expose us to an extortion attempt. Reductions in the availability and response time of our online services could cause loss of substantial business volumes during the occurrence of any such attack on our systems and measures we may take to divert suspect traffic in the event of such an attack could result in the diversion of bona fide customers. These issues are more difficult to manage during any expansion of the number of places where we operate and the variety of services we offer, and as the tools and techniques used in such attacks become more advanced. We use sophisticated technology to identify cybersecurity threats; however, a cyberattack may go undetected for a period of time resulting in harm to our computer systems and the loss of data. This could result in financial penalties being imposed by the regulators and reputational harm. Our insurance policies have coverage limits and may not be adequate to reimburse us for all losses caused by security breaches. Successful attacks could result in significant interruptions in our operations, severe damage to our information technology infrastructure, negative publicity, damage our reputation, and prevent consumers from using our services during the attack, any of which could cause consumers to use the services of our competitors, which would have a negative effect on the value of our brands, our market share, business, and results of operations. We use both internally-developed systems and third-party systems to operate our services, including transaction processing, order management, and financial and accounting systems. If the number of consumers using our services increases substantially, or if critical third-party systems stop operating as designed, we may need to significantly expand and upgrade our technology, transaction processing systems, financial and accounting systems, or other infrastructure. We may not be able to upgrade our systems and infrastructure to accommodate such conditions in a timely manner, and, depending on the systems affected, our transactional, financial, and accounting systems could be impacted for a meaningful amount of time before upgrade, expansion, or repair. Many of our processes and systems, including those related to processing and recording revenue, are highly automated and involve multiple inputs from various IT systems, which can mitigate the risk of human error but which can also make testing, troubleshooting, and auditing more difficult. As a result, it may be difficult to quickly detect and correct errors embedded in these processes or systems. Our business relies on a global supply chain of third party services providers and we are exposed to risks because we rely on the resilience, security, and legal compliance of their products and services. We rely on certain third-party computer systems and third-party service providers, including GDSs and computerized central reservation systems of the accommodation, rental car, and airline industries in connection with providing some of our services. Any damage to, breach of or interruption in these third-party services and systems or deterioration in their performance could prevent us from booking related accommodation, rental car, and airline reservations and have a material adverse effect on our business, brands, and results of operations. Third party business partners, service providers, and consultants may be given access to our computer networks. A cyberattack against one of these third parties that compromises their credentials may result in unauthorized access to our systems and data, resulting in a cyberattack against us. Furthermore, our agreements with some third-party service providers are terminable upon short notice and often do not provide recourse for service interruptions. In the event our arrangement with any such third party is terminated, we may not be able to find an alternative source of systems support on a timely basis or on commercially reasonable terms and, as a result, it could have a material adverse effect on our business and results of operations. 22 22 22 Consumers generally are concerned with security and privacy on the internet, and any publicized privacy and security problems could negatively affect consumers' willingness to provide private information or effect online commercial transactions generally, including through our services. Some of our business is conducted with third-party marketing affiliates, which may generate travel reservations through our infrastructure or through other systems. A security breach at any third-party that we conduct business with, such as the security breach experienced by Intercontinental Hotels Group Plc. in September 2022, could be perceived by consumers as a security breach of our systems and could result in negative publicity, subject us to notification requirements, damage our reputation, expose us to risk of loss or litigation and possible liability, and subject us to regulatory penalties and sanctions, even if we had no direct involvement in the breach. In addition, such third parties may not comply with applicable disclosure requirements or with parameters within which we permit them to process data, which could expose us to liability. We depend upon various third parties to process payments, including credit cards, for our merchant transactions around the world. In addition, we rely on third parties to provide credit card numbers which we use as a payment mechanism for merchant transactions. If any such third party were wholly or partially compromised or ceased or suspended operations, our cash flows could be disrupted or we may not be able to generate merchant transactions (and related revenues) for a period of time and this could have a negative effect on our business, reputation, and results of operations and, in certain cases of the insolvency of such a partner, could result in additional payments by us and loss of the total transaction value. **Current (2024):** Our processing, storage, use, and disclosure of personal data exposes us to risks of data breaches and could give rise to liabilities and/or damage our reputation. We are dependent on sophisticated software applications and computing infrastructure for the operation of our business. If threat actors such as cyber-criminals, hackers, and state-sponsored organizations are able to circumvent our security measures, including as a result of our own acts or omissions, it could result in a compromise or breach of consumer, partner, or employee data. Data security is essential to maintaining consumer and partner confidence in our services and the uninterrupted availability of our web and mobile platforms is essential for our business. Consumers may provide us with their personal identity data and payment information, which in turn attracts attention from threat actors. Cyberattacks are increasing in frequency and sophistication and are constantly evolving. We may not be able to defend against sophisticated cyberattacks from determined adversaries. In addition, our security policies and controls may not keep pace with the continuous innovation of our offerings. Vulnerabilities in our consumer and partner account security and workflow practices could and have resulted in unauthorized access to personal and confidential data. These risks are likely to increase as we expand our offerings, integrate our products and services, incorporate AI and Large Language Models, and store and process more data, including personal information and payment data. The disclosure of non-public Company-sensitive information by our workforce or other parties could lead to information loss, reputational harm, or loss of a competitive advantage. We expend significant resources to protect against security breaches and maintain or increase our systems' security. We have experienced and responded to cyberattacks, which we believe have not had a material impact on the integrity of our systems or the security of data, including personal information maintained by us. Security breaches could result in negative publicity, damage our reputation, expose us to risk of loss or litigation and possible liability, subject us to regulatory penalties and sanctions, or cause consumers to lose confidence in our security and choose to use the services of our competitors, any of which would have an adverse effect on our brands, market share, results of operations, and financial condition. See -"Cyberattacks and system vulnerabilities could lead to sustained service outages, data loss, reduced revenue, increased costs, liability claims, or harm to our competitive position." Our efforts to protect information from unauthorized access may also result in the rejection of legitimate attempts to book reservations through our services, which could result in lost business. Additionally, our consumers' personal data could be affected by security breaches at third parties upon which we rely. See - "Our business relies on a global supply chain of third party services providers and we are exposed to risks because we rely on the resilience, security, and legal compliance of their products and services." In the operation of our business, we receive and store a large volume of personally identifiable data and payment information. The handling and storage of such data, as well as privacy rights of consumers, are subject to complex and evolving laws and regulations in numerous jurisdictions. Regulations such as the European Union's General Data Protection Regulation (the "GDPR"), the California Consumer Privacy Act (the "CCPA"), the California Privacy Rights Act, and the Digital Markets Act ("DMA") add complexity and impose significant compliance obligations and costs on us. For example, under the GDPR, violations could result in fines of up to 20 million Euros or up to 4% of the annual global revenues of the infringer, whichever is greater. Several data protection authorities have imposed significant fines on companies for violations of the GDPR. These 16 16 16 regulations typically intend to protect the integrity and security of personal data that is collected, processed, and transmitted in or from the governing jurisdiction as well as to give individuals greater rights and/or control over how their data is processed. In many cases, these laws apply not only to third-party transactions, but also to transfers of information between us and our subsidiaries, including employee information. These laws and their interpretations continue to develop and may be inconsistent from jurisdiction to jurisdiction. Additionally, some of these regulations, such as the CCPA, give consumers a private right of action against companies for violations of these rules. While we invest significant resources to comply with a growing patchwork of privacy regulations, many of these regulations (such as the Personal Information Protection Law in the People's Republic of China and the Digital Personal Data Protection Act in India) are complex to implement and subject to uncertain interpretation. Non-compliance with these laws could result in negative publicity, damage to our reputation, significant penalties, or other legal liability. If laws or regulations are expanded to require changes in our business practices, or interpreted in ways that negatively affect our business, our results of operations, financial condition, or competitive position could be adversely affected. Cyberattacks and system vulnerabilities could lead to sustained service outages, data loss, reduced revenue, increased costs, liability claims, or harm to our competitive position. If our systems cannot cope with the level of demand required to service our consumers and partners, we could experience unanticipated disruptions in service, slower response times, decreased customer service and customer satisfaction, and delays in the introduction of new services. As an online business, we are dependent on the internet, connectivity, and mobile systems throughout the world. Disruptions in internet access could materially adversely affect our business and results of operations. While we maintain redundant systems and hosting services, they are not always sufficient to prevent disruption, and we do not carry business interruption insurance sufficient to compensate us for all losses that may occur. We have computer hardware for operating our services located in hosting facilities around the world. Although we have disaster recovery plans, these systems and operations are vulnerable to damage or interruption and they may not cover us in every region. If such events were to occur, we may not be able to switch to back-up systems immediately and it could result in lengthy interruptions or delays in our services. Any system failure that causes an interruption or delay in service could impair our reputation, damage our brands, increase customer service costs, or result in lost business, any of which could adversely affect our business and results of operations. We seek to increase the reliability and redundancy of our systems. These steps are expensive, may reduce our margins, and may not be successful in reducing the frequency or duration of unscheduled downtime. We have experienced targeted and organized malware, phishing, and account takeover attacks, and may in the future experience these and other forms of attack such as ransomware, SQL injection (where a third party attempts to insert malicious code into our software through data entry fields in our websites in order to gain control of the system), and attempts to use our websites as a platform to launch a denial-of-service attack on another party. Our existing security measures may not be successful in preventing attacks on our systems. For instance, we have incurred costs related to customer reimbursement and customer service, reputational harm, and lost revenue from fictitious listings and partner account takeovers. Our existing IT business continuity and disaster recovery practices are less effective against certain types of attacks such as ransomware, which could result in interruption of our services, data exposure, and/or an extortion attempt. Reductions in the availability and response time of our online services could cause loss of substantial business volumes and measures we may take to divert suspect traffic could result in the diversion of bona fide customers. These issues are more difficult to manage during any expansion of the number of places where we operate and the variety of services we offer, and as the tools and techniques used in such attacks become more advanced. We use sophisticated technology to identify cybersecurity threats; however, a cyberattack may go undetected for a period of time resulting in harm to our computer systems and the loss of data. This could result in regulatory fines and reputational harm, among other costs. Our insurance policies have coverage limits and may not be adequate to reimburse us for all losses caused by security breaches. Successful attacks could result in significant interruptions in our operations, severe damage to our information technology infrastructure, negative publicity, reputational harm, and/or prevent consumers from using our services during the attack, any of which could cause consumers to use the services of our competitors, which would have a negative effect on the value of our brands, market share, business, and results of operations. We use both internally-developed and third-party systems to operate our services, including transaction processing, order management, and financial and accounting systems. If the number of consumers using our services increases substantially, or if critical third-party systems stop operating as designed, we may need to repair, expand or upgrade our systems or infrastructure. If we are unable to meet the demand in a timely manner, it could have a negative impact on our business. Many of our processes and systems are highly automated and involve multiple inputs from various IT systems, which can mitigate the risk of human error but which can also make testing, troubleshooting, and auditing more difficult. As a result, it may be difficult to quickly detect and correct errors embedded in these processes or systems. 17 17 17 Our business relies on a global supply chain of third party services providers and we are exposed to risks because we rely on the resilience, security, and legal compliance of their products and services. We rely on certain third-party computer systems and third-party service providers, including GDSs and computerized central reservation systems of the accommodation, rental car, and airline industries in connection with providing some of our services. Any damage to, breach of, or interruption in these third-party services and systems or deterioration in their performance could prevent us from booking related reservations and have a material adverse effect on our business, brands, and results of operations. Third party business partners, service providers, and consultants may be given access to our computer networks. A cyberattack against one of these third parties that compromises their credentials may result in unauthorized access to our systems and data, resulting in a cyberattack against us. Furthermore, our agreements with some third-party service providers do not provide recourse for service interruptions, and such service interruptions could have a negative impact on our business and results of operations. Consumers generally are concerned with security and privacy on the internet, and any publicized privacy and security problems could negatively affect consumers' willingness to use our services. Some of our business is conducted with third-party marketing affiliates, which may generate travel reservations through our infrastructure or through other systems. A security breach at any third-party that we conduct business with, such as the security breach experienced by MGM Resorts International in 2023, could be perceived by consumers as a security breach of our systems and could result in negative publicity, subject us to notification requirements, damage our reputation, expose us to risk of loss or litigation, and subject us to regulatory penalties and sanctions, even if we had no direct involvement in the breach. In addition, such third parties may not comply with applicable disclosure requirements or with parameters within which we permit them to process data, which could expose us to liability. We depend upon various third parties to process payments, including credit cards, or to provide credit card numbers for payment for our merchant transactions. If any such third party were compromised or ceased or suspended operations, our cash flows could be disrupted or we may not be able to generate merchant transactions (and related revenues) for a period of time and this could have a negative effect on our business, reputation, and results of operations and, in certain cases of the insolvency of such a partner could result in additional payments by us and loss of the total transaction value. Tax Risks We may have exposure to additional tax liabilities. As an international business providing services around the world, we are subject to various taxes. Although we believe that our tax filing positions are reasonable and comply with applicable law, we regularly review them and we may change our positions or determine that previous positions should be amended, either of which could result in additional tax liabilities. The final determination of tax audits or disputes may be different from what is reflected in our historical tax provisions and accruals. We have been audited in many taxing jurisdictions. If audits find that additional taxes are due, we may be subject to incremental tax liabilities, possibly including interest and penalties, which could have a material adverse effect on our results of operations, financial condition, and cash flows. An unfavorable outcome or settlement of pending litigation or audit proceedings could encourage the commencement of additional litigation, audit proceedings, or other regulatory inquiries. See Notes 15 and 16 to our Consolidated Financial Statements for more information regarding certain tax matters and tax contingencies. Governments are increasingly focused on ways to increase tax revenues, which has contributed to an increase in audit activity, more aggressive positions taken by tax authorities, more time and difficulty to resolve any audits or disputes, and an increase in new tax legislation. Any such additional taxes or other assessments may be in excess of our current tax provisions or may require us to modify our business practices in order to reduce our exposure to additional taxes going forward, any of which could have a material adverse effect on our business, results of operations, and financial condition. The United States's Tax Cuts and Jobs Act (the "Tax Act") introduced a tax on 50% of global intangible low-taxed income ("GILTI"), which is income determined to be in excess of a specified routine rate of return on qualifying business assets. The Tax Act further introduced a base erosion and anti-abuse tax ("BEAT") aimed at preventing the erosion of the U.S. tax base and a new tax deduction with respect to certain foreign-derived intangible income. If we are unable to operate our business so that BEAT does not impact us, our effective tax rate, results of operations and cash flows would be adversely affected. The interpretation and implementation of the Tax Act have had and could have a negative impact on our results of operations and cash flows. In addition, the United States's recently enacted Inflation Reduction Act includes a 15% corporate minimum tax on book income and a 1% excise tax on stock repurchases. The interpretation and implementation of these provisions could have a negative impact on our results of operations and cash flows. Increases in the U.S. corporate income tax 18 18 18 rate, increasing the percentage of GILTI subject to tax in the United States, or other changes to U.S. federal tax laws could have a negative impact on our results of operations and cash flows. Certain countries have taken steps to unilaterally introduce a digital services tax to address the issue of multinational businesses carrying on business in their jurisdiction without a physical presence and therefore generally not being subject to income tax in those jurisdictions. These digital services taxes are calculated as a percentage of revenue rather than income or profits. The interpretation and implementation of the various digital services taxes (especially if there is inconsistency in the application of these taxes across tax jurisdictions) could adversely impact our results of operations and cash flows. Further, digital services taxes may not apply to our competitors, which could harm our business and competitive position. Additionally, there have been significant changes made and proposed to international tax laws that increase the complexity, burden, and cost of tax compliance. The Organisation for Economic Co-operation and Development ("OECD") has been working on the "base erosion and profit shifting" ("BEPS") project to ensure international tax standards keep pace with changes in global business practices. This project could change various aspects of the existing rules under which our tax obligations are determined. In 2021, more than 130 countries agreed to a new OECD framework on BEPS that, among other provisions, includes proposed changes to how the right to tax income would be allocated among countries and imposes a 15% global minimum tax. The OECD recently issued additional commentary related to the 15% minimum tax, including the intention that provisions be incorporated into law with an effective date of January 1, 2024. Several member countries outside the U.S. have adopted these rules, effective January 1, 2024. The rules for the calculation of the 15% minimum tax are complex and additional guidance continues to be issued by the OECD and its member countries. The implementation of these rules could have a negative impact on our results of operations or cash flows. Due to the large scale of our business activities outside of the United States, any changes in U.S. or international taxation of our activities, such as new definitions of permanent establishment, new nexus and profit allocation rules, or the combined effect of tax laws in multiple jurisdictions, may increase our worldwide effective tax rate, increase the complexity and costs associated with tax compliance, and adversely affect our cash flows and results of operations. We are also subject to other non-income-based taxes, such as value-added, payroll, sales, use, excise, net worth, property, hotel occupancy, and goods and services. We refer generally to taxes on travel transactions (e.g., value-added taxes, sales taxes, excise taxes, hotel occupancy taxes, etc.) as "travel transaction taxes." From time to time, we are under audit or investigation by tax authorities or involved in legal proceedings related to these non-income-based taxes or we may revise our tax positions, which may result in additional non-income-based tax liabilities. A number of jurisdictions in the United States have initiated lawsuits or other proceedings against OTCs, including us, related to, among other things, the payment of certain travel transaction taxes that could include historical taxes that are claimed to be owed, interest, penalties, punitive damages and/or attorney's fees and costs. Additional jurisdictions may assert that we are subject to travel transaction taxes and could seek to collect such taxes, either retroactively, prospectively or both. We continue to defend against these lawsuits and, where appropriate, intend to continue to assert that we should not be subject to such taxes. Although we believe we do not owe the taxes claimed in these lawsuits, litigation is uncertain, and if there was an adverse outcome in this litigation, or any similar litigation in other jurisdictions, it could result in liabilities for past and/or future bookings, and it could have an adverse effect on our business, profit margins, and results of operations. Jurisdictions could also seek to amend their tax statutes in order to collect travel transaction taxes from us on a prospective basis. Additionally, jurisdictions have adopted or may adopt laws that require us to collect and remit travel transaction or other taxes on the total travel transaction value or on behalf of travel service providers, which in some instances may negatively impact our revenue, margins, cash flows, and results of operations and may require significant and costly system changes to implement. We may not be able to maintain our "Innovation Box Tax" benefit. The Netherlands corporate income tax law provides that income generated from qualifying innovative activities is taxed at the rate of 9% beginning in January 2021 and 7% prior to 2021 ("Innovation Box Tax") rather than the Dutch statutory rate of 25%. Effective January 1, 2022, the Netherlands corporate income tax rate increased from 25% to 25.8%. A portion of Booking.com's earnings historically has qualified for Innovation Box Tax treatment. In order to be eligible for Innovation Box Tax treatment, Booking.com must, among other things, apply for and obtain a research and development ("R&D") certificate from a Dutch governmental agency every six months confirming that the activities that Booking.com intends to be engaged in over the subsequent six-month period are "innovative." The R&D certificate is current but should Booking.com fail to secure such a certificate in any future period - for example, because the 19 19 19 governmental agency does not view Booking.com's new or anticipated activities as innovative, the Innovation Box Tax benefit may be reduced or eliminated. Booking.com intends to apply for continued Innovation Box Tax treatment for future periods. However, Booking.com's application may not be accepted, or, if accepted, the amount of qualifying earnings may be reduced. The loss of the Innovation Box Tax benefit (or any material portion thereof) could substantially increase our effective tax rate and adversely impact our results of operations and cash flows in the future. --- ## Modified: Our business and financial results are subject to risks and uncertainties, which could adversely affect our business, results of operations, financial condition, and cash flows. **Prior (2023):** The risk factors section below contains a description of the significant risks facing our Company and should be carefully considered in full. The following is only a summary of the principal risks that make an investment in our securities speculative or risky. **Current (2024):** The risk factors section below contains a description of the significant risks facing our Company and should be carefully considered in full. The following is only a summary of the principal risks that make an investment in our securities speculative or risky. --- ## Modified: Risk Factors Summary **Key changes:** - Reworded sentence: "Industry and Business Risks •Adverse changes in market conditions for travel services; •The effects of competition; •Our ability to successfully manage growth and expand our global business; •Adverse changes in relationships with travel service providers and restaurants and other third parties on which we are dependent; •Our performance marketing efficiency and the effectiveness of our marketing efforts; •Our ability to respond to and keep up with the rapid pace of technological and market changes; •Our ability to attract and retain qualified personnel; Information Security, Cybersecurity, and Data Privacy Risks •Risks related to data privacy obligations and cyberattacks; •IT systems-related failures or security breaches; Tax Risks •Risks related to exposure to additional tax liabilities and maintaining tax benefits; Legal, Regulatory, Compliance, and Reputational Risks •Legal and regulatory risks; •Risks associated with the facilitation of payments; Financial Risks •Fluctuations in foreign currency exchange rates and other risks associated with doing business in multiple currencies and jurisdictions; •Financial risks including increased debt levels and stock price volatility; and •Success of investments and acquisitions, including integration of acquired businesses." **Prior (2023):** Industry and Business Risks •Adverse changes in market conditions for travel services; •The effects of competition; •Our ability to successfully manage growth and expand our global business; •The adverse impact of the COVID-19 pandemic on our business, financial performance, and travel demand; •Adverse changes in relationships with travel service providers and restaurants and other third parties on which we are dependent; •Our performance marketing efficiency and the general effectiveness of our marketing efforts; •Our ability to respond to and keep up with the rapid pace of technological and market changes; •Our ability to attract and retain qualified personnel; •Any change by our search and meta-search partners in how they present travel search results or conduct their auctions for search placement that would impact us negatively; •Any write-downs or impairments of goodwill or intangible assets related to acquisitions or investments, any increases in provisions for expected credit losses on receivables from and cash advances made to our travel service provider and restaurant partners, and any increases in cash outlays to refund consumers for prepaid reservations; Information Security, Cybersecurity, and Data Privacy Risks •Risks related to data privacy obligations and cyberattacks; •IT systems-related failures or security breaches; Legal, Tax, Regulatory, Compliance, and Reputational Risks •Tax, legal, and regulatory risks; •Risks associated with the facilitation of payments; Financial Risks •Fluctuations in foreign currency exchange rates and other risks associated with doing business in multiple currencies and jurisdictions; •Financial risks including increased debt levels and stock price volatility; and •Success of investments and acquisitions, including integration of acquired businesses. **Current (2024):** Industry and Business Risks •Adverse changes in market conditions for travel services; •The effects of competition; •Our ability to successfully manage growth and expand our global business; •Adverse changes in relationships with travel service providers and restaurants and other third parties on which we are dependent; •Our performance marketing efficiency and the effectiveness of our marketing efforts; •Our ability to respond to and keep up with the rapid pace of technological and market changes; •Our ability to attract and retain qualified personnel; Information Security, Cybersecurity, and Data Privacy Risks •Risks related to data privacy obligations and cyberattacks; •IT systems-related failures or security breaches; Tax Risks •Risks related to exposure to additional tax liabilities and maintaining tax benefits; Legal, Regulatory, Compliance, and Reputational Risks •Legal and regulatory risks; •Risks associated with the facilitation of payments; Financial Risks •Fluctuations in foreign currency exchange rates and other risks associated with doing business in multiple currencies and jurisdictions; •Financial risks including increased debt levels and stock price volatility; and •Success of investments and acquisitions, including integration of acquired businesses. --- *Data sourced from SEC EDGAR. Last updated 2026-05-10.*