IQVIA Holdings Inc.: 10-K Risk Factor Changes

•Consolidation in the industries in which our clients operate may reduce the volume of services purchased by consolidated clients following an acquisition or merger. •We may be adversely affected by client or therapeutic concentration. •Our relationships with existing or potential clients who are in competition with each other may adversely impact the degree to which other clients or potential clients use our services. •There is a risk that we may initiate a clinical trial for a client, and then the client becomes unwilling or unable to fund the completion of the clinical trial, and we may be ethically bound to complete or wind down the clinical trial at our own expense. 18 18 18

•Consolidation in the industries in which our clients operate may reduce the volume of services purchased by consolidated clients following an acquisition or merger. •We may be adversely affected by client or therapeutic concentration. •Our relationships with existing or potential clients who are in competition with each other may adversely impact the degree to which other clients or potential clients use our services. •There is a risk that we may initiate a clinical trial for a client, and then the client becomes unwilling or unable to fund the completion of the clinical trial, and we may be ethically bound to complete or wind down the clinical trial at our own expense. 19 19 19

We operate in businesses that require sophisticated computer systems and software for data collection, data processing, cloud-based platforms, analytics, cryptography, statistical projections and forecasting, mobile computing, social media analytics and other applications and technologies. We are building AI technologies into internal applications and solutions we use with others, including clients; we expect the use of AI to continue to grow. The development, deployment, and commercialization of certain AI‑enabled offerings and services involve significant uncertainty, including risks that models may not perform as intended, may produce incomplete, misleading, or biased outputs, or may not be adopted by customers at the pace or scale we expect. We seek to address some of our technology risks by increasing our reliance on the use of innovations by cross-industry technology leaders and adapt these for our biopharmaceutical and healthcare industry clients. Some of these technologies supporting the industries we serve are changing rapidly and we must continue to adapt to these changes in a timely and effective manner at an acceptable cost. We also must continue to deliver data to our clients in forms that are easy to use while simultaneously providing clear answers to complex questions. There can be no guarantee that we will be able to develop, acquire or integrate new technologies, that these new technologies will meet our needs or those of our clients’ needs or achieve expected investment goals, or that we will be able to do so as quickly or cost-effectively as our competitors. Significant technological change could render certain of our services obsolete. If our investments in AI‑enabled services and offerings do not keep pace with rapid innovation by competitors or technology providers, or if alternative AI solutions evolve more quickly or are more cost‑effective than our offerings, certain of our existing services or platforms could become less competitive or economically viable. Moreover, the introduction of new services embodying new technologies could render certain of our existing services obsolete. Our continued success will depend on our ability to adapt to changing technologies, manage and process ever-increasing amounts of data and information and improve the performance, features and reliability of our services in response to changing client and industry demands. We may experience difficulties that could delay or prevent the successful design, development, testing, introduction or marketing of our services. New services, or enhancements to existing services, may not adequately meet our own requirements or those of current and prospective clients or achieve any degree of significant market acceptance. Regulations relating to the use of AI and the interpretation of those regulations by regulators, courts and others are in the early stages of development and evolving, which may make it difficult to identify or implement adequate compliance requirements or suitable governance practices to meet those requirements, including the activities described in Item 1. Artificial Intelligence in this Annual Report on Form 10-K. These types of failures could have a material adverse effect on our operating results, financial condition and reputation.

We operate in businesses that require sophisticated computer systems and software for data collection, data processing, cloud-based platforms, analytics, cryptography, statistical projections and forecasting, mobile computing, social media analytics and other applications and technologies, particularly in our Technology & Analytics Solutions and Research & Development Solutions businesses. We are building artificial intelligence (AI) technologies into internal applications and solutions we use with others, including clients; we expect the use of AI to grow. We seek to address some of our technology risks by increasing our reliance on the use of innovations by cross-industry technology leaders and adapt these for our biopharmaceutical and healthcare industry clients. Some of these technologies supporting the industries we serve are changing rapidly and we must continue to adapt to these changes in a timely and effective manner at an acceptable cost. We also must continue to deliver data to our clients in forms that are easy to use while simultaneously providing clear answers to complex questions. There can be no guarantee that we will be able to develop, acquire or integrate new technologies, that these new technologies will meet our needs or those of our clients’ needs or achieve expected investment goals, or that we will be able to do so as quickly or cost-effectively as our competitors. Significant technological change could render certain of our services obsolete. Moreover, the introduction of new services embodying new technologies could render certain of our existing services obsolete. Our continued success will depend on our ability to adapt to changing technologies, manage and process ever-increasing amounts of data and information and improve the performance, features and reliability of our services in response to changing client and industry demands. We may experience difficulties that could delay or prevent the successful design, development, testing, introduction or marketing of our services. New services, or enhancements to existing services, may not adequately meet our own requirements or those of current and prospective clients or achieve any degree of significant market acceptance. Regulations relating to the use of AI and the interpretation of those regulations by regulators, courts and others are in the early stages of development and evolving, which may make it difficult to identify adequate compliance requirements or suitable governance practices to meet those requirements. These types of failures could have a material adverse effect on our operating results, financial condition and reputation.

The confidentiality, collection, use, retention, security, transfer and disclosure of personal information is subject to governmental regulation in the countries where the personal information was collected or processed. 23 23 23 For example, United States federal regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) create specific requirements for the protection of the privacy and security of certain individually-identifiable health information, specifically protected health information (PHI). These provisions apply to both “covered entities” (health care providers, health care plans, and clearinghouses) and their “business associates” (service providers who process PHI on behalf of the covered entity). When acting as a HIPAA covered entity or as a business associate of a covered entity, there can be liability for improper processing of PHI. Under HIPAA’s enforcement scheme, overseen by the US Department of Health and Human Services, covered entities and business associates may be subject to significant penalties and fines in connection with HIPAA violations, along with the potential for significant other expenditures related to these activities. Privacy laws and regulations in all regions of the world are designed to ensure that information about an individual is properly protected from inappropriate access, use and disclosure. Such laws and regulations also include the European Union’s (“EU”) General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil’s General Data Protection Law (LGPR), India’s Digital Personal Data Protection Act (DPDP Act), Japan’s Act on the Protection of Personal Information (APPI), China’s Personal Information Protection Law (PIPL) and many other data protection and privacy laws at the national, state/provincial and local level. Under most laws and regulations around the world, any information that relates to an identifiable natural person is considered “personal information”. In general, health information related to an identifiable person is considered “sensitive personal information” and is highly regulated. Processing health information carries additional obligations under these laws and regulations, often including the need to obtain the explicit consent of the individual for collection, use or disclosure of the information. In many countries, there are restrictions related to the cross-border transfer of personal information to other countries, including the need to put measures in place to allow the data transfer to occur. For example, registration with the EU-US Data Protection Framework (DPF) allows the transfer of data from the EU to US. For companies not registering with the DPF, another means of legalizing the transfer is the use of standard contractual clauses. In addition, in several countries around the world there are requirements to maintain personal information or sensitive personal information within that particular country under their data localization laws. We have established frameworks, models, processes and technologies to manage privacy, data protection and security for many data types, from a variety of sources, and under a myriad of privacy and data protection laws. In addition, we rely on our data suppliers to deliver information to us in a form and in a manner that complies with applicable privacy laws and regulations. These laws and regulations are complex, and there is no assurance that the safeguards and controls employed by us or our data suppliers will be sufficient to prevent a breach of these laws or regulations, or that claims will not be filed against us or our data suppliers despite such safeguards and controls. Failure to comply with such laws, certain certification/registration and annual re-certification/registration provisions associated with these data protection and privacy regulations, and similar rules in various jurisdictions, or to resolve any serious privacy complaints, may result in, among other things, regulatory sanctions, criminal prosecution, civil liability, negative publicity, damage to our reputation, or data being blocked from use or liability under contractual provisions. Laws and expectations relating to privacy continue to evolve, and we continue to adapt to changing needs. For example, the definition of “personally identifiable information” and “personal data” continues to evolve and broaden and many new laws and regulations are being enacted. In addition, certain established programs have been (or are at risk of being) declared invalid (such as the EU-U.S. Privacy Shield framework that operated for several years but was struck down by the European Court of Justice in July, 2020). While the replacement for the EU-U.S. Privacy Shield (the EU-U.S. Data Privacy Framework or “DPF”) has been approved for the transfer of personal data from the EU to certified companies in the U.S., the DPF is also subject to legal challenges and potential invalidation, thereby rendering data transfers from the EU to the US legally uncertain and keeping the area of data transfers in a state of flux. Changes to these programs may adversely impact our ability to provide services to our clients or develop new products or services. Federal, state and foreign governments are contemplating or have proposed or adopted new privacy laws and regulations or modifications to existing privacy laws and regulations, including by amendment, replacement or interpretation through judicial or administrative decisions. New or modified privacy laws or regulations might, among other things, require us to implement new security measures and processes or bring within the scope of the privacy law or regulation other data not currently regulated, each of which may require substantial expenditures or limit our ability to offer some of our services. Additionally, changes in privacy laws and regulations may limit our data access, use and disclosure, and may require increased expenditures by us or may dictate that we not offer certain types of services. Any of the foregoing may have a material adverse impact on our ability to provide services to our clients or maintain our profitability. 24 24 24 There is ongoing concern from privacy advocates, regulators and others regarding data protection and privacy issues, and the number of jurisdictions with privacy laws and regulations has been increasing. Also, there are ongoing public policy discussions and legal challenges regarding whether the standards for de-identified, anonymous or pseudonymized health information are sufficient, and the risk of re-identification sufficiently small, to adequately protect patient privacy. These discussions may lead to further restrictions on the use of such information. There can be no assurance that these initiatives or future initiatives will not adversely affect our ability to access and use data or to develop or market current or future services. Many privacy laws and regulations protect more than patient information, and although they vary by jurisdiction, these laws can extend to employee information, business contact information, provider information and other information relating to identifiable individuals. Failure to comply with these laws may result in, among other things, civil and criminal liability, negative publicity, damage to our reputation and liability under contractual provisions. In addition, compliance with such laws may require increased costs to us or may dictate that we not offer certain types of services. The occurrence of any of the foregoing could impact our ability to provide the same level of service to our clients, require us to modify our offerings or increase our costs, which could materially and adversely affect our operating results and financial condition.

The confidentiality, collection, use, retention, security, transfer and disclosure of personal data, including individually identifiable health information and clinical trial patient-specific information, are subject to governmental regulation generally in the country that the personal data were collected or used (collectively, "Privacy Laws"). For example, United States federal regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) create specific requirements for the protection of the privacy and security of individual health information. These provisions apply to both “covered entities” (primarily health care providers and health insurers) and their “business associates” or service providers. As there are some instances where we are a HIPAA “business associate” of a “covered entity,” we can be directly liable for mishandling protected health information. Under HIPAA’s enforcement scheme, we can be subject to significant penalties in connection with HIPAA violations, along with the potential for significant other expenditures related to these activities. These rules require individuals’ written authorization in many situations, in addition to any required informed consent, before protected health information may be used for research. We are both directly and indirectly affected by the privacy provisions surrounding individual authorizations because many investigators with whom we are involved in clinical trials are directly subject to them and because we obtain identifiable health information from third parties that are subject to such various Privacy Laws. In general, patient health information is among the most sensitive (and highly regulated) of personal information. Privacy Laws in the United States and around the world are designed to ensure that information about an individual’s healthcare is properly protected from inappropriate access, use and disclosure. Privacy Laws also include the European Union’s (“EU”) General Data Protection Regulation, Canada’s Personal Information Protection and Electronic Documents Act and other data protection, privacy, data security, data localization and similar national, state/provincial and local laws. In the EU and in many other regions or countries, personal data includes any information that relates to an identifiable natural person. Health information about an identifiable person carries additional obligations under these laws, including obtaining the explicit consent from the individual for collection, use or disclosure of the information. In addition, we are subject to EU rules with respect to cross-border transfers of such data out of the EU (along with similar data transfer requirements or data localization requirements in other countries). We have established frameworks, models, processes and technologies to manage privacy and security for many data types, from a variety of sources, and under a myriad of Privacy Laws. In addition, we rely on our data suppliers to deliver information to us in a form and in a manner that complies with applicable Privacy Laws. These laws are complex and there is no assurance that the safeguards and controls employed by us or our data suppliers will be sufficient to prevent a breach of these laws, or that claims will not be filed against us or our data suppliers despite such safeguards and controls. Failure to comply with such laws, certain certification/registration and annual re-certification/registration provisions associated with these data protection and privacy regulations, and similar rules in various jurisdictions, or to resolve any serious privacy complaints, may result in, among other things, regulatory sanctions, criminal prosecution, civil liability, negative publicity, damage to our reputation, or data being blocked from use or liability under contractual provisions. Laws and expectations relating to privacy continue to evolve, and we continue to adapt to changing needs. For example, the definition of “personally identifiable information” and “personal data” continues to evolve and broaden and many new laws and regulations are being enacted. In addition, certain established programs have been (or are at risk of being) declared invalid (such as the EU-U.S. Privacy Shield framework that operated for several years but was struck down by the European Court of Justice in July, 2020). While the replacement for the EU-U.S. Privacy Shield (the EU-U.S. Data Privacy Framework or “DPF”) has been approved for the transfer of personal data from the EU to certified companies in the U.S., the DPF is also subject to legal challenges and potential invalidation, thereby rendering data transfers from the EU to the US legally uncertain and keeping the area of data transfers in a state of flux. Changes to these programs may adversely impact our ability to provide services to our clients or develop new products or services. Federal, state and foreign governments are contemplating or have proposed or adopted new Privacy Laws or modifications to existing Privacy Laws, including by amendment, replacement or interpretation through judicial or administrative decisions. New or modified Privacy Laws might, among other things, require us to implement new security measures and processes or bring within the scope of the Privacy Law other data not currently regulated, each of which may require substantial expenditures or limit our ability to offer some of our services. Additionally, changes in Privacy Laws may limit our data access, use and disclosure, and may require increased expenditures by us or may dictate that we not offer certain types of services. Any of the foregoing may have a material adverse impact on our ability to provide services to our clients or maintain our profitability. 25 25 25 There is ongoing concern from privacy advocates, regulators and others regarding data protection and privacy issues, and the number of jurisdictions with Privacy Laws has been increasing. Also, there are ongoing public policy discussions regarding whether the standards for de-identified, anonymous or pseudonymized health information are sufficient, and the risk of re-identification sufficiently small, to adequately protect patient privacy. These discussions may lead to further restrictions on the use of such information. There can be no assurance that these initiatives or future initiatives will not adversely affect our ability to access and use data or to develop or market current or future services. Many Privacy Laws protect more than patient information, and although they vary by jurisdiction, these laws can extend to employee information, business contact information, provider information and other information relating to identifiable individuals. Failure to comply with these laws may result in, among other things, civil and criminal liability, negative publicity, damage to our reputation and liability under contractual provisions. In addition, compliance with such laws may require increased costs to us or may dictate that we not offer certain types of services. The occurrence of any of the foregoing could impact our ability to provide the same level of service to our clients, require us to modify our offerings or increase our costs, which could materially and adversely affect our operating results and financial condition.

The United States Congress continues to consider healthcare reform legislation and impose health industry cost containment measures, which may significantly impact the biopharmaceutical industry. In addition, numerous government bodies are considering or have adopted various healthcare reforms and may undertake, or are in the process of undertaking, efforts to control growing healthcare costs through legislation, regulation and voluntary agreements with medical care providers and biopharmaceutical companies. We are uncertain as to the effects of these recent reforms on our business and are unable to predict what legislative proposals, if any, will be adopted in the future. If regulatory cost containment efforts limit the profitability of new drugs by, for example, continuing to place downward pressure on pharmaceutical pricing and/or increasing regulatory burdens and operating costs of the biopharmaceutical industry, our clients may reduce their research and development spending or promotional, marketing and sales expenditures, which could reduce the business they outsource to us. Any significant change in regulations, such as the Inflation Reduction Act of 2022 (IRA), which contains drug price negotiation provisions, or change in the interpretation of existing regulations, could reduce demand for our offerings or increase our expenses. For example, in May 2025, the Trump administration issued an executive order entitled “Delivering Most-Favored-Nation Prescription Drug Pricing to American Patients,” which, among other things, directs the HHS and other agencies to communicate most-favored-nation price targets to pharmaceutical manufacturers to bring prices for U.S. patients in line with comparably developed nations and to facilitate direct-to-consumer purchasing programs. It is currently unclear whether and to what extent these measures will be implemented and what impact any such implementation would have on our business. In addition, changes to the Medicaid program or the federal 340B drug pricing program, which imposes ceilings on prices that drug manufacturers can charge for medications sold to certain health care facilities, could have a material impact on our customers, which could reduce demand for our services. Similarly, if regulatory requirements are relaxed or simplified drug approval procedures are adopted, the demand for our services could decrease. Foreign and domestic government bodies have adopted and may continue to adopt new healthcare legislation or regulations that are more burdensome than existing regulations. For example, product safety concerns and recommendations by the Drug Safety Oversight Board could change the regulatory environment for drug products, and new or heightened regulatory and licensing requirements may increase our expenses or limit or delay our ability to offer some of our services. We might have to incur additional costs to comply with these or other new regulations, and failure to comply could harm our financial condition, results of operations, cash flows, and reputation, and result in adverse legal action(s). Additionally, new or heightened regulatory requirements may have a negative impact on the ability of our clients to conduct industry-sponsored clinical trials, which could reduce the need for our services.

The United States Congress continues to consider healthcare reform legislation and impose health industry cost containment measures, which may significantly impact the biopharmaceutical industry. In addition, numerous government bodies are considering or have adopted various healthcare reforms and may undertake, or are in the process of undertaking, efforts to control growing healthcare costs through legislation, regulation and voluntary agreements with medical care providers and biopharmaceutical companies. We are uncertain as to the effects of these recent reforms on our business and are unable to predict what legislative proposals, if any, will be adopted in the future. If regulatory cost containment efforts limit the profitability of new drugs by, for example, continuing to place downward pressure on pharmaceutical pricing and/or increasing regulatory burdens and operating costs of the biopharmaceutical industry, our clients may reduce their research and development spending or promotional, marketing and sales expenditures, which could reduce the business they outsource to us. For example, in August 2022, the Inflation Reduction Act was signed into law in the United States, which, among other things, requires manufacturers of certain drugs to engage in price negotiations with Medicare (beginning in 2026), imposes rebates under Medicare Part B and Medicare Part D to penalize price increases that outpace inflation (first due in 2023), and replaces the Part D coverage gap discount program with a new discounting program (beginning in 2025). In addition, changes to the Medicaid program or the federal 340B drug pricing program, which imposes ceilings on prices that drug manufacturers can charge for medications sold to certain health care facilities, could have a material impact on our customers, which could reduce demand for our services. Similarly, if regulatory requirements are relaxed or simplified drug approval procedures are adopted, the demand for our services could decrease. Foreign and domestic government bodies have adopted and may continue to adopt new healthcare legislation or regulations that are more burdensome than existing regulations. For example, product safety concerns and recommendations by the Drug Safety Oversight Board could change the regulatory environment for drug products, and new or heightened regulatory and licensing requirements may increase our expenses or limit or delay our ability to offer some of our services. We might have to incur additional costs to comply with these or other new regulations, and failure to comply could harm our financial condition, results of operations, cash flows, and reputation, and result in adverse legal action(s). Additionally, new or heightened regulatory requirements may have a negative impact on the ability of our clients to conduct industry-sponsored clinical trials, which could reduce the need for our services.

While we have determined that, at this time, environmental events do not present a material risk to our business given the nature of our activities, we continue to evaluate and mitigate our business risks associated with environmental events, and we recognize that there are inherent climate-related risks wherever business is conducted. Any of our office or IT systems locations may be vulnerable to the adverse effects of environmental events. Furthermore, environmental events may impact patients in our clinical trials and our employees, particularly where they work remotely. Changing market dynamics, global policy developments, and the increasing frequency and impact of extreme weather events on critical infrastructure have the potential to disrupt our business, the business of our third-party suppliers, and the business of our customers, and may cause us to experience losses and additional costs to maintain or resume operations.

While we have determined that, at this time, climate change does not present a material risk to our business given the nature of our activities, we continue to evaluate and mitigate our business risks associated with climate change, and we recognize that there are inherent climate-related risks wherever business is conducted. Any of our office or IT systems locations may be vulnerable to the adverse effects of climate change. Furthermore, climate change may impact patients in our clinical trials and our employees, particularly where they work remotely. Changing market dynamics, global policy developments, and the increasing frequency and impact of extreme weather events on critical infrastructure have the potential to disrupt our business, the business of our third-party suppliers, and the business of our customers, and may cause us to experience losses and additional costs to maintain or resume operations.

We are subject to rapidly changing and varied expectations and requirements on sustainability-related issues, from a wide range of stakeholders, such as governmental and self-regulatory organizations, including the Securities and Exchange Commission, U.S. federal and state governments, New York Stock Exchange, and the European Union, as well as our investors, customers and suppliers. In addition, many of our stakeholders have diverging demands, perspectives and preferences on a variety of sustainability topics. We may not be able to meet the diverging expectations and demands of all of our stakeholders, which could result in an adverse impact on our business, financial results, stock price or reputation, and subject us to legal, reputational and operational risks. For example, U.S. federal, state and local governmental authorities, as well as governmental authorities in various jurisdictions, have proposed or implemented and are likely to continue to propose or implement, legislative and regulatory initiatives around corporate governance and environmental and social practices and disclosures. Compliance with such evolving expectations, rules and regulations, including any that may emerge in the future as well as customer expectations and requirements, could increase the cost and complexity of operating our business, and could adversely impact us. In addition, various jurisdictions have adopted or proposed laws, regulations and policies that diverge from, or potentially conflict with, those adopted or proposed in other jurisdictions, making compliance more difficult and uncertain. Failure to comply with any law, regulation or policy, including as a result of making good faith interpretations that may differ from those taken by authorities in relevant jurisdictions, could potentially result in legal, reputational and operational risks. In addition, compliance with new laws, regulations, and reporting requirements may increase our costs, result in disclosures of potentially competitively sensitive information, or may cause us to be targeted by activists, regulators, or others who want us to take a different approach to such matters or increase our disclosures or commitments. Furthermore, any actual or perceived failure to achieve our current and future sustainability goals, including those which result from customer expectations or requirements, or to act responsibly with respect to such matters or to effectively respond to new or additional sustainability-related legal or regulatory requirements, could result in adverse publicity and adversely affect our business and reputation. There is no assurance that we will be able to successfully achieve any sustainability-related goal or execute on any sustainability-related strategy, or adequately meet stakeholder expectations with respect to such matters. In addition, certain environmental and sustainability disclosures and commitments we make may be reliant in part or in whole on third party information, which we cannot verify the quality of, and third party performance, which we cannot guarantee. We may fail to meet our environmental and sustainability commitments either entirely or on the schedule we commit to. 30 30 30

There has been increasing public focus by investors, customers, environmental activists, the media, and governmental and nongovernmental organizations on a variety of environmental and sustainability matters. In light of the importance of this to our internal and external stakeholders, if we are not effective in addressing environmental and sustainability matters affecting our business, or setting and meeting relevant sustainability goals, our reputation and financial results may suffer. We may experience increased costs in order to execute upon our sustainability goals and measure achievement of those goals, which could have an adverse impact on our business and financial condition. In addition, this emphasis on environmental and sustainability matters has resulted and may result in the adoption of new laws and regulations, including new reporting requirements (including, but not limited to the EU Corporate Sustainability Reporting Directive, the EU Taxonomy, and the EU Corporate Sustainability Due Diligence Directive). Such rules may require us to incur significant additional costs to comply, including the implementation of significant additional internal controls processes and procedures regarding matters that have not been subject to such controls in the past, and impose increased oversight obligations on our management and Board. If we fail to comply with new laws, regulations, or reporting requirements, our reputation and business could be adversely impacted. In addition, compliance with new laws, regulations, and reporting requirements may increase our costs, result in disclosures of potentially competitively sensitive information, or may cause us to be targeted by activists, regulators, or others who want us to take a different approach to such matters or increase our disclosures or commitments. In addition, certain environmental and sustainability disclosures and commitments we make may be reliant in part or in whole on third party information, which we cannot verify the quality of, and third party performance, which we cannot guarantee. We may fail to meet our environmental and sustainability commitments either entirely or on the schedule we commit to.