Palo Alto Networks Inc.: 10-K Risk Factor Changes

Our income tax obligations are based in part on our corporate structure and intercompany arrangements, including the manner in which we develop, value, and use our intellectual property and the valuations of our intercompany transactions. The tax laws applicable to our business, including the laws of the United States and various other jurisdictions, are subject to interpretation and certain jurisdictions may aggressively interpret their laws, regulations, and policies, including in an effort to raise additional tax revenue. The tax authorities of the jurisdictions in which we operate may challenge our methodologies for valuing developed or acquired technology or determining the proper charges for intercompany arrangements, which could increase our worldwide effective tax rate, harm our financial position and operating results, and have a negative effect on our cash flow. For example, beginning in fiscal 2023, we were required to capitalize and amortize research and development expenses as required by the Tax Cuts and Jobs Act. As a result of this change and our increased profitability, we have paid significantly more U.S. cash taxes during fiscal 2024 and we expect our cash tax payments to increase in future periods. Some tax authorities of jurisdictions other than the United States may seek to assert extraterritorial taxing rights on our transactions or operations. It is possible that domestic or international tax authorities may subject us to tax examinations, or audits, and such tax authorities may disagree with certain positions we have taken, and any adverse outcome of such an examination, review or audit could result in additional tax liabilities and penalties and otherwise have a negative effect on our financial position, operating results, and cash flow. Further, the determination of our worldwide provision for or benefit from income taxes and other tax liabilities requires significant judgment by management, and there are transactions where the ultimate tax determination is uncertain. Although we believe that our estimates are reasonable, the ultimate tax outcome may differ from the amounts recorded on our consolidated financial statements and may materially affect our financial results in the period or periods for which such determination is made. In addition, our future income tax obligations could be adversely affected by changes in, or interpretations of, tax laws, regulations, policies, or decisions in the United States or in the other jurisdictions in which we operate.

Our income tax obligations are based in part on our corporate structure and intercompany arrangements, including the manner in which we develop, value, and use our intellectual property and the valuations of our intercompany transactions. The tax laws applicable to our business, including the laws of the United States and various other jurisdictions, are subject to interpretation and certain jurisdictions may aggressively interpret their laws, regulations, and policies, including in an effort to raise additional tax revenue. The tax authorities of the jurisdictions in which we operate may challenge our methodologies for valuing developed or acquired technology or determining the proper charges for intercompany arrangements, which could increase our worldwide effective tax rate and harm our financial position and operating results. Some tax authorities of jurisdictions other than the United States may seek to assert extraterritorial taxing rights on our transactions or operations. It is possible that domestic or international tax authorities may subject us to tax examinations, or audits, and such tax authorities may disagree with certain positions we have taken, and any adverse outcome of such an examination, review or audit could result in additional tax liabilities and penalties and otherwise have a negative effect on our financial position and operating results. Further, the determination of our worldwide provision for or benefit from income taxes and other tax liabilities requires significant judgment by management, and there are transactions where the ultimate tax determination is uncertain. Although we believe that our estimates are reasonable, the ultimate tax outcome may differ from the amounts recorded on our consolidated financial statements and may materially affect our financial results in the period or periods for which such determination is made. In addition, our future income tax obligations could be adversely affected by changes in, or interpretations of, tax laws, regulations, policies, or decisions in the United States or in the other jurisdictions in which we operate.

There is an increasing focus from regulators, certain investors, and other stakeholders concerning ESG matters, both in the United States and internationally. We communicate certain ESG-related initiatives, goals, and/or commitments regarding environmental matters, diversity, responsible sourcing and social investments, and other matters in our annual ESG Report, on our website, in our filings with the SEC, and elsewhere. These initiatives, goals, or commitments could be difficult to achieve and costly to implement. We could fail to achieve, or be perceived to fail to achieve, our ESG-related initiatives, goals, or commitments. In addition, we could be criticized for the timing, scope or nature of these initiatives, goals, or commitments, or for any revisions to them. To the extent that our required and voluntary disclosures about ESG matters increase, we could be criticized for the accuracy, adequacy, or completeness of such disclosures. Our actual or perceived failure to achieve our ESG-related initiatives, goals, or commitments could negatively impact our reputation, result in ESG-focused investors not purchasing and holding our stock, or otherwise materially harm our business. In addition, we are or may become subject to various new and proposed climate-related and other sustainability-related laws and regulations, including, for example, the E.U.’s Corporate Sustainability Reporting Directive. Additional regulation may require us to incur significant additional costs associated with increased compliance burdens, including the implementation of additional internal controls processes and procedures, and impose increased oversight obligations on our management and board of directors, as well as require us to retain third-party experts. Noncompliance with applicable regulations or requirements could subject us to investigations, sanctions, enforcement actions, fines or litigation, which could negatively impact our business, operating results or financial condition.

There is an increasing focus from regulators, certain investors, and other stakeholders concerning ESG matters, both in the United States and internationally. We communicate certain ESG-related initiatives, goals, and/or commitments regarding environmental matters, diversity, responsible sourcing and social investments, and other matters in our annual ESG Report, on our website, in our filings with the SEC, and elsewhere. These initiatives, goals, or commitments could be difficult to achieve and costly to implement. We could fail to achieve, or be perceived to fail to achieve, our ESG-related initiatives, goals, or commitments. In addition, we could be criticized for the timing, scope or nature of these initiatives, goals, or commitments, or for any revisions to them. To the extent that our required and voluntary disclosures about ESG matters increase, we could be criticized for the accuracy, adequacy, or completeness of such disclosures. Our actual or perceived failure to achieve our ESG-related initiatives, goals, or commitments could negatively impact our reputation, result in ESG-focused investors not purchasing and holding our stock, or otherwise materially harm our business. - 30 - - 30 - - 30 - Table of Contents Table of Contents

We have incorporated, and are continuing to develop and deploy, AI into many of our products and solutions, including services that support our products and solutions. We are also incorporating AI into the operations of our business. AI presents challenges and risks that could affect our products and solutions, and the operations of our business. For example, AI algorithms may have flaws, and datasets used to train models may be insufficient or contain biased information. The AI that is being incorporated into our products, solutions, and business operation tools may not be successful or beneficial, and instead may cause technical, legal or ethical problems or result in increased costs. The investments that we are making across our business in AI reflect our ongoing efforts to innovate and provide products and services that are useful to our customers, as well as provide efficiencies in our business. Such investments ultimately may not be commercially viable or may not result in an adequate return of capital and we may incur unanticipated liabilities. These efforts could subject us to regulatory risk, legal liability, including under new proposed legislation regulating AI in jurisdictions such as the E.U. and regulations being considered in other jurisdictions, or brand or reputational harm. The rapid evolution of AI, including potential government regulation of AI, requires us to invest significant resources to develop, test, and maintain AI in our products and services in a manner that meets evolving requirements and expectations. The rules and regulations adopted by policymakers over time may require us to make changes to our business practices. Developing, testing, and deploying AI systems may also increase the cost profile of our offerings due to the nature of the computing costs involved in such systems. The intellectual property ownership and license rights surrounding AI technologies, as well as data protection laws related to the use and development of AI, are currently not fully addressed by courts or regulators. The use or adoption of AI technologies in our products may result in exposure to claims by third parties of copyright infringement or other intellectual property misappropriation, which may require us to pay compensation or license fees to third parties. The evolving legal, regulatory, and compliance framework for AI technologies may also impact our ability to protect our own data and intellectual property against infringing use.

We have incorporated, and are continuing to develop and deploy, AI into many of our products and solutions, including services that support our products and solutions. AI presents challenges and risks that could affect our products and solutions, and therefore our business. For example, AI algorithms may have flaws, and datasets used to train models may be insufficient or contain biased information. These potential issues could subject us to regulatory risk, legal liability, including under new proposed legislation regulating AI in jurisdictions such as the EU and regulations being considered in other jurisdictions, and brand or reputational harm. The rapid evolution of AI, including potential government regulation of AI, requires us to invest significant resources to develop, test, and maintain AI in our products and services in a manner that meets evolving requirements and expectations. The rules and regulations adopted by policymakers over time may require us to make changes to our business practices. Developing, testing, and deploying AI systems may also increase the cost profile of our offerings due to the nature of the computing costs involved in such systems. - 21 - - 21 - - 21 - Table of Contents Table of Contents The intellectual property ownership and license rights surrounding AI technologies, as well as data protection laws related to the use and development of AI, are currently not fully addressed by courts or regulators. The use or adoption of AI technologies in our products may result in exposure to claims by third parties of copyright infringement or other intellectual property misappropriation, which may require us to pay compensation or license fees to third parties. The evolving legal, regulatory, and compliance framework for AI technologies may also impact our ability to protect our own data and intellectual property against infringing use.

We have business operations in Israel and intend to continue growing our presence in Israel. Our operations in Israel could be disrupted by political instability, civil unrest, terrorist attacks, acts of violence, acts of war, or other military actions, including the hostilities in Israel and the surrounding region. The future of peace efforts between Israel and its Arab neighbors remains uncertain. The effects of hostilities and violence on the Israeli economy and our operations in Israel are unclear, and we cannot predict the effect on us of further increases in these hostilities or future armed conflict, political instability, or violence in the region. Current or future tensions and conflicts in the Middle East could adversely affect our business, operating results, financial condition, and cash flows. In addition, many of our employees in Israel are obligated to perform annual reserve duty in the Israeli military and are subject to being called for active duty under emergency circumstances, which has occurred as a result of hostilities in Israel and the surrounding region. We cannot predict the full impact of these conditions on us in the future, particularly if emergency circumstances or an escalation in the political situation occurs. If many of our employees in Israel are called for active duty for a significant period of time, our operations and our business could be disrupted and may not be able to function at full capacity. Any disruption in our operations in Israel could adversely affect our business.

As a result of various of our acquisitions, including Cider, Cyber Secdo Ltd. (“Secdo”), PureSec Ltd. (“PureSec”), and Twistlock Ltd. (“Twistlock”), we have offices and employees located in Israel. Accordingly, political, economic, and military conditions in Israel directly affect our operations, including the recent political unrest in Israel. The future of peace efforts between Israel and its Arab neighbors remains uncertain. The effects of hostilities and violence on the Israeli economy and our operations in Israel are unclear, and we cannot predict the effect on us of further increases in these hostilities or future armed conflict, political instability, or violence in the region. Current or future tensions and conflicts in the Middle East could adversely affect our business, operating results, financial condition, and cash flows. In addition, many of our employees in Israel are obligated to perform annual reserve duty in the Israeli military and are subject to being called for active duty under emergency circumstances. We cannot predict the full impact of these conditions on us in the future, particularly if emergency circumstances or an escalation in the political situation occurs. If many of our employees in Israel are called for active duty for a significant period of time, our operations and our business could be disrupted and may not be able to function at full capacity. Any disruption in our operations in Israel could adversely affect our business.

A wide variety of laws and regulations apply to the collection, use, retention, protection, disclosure, transfer, and other processing of personal data in jurisdictions where we and our customers operate. Compliance with these laws and regulations is difficult and costly. These laws and regulations are also subject to frequent, inconsistent and unexpected changes; new, modified or additional laws or regulations may be adopted; and rulings that invalidate prior laws, regulations, or interpretations of such laws or regulations may be issued. For example, we are subject to the E.U. General Data Protection Regulation (“E.U. GDPR”) and the U.K. General Data Protection Regulation (“U.K. GDPR,” and collectively the “GDPR”), both of which impose stringent data protection requirements, provide for costly penalties for noncompliance (up to the greater of (a) €20 million under the “E.U. GDPR” or £17.5 million under the “U.K. GDPR,” and (b) 4% of annual worldwide turnover), and confer the right upon data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations. - 30 - - 30 - - 30 - Table of Contents Table of Contents The GDPR requires, among other things, that personal data be transferred outside of the E.U. (or, in the case of the U.K. GDPR, the U.K.) to the United States and other jurisdictions only where adequate safeguards are implemented or a derogation applies. In practice, we rely on standard contractual clauses approved under the GDPR to carry out such transfers and to receive personal data subject to the GDPR (directly or indirectly) in the United States. In addition, with respect to the personal data that we process on behalf of our customers, we self-certified to the E.U.-U.S. Data Privacy Framework (“E.U.-U.S. DPF”), which has been approved for transfers of personal data subject to the GDPR to the United States. The E.U.-U.S. DPF has been recognized as adequate under the E.U. law to allow transfers of personal data from the E.U. to companies in the U.S. that have self-certified to the framework. However, the E.U.-U.S. DPF may be subject to legal challenge, which could cause the legal requirements for data transfers from the E.U. to be uncertain. Among other effects, we may experience additional costs associated with increased compliance burdens, reduced demand for our offerings from current or prospective customers in the European Economic Area (“EEA”), Switzerland, and the U.K. (collectively, “Europe”) to use our products, on account of the risks identified in the Schrems II decision, and we may find it necessary or desirable to make further changes to our processing of personal data of European residents. The regulatory environment applicable to the handling of European residents’ personal data, and our actions taken in response, may cause us to assume additional liabilities or incur additional costs. Moreover, much like with Schrems II, we anticipate future legal challenges to the approved data transfer mechanisms between Europe and the United States, including a challenge to the E.U.-U.S. DPF. Such legal challenges could result in additional legal and regulatory risk, compliance costs, and in our business, operating results, and financial condition being harmed. We are also subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”). The CCPA requires, among other things, covered companies to provide enhanced disclosures to California consumers and to afford such consumers certain rights regarding their personal data, including the right to opt out of data sales for targeted advertising, and creates a private right of action to individuals affected by a data breach, if the breach was caused by a lack of reasonable security. The effects of the CCPA have been significant, requiring us to modify our data processing practices and policies and to incur substantial costs and expenses for compliance. Moreover, additional state privacy laws have been passed and will require potentially substantial efforts to obtain compliance. These include laws enacted in at least 19 states, and six other states have active privacy bills pending in state legislative processes. We may also from time to time be subject to obligations relating to personal data by contract, or face assertions that we are subject to self-regulatory obligations or industry standards. Additionally, the Federal Trade Commission and many state attorneys general are more regularly bringing enforcement actions in connection with federal and state consumer protection laws for false or deceptive acts or practices in relation to the online collection, use, dissemination, and security of personal data. Internationally, data localization laws may mandate that personal data collected in a foreign country be processed and stored within that country. We and our customers may face risk of enforcement actions by regulators or data protection authorities, private litigation and adverse publicity including reputational damage and loss of customer confidence for alleged violations of any of the foregoing obligations. Any such claims could result in substantial costs, ongoing remedial, audit and reporting obligations, and diversion of resources, and distract management and technical personnel. These potential liabilities and enforcement actions could also have an overall negative effect on our business, operating results, and financial condition. The amount and scope of insurance we maintain may not cover all types of claims that may arise. New legislation affecting the scope of personal data and personal information where we or our customers and partners have operations, especially relating to classification of Internet Protocol (“IP”) addresses, machine identification, AI and machine learning, location data, and other information, may limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing or uses of data, and may require significant expenditures and efforts in order to comply. Notably, public perception of potential privacy, data protection, or information security concerns—whether or not valid—may harm our reputation and inhibit adoption of our products and subscriptions by current and future end-customers. Each of these laws and regulations, and any changes to these laws and regulations, or new laws and regulations, could impose significant limitations, or require changes to our business model or practices or growth strategy, which may increase our compliance expenses and make our business more costly or less efficient to conduct. - 31 - - 31 - - 31 - Table of Contents Table of Contents

A wide variety of laws and regulations apply to the collection, use, retention, protection, disclosure, transfer, and other processing of personal data in jurisdictions where we and our customers operate. Compliance with these laws and regulations is difficult and costly. These laws and regulations are also subject to frequent and unexpected changes, new or additional laws or regulations may be adopted, and rulings that invalidate prior laws or regulations may be issued. For example, we are subject to the E.U. General Data Protection Regulation (“E.U. GDPR”) and the U.K. General Data Protection Regulation (‘U.K. GDPR,” and collectively the “GDPR”), both of which impose stringent data protection requirements, provide for costly penalties for noncompliance (up to the greater of (a) €20 million under the “E.U. GDPR” or £17.5 million under the “U.K. GDPR,” and (b) 4% of annual worldwide turnover), and confer the right upon data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations. The GDPR requires, among other things, that personal data be transferred outside of the E.U. (or, in the case of the U.K. GDPR, the U.K.) to the United States and other jurisdictions only where adequate safeguards are implemented or a derogation applies. In practice, we rely on standard contractual clauses approved under the GDPR to carry out such transfers and to receive personal data subject to the GDPR (directly or indirectly) in the United States. In the future, we may self-certify to the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), which has been approved for transfers of personal data subject to the GDPR to the United States and requires public disclosures of adherence to data protection principles and the submission of jurisdiction to European regulatory authorities. Following the “Schrems II” decision by the Court of Justice of the European Union, transfers of personal data to recipients in third countries are also subject to additional assessments and safeguards beyond the implementation of approved transfer mechanisms. The decision imposed a requirement for companies to carry out an assessment of the laws and practices governing access to personal data in the third country to ensure an essentially equivalent level of data protection to that afforded in the E.U. Among other effects, we may experience additional costs associated with increased compliance burdens, reduced demand for our offerings from current or prospective customers in the European Economic Area (“EEA”), Switzerland, and the U.K. (collectively, “Europe”) to use our products, on account of the risks identified in the Schrems II decision, and we may find it necessary or desirable to make further changes to our processing of personal data of European residents. The regulatory environment applicable to the handling of European residents’ personal data, and our actions taken in response, may cause us to assume additional liabilities or incur additional costs, including in the event we self-certify to the EU-U.S. DPF. Moreover, much like with Schrems II, we anticipate future legal challenges to the approved data transfer mechanisms between Europe and the United States, including a challenge to the EU-U.S. DPF. Such legal challenges could result in additional legal and regulatory risk, compliance costs, and in our business, operating results, and financial condition being harmed. Additionally, we and our customers may face risk of enforcement actions by data protection authorities in Europe relating to personal data transfers to us and by us from Europe. Any such enforcement actions could result in substantial costs and diversion of resources, and distract management and technical personnel. These potential liabilities and enforcement actions could also have an overall negative affect on our business, operating results, and financial condition. We are also subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”). The CCPA requires, among other things, covered companies to provide enhanced disclosures to California consumers and to afford such consumers certain rights regarding their personal data, including the right to opt out of data sales for targeted advertising, and creates a private right of action to individuals affected by a data breach, if the breach was caused by a lack of reasonable security. The effects of the CCPA have been significant, requiring us to modify our data processing practices and policies and to incur substantial costs and expenses for compliance. Moreover, additional state privacy laws have been passed and will require potentially substantial efforts to obtain compliance. These include laws enacted in at least ten states, which all go into effect by January 1, 2026. We may also from time to time be subject to obligations relating to personal data by contract, or face assertions that we are subject to self-regulatory obligations or industry standards. Additionally, the Federal Trade Commission and many state attorneys general are more regularly bringing enforcement actions in connection with federal and state consumer protection laws for false or deceptive acts or practices in relation to the online collection, use, dissemination, and security of personal data. Internationally, data localization laws may mandate that personal data collected in a foreign country be processed and stored within that country. New legislation affecting the scope of personal data and personal information where we or our customers and partners have operations, especially relating to classification of Internet Protocol (“IP”) addresses, machine identification, AI, location data, and other information, may limit or inhibit our ability to operate or expand our business, including limiting strategic partnerships that may involve the sharing or uses of data, and may require significant expenditures and efforts in order to comply. Notably, public perception of potential privacy, data protection, or information security concerns—whether or not valid—may harm our reputation and inhibit adoption of our products and subscriptions by current and future end-customers. Each of these laws and regulations, and any changes to these laws and regulations, or new laws and regulations, could impose significant limitations, or require changes to our business model or practices or growth strategy, which may increase our compliance expenses and make our business more costly or less efficient to conduct. - 29 - - 29 - - 29 - Table of Contents Table of Contents