Table of Contents Risks Related to our Intellectual Property and Technology We are dependent on information technology systems, infrastructure and data. We or third parties upon which we rely could be subject to breaches of our information technology systems caused by system security risks, failure of our data protection, cyber-attacks and erroneous or non-malicious actions or failures to act by our employees or others with authorized access to our networks, which could cause significant reputational, legal and financial damages. Like many companies, in the ordinary course of business we process, use transfer, generate, disclose, secure, transmit and store a wide variety of confidential and proprietary information including personal information and other sensitive information relating to our business, products and services. The secure maintenance of this information is critical to our business and reputation. Despite our implementation of security measures, our systems are vulnerable to damages from computer viruses, computer denial-of-service attacks, ransomware, supply chain attacks, worms and other malicious software programs or other attacks, covert introduction of malware to computers and networks, unauthorized access, including impersonation of authorized users, social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), efforts to discover and exploit any security vulnerabilities or securities weaknesses and other similar issues and disruptions. In particular, severe ransomware attacks are becoming increasingly prevalent – particularly for companies like ours that interact with critical infrastructure or manufacturing – and can lead to significant interruptions in our operations, and ability to provide our products or services. Although we make significant efforts to maintain the security, availability, integrity and confidentiality of our information technology and related systems and have implemented measures to manage the risk of a security breach or disruption, there can be no assurance that our security efforts and measures will be effective, or that attempted security breaches or disruptions would not be successful or damaging. Remote work has become more common and has increased risks to our information technology and related systems, as more of our employees utilize network connections, computers and devices outside our premises or network, including working at home, while in transit and in public locations. The techniques used in attempted cyber-attacks and intrusions are sophisticated and constantly evolving and may be difficult to detect for long periods of time. We may be unable to anticipate these techniques or implement adequate preventative measures. Although to date we have not experienced any material breaches of our systems that could have material adverse effect on our business, attacks and intrusions on our systems will continue and we may experience a breach of our systems that compromises sensitive company information or customer data including personal information. In addition, hardware, software, or applications we develop or procure from third parties may contain defects in design or manufacture or other problems that could unexpectedly compromise information security. Intentional or non-malicious breaches by employees or others may pose a risk that sensitive data, including our intellectual property, trade secrets or personal information of our employees, customers or users, or other business partners may be exposed to unauthorized persons or to the public, or that risks of loss or misuse of this information could occur. Furthermore, if we experience a significant data security breach, we could be exposed to reputational damage and significant costs, including to rebuild our systems, modify our products and services, defend litigation, respond to government enforcement actions, pay damages or take other remedial steps, any of which could adversely affect our business, results of operations and financial condition. In addition, we may be required to incur significant costs to protect against damage caused by these disruptions or security breaches in the future. These risks, as well as the number and frequency of cybersecurity events globally, may also be heightened during times of geopolitical tension or instability. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities’ systems and technologies. We may also rely on and share information with contractors and third-party providers to conduct our business and provide our products and services. Although such contractors and third-party providers take steps designed to secure data and prevent security incidents, our ability to monitor these third-parties’ information security practices and potential security incidents is limited, and these third-parties may not have adequate information security measures in place. These third-party providers may experience a significant data security breach, which may also detrimentally affect our business, ability to provide our products and services, results of operations and financial condition. Enphase Energy, Inc. | 2023 Form 10-K | 27