BioMarin Pharmaceutical (BMRN) Risk Analysis

In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, transmit, and share (collectively, process) personal data and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, data we collect about trial participants in connection with clinical trials, sensitive third-party data, business plans, transactions, financial information and medical information collected by our patient access management team (collectively, sensitive data). Our data processing activities subject us to certain data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contractual requirements, and other obligations relating to data privacy and security. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), and other similar laws (e.g., wiretapping laws). For example, HIPAA, as amended by HITECH, imposes specific requirements relating to the privacy, security, and transmission of individually identifiable health information. Additionally, numerous U.S. states have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights may impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the CCPA applies to personal data of consumers, business representatives, and employees who are California residents and requires businesses to provide specific disclosures in privacy notices and honor requests of California residents to exercise certain privacy rights. The CCPA provides for fines for intentional violations and allows private litigants affected by certain data breaches to recover significant statutory damages. Although some U.S. comprehensive privacy laws exempt some data processed in the context of clinical trials, these laws may increase compliance costs and potential liability with respect to other personal data we may maintain about California residents. Similar laws are being considered in several other states, as well as at the federal and local levels, and we expect more jurisdictions to pass similar laws in the future. Outside the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, the European Union's General Data Protection Regulation (EU GDPR), United Kingdom's GDPR (UK GDPR) (collectively, the GDPR), Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or LGPD) (Law No. 13,709/2018), and China's Personal Information Protection Law (PIPL) impose strict requirements for processing personal data. For example, under the GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to 20 million Euros under the EU GDPR / 17.5 million pounds sterling under the UK GDPR or 4% of annual global revenue, whichever is greater; or private litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. In addition, we may be unable to transfer personal data from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area (EEA) and the UK have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws it believes are inadequate. Other jurisdictions have adopted may adopt similarly stringent data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and UK to the United States in compliance with law, such as the EEA standard contractual clauses, the UK's International Data Transfer Agreement / Addendum, and the EU-U.S. Data Privacy Framework and the UK extension thereto (which allows for transfers to relevant U.S.-based organizations who self-certify compliance and participate in the Framework), these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the UK, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including by limiting our ability to conduct clinical trial activities in Europe and elsewhere, the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions (such as Europe) at significant expense, increased exposure to regulatory actions, substantial fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers of personal data to recipients outside Europe for allegedly violating the GDPR's cross-border data transfer limitations. Additionally, companies that transfer personal data to recipients outside of the EEA and/or UK to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators individual litigants and activist groups. Additionally, the U.S. Department of Justice issued a rule entitled the Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, which places additional restriction on certain data transactions involving countries of concern (e.g., China, Russia, Iran) and covered persons that may impact certain business activities such as vendor engagements, sale or sharing of data, employment of certain individuals, and investor agreements. Violations of the rule could lead to significant civil and criminal fines and penalties. The rule applies regardless of whether data is anonymized, key-coded, pseudonymized, de-identified or encrypted, which presents particular challenges for companies like ours and may impact our ability to transfer data in connection with certain transactions or agreements. We are subject to new laws governing the privacy of consumer health data, including reproductive, sexual orientation, and gender identity privacy rights that provide consumers certain rights with respect to their health data and create a private right of action to allow individuals to sue for violations. Our employees and personnel, as well as third parties with whom we work, use, or may in the future use, generative AI technologies to perform their work, and the disclosure and use of personal data in generative AI technologies is subject to various privacy laws and other privacy obligations. Governments have passed and are likely to pass additional laws regulating generative AI. Our use of this technology could result in additional compliance costs, regulatory investigations and actions, and lawsuits. If these factors limit or otherwise impair our effective use of generative AI, it could make our business less efficient and result in competitive disadvantages. In addition to data privacy and security laws, we are contractually subject to industry standards adopted by industry groups and may become subject to additional such obligations in the future. We are also bound by other contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We publish privacy policies, marketing materials, and other statements, such as statements related to compliance with certain certifications or self-regulatory principles, regarding data privacy and security. Regulators across the world are increasingly scrutinizing these statements, and if these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, misleading, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Obligations related to data privacy and security (and consumers' data privacy expectations) are quickly changing, becoming increasingly stringent, and creating uncertainty. Additionally, these obligations may be subject to differing applications and interpretations, which may be inconsistent or conflict among jurisdictions. Preparing for and complying with these obligations requires us to devote significant resources and may necessitate changes to our services, information technologies, systems, and practices and to those of any third parties that process personal data on our behalf. We may at times fail (or be perceived to have failed) in our efforts to comply with our data privacy and security obligations. Moreover, despite our efforts, our personnel or third parties with whom we work may fail to comply with such obligations, which could negatively impact our business operations. If we or the third parties with whom we work fail, or are perceived to have failed, to address or comply with applicable data privacy and security obligations, we could face significant consequences, including but not limited to: government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-action claims) and mass arbitration demands; additional reporting requirements and/or oversight; bans or restrictions on processing personal data; and orders to destroy or not use personal data. In particular, plaintiffs have become increasingly more active in bringing privacy-related claims against companies, including class claims. Some of these claims allow for the recovery of statutory damages on a per violation basis, and, if viable, carry the potential for monumental statutory damages, depending on the volume of data and the number of violations. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to loss of customers; inability to process personal data or to operate in certain jurisdictions; interruptions or stoppages in our business operations (including clinical trials); limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or substantial changes to our business model or operations.

New tax laws or regulations could be enacted at any time, and existing tax laws or regulations could be interpreted, modified or applied in a manner that is adverse to us or our customers, which could adversely affect our business and financial condition. For example, legislation referred to as the One Big Beautiful Bill (OBBB) Act enacted in 2025, along with prior U.S. federal tax reform legislation, enacted many significant changes to the U.S. taxation of business entities, including, among other changes, the imposition of minimum taxes and excise taxes under certain circumstances, changes to the taxation of income derived from international operations, changes in the deduction and amortization of research and development expenditures, and limitations on the deductibility of business interest. For tax years beginning after December 31, 2024, the OBBB Act restores the tax deductibility of domestic research and development expenses in the year incurred, which expenses had been required under prior legislation to be capitalized and subsequently amortized over five years. The OBBB Act did not change the tax treatment of expenses incurred in research and development activities conducted outside the United States, which expenses continue to be required to be capitalized and amortized over 15 years. We are evaluating the potential impacts this and other changes under the OBBB Act may have on our business. Future guidance from the Internal Revenue Service and other tax authorities with respect to any legislation may affect us, and certain aspects of such legislation could be repealed or modified in subsequent legislation or sunset in future years. In addition, it is uncertain if and to what extent various states will conform to federal tax laws. Any future tax legislation could increase our U.S. tax expense and could have a material adverse impact on our business and financial condition. Moreover, changes in the tax laws of jurisdictions in which we conduct business could arise, including as a result of the base erosion and profit shifting (BEPS) project that is being led by the Organization for Economic Co-operation and Development (OECD), and other initiatives led by the OECD or the EC. For example, the OECD, which represents a coalition of member countries including the U.S. and other countries in which we have operations, is working on the implementation of proposals, commonly referred to as "BEPS 2.0", which have made (and are expected to continue to make) important changes to the international tax system. These proposals include, among other measures, the imposition of a minimum effective tax rate of 15% on certain multinational enterprises that have consolidated revenues of at least 750 million euros in at least two out of the last four years. A number of countries in which we conduct business have enacted, or are in the process of enacting, core elements of Pillar Two rules (with further provisions expected to be enacted in the future). The OECD has issued (and is expected to continue to issue further) administrative guidance providing transition and safe harbor rules in relation to the implementation of the Pillar Two proposal. For example, on January 5, 2026, the OECD published details of a proposed "side-by-side" arrangement providing for, among other things, additional safe harbors for multinational groups headquartered in certain qualifying jurisdictions, which includes the U.S. Based on the applicable thresholds, we are within the scope of the Pillar Two rules, but do not currently expect such rules to have a material adverse impact on our effective tax rate. It is not uncommon for taxing authorities in different countries to have conflicting views, for instance, with respect to, among other things, the manner in which the arm's length standard is applied for transfer pricing purposes, or with respect to the valuation of intellectual property. If tax authorities successfully challenge our transfer prices as not reflecting arm's length transactions, they could require us to adjust our transfer prices and thereby reallocate our income to reflect these revised transfer prices, resulting in a higher tax liability. In addition, if a country from which income is reallocated does not agree with the reallocation, both that country and the other country to which the income was allocated could tax the same income, potentially resulting in double taxation. If tax authorities were to allocate income to a higher tax jurisdiction, subject our income to double taxation or assess interest and penalties, it would increase our consolidated tax liability, which could adversely affect our business, financial condition, results of operations and cash flows. We continue to monitor developments and are evaluating the potential impacts of the Pillar Two rules, including on our effective tax rates, and considering our eligibility to qualify for the relevant safe harbor rules (including under the proposed "side-by-side" arrangement).

Our competitors may develop, manufacture and market products that are more effective or less expensive than ours. They may also obtain regulatory approvals for their products faster than we can obtain them (including those products with orphan drug designation, which may prevent us from marketing our product entirely for seven years, along with other regulatory exclusivities that could block approval) or commercialize their products before we do. With respect to VOXZOGO, other companies are developing, and may in the future develop, products for treatment for achondroplasia that, if approved, could potentially compete with VOXZOGO even during the period of orphan drug exclusivity, for example by using an alternative formulation or a different delivery technology. As we commercialize our products, we have faced and may continue to face intense competition from other pharmaceutical companies, some of which may have more extensive resources and/or established relationships in the communities we seek to treat. If we do not compete successfully, our revenues would be adversely affected, and we may be unable to generate sufficient sales to recover our expenses related to the development of a product program or to justify continued marketing of a product. We also face competition from generic versions of our products. For example, generic versions of KUVAN are available in several countries around the world, including in the U.S. and the European Union (EU), which has adversely affected and will continue to adversely affect our revenues from KUVAN. Competitors launching generic versions of our products independently establish the price of such products and determine the types of discounts or rebates they will offer parties that purchase or pay for the product. Generic competition often results in decreases in the net prices at which branded products can be sold. After any introduction of a generic product, a significant percentage of the prescriptions written for our branded products will likely be filled with the generic product. Certain U.S. state laws allow for, and in some instances in the absence of specific instructions from the prescribing physician mandate, the dispensing of generic products rather than branded products when a generic version is available. We expect that the approval and launch of generic versions of our products and the approval and launch of branded products that compete with our products will continue to have a negative impact and could have a material adverse effect on our sales of our products and on our business, financial condition, results of operations and growth prospects.

Even if our product candidates are approved, if doctors were to elect a course of treatment which does not include our products, this decision would reduce demand for our products and adversely affect revenues. For example, if gene therapy becomes widely used as a treatment of genetic diseases, the use of enzyme replacement therapy, such as ALDURAZYME, NAGLAZYME, and VIMIZIM in MPS diseases, could be greatly reduced. Changes in treatment method can be caused by the introduction of other companies' products or the development of new technologies or surgical procedures which may not directly compete with ours, but which have the effect of changing how doctors decide to treat a disease. For example, we faced significant uncertainty as to whether gene therapy would gain the acceptance of the public or the medical community. In October 2025, we announced our plan to pursue options to divest ROCTAVIAN, including exploring out-licensing opportunities. Subsequently in December 2025, we committed to a plan to voluntarily withdraw ROCTAVIAN from the market due to lower than previously anticipated commercial opportunities. In connection with this strategic decision, we recorded approximately $240.0 million of restructuring charges in 2025 comprised of an inventory write-off, impairment of long-lived assets, severance and other cost. In addition, if we do not accurately forecast demand or manufacture products at levels in alignment with actual demand due to the failure of our products to gain acceptance by the patients or the medical community or other factors, then we may experience product shortages, pay a fee to contract manufacturers with whom we have non-cancellable capacity reservation agreements, or build excess inventory that may need to be written off, all of which could adversely affect our operating results.

Our products are subject to U.S. export control laws and regulations, including the U.S. Export Administration Regulations and various economic and trade sanctions regulations administered by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC). Exports of our products and solutions must be made in compliance with these laws and regulations. Changes to these laws and regulations, or to the countries, governments, persons or activities targeted by such laws, could result in decreased use of our products, or hinder our ability to export or sell our products to existing or potential customers, which would likely adversely affect our results of operations, financial condition or strategic objectives. For example, sanctions issued by the U.S. and other jurisdictions against Russia and Belarus in response to the invasion of Ukraine have made it very difficult for us to operate in Russia and may have a material adverse impact on our ability to sell our products and/or collect receivables from customers in Russia and Belarus. Moreover, if we fail to comply with these laws and regulations, we could be subject to substantial civil or criminal penalties, including the possible loss of export or import privileges and fines. We rely on a general license from OFAC to sell our medicines for eventual use by hospital and clinic end-users in Iran. The use of this OFAC general license requires us to observe strict conditions with respect to products sold, end-user limitations and payment requirements. Although we believe we have maintained compliance with the general license requirements, there can be no assurance that the general license will not be revoked, the general license will be renewed in the future or we will remain in compliance with the general license. A violation of the OFAC general license could result in substantial fines, sanctions, civil or criminal penalties, competitive or reputational harm, litigation or regulatory action and other consequences that might adversely affect our results of operations, financial condition or strategic objectives. Moreover, U.S. export control and economic sanctions may make operating in certain countries more difficult and expensive. For example, we may be unable to find distributors or financial institutions willing to facilitate the sale of our products and collection of cash from such sales in a cost-effective manner, if at all.

A significant and growing portion of our revenues and earnings, as well as our substantial international assets and liabilities, are exposed to changes in foreign exchange rates. As we operate in multiple foreign currencies, including the Euro, the Brazilian Real, the Japanese Yen, the Canadian Dollar, the Argentine Peso, the Colombian Peso, the Mexican Peso, the British Pound and several other currencies, changes in those currencies relative to the U.S. Dollar (USD) have in the past and may in the future impact our revenues and expenses. If the USD were to weaken against another currency (as has been the case against the Euro in 2025), assuming all other variables remained constant, our revenues would increase, having a positive impact on earnings, and our overall expenses would increase, having a negative impact on earnings. Conversely, if the USD were to strengthen against another currency (as was the case for many currencies in 2022), assuming all other variables remained constant, our revenues would decrease, having a negative impact on earnings, and our overall expenses would decrease, having a positive impact on earnings. In addition, because our financial statements are reported in USD, changes in currency exchange rates between the USD and other currencies have had, and will continue to have, an impact on our results of operations. Therefore, significant changes in foreign exchange rates can impact our results and our financial guidance. We implement currency hedges intended to reduce our exposure to changes in certain foreign currency exchange rates. However, our hedging strategies may not be successful, and any of our unhedged foreign exchange exposures will continue to be subject to market fluctuations. These risks could cause a material adverse effect on our business, financial position and results of operations and could cause the market value of our common stock to decline.

For planning purposes, we estimate the timing of the accomplishment of various scientific, clinical, regulatory and other product development goals, which we sometimes refer to as milestones. These milestones may include the commencement or completion of scientific studies and clinical trials and the submission of regulatory filings. From time to time, we publicly announce the expected timing of some of these milestones. All of these milestones are based on a variety of assumptions. The actual timing of these milestones can vary dramatically compared to our estimates or the milestones may never be achieved, in many cases for reasons beyond our control. If we do not meet development milestones as publicly announced, the commercialization of our products may be delayed or never occur and the credibility of our management may be adversely affected and, as a result, our stock price may decline.

Similar to us, competitors and other third parties continually seek intellectual property protection for their technology. Several of our products and development programs focus on therapeutic areas that have been the subject of extensive research and development by third parties for many years. Due to the amount of intellectual property in our field of technology, we cannot be certain that we do not infringe intellectual property rights of competitors or other third parties or that we will not infringe intellectual property rights of competitors or other third parties granted or created in the future. For example, if a patent holder believes our product infringes its patent, the patent holder may sue us even if we have received patent protection for our technology. If someone else claims we infringe their intellectual property, we would face a number of issues, including the following: - Defending a lawsuit takes significant executive resources and can be very expensive. - If a court decides that our product infringes a competitor's intellectual property, we may have to pay substantial damages. - With respect to patents, in addition to requiring us to pay substantial damages, a court may prohibit us from making, selling, offering to sell, importing or using our product unless the patent holder licenses the patent to us. The patent holder is not required to grant us a license. If a license is available, it may not be available on commercially reasonable terms. For example, we may have to pay substantial royalties or grant cross licenses to our patents and patent applications. - We may need to redesign our product so it does not infringe the intellectual property rights of others. - Redesigning our product so it does not infringe the intellectual property rights of others may not be possible or could require substantial funds and time. We may also support and collaborate in research conducted by government organizations, hospitals, universities or other educational institutions. These research partners may be unwilling to grant us any exclusive rights to technology or products derived from these collaborations. For example, under the Bayh-Dole Act which only applies to patents for inventions generated from federally funded research, the U.S. Department of Commerce may allow the government to use "march-in" rights for prescription drug patents as a means to control prices. If we do not obtain required licenses or rights, we could encounter delays in our product development efforts while we attempt to design around other patents or may be prohibited from making, using, importing, offering to sell or selling products requiring these licenses or rights. There is also a risk that disputes may arise as to the rights to technology or products developed in collaboration with other parties. If we are not able to resolve such disputes and obtain the licenses or rights we need, we may not be able to develop or market our products.

Either party may terminate the Manufacturing, Marketing and Sales Agreement (the MMS Agreement) between Sanofi and us related to ALDURAZYME for specified reasons, including if the other party is in material breach of the MMS Agreement, has experienced a change of control, as such term is defined in the MMS Agreement, or has declared bankruptcy and also is in breach of the MMS Agreement. Although we are not currently in breach of the MMS Agreement, there is a risk that either party could breach the MMS Agreement in the future. Either party may also terminate the MMS Agreement upon one-year prior written notice for any reason. If the MMS Agreement is terminated for breach, the breaching party will transfer its interest in the BioMarin/Genzyme LLC to the non-breaching party, and the non-breaching party will pay a specified buyout amount for the breaching party's interest in ALDURAZYME and in the BioMarin/Genzyme LLC. If we are the breaching party, we would lose our rights to ALDURAZYME and the related intellectual property and regulatory approvals. If the MMS Agreement is terminated without cause, the non-terminating party would have the option, exercisable for one year, to buy out the terminating party's interest in ALDURAZYME and in the BioMarin/Genzyme LLC at a specified buyout amount. If such option is not exercised, all rights to ALDURAZYME will be sold and the BioMarin/Genzyme LLC will be dissolved. In the event of termination of the buyout option without exercise by the non-terminating party as described above, all right and title to ALDURAZYME is to be sold to the highest bidder, with the proceeds to be split between Sanofi and us in accordance with our percentage interest in the BioMarin/Genzyme LLC. If the MMS Agreement is terminated by either party because the other party declared bankruptcy, the terminating party would be obligated to buy out the other party and would obtain all rights to ALDURAZYME exclusively. If the MMS Agreement is terminated by a party because the other party experienced a change of control, the terminating party shall notify the other party, the offeree, of its intent to buy out the offeree's interest in ALDURAZYME and the BioMarin/Genzyme LLC for a stated amount set by the terminating party at its discretion. The offeree must then either accept this offer or agree to buy the terminating party's interest in ALDURAZYME and the BioMarin/Genzyme LLC on those same terms. The party who buys out the other party would then have exclusive worldwide rights to ALDURAZYME. The Amended and Restated Collaboration Agreement between us and Sanofi will automatically terminate upon the effective date of the termination of the MMS Agreement and may not be terminated independently from the MMS Agreement. If we were obligated or given the option to buy out Sanofi's interest in ALDURAZYME and the BioMarin/Genzyme LLC, and thereby gain exclusive rights to ALDURAZYME, we may not have sufficient funds to do so and we may not be able to obtain the financing to do so. If we fail to buy out Sanofi's interest, we may lose any claim to the rights to ALDURAZYME and the related intellectual property and regulatory approvals. We would then effectively be prohibited from developing and commercializing ALDURAZYME. If this happened, not only would our product revenues decrease, but our share price would also decline.