5 Governance and Fair Business Practices

GRI 2-25: Processes to remediate negative impacts
GRI 2-26: Mechanisms for seeking advice and raising concerns
GRI 2-27: Compliance with laws and regulations

5.1 Ensuring Governance with Aligned Compliance Management System

GRI 2-9: Governance structure and composition

Strong governance practices are fundamental to ensuring ethical business conduct, compliance with legal frameworks, and effective risk management. The Cicor governance framework directly impacts stakeholders by promoting transparency, accountability, and responsible decision-making. Key areas include anti-corruption measures, data protection policies, and supply chain governance, aiming at ensuring adherence to international human rights and environmental standards. Governance-related issues, such as regulatory changes, non-compliance risks, or reputational challenges stemming from governance failures, can have material financial consequences for the organisation. For example, lapses in governance may result in legal penalties, operational disruptions, or diminished stakeholder trust, ultimately affecting the Company’s market value and financial performance. In the course of 2024, an extended Compliance Management System was implemented by Cicor Group Compliance. It was created to oversee all governance-related risks and opportunities, ensuring alignment with long-term sustainability goals. Furthermore, regular audits and stakeholder engagements reinforce the Company’s commitment to maintaining robust governance practices across all operations.

5.2 Ethical Business Practices Shared with Employees

GRI 3-3: Management of material topics
GRI 205: Anti-corruption 2016

The Company’s employees are expected to act in accordance with the highest standards of personal and professional integrity, especially in matters of ethics and governance. To ensure that the values of Cicor are upheld by all associated persons, the Company’s Employee Code of Conduct and Business Partner Code of Conduct, amongst others, include statements on topics connected to fair business practices. The Employee Code of Conduct applies to all the Company’s personnel, Board Members, legal agents, consultants and intermediaries, and others who act on behalf of Cicor. The Human Resources department of the respective sites ensures that all employees receive an Employee Code of Conduct as part of their on-boarding, and ensures signing as well as acknowledging the applicable rules and guidelines. In addition to the Employee Code of Conduct, Cicor’s employees must also follow local working laws and regulations. Additionally, all employees’ work contracts contain confidentiality and fidelity clauses to avert potential conflicts of interest. Specifically, supplier and customer contracts contain clauses on anti-bribery, labour rights, human rights, child labour and the like. Furthermore, the Company has a clear rule on avoiding politics or officially supporting a political party.

The Company’s Employee Code of Conduct (“Employee Code”) is a foundational governance document and reflects, amongst other topics, Cicor’s commitment to respect the individual, uphold human rights and institute fair and ethical employment practices. The Company maintains and continues to develop training and awareness campaigns to familiarise employees with its expectations of ethical business practices and to reinforce the commitment to compliance. These initiatives include internal online trainings for business ethics, intranet announcements, e-mail communications, townhalls and aligned guidelines. The Employee Code was updated in 2024 to ensure compliance with new regulations and standards. All Cicor employees are provided with the new version of the Employee Code. All new joiners of the Company complete an on-boarding process which includes being introduced to the Employee Code with an onboarding training. The Company plans to extend its training framework for business ethics topics in 2025 to include specific topic-related initiatives in order to share further awareness.

Ethical business practices are fundamental to the Company’s long-term success and sustainability. The Company’s commitment to ethical conduct extends beyond compliance with laws and regulations; it encompasses a broader understanding of the Company’s responsibilities to all stakeholders, including customers, employees, suppliers, and the communities Cicor serves. Cicor believes that acting in accordance with ethical, social and environmental standards and treating others with dignity and respect are key factors of a successful relationship. What Cicor expects from itself is also shared with its business partners. The relationship with business partners of all kinds is an important component for building sustainable business success. As part of the Company’s business ethics approach, Cicor ensures that business activities are conducted in line with legal requirements and ethical principles and values which are based on the United Nations Declaration of Human Rights, the International Labour Organisation (ILO) and the OECD Guidelines for Multinational Enterprises. The Company’s Business Ethics commitment is fully aligned with its core values and lies at the heart of each of Cicor’s business relationships. In 2024, Cicor implemented a specific Business Partner Code of Conduct, sharing a detailed overview of the Company’s values and standards for business partners including the Company’s statement to not tolerate any form of human rights abuses, child labour, discrimination or harassment and shares specific statements on these topics.

5.3 Upholding Fair Business Practices and Values

GRI 205: Anti-corruption 2016

To uphold the principles of the International Labour Organisation (ILO) and the OECD Guidelines for Multinational Enterprises (OECD), Cicor has established a governance framework, including a dedicated individual responsible for overseeing compliance and ethical conduct across the organisation. Cicor provides training to employees on ethical decision-making and conducts periodic assessments to ensure the Company’s policies remain effective and relevant. In 2024, 53% of employees received trainings beyond the Company’s obligatory business ethics approaches on compliance and business ethics.

Cicor believes that upholding fair business practices is essential to its success. The responsible, law-abiding and ethical behaviour of the Company and its employees is of critical importance from an internal perspective, as well as for business partners, customers, authorities and the public. For instance, uncovered cases of corruption or human rights violations cause direct financial burdens in connection to legal actions, such as fines and penalties. Operating in a toxic environment could also lead to knock-on effects such as unethical behaviour against the Company; failure to ensure human rights compliance could cause operational disruptions due to workers’ strikes, loss of employee morale, and increased employee turnover. Lastly, any ethical misbehaviour can cause reputational damage, impairing businesses due to a loss of trust amongst stakeholders and the resulting restrictions in market access. To mitigate such risks, Cicor has implemented fair, honest, and transparent business principles, with processes and products that reflect levels of quality, safety, and environmental impact. By avoiding unethical business practices, the Company strives to promote the population’s trust in the integrity of the Company and the economy overall, and intends to contribute to societal wellbeing. The Company has made and will continue to make efforts to minimise the risk of any form of slavery and to promote fair working conditions within its own business and its value chain; the Company acknowledges that this work is an ongoing commitment. In 2024 no breach against human rights, modern slavery or any form of child labour was evaluated and reported to the Company.

The company protects itself from questionable business relationships by regularly comparing its customer base with sanctions lists and by subjecting all new customers to a compliance check during the onboarding process. As part of the strategy development in 2025, Cicor plans to apply these measures even more strictly and precisely. In 2024, Cicor did not detect any situation of unfair business practices or confirmed cases of corruption. There were also no reported cases of legal proceedings against anti-competitive behaviour or regarding antitrust and monopoly law. Lastly, no breaches of environmental protection, economic or social laws or regulations were identified. Cicor recognises that ethics is an evolving field. As such, the Company is dedicated to continually reviewing and improving the Company’s ethical practices, aligning them with best practices and stakeholder expectations. The Cicor Sustainability Report serves as a platform to communicate the Company’s progress and the steps Cicor is taking to ensure the Company’s ethical standards are not only upheld but enhanced.

5.4 Compliance with Tax Regulations

Cicor is committed to adhering to all applicable tax regulations, including international transfer pricing guidelines and local tax laws. The company’s approach to tax compliance is based on principles of transparency and accuracy, ensuring that corporate, employee, and customer-related taxes are calculated and paid in accordance with legal requirements.

To mitigate tax-related risks and ensure regulatory compliance, Cicor adheres to local transfer pricing regulations and does not engage in profit shifting abroad. The company’s tax governance principles are integrated into the broader risk management process and the related risks are addressed in the internal control system of the group and of each company. The primary controls are implemented within the human resources and finance departments to ensure full compliance with tax legislation.

Cicor employs qualified professionals who maintain up-to-date knowledge of tax regulations. Additionally, relevant personnel are informed of tax-related matters through open and structured communication processes.

5.5 Whistleblower Protection

GRI 3-3: Management of material topics
GRI 406: Non-discrimination 2016

Whistleblower protection is a cornerstone of the Company’s governance framework and a critical aspect of building trust and transparency. The company is committed to creating a safe and secure mechanism for employees, partners and stakeholders to report unethical or illegal practices without fear of retaliation. The 2024 DMA identified protection of whistleblowers and negative impacts on society due to acts of bribery and corruption as material sustainability matters for Cicor. These topics form the basis for the content of the governance structure.

The integration of whistleblower protection aligns with the Company’s dedication to ethical business practices and strengthens its ability to identify and address risks early. It supports the Company’s long-term sustainability by maintaining compliance, safeguarding reputation, and fostering a culture of accountability. Together, corporate culture and whistleblower protection contribute to Cicor’s overarching goal of building a resilient, inclusive, and ethically grounded organisation that creates long-term value for all stakeholders. Cicor supports an open communication environment and invites employees to speak up and raise concerns. The Cicor Integrity Line was implemented in October 2023 as a “speak up process”. Nevertheless, lack of trust in, understanding of, or awareness of the speak up process may result in underreporting of concerns. To mitigate under-reporting, the Company shares information about its speak up channel in trainings and communication. The Cicor Integrity Line is hosted by a third party; this enables internal and external stakeholders to ask questions or report concerns involving breaches of law, regulations or company guidelines. Reporters may choose to submit anonymous questions and concerns through the channel, which supports intake via the web. Additionally, Cicor shares further channels to speak up by e-mail, telephone or written letters. Every concern raised in or submitted by proxy to speak up to the Cicor Integrity Line is closely monitored. Each report is evaluated, reviewed as appropriate (including investigations if warranted), and remediated, if needed. Those responsible for the Integrity Line report anonymised investigation results to the Group Management Team and the Audit Committee.

In 2024, three incidents were filed through the Cicor Integrity Line. Each speak up report may include multiple allegation types, and an allegation does not reflect or suggest confirmation that the alleged conduct occurred. There were no reported incidents of severe human rights violations in 2024. Actions and measures have been evaluated as part of the investigation process on the filed incidents. These include specific training initiatives and workshops for related employees.

5.6 Corruption and Bribery

GRI 3-3: Management of material topics
GRI 205: Anti-Corruption 2016

Corruption and bribery pose significant financial risks to the Company’s organisation, including potential fines, legal costs, and reputational damage. Regulatory scrutiny and enforcement actions in the Company’s operating regions have intensified, with authorities imposing substantial penalties for non-compliance. Corruption can also disrupt business continuity, impact investor confidence, and lead to reduced access to capital markets. Therefore, mitigating corruption and bribery risks is essential to safeguard the Company’s financial performance and long-term viability. Beyond financial considerations, corruption and bribery have a profound societal impact, undermining the rule of law, distorting market competition, and contributing to social inequality. As an organisation committed to ethical conduct and sustainable development, Cicor recognises its role in promoting transparency and accountability throughout the Company’s value chain. Addressing corruption is critical to fostering trust amongst stakeholders, including customers, employees, and communities, while contributing to broader efforts to achieve sustainable development. Cicor aims to further raise awareness of the criticality of bribery and corruption through targeted training initiatives across the Company’s workforce. In 2024, the Company did not detect, and was not informed of, any form of corruption or bribery breaches.

5.7 Management of Relationships with Suppliers Including Payment Practices

GRI 201-1: Direct Economic value generated and distributed

Effective supplier relationship management is critical to maintaining a resilient and efficient supply chain. Delayed payments or poor communication can disrupt operations, increase costs, and damage relationships with key suppliers, potentially leading to supply shortages or increased procurement costs. Moreover, as regulatory scrutiny around fair payment practices intensifies, non-compliance could result in fines, legal disputes, and reputational harm. Consistent and fair treatment of suppliers supports operational stability and aligns with the Company’s commitment to cost effectiveness and risk mitigation. The Company’s payment practices and supplier management approach have significant social and environmental impacts. Fair and timely payments to suppliers, especially small and medium enterprises (SMEs), contribute to their financial stability and resilience, fostering local economic development. Furthermore, transparent engagement and collaboration with suppliers enables Cicor to promote ethical labour practices, environmental sustainability, and responsible resourcing throughout the Company’s value chain. By maintaining equitable and respectful relationships with suppliers, Cicor contributes to sustainable and inclusive economic growth.

5.8 Digital Frontiers: Cybersecurity

GRI 3-3: Management of material topics
GRI 418: Customer Privacy 2016

Cybersecurity is integral to protecting the organisation’s digital infrastructure, safeguarding sensitive data, and ensuring uninterrupted business operations. Cyberattacks, data breaches, or system failures can result in substantial financial losses, including regulatory fines, legal costs, and remediation expenses. Additionally, compromised cybersecurity can erode customer trust and brand reputation, potentially leading to loss of market share and reduced investor confidence. With increasing regulatory requirements and stakeholder expectations around data privacy and security, robust cybersecurity measures are essential to sustaining financial performance and mitigating business risks. The implications of cybersecurity extend beyond the organisation, influencing the broader digital ecosystem. Breaches can expose sensitive customer and employee data, undermine trust in digital platforms, and disrupt critical services. By prioritising cybersecurity, Cicor contributes to building a safer digital environment, promoting stakeholder confidence in technology, and supporting innovation. Furthermore, the Company’s commitment to data protection aligns with the ethical responsibility to respect privacy rights and comply with global standards. Through active measures and trainings, Cicor also contributes to societal resilience against cyber threats and the broader goals of digital inclusion and sustainable technological progress. This included a group-wide cybersecurity initiative in 2024.

In an increasingly digital world, cybersecurity is a critical component of corporate sustainability and resilience. Cicor’s cybersecurity governance is anchored in each Cicor entity’s IT department, including policies, oversight mechanisms, and dedicated leadership. Vulnerability assessments and penetration testing ensure that the Company’s systems remain secure against emerging threats. Incident response protocols are in place to address potential breaches, minimising impact and restoring normal operations.

5.9 Data Privacy

GRI 3-3: Management of material topics
GRI 418: Customer Privacy 2016

Protecting data integrity and confidentiality is a priority. Cicor adheres to global standards, including the General Data Protection Regulation (GDPR), to safeguard customer, employee and stakeholder information. Advanced encryption methods, secure access controls, and regular training programs reinforce the Company’s commitment to data protection.

Employee awareness is integral to effective cybersecurity. Cicor conducts regular training programs to educate employees on recognising and responding to cyber threats.

5.10 IT Standards Aligned

GRI 3-3: Management of material topics
GRI 418: Customer Privacy 2016

Cicor is implementing a Cicor-wide IT baseline to align with future requirements and challenges. The baseline was created to share a minimum standard across sites, aiming to ensure adequate IT security levels. The baseline also aims to support Cicor entities in the scope of the EU NIS 2 regulations. Multiple entities share certificates on IT standards such as ISO 27001 or Cyber Essentials Plus as part of their structure.

During 2024, Cicor detected one critical cybersecurity incident in the United Kingdom, in which a local employee’s e-mail inbox was compromised. After detection, further security standards were implemented to avoid an incident of similar nature in the future on the local site. As part of the investigation, it was confirmed that the incident did not cause any major harm.

The evolving cyber threat landscape presents ongoing challenges. The increasing sophistication of attacks and regulatory complexities necessitate continuous adaptation. Cicor commits to ongoing investment in advanced cybersecurity technologies, expanding collaboration with industry consortia, and enhancing transparency in the Company’s cybersecurity practices. Through robust governance, proactive risk management, and a commitment to continuous improvement, Cicor is building a secure and sustainable digital future, including artificial intelligence.
