7 Governance and Fair Business Practices

GRI 3-3: Management of material topics
GRI 2-25: Processes to remediate negative impacts
GRI 2-26: Mechanisms for seeking advice and raising concerns
GRI 2-27: Compliance with laws and regulations

7.1 Governance Structure and Compliance Management System

GRI 2-9: Governance structure and composition
GRI 2-12: Role of the highest governance body in overseeing the management and impacts
GRI 2-13: Delegation of responsibility and management impacts
GRI 2-23: Policy commitments
GRI 2-24: Embedding policy commitments

Cicor considers strong governance and fair business practices a fundamental prerequisite for sustainable value creation and long-term business success. Robust governance structures support ethical decision-making, regulatory compliance, and accountability across all levels of the organisation and throughout the value chain.

‘At Cicor, we are creating together a culture of integrity built on a transparent and resilient compliance framework. Through continuous improvement and proactive risk management, we strengthen our readiness, protect performance, and deliver sustainable long-term value for all our stakeholders.’

Michèle Veraguth

Group Compliance Officer

Cicor operates a governance-aligned Compliance Management System (CMS), which provides a comprehensive, structured framework for identifying, assessing, mitigating, and monitoring legal, regulatory, ethical, and reputational risks. The CMS is applied across all entities and functions and is designed to ensure consistent standards while allowing flexibility to address local regulatory requirements and operational conditions.

Governance and compliance oversight is embedded in the responsibilities of the Board of Directors, Executive Management and the Group Compliance function. Clear roles and responsibilities, documented processes, and defined escalation mechanisms ensure that governance-related matters are addressed in a timely and transparent manner. The CMS is regularly reviewed and continuously improved to reflect regulatory developments, evolving risk profiles and lessons learned from audits and incidents. This builds on the foundations described in Cicor’s 2024 Sustainability Report.

7.2 Code of Conduct and Ethical Business Principles

GRI 2-23: Policy commitments
GRI 2-24: Embedding policy commitments
GRI 205-2: Communication and training about anti-corruption policies and procedures
GRI 205-3: Confirmed incidents of corruption and actions taken

Cicor’s commitment to ethical behaviour is anchored in its Code of Conduct, which defines the standards of behaviour expected from all employees, managers, and members of governing bodies. The Code of Conduct applies Group-wide and covers, among others, the following areas:

  • Respect for human rights
  • Fair and lawful employment practices
  • Prohibition of child labour and forced labour
  • Zero tolerance for corruption, bribery, and fraud
  • Prevention of conflicts of interest
  • Fair competition and responsible market behaviour

These principles align with internationally recognised frameworks, including the ILO conventions, the United Nations' Declaration of Human Rights, and the OECD’s Guidelines for Multinational Enterprises.

Compliance with the Code of Conduct is mandatory for all employees and forms part of onboarding, training, and ongoing awareness activities.

7.3 Anti-Corruption, Anti-Bribery, and Fraud Prevention

GRI 205: Anti-corruption 2016

Cicor applies a zero-tolerance approach to corruption, bribery, and fraudulent behaviour. The Company has established policies, procedures, and internal controls to prevent, detect, and respond to corruption risks in its own operations and business relationships.

Corruption risk assessments are conducted as part of Cicor’s broader compliance and risk management processes, with particular attention given to high-risk regions, business activities, and third-party relationships. Employees in relevant roles receive regular training on anti-corruption requirements, ethical decision-making, and compliance obligations.

Confirmed incidents of corruption or bribery are investigated promptly and addressed through disciplinary measures, contractual remedies or legal action, as appropriate. Cicor reports confirmed cases in line with GRI Standards requirements and applicable legal obligations. In 2025, one case of potential corruption was addressed as part of an investigation within the Cicor environment, with the necessary actions taken immediately.

7.4 Human Rights, Child Labour, and Forced Labour

GRI 2-23: Policy commitments

Respect for human rights is a fundamental component of Cicor’s governance framework. The Company prohibits child labour, forced labour, and any form of exploitation in its operations and throughout its supply chain.

These commitments are reflected in internal policies and extended to business partners through the Business Partner Code of Conduct, contractual clauses, and supplier compliance assessments. Cicor actively monitors and assesses human rights risks in its supply chain, and engages with suppliers to address identified risks or gaps.

Any confirmed violation of human rights standards results in immediate engagement with the relevant business partner, implementation of corrective actions and escalation measures, including termination of the business relationship where necessary. In 2025, no breaches relating to human rights, child labour or forced labour were reported within the Cicor governance structure.

7.5 Protection of Whistleblowers

GRI 2-26: Mechanisms for seeking advice and raising concerns
GRI 3-3: Management of material topics
GRI 406-1: Incidents of discrimination and corrective actions taken

Cicor operates a confidential and secure whistleblowing system, Integrity Line, that enables employees, business partners, and other stakeholders to report suspected misconduct, unethical behaviour, or violations of laws and Company policies without fear of retaliation.

The Integrity Line is accessible globally and allows anonymous reporting. All reports are assessed and investigated in accordance with defined procedures. Cicor ensures confidentiality, fairness, and objectivity throughout the investigation process, and prohibits any form of retaliation against individuals who raise concerns in good faith.

The whistleblowing system is a key component of Cicor’s Compliance Management System and supports early risk detection, transparency, and continuous improvement. In 2025, 8 cases were submitted and investigated through the Integrity Line processes. All investigations were closed within the legal timeframe of 90 days, including corrective actions and measures where necessary.

The Integrity Line is an integral component of Cicor’s Compliance Management System and plays a central role in the integration of newly acquired sites. As part of the onboarding process, new entities are systematically connected to the Group-wide whistleblowing and reporting framework, ensuring immediate access to a confidential and secure channel for reporting potential misconduct or compliance concerns.

By embedding the Integrity Line early in the integration phase, Cicor strengthens transparency, reinforces a speak-up culture, and ensures that uniform compliance standards are consistently applied across all locations.

7.6 Tax Compliance and Responsible Tax Practices

Cicor is committed to responsible tax practices and full compliance with applicable tax laws and regulations in all jurisdictions in which it operates. Tax governance is integrated into the overall compliance framework, with clearly defined roles, responsibilities, and internal controls.

The Company aims to pay taxes where economic value is created, and does not engage in aggressive tax planning or arrangements that are inconsistent with the intent of tax legislation. Tax-related risks are identified, assessed, and monitored as part of Cicor’s enterprise risk management processes.

7.7 Risk Management, Site-Level Improvement, and Business Continuity

Governance, compliance, and ethical risks are integrated into Cicor’s enterprise risk management framework, ensuring a holistic view of risks across the organisation. Risk assessments are regularly conducted at Group and site level, reflecting local regulatory environments, operational realities, and evolving external risks.

Each site is responsible for implementing and continuously improving its local risk management measures, in alignment with Group standards. Internal audits, assessments, and incident analyses support ongoing improvement, and lessons learned are shared across sites to promote alignment and the exchange of best practices.

Cicor continues to strengthen its business continuity planning, with a focus on operational resilience and crisis preparedness. Business continuity processes are being increasingly digitalised, which enables improved documentation, risk visibility, scenario analysis, and coordinated response across sites. This digitalisation enhances Cicor’s ability to respond effectively to disruptions such as geopolitical events, supply chain interruptions, cyber incidents or regulatory changes.

7.8 Communication and Business Partner Engagement

Cicor actively communicates its governance principles, ethical standards, and compliance expectations through mandatory training, regular internal communications, and onboarding processes. Compliance topics are reinforced through refresher training and targeted awareness initiatives.

Expectations for ethical behaviour and compliance are communicated transparently to business partners through the Business Partner Code of Conduct and contractual requirements. This reinforces the shared responsibility for responsible business conduct.

7.9 Digital Frontiers

GRI 3-3: Management of material topics
GRI 418: Customer Privacy 2016

In an increasingly digital and interconnected business environment, cybersecurity and data protection are critical to operational resilience, customer trust, and sustainable value creation. For Cicor, cybersecurity, digitalisation and the responsible use of emerging technologies, such as artificial intelligence (AI), are strategic priorities within the Cicor 2028 Strategy.

Cyber risks, data breaches, system failures or misuse of digital technologies can result in significant financial, operational and reputational impacts, including regulatory fines, legal exposure, business disruption and loss of stakeholder confidence. As regulatory requirements and stakeholder expectations continue to evolve, robust cybersecurity and data privacy practices are essential to managing risks and enabling long-term growth.

Governance and management approach

Cicor has established a Cicor-wide IT baseline to define minimum security standards across all sites. This baseline supports a consistent level of IT security, enhances transparency, and ensures preparedness for current and future regulatory requirements, including alignment with the EU NIS2 Directive. The IT baseline serves as a framework for continuous improvement in cybersecurity maturity across the Group.

Cybersecurity governance is anchored at entity level through local IT departments and supported by Group-wide policies, defined responsibilities, and oversight mechanisms. Multiple Cicor entities hold recognised IT security certifications, such as ISO/IEC 27001 or Cyber Essentials Plus, reflecting the Company’s commitment to internationally recognised standards.

Risk management processes include regular vulnerability assessments, penetration testing and system monitoring to identify and address emerging threats. Incident response protocols are in place to ensure timely detection, containment and remediation of cybersecurity incidents, minimising potential impact and restoring operations efficiently.

Cybersecurity incidents and continuous improvement

In 2025, Cicor screened a range of cybersecurity events, of which 13 were subject to further review. None were classified as critical, and none resulted in material financial losses, significant operational disruption, or reportable data breaches.

The incidents mainly involved spoofing attempts, identity-related alerts, isolated cases of supplier compromise, and limited concerns related to data privacy. Each event was detected and contained at an early stage through Cicor’s monitoring systems, multi-layered security architecture, and defined escalation and response processes. In line with the Company’s risk management and internal control systems, the lessons learned from these incidents were systematically analysed and integrated into the continuous improvement of the cybersecurity framework.

Measures included refining detection mechanisms, targeted awareness initiatives, and adjusting preventive controls where relevant. These activities support Cicor’s objective of maintaining a resilient digital environment, demonstrating the Company’s commitment to proactive cybersecurity risk management, continuous monitoring, and the ongoing enhancement of information security practices.

Digitalisation, AI, and future-oriented risk management

As part of the Cicor 2028 Strategy, the Company is accelerating digitalisation across business processes, while ensuring that cybersecurity and data protection are embedded by design. Cicor recognises that the increasing use of digital tools, automation, and AI introduces new opportunities alongside additional risks.

Cicor is committed to:

  • Integrating cybersecurity and data protection considerations into digital transformation initiatives
  • Applying risk-based controls to AI-enabled systems and digital applications
  • Strengthening governance frameworks to address emerging digital and AI-related risks
  • Continuously enhancing IT security capabilities and monitoring mechanisms

By embedding cybersecurity into digitalisation and AI initiatives, Cicor aims to enable innovation while maintaining ambitious standards of security, reliability, and ethical responsibility.

Data privacy and protection

Protecting data integrity, confidentiality, and availability is a priority for Cicor. The Company adheres to applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), to safeguard customer, employee, and stakeholder information.

Data protection measures include secure access controls, encryption technologies, defined data handling procedures, and regular reviews of data processing activities. Cicor continuously assesses privacy risks and implements safeguards to prevent unauthorised access to, misuse of, or loss of personal data. No material complaints regarding breaches of customer privacy were recorded during the reporting period.

Training and awareness

Employee awareness is a key element of effective cybersecurity. Cicor conducts regular training and awareness programmes to educate employees on recognising and responding to cyber threats, secure data handling, and responsible use of digital technologies. In 2025, this included a Group-wide cybersecurity initiative aimed at strengthening awareness and harmonising best practices across sites.

By investing in cybersecurity awareness, governance, and technology, Cicor not only protects its own operations, but also contributes to broader societal resilience against cyber threats. Responsible cybersecurity practices support trust in digital solutions, promote digital inclusion, and enable sustainable technological progress.

7.10 Contribution to Sustainable Value Creation

Strong governance structures, clearly defined KPIs, robust risk management processes, and continuous improvement at site level reduce legal, financial, and reputational risks, while strengthening trust among stakeholders. The ongoing digitalisation of risk management and business continuity planning enhances Cicor’s organisational resilience and supports consistent and reliable operations in an increasingly complex global environment.

In line with the Cicor Strategy 2028, these governance and compliance practices also contribute directly to customer and business partner value creation. Transparent, ethical, and compliant business conduct strengthens supply reliability, operational continuity, and product quality, enabling customers and business partners to meet their own regulatory, sustainability, and risk management requirements.

By embedding responsible governance and fair business practices into its strategic framework, Cicor fosters long-term, trust-based relationships with customers and business partners. This approach supports stable collaboration across the value chain, reduces disruption risks, and contributes to sustainable long-term value creation for the Company and its stakeholders.

7.11 Governance Monitoring

GRI 2-6: Activities, value chain and other business relationships
GRI 205-3: Confirmed incidents of corruption and actions taken
GRI 406-1: Incidents of discrimination and corrective actions taken

To ensure the effectiveness of its governance and compliance framework, Cicor has established KPIs that enable systematic monitoring, evaluation, and continuous improvement. These are defined at Group level and applied consistently across sites, allowing for comparability and transparency. These indicators include the following:

  • Completion rates of Code of Conduct and compliance training
  • Number, type, and resolution status of whistleblowing reports
  • Coverage and results of compliance risk assessments and internal audits
  • Implementation status of corrective and preventive actions

Indicator | Definition | 2025
Number of human rights and child labour breaches in own operations | Total number of confirmed human rights and child labour violations within Cicor’s own operations during the reporting period, identified through audits, investigations, or reporting channels. Target: zero breaches. | 0
Number of human rights and child labour breaches in value chain | Total number of confirmed human rights and child labour violations within Cicor’s value chain during the reporting period, identified through audits, investigations, or reporting channels. Target: zero breaches. | 0
Integrity Line cases | Number of reported Integrity Line cases | 8
Risk management and business reporting | Percentage of local sites with fully implemented and documented Risk Management and Business Continuity Plans (BCP), including defined responsibilities. | 100%

Data on supply chain structure covers all Cicor sites unless stated otherwise.

KPI results are reviewed regularly by Group Compliance and management. Insights gained from KPI monitoring inform risk prioritisation, resource allocation, and targeted improvement measures.

7.12 Governance Targets

Fiscal year 2025

Target | Description | Status
Risk Management & Business Continuity Planning | In 2025, a formal baseline for Risk Management and BCP was established across all sites, creating a transparent reference point for KPI monitoring, testing coverage, and continuous improvement going forward. | achieved
ESG Scoring Level | Level 3 of ESG Scoring achieved by all sites as part of the first round of reviews | achieved
Compliance Trainings | Group-wide compliance training framework implemented through the Cicor Academy and Compliance Knowledge Hub, complemented by a structured compliance news alert system. | achieved

Fiscal year 2026

Target | Description
Risk Management & Business Continuity Planning | 100% of sites maintain fully implemented and documented BCP and Risk Management frameworks, including regular testing and continuous improvement measures.
ESG scoring level | Achieving level 4 (Performance) for all sites that have been part of the Cicor Group from 2024
Strategic Compliance and Governance Roadmap | Implementation rate of the Strategic Compliance and Governance Roadmap measures (% of defined roadmap actions completed on time), ensuring continuous strengthening of governance, regulatory compliance, and Group-wide policy alignment.
