ESRS G1 Business conduct

Responsible business conduct forms the basis for lasting success and social trust. The focus in this regard is on key issues such as business ethics and upholding a value-based corporate culture characterized by integrity, transparency, and active anti-corruption and bribery practices. The protection of whistleblowers plays just as important a role as the respectful and fair treatment of all stakeholders. Clear principles have also been established to govern suppliers relationships: Fair payment practices and a dialogue based on partnership—especially with small and medium-sized enterprises—are essential. This commitment is complemented by responsible and comprehensible exercise of political influence, involving transparent lobbying activities. When combined, these aspects form the basis of modern business conduct, which is actively practiced and continuously developed at voestalpine.

The following table provides specific information on SBM-3:

Impact, risk, and opportunity management

G1-1 – CORPORATE CULTURE AND BUSINESS CONDUCT POLICIES

CORPORATE VALUES

Shared values act as a strong anchor that provides security, support, and orientation. They strengthen the corporate culture and sense of unity. In addition, binding corporate values support the implementation of the Group strategy and provide the basis for specific rules and operational guidelines.

ENTREPRENEURIAL MINDSET

We are guided by success.

Our approaches and actions are entrepreneurial. Our passion for solutions and innovation provides the basis for joint action. We are team players primed for success because we always seek the best possible outcome together.

In so doing, we always work to our customers’ benefit while also considering our other stakeholders. We strive for excellence in our actions—and let it be our guide.

THE PRACTICE OF RESPECT

We build upon our diversity as a team.

We are respectful and fair toward each other, our customers, and our partners.

We trust each other and align with values common to us. We create a motivating work environment infused with team spirit, where respectful cooperation is at the core of our actions, day in and day out.

SUSTAINABLE PRACTICES

We perform our jobs responsibly.

In our daily work, all of us act autonomously within defined responsibilities, demanding and fostering high degrees of individual responsibility. We remain curious and do not rest on our laurels; instead, we constantly evolve together to bring about continual improvements. Our actions are sustainable, proactive, and forward looking.

It is our corporate culture that makes us who we are: One step ahead.

The corporate culture significantly influences the success of a company by shaping the values and behaviors of employees and promoting cooperation. The voestalpine culture is continually being refined to strengthen our Group-wide identity in this sense.

Corporate culture can be indirectly evaluated through employee surveys by assigning the questions to one or more company values to the greatest possible extent. This allows correlations and conclusions about the company values to be derived. The results of the 2024 employee survey were reported to the Management Board at a board meeting.

The Code of Conduct forms the foundation of the corporate culture. It sets out the ethical standards and behaviors that voestalpine expects from all employees and reflects the Group’s commitment to integrity, transparency, and corporate social responsibility. Since 2013, voestalpine has supported the UN Global Compact (UNGC) with its ten principles that address labor standards, environmental protection, and the fight against corruption alongside the promotion of human rights. voestalpine is therefore opposed to all forms of corruption, including extortion and bribery.

Code of Conduct and compliance guidelines based on it

Our employees are integral to the Group’s success and are therefore key to both the trust placed in voestalpine and its reputation. This is precisely why it is important to establish unequivocal principles on matters of ethics and morality in business. The Code of Conduct and the compliance guidelines based on it provide the relevant parameters to that end. By providing guidance to employees in their daily actions and decisions, it shapes the corporate culture by making every employee a role model. The Management Board is explicitly and emphatically committed to both this Code of Conduct and a zero-tolerance policy toward violations thereof.

The Code of Conduct requires voestalpine companies in all countries in which they operate and all their employees to comply with all applicable laws. It also set forth how to handle dealings with stakeholders such as customers, suppliers, employees, and other business partners.

The voestalpine Code of Conduct was enshrined in writing in 2009. It is the result of numerous conversations and discussions at the level of the Management Board as well as among executive management and department heads of the voestalpine Group. It is based on the Group’s corporate values and provides the basis for ethically and legally sound conduct on the part of all of the Group’s employees. The principles and requirements documented in the Code of Conduct and the Code of Conduct for business partners are rooted in the Human Rights Policy, the UN Guiding Principles (UNGPs) on Business and Human Rights, the principles enshrined in the UN Global Compact (UNGC), the International Bill of Human Rights, and the United Nations Convention against Corruption.

The Code of Conduct and the directives based on it (compliance guidelines) are continuously evaluated and, if necessary, adapted to take into account new social and legal requirements. Most recently for instance, implementation of the EU Directive on protection for whistleblowers and changes required in connection with supply chain management as well as necessary adjustments due to the EU Directive on transparent and predictable working conditions were anchored within the voestalpine Code of Conduct. The Code of Conduct has been published in more than 20 languages and can be downloaded from the Internet: https://www.voestalpine.com/group/en/group/compliance

The Code of Conduct applies to all members of the Management Board, the managing directors, and the non-executive employees of all entities in which voestalpine AG has a direct or indirect interest of at least 50% or which it controls in some other way. As regards all other companies in which voestalpine AG has a direct or indirect stake of at least 25% but does not control them, the Code of Conduct is brought to their attention with the request that they enforce it by having their corporate decision-making bodies recognize it of their own volition.

Any employee who violates laws, regulations, internal guidelines, rules, and instructions, or provisions of the Code of Conduct may be subject to disciplinary measures. Moreover, violations may also have consequences under criminal and/or civil law, e.g., claims to compensation and claims for damages.

voestalpine aims to have the Code of Conduct apply throughout its sphere of influence. Suppliers and consultants are required to comply with the Code of Conduct for Business Partners (see details below) and are called on to respect and observe human rights as fundamental values.

All of voestalpine’s business partners are also requested to reasonably promote adherence to the Code of Conduct among their own business partners along the supply chain. Additionally, Group companies are urged to bring the Code of Conduct to the attention of their customers and to strongly encourage them to commit to compliance therewith.

voestalpine AG has adopted several Group guidelines that serve as a helpful tool for employees in applying the Code of Conduct. The compliance rules and regulations associated with the voestalpine Code of Conduct currently comprise the following and can be found on the Intranet:

Business conduct

These guidelines supplement and flesh out the Code of Conduct with respect to issues of corruption, bribery, acceptance of gifts, and conflicts of interest. For example, they regulate the permissibility of gifts, invitations, and other benefits; donations and sponsoring; secondary employment as well as the private purchase of goods and services by voestalpine employees from customers and suppliers. The section entitled Business conduct also addresses the prohibition of political contributions. The voestalpine Group does not allow donations to politicians, political parties, organizations affiliated with political parties, or political front organizations. This does not apply to political precursor organizations that are devoted solely to social issues and have been individually approved by the Management Board of voestalpine AG.

Dealings with brokers and consultants

This guideline provides additional information on the topics of corruption, bribery, and the acceptance of gifts. It defines the procedure to be complied with prior to engaging sales representatives, agents, and other marketing consultants. An objective analysis of business partners’ environment and scope of activities before establishing business relationships with them serves to ensure that the business partners also comply with both applicable law and the voestalpine Code of Conduct.

Antitrust law

This guideline describes the prohibition of agreements restricting competition, establishes rules for dealing and interacting with industry associations, professional associations, and/or other sector organizations, and defines particular rules of conduct for employees of the voestalpine Group. Additionally, manuals have been developed with respect to issues of information sharing and benchmarking, procurement alliances, and supplier relationships with competitors, which provide employees with information on these topics from an antitrust perspective.

Compliance manual and compliance violation prevention program

These rules and regulations explain voestalpine’s compliance management system and provide information on the Group’s compliance strategy and compliance structure. They likewise set forth the responsibilities for processing suspected compliance incidents, such as allegations of corruption or bribery. They also provide information on steps taken to prevent and identify compliance violations as well as on the potential repercussions and sanctions such violations may trigger. Information on the web-based whistleblower system, which allows compliance violations to be reported anonymously, can also be found in these regulations. Further information on the whistleblower system can be found below.

Code of Conduct for Business Partners

These rules and regulations that are directed toward suppliers of goods and services as well as toward brokers, consultants, and other business partners define the principles and requirements for doing business with voestalpine. They were comprehensively revised and expanded in the 2022/23 business year. Among other things, voestalpine requires its business partners to respect and comply with human rights as fundamental values in accordance with the International Bill of Human Rights, the UN Guiding Principles (UNGPs) on Business and Human Rights, and the Core Labor Conventions of the International Labor Organization (ILO). In particular, this applies to the prohibition of child and forced labor; the prohibition of human trafficking in any way, shape, or form; the equal treatment of employees; and the right to employee representation and collective bargaining. Business partners must also undertake to comply with environmental protection standards and to set scientifically verifiable targets for reducing their CO₂ footprint. In fact, the business partners must abide by their commitments not just in their own sphere of activity; they must also require their own suppliers to act accordingly and must verify compliance with these commitments in the supply chain. The Code of Conduct for Business Partners has been published in several languages and can be downloaded from the Internet: https://www.voestalpine.com/group/en/group/compliance

Code of Conduct for voestalpine’s Lobbyists (Lobbying Code of Conduct)

voestalpine’s Lobbying Code of Conduct regulates dealings with stakeholders in Austria as well as in Europe and internationally in accordance with the Austrian Lobbying and Advocacy Transparency Act in order to provide a clear and transparent framework for lobbying activities. Just as with the general Code of Conduct, the Lobbying Code of Conduct is also binding on all members of the Management Board, the managing directors, and the non-executive employees of all entities in which voestalpine AG has a direct or indirect interest of at least 50% or which it controls in some other way. Whenever lobbying activities are supported by external parties, care must be taken to ensure that the latter also commit to compliance with the present Code of Conduct. The Lobbying Code of Conduct has been published in German and English and can be downloaded from the Internet: https://www.voestalpine.com/group/en/group/compliance

MECHANISMS FOR IDENTIFYING, REPORTING, AND INVESTIGATING CONCERNS ABOUT UNLAWFUL CONDUCT

Responsibility and compliance organization

Responsibility for adherence to compliance regulations rests with the individual Group company’s management. A compliance system was established in the voestalpine Group to help management fulfil this responsibility and to set up the processes required to that end. Aside from a Group Compliance Officer, a Divisional Compliance Officer has been appointed for each division; additional Compliance Officers are appointed in particular divisional sub-units. The Group Compliance Officer reports directly to the Chairman of the Management Board. The Divisional Compliance Officers report to both the Group Compliance Officer and the respective division heads who are members of the Management Board.

Compliance Organization

Group and Divisional Compliance Officers are appointed and dismissed by voestalpine AG’s Management Board; the member of voestalpine AG’s Management Board responsible for each individual division has a right of nomination with respect to divisional Compliance Officers. Any additional Compliance Officers who may be appointed at the level of divisional sub-units are appointed and dismissed by the respective operating company of that division.

Compliance officers are responsible for the following topics:

• Antitrust law
• Corruption
• Compliance with capital market regulations
• Fraud (internal cases of theft, fraud, misappropriation, or embezzlement)
• Conflicts of interest
• Special topics assigned to the Compliance organization by the Management Board of voestalpine AG (e.g., in connection with issues related to UN or EU sanctions)

All other Compliance issues—e.g., environmental law, taxes, invoicing, labor law, protection of employees, or data privacy—do not fall under the purview of the Compliance Officers’ powers. Other organizational units are responsible for these compliance issues.

In addition to management, the Compliance organization also supports employees in complying with these requirements, including through regular on-site and online training, training, management discussions, and ongoing information initiatives. Awareness campaigns are also conducted regularly to increase awareness of compliance within the Group. More information on training can be found in chapter G1-3 under “Preventive activities.”

Whistleblower system

https://www.bkms-system.net/

The voestalpine Group encourages all employees who observe any violations, or who have seen activities which they suspect might constitute a violation, to report the occurrence. Pursuant to the Code of Conduct, such reports may be addressed to the individual’s direct supervisor; the appropriate legal or human resources department; the management of the respective Group company; the Internal Audit and risk management departments of voestalpine AG; the Group Compliance Officer; or one of the Divisional Compliance Officers. Upon request, whistleblowers are ensured of absolute confidentiality. Employees who report identified violations of laws, the Code of Conduct, or other internal guidelines and regulations will not be subject to reprisals or negative consequences of any kind. This also applies to other persons who contribute important information for the investigation of such misconduct. This provision is in accordance with the applicable law transposing Directive (EU) 2019/1937 (“Whistleblower Directive”).

Furthermore, an option to anonymously report violations via a Web-based whistleblower system has been available since 2012. The voestalpine Group relies on the EQS Group’s many years of expertise with the BKMS^® system, the anonymity of which has been certified by an independent body, in this regard. The BKMS^® system can be used by employees and external whistleblowers. The areas for which misconduct can be reported on the whistleblower system were extended in 2022/23 business year to the following:

• Antitrust, corruption, fraud, conflicts of interest, capital market compliance
• Discrimination, sexual harassment, bullying, human rights
• Data privacy and protection
• Technical compliance, in particular compliance with technical standards and certifications in production processes; IT security
• Environment
• health & safety
• Violations in other areas

The whistleblower system makes it possible for the appropriate Compliance Officers to communicate with whistleblowers while maintaining absolute anonymity. Since the expansion of reporting options in December 2022, a total of 171 incidents have been reported in different areas. The system has established itself as a trusted point of contact and is widely used. The high level of acceptance shows that employees and other authorized persons actively use the whistleblower system to report grievances or irregularities.

Number of reports received on the whistleblower system

Information on the various reporting channels—in particular on the whistleblower system—is publicly available both on the intranet and on the voestalpine website at https://www.voestalpine.com/group/en/group/compliance/reporting-misconduct/. Employees are also informed about the reporting channels and how reports are processed, and receiving training on how to use the system. Corresponding information is disseminated in email newsletters sent to employees or through posters, as well as at in-person and online compliance training. More information on training can be found in chapter G1-3 Prevention and detection of corruption and bribery under “Preventive activities.”

For this chapter, no measurable targets have been defined in the reporting period in accordance with ESRS 2 para. 81b—nevertheless, the company is continuously pursuing the effectiveness of existing actions and policies. The compliance framework is continuously evaluated and, if necessary, adapted to ensure that it meets current requirements and effectively contributes to minimizing risks. Various procedures are used to track the effectiveness of the compliance management system, in particular audits and the evaluation of the whistleblower system’s acceptance.

G1-2 – MANAGEMENT OF RELATIONSHIPS WITH SUPPLIERS

At voestalpine, procurement is organized in consideration of economic, environmental, and social aspects. It revolves around the central goal of establishing fair, long-term relationships with suppliers, including small and medium-sized enterprises (SMEs). Environmental and social criteria are incorporated into the selection process for suppliers.

In order to enhance supply chain management, voestalpine is currently creating the organizational and procedural bases to gradually extend the existing due diligence process—which has been limited to companies subject to the Supply Chain Due Diligence Act (LkSG) until now—to the whole Group and all suppliers. Compliance with human rights and measures to reduce CO₂ emissions are a particular focus in this regard. For more information on human rights compliance and related actions, see chapter S2 Workers in the value chain.

To ensure financial stability in supply chain—especially for SMEs—voestalpine relies on clear payment terms, digital payment monitoring systems, and automated payment reminders. Regular training courses for involved employees support the timely processing of payments. These actions aim to strengthen transparency in procurement, provide financial security for suppliers, and promote environmental and corporate social responsibility along the supply chain.

G1-3 – PREVENTION AND DETECTION OF CORRUPTION AND BRIBERY

Design to prevent corruption and bribery, voestalpine’s compliance management system is based on the following pillars:

• Risk analysis: Identification of compliance risks within the Group through continuous analysis of potential compliance risk areas.
• Prevention: For purposes of prevention, the Group undertakes activities to ensure ethics-based management and to raise awareness, which includes putting measures in place to monitor adherence to the Group’s compliance rules. These include but are not limited to communications activities, training programs, and educational events as well as elements of the internal audit system.
• Detection: In order to identify compliance violations, in addition to the various reporting channels the Group has instituted—in particular the whistleblower system—, the Group also conducts investigations and audits, as circumstances warrant.
• Response: Whenever it has identified compliance violations, the Group takes precautions to avert further compliance violations (e.g., by imposing additional oversight measures, educational events, and training programs).
• Sanction: When compliance violations occur, the Group imposes appropriate sanctions. These include consequences under employment law, filing charges with the appropriate authorities, terminating contracts with third parties, etc.

The Compliance organization at voestalpine is responsible for investigating cases of suspected corruption (more information on the Compliance organization can be found in chapter G1-1 Corporate culture and business conduct policies under “Responsibility and Compliance Organization”). As the highest authority in the Compliance organization, the Group Compliance Officer reports directly to the Chairman of the Management Board. The Officer ensure reports are handled in an objective and timely manner. The members of the administrative, management, and supervisory bodies address the topic of corruption and bribery at meetings of the Management Board and Supervisory Board, as well as in committees of the Supervisory Board as circumstances require. Once per year, the Group Compliance Officer also prepares a summary report for voestalpine AG’s Management Board. This report must contain at least the following points:

• Type and extent of compliance incidences that have been the subject of reports and investigations;
• Status of any pending administrative or judicial proceedings related to compliance incidents;
• Educational events, training programs, and communications measures carried out;
• Sanctions imposed.

The annual compliance report is also submitted to the Supervisory Board. In addition, reporting to the Management Board and Supervisory Board is carried out on an ad hoc basis.

PREVENTIVE ACTIVITIES

As part of its compliance management, voestalpine places particular importance on preventive activities. These include, in particular, training, management meetings, and ongoing information initiatives. Compliance is therefore a recurring theme, particularly at the major employee events at Group and divisional level, but also for top management. This focus on compliance ensures that the policies are accessible and that the impacts are understood by employees.

Employees learn how to deal with issues that include invitations, gifts, and potential conflicts of interest in periodic training courses, training sessions, and management meetings on the topic of business ethics (compliance training). Employees are also trained in dealing with business intermediaries.

The voestalpine Group has been offering e-learning courses on the topic of compliance since 2009. This e-learning curriculum is available in 15 languages and has been repeatedly revised and expanded over time. In addition to the learning units, the courses also present case studies and require a final test.

KEY E-LEARNING TOPIC: “COMPLIANCE BASICS”

KEY E-LEARNING TOPIC: “FAIR COMPETITION”

KEY E-LEARNING TOPIC: “RECAP – FAIR COMPETITION”

KEY E-LEARNING TOPIC: “PROTECTION AGAINST CORRUPTION”

Certain groups, such as employees in procurement, sales, and senior executives, are at higher risk of corruption and bribery. In addition, voestalpine operates in countries where there is generally a higher risk of corruption. Alongside the e-learning courses, target group-oriented face-to-face and online training courses are therefore carried out throughout the Group, especially for employees in high-risk roles such as sales or procurement. This training is generally focused on adherence to the law and internal guidelines as well as on the topics of (anti)corruption and antitrust law as it applies to the participants’ respective sphere of activity. Face-to-face training on issues of compliance with capital market regulations is also provided to employees of voestalpine AG.

Regardless of their function, all new employees of a Group company must complete the e-learning course “Compliance basics.” Compliance training is also mandatory for young executives. Five face-to-face training courses were held in the 2024/25 business year as part of the value:program leadership development program, each of which was attended by up to 40 people.

The following tables provide an overview of the level of compliance training that was completed by employees, executives, and the managing directors of voestalpine in 2024/25.

Face-to-face training: 1,992 participants in the business year 2024/25

Participants by (at-risk) function and sector

The training program outlined here covers all functions across the Group that have been identified as at-risk in a risk analysis.

Metrics and targets

G1-4 – CONFIRMED INCIDENTS OF CORRUPTION OR BRIBERY

There were no convictions or fines for violations of anti-corruption and anti-bribery laws during the reporting period. Therefore, no ad hoc action had to be taken to address such violations. For information on preventive measures, see chapter G1-3 — Prevention and detection of corruption and bribery.

The following case has not led to any convictions or fines to date, but is cited here in view of the media attention in the 2024/25 business year: In early February 2024, deliberate accounting errors to improve results were identified at a German Group company in the Metal Forming Division. Further investigation revealed that the accounting errors dated back to the 2012/13 business year. Assets such as advance payments, receivables, and contract assets were overstated. Inventory accounts were increased due to accounting errors or necessary entries were omitted, such as write-offs of manufacturing costs in relation to tool settlements or advance payments. The accounting errors were corrected in full in the 2023/24 financial statements and ultimately led to revisions totaling EUR 100 million. There were no cash outflows as a result. Detailed reviews of similar Group companies have not revealed any accounting errors aimed at improving results.

In parallel to the accounting treatment of the incident in the 2023/24 financial statements, investigations were launched in February 2024 to identify the causes and responsibilities behind the incident, as well as the lessons that can learned from them. This comprehensive investigation of the very complex situation was carried out by a specialist auditing firm and a German law firm. In the course of the investigation, interviews were conducted, documents and electronic correspondence were reviewed, and a large number of entries were analyzed. The investigation resulted in initial suspicion being placed on two former members of the management board of the German Group company in question regarding the instigation, involvement in, or toleration of accounting errors. As a result, voestalpine filed a criminal complaint against these two former members of executive management in September 2024. At the time the accounting errors were identified, the two members of executive management were no longer active in the voestalpine Group. The criminal complaint was not followed up due to the statute of limitations in Germany. In Austria, the Vienna Public Prosecutor’s Office for Economic Affairs and Corruption has launched an investigation .

At present, the damage incurred by this case has been limited to consultancy fees and remains in the low single-digit million range. voestalpine assumes that the taxes overpaid due to the accounting errors can be virtually fully recovered. In the business year 2024/25, tax refund claims in the amount of EUR 19.2 million (excl. interest) have been recognized as income. Claims for compensation were asserted against two former members of the Management Board—out of court to date. Based on the findings from the investigation, improvement measures were defined in the internal control system both for the Group company and the affected business unit of the Metal Forming Division, and for the Group, the implementation of which has largely been completed.