Description of material fields of risk

The material fields of risk and associated preventive measures presented in the previous business year’s Consolidated Management Report remain valid:

GEOPOLITICAL CONFLICTS AND THEIR IMPACT

The past business year continued to be characterized by geopolitical conflicts and tensions. Geopolitical developments remain a central focus of ongoing monitoring in order to identify any future effects on the voestalpine Group at an early stage and to proactively counteract potential risks in a constantly changing geopolitical environment in the best possible way with a robust and sustainable organization. For example, the activities initiated or derived at the beginning of the war in Ukraine to maintain and secure the supply of relevant raw materials and natural gas continue to apply and are listed in the section “Availability of Raw Materials and Energy Supplies.”

In addition to geopolitical conflicts, trade policy measures, such as tariffs and counter-tariffs, can also hinder economic growth. With regard to the uncertainties surrounding the US tariff policy, voestalpine is directly affected and already paid duties under the quota system of Section 232. Additionally, indirect disadvantages could arise from significantly increased uncertainties (such as sluggish economic growth, reduced demand, and negative impacts on supply chains). Countermeasures are being evaluated respectively successively implemented and may include, among other things, passing on increased prices to customers and further diversifying the customer portfolio. Existing exceptions will be fully utilized until they expire. Despite countermeasures, negative effects on the achievement of planned results in specific business areas of the Group may occur over the years to come. In an ongoing challenging economic environment, voestalpine continuously monitors potential consequences from (punitive) tariffs, global (trade) conflicts, and changing geopolitical conditions. This includes actively considering uncertainties arising from the US tariff policy.

RISKS OF DECARBONIZATION/CLIMATE PROTECTION PROGRAM GREENTEC STEEL

voestalpine is committed to the Paris Agreement on climate and aims to achieve net-zero emissions by 2050, in line with the trajectory of the EU Emissions Trading System. To address the challenge of decarbonizing steel production while also maintaining economic viability and competitiveness, voestalpine has developed the greentec steel climate protection program as a core element of its Group-wide climate transition plan. This program outlines a gradual shift to new technologies.

The technical conversion of existing production methods to emission-free/emission-reduced technologies presents a transitional risk for voestalpine. Further details can be found in the non-financial statement of the Management Report (chapters ESRS 2 SBM-3 E1 Climate change and ESRS E1 Climate change).

AVAILABILITY OF RAW MATERIALS AND ENERGY SUPPLIES

In order to ensure the long-term supply of raw materials and energy in the required qualities and quantities, the voestalpine Group has for many years been pursuing a diversified procurement strategy in line with the heightened political and economic risks of this globalized market. This is further reinforced by the various decarbonization efforts, as well as the geopolitical developments.

• For example, since the beginning of the war in Ukraine, alternative suppliers and transport routes have been activated to ensure the supply of relevant raw materials (such as iron ore, iron ore pellets, pulverized coal injection (PCI) coal, alloys) to the Group’s production plants (especially the steelworks in Austria). The short-term holding of inventories of critical raw materials (such as iron ore and coal) also helps to bridge short-term supply bottlenecks.
• In addition, for several years, the voestalpine Group has contractually secured its own natural gas storage facilities to secure the natural gas supply (particularly for heat treatment and for the rolling mills at the Austrian sites). With the gas storage reserve of approximately 1.0 TWh as of March 2025, voestalpine can maintain full operation for about two months in case of a complete failure of external supply, or partial operation for several months, depending on the specific production methods. In addition, work has been and continues to be carried out with existing and new suppliers to expand sources of natural gas supply. For example, natural gas supplies from non-Russian sources are increasingly being transported to Austria via routes other than the conventional Russian-Ukrainian transport corridors to support ongoing operations. In the event of a potential natural gas bottleneck, contingency plans would also come into effect in which production could gradually be adjusted to the available energy volumes. Last but not least, the Group’s international orientation with 500 companies and locations worldwide—and therefore numerous unaffected locations outside Europe—would also make it possible to compensate for production bottlenecks to some extent. Bottlenecks can be avoided by the adaptability of the supply and logistics processes to new challenges.
• Long-term supply relationships, long-term supply contracts, further expansion of the supplier portfolio and optimizations in self-supply and circular economy principles (e.g., in terms of scrap metal, the possibilities of a circular economy along the entire value chain are being intensified by further expanding or establishing supply opportunities with customers, suppliers and process partners) form the core elements of a diversified procurement strategy, which is of increased importance given geopolitical events and the volatility in raw material markets (for more details, see the "Raw Materials" chapter in this Management Report).

Developments in the supply of energy and, in particular, natural gas and raw materials supplies are constantly monitored, especially in regards to geopolitical developments, and evaluated in regular discussions between experts and the Management Board.

In the area of energy supply, the development of alternative energy resources continues to be actively explored and driven forward. In addition to the systematic expansion of our own renewable energy capacities and the purchase of renewable energy based on long-term PPAs (Power Purchase Agreements), the focus here remains on numerous research and demonstration projects, particularly in the areas of hydrogen, biogas and biomass, as well as in alternative iron and steel production technologies (such as “H2FUTURE” [hydrogen pilot plant], “HYFOR” [Hydrogen-Based Fine-Ore Reduction], and smelter as well as “SuSteel” [Sustainable Steel-making]). Ongoing optimization of energy efficiency in production processes is also continuously being examined and advanced. Research activities in the field of carbon capture, utilization, and storage (CCUS) complete the overall picture.

Further details on individual aspects can be found in the non-financial statement of the Management Report (chapters "ESRS 2 SBM-3 E1 Climate change" and "ESRS E1 Climate change").

HEDGING THE PRICE OF RAW MATERIALS AND ENERGY

Objectives, principles, responsibilities and accountabilities as well as methods, procedures, and decision-making processes for dealing with commodity and energy price risks are set out in an internal guideline. Based on this and taking into account the individual characteristics of the business model of the respective Group company, prices are hedged by means of short-term supply contracts with a fixed price agreement or by means of derivative financial instruments. To partially hedge against long-term electricity price fluctuations, Power Purchase Agreements (PPAs) are used. Depending on the business model of the Group company concerned, changes in energy and commodity prices can for the most part be passed on to customers, sometimes with a time delay. In this case, the aim of risk management is to secure the previously determined contribution margins of the sales contracts. Iron ore, coke, coking coal, zinc, nickel, CO₂, cobalt, and energy (electricity, natural gas) are subject to raw materials risk and energy risk management. The goal is to reduce the fluctuation in earnings from the volatility of raw material and energy prices to a level that is consistent with the principle of conservative financial policy as defined in the voestalpine Group’s financial constitution. The issue of security of supply (procurement risk) has already been addressed under “Availability of raw materials, energy supply.” The comprehensive measures help to ensure financial stability and strengthen the company’s resilience to volatile markets and to effectively manage relevant risks with the necessary flexibility.

DISRUPTIONS IN LOGISTICS AND SUPPLY CHAINS

In general, global supply chains can be disrupted by geopolitical conflicts (such as the war in Ukraine), trade disputes (including related shifts in production), or other events (such as an epidemic or pandemic). Disruptions or rerouting can occur due to issues with suppliers or customers, interruptions in transport routes, or as a result of sanctions, embargoes and trade barriers. The focus on less vulnerable supply chains and the simultaneous broadening of logistical options have already significantly increased the reliability and resilience of our logistics and supply chains in the past (e.g., when transporting raw materials). Diversified procurement strategies and supply chains serve to provide the best possible protection and resilience against unforeseen events. Current developments are continuously monitored and assessed, especially in view of emerging global trade conflicts.

FAILURE OF PRODUCTION FACILITIES

To minimize the risk of failures in critical equipment, necessary modernization and replacement investments have been, and will continue to be, planned and implemented over the long term. Additionally, targeted and extensive investments have been made in the technical optimization of sensitive units. Additional measures have been implemented to continuously improve the performance and reliability of the plants and further minimize the risk of failure. These include consistent, systematic and preventive maintenance, risk-oriented storage of critical spare parts, and appropriate employee training. In addition, emergency plans for essential equipment have been put in place to minimize any potential risks.

Emergency generators are available to protect critical facilities and processes at key sites in case of sudden, unplanned interruptions to power (i.e., blackouts). These generators can be used to support limited operations, emergency modes, and, in extreme cases, a controlled plant shutdown. Additionally, a dedicated power plant with black start capability is operated at the Linz site, for example. For this purpose, internal special networks (dedicated, self-contained, isolated areas) are available. Regular run-throughs of a range of scenarios are carried out (e.g., tests of the emergency generators and the emergency and communications plans for different failure scenarios) to ensure that the facilities are ideally prepared for adverse events. Potential damage to equipment caused by various blackout scenarios is regularly analyzed and assessed, with appropriate preventive measures taken. Existing measures are also reviewed for effectiveness and adjusted as needed.

Existing emergency plans are regularly evaluated by the respective experts for various scenarios and adapted to new or changed circumstances if necessary.

IT SECURITY, FAILURE OF IT SYSTEMS

Services for business and production processes that primarily rely on complex IT systems are provided at most Group sites by IT subsidiaries wholly owned by voestalpine AG. These include voestalpine group-IT GmbH in Austria and its sister companies in Germany, Brazil, and China. Due to the critical importance of IT security and IT availability, and to further minimize any potential IT outage and IT security risks, minimum IT security standards, including requirements for Business Continuity Management, are in place. These standards are regularly adjusted to new circumstances, and compliance is audited annually through both internal and external audits. voestalpine’s highly qualified Security Operation Center (SOC) ensures that security-relevant incidents are identified and rectified on an ongoing basis, thereby also contributing to prevention. To reduce the risk of unauthorized access to IT systems and applications, additional penetration tests are conducted. In the past financial year, extensive online campaigns were again launched to raise awareness among employees regarding security topics, with a focus on the dangers of phishing attacks. Furthermore, an IT security roadmap is being implemented to continuously enhance security through technical measures. This includes, among other things, continuing the network segmentation between production and office IT. In an internal working group, information on potential cyber-fraud attacks (e.g., social engineering, CEO fraud, payment and/or delivery diversion, phishing) is regularly collated, and preventive measures are developed or adapted as needed. To prevent any potential cyber-fraud attacks, related online campaigns are conducted (including simulated phishing awareness programs), and specialized e-learning courses are offered to further raise awareness among employees. Additionally, the use of artificial intelligence is subject to Group-wide usage and security guidelines. All of these measures are aimed at reducing the risk and downtime of IT systems due to cyber attacks, human error, tampering, hardware failures, and similar causes, or keeping them as low as possible.

PERSONNEL RISKS

In the voestalpine Group, employees and their expertise and dedication are a key success factor. The positioning of voestalpine AG as an attractive employer, combined with a range of employee retention measures, is intended to ensure the availability of qualified specialists to the required extent. Ongoing training and education, fair working conditions and terms, a modern working environment and a wide range of development opportunities are some of the key aspects in this regard. Internal apprentice training is another focal point.

KNOWLEDGE MANAGEMENT/ PROJECT MANAGEMENT

To sustainably safeguard the Group’s knowledge, and especially to prevent the loss of existing expertise, complex projects have been initiated, which are consistently implemented, further developed, and adjusted as needed. Besides permanently documenting all available knowledge, new insights from key projects as well as from lessons learned as a result of unplanned events are incorporated where appropriate. Detailed process documentation, especially in IT-supported areas, also contributes to securing the available knowledge.

Any risks arising from projects (e.g., from major projects and investments) are countered by using a wide range of project management tools, appropriate project monitoring, and, depending on the size of the project, by holding regular project oversight meetings with the involvement of top management. In particular, this also concerns any risks associated with ramp-ups and/or cost increases. Insights gained from past activities are also compiled in the sense of lessons learned and form the basis for ongoing enhancements of existing tools to ensure that they are consistently applied in future projects.

COMPLIANCE RISKS

Compliance violations (e.g., antitrust and corruption violations) represent a significant risk and may have adverse effects in that they may trigger financial losses and damage the Group’s reputation. A Group-wide compliance management system is designed to counteract these risks, particularly antitrust and corruption violations. In-person training focused on particular topics is part of this system, along with e-learning programs. Further details can be found in the non-financial statement of the Management Report (chapters ESRS 2 SBM-3 Material impacts, risks, and opportunities and their interaction with strategy and business model as well as ESRS G1: Business conduct).

RISKS OF NONCOMPLIANCE WITH DATA PROTECTION REQUIREMENTS

Violations of requirements under data protection laws may have adverse financial effects and lead to reputational damage. A data protection unit has been established based on the data protection requirements that apply throughout the Group. It helps Group company managers fulfil their responsibilities regarding compliance with statutory and intra-Group data protection requirements. Topic-focused e-learning is offered as a supplementary measure.

RISKS FROM NATURAL HAZARDS, PHYSICAL CLIMATE RISKS

Short- and medium-term physical risks related to natural hazards and associated with climate change are outlined in the non-financial statement of the Management Report (chapters ESRS 2 SBM-3 E1 Climate change and ESRS E1 Climate change). For the identified risks, existing preventive measures are reviewed to ensure they are up-to-date and complete during regular drills, tests of existing emergency plans, site inspections, and risk surveys conducted with insurance providers. These measures are updated or expanded as needed to reflect new conditions. Existing insurance coverage for natural hazards and other risks is also regularly reviewed for relevance in collaboration with our in-house insurance company, voestalpine Insurance Broker GmbH. All implemented measures are regularly evaluated for effectiveness in order to manage risks and counter the progression of climate change as effectively as possible.

OTHER SUSTAINABILITY RISKS

Potential additional sustainability risks, including issues such as climate and environmental protection, social and employee matters, respect for human rights, and anti-corruption, are considered in terms of potential impact at all levels and in line with the Group’s sustainability strategy. Further details can be found in the non-financial statement of the Management Report (chapters ESRS2 SBM-3 Material impacts, risks, and opportunities and their interaction with strategy and business model and in the topic-specific chapters).

Activities required to comply with the German Supply Chain Due Diligence Act have been initiated. Process requirements for affected sites have been rolled out and are being addressed on an ongoing basis. To prepare for the European Supply Chain Due Diligence Act, initial implementation measures have been started, and developments regarding other regulatory requirements are being continuously monitored and assessed.

STRUCTURAL CHANGE IN EUROPEAN INDUSTRY (DEINDUSTRIALIZATION OF EUROPE)

High energy and labor costs, strict environmental requirements, bureaucratic barriers, and regulatory uncertainties are burdening Europe’s position and could lead, for example, to an increasing shift of production and investments abroad, a decline in sales volumes and margins, a further rise in insolvencies, and competitive disadvantages due to one-sided regulations.

Interests and positions on issues relevant to the voestalpine Group (e.g., in relation to politics, administration, institutions, interest groups, civil society organizations (NGOs), and stakeholders) are externally represented in close coordination with the Management Board and internal line management, in order to actively and constructively shape the necessary framework conditions (e.g., for a successful transformation), and thereby create or shape the optimal environment for voestalpine’s economic success.

Further details on individual aspects can be found in the non-financial statement of the Management Report (chapters ESRS2 SBM-3 E1 Climate change and ESRS E1 Climate change).

RISKS FROM THE FINANCIAL SECTOR

Financial risk management is organized centrally regarding policy-making power, strategy setting, and target definition. The existing policies include targets, principles, duties, and responsibilities that apply to both Group Treasury and the finance departments of individual Group companies. Financial risks are monitored continuously and hedged where feasible. Our strategy for managing foreign currency risks is aimed, in particular, at creating natural hedges. The management of other risks (interest rates and raw materials) serves to reduce fluctuations in both cash flows and income and to safeguard contribution margins. Market risks are largely hedged using derivative financial instruments that are used exclusively in connection with an underlying transaction.

Liquidity risk

Liquidity risks generally arise when a company is potentially unable to raise the funds necessary to meet its financial obligations. Existing liquidity reserves enable the company to meet its obligations on time, even in times of crisis. Over and above the liquidity reserves, a precise liquidity plan that is prepared on a revolving, quarterly basis is the Group’s primary instrument for controlling liquidity risk. Group Treasury centrally determines the need for new funding and bank credit lines based on the consolidated operating results. The planned liquidity requirement for the next twelve months consists of scheduled cash outflows for repayments of bonds, loans and other financial liabilities, dividends, investments, and identified working capital needs. When considering uncommitted working capital financing programs, a distinction is made between asset-side structured programs (e.g., factoring) and liability-based programs (e.g., supplier finance). While the latter must be almost fully backed by liquidity reserves due to their dependence on the Group’s creditworthiness, the coverage requirement for factoring programs is lower. This is due to the risk diversification across numerous debtors, the collateral-like structure, and the ability to continue the programs even under stress conditions. The liquidity reserve set against liquidity requirements consists of short-term available treasury cash balances, unused committed credit lines with maturities of more than one year, planned positive free cash flows, contractually fixed asset disposals, and, if applicable, highly liquid securities holdings. Liquidity reserves must cover the identified liquidity needs for the upcoming twelve months. As far as banking policies are concerned, care is taken to avoid concentration risks by diversifying the financial partners. Particular attention is also paid to boosting the company’s internal funding capacity.

Credit risk

Credit risk refers to financial losses that may occur due to non-fulfillment of contractual obligations by individual business partners. The credit risk of the underlying transactions is largely mitigated through a high proportion of credit insurance and bankable securities (such as guarantees and letters of credit). The default risk related to the Group’s remaining own risk is managed by way of defined credit assessment, risk evaluation, risk classification, and credit monitoring processes. The ongoing Ukraine war did not cause loan insurers to significantly reduce credit limits in individual customer segments, nor have these events led to greater receivable charge-offs. Counterparty credit risk in financial contracts is managed through daily monitoring of the counterparties’ credit ratings and any changes in their credit default swap (CDS) levels. Investment limits, weighted by the probability of default (PD), are allocated on that basis.

Foreign currency risk

Foreign currency risk management primarily aims to create a natural hedge (cross-currency netting) within the Group by combining the cash flows. Hedging is centrally managed by the Group Treasury using derivative instruments. voestalpine AG hedges the budgeted net foreign currency cash flows with a horizon of up to twelve months. Longer-term hedging is carried out only in connection with contracted project business. While the hedging ratio is between 25% and 100% of the budgeted cash flows for the next 12 months, the amount of the hedging ratio depends on the business model of the respective Group company concerned. In addition, the hedging ratio generally decreases with maturity.

Interest rate risk

voestalpine AG conducts interest rate risk assessments centrally for the entire Group. In particular, this entails managing cash flow risks (i.e., the risk that interest expense or interest income may undergo an adverse change). As of the March 31, 2025 reporting date, a one percentage point increase in interest rates would increase the net interest expense associated with bank loans and capital market liabilities in the subsequent business year by EUR 0.4 million. However, this is a reporting date assessment that may be subject to fluctuations over time.

Price risk

voestalpine AG also assesses price risk. Scenario analyses are primarily used to quantify interest and currency risks.

Risk of economic crime

To prevent fraudulent activities, the voestalpine Group has established a comprehensive internal control system (ICS) designed to minimize risks associated with business processes, avoid errors, and support the Group in achieving its objectives as effectively as possible. The ICS aims to prevent asset and reputational losses caused by asset-damaging acts, such as unlawful enrichment through theft, fraud, breach of trust, forgery, embezzlement, acceptance of benefits, favoritism, and similar actions intended to gain personal or other advantages. The internal control system includes Group-wide binding policies and guidelines approved by voestalpine AG’s Management Board and is mandatory for all Group companies, along with key control measures. Additionally, due to the decentralized structure of the voestalpine Group, the local management of each Group company is responsible for designing a supplementary ICS that meets the specific requirements of their company, while complying with Group directives and any mandatory external regulations. The ICS framework at voestalpine spans all organizational units, hierarchical levels, and business areas, and is integrated into all business processes. It must be applied and adhered to by all employees and managers throughout the Group. Compliance and implementation are monitored by central functions such as Group Internal Audit. The internal control system at voestalpine, like its risk management, is based on internationally recognized frameworks from COSO (Committee of Sponsoring Organizations of the Treadway Commission).