ESRS G1 Business conduct

Responsible business conduct forms the basis for lasting success and social trust. The focus in this regard is on key issues such as business ethics and upholding a value-based corporate culture characterized by integrity, transparency, and active anti-corruption and bribery practices. The protection of whistleblowers plays just as important a role as the respectful and fair treatment of all stakeholders. Clear principles have also been established to govern supplier relationships: fair payment practices and a dialogue based on partnership—especially with small and medium-sized enterprises—are essential. When combined, these aspects form the basis of modern business conduct, which is actively practiced and continuously developed at voestalpine.

The following table provides specific information on SBM‑3:

Impact, risk, and opportunity management

G1‑1 – Corporate culture and business conduct policies

Corporate values

Shared values act as a strong anchor that provides security, support, and orientation. They strengthen the corporate culture and sense of unity. In addition, binding corporate values support the implementation of the Group strategy and provide the basis for specific rules and operational guidelines.

Entrepreneurial mindset

We are guided by success.

Our approaches and actions are entrepreneurial. Our passion for solutions and innovation provides the basis for joint action. We are team players primed for success because we always seek the best possible outcome together.

In so doing, we always work to our customers’ benefit while also considering our other stakeholders. We strive for excellence in our actions—and let it be our guide.

The practice of respect

We build upon our diversity as a team.

We are respectful and fair toward each other, our customers, and our partners.

We trust each other and align with values common to us. We create a motivating work environment infused with team spirit, where respectful cooperation is at the core of our actions, day in and day out.

Sustainable practices

We perform our jobs responsibly.

In our daily work, all of us act autonomously within defined responsibilities, demanding and fostering high degrees of individual responsibility. We remain curious and do not rest on our laurels; instead, we constantly evolve together to bring about continual improvements. Our actions are sustainable, proactive, and forward looking.

It is our corporate culture that makes us who we are: One step ahead.

The corporate culture significantly influences the success of a company by shaping the values and behaviors of employees and promoting cooperation. The voestalpine culture is continually being refined to strengthen our Group-wide identity in this sense.

Corporate culture can be indirectly evaluated through employee surveys by assigning the questions to one or more company values to the greatest possible extent. This allows correlations and conclusions about the company values to be derived. The results of the 2024 employee survey were reported to the Management Board at a board meeting.

The Code of Conduct forms the foundation of the corporate culture. It sets out the ethical standards and behaviors that voestalpine expects from all employees and reflects the Group’s commitment to integrity, transparency, and corporate social responsibility. Since 2013, voestalpine has supported the UN Global Compact (UNGC) with its ten principles that address labor standards, environmental protection, and the fight against corruption alongside the promotion of human rights. voestalpine is therefore opposed to all forms of corruption, including extortion and bribery.

Code of conduct and compliance guidelines based on it

Our employees are integral to the Group’s success and are therefore key to both the trust placed in voestalpine and its reputation. This is precisely why it is important to establish unequivocal principles on matters of ethics and morality in business. The Code of Conduct and the compliance guidelines based on it provide the relevant parameters to that end. By providing guidance to employees in their daily actions and decisions, it shapes the corporate culture by making every employee a role model. The Management Board is explicitly and emphatically committed to both this Code of Conduct and a zero-tolerance policy toward violations thereof.

The Code of Conduct requires voestalpine companies in all countries in which they operate and all their employees to comply with all applicable laws. It also set forth how to handle dealings with stakeholders such as customers, suppliers, employees, and other business partners.

The voestalpine Code of Conduct was enshrined in writing in 2009. It is the result of numerous conversations and discussions at the level of the Management Board as well as among executive management and department heads of the voestalpine Group. It is based on the Group’s corporate values and provides the basis for ethically and legally sound conduct on the part of all of the Group’s employees. The principles and requirements documented in the voestalpine Code of Conduct and in the Code of Conduct for Business Partners are rooted in the Human Rights Policy, the UN Guiding Principles (UNGPs) on Business and Human Rights, the principles enshrined in the UN Global Compact (UNGC), the International Bill of Human Rights, the Core Labour Standards promulgated by the International Labour Organization, and the United Nations Convention against Corruption.

The Code of Conduct and the directives based on it (compliance guidelines) are continuously evaluated and, if necessary, adapted to take into account new social and legal requirements. Most recently for instance, necessary adjustments were made to the Code of Conduct due to the EU Directive on transparent and predictable working conditions, and the topics of tax and biodiversity were explicitly anchored in the Code. The Code of Conduct has been published in more than 20 languages and can be downloaded from the Internet: https://www.voestalpine.com/compliance/en

The Code of Conduct applies to all members of the Management Board, the managing directors, and the non-executive employees of all entities in which voestalpine AG has a direct or indirect interest of at least 50% or which it controls in some other way. As regards all other companies in which voestalpine AG has a direct or indirect stake of at least 25% but does not control them, the Code of Conduct is brought to their attention with the request that they enforce it by having their corporate decision-making bodies recognize it of their own volition.

Any employee who violates laws, regulations, internal guidelines, rules, and instructions, or provisions of the Code of Conduct may be subject to disciplinary measures. Moreover, violations may also have consequences under criminal and/or civil law, e.g., claims to compensation and claims for damages.

voestalpine aims to have the Code of Conduct apply throughout its sphere of influence. Suppliers and consultants are required to comply with the Code of Conduct for Business Partners (see details below) and are called on to respect and observe human rights as fundamental values.

All of voestalpine’s business partners are also requested to reasonably promote adherence to the Code of Conduct among their own business partners along the supply chain. Additionally, Group companies are urged to bring the Code of Conduct to the attention of their customers and to strongly encourage them to commit to compliance therewith.

voestalpine AG has adopted several Group guidelines that serve as a helpful tool for employees in applying the Code of Conduct. The compliance rules and regulations associated with the voestalpine Code of Conduct currently comprise the following and can be found on the Intranet:

Business Conduct Policy

These guidelines supplement and flesh out the Code of Conduct with respect to issues of corruption, bribery, acceptance of gifts, and conflicts of interest. For example, they regulate the permissibility of gifts, invitations, and other benefits; donations and sponsoring; secondary employment as well as the private purchase of goods and services by voestalpine employees from customers and suppliers. The section entitled Business conduct also addresses the prohibition of political contributions. The voestalpine Group does not allow donations to politicians, political parties, organizations affiliated with political parties, or political front organizations. This does not apply to political precursor organizations that are devoted solely to social issues and have been individually approved by the Management Board of voestalpine AG.

Guideline on dealings with brokers and consultants

This guideline contains additional supplemental information on issues of corruption, bribery, and the acceptance of gifts. It defines the procedure to be complied with prior to engaging sales representatives, agents, and other marketing consultants. Conducting an objective analysis of business partners’ environment and scope of activities (business partner check) before establishing business relationships with them serves to ensure that the business partners also comply with both applicable law and the voestalpine Code of Conduct.

Antitrust Policy

This guideline describes the prohibition of agreements restricting competition, establishes rules for dealing and interacting with industry associations, professional associations, and/or other sector organizations, and defines particular rules of conduct for all employees of the voestalpine Group. Additionally, manuals have been developed with respect to issues of information sharing and benchmarking, procurement alliances, and supplier relationships with competitors, which provide employees with information on these topics from an antitrust perspective.

Compliance manual and compliance violation prevention program

These rules and regulations explain voestalpine’s compliance management system and provide information on the Group’s compliance strategy and compliance structure. They likewise set forth the responsibilities for processing suspected compliance incidents, such as allegations of corruption or bribery. They also provide information on steps taken to prevent and identify compliance violations as well as on the potential repercussions and sanctions such violations may trigger. Information on the web-based whistleblower system, which allows compliance violations to be reported anonymously, can also be found in these regulations. Further information on the whistleblower system can be found below.

Code of Conduct for Business Partners

These rules and regulations that are directed toward suppliers of goods and services as well as toward brokers, consultants, and other business partners define the principles and requirements for doing business with voestalpine. Among other things, voestalpine requires its business partners to respect and comply with human rights as fundamental values in accordance with the International Bill of Human Rights, the UN Guiding Principles (UNGPs) on Business and Human Rights, and the Core Labor Conventions of the International Labor Organization (ILO). In particular, this applies to the prohibition of child and forced labor; the prohibition of human trafficking in any way, shape, or form; the equal treatment of employees; and the right to employee representation and collective bargaining. Business partners must also undertake to comply with environmental protection standards and to set scientifically verifiable targets for reducing their carbon footprint. In fact, the business partners must abide by their commitments not just in their own sphere of activity; they must also require their own suppliers to act accordingly and must verify compliance with these commitments in the supply chain. The Code of Conduct for Business Partners has been published in several languages and can be downloaded from the Internet: https://www.voestalpine.com/compliance/en

Code of Conduct for voestalpine’s Lobbyists (Lobbying Code of Conduct)

voestalpine’s Lobbying Code of Conduct regulates dealings with stakeholders in Austria as well as in Europe and internationally in accordance with the Austrian Lobbying and Advocacy Transparency Act in order to provide a clear and transparent framework for lobbying activities. Just as with the general Code of Conduct, the Lobbying Code of Conduct is also binding for all members of the Management Board, the managing directors, and the non-executive employees of all entities in which voestalpine AG has a direct or indirect interest of at least 50% or which it controls in some other way. Whenever lobbying activities are supported by external parties, care must be taken to ensure that the latter also commit to compliance with the present Code of Conduct. The Lobbying Code of Conduct has been published in German and English and can be downloaded from the Internet: https://www.voestalpine.com/compliance/en

Mechanisms for identifying, reporting, and investigating concerns about unlawful conduct

Responsibility and compliance organization

Upholding the compliance requirements is the responsibility of every member of every management board, every CEO and executive, and every employee. The management board/executive management of each Group company is responsible for effectively implementing, maintaining, and continuously improving voestalpine’s compliance management system, which is based on the Group compliance guidelines. The voestalpine Group has established and internal compliance system to help management fulfill this responsibility, and to set up the processes and control mechanisms required to that end. Aside from a Group Compliance Officer, a Divisional Compliance Officer has been appointed for each division; additional Compliance Officers are appointed in particular divisional sub-units. The Group Compliance Officer reports directly to the Chairman of the Management Board. The Divisional Compliance Officers report to both the Group Compliance Officer and the respective division heads who are members of the Management Board.

Compliance organization

Group and Divisional Compliance Officers are appointed and dismissed by voestalpine AG’s Management Board; the member of voestalpine AG’s Management Board responsible for each individual division has a right of nomination with respect to divisional Compliance Officers. Any additional Compliance Officers who may be appointed at the level of divisional sub-units are appointed and dismissed by the respective operating company of that division.

Compliance officers are responsible for the following topics:

• Antitrust law

• Corruption

• Compliance with capital market regulations

• Fraud (internal cases of theft, fraud, misappropriation, or embezzlement)

• Conflicts of interest

• Special topics assigned to the Compliance organization by the Management Board of voestalpine AG (e.g., in connection with issues related to UN or EU sanctions

All other Compliance issues—e.g., environmental law, taxes, invoicing, labor law, protection of employees, or data privacy—do not fall under the purview of the Compliance Officers’ powers. Other organizational units are responsible for these compliance issues.

In addition to management, the Compliance organization also supports employees in complying with the compliance requirements, including through regular on-site and online training, training, management discussions, and ongoing information initiatives. Awareness campaigns are also conducted regularly to increase awareness of compliance within the Group. More information on training can be found in chapter G1‑3 under “Preventive activities.”

Whistleblower system

https://www.bkms-system.net/

The voestalpine Group encourages all employees who observe any violations, or who have seen activities which they suspect might constitute a violation, to report the occurrence. Pursuant to the Code of Conduct, such reports may be addressed to the individual’s direct supervisor; the appropriate legal or human resources department; the management of the respective Group company; the Internal Audit and risk management departments of voestalpine AG; the Group Compliance Officer; or one of the Divisional Compliance Officers. Upon request, whistleblowers are ensured of absolute confidentiality. Employees who report identified violations of laws, the Code of Conduct, or other internal guidelines and regulations will not be subject to reprisals or negative consequences of any kind. This also applies to other persons who contribute important information for the investigation of such misconduct. This provision is in accordance with the applicable law transposing Directive (EU) 2019/1937 (“Whistleblower Directive”).

Furthermore, an option to anonymously report violations via a web-based whistleblower system has been available since 2012. The voestalpine Group relies on the EQS Group’s many years of expertise with the BKMS^® system, the anonymity of which has been certified by an independent body, in this regard. The BKMS^® system can be used by both employees and external whistleblowers. The areas for which misconduct can be reported on the whistleblower system were extended in 2022/23 business year to include the following topics:

• Antitrust, corruption, fraud, conflicts of interest, capital market compliance

• Discrimination, sexual harassment, bullying, human rights

• Data privacy and protection

• Technical compliance with special reference to adhering to technical standards and certifications in production processes and IT security

• Environmental Information

• Health and safety

• Violations in other areas

The whistleblower system allows the appropriate Compliance Officers to communicate with whistleblowers while maintaining absolute anonymity. Since the expansion of reporting options in December 2022, a total of 246 incidents have been reported in different areas. The system has established itself as a trusted point of contact and is widely used. The high level of acceptance shows that employees and other authorized persons actively use the whistleblower system to report grievances or irregularities.

Number of reports received on the whistleblower system

Information on the various reporting channels—in particular the whistleblower system—is generally available both on the intranet and on the voestalpine website at https://www.voestalpine.com/group/en/group/compliance/reporting-misconduct/. Employees are also informed about the reporting channels and the process for reviewing reports, and receive training on how to use the system. This is achieved by sending emails to the workforce or with posters, for example, as well as through on-site and online compliance training courses. More information on training can be found in chapter G1‑3 under “Preventive activities.”

voestalpine’s compliance management system described here and in chapter G1‑3 comprises clear rules of conduct, internal control mechanisms, a whistleblower system, and training programs designed to ensure that risks of corruption and bribery are systematically identified, assessed, and effectively managed. During the reporting period, voestalpine’s compliance management system in the areas of antitrust law, corruption and the whistleblower system for the Austrian Group companies were certified by Austrian Standards in accordance with internationally recognized standards (ISO 37301:2021, ISO 37001:2025, ISO 37002:2021). The corresponding certificate can be viewed on the website at https://www.voestalpine.com/compliance/en.

For this chapter, no measurable targets have been defined in the reporting period in accordance with ESRS 2 para. 81b—nevertheless, the company is continuously pursuing the effectiveness of existing activities and policies. The compliance framework is continuously evaluated and, if necessary, adapted to ensure that it meets current requirements and effectively contributes to minimizing risks. Various procedures are used to track the effectiveness of the compliance management system, in particular the independent certification of the compliance management system, audits, and the evaluation of the whistleblower system’s acceptance.

G1‑2 – Management of relationships with suppliers

At voestalpine, procurement is organized in consideration of economic, environmental, and social aspects. It revolves around the central goal of establishing fair relationships with suppliers, including small and medium-sized enterprises (SMEs). Environmental and social criteria are incorporated into the selection process for suppliers.

In order to enhance supply chain management, voestalpine is currently creating the organizational and procedural bases to gradually extend the existing due diligence process—which to date has been limited to companies subject to the Supply Chain Due Diligence Act (LkSG)—to the whole Group. Compliance with human rights and measures to reduce CO₂ emissions are a particular focus in this regard.

As a Group-wide directive, the Due Diligence User Manual governs the due diligence procedures in supply chain management and outlines measures for awarding contracts in procurement. Supply chain management at voestalpine follows a risk-based approach. The identification, assessment, and prioritization of risks is based on the OECD guidelines for fulfilling the due diligence requirements for responsible business conduct. This approach ensures that resources are employed in a targeted manner and that the most important and urgent issues are addressed first. In practice, this risk-based approach is implemented in a three-stage process (see figure below). In the first step, supplier prioritization, any risk exposure of suppliers on the basis of country and product group-specific risks is identified. This analysis and categorization must be carried out every year for all active suppliers, including those that were added as new suppliers in the year in question. In the second step, performance review measures are conducted for all suppliers previously classified as high or medium risk, in order to understand their individual sustainability performance and specify the actual risks. The third step aims to achieve continuous supplier development to improve their sustainability performance and awareness of their responsibility with regard to human rights and the environment, and ultimately to avoid and mitigate risks. Here too, action is based on the actual requirements.

Risk-based approach for sustainable supplier management

The analysis of product group-specific risks focuses on product groups that are purchased on a regular basis by voestalpine and that are associated with potential sustainability risks. Sustainability risks are defined as potential violations of laws and guidelines on human rights and environmental protection (see table below). This also includes the risk of potential violations of human and labor rights that may affect workers in the supply chain. These human rights risks are at the heart of the analysis and are summarized in the table below.

The country-specific risk assessment is carried out using public indices that encompass governance and sustainability. Two widely available sources are used by voestalpine to this end: the Worldwide Governance Indicators (source: World Bank) and the CSR Risk Check (source: MVO Nederland). A total of 213 countries and territories are covered by these indices. The combination of the two indices results in an overall risk assessment for each country and region. The following table shows the result of this risk assessment in the business year 2024/25. The data was based on all active suppliers in the business year. Internal value-added orders were not taken into account.

To ensure financial stability in supply chain—especially for SMEs—voestalpine relies on clear payment terms, digital payment monitoring systems, and automated payment reminders. Regular training courses for involved employees support the timely processing of payments. These actions aim to strengthen transparency in procurement, provide financial security for suppliers, and promote environmental and corporate social responsibility along the supply chain.

For more information on human rights compliance and related actions, see chapter S2.

G1‑3 – Prevention and detection of corruption and bribery

Design to prevent corruption and bribery, voestalpine’s compliance management system is based on the following pillars:

• Risk analysis: Identification of compliance risks within the Group through continuous analysis of potential compliance risk areas.

• Prevention: For purposes of prevention, the Group undertakes activities to ensure ethics-based management and to raise awareness, which includes putting measures in place to monitor adherence to the Group’s compliance rules. These include but are not limited to communications activities, training programs, and educational events as well as elements of the internal control system.

• Detection: In order to identify compliance violations, in addition to the various reporting channels the Group has instituted—in particular the whistleblower system—investigations and audits, as circumstances warrant.

• Response: Whenever it has identified compliance violations, the Group takes precautions to avert further compliance violations (e.g., by imposing additional oversight measures, educational events, and training programs).

• Sanction: When compliance violations occur, appropriate sanctions are imposed. These include consequences under employment law, filing charges with the appropriate authorities, terminating contracts with third parties, etc.

The Compliance organization at voestalpine is responsible for investigating cases of suspected corruption (more information on the Compliance organization can be found in chapter G1‑1 under “Responsibility and Compliance Organization”). As the highest authority in the Compliance organization, the Group Compliance Officer reports directly to the Chairman of the Management Board. The Officer ensure reports are handled in an objective and timely manner. The members of the administrative, management, and supervisory bodies address the topic of corruption and bribery at meetings of the Management Board and Supervisory Board, as well as in committees of the Supervisory Board as circumstances require.

Once a year, the Group Compliance Officer also prepares a summary compliance report that includes at least the following points:

• Type and extent of compliance incidences that have been the subject of reports and investigations

• Status of any pending administrative or judicial proceedings related to compliance incidents

• Educational events, training programs, and communications measures carried out

• Sanctions imposed

The annual compliance report is submitted to the Management Board and Supervisory Board of voestalpine AG In addition, reporting to the Management Board and Supervisory Board is carried out on an ad hoc basis.

Preventive activities

As part of its compliance management, voestalpine places particular importance on preventive activities. These include, in particular, training, management meetings, and ongoing information initiatives. Compliance is therefore a recurring theme, particularly at the major employee events at Group and divisional level, but also for top management. This focus on compliance ensures that the policies are accessible and that the impacts are understood by employees. Similarly, successful independent certification of the compliance management system during the reporting period (see G1‑1) also helps to raise awareness of compliance issues and contributes to the continuous improvement of compliance processes. It also promotes employee awareness and highlights the importance of adhering to Group-wide compliance standards.

Employees learn how to deal with issues that include invitations, gifts, and potential conflicts of interest in periodic training courses, training sessions, and management meetings on the topic of business ethics (compliance training). Employees are also trained in dealing with business intermediaries.

Since 2009, the voestalpine Group has been using mandatory e-learning courses to raise awareness on the topic of compliance among its employees. This e-learning curriculum is currently available in 14 languages and has been repeatedly revised and expanded over time. In addition to the learning units, the courses also present case studies and require a final test.

Key e-learning topic: “Compliance basics”

Key e-learning topic: “Fair competition”

Key e-learning topic: “Recap – fair competition”

Key e-learning topic: “protection against corruption”

Certain groups, such as employees in procurement, sales, and senior executives, are at higher risk of corruption and bribery. In addition, voestalpine operates in countries where there is generally a higher risk of corruption. Alongside the e-learning courses, mandatory target group-oriented classroom-based and online training courses are therefore carried out throughout the Group, especially for employees in high-risk roles such as sales or procurement. This mandatory training is generally focused on adherence to the law and internal guidelines as well as on the topics of (anti)corruption and antitrust law as it applies to the participants’ respective sphere of activity. voestalpine AG employees also need to complete classroom-based training on the topic of compliance with capital market regulations.

Regardless of their function, all new employees of a Group company must complete the e-learning course “Compliance basics.” Compliance training is also mandatory for young executives. Four face-to-face training courses were held in the 2025/26 business year (2024/25: five) as part of the value:program management training program, each of which was attended by up to 40 people.

The following tables provide an overview of the level of compliance training that was completed by employees, executives, and the managing directors of voestalpine in 2025/26. Of the 5,820 training courses assigned, in particular for high-risk functions (antitrust law, antitrust law refresher course as well as compliance and anti-corruption training), around 94.59% were successfully completed in the reporting period. Of the 315 (= 5.41%) training courses not yet completed, only around 35% are overdue, while around 65% are still within the scheduled completion period.

Face-to-face training: 1,606 participants in the business year 2025/26

Participants by (at-risk) function and sector (previous year’s figures in brackets)

The training program outlined here covers all functions across the Group (100%) that have been identified as at-risk in a risk analysis.

Metrics and targets

G1‑4 – Confirmed incidents of corruption and bribery

There were no convictions or fines for violations of anti-corruption and anti-bribery laws during the reporting period. This also continues to apply to the case of the accounting errors identified at a German Group company in the Metal Forming Division, as set out under this heading in the 2024/25 consolidated non-financial statement. Accordingly, no incident-related measures had to be taken to address such violations. More information on preventive actions can be found in chapter G1‑3.