Compliance

NORMA Group SE’s compliance organization seeks to prevent violations of laws and other rules, in particular by taking preventive measures. Nevertheless, if there is evidence of violations, these matters are investigated promptly and thoroughly and the necessary consequences are taken. Findings are used to take steps to reduce the risk of future violations. Concrete steps are defined, implemented and tracked annually in a “Compliance Action Plan.”

The group-wide compliance activities are managed by the Chief Compliance Officer of NORMA Group SE. The Chief Compliance Officer regularly reports to the Executive Vice President Integrity and is able to report directly to the Chairman of the Management Board if necessary. In addition to the Compliance department in place at Group level, there are Compliance Delegates at the regional and individual company levels. The three regional Compliance Delegates for the EMEA, Americas and Asia-Pacific regions report to the Compliance department at NORMA Group. In addition, each operating Group company has its own local Compliance Delegate, who reports to the respective Regional Compliance Delegate. The Supervisory Board is responsible for monitoring the appropriateness of the Compliance Management System.

The compliance organization conducts risk analyses together with the relevant units, functions and specialist departments, on the basis of which the compliance organization identifies the need for action and initiates appropriate measures.

Employee training courses are held regularly on selected risk areas and important current topics or developments. In addition to training on specific focus topics, all employees worldwide are trained on the basic compliance rules and important content of the compliance policies. Participation in these training courses is documented and monitored. The training courses of basic importance, which must be completed as basic training by all NORMA Group employees with a PC workstation, include the online training courses “Code of Conduct & Compliance Basics” and “Anti-Corruption.” Depending on the job profile, employees must attend specific focus training sessions (including ‘Antitrust and Competition Law’). Refresher training courses are offered as required. In addition, all employees with a PC workstation must complete the “Data Protection” Integrity training course every year. In addition, relevant employees are also assigned the “Information Security Basics” training course on an annual basis. Compliance Safety Cards were developed in relevant languages for employees without a PC workstation, particularly those in the area of production, in order to clearly communicate important compliance issues. The compliance organization also offers face-to-face training on an ad hoc basis, if necessary. Employees also receive

relevant, up-to-date compliance information regularly and on an ad hoc basis via various information channels, the intranet, brochures, e-mails and notices, for example. Key training figures are reported in the CR report.

The COMPLIANCE GUIDELINES of NORMA Group represent an important means of communicating to employees NORMA Group’s understanding of compliance and demonstrating their ethical and legal obligations. All compliance documents are reviewed regularly and, if necessary, adapted to new legal or social requirements and thus always kept up to date. In the past fiscal year, the existing compliance guidelines were supplemented by a dedicated guideline on whistleblower protection.

The compliance guidelines also include requirements in the area of HUMAN RIGHTS (including forced and child labor, freedom of association and anti-discrimination). Suppliers have their own code of conduct (“Supplier Code of Conduct”), which was updated in the past fiscal year and supplemented in particular with relevant information security requirements. The Supplier Code of Conduct is intended to help ensure that laws and ethical rules are also observed within NORMA Group’s supply chain. The compliance guidelines are as well reviewed and updated on a regular basis to determine whether changes are necessary.

NORMA Group encourages its employees to report violations of regulations and internal guidelines, if necessary also across hierarchy levels. In addition to personally approaching superiors, the HR department or the Compliance Delegates, an Internet-based whistleblower system is available for this purpose WHISTLEBLOWER SYSTEM. This whistleblower system allows internal and external whistleblowers to report suspicious cases to NORMA Group’s compliance organization and, if necessary, to maintain their anonymity. In cases where the electronic whistleblower system cannot be easily used by employees for technical or organizational reasons (for example, lack of PC access by employees in production), NORMA Group offers other reporting channels, such as personal reports to NORMA Group Compliance as well as information boxes at production sites. In addition to the main electronic whistleblower channel, NORMA Group offers additional or alternative reporting channels at all sites where local laws require these. In addition, any member of NORMA Group’s compliance organization can be contacted at any time regarding all questions and issues related to compliance.

Both the suitability and the appropriateness of the reporting system are reviewed on a regular basis – with regard to the requirements of the “Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019, on the protection of persons who report infringements of Union law” (so-called “Whistleblower Protection Directive”) as well as the respective implementing laws of the member states, for example. The system is adapted if necessary. NORMA Group is closely monitoring further developments with regard to the implementation in national laws by individual EU member states in which NORMA Group also operates reporting channels, which in some cases contradict the EU Directive. Necessary adjustments are made if required.

The members of the compliance organization investigate any indications of compliance violations. If violations of compliance rules are discovered or weaknesses in the organization are identified, the management initiates the necessary and appropriate measures in consultation with the compliance organization in a timely manner. These measures range, depending on the specific individual case, for example, from targeted training measures to changes in organizational procedures to disciplinary measures including termination of employment.