Material impacts, risks, and opportunities and their interaction with strategy and business model (SBM-3)

Material impacts, risks, and opportunities

Classification

Time horizon

Value chain

Impacts, risks, and opportunities

Impact, risk, opportunity

short-term

medium-term

long-term

upstream

own activities

downstream

Business conduct (ESRS G1)

Risk

Risk

Information security is a key issue for NORMA Group with high relevance for its own operations. The identified risks affect both internal processes and the entire value chain and are directly related to the business model, corporate strategy, and decision-making. In particular, this includes the risk of unintentional disclosure of confidential information and the risk of order losses due to non-compliance with customer-specific TISAX requirements. To effectively counter these risks, NORMA Group relies on a comprehensive risk management system, clear compliance guidelines, and regular training. This is intended to ensure that all necessary actions are taken to identify, assess, and manage risks at an early stage.

Policies related to information security

The Company is committed to using resilient and secure systems, processes, and procedures to continuously guarantee the confidentiality, integrity, and availability of information – information security is therefore a central foundation for all business activities and operational security. NORMA Group pursues an active security culture that is promoted through training and employee involvement. Moreover, the Company has transparent, practical policies, training, and ongoing improvement and risk management processes in place. Systematically and effectively strengthening the information security management system over the long term also reduces the probability of damage occurring and its impact, thereby not only minimizing financial losses but also creating trust among stakeholders. NORMA Group maintains an information security management system (ISMS) that is based on the requirements of the “Trusted Information Security Assessment Exchange” (TISAX) standard of the German Association of the Automotive Industry (VDA) as well as other recognized best practices and international standards (e.g., ISO 27001). This ISMS aims to ensure information security through systematic planning, implementation, maintenance, review, and continuous improvement.

The structure and elements of the ISMS are defined by the Information Security Policy, which was rolled out in financial year 2024. This guideline forms the basis for the strategic direction and operational actions in the area of information security. It defines the key principles, objectives, and rules that control the implementation and continuous improvement of the ISMS. The guideline – like the ISMS as a whole – aims to ensure that all relevant security aspects are integrated into daily processes.

The Information Security Guideline applies to NORMA Group and all subsidiaries as well as to all employees, including executives, managers, temporary workers, and freelancers, and relevant external parties such as partners and suppliers. The Management Board and local management bear overall responsibility for information security and support the implementation of the guideline and the actions derived from it.

Taking action on material impacts on information security, and approaches to managing material risks and pursuing material opportunities related to information security, and effectiveness of those actions

NORMA Group has implemented targeted actions to achieve its information security goals and actively manage risks in the area of information security. The central task of information security is to identify, assess, and actively manage potential risks.

The following actions are implemented in the area of information security: The process for auditing in accordance with the TISAX standard of the German Association of the Automotive Industry (VDA) includes careful preparation and implementation of the necessary steps. As part of the information security management system, threats and risks are analyzed in detail and actions are taken to mitigate or eliminate them. Continuous monitoring and review of information security takes into account IT infrastructure, processes, technologies, and structures, among other things. The respective activities are carried out in coordination between NORMA Group Information Security and NORMA Group IT, among others. The aim of this approach is to provide effective protection against security breaches and to safeguard the integrity of the Company’s assets. In addition, rules of conduct and structural improvements are implemented to mitigate risks such as cyber attacks or natural disasters.

The Group Information Security Officer is responsible for continuously monitoring the status of information security and the measures implemented to ensure the protection of confidentiality, integrity, and availability.

Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities

NORMA Group has defined a clear ambition for information security, which is anchored in the information security management system. The Group Information Security Officer makes the guidelines available to relevant employees and external partners, e.g., via the intranet page, the website, or by email.

In order to demonstrably and verifiably introduce the standards of the information security management system at relevant NORMA Group sites, the units defined as relevant provide evidence in accordance with the TISAX standard and have an external audit carried out. The certification requirements and scope must be closely coordinated with the customer.

In addition, the aim is for 100% of commercial employees in the units defined as relevant to successfully complete the “Information Security Basics” e-learning course each year. NORMA Group monitors progress toward these targets and takes action where necessary.

Metrics on information security

Completion rate of “Information Security” training per year and employee, taking into account the TISAX-certified sites

NORMA Group uses a Company-specific metric to measure progress toward the defined goals in the area of information security. This metric records the ratio of completed e-learning courses on information security to the total number of training enrollments based on the defined enrollment criteria. Completion of the e-learning course is mandatory for all commercial employees who work for a company within the scope of TISAX certification.

No dedicated training courses on information security were offered in the TISAX-relevant units in reporting year 2025. The completion of more than 200 information security training courses recorded in 2025 results from the 2024 training campaign, for which enrollment did not take place until the fourth quarter of 2024 and most of the training courses were held in the first quarter of 2025. They are therefore attributable to 2024 in accordance with the relevant definition of the training metric and were recognized accordingly in the previous year’s report. The new information security training campaign is in the finalization phase at the time of reporting; the roll-out is scheduled for the first quarter of 2026.

Legend

These contents are part of the Non-financial Group Report and were subject to a separate limited assurance examination.