Systematic compliance management means defining uniform company-wide standards and developing scalable processes for the relevant requirements. The core objectives of an effective compliance management system include the prevention of legal violations by the company and its employees, the promotion of lawful conduct within the company and the identification, individualization and minimization of risks in connection with legal violations.
The Management Board is obliged to set up appropriate internal control systems throughout the Group to avoid risks (that could potentially jeopardize the continued existence of the company) and to take the corresponding organizational precautions. As part of its supervisory duties, the Supervisory Board is obliged to ensure that the prevention of the relevant risks is given appropriate priority within the company and that the relevant monitoring systems are functioning. In accordance with the rules of procedure for the Supervisory Board, the Audit Committee prepares the review of the effectiveness of the company’s internal controls and thus also the effectiveness of the system for ensuring compliance with and observance of the statutory provisions and internal guidelines by the Group companies. If necessary, it makes recommendations for resolutions to the Supervisory Board.
NORMA Group’s risk-based compliance management system aims to systematically and permanently prevent, detect and sanction violations of rules within the company. NORMA Group’s compliance organization, which is entrusted with the system by the Management Board, takes a variety of preventive measures to prevent violations of laws and other rules. Nevertheless, if there is evidence of violations, these matters are investigated promptly and thoroughly and the necessary consequences are taken. Findings from investigated cases are used to initiate measures that reduce the risk of future violations in similar situations. Specific steps are regularly set out, implemented and tracked in a compliance action plan. If violations of compliance rules are discovered or weaknesses in the organization are identified, the management initiates the necessary and appropriate measures in consultation with the compliance organization in a timely manner. Depending on the specific individual case, these measures range from targeted training measures and changes to organizational processes through to disciplinary measures, including the termination of employment contracts.
Group-wide compliance activities are managed by the Chief Compliance Officer of NORMA Group SE, who reports to the Executive Vice President Group Legal and Compliance & Integrity and, if necessary, directly to the CEO. The Group-wide compliance organization consists of the Compliance & Integrity department at NORMA Group SE level and the Compliance Delegates at the level of the regions and the local individual companies of NORMA Group. The three regional Compliance Delegates in the EMEA, Americas and APAC regions report on their compliance activities to the Compliance & Integrity department. The local Compliance Delegates of the operating Group companies in turn report to the responsible regional Compliance Delegate.
In the 2025 fiscal year, a committee was formalized with the establishment of the “Compliance Committee,” in which current compliance issues are discussed and necessary measures are coordinated. Permanent members of the Compliance Committee are representatives of the Compliance & Integrity, Legal, and Internal Audit & Risk Management departments of NORMA Group SE. As a rule, the Compliance Committee meets at least quarterly and, if necessary, outside of regular meetings. The compliance organization conducts risk analyses together with the relevant units, functions and specialist departments, on the basis of which the compliance organization identifies the need for action and initiates appropriate measures.
Regular employee training sessions are held on selected risk areas and current topics or developments relevant to NORMA Group. As a basis for these specific focus topics, employees worldwide receive training on the basic rules of conduct of the Code of Conduct and the key content of the compliance guidelines. Participation in these training courses is documented and monitored. The basic training courses, which must be completed by all NORMA Group employees with a PC workstation, include the online training courses “Code of conduct and compliance basics” and “Anti-corruption”. Depending on their job profile, employees must also take part in specific training courses (including “Antitrust and competition law”). As a regular refresher, all employees with a PC workstation must complete the “Data protection” integrity training course every year. Relevant employees are also assigned the “Information security basics” training course for regular repetition on an annual basis. Further refresher training courses are offered as required. Non-commercial employees, especially those in the production area who typically do not have a PC workstation, are provided with clear information on key compliance topics using compliance safety cards or posters in the relevant languages. The compliance organization also offers classroom training on an ad-hoc and needs-oriented basis. Employees also receive important, up-to-date compliance information via various information channels, such as brochures, notices, the intranet and emails. Training indicators are reported in the CR report.
NORMA Group’s Code of Conduct and the compliance guidelines are an important instrument for communicating the Group’s understanding of compliance to its employees and highlighting ethical and legal obligations. All compliance documents undergo regular review and are updated as needed to reflect new legal or social requirements, ensuring they remain current at all times.
The compliance guidelines also include requirements in the area of human rights (including forced and child labor, freedom of association and anti-discrimination). A separate code of conduct (“Supplier Code of Conduct”) applies to suppliers. The Supplier Code of Conduct is intended to help ensure that laws and ethical rules are also observed within NORMA Group’s supply chain. The compliance guidelines are reviewed and updated regularly to assess the need for changes. With the founding of the Human Rights Committee as a sub-committee of the Compliance Committee, a format was established in the 2024 fiscal year in which potential violations of human rights are discussed and evaluated. The Human Rights Committee’s permanent members include representatives from HR and Corporate Responsibility alongside members of the Compliance Committee. The Human Rights Committee usually meets every six months and also outside of regular meetings if required.
NORMA Group encourages its employees to report violations of regulations and internal policies – including across hierarchical levels if necessary. Employees have various reporting channels at their disposal for this purpose, including an electronic whistleblower system. This whistleblower system allows internal and external whistleblowers to report suspicious cases to NORMA Group’s compliance organization and, if necessary, to maintain their anonymity. In addition to its central internal whistleblowing channel, which may be accessed electronically or in person, NORMA Group offers supplementary or alternative reporting channels at all locations where required by local laws. In addition, employees are free to contact any member of NORMA Group’s compliance organization at any time with any questions or issues related to compliance.
Both the suitability and the appropriateness of the reporting system are regularly reviewed – for example with regard to the requirements of “Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019 on the protection of persons who report breaches of Union law” (“Whistleblower Protection Directive”) and the corresponding implementing laws of the member states. The system is adapted if necessary. NORMA Group is closely monitoring further developments in the transposition of EU directives into national law by the individual EU member states in which NORMA Group also operates reporting channels, as these national laws in some cases contradict the EU Directive. Necessary adjustments are made if required.
The members of the compliance organization investigate all indications of alleged compliance violations. If violations of compliance rules are discovered or weaknesses in the organization are identified, the responsible management team, in coordination with the compliance organization, promptly initiates the necessary and appropriate measures. Depending on the specific individual case, these measures range from targeted training measures and changes to organizational processes through to disciplinary measures, including the termination of employment contracts.
These contents are part of the Non-financial Group Report and were subject to a separate limited assurance examination.