Business ethics and human rights

As a global enterprise with a 140-year history, Vossloh has a social responsibility toward its customers, employees, partners, investors and the public. From this responsibility, Vossloh derives the requirement that the company and its employees adhere to the laws as applicable, respect basic ethical values and act in an exemplary fashion at all times and in all scenarios. This requirement is set out in writing in the Vossloh Code of Conduct. The Code of Conduct - which all employees receive and sign when they join the company - is designed to help them living up to this responsibility.

The prevention of violations of the law of all kinds, in particular corruption according to the United Nations Convention against Corruption and anti-competitive behavior in accordance with the antitrust regulations of the European Union and the United States in particular, is a central concern of Vossloh’s Executive Board for the entire Group. The Executive Board has summarized this unequivocally in its Compliance Commitment, which states, among other things: “Compliance with the law has absolute priority over closing a deal or achieving internal targets. We would rather forgo a business opportunity than violate the law. We will not tolerate any violation of the law or of our internal guidelines and policies and will sanction any such behavior (zero tolerance policy).” (see www.vossloh.com > “Investor Relations” > “Corporate Governance” > “ Compliance ”). The area of Compliance is overseen within the Executive Board by the Chief Executive Officer (CEO).

To implement and monitor compliance regulations, the Executive Board has set up a Compliance Organization. Its structure, the responsibilities and tasks of the individual compliance functions as well as the reporting channels are set forth in the “Rules of Procedure of the Compliance Organization”. The Vossloh Compliance Organization consists of the Chief Compliance Officer (supported by a Compliance Office), who has been appointed for an indefinite period of time to strengthen its independence, and the Group Compliance Committee at the level of Vossloh AG, Compliance Officers and Compliance Committees in the Business Units as well as Local Compliance Officers (LCO) in the operating companies.

Vossloh’s Compliance Management System is designed to identify risks arising from compliance violations and to minimize these risks through appropriate measures, in order to prevent damage to Vossloh and its employees. Any indication of misconduct is investigated immediately, independently and objectively by the Compliance Organization. The prevention of corruption and strict compliance with competition law regulations are a particular focus.

Since 2007, Vossloh‘s Compliance Management System has been based on the Vossloh Code of Conduct, which specifies the value of integrity and is binding for the entire Group and all company employees. It is currently available in 15 languages. There are also guidelines on the prevention of corruption, conduct in compliance with antitrust law and the involvement of intermediaries, as well as a data protection guideline, an export control guideline and an insider guideline. In addition to the Code of Conduct, when joining the company each individual in an employment relationship also receives the Guideline on the Prevention of Corruption and the Guideline on Compliance with Antitrust Law, which are acknowledged by signature. Compliance as part of business activities constitutes part of regular classroom trainings held at all Vossloh companies. The training requirements and participants — including those from the high-risk areas of Sales and Purchasing — are determined and defined by the Compliance Officers of the Business Units and the Local Compliance Officers on the basis of the Vossloh Compliance Training Concept. The Compliance Office headed by the Chief Compliance Officer keeps a record of the classroom training sessions held. In 2024, Vossloh conducted compliance trainings around the world with a total number of 804 participants (2023: 653 participants).

Compliance training is also given in the form of eLearning, which was revised from scratch in 2021. The “Code of Conduct – Compliance Basics” module is aimed for all employees who work at a computer workstation. In addition, there are two training modules focusing on competition law and corruption prevention for all managers and employees with external contact, particularly those from the high-risk areas of Sales and Purchasing. Around 50 % of all participants in the basic training module completed these focus modules. The refresher training module on corruption prevention, competition law and foreign trade law is aimed for the same target group. All new employees are gradually taken through the eLearning program. The Local Compliance Officers systematically record the employees’ attendance and send them reminders to attend, if required. The Group wide training rate was 96.8 % as of December 31, 2024 (2023: 97.1 %).

Compliance audits are performed — usually with the assistance of external audit firms — in order to verify that the Compliance Management System rules are being adhered to within the individual operating units. These audits are carried out incident-related and incident-unrelated. In 2024, three incident-unrelated and four incident-related compliance audits were executed. Compliance issues are also audited as part of the internal audit process. Additionally, the company has its Compliance Management System regularly reviewed by external experts and receives recommendations for further development and improvement. The last comprehensive effectiveness review took place in 2017; the audit report is published on the website www.vossloh.com > “Investor Relations“ > “Corporate Governance“ > “Compliance“. Where findings and recommendations for compliance work were made, they have been and will be implemented as part of the continuous development and improvement of the Compliance Management System. A review of compliance risks carried out with external support in the financial year 2023, including a survey on the effectiveness and acceptance of the Compliance Management System with 128 representatively selected managers and employees, primarily from management, sales and purchasing, once again confirmed the previous risk assessment and the high effectiveness and acceptance of the Compliance Management System.

In the financial year2024, the Executive Board decided to subject the Compliance Management System by another external review — in relation to the subsections of antitrust law and anti-corruption — in accordance with IDW PS 980 (2022) and once again commissioned KPMG AG Wirtschaftsprüfungsgesellschaft for this purpose. This audit was started in 2024 with the Readiness Check and will be completed in 2025 with the Adequacy and Effectiveness Audit.

The Compliance Office and Corporate Controlling conducted annual risk dialogs with selected Vossloh Group companies to review the effectiveness of the Compliance Management System with a view to identifying material risks. In 2024, two risk dialogs took place (2023: one dialog). At the end of 2024, the Group Compliance Committee decided to discontinue these risk dialogs in future, but to replace their content with a software-based risk survey of all Group companies. This query was initiated for the first time at the end of 2024.

Vossloh has taken special precautions to ensure compliance with foreign trade regulations, notably export control and embargo legislation. Beyond the obvious need to comply with applicable legal provisions, an export control policy for the entire Group which is based on applicable law creates a binding framework for the entire Vossloh Group and all its employees to ensure compliance with the respective legal requirements. The framework requirements of this policy are supplemented by more extensive regulations in the form of work and organizational instructions or process descriptions. Each operational unit appoints an Export Officer and a Trade Compliance Officer (TCO). In cooperation with the respective HR departments, the TCOs develop training concepts and ensure that all employees working in areas relevant to foreign trade receive the appropriate training. Vossloh’s central compliance eLearning tool also includes the module “Foreign trade law”.

The Vossloh Group also expects its suppliers and service providers to act and behave in a way that complies with the law. This is verified and controlled in specific cases as well as on an ad hoc basis. The Group-wide “Guideline on the Engagement of Intermediaries” applies to business dealings with commercial agents, agencies, distributors and consultants in the sales area. Its aim is to prevent the risk of unfair practices by commissioned third parties and to minimize the risks for the company and its employees.

Vossloh has maintained a Group-wide register of associations as part of its Compliance Management System, in which all company and private memberships in industry associations are recorded. Vossloh AG’s primary association memberships are as follows:

• Verband der Bahnindustrie in Deutschland e.V. (German railway industry association, VDB)
• Association of the European Rail Industry (UNIFE)
• Deutsches Verkehrsforum (German transport forum, DVF)
• Institut für Bahntechnik GmbH (German institute for railway technology, IfB)
• Allianz pro Schiene e.V. (German railways association)
• Verband Deutscher Verkehrsunternehmen e.V. (association of German transport companies, VDV)

Vossloh does not make any donations to political parties or similar institutions.

The Vossloh Group endeavors to respect internationally recognized human rights in its business activities and has codified this in the Vossloh Code of Conduct under point 10 (“Protection of human and employee rights“), which is binding for all employees. The Code of Conduct is publicly available on the website www.vossloh.com > “Investor Relations“ > “Corporate Governance“ > “ Compliance “.

To minimize the risk of child labor, Vossloh, as a rule, does not employ anyone under the age of 14 or 15 (depending on the legal provisions in the different countries). In addition, the majority of Vossloh’s production facilities are located in Europe. Employees under the age of 18 are usually apprentices. The instructors responsible for them are duty-bound to observe all the relevant labor law and occupational safety rules and provisions. A whistleblower hotline is available for possible misconduct to be reported. No human rights violations were reported in the fiscal year 2024 (2023: also no reports).

More recent major partnership contracts, such as joint venture agreements, generally include the Vossloh Code of Conduct and, therefore, also its human rights aspects as mandatory conduct rules. The same applies to contracts with intermediaries (e.g. commercial agents and distributors). Strategic suppliers are required to recognize the Vossloh Code of Conduct for Business Partners, which has been available in revised form since 2023 and includes significant obligations to protect human and employee rights.

The various Vossloh companies audit their suppliers and intermediaries with intensive preliminary checks before concluding a contract with them. So far, the company has not had a reason to check compliance with human rights. This result was confirmed in 2022 in a risk assessment of the supplier portfolio in 15 Vossloh companies supervised by an independent auditing firm.

Adherence to local laws and standards (for example, minimum wage or fundamental labor law conditions) is an integral part of Vossloh’s compliance obligations. The European Works Council, the Group Works Council, the Executive Board and Corporate Human Resources regularly communicate at Vossloh to guarantee the flow of information, discuss the scope for improvements, address new issues together and tackle these in projects.

The protection of personal data is a matter of importance to Vossloh. The company revised its data protection management system to comply with the European General Data Protection Regulation (GDPR) and adjusted the organization in accordance with the new legal requirements. It is binding for all Vossloh companies and all staff worldwide, even outside the European Union. Compliance with the Vossloh Data Protection Policy is monitored by appointed data protection officers and data protection coordinators, as well as a data protection committee at the Vossloh AG level that meets regularly.

Vossloh has set up a whistleblower hotline together with an international law firm. In addition to the option of contacting the Compliance Office, this allows company employees and external whistleblowers to report possible misconduct to an independent external contact (ombudsperson) in their native language. So far, the whistleblower hotline has been set up for 24 countries. As such, the main regions and the languages spoken within the Vossloh Group are essentially covered. The Process for Recording, Processing and Documenting Whistleblower Notifications was adopted by the Executive Board of Vossloh AG on February 23, 2022 as a further development of the Compliance Management System and is a binding component of the Compliance Management System. The contact details of the independent ombudspersons appointed by Vossloh are provided to all employees together with the Code of Conduct and can be found on the Vossloh intranet and on the Company’s homepage. In addition, the Code of Conduct contains a description and application notes on the whistleblowing process.

In 2024, the ombudspersons were contacted twice (2023: once); a further two whistleblower reports were submitted via internal whistleblower channels (2023: two, not disclosed in 2023). All resulting investigations into possible compliance violations were completed. None of the notifications investigated involved a confirmed allegation of bribery or corruption or a violation of relevant laws that would have resulted in fines or individual penalties.

The Compliance Organization ensures that the internal whistleblowers were protected from measures under employment law during the ongoing investigation in accordance with the provisions of the EU Whistleblower Directive.