Key corporate governance principles and practices
thyssenkrupp Code of Conduct
While the group mission statement describes our goals and standards, the concrete principles and ground rules for our work and our behavior towards business partners and the public are summarized in the thyssenkrupp Code of Conduct. We are convinced that responsibility, respect and compliance with laws and regulations are the foundation of all collaboration. We set ourselves the highest standards – something our business partners worldwide can rely on. In turn, we expect our business partners to act in the same way. Our Code of Conduct provides guidance to all employees of our company. It applies worldwide at all our sites, serving as the basis for the following topics in particular: compliance with the law; avoiding conflicts of interest; ban on corruption and bribery; fair competition; anti-money laundering; trade compliance; equal treatment and non-discrimination; human and workers’ rights; cooperation with employee representatives; occupational health and safety; sustainable environmental and climate protection; donations; political lobbying; public appearances and communication; reporting; confidential company information / insider information; data protection and information security; and protection of company property.
In addition, thyssenkrupp has signed the United Nations Global Compact, the BME Code of Conduct and the Diversity Charter.
We implement all these principles with the aid of the existing programs and management systems and the non-financial targets. thyssenkrupp also pursues a strategy of sustainable and responsible business in the individual operating segments. Detailed information on our sustainability agenda can be found in the sustainability report, which is integrated in this annual report, and on our website.
Integrated governance, risk and compliance model
Dealing responsibly with risks is part of corporate governance at thyssenkrupp, because the continuous and systematic management of business risks – but also opportunities – is fundamental to professional governance. An integrated governance, risk management and compliance (GRC) model, embedded in the GRC Policy that applies to all companies of the thyssenkrupp group, provides the basis for risk management in the group.
The organizational framework for the integrated GRC model at thyssenkrupp is the three lines model. It shows which line within the group is responsible for risk management in the broadest sense, and it helps to identify the organizations, structures and processes that facilitate strong governance and strong risk management.
The first line concerns activities (including risk management) and the use of resources, taking into consideration external and internal regulations. The aim is to avoid or identify and mitigate risks where they may arise, i.e., at the operational level within the businesses. To this end, the local risk and control officers apply specific risk management and compliance measures and implement the requirements of the internal control system. All employees in the first line are required to take an independent and risk-aware approach within their area of responsibility, in compliance with the law and binding internal regulations issued by thyssenkrupp to ensure that risks are managed appropriately. The management of the segments maintains a constant dialog with the Executive Board of thyssenkrupp AG on planned, actual and expected outcomes related to the targets of the organization and on risks.
The second line structures governance for the thyssenkrupp group and defines corresponding minimum requirements for systems and processes for use by the first line. It sets the framework for collaboration within the thyssenkrupp group and defines groupwide requirements for the structure of the internal control system, the risk management system and compliance, for example, in the form of binding internal regulations. The specific features of governance are risk-oriented and decided at the discretion of the Executive Board. Management responsibility for achieving the organizational objectives covers the design of both first- and second-line roles.
Close integration of the internal control system, risk management system and compliance aims to maximize the efficiency of risk prevention and management.
Key features of our risk management and control system are described in the “Opportunity and risk report.”
Compliance, in the sense of all groupwide measures to ensure adherence to statutory requirements and binding internal regulations, is a key management and oversight duty at thyssenkrupp. In this context special responsibility is assumed by our executives, who have entrepreneurial responsibility for compliance. The Executive Board’s resolution on entrepreneurial compliance responsibility (most recently updated on May 23, 2025) states in particular that all executives at thyssenkrupp have a duty and a responsibility to ensure compliance with the law and internal regulations in their sphere of responsibility and to work to ensure compliance (obligation to set an example, compliance as a key leadership task). Any identified breaches of laws or binding internal regulations, especially those related to our core compliance areas – antitrust law, corruption prevention, data compliance, anti-money laundering and trade compliance – are halted immediately. To prevent any recurrence in the future, suitable risk-mitigation remedies are implemented without delay. In the event of proven violations, our “zero tolerance” policy applies: where necessary sanctions are systematically imposed on those concerned. At the same time the Compliance Commitment expresses our positive compliance mindset: we stick to the rules out of conviction.
The Group General Counsel, who is also the Chief Compliance Officer, is responsible for the compliance program and reports directly to the CEO of thyssenkrupp AG.
More information on compliance at thyssenkrupp can be found in the “Compliance” section of the combined management report and in the section headed “ESRS G1: Business conduct” in the sustainability report.
As the third line, Corporate Internal Auditing conducts independent audits to monitor the correctness, reliability, appropriateness and efficacy of the processes implemented, the internal controls and the risk management. It supports executive management in the performance of its oversight function and reports directly and independently to the Executive Board of thyssenkrupp AG and, where necessary, to the Supervisory Board. The independence of Internal Auditing ensures that this function can plan and perform its work without hindrance and prejudice and has unrestricted access to the necessary persons, resources and information. The head of the Corporate Function Internal Auditing reports on the auditing function to the Audit Committee twice a year or as needed. Internal Auditing itself is subject to an external quality assessment every five years; the last quality assessment was successfully completed in the fourth quarter of fiscal year 2024 / 2025.
In the area of accounting, the three lines model is supplemented by the work of the external financial statement auditors.
Through the integrated governance, risk and compliance approach, the Executive Board has devised and implemented a framework for the management of thyssenkrupp that provides an appropriate and effective internal control and risk management system. The measures implemented within this framework are also geared to the appropriateness and effectiveness of the internal control and risk management system and are outlined in more detail in the opportunity and risk report. For example, the three lines model and the statutory framework are anchored in the risk management system through independent oversight and audits, in particular the audits conducted by Internal Auditing, its reports to the Executive Board and the Audit Committee of the Supervisory Board, and other external audits. In the course of continuously developing the control and risk management system, existing potential for improvement is addressed and implemented, and new potential for improvement is identified and addressed.1)
From its examination of the internal control and risk management system and the reports by Internal Auditing, the Executive Board is not aware of any circumstances that, taken together, undermine the appropriateness and efficacy of these systems.1)
1) The disclosures in this paragraph are outside the scope of the audit of the management report as explained in the preliminary remarks to this management report.