F Secure

In this Sustainability Statement, 'supervisory bodies' refer to the F-Secure Board of Directors and its Audit Committee and Personal and Nomination Committee. 'Management body' is to be understood as the F-Secure Leadership Team including the CEO and the leadership team members. The Board of Directors oversees the administration of the company and appoints the CEO, who oversees the daily administration of the company in accordance with the instructions and orders given by the Board.

The highest decision-making body in F-Secure is the General Meeting of Shareholders, which elects the members of the Board of Directors. The Board of Directors is responsible for the administration of F-Secure Group and appropriate organization of its operations. The duties and responsibilities of the Board of Directors of F-Secure are, inter alia, defined according to the Articles of Association of F-Secure, the Finnish Companies Act and other applicable laws and regulations. As such, the Board oversees F-Secure's business conduct and compliance, and approves the most significant governance-related policies, such as the Anti-Bribery and Corruption Policy.

The Board of Directors appoints the CEO. The CEO, assisted by the Leadership Team, is responsible for managing the company's business and implementing its strategic and operational targets. Both the CEO and the Leadership Team also play a significant role in ensuring that employees comply with the relevant policies and procedures, including those related to business conduct.

To enhance the efficiency of its work, the Board of Directors has established an Audit Committee and a Personnel and Nomination Committee. The Audit Committee functions as a preparatory body, and the matters it addresses are brought to be decided on by the Board of Directors. The Audit Committee monitors and evaluates risk management, internal controls, IT strategy and practices, sustainability, and financial reporting, as well as auditing. The majority of members of the Audit Committee shall be independent of the company and at least one member shall be independent of the company's significant shareholders. Additionally, any substantiated investigations of incidents related to corruption or bribery are reported to the Audit Committee for evaluation. The Personnel and Nomination Committee prepares material and instructs on issues related to the composition and compensation of the Board of Directors and remuneration of the other members of the top management of the company. The Committee prepares proposals for shareholders related to the Board composition and remuneration. The duties of the Personnel and Nomination Committee include actively seeking and identifying new individuals qualified to become members of the Board.

The Board of Directors and the Leadership Team are supported by the Legal Team that maintains the business conduct-related policies and procedures, as well as offers internal training on such issues.

Expertise related to business conduct matters

The Board members have international experience in different roles in global companies operating in different businesses and geographical market areas. Additionally, the company ensures that all members of the Board of Directors have access to sufficient information about F-Secure's business operations, operating environment, and financial position, and that new members are properly introduced to the operations of F-Secure.

Members of the Audit Committee must have broad business knowledge, as well as sufficient expertise and experience concerning the committee's area of responsibility and the mandatory tasks relating to auditing, including risk management related to business conduct issues. The Audit Committee invites experts to its meetings when necessary for the issues to be discussed. External auditors are permanent invitees to the meetings of the Audit Committee.

When seeking and identifying new individuals qualified to become members of the Board, the Personnel and Nomination Committee takes into account the expertise on business conduct matters of such individuals to ensure that all Board members have sufficient experience and knowledge of business conduct matters.

The Leadership Team members are chosen based on their expertise and experience suitable to their respective roles. The Leadership Team members also supervise the implementation of business conduct-related policies and procedures in their respective business functions.

The number of executive and non-executive members

As of 31 December 2024, F-Secure had 9 executive members in its management body and 6 non-executive members in its supervisory body (Board of Directors), while noting that the latter figure used in this statement also includes F-Secure employee Board member.

Representation of employees and other workers

One member of the Board of Directors is elected from among F-Secure personnel. An election is arranged annually for F-Secure personnel and each permanent employee is eligible to stand as a candidate. The representatives of the Board of Directors interview three to four persons who have obtained the highest number of votes in the elections and choose a candidate from amongst them to be proposed for election as a member of the Board by the Annual General Meeting. The term of office of members of the Board of Directors ends at the close of the Annual General Meeting of shareholders following their election.

Experience relevant to the sectors, products and geographic locations of the company

F-Secure's Board members have international experience and diverse backgrounds from international companies in business sectors and geographical markets (including Europe, North America, APAC and Japan) relevant to F-Secure:

• Pertti Ervi is a seasoned international IT-business leader and Board professional with over 30 years of experience. As Co-President of Computer 2000 AG, Europe's largest IT distributor, he managed global operations across 38 countries. Pertti has extensive Board experience with publicly listed companies like F-Secure, Comptel, Teleste and Efecte, and has worked closely with tens of growth companies, providing expertise in strategy, internationalization, and corporate development. He co-founded Mintly Oy and has successfully led numerous high-value exits. A Finnish citizen living in France, Ervi holds a B.Sc. in Electronics and has completed advanced business studies at INSEAD and Hanken.

• Risto Siilasmaa is the founder of F-Secure and WithSecure Corporations and the Chair of the Board of Directors of WithSecure having served as President and CEO of the company in 1988-2006. He is also an active venture capital investor with over 30 active investments via First Fellow Partners, a fund management company where he is both a general partner and the only limited partner. Previously Risto was the Chair of the Board of Directors of Nokia Corporation in 2012-2020 and of Elisa Corporation in 2008-2012. Risto is the Chair of the Board of Upright and a Board member of F-Secure, Futurice, Pixieray, Quanscient, Hamina Wireless and CybExer Technologies. Since 2019 Risto has been a member of the International Advisory Board at IESE Business School, University of Navarra.

• Thomas Jul is a seasoned Danish executive with over 30 years of global leadership in high-tech, telecom, and fintech sectors. With a history of driving growth and transformation, he held prominent roles at Ericsson and Nokia, including President & CEO of Ericsson Indonesia and West Europe Region Head at Nokia. As co-founder of MATTA Group and former CEO of payments scale-up Inpay, Thomas continues to excel in leading innovative organizations. Currently, he serves as Group CEO of Danish IT leader KMD. Thomas holds an M.Sc. in Software Engineering and has completed advanced business programs at Henley, Wharton, Columbia, Harvard, and London Business Schools.

• Petra Teräsaho is a senior finance executive and Board professional with wide international experience from various industries: forest, telecom, mining, IT, automotive/electric batteries & consumer goods. In addition to finance, Petra has held leadership positions in marketing, strategy and business development. Besides Finland, Petra has worked and lived in India, Belgium, France and Sweden. Her current main occupation is CFO of Transmeri Group. Her earlier employers are UPM, Nokia, Outotec, Stora Enso, Enfo Group and Valmet Automotive. Petra is Board member and Audit committee chair in F-Secure and Paulig Group. She is a Finnish citizen and holds a Masters Degree in Accounting & Finance.

• Tommi Uitto has worked in Nokia's network equipment business for thirty years, from 2G/GSM to 5G/NR and early research of 6G. He is currently leading Nokia's Mobile Networks Business Group, the largest of Nokia's four businesses, and is a member of Nokia Group Leadership Team. He also serves in the Board of Directors and Working Committee of the Board of Technology Industries of Finland (TIF). At Nokia, he has held various executive and managerial positions across several functions from business unit management to sales and region management, from product management to product development, and from production planning to quality management. Before Nokia, he worked in forestry equipment manufacturing. Besides Finland, he has lived in France and the United States.

• With extensive experience in quality assurance, software development management, and portfolio governance, Katja Kuusikumpu is a respected leader in the IT industry. As the Director of Portfolio Governance & Operations at F-Secure, she oversees strategic product initiatives and drives the company's portfolio transformation. She is also currently a Member of the Board of Directors at F-Secure, contributing to the company's strategic direction. Previously, Katja has held several R&D leadership roles at F-Secure and in other Finnish and international companies. Katja is a Finnish citizen and holds a Master of Science degree from Aalto University.

Percentage by gender and other aspects of diversity

According to Diversity Principles established by the Board of Directors, an optimal mix of diverse backgrounds, expertise and experience strengthens the Board's performance and promotes the creation of long-term shareholder value.

The Diversity Principles of the Board of Directors strives towards appropriately balanced gender distribution. At the Annual General Meeting in 2024 six members representing two different nationalities were elected to the Board. The age structure of the Board members is 47–67 years. Two Board members are female and four are male, giving a ratio of 2:4 (female/male) and thus females represent 33.3% and males 66.7% of all members of the Board.

Percentage of independent board members

The majority of the 2024 Board members are independent from the company and from its major shareholders. Two Board members are considered not independent on grounds of share ownership or working for the company meaning ~67% are independent.

The F-Secure Board has ESG on the agenda at minimum once a year, while during 2024 the F-Secure Audit Committee had ESG on the agenda in 4 out of 5 meetings. Updates on ESG topics to the Board, the F-Secure Leadership team, and the Audit Committee have been presented by the SVP of Corporate Development responsible for creating and implementing F-Secure ESG plans, policies and targets and report on their progress as well as implementation of due diligence, based on input from the ESG Council and its members.

The F-Secure ESG Council typically meets monthly including the CFO, CPO, Legal Counsel, SVP of Corporate Development, and the ESG function lead reporting to the SVP of Corporate Development. In addition, the ESG Council includes participants from other functions for further collaboration like sales and product management while the ESG Committee leads provide updates on progress, when topical. Moving to 2025, Committees will also participate in the bi-annual assessment of the DMA/IROs and will track the effectiveness of actions and metrics related to them.

Consideration of IROs when overseeing company strategy and risk management

Sustainability-related risks and adverse impacts are managed as part of F-Secure's risk management process. In short, the primary goal of F-Secure's risk management policy is to enable the organization to identify and manage risks more effectively. The risk management process monitors the potential negative impact and likelihood of various situations arising from the company's operations, its markets, its customers, or its partners.

F-Secure encourages continuous risk assessment by the company's personnel. The relevant operational risks identified through the risk management process are regularly reviewed by each function, including the twice-a-year review with the President and CEO, the Leadership Team, and the Audit Committee. Positive impacts and opportunities, on the other hand, are embedded into the strategy process and considered when reviewing F-Secure's operating plans and related objectives, developing plans and allocating resources to execute said plans.

Evaluating trade-offs related to IROs is an important part of the strategy process, as it involves making decisions about where to allocate resources and prioritize initiatives. This involves weighing the costs and benefits of different options and making choices that align with the organization's overall goals and stakeholder expectations. This ensures that trade-offs are considered relative to the company objectives, while weighing the potential risks and opportunities associated with different options.

Furthermore, during 2024, updates on the DMA including IROs have been presented to the ESG Council and Audit Committee. These impacts, risks and opportunities include topics listed below and are addressed by the administrative, management and supervisory bodies described earlier:

• Protecting consumers' digital moments • Attracting, developing, and retaining talent • Company working conditions and employee well-being • Critical strategic competencies and DEI (equal treatment and opportunities for all) • Privacy and security related to, e.g., how we use and protect consumer or partner data • Cyber security threats related to end-customers, partners, and our operations • Business-conduct topics including anti-bribery, anti-corruption and whistleblowing channels • Development and launching of a new company culture • Climate change mitigation risks, roadmap and strategy

The F-Secure Leadership Team is eligible for the non-sales Short-Term Incentive (STI) Plan. The purpose of the STI Plan is to reward participants for achieving the financial and operational objectives of the Company, to focus on execution of the business plan, and to foster a performance culture.

The Leadership Team is also eligible for the share-based long-term incentives (LTI) to align the interests of the shareholders and the Leadership Team. Part of our administrative and supervisory bodies' renumeration is tied to LTIs similar to the Leadership Team.

Role of sustainability-related targets in incentive schemes

The goals of F-Secure's 2024 non-sales STI Plan included the Company Business Results (combined growth % and profitability %) and the Company Employee Engagement (eNPS). These STI elements are tightly connected to our material sustainability drivers as growth is a proxy number for the number of consumers that we protect globally ("building trust in digitality and society"), while eNPS represents the importance of our employee well-being and satisfaction.

The non-sales STI Plan is included in the remuneration policy, and the goals of the non-sales STI Plan as described here are approved by the Board annually. Similarly, performance against the targets is reviewed regularly while any pay-outs take place annually.

Share-based LTI programs can be based on long-term financial and/or strategic performance or on the company's share value increase. In performance-based LTI programs, the criteria for the performance period are based on strategic financial targets.

STI or LTI plans do not contain any climate-related targets.

Proportion of variable remuneration dependent on sustainability-related targets and approvals

The non-sales STI consists of the Business Results (combined growth % and profitability %) with 60-80% weight, a function-specific target with 0-20% weight that may link to sustainability related targets and the Company Employee Engagement (eNPS) goal with 20% weight. The Long-Term Incentive criteria for the performance period are based on strategic financial targets.

The annual non-Sales STI design and the company-level targets are approved by the Board of Directors based on a proposal made by the Leadership Team. For the LTI programs, the Board of Directors decides on the terms and conditions for the plans and the possible performance criteria and objectives for each performance/vesting period.

As part of F-Secure due diligence we identify, mitigate, and account for how we have addressed actual and potential negative impacts connected to our business, our operations and value chain, our offering and business partners. Due Diligence is an ongoing practice that responds to and may trigger changes in our ESG governance, strategy, business model, activities and processes, business partners, operations, or sourcing. For further details, also see chapter on ESG governance and the role of administrative, management and supervisory bodies and the section on Governance.

Engagement with stakeholders

Through mapping all relevant stakeholders and conducting regular stakeholder engagement, F-Secure ensures an effective corporate sustainability due diligence process. The mapping includes employees, customers, suppliers, investors, and government bodies. We will review the stakeholder map when significant changes in the business model and strategy occur or if new impacts are identified as part of our IRO reviews and as described further under IRO-1 section.

On adverse impacts

Addressing and taking action on adverse impacts is conducted in alignment with F-Secure's risk management policy, where risks have an owner to drive mitigation activities. F-Secure uses risk modeling and quantification methods to identify and manage risks effectively. Risks are mitigated and proactively monitored, also building strategic resilience in the Company and its business operations where applicable. F-Secure has not identified any adverse impacts as described under the "F-Secure impacts on people and the environment" section.

Risk management is an integrated part of F-Secure's governance and management, and the risk management process is aligned with the ISO-31000:2018 guidelines. Each function is responsible for tracking the effectiveness of the mitigation activities and aligning with relevant internal or external stakeholders. The Leadership Team and Audit Committee review the risks bi-annually, while the Audit Committee regularly evaluates the effectiveness of the risk management process (internal controls).

Control over sustainability matters is organized and formalized through policies, procedures, and processes, as described in this sustainability statement. ESG-related policies and procedures are proposed and developed by the ESG Council or relevant functions and approved by the CEO, the Board or a member of management depending on the policy. The Audit Committee reviews the policies presented to the Board and the Code of Conduct is approved by the Board.

F-Secure has internal control operating procedures in place which apply to the entire company. Principles and recommendations introduced in the Finnish Corporate Governance Code for listed companies are reflected in our Internal Control Framework. Based on risk assessment the key processes are identified. For the identified processes key risks and related internal control points have been defined and documented in internal control matrices. ESG has been identified as one of the key processes and we've developed internal controls for material ESG topics. Internal Control definition as adopted by F-Secure consists of e.g. policies, procedures, control activities, and monitoring, executed by F-Secure's Board of Directors supported by the Audit Committee, the CEO, F-Secure's Leadership Team and other operative management, and all F-Secure employees, designed to provide assurance regarding the achievement of F-Secure's objectives.

Main risks, mitigation plans and controls

F-Secure has analyzed the risks for each material topic including sub and sub-sub-[text appears cut off]

Strategy, business model and value chain

Product and services offering

F-Secure offers holistic, engaging and easy-to-use cyber security products and services to consumers to protect their digital moments. This includes:

Security Suite offering (F-Secure Total): An all-in-one app, including end-point security, scam protection, privacy protection, password management, and identity protection. Notable new protection capabilities launched during 2024 focused especially on protecting consumers against various scams.

Embedded Security capabilities: Software development kits, application programming interfaces and browser plug-ins that protect consumers' digital moments typically by embedding cyber security capabilities into partners' apps, devices and services that consumers already have and know how to use, without the need to install a separate security application. Embedded Security solutions can also be used to create entirely new, custom security applications to meet the requirements of service providers looking to create a unique security experience of their own.

Customer Engagement Services: F-Secure offers Service Provider partners a wide range of Customer Engagement Services to support their go-to-market activities such as Marketing & Sales Enablement, and Lifecycle Messaging Services. Combined with our cloud-based Security Business Platform that provides self-service capabilities for partners' app developers, sales & marketing, and customer care teams we can deliver successful business outcomes with security services to our partners.

Markets and customer groups served

F-Secure's end-customers are consumers, who are worried about their online security, looking for a holistic, easy-to-use security solution that addresses today's threat landscape and thereby a sense of security. We serve all consumers directly and indirectly via a global network of 200+ Service Provider partners including communication service providers, retailers, banks, and insurance companies.

F-Secure is a partner-first company, with 2024 revenue split: 81% through partners and 19% directly.

Revenue by geography (2024):

The ESRS sector to which F-Secure belongs is Technology - Software & IT Services. F-Secure's revenue 2024 is 146.3 M€. Our operations and profitability are reported as a single operating segment, which is consistent with internal reporting and the way that operative decisions and assessment of performance are made by F-Secure's Leadership Team.

Headcount by geography

F-Secure employed around 530 people in 2024.

Headcount per country:

Revenue by significant sustainability matter

No specific breakdown of total revenue by significant ESRS sustainability matter is provided. However, protecting consumers' digital moments (a material sustainability impact) is core to all revenue generation.

Sustainability-related goals embedded in the business model

F-Secure believes that understanding human behavior first is fundamental to effective security, which is why delivering experiences is the cornerstone of innovation. Solutions are designed for all consumers across age groups on their terms: an individually personalized and contextually relevant trusted companion protecting consumers in moments when it really matters.

F-Secure has moved away from providing point solutions like separate End-Point Protection or VPN apps and now offers an all-in-one consumer security application or embeds protection capabilities as part of partners' apps or services. This portfolio strategy and focus on "brilliantly simple security and customer experiences" allows F-Secure to protect consumers' digital moments and continuously improve product satisfaction scores (Net Promoter Score, NPS), which are critical sustainability-related goals to F-Secure.

To realize the purpose of making every digital moment more secure for everyone, the go-to-market model is primarily channel-based and through Service Providers allows reaching hundreds of millions of consumers behind these partners in focus regions in Europe, North America and APAC/Japan.

F-Secure's channel model emphasizes the importance of win-win relationships measured both in terms of revenue and partner satisfaction while ensuring this is done with the highest business ethics and conduct. Measuring partner satisfaction is another critical sustainability-related goal to realize the purpose and protect consumers' digital moments.

The goals of F-Secure's 2024 non-sales STI Plan included the Company Business Results (combined growth % and profitability %) and the Company Employee Engagement (eNPS). These STI elements are tightly connected to material sustainability drivers as growth is a proxy number for the number of consumers that F-Secure protects globally ("building trust in digitality and society"), while eNPS represents the importance of employee well-being and satisfaction.

Business model and value chain

F-Secure's business model is based on delivering subscription-based consumer cyber security software products and services directly through own e-com activities and app stores, as well as through channel partners such as Communication Service Providers and financial institutions (banks or insurers).

Key inputs (upstream value chain):

1. Securing the right talent: Expertise in the cyber security industry is scarce and highly sought after. It's critical to build a strong employer value proposition, hire diverse new talent and help them reach their full potential at F-Secure.

2. Access to cyber security technology and threat intelligence: As is common in the cyber security industry, protection is a combination of own core protection capabilities complemented by 3rd party solutions such as threat intelligence. F-Secure always evaluates whether a particular protection functionality is core to strategy and if we should make it, buy it or partner around it.

3. Industry organizations: F-Secure works, for example, with Amtso, Coalition Against Stalkerware, Internet Watch Foundation and GASA, as well as with academia such as Aalto University to increase cyber security awareness.

4. Suppliers: F-Secure is a cloud-based company and works with various suppliers and partners. This includes suppliers to the production environment, business IT, CRM, finance, and other related business systems.

5. Financial institutions: The market where F-Secure operates, and the recurring subscription-based business model provides the opportunity for F-Secure to grow profitably. This in turn gives credibility with financial institutions and investors. All combined makes it possible to pay dividends to shareholders and drive growth that can positively impact share price, while strong cash flow allows managing debt and supports future potential M&A activity.

6. Legislative bodies: For legislative purposes and as a listed company, F-Secure continues to track and evaluate regulatory impacts on operations across regions. This includes, for example, evolving ESG regulation, legislation on the use of AI and data privacy.

Material own operations:

1. Product creation and related operations: Product management functions lead the creation of a compelling and differentiating portfolio vision, offering and roadmap. The R&D function implements roadmaps and also drives security research and innovation agenda to stay ahead of the threat landscape evolution.

2. Sales and marketing (Service Provider channel): Service Provider channel is F-Secure's primary go-to-market model where partners promote and sell security services and support their end-customers (consumers). F-Secure has a dedicated partner sales organization that focuses solely on driving sales through Service Providers.

3. Sales and marketing (Direct channel): Direct channel provides direct access to consumers in focus regions and a source of revenue but also critical insights into what resonates with consumers in terms of the product offering, value proposition and pricing.

4. Services organization: Supports both direct and partner channel activities in terms of delivery, customer care and providing a wide range of partner success services that help partners grow their security business.

5. Business conduct: F-Secure's business is based on trust. All data needs are handled securely and respecting e.g. consumers' right to privacy. F-Secure ensures that employees follow the Code of Conduct and take business ethics into account in all they do, including training on cyber security-related policies and activities.

6. Talent development and well-being: Developing own employees and hiring new talent is critical for F-Secure's growth. This also includes how F-Secure maintains and increases well-being and diversity at F-Secure to create a safe working environment where everyone can reach their full potential.

7. Business support: Finance, HR, legal, CISO, and Corporate Development provide business support activities to all functions such as support in hiring, accounting and financial reporting, invoicing, ensuring company-level cyber security, and support in strategy process and M&A activities.

8. Board of Directors: The Board of Directors plays a crucial role in the governance of a company by providing strategic direction and oversight. The Board is responsible for approving the company's overall vision, strategy and long-term goals, and ensuring that management acts in the best interests of shareholders and other stakeholders. The Board also oversees financial performance, risk management, and compliance with legal and regulatory requirements.

Material downstream operations:

1. Partner support: F-Secure supports partners in selling and promoting cyber security services and delivers concrete business outcomes where security becomes a new core service. Consumer cyber security also has a positive impact on their other core businesses such as fiber or 5G broadband sales, increasing customer retention and overall relevancy of their brand in consumers' everyday lives.

2. App stores: In addition to the own e-Commerce platform, F-Secure makes available and promotes services in Apple's and Google's app stores.

Key outputs:

Through strategy and business model, F-Secure delivers concrete outcomes and benefits to key stakeholders including:

• Protection of consumers' digital moments against cyber threats
• Trust in digitality and society
• Business outcomes for Service Provider partners (new core service, customer retention, brand relevancy)
• Financial returns for investors and lenders
• Meaningful employment and development opportunities for employees

Interests and views of stakeholders

Through ongoing dialogue and engagement with our stakeholders, we strive to understand our stakeholder positions, requirements, concerns, and expectations in more detail. This continuous interaction provides input to our strategy and ESG-related policies, actions, and processes, allowing us to align with the interests and views expressed by our stakeholders. The insights gained from these continuous dialogues serve as the baseline for our due diligence processes and concluding the Double Materiality Assessment.

As described in more detail under General Information and the IRO-1 section, during the F-Secure Double Materiality Assessment, we've engaged in a dialogue with our key stakeholders to understand their expectations, including financial institutions (inc. analysts, investors, lenders), our own workforce, end-customers (consumers), the Board of Directors (via the Audit Committee), and channel partners. In addition, we analyzed selected suppliers and regulatory compliance. F-Secure has conducted several different surveys that have helped identify material themes in these stakeholder groups. Finally, with selected Service Provider partners we've had 1:1 meetings to deep-dive into their sustainability-related needs and expectations, and we'll continue to do so in 2025. Please see Figure 3, F-Secure stakeholder map for further details.

Stakeholder groups, engagement methods, and key concerns

Integration of stakeholder views into strategy and business model

While the outcome of the DMA did not result in material changes in our strategy or business model, we expect the relationship with some of the stakeholders to further strengthen through regular dialogue and complementary ESG agendas, especially our Service Provider partners. We also aim to build on the trust placed in us by continuing to act in a transparent way and following through on our goals. In addition, the standardization of measures will create more common metrics and activities which may serve as a further catalyst for collaboration with our stakeholders.

Informing internal stakeholders on stakeholder interests

Stakeholder feedback has also been presented to the management, administration and supervisory bodies as part of the DMA. F-Secure will continue to consider stakeholder feedback as part of our risk management process and annual strategy reviews. Our ESG Council will continue to review and update DMA and IROs regularly, and the management, administration and supervisory bodies will be informed if there are any significant changes in stakeholder feedback, or new potential or actual impacts are emerging affecting the strategy and business model.

Consumer interests

For clarity, within the context of this Sustainability Statement, terms "consumer" and "end-user" should be treated as synonyms unless explicitly stated otherwise.

Related to consumer interests, views and rights, F-Secure is in the business of protecting consumers against online threats and it is critical to understand consumer needs and concerns around cyber security. F-Secure conducts regular consumer and market surveys to ensure its product and protection roadmaps are aligned with consumer needs. As an example, F-Secure recognized consumer's right to privacy online and implemented a consumer VPN offering several years ago.

Additionally, several other channels serve as input to our product management processes and developing new protection capabilities, such as our own customer care operations or feedback from our Service Providers like Communication Service Providers. Equally important is to have in-depth views of how the threat landscape evolves to provide effective protection to consumers and educate consumers on surfacing threats. Our promise is to provide frictionless user experiences, which means we also involve our end-customers in product usability and accessibility testing.

The above market studies and consumer insights not only allow F-Secure to ensure its product strategy addresses real and relevant consumer needs in an elegant and simplified manner but also serve as input to our channel strategy. According to consumer feedback, approximately 81% of consumers expect internet service providers to provide security services, which has influenced our channel strategy. Furthermore, consumers find cyber security complicated, which is one of the reasons we're now embedding security as part of our partner's existing app or services so there is no need for a consumer to download and learn a new application.

Finally, we are continuously monitoring evolving legislation in our key markets that impact consumers. This includes, for example, EU GDPR and its impacts on the extent we collect consumer data and how it is processed at F-Secure.

Own Workforce interests

F-Secure has involved its workforce when conducting the Double Materiality Assessment and defining IROs. Additionally, we regularly gauge our employees' well-being and obtain their feedback on current events and company strategy, for example. These results are reviewed also by the Leadership Team and each function to drive related actions (where needed). Furthermore, we:

• Ensure that we work according to our Code of Conduct, which includes respecting human rights
• Actively communicate company direction and priorities. This allows every employee to understand how their roles contribute to the broader company goals, thus making them feel connected to the company's direction
• Emphasize F-Secure's cultural values and how things are done at F-Secure to encourage employees to align their actions with shared values. Values are also used as part of our performance management ("how" things got done in addition to "what").

Value chain workers' interests

F-Secure is committed to respecting the human rights of its value chain workers and takes actions to ensure fair labor practices, safe working conditions, and the right to freedom of association and collective bargaining. F-Secure has a supplier Code of Conduct and agreements with certain partners, which seek to ensure that they meet the company's standards for responsible business conduct, including the treatment of their workers.

Material impacts, risks and opportunities and their interaction with strategy and business model

Full list of material IROs

F-Secure has identified several actual positive impacts related to social sustainability, which is closely linked to our strategy and business model. Through our actions and the portfolio of consumer cyber security products and services, we protect people against cyber security threats. Additionally, we make free tools and educational information about the threats available to everyone, helping raise awareness of cyber threats in society at large.

Additionally, we focus on the well-being of our employees, providing equal treatment and opportunities for professional development. Through these activities, we have an actual positive impact on our workforce and support them to be the best professionals they can be. We encourage our employees to speak up, which is also enforced by our recently renewed culture and through our whistleblower channel where any business conduct matter can be raised without fear of retribution.

Related to the environmental topic we see that there is a potential positive impact to be had in the future, which is linked to green coding practices. While we today deploy our solutions in climate-neutral platforms like AWS, we see the use of AI becoming more widespread, and as we protect more consumers, more energy will be needed to run our products, emphasizing the need for green coding and similar practices.

Environment

Potential positive impact (OO)

• Implementation of green coding principles and practices can reduce battery use in consumer devices or computational power needed in a cloud environment

Social

Actual positive impact (OO)

• Protect consumers' digital moments by providing relevant, effective, engaging and easy-to-use cyber security solutions against modern cyber threats directly and through partners
• Create awareness about cybercrimes: Increase consumer awareness about cyber security and cybercrime through marketing campaigns, events, free tools, and content
• Number of annual holidays: We offer more days off than some countries require, such as the US
• Promoting gender equality: Recruit and advance women and under-represented groups, mitigate the gender pay gap
• Inclusive culture with a speak-up culture: Ensure that we have an inclusive culture where the workplace is a safe environment for everyone through our company culture. We foster a speak-up culture ("dare to care")

Governance

Actual positive impact (OO)

• Whistleblower channel available: Protection of whistleblowers encourages and enables all stakeholders to speak up. F-Secure has a whistleblower channel available to all our employees and business partners. Internal awareness is raised about it in mandatory training internally.

We've additionally identified Risks and Opportunities as per the Double Materiality Assessment as described in the IRO-1 section and covered in more detail in the topic-specific sections.

Environment-related risks and opportunities

• RISK: Failure to meet climate change mitigation targets (OO) may have a negative impact on our channel business as some Service Providers expect meeting the 42% CO2 reduction target
• OPPORTUNITY: Continue to enforce policy regarding e- and hybrid leasing vehicles Continue to enforce our policy for e-vehicles over time to reduce our CO2 emissions (OO)

Social-related risks and opportunities

• OPPORTUNITY: Protecting consumers against the evolving threat landscape is seen as an opportunity (VC) for both F-Secure and our channel partners as scams continue to become more widely spread and consumers are seeking solutions to stay protected
• OPPORTUNITY: Use data and AI in security applications to provide more effective protection against online threats and improve the user experience (OO)
• OPPORTUNITY: Identifying critical strategic competencies that are needed for our long-term success (OO) with related opportunities in providing learning and development opportunities to our employees (OO)
• OPPORTUNITY: Expand the use of worktime tracking on the EU level (OO)
• OPPORTUNITY: Employer reputation: Improving the employer brand image can attract especially younger generations through DEI activities (OO). On the other hand, there may be a RISK that our DEI activities are not sufficient, especially for major Service Providers with extensive DEI requirements (VC)
• RISK: F-Secure's go-to-market model is primarily based on channel sales and a significant agreement change or existing partner loss can negatively impact our future outlook
• RISK: Tier 1 partnerships: To drive growth, F-Secure works with the world's largest Service Providers and we may be unable to create and deliver solutions to these partners with sufficient profitability levels or meet extensive contractual obligations
• RISK: Consumer willingness to pay: Intensifying competition and a negative macro-economic situation may hurt consumer willingness to pay for premium security (VC)
• RISK: Failure in talent acquisition and retention (OO)
• RISK: Security of suppliers and partners: As is customary in the cyber security industry we work with several suppliers and partners and the reliance on these suppliers or partners may subject us to vulnerabilities (OO)
• RISK: Cyber security: We may become targets of a cyber security attack negatively impacting our reputation and business (OO)
• RISK: Workload and mental well-being: We acknowledge our industry is demanding for our employees and increasing workloads and negative impacts on mental well-being constitute a risk (OO)

Governance-related risks and opportunities

• OPPORTUNITY: F-Secure launched its new culture program in 2024 to support and accelerate our ESG agenda including the speak-up culture described above (OO)
• RISK: Partner business, use of agents and other intermediaries may increase the risk of bribery and corruption in cases where middlemen are used (VC)
• RISK: Bribery and corruption risks may rise as a result of M&A transactions due to limited understanding of the target (OO)

Linkage between IROs and strategy/business model

The positive impacts related to consumers and end-users are directly linked to F-Secure's business model and strategy. We are in the business of protecting consumers' digital moments against cyber threats directly and through our partners and doing this in a business-responsible manner with our employees.

F-Secure's ambition is to increase the positive impact further based on our growth strategy of protecting consumers' digital moments while increasing reach and scale through our Service Provider partners. These partners that generate most of F-Secure's revenue continue to see protecting their end-customers as a major part of their brand promise and a business opportunity as a new core service. Together with our partners, we can expand the reach and adoption of security in our key markets among consumers, which, in turn, enables us to increase our actual positive impacts further over time.

Similarly, other potential or actual impacts related to green coding (lower electricity use in end-user devices and cloud), only leasing electric vehicles reducing CO2 emissions, activities around employee well-being, such as more holidays than mandatory, our inclusive corporate culture encouraging speaking up and not tolerating any harassment, and anonymous whistleblowing channel related impacts are directly related to F-Secure's strategy and business model.

The positive social sustainability- and governance-related impacts have already materialized, and we see them having an increasingly positive impact also in the long term, as well as per company strategy and priorities. The potential positive impacts related to green coding will grow over time and we expect an actual impact to materialize in the long term.

Effects of IROs on strategy and decision making

Our most material actual positive impact is related to protecting consumers' digital moments against online threats, increasing consumer trust in digitality and hence society. For consumers, this translates to peace of mind and psychological safety using digital services, in addition to protecting against financial losses. We already have this positive impact today based on our own operations directly and through our channel partners, and we expect it to remain our material impact also in the long term. Protecting consumers' digital moments continues to guide and inform the company strategy, decision making and execution, notably including:

1. Allocating product and technology investments to provide relevant, engaging and effective protection capabilities to consumers against modern threats. This also includes investments in innovation, threat research and research in consumer needs.

2. Ensuring that in our go-to-market model that is primarily channel sales driven, we can meet the needs of each partner segment operationally and through our product and services portfolio. This "fit to channel" and being a "partner-first" company further ensures we can reach a sizable number of consumers behind our partners whether providing an all-in-one consumer cyber security application, network security or SDK/API-based security solutions to our partners to protect their end-customers (consumers) and other partner-facing services that support their business growth. These in turn help mitigate the risk of not meeting our Tier 1 partners' needs.

When protecting consumers' digital moments, the constantly evolving threat landscape has been identified as a growth opportunity for F-Secure and our channel partners both in the short and long term. This is because scams have become commonplace and cybercriminals are switching to using AI to create more credible scams, such as fake online shops. Additionally, we see the use of AI as an opportunity for innovating new protection capabilities and improving customer experience.

To take advantage of these opportunities, our portfolio, customer experience and protection roadmaps are now focused on scam protection. This includes providing new protection capabilities such as messaging scam protection, where implementing AI capabilities provides effective protection and ensures an engaging user experience. We expect our scam protection focus to have a positive effect on our financial performance already today while supporting our long-term growth strategy as our offering becomes more attractive to consumers and our partners. Furthermore, providing relevant and engaging scam protection also helps address risks around consumer willingness to pay for security and a potential loss of an existing partner.

Additionally, protecting consumers' digital moments means supporting all consumers, whether they are using F-Secure's products or not. Therefore, we're both directly and through our channel partners having an actual positive impact while increasing consumer awareness about cyber security and cybercrime. Consumers are keen to learn about online threats and how to stay protected, and we address this need today by providing free tools, as well as engaging, digestible, easy-to-action content and communication through our experts that is relevant to consumers. These activities are having a positive impact on consumers already today and we plan to continue providing such services to consumers during our strategy period (2025-2027).

Our employees turn our vision and strategy into actions, and we've identified opportunities to identify and develop strategic competencies that are critical for our long-term competitiveness, especially in the cyber security industry where access to talent can be scarce. Related to this opportunity, attention has been put on our learning and development initiatives, including competencies across the company such as sales skills, product development and research, AI, and leadership development that supports living up to our culture, the daily work and the well-being of our employees.

We also believe we're making an actual positive impact on our work-life balance and well-being as we've decided to offer more days off than some countries require, such as the US, additionally supported by our plans to expand the use of worktime tracking on the EU level. Combined with developing strategic competencies and leadership development we can also reduce the risks related to workload and mental illnesses.

In addition to developing our workforce, hiring new talent is critical for our long-term success. Employer reputation and our employer brand image are crucial in these activities, especially when attracting the younger generations through DEI activities, which has influenced us to support activities such as Women in Tech.

Furthermore, by promoting gender equality and advancing women and under-represented groups as well as mitigating the gender pay gap we can directly make an actual positive impact on our employees. We've already made gender pay gap-related adjustments during 2024 and will continue to do so during our strategy period 2025-2027 and in the future, to the extent needed. Additionally, to support diversity and equality at F-Secure, in 2024 we've decided to define and launch our new inclusive culture with a speak-up culture to support our growth ambition, which directly has an actual positive impact creating an inclusive culture where the workplace is a safe environment for everyone. This includes our new values, defining wanted and unwanted behaviors, as well as leadership principles and Employee Value Proposition (EVP), all aligned with the company vision and feedback from our employees.

The impact of our new culture applies to all employees at F-Secure and we're seeing a positive impact in our employee NPS results already today and expect our culture to further develop and strengthen over the long term as this development is a journey. We believe these actions will help mitigate risks related to certain regions and partner retention and acquisition related to Service Providers may have extensive DEI requirements. Similarly, their combined effect helps mitigate the risk of losing key people or not being able to acquire new talent.

Trust is critical in the cyber security industry. Therefore, we recognize that there is a risk that cyber security attacks negatively impact our reputation and business while working with external suppliers and partners can introduce layers of vulnerabilities. This has led to the decision to improve our product-related vulnerability management processes and develop secure software, as well as conduct due diligence on suppliers as described in more detail under Consumers and End-users – S4 section. Finally, our risk management process assesses risks related to bribery and corruption regularly and potentially applies to future M&A transactions as understanding of the target can be limited and the risk will be addressed when topical and as part of the M&A Due Diligence process.

Additionally, through our whistleblower channel, we see a direct positive impact where the protection of whistleblowers encourages and enables all stakeholders to speak up. F-Secure has made whistleblower channels available to all employees and business partners, and internal awareness is raised through mandatory training. This ensures that any misconduct or risks can be raised without repercussions as discussed later in this statement. The whistleblowing channel has been available since the demerger from WithSecure in mid-2022 and continues to be available in the future as per our policies.

Related to climate change, F-Secure has a relatively small CO2 footprint being a software company but it is committed to the Paris Climate Change Agreement reduction target, which is also important to our stakeholders like Service Providers. Therefore, as our business is primarily channel-driven, should we fail to reach our reduction target it may negatively affect relationships, especially with those Service Providers who are committed to reducing emissions by 2030. With this in mind, F-Secure is mitigating the risk by developing reduction pathways across Scope 1–3 emissions with a special focus on engaging with our suppliers as described under the Climate Change section, in addition to the opportunity to switch to electric or hybrid vehicles, and expect these activities to continue until 2030 when the target has been reached and as described under the Climate Change reduction pathways section.

We also recognize that implementing green coding principles and practices can have a potential positive impact in the medium to long term as we can reduce the impact of our protection offering e.g. further optimizing the footprint in consumer devices and minimizing the impact on battery use, as well as improving cloud computing efficiency even if we run on top of carbon-neutral platforms like Amazon Web Services (AWS).

Resilience to identified IROs

F-Secure's strategy and business model are considered resilient to address material impacts and risks, and leverage opportunities as identified as part of our 2024 strategy process for the next strategy period (2025–2027), which is F-Secure's definition of the mid-term period (1–3 years). This included both qualitative and quantitative analysis, expert assessments and external consultation. Additionally, F-Secure is a highly profitable company with a strong cash flow, providing the ability to invest in our growth initiatives. Furthermore, our dynamic strategy process where we regularly assess our progress as oppositive to an annual one-off corporate strategy planning project also provides the capability to rapidly react to market changes and new opportunities.

Overall, we see that the benefits from our positive impacts and opportunities outweigh the risks that we've identified further increasing our resilience. Most importantly, we continue to have an actual positive impact on consumers' everyday lives, protecting their digital moments, which is very much in demand according to our surveys. This is evidenced also by the fact that we operate in a large and growing consumer cyber security market. All combined, help mitigate risks related to competition and consumer willingness to pay for cyber security becoming lower.

We also see an opportunity to grow further based on the evolving threat landscape, especially providing scam protection. Therefore, during 2024, we've shifted our research, technology and product creation-related investments to address this "scam pandemic".

Our confidence in company resilience is further based on:

1. Our business model is based on recurring subscriptions while our channel strategy further increases our resilience against risks and market disruptions as partners include security in their core offering

2. Our contracts with partners are typically long and should a contract end, there is typically a long tail of revenue generated for a period of time. This combined with building a compelling offering for our partners and building connections with our partners' C-level helps mitigate the risk of losing a partner.

3. We work with the world's largest Service Providers such as Communication Service Providers that have demanding requirements and addressing these needs increases our resilience across our entire business. We've also made significant changes to our operating model and investments to support such Tier 1 partners, ensuring we can win and support these partners.

4. We continue investing in our talent development, well-being and inclusive company culture to support our employees and our growth strategy, which helps mitigate risks related to attracting and retaining talent, and overall employee well-being

For resilience against climate change, refer to the Climate Change section for transition and physical-related risks.

Entity-specific IROs

F-Secure has identified some entity-specific impacts, risks and opportunities related to social topics, which is where F-Secure makes the largest contribution. The descriptions in the entity-specific section include contextual information and any assumptions made when calculating the measure or target. When developing entity-specific measures and targets F-Secure has considered how they can support reducing negative outcomes and increasing positive outcomes for people. The measures and targets have been developed for IROs where we have identified material impacts, risks or possibilities in the short, medium or long term that exceeds the threshold for financial impact (see the section IRO-1).

In short, and based on our double-materiality analysis, these entity-specific disclosure requirements apply to section S4 Consumers and End-Users, covering:

Description of the process to identify and assess material impacts, risks and opportunities

Overview of the Double Materiality Assessment Process

F-Secure completed its first Double Materiality Assessment (DMA) in November 2022 and in 2023–2024 further refined its DMA process and methodology, aligning them with the final version of the European Sustainability Reporting Standards and EFRAG guidance, which resulted in an updated view of material topics, sub-topics, and IROs.

Methodology and Principles Applied

When assessing sustainability matters, the following principles and approaches were applied:

1. ESG matters assessed were selected based on EFRAG sustainability standards while SFRD and NFI regulations were also reviewed
2. Sector and entity-specific disclosure topics were assessed whenever identified as relevant, for example related to cyber security
3. The assessment was conducted as double materiality, considering sustainability matters' impacts on F-Secure and F-Secure's impacts on sustainability matters
4. Assessment of IROs was based on appropriate quantitative and/or qualitative thresholds
5. Engagement with affected stakeholders was conducted and inputs were used to inform the materiality assessment process
6. Acknowledge that cross-cutting matters are to be reported irrespective of the outcome of the materiality assessment, and a topic was considered material if an impact, risk or opportunity was identified that exceeded the thresholds

Inputs to the Assessment

The critical input for the assessment has been dialogue with our key stakeholders to understand their material needs and topics. During the process, F-Secure has engaged with:

• Service Provider partners
• Investors and bankers
• Own workforce
• Consumers
• Requirements from suppliers and regulators were also taken into account

To complete the analysis, we applied:

• Guidance available from EFRAG
• Our own and 3rd party sustainability expert interpretation of the standards
• Developed an assessment process and scoring matrices allowing us to identify the material sustainability matters

Scoring Criteria and Thresholds

Threshold Values for Materiality

Material impacts, risks and opportunities were considered material if one or more of the following thresholds were exceeded:

• Strong stakeholder request
• Exceedance of financial impact
• Scope and scale of event impact global and/or severe and/or irremediable in nature as well as likelihood

A topic was considered material if it scored '3' in any category or met the financial impact threshold.

Table 7. Description of assessment methodology:

Additionally, whenever relevant, studies about global risks and megatrends were utilized to assess further material topics.

Process for Identifying Material IROs

F-Secure is focused on areas where impacts, risks and opportunities are deemed likely to arise, based on the nature of the activities, business relationships, geographies, or other factors concerned.

Material impacts, risks and opportunities were considered material if one or more of the thresholds were exceeded. The risk management, including negative impacts, is conducted in accordance with F-Secure's Risk management policy and as part of F-Secure's risk review. In addition to assessing risks and negative impacts, positive impacts and opportunities are also embedded into the strategy process including all material sustainability matters.

Time Horizons for Assessment

Our Risk Management Policy explicitly requires evaluating the short-, mid- and long-term time horizons taking into consideration the severity of the impact (scale, scope, remendability) and probability for any ESG-related risks including actual and potential negative impacts, and in the case of a potential negative human rights impact, the severity of the impact takes precedence over its likelihood.

Climate-Related IROs Process

F-Secure has applied climate-related scenario analysis. The assessment of transition risks and opportunities are disclosed in the Climate Change section.

Physical Risks Assessment

No significant physical risks were identified related to climate in own operations or value chain and no assets were identified in high-risk regions or there are sufficient guardrails in place like geographical redundancies. The physical risks were not seen as material as they are unlikely for the majority of employees and do not pass the threshold for materiality.

Transition Risks and Opportunities

Through climate-related scenario analysis, the only material risk identified is a transition risk related to reputation. This risk would materialize if F-Secure fails to meet mitigation targets aligned with the Paris Agreement, affecting stakeholders' expectations. Over 90% of F-Secure's emissions are from Scope 3 categories, making emission reduction heavily dependent on the supply chain.

Business Conduct IROs Assessment Process

F-Secure is focused on areas where impacts, risks and opportunities are deemed likely to arise, based on the nature of the activities, business relationships, geographies, or other factors concerned. The business conduct assessment was conducted on a global level and when assessing the impacts, risks and opportunities we also considered special circumstances such as M&As.

F-Secure is operating with large international partners with clear business codes of ethics and practices decreasing the risk of any anti-business conduct behavior. As F-Secure's operations are global, there are countries in which F-Secure has operations and where risks related to corruption and fraud are elevated.

To estimate and understand the risks in the value chain, F-Secure has considered various aspects and operations and their risks of and related magnitude of any unethical behavior. In case any event would take place, it is still estimated to have a rather insignificant financial impact on F-Secure in the long term and would rather be short term and local in nature, with a low likelihood of happening.

Stakeholder feedback was also considered in the assessment. Business ethics are essential for attracting investors and retaining partners, in addition, ethical practices create a positive and productive workplace. This is reflected in the stakeholder surveys and the level of importance the stakeholders place on the topic.

Assessment of Impacts on People and Environment

Through analyzing F-Secure's business model and strategy, discussions with leadership and different functions, reviewing already existing company risks, and reaching out to stakeholders for input we were able to create an understanding of where we might have a heightened risk of adverse impacts.

As a result of the analysis, no adverse impacts have been recognized, however we have recognized risks that might lead to adverse impacts if realized. The impacts have not been included in the materiality analysis as the likelihood that these risks would materialize is more unlikely than likely. Assessment and prioritization of risks were made based on the threshold set for determining materiality.

When conducting the materiality assessment F-Secure as a software-based company has not identified any pollution, water or marine resource, biodiversity and ecosystem or resource use and circular economy-related impacts, risks or opportunities. Furthermore, as F-Secure does not have physical product manufacturing, pollution from the value chain is considered small, and resource use and the circular economy are irrelevant.

During the process of identifying and assessing physical risks, F-Secure has considered climate-related hazards and screened whether its assets or business activities may be exposed to these hazards.

F-Secure applied the same method for identifying and prioritizing material impacts for reporting purposes as for risks and opportunities. An impact was considered material once one or more of the thresholds were exceeded.

Positive impacts have not been further prioritized and are included in the reporting scope. Any potential negative impacts identified during the project but not meeting the threshold values will be managed as part of F-Secure's risk management process, where applicable.

Integration with Risk Management and Internal Controls

The coordination of the DMA process and keeping our DMA up-to-date and relevant bi-annually is handled through F-Secure's ESG Council. Any actual or potential negative impacts or risks found during the assessment would be assigned and owned by each respective function to mitigate the risk or negative impact as part of our risk management process, while actual or potential positive impacts, as well as opportunities are integrated as part of F-Secure's strategy and relevant function execution plans.

The ESG Council is responsible for regularly re-assessing our DMA, as well as our impacts, risks and opportunities. F-Secure's ESG function under Corporate Development develops required internal controls in collaboration with the topic owner and updates of new controls will be presented to the ESG Council and Director of Financial Controlling who is the owner of the company-wide internal controls procedure. The ESG Council will be informed if the control has failed and present risk mitigation actions. Depending on the nature of the control, the Audit Committee will also be informed about the status and further mitigation actions being taken.

Governance and Decision-Making

F-Secure has established an ESG Council containing members from F-Secure's Leadership Team (CPO, CFO, SVP Corporate Development) and key stakeholders from various functions to drive the ESG agenda at F-Secure.

The ESG Council is responsible for regularly re-assessing our DMA, as well as our impacts, risks and opportunities. Moving to 2025, Committees will also participate in the bi-annual assessment of the DMA/IROs and will track the effectiveness of actions and metrics related to them.

F-Secure has implemented a process of continuous risk management in its operations and functions. Each function will monthly or at minimum quarterly, review the risks, the related progress of mitigation plans while the Leadership Team reviews risks bi-annually. Each Leadership Team member (function lead) is accountable for executing the risk management process in their functions.

The input parameters include stakeholder feedback, F-Secure's own insights and estimations for each threshold value. The estimations are made based on the best available information at the time.

Review Frequency and Updates

While 2024 is the first reporting period applying ESRS, DMA and IRO lead reporting structure, the assessment process related to ESG impacts, risks and opportunities has been further developed as part of the F-Secure Double Materiality Assessment finalization. This includes further stakeholder engagement, sub-sub topic analysis and formally assigning specific impacts, risks and opportunities to specific functions.

Possible future revisions of our DMA are subject to our annual DMA review by the ESG Council and as per our risk management process. Our next planned DMA review will take place no later than Q2/2025.

The ESG Council is responsible for facilitating, implementing and tracking our ESG activities, including alignment with the company strategy process and other necessary company processes such as risk management, and drives the creation of the annual sustainability statement. The ESG Council also drives regular reviews of our sustainability topics, including reviewing the relevancy and accuracy of our DMA and IROs.

The cross-functional ESG Council is responsible for the identification and assessment of impacts, risks, and opportunities (IRO) at minimum twice a year. Results are shared with the Audit Committee for review and oversight including internal controls, while targets related to material topics are approved by the Board of Directors.

Material Topics Identified

Table 6. Material ESG Topics:

Use of Value Chain Mapping

F-Secure's resilience analysis covers both the upstream and downstream value chain, as well as own operations. F-Secure has covered relevant physical risks, as well as transition-related risks in its resilience analysis.

When protecting consumers' digital moments, impacts are assessed in both own operations (OO) and value chain (VC), as indicated in the detailed IRO tables under each topic.

F-Secure has involved its value chain workers' interests through supplier Code of Conduct and agreements with certain partners, which seek to ensure that they meet the company's standards for responsible business conduct, including the treatment of their workers.

Transition plan for climate change mitigation

Scope of the transition plan

F-Secure's transition plan covers Scope 1, 2 and 3, and all the relevant categories included in Scope 3. The plan applies to all geographies and is outlined in F-Secure's Climate change policy approved by the CEO covering climate change mitigation, climate change adaptation and renewable energy deployment. The main objective is to manage and prioritize emissions in operations and the value chain, covering all geographies.

Target years and net zero / carbon neutrality

2030 Target: F-Secure has set key greenhouse gas (GHG) emissions reduction targets in line with the Paris Agreement limiting global warming to 1.5°C. The targets cover reducing GHG emissions by 42% between 2024 and 2030 in own operations and across the value chain (Scope 1 & 2 and 3) with the base year set for emission reduction targets as 2024. The emission reduction targets are based on the IPCC 1.5°C Pathways.

In 2030:

• Scope 1&2 emissions aim to be 127 tons of CO2e (combined target of 181 tCO2e for Scope 1 and 110 tCO2e for Scope 2 market-based)
• Scope 3 emissions aim to be 4831 tons of CO2e

2050 Target: F-Secure meets its long-term climate mitigation target by 2030 and becomes climate neutral by 2050. The scenario is in line with limiting global warming to 1.5°C. For 2050, a specific emission reduction target has not yet been set but could include working with carbon-neutral suppliers to further reduce indirect emissions and promote sustainable practices.

Baseline year and GHG reduction milestones

Baseline year: 2024

Baseline emissions (2024):

• Scope 1: 31 tCO2e
• Scope 2 (market-based): 189 tCO2e
• Scope 3: 8330 tCO2e
• Total GHG emissions (market-based): 8550 tCO2e

2030 Reduction target: 42% reduction across all scopes (from 2024 baseline)

Annual reduction rate: 8.70% (based on linear progression)

Methodologies for tracking emission reduction targets vary. Scope 1 emissions are tracked annually based on invoices. Scope 2 emissions are tracked based on the EACs of each location. The base year is updated periodically. Potential events to trigger a base year recalculation are significant structural changes in the company (>10% change), company divestments, changes in calculation methods, discoveries of any error (causing base year to change more than 10%), outsourcing/insourcing of a significant emission contributing activity midyear and also comes with a sizable impact on IACs. After 2030, the base year is set every five years.

Alignment with 1.5°C / SBTi validation status

F-Secure has established GHG emission reduction targets that are compatible with limiting global warming to 1.5°C. The Greenhouse Gas Protocol (GHG Protocol) and IPCC's cross-sector pathway are adopted as the framework for measuring and managing emissions. Emission reduction targets are based on the IPCC 1.5°C Pathways.

SBTi validation: SBTi or a similar framework is under evaluation as per stakeholder requirements but has not yet been applied. The current view is that such a framework would not materially change overall GHG emissions. F-Secure may need to validate its GHG reduction target through SBTi or similar framework due to stakeholder concerns and partner requests.

Sectoral decarbonization is not available for IT and Software companies, yet.

Key decarbonization levers

Three primary decarbonization levers have been identified regarding material IROs:

1. Fuel switching

To reduce the climate impact of the fleet, F-Secure will lease only hybrid and electric vehicles. In 2024, F-Secure decided that all new cars leased from May 1st onwards would be either hybrid or electric vehicles. The estimate is that the amount of leasing vehicles will stay the same of which 50% will be electric vehicles and 50% hybrid vehicles. Hybrid vehicle emissions are estimated to be 50% of regular fuel. In the future, F-Secure aims to update its car policy to ensure that by 2030, all leasing cars are electric. Also, by 2030 F-Secure expects a shift to an all-electric vehicles policy.

Expected impact: No quantitative emission reductions for these actions in 2024.

2. Supply chain decarbonization

Consists of:

• i) improving GHG emissions data quality related to suppliers
• ii) ensuring that travel policy reflects climate ambitions, and prioritizing virtual meetings to minimize travel
• iii) partnering with zero-emission solution providers will ensure that the overall emission profile remains unchanged despite increased energy use while adopting new technologies, for example AI models

Actions initiated include:

• Decision on new VPN technology was finalized
• Travel booking system was updated
• Supplier analysis was initiated to identify the sources of emissions to guide future actions

Expected impact: No quantitative emission reductions in 2024. By 2030, following policies, a 42% decrease in emissions from the value chain is anticipated. Emissions in Scope 3 in 2024 were 8330 tCO2e.

3. Efficient or "green" coding principles

Focus on creating efficient solutions that minimize electricity usage and implement coding standards that reduce energy consumption during software execution in the downstream value chain.

Expected impact: No material reduction in emissions expected due to these activities as the end-customer base is expected to grow at the same time (sold products). This lever covers Scope 3 category 11 and is around 1% of emissions. Emissions in Scope 3 in 2024 were 8330 tCO2e.

Additional actions: Renewable energy deployment

F-Secure operates two major offices with over 50 employees each: one in Helsinki and one in Kuala Lumpur. The long-term plan is to ensure that all large offices, as well as smaller facilities where energy contracts can be controlled, use 100% renewable energy. F-Secure will apply green energy as a requirement for new office spaces and request changes in the current locations, where feasible.

By 2030 for Scope 1&2 emissions it is medium-likely that the transition to green energy is possible in all F-Secure offices and that all leased cars are electric. By 2050 for scope 1&2 emissions it is highly likely that the transition to green energy is possible in all F-Secure offices.

Regarding renewable energy deployment, the policy focuses on using renewable energy in office spaces, integrating climate considerations into office decisions, utilizing low-emission hosting services, and implementing green coding practices.

CapEx / investment commitments

No significant monetary amounts CapEx and OpEx have been required to implement the actions.

Locked-in emissions and stranded assets

Carbon lock-in is generally associated with physical infrastructure and long-term investments in carbon-intensive technologies. While there are some aspects where carbon lock-in can be relevant to software, the topic is not seen as material as the impacts are small due to actions already taken by F-Secure. The implementation of green coding practices further reduces locked-in GHG emissions.

Use of carbon credits / removals

Not disclosed as part of the transition plan. (Note: E1-7 GHG removals and carbon credits was indicated as "Not material" in the disclosure requirements table.)

Transition plan alignment with strategy and financial planning

ESG is not a separate strategy at F-Secure but is incorporated into the company's strategy and is part of normal business operations. Similarly, the transition plan actions will be implemented by appropriate functions including taking actions into account in their annual budgets to meet set goals, and progress will be tracked by F-Secure's Environment Committee and ESG Council.

The 2024 priority was to establish it as the baseline year for GHG reductions. During the year, an Environment Committee has been set up in Q3 2024 to implement the transition plan and owners for each category have been defined. In addition, climate change-related topics are considered in the renovation of the new headquarters project (planning 2024 and execution 2025) and in new leasing agreements. During 2024, F-Secure defined and approved its climate change policy and the supplier Code of Conduct includes relevant environmental topics. Further developments and updates of the GHG emissions model and transition plan have also been conducted to build the foundation to execute the plan. The detailed transition plan is being defined based on the scope described under the Climate Change section and will be reviewed and approved by the Board during 2025.

Scenario analysis and resilience

F-Secure uses scenarios as a tool to analyze its environmental resilience. The time horizons for the scenarios are 2030 and 2050. F-Secure has included the following climate scenarios in the analysis:

Scenario 1: F-Secure meets its long-term climate mitigation target by 2030 and becomes climate neutral by 2050. The scenario is in line with limiting global warming to 1.5°C.

Scenario 2: F-Secure fails to meet the mitigation targets. Society's emission reductions (including F-Secure's supply chain) are not fast or effective enough and therefore the operating environment prevents F-Secure from meeting its climate goal.

Material climate risks identified

Through climate-related scenario analysis, the only material risk identified is a transition risk related to reputation. This risk would materialize if F-Secure fails to meet mitigation targets aligned with the Paris Agreement, affecting stakeholders' expectations. Over 90% of F-Secure's emissions are from Scope 3 categories, making emission reduction heavily dependent on the supply chain.

A transition plan with mitigation actions is in place, and no significant negative impacts have been identified. Continuous monitoring and methodology development are essential to capture climate risks accurately.

Exclusion from Paris-aligned Benchmarks

F-Secure is not excluded from the EU Paris-aligned Benchmarks.

EU Taxonomy alignment

As per disclosure requirement E1-3, F-Secure does not have taxonomy-compliant activities, and therefore no linked investments and financing that would support its transition plan.

Policies related to climate change mitigation and adaptation

Climate change policy

F-Secure has a separate Climate change policy approved by the CEO covering climate change mitigation, climate change adaptation and renewable energy deployment.

Scope:

• Covers all geographies
• Applies to emissions in operations and the value chain
• Covers Scopes 1, 2, and 3

Approval and oversight:

• Approved by the CEO

Key content and principles:

Climate change mitigation:

• Manage and prioritize emissions in operations and the value chain
• Outlines F-Secure's climate change mitigation principles, covering targets and main activities across Scopes 1, 2, and 3

Climate change adaptation:

• Emphasizes identifying climate impacts, risks, and opportunities to inform planning
• Conducting risk assessments
• Integrating climate considerations into the strategy

Renewable energy deployment:

• Using renewable energy in office spaces
• Integrating climate considerations into office decisions
• Utilizing low-emission hosting services
• Implementing green coding practices

Integration with risk assessment:

• F-Secure acknowledges its climate change-related impacts, risks, and opportunities
• The process to identify these includes conducting risk assessments, scenario analyses, and integrating these considerations into the strategy and operations

Supplier Code of Conduct

The Supplier Code of Conduct includes relevant environmental topics.

Note: The document references this policy but does not provide further detail on its climate-related content, scope, or governance.

Actions and resources in relation to climate change policies

F-Secure has identified three primary decarbonization levers linked to material impacts, risks and opportunities (IROs) to meet the 2030 emission reduction target of 42%:

1. Fuel switching

Action: Lease only hybrid and electric vehicles

• Scope: Own operations (company fleet)
• Status: Policy decision made May 1, 2024 - all new cars leased from this date onwards are either hybrid or electric vehicles
• Progress 2024: A few cars were already replaced with hybrid or electric models during 2024
• Time horizon: Ongoing transition as leasing contracts are renewed through 2030
• 2030 target: Update car policy to ensure all leasing cars are electric by 2030
• Expected outcome: No quantitative emission reductions in 2024; 42% reduction expected by 2030
• Link to IRO: Addresses the IRO opportunity related to e-vehicle policy

2. Supply chain decarbonization

Actions:

• Improving GHG emissions data quality related to suppliers
• Ensuring travel policy reflects climate ambitions and prioritizing virtual meetings to minimize travel
• Partnering with zero-emission solution providers to ensure overall emission profile remains unchanged despite increased energy use (e.g., adopting AI models)
• Supplier selection process updates to include climate requirements
• Monitoring spend categories like travel to align with reduction pathway

Scope: Upstream and downstream value chain (Scope 3)

Progress 2024:

• Decision on new VPN technology finalized
• Travel booking system updated
• Supplier analysis initiated to identify sources of emissions to guide future actions
• Supplier Code of Conduct updated to include relevant environmental topics

Expected outcome: No quantitative emission reductions in 2024; 42% reduction expected by 2030

Link to IRO: Addresses the IRO risk that F-Secure's emission reduction is heavily reliant on suppliers

3. Efficient or "green" coding principles

Action: Focus on creating efficient solutions that minimize electricity usage and implement coding standards that reduce energy consumption during software execution

• Scope: Downstream value chain (use of sold products)
• Status: Implementation of green coding principles
• Expected outcome: No quantitative emission reductions in 2024; material impact assessed as low. By 2030, no emission reductions expected as number of sold products projected to grow while optimizing energy consumption
• Link to IRO: Addresses the IRO potential positive impact of implementation of green coding principles

Additional actions

Office renewable energy:

• F-Secure operates two major offices with over 50 employees that use 100% renewable energy (offices where energy use can be controlled)
• Climate considerations integrated into office decisions and new headquarters renovation project (planning 2024, execution 2025)
• Use of low-emission hosting services

Governance and implementation:

• Environment Committee established in Q3 2024 to implement the transition plan
• Owners for each emission category defined
• Climate change policy approved by CEO during 2024
• GHG emissions model and transition plan developed and updated during 2024
• Detailed transition plan being defined and will be reviewed and approved by Board during 2025

Resources allocated

Financial: No significant monetary amounts in CapEx and OpEx have been required to implement the actions.

Non-financial:

• Environment Committee established Q3 2024
• Ownership assigned for each emission category
• ESG Council tracks progress
• Integration into annual budgets of appropriate functions
• External consultant review of 2024 emission calculation methodology

Long-term actions (2050):

• Working with carbon-neutral suppliers to further reduce indirect emissions
• Promote sustainable practices across value chain

Targets related to climate change mitigation and adaptation

Overview

F-Secure has set greenhouse gas (GHG) emission reduction targets aligned with the Paris Agreement, aiming to limit global warming to 1.5°C. The targets are based on the IPCC 1.5°C Pathways and use the Greenhouse Gas Protocol (GHG Protocol) and CSRD as the framework for measuring and managing emissions.

GHG Emission Reduction Targets

Target Details

2030 Target Values:

• Scope 1 & 2 emissions aim to be 127 tons of CO2e by 2030
• Scope 3 emissions aim to be 4,831 tons of CO2e by 2030
• Total GHG emissions (market-based) aim to be 4,958 tons of CO2e by 2030

Annual reduction rate: 8.70% per year from base year

Decarbonization Levers

The following decarbonization levers have been identified to achieve the reduction targets:

1. Fuel switching: Leasing only hybrid and electric vehicles. All new cars leased from May 1, 2024 onwards are either hybrid or electric. By 2030, all leasing cars aim to be electric.

2. Supply chain decarbonization: Improving GHG emissions data quality from suppliers, prioritizing virtual meetings to minimize travel, partnering with zero-emission solution providers. Covers Scope 3 categories 1 and 6 (over 95% of Scope 3 emissions).

3. Efficient coding principles: Creating efficient solutions that minimize electricity usage and implementing coding standards that reduce energy consumption. Covers Scope 3 category 11 (around 1% of emissions). No material reduction expected by 2030 due to anticipated customer base growth.

Progress to Date (2024)

2024 serves as the baseline year; this is the first year of measurement under the new methodology.

Additional Information

• Scope 2 methodology: Both market-based and location-based methods are used, with market-based used for the 2030 target. Location-based Scope 2 emissions in 2024: 233 tCO2eq.
• GHG removals and carbon credits: Emission reduction targets do not include GHG removals, carbon credits, or avoided emissions as a means of achieving the targets.
• Long-term ambition (2050): A specific emission reduction target has not yet been set but could include working with carbon-neutral suppliers. Carbon neutrality target is under consideration.
• Renewable energy: Long-term plan to ensure all large offices (over 50 employees) and smaller facilities where energy contracts can be controlled use 100% renewable energy.
• Validation status: SBTi or similar framework is under evaluation per stakeholder requirements but has not yet been applied. Current view is that such a framework would not materially change overall GHG emissions.

Energy consumption and mix

ESRS E1-7 (formerly E1-5) disclosure status:

F-Secure has omitted ESRS E1-5 (Energy consumption and mix) in accordance with Appendix C of ESRS 1. The company states:

"F-Secure's employee count does not exceed the average number of 750 employees during the 2024 financial year. We have decided to omit some of the information required by ESRS E1 and ESRS S1 in accordance with Appendix C of ESRS 1."

Additionally, in the cross-reference table (page 65-67), the following E1-5 disclosure requirements are listed as "Not material":

• ESRS E1-5 Energy consumption from fossil sources disaggregated by sources (only high climate impact sectors) paragraph 38
• ESRS E1-5 Energy consumption and mix paragraph 37
• ESRS E1-5 Energy intensity associated with activities in high climate impact sectors paragraphs 40 to 43

No disaggregated energy consumption data by fuel type (coal, oil, natural gas, renewables) or energy mix table is provided in the 2024 sustainability statement.

Scope 2 emissions context:

While not a full E1-7 disclosure, the company provides limited energy-related information in the context of Scope 2 GHG emissions calculation:

• Data on purchased electricity is collected from six sites
• Both market-based and location-based methodologies are used for Scope 2 calculations
• Emissions from heating (except Finland) and cooling are calculated using office area and heating/cooling factors
• Kuala Lumpur office is assumed not to require heating due to tropical climate
• For January 2024, Kuala Lumpur's electricity consumption was estimated based on other months
• Emission factors sourced from multiple authorities including Energy Authority, Carbon Footprint, GreenTech Malaysia, Statistics Finland, Forum Energii, Umweltbundesamt, and European Commission

No quantitative energy consumption data in MWh, GWh or other energy units is disclosed.

Gross Scopes 1, 2, 3 and Total GHG emissions

E1-6 Gross scopes and total emissions

The following table summarizes F-Secure's GHG emissions for the reporting year:

¹⁾ Scope 1 and Scope 2 target is combined and not measured separately.
²⁾ Value is based on a linear progression. Our impact is not expected to follow a linear pattern. Scope 1 and Scope 2 target is combined and not measured separately.
³⁾ Value is based on a linear progression. Our impact is not expected to follow a linear pattern.

GHG intensity based on net revenue

Methodology and scope notes

F-Secure's GHG emissions are calculated in accordance with the GHG Protocol Corporate Standard. 2024 is established as the baseline year. The company has set a long-term GHG reduction target for 2030, aiming to reduce emissions by 42% across Scope 1, 2, and 3.

Scope 1: Emissions from fuel combustion in company vehicles. Emissions are calculated based on fuel consumption data from the leasing car system in Finland and country representatives elsewhere. Emission factors are sourced from Statistics Finland.

Scope 2: Both market-based and location-based methodologies are used. Data on purchased electricity is collected from six sites. For heating and cooling (except Finland), emissions are calculated using office area and heating/cooling factors. Emission factors are from multiple authorities including the Energy Authority, Carbon Footprint, GreenTech Malaysia, Statistics Finland, Forum Energii, Umweltbundesamt, and the European Commission.

Scope 3:

• Category 1 (Purchased goods and services, excluding data centre services): Values are derived from financial reports representing expenditure. Some vendor-specific emissions are calculated separately. Emission factors from Lenovo and Exiobase.
• Sub-category (Cloud computing and data centre services): AWS provides primary data representing less than 1% of total Scope 3 emissions. VPN energy usage is provided by Ficolo (Finnish provider); other VPN providers' usage is extrapolated. Emission factors from AWS, EEA, Australian government, Carbon Footprint, Government of Canada, Ficolo, Climate Transparency, Singapore government, EPA, Vietnam government, and GreenTech Malaysia.
• Category 3 (Fuel- and energy-related activities): Based on Scope 1 and 2 values. Factors from GLEC, Defra, and UK Government.
• Category 5 (Waste generated in operations): Waste amounts estimated by extrapolating general office waste. Laptop and monitor data collected from Finnish offices and extrapolated to other offices. Factors from Lenovo and EPA GHG emission factors hub.
• Category 6 (Business travel): Flight data from two travel systems and HR systems. Emission factors from Defra.
• Category 7 (Employee commuting): Work travel distance and type based on external data sources (estimations). Office workdays calculated based on Helsinki and Oulu office data for other sites. Factors from Defra, Statistics Finland, GreenTech Malaysia, Carbon Footprint, and EEA.
• Category 8 (Upstream leased assets): Emissions from home offices and coworking spaces assumed to come from electricity consumption from ICT equipment. Factors from Carbon Footprint, EPA, and Climate Transparency Report India.
• Category 11 (Use of sold products): All sold products assumed taken into use. Factor from Statistics Finland.

Excluded categories:

• Category 2 (Capital goods): Not relevant, F-Secure has not purchased or acquired capital goods.
• Category 4 (Upstream transportation and distribution): Not relevant.
• Category 9 (Downstream transportation and distribution): Not relevant.
• Category 10 (Processing of sold products): Not relevant, product is software.
• Category 12 (End-of-life treatment of sold products): Not relevant, no physical products sold.
• Category 13 (Downstream leased assets): Not relevant.
• Category 14 (Franchises): Not relevant.
• Category 15 (Investments): Not relevant.

Currently, Amazon Web Services (AWS) is the only supplier providing primary data used in emission calculation (less than 1% of total Scope 3 emissions). The remaining emissions have been calculated using standardized emission factors. The emission factors used are carbon dioxide equivalents, except for any specifically mentioned exceptions. This means that in addition to carbon dioxide, other greenhouse gases listed in the Kyoto Protocol (CH4, N2O, HFCs, PFCs, SF6, and NF3) are also included. The equivalents have been calculated using a 100-year time horizon to calculate CO2eq emissions of non-CO2 gases.

F-Secure has no operational control of associates, joint ventures or unconsolidated subsidiaries, nor contractual arrangements in joint arrangements that are not structured through an entity.

Biogenic CO2 emissions: Not separately disclosed.

Regulated emissions (EU ETS): 0% of Scope 1 emissions are from regulated emission trading schemes.

Anticipated financial effects from material physical and transition risks and potential climate-related opportunities

Phase-in exemption

F-Secure has decided to omit in our 2024 statement matters related to "E1-9 Anticipated financial effects from material physical and transition risks and potential climate-related opportunities".

Anticipated financial effects

The estimated anticipated financial effects from material physical and transition risks, as required by Disclosure Requirement E1-9, were not thoroughly evaluated in our resilience analysis due to the omission of E1-9. However, regarding material transition risks related to supply chain dependency, it is likely that F-Secure may face financial implications, though these have not been quantified.

Index table reference

Policies related to own workforce

F-Secure has established multiple policies addressing own workforce matters, all aligned with international human rights principles including the OECD Guidelines for Multinational Enterprises, United Nations Global Compact, UN Guiding Principles on Business and Human Rights, UN Convention against Corruption, International Bill of Human Rights, and the ILO Declaration on Fundamental Principles and Rights at Work.

F-Secure DEI Policy

Scope: All Employees, Employee-like contractors, Leadership Team members, and administrative bodies of F-Secure.

Governance: Approved by the Chief People Officer (CPO).

Key content:

• Sets guidelines to promote diversity, equity, and inclusion aligned with F-Secure values and Code of Conduct
• Creates an inclusive environment where everyone can thrive
• Defines DEI at F-Secure including mission statement aligned with business objectives
• Outlines anti-harassment and non-discrimination guidelines
• Sets diverse targets and tactics for talent acquisition and decision-making
• Ensures legislative compliance
• Establishes accountability and reporting mechanisms
• Includes training, targeted recruitment, programs supporting vulnerable groups and promoting leadership development, pay equity, and gender gap closure
• DEI Committee drives initiatives ensuring a safe and inclusive environment

International standards linkage: Aligned with ILO Declaration on Fundamental Principles and Rights at Work, combining it with ILO principles on Non-discrimination and equal opportunity.

Monitoring: Regular reporting tracks progress. DEI is central to culture, sustainability strategy, and corporate responsibility.

F-Secure Recruitment Policy

Scope: Employees and Employee-like contractors taking part in hiring processes.

Governance: Approved by the Chief People Officer.

Key content:

• Ensures fair and transparent hiring processes
• Adheres to local requirements and compliance factors like non-discrimination laws and background checks
• Aligns with values, culture, and Code of Conduct
• Covers importance of recruitment, diversity and inclusion, overall recruitment process, employer branding, recruitment metrics, legal considerations, and policy review

International standards linkage: Aligned with local compliance integrated with international principles such as the ILO Declaration on Fundamental Principles and Rights at Work.

F-Secure Health and Well-being Policy

Scope: All F-Secure employees.

Governance: Approved by F-Secure CFO.

Key content:

• Outlines principles and practices to ensure employee health and well-being
• Cultivating a healthy work culture
• Role of leadership
• Compliance with local health requirements
• Health activities
• Continuous learning
• Promoting well-being through speed and innovation
• Flexible work environments
• Monitoring success of activities
• Full commitment to adhering to local legislation and requirements in all countries where F-Secure operates

International standards linkage: Adheres to ILO standards on occupational safety and health.

F-Secure Learning and Development Policy

Scope: F-Secure employees, and in certain cases as described in the policy, Employee-like contractors.

Governance: Approved by F-Secure CPO.

Key content:

• Emphasizes continuous learning to enhance workforce expertise, foster collaboration, and maintain structured learning framework
• Covers defining training, roles and responsibilities, learning framework, learning-related data management & reporting, measuring effectiveness of learning efforts

F-Secure Rewards and Recognition Policy

Scope: All F-Secure employees. Does not apply to consultants or others not employed by F-Secure.

Governance: Approved by F-Secure CPO.

Key content:

• Outlines principles and practices for fair and transparent rewards
• Covers policy principles, job architecture, base salary, benefits, incentive plans, recognition, and pensions
• Addresses fair and equal treatment and transparent working conditions
• Defines rewards framework consistent with global standards, ensuring equity and transparency

International standards linkage: In line with OECD and ILO principles.

Human Rights Policy Commitments

F-Secure commits to protecting human and labor rights in all business, operations, and culture. Human rights are incorporated in the Code of Conduct with which all F-Secure employees must comply.

International standards linkage:

• OECD Guidelines for Multinational Enterprises
• United Nations Global Compact
• United Nations Guiding Principles on Business and Human Rights
• United Nations Convention against Corruption
• International Bill of Human Rights
• ILO Declaration on Fundamental Principles and Rights at Work

Key commitments:

1. Respect for Human Rights: Honors internationally recognized human rights standards; prevents adverse human rights impacts; takes swift action to remediate when impacts occur; respects freedom of opinion and expression, freedom of conscience and religion

2. Labor Rights and Safe Working Conditions: Respects labor rights; complies with local laws as minimum standard; respects freedom of association and employees' right to organize; ensures safe and healthy working conditions; zero tolerance for child labor, forced labor, human trafficking, or other human rights violations

3. Application of Standards: Where local laws differ from Code of Conduct: if local laws are less restrictive, Code of Conduct prevails; if local laws are more restrictive, those laws are followed

Scope: Suppliers and partners are also expected to act responsibly and comply with principles in Code of Conduct and local laws.

Public availability: Referenced throughout sustainability statement; Code of Conduct approved by Board of Directors and available to stakeholders.

Monitoring: Whistleblowing channel maintained by third party; mandatory training on Code of Conduct; protection from retaliation for raising concerns; monthly meetings between People & Culture Operations Director, HR Board, and local representatives; compliance with collective bargaining agreements in Finland, France, and Spain.

Taking action on material impacts on own workforce

F-Secure actively takes actions to ensure positive effects on its workforce while addressing risks and actual and potential material impacts. The company's initiatives are aligned with fostering a stable, equitable, and inclusive working environment. The company has not identified any actual or potential negative impacts related to its own workforce exceeding the threshold set in the impact, risk and opportunity assessment as part of the DMA.

Secure Employment and Flexible Workplace

What it does:

• Prioritizes permanent contracts over fixed-term agreements to minimize uncertainty for employees
• Remote work policy allows employees to work from home several days a week

Scope: Own operations

Expected outcomes:

• Promotes work-life balance and improves employee well-being
• In regions like India and Malaysia, where commuting can be time-consuming and stressful, remote work enhances employee satisfaction and productivity while enabling a more diverse and inclusive workforce

Healthcare and Well-being Programs

What it does:

• Comprehensive healthcare and well-being programs to ensure workforce feels supported and secure

Scope: Own operations

Expected outcomes:

• Prioritize employee health and create a stable and reliable employment experience

Fair Working Environment

What it does:

• Continuously evaluating and updating policies and procedures across all locations to ensure full compliance with local, regional, and national regulations
• Comprehensive suite of benefits including health insurance and vacation/leaves, which offer resources for mental health and personal well-being
• Leave policies (e.g., in the US) meet statutory requirements and promote equality for all employees worldwide

Scope: Own operations (all locations)

Expected outcomes:

• Maintain a fair and transparent work environment for all employees
• Foster trust and inclusivity within the organization
• Provide positive work-life balance

Promoting Gender Equality

What it does:

• Focus on promoting job openings to underrepresented groups to ensure diverse talent pools

Scope: Own operations

Expected outcomes:

• Ensure a robust workforce capable of addressing diverse market needs
• Reduce the risk of talent shortages by tapping into a broader range of talent

Inclusive Culture and Speak-Up Culture

What it does:

• Training Leaders: Leadership programs focus on psychological safety, active listening, and feedback
• Feedback Channels: Regular open forums like town halls encourage employees to voice concerns; employees are celebrated for embodying cultural values, such as giving and receiving constructive feedback
• Action on Feedback: Transparent development plans are co-created with employees and reviewed twice annually to ensure follow-through on concerns and feedback
• Anonymous Reporting Channels: An anonymous whistleblowing channel is available for raising concerns, ensuring confidentiality and prompting action

Scope: Own operations

Expected outcomes / KPIs:

• Effectiveness measured through biannual personnel surveys, KPIs like eNPS (employee Net Promoter Score), retention rates, and culture and leadership assessments
• Employees feel safe to raise concerns in an inclusive environment

Accessibility and Inclusivity Measures

What it does:

• Accessible Learning Management Systems with screen reader compatibility
• Features like text-to-speech and closed captioning
• Virtual townhalls include real-time captioning, and recordings available in audio and text
• Wheelchair-accessible meeting rooms
• Clear, simple language in all communications

Scope: Own operations

Expected outcomes:

• Support employees with mobility or cognitive disabilities
• Create an inclusive environment where all employees, regardless of their abilities, feel supported and empowered to participate

Targets related to own workforce

F-Secure has defined the following absolute targets related to its own workforce. All targets apply globally to F-Secure employees (excluding contractors and employee-like consultants unless specified otherwise). Targets are set by the Chief People Officer and approved by the Board of Directors.

Target Summary Table

Target Details

1. Gender Diversity - Directors

• Target type: Absolute
• Scope: Global, all F-Secure employees at director level, excluding contractors and employee-like consultants
• Baseline year: 2023 (23% female, 77% male)
• Target year: 2030 (33% female, 67% male)
• 2024 progress: 25.1% female, 74.9% male
• Methodology: Measured using HR management system data, aligned with EU gender equality strategy 2020–2025 and directive on gender balance in corporate boards

2. Gender Diversity - All Employees

• Target type: Absolute
• Scope: Global, all F-Secure employees, excluding contractors and employee-like consultants
• Baseline year: 2023 (70% male)
• Target year: 2030 (no gender should represent more than 65%)
• 2024 progress: 69.2% male
• Methodology: Data collected through HR system where employees can self-identify as male, female, or third gender

3. Nationality Among Senior Management

• Target type: Absolute
• Scope: Senior leadership positions globally, excluding contractors and employee-like consultants
• Baseline year: 2023 (24 nationalities)
• Target year: 2030 (> 20 nationalities)
• 2024 progress: 28 nationalities
• Methodology: Collected through HR management system, reviewed annually

4. Age Diversity

• Target type: Absolute
• Scope: Global, all F-Secure employees, excluding contractors and employee-like consultants
• Baseline year: 2023 (largest age group 30-40y at 35.7%)
• Target year: 2030 (no single age group represents more than 35%)
• 2024 progress: Age group 30-40y at 36.7% (exceeds target threshold)
• Methodology: Data collected through HR management system, reviewed annually

5. Employee Net Promoter Score (eNPS)

• Target type: Absolute (measured on scale from -100 to +100)
• Scope: Global, all F-Secure employees, excluding contractors
• Baseline year: 2023 (eNPS score of 2)
• Target year: 2030 (eNPS > 50)
• 2024 progress: eNPS score of 40
• Methodology: Measured through regular anonymous employee surveys using standardized global tool
• Policy alignment: Related to health and well-being policy

6. Performance and Career Review Completion

• Target type: Absolute
• Scope: Global, all F-Secure employees, excluding employee-like contractors unless specified
• Baseline year: 2024 (82.04% - first year of data capture)
• Target year: 2030 (98% completion rate)
• 2024 progress: 82.04%
• Methodology: Tracked through HR system
• Policy alignment: Supports Leading Performance policies and process

Additional Information

Target validation: Targets are internally set by the Chief People Officer and approved by the Board of Directors. No external validation (e.g., SBTi) is mentioned.

Negative impacts: No negative impacts on own workforce have been identified during the reporting period. As a result, no specific targets for reducing negative impacts have been established.

Target setting process: Company-level targets are defined by the Leadership Team. Own workforce-related measures are defined by the CPO in collaboration with other Leadership Team members or CEO. Employee input is considered through surveys and expert participation in target setting.

Characteristics of the undertaking's employees

Total headcount and FTE

At the end of December 2024, F-Secure had 529 employees (524 in 2023). The average number of personnel in 2024 was 519 (484 in 2023).

Headcount by gender

Headcount by country

Headcount by employment contract type and employment type

Headcount by region

Employee turnover

The basis for calculating employee turnover is the number of employees who have left voluntarily or due to dismissal, retirement, or death in service, divided by the F-Secure headcount as of December 31, 2024.

Methodology notes

F-Secure reports its personnel as headcount. Full-Time Equivalent (FTE) represents the number of full-time hours worked by employees and helps standardize the working hours of part-time and full-time employees. For example, if 40 hours per week is assumed as full-time, an employee working 40 hours per week would have an FTE of 1.0, and a part-time employee working 20 hours per week would have an FTE of 0.5.

The data is sourced from F-Secure's HR system (Workday), which is the central system for managing employee information. The reporting period is annual, and workforce data is captured at the end of the reporting period.

Employee types include permanent employees (employed with no predefined end date), fixed-term employees (hired for a specific duration with defined end dates), and contractors (all non-employees).

Characteristics of non-employees in the undertaking's own workforce

Disclosure Omission

F-Secure has explicitly omitted ESRS S1-7 "Characteristics of non-employees in the undertaking´s own workforce" in full from its 2024 sustainability statement, as stated in the forward-looking statements section:

"Related to our own workforce (S1), we've omitted 'S1-7 Characteristics of non-employees in the undertaking´s own workforce' in full and 'S1-14 Health and safety metrics' partially."

Qualitative Information on Non-Employees

While quantitative metrics under S1-7 have been omitted, F-Secure provides qualitative descriptions of non-employee categories in its workforce:

Types of Non-Employees (Contractors)

F-Secure defines all non-employees as "Contractors" (alternatively Contingent workers or subcontractors). The company categorizes non-employees into three types:

1. Employee-like ("Fellowlike")

   • Integral part of F-Secure teams, participating in daily activities and team meetings
   • Usually fixed and time-based contracts
   • Examples: People doing the same work as employees when employees are temporarily absent (illness, vacation, parental leave) or working in the same workplace as employees
   • Contracts are with a legal entity, not with a natural person

2. Consultant

   • Supplement F-Secure's workforce on a project basis, related to specific assignments or projects
   • May have access to F-Secure facilities or systems based on project or frame agreements
   • Contracts are with a legal entity, not with a natural person

3. Other

   • Covers non-employees with access to F-Secure facilities but not to F-Secure systems
   • Examples: Board members or people providing facility services

General Statement on Subcontractors

The company states: "The company also employs subcontractors, who may be independent contractors or individuals provided by a third party. Each subcontractor has a contract with the company either directly or through a third party."

Policy Application Scope

Certain policies apply to specific non-employee categories:

• DEI Policy: Applies to all Employees, Employee-like contractors, Leadership Team members, and administrative bodies
• Recruitment Policy: Applies to Employees and Employee-like contractors taking part in hiring processes
• Learning and Development Policy: Applies to F-Secure employees, and in certain cases, Employee-like contractors
• Code of Conduct Training Target: Scope includes F-Secure employees, but selected contractors may also be included

No quantitative data (headcount, FTE, breakdown by type, or multi-year comparisons) for non-employees is disclosed.

Collective bargaining coverage and social dialogue

F-Secure complies with collective bargaining agreements in countries like Finland, France, and Spain. These agreements ensure respect for the human rights of the workforce and help the company engage with workers' representatives. The agreements enable F-Secure to gain insight into the perspectives of its workforce by setting up clear processes for engagement and shared decision-making with employee representatives.

Employees can contact the Shop Steward or employee representatives to raise concerns related to their employment or daily work.

Diversity metrics

Gender distribution at Board level

At the Annual General Meeting in 2024, six members representing two different nationalities were elected to the Board. The age structure of the Board members is 47–67 years. Two Board members are female and four are male, giving a ratio of 2:4 (female/male).

Gender distribution at top management level

According to F-Secure's Job Architecture, employees in roles classified as F6 and above are considered part of top management.

Age distribution of total workforce

Gender diversity targets (all employees)

Diversity, directors target

Baseline year is 2023, with 23% female and 77% male representation among senior leaders. 2024 outcome for senior management diversity is 25.1% female and 74.9% male representation. The 2030 gender target among senior leaders at the director level is 33% female.

Nationality among senior management

Methodology notes

In the context of F-Secure's HR system, employees are provided with the option to select their gender as female, male, other, or not declared. The term "other" refers to individuals whose gender identity does not fall strictly within the categories of male or female. Data contains only employee data and excludes data related to contractors. Related nationality data is collected through the HR management system and reviewed annually.

Training and skills development metrics

Training and Performance Reviews

¹⁾ This excludes a single employee who has not reported gender

Methodology

Performance reviews: The percentage of employees that participated in regular performance and career development reviews is based on all employees as of 31 December 2024, and only calculating an employee once regardless if there have been 1 or 2 performance reviews during the year. Employees terminated during 2024 are excluded.

When calculating the number of performance reviews per employee, all performance reviews completed during the year are divided by the number of employees as of 31 December 2024.

Each employee undergoes two performance reviews per year: a mid-year review and an end-of-year review, both assessing goal achievement and overall performance.

Training data: Data is available on e-learning completions and global training session participation since August 2023 in the Learning Management System (LMS).

Target

The target is to achieve a 98% completion rate of performance and career target setting for all employees by the end of 2030. This target applies to all company employees globally, excluding employee-like contractors unless specified otherwise. The 2024 outcome is 82.04% and will be reported annually as part of the sustainability statement. 2024 serves as the baseline year going forward.

Health and safety metrics

S1-14 Health and safety

Coverage and methodology:

During the autumn of 2024, F-Secure introduced a dedicated form within the HR system to systematically track work-related accidents and any resulting absences. For 2024, employees were requested to retrospectively record any accidents that may have occurred earlier in the year. Beginning in 2025, all accident reports are expected to be submitted promptly following the occurrence of an incident.

In Finland, where F-Secure has a large portion of employees, all health-related data is managed by the occupational health care provider.

Scope and omissions:

Health and safety data include employees only (permanent and fixed-term employees). F-Secure has chosen to omit:

• The number of cases of recordable work-related ill health (subject to legal restrictions on the collection of data)
• The number of days lost to work-related injuries and fatalities from work-related accidents, work-related ill health and fatalities from ill health for the first year

F-Secure has decided to omit "S1-14 Health and safety metrics" partially, as disclosed in the phase-in statement.

Work-life balance metrics

At F-Secure, all employees are entitled to take family-related leave, as outlined by applicable laws of countries, company policies, and collective agreements where relevant. F-Secure supports a work-life balance culture, ensuring that employees can access and utilize family-related leave without barriers. F-Secure actively monitors these metrics to ensure equitable access to family-related leave across all genders.

S1-15 Work-life balance

Compensation metrics

Pay gap

F-Secure reports a gender pay gap of 12.74% for 2024.

Remuneration ratio

The annual total remuneration ratio of the highest paid individual to the median annual total remuneration for all employees is 5.11 for 2024.

Methodology

The main data source is the HR system from which annual base salary and the annual total of allowances and benefits paid on top of the base salary valid at the end of the year are extracted. Total amount of one-time payments (including incentives), overtime compensation (where available) paid during the year, and annual payout amounts from LTI programs are also obtained.

For the gender pay gap, the following formula is used: (Average annual total compensation of male employees – average annual total compensation of female employees) divided by the average annual total compensation of male employees, expressed as a percentage.

For the annual total remuneration ratio, the median annual total compensation amount excluding the highest amount is first calculated. Then the ratio is calculated using: (The highest annual total compensation amount) divided by (the median annual total compensation amount).

Incidents, complaints and severe human rights impacts

F-Secure is committed to fostering an inclusive and respectful workplace where all forms of discrimination are prohibited. In alignment with our zero-tolerance policy, we closely monitor and address any incidents of discrimination or harassment across all operations. During the reporting period, there have been no reported work-related incidents of discrimination based on gender, racial or ethnic origin, nationality, religion or belief, disability, age, sexual orientation, or other forms of discrimination involving internal or external stakeholders.

F-Secure provides a confidential Whistleblowing Channel, available 24/7, to allow employees and stakeholders to report any concerns related to discrimination, harassment, or unfair treatment. All reports are reviewed thoroughly and handled following F-Secure's policies, ensuring compliance with privacy regulations and local legislation.

Through this process, F-Secure remains dedicated to maintaining a fair, safe, and respectful environment for all stakeholders.

S1-17 Incidents

Policies related to consumers and end-users

F-Secure has identified policies related to consumers and end-users under ESRS S4-1. The company notes that while its Code of Conduct is applicable also for consumers and end-users, serving customers and partners in a business ethical manner is described in the Business Conduct section of the statement.

Personal Data Policy

Key content and principles: The F-Secure Personal Data Policy outlines the controls and principles for protecting customer privacy, covering:

• Privacy organization and roles
• Key privacy principles and processes
• Privacy training
• Monitoring of privacy principles

Scope: The policy applies to:

• All consumers
• All F-Secure operations and employees, including subcontractors and suppliers

Governance:

• Approved by F-Secure's CEO and leadership team

Link to international standards:

• Based on the EU General Data Protection Regulation

Monitoring: Cyber security incidents are primary metrics.

Cyber Security Policy

Key content and principles: The F-Secure Cyber Security Policy outlines objectives for strategic cyber security activities, governance practices, and focus areas, including:

• Cyber security objectives
• Governance
• Information security management
• Privacy management
• Software security management
• Relevant policies, procedures, and guidelines

The objective is to define boundaries and guide the implementation of cyber security in F-Secure, including the development of cyber security, identifying cyber security-related opportunities, and mitigating cyber security risks. These activities revolve around information security, software security, and privacy.

Protection of customer and employee data and maintaining the availability of company services are the primary purpose of the cyber security activities, which have a direct impact on consumers' security. Through the activities defined in the policy, F-Secure can collaborate with different stakeholders and promote security awareness across society.

Scope:

• Applies to all consumers
• Applies to all F-Secure operations and employees, including subcontractors and suppliers

Governance:

• Approved by F-Secure's Chief Executive Officer
• F-Secure's CEO is accountable for the enforcement and monitoring of the fulfillment of objectives
• Chief Information Security Officer is responsible for driving the implementation of the policy

Link to international standards:

• Based on the ISO 27001 information security management standard

Monitoring: Primary metrics include:

• Cyber security incidents
• Ratio of externally reported product vulnerabilities to internally identified vulnerabilities
• Completion rate of cyber security training

Related impacts, risks and opportunities:

• Cyber security attacks negatively impacting reputation and business (risk)
• Security of suppliers and partners, especially in terms of vulnerabilities (risk)

AI Policy

Key content and principles: The AI Policy at F-Secure encourages innovation with AI applications while ensuring adherence to high standards in:

• Privacy
• Cyber security
• Intellectual property rights
• Business integrity

It outlines the dos and don'ts of working with AI to maintain these standards. The policy is based on the following values and principles defined in the F-Secure Code of Conduct:

• Building Trust in Society
• Intellectual Property Rights and Confidentiality
• Protecting Human Rights

Scope: The policy applies to all consumers.

Commitment to international principles

F-Secure's internal policies, procedures and guidelines are aligned with the Code of Conduct and the following international principles:

• OECD Guidelines for Multinational Enterprises
• United Nations Global Compact
• United Nations Guiding Principles on Business and Human rights
• United Nations Convention Against Corruption
• International Bill of Human Rights
• The Declaration of the International Labour Organisation on Fundamental Principles and Rights at Work

F-Secure's commitment to international principles extends to its end-users. The company ensures that its products and services are designed and delivered in a manner that respects human rights and ethical standards, including data privacy protections, secure processing of personal data, and transparent communication about user rights and responsibilities.

Engagement and remediation: End-users can provide feedback and report concerns about F-Secure products through:

• Customer Care
• Whistleblowing channel (allows anonymous reporting of Code of Conduct violations including human rights violations by employees, partners, and stakeholders without fear of retaliation)

All reports are taken seriously, investigated, and prompt corrective actions are implemented. Corrective actions may also include remedies for human rights impacts, where deemed appropriate by the result of the investigation.

Taking action on material impacts on consumers

Actions related to actual positive impacts

Protecting digital moments (OO)

Description: Cyber security products and services like F-Secure Total help consumers stay safe online and build trust in society. F-Secure constantly improves protection capabilities in its cloud to increase security efficacy and deliver real-time protection for consumers while regularly launching new product versions with expanded protection capabilities to ensure consumers are protected against scams.

• Scope: Own operations
• Time horizon: Continuous plan of activity for the strategy period (2025–2027)
• Geographic coverage: Focus regions and channels as described under ESRS 2
• Expected outcomes:
  • Increasing the number of consumers protected globally
  • Consumer and partner satisfaction
  • Creating value for partners and shareholders
• Resources allocated: Not quantified

Creating awareness about cyber crimes (OO)

Description: F-Secure drives overall consumer awareness around cyber threats through initiatives such as the Cyber Citizen initiative together with Aalto University and other partners that gamifies training to make it more appealing to consumers. F-Secure has supported the Cyber Citizen initiative by providing consumer insights expertise to define the consumer target audience.

• Scope: Own operations and partnerships
• Time horizon: Continuous plan of activity for the strategy period (2025–2027)
• Geographic coverage: Focus regions and channels as described under ESRS 2
• Expected outcomes: Number of consumers reached annually
• Resources allocated: Not quantified
• Partnerships: Aalto University and other partners

Actions to mitigate material risks

Mitigating Service Provider partner risk

Description: To mitigate the risk of a partner reducing or stopping purchases, F-Secure helps partners drive growth and delivers based on a compelling vision and roadmap to meet partners' business needs.

• Scope: Downstream value chain (partners)
• Time horizon: Strategy period (2025–2027)
• Geographic coverage: Focus regions described under ESRS 2
• Expected outcomes/KPIs:
  • Subscriber base growth
  • ARPU (Average Revenue Per User) development and increase
  • Service activation rates
  • Product upgrades across partners
  • Revenue increase
  • Partner commitment to sales and marketing activities
  • Partner satisfaction (partner NPS)
  • Healthy sales pipeline of new opportunities (funnel size)
• Resources allocated: Not quantified

Meeting Tier 1 Service Provider requirements

Description: F-Secure has defined a partner segment-based operating model to meet Tier 1 specific requirements in a scalable and profitable manner.

• Scope: Downstream value chain (Tier 1 partners)
• Time horizon: Strategy period (2025–2027)
• Geographic coverage: Focus regions described under ESRS 2
• Expected outcomes/KPIs:
  • Project delivery accuracy and quality
  • Meeting partner's service level needs
  • Partner satisfaction (NPS)
• Resources allocated: Not quantified

Ensuring supplier and partner security

Description: F-Secure ensures supplier and partner security by implementing security review gateways in the procurement process, enforcing security requirements contractually, and conducting regular security audits of critical vendors.

• Scope: Upstream value chain (suppliers and partners)
• Time horizon: Strategy period (2025–2027 and ongoing)
• Geographic coverage: All suppliers and partners globally
• Link to policy: Personal Data and Cyber Security Policies
• Resources allocated: Not quantified

Targets related to consumers

F-Secure describes its sustainability-related baseline measures and long-term targets. 2023 is established as a baseline year in all targets except in ratio of reported vulnerabilities and completion rate of security awareness where the baseline year is 2024. The progress will be reported annually moving forward.

Consumer Targets

Additional Target Information

F-Secure consumer product NPS evolution (Total)

• Target for 2027: 50
• Target for 2030: 55
• Related to IROs: protecting digital moments, evolving threat landscape (scams), consumer willingness to pay
• NPS is measured through dedicated marketing survey solution
• Scope: Main consumer product F-Secure Total sold through Direct Business channel

Partner Business NPS

• Measures partner satisfaction
• Related to IROs: channel strategy risk, Tier 1 partnerships
• Target remains: Above 55 for 2030

Completion rate of internal cyber security training

• Based on F-Secure's Cyber Security Policy and Personal Data Policy
• Tracked through F-Secure's Learning Management System
• Applies globally

Major cyber security incidents

• Tracked with dedicated ticketing system
• Applies to global operations and suppliers/partners

Ratio of externally reported vulnerabilities

• Measures effectiveness of internal security monitoring
• Related to Cyber Security Policy objectives

Target Characteristics

• Baseline approach: All targets use either 2023 or 2024 as baseline year
• Type: All targets are absolute targets (not intensity-based)
• External validation: No external validation or science-based target setting mentioned. Targets developed internally in collaboration with relevant functions and approved by Board of Directors
• Stakeholder involvement: No external stakeholders directly involved in target setting. Targets based on material ESG topics, Double Materiality Assessment, industry benchmarking, and stakeholder feedback
• Geographic scope: Targets apply globally to F-Secure operations and focus regions as described under ESRS 2
• Strategy period: Actions and targets align with strategy period 2025-2027

Progress Tracking

Progress is monitored through:

• Dedicated marketing survey solution (NPS metrics)
• Learning Management System (training completion)
• Dedicated ticketing system (security incidents and vulnerabilities)
• Monthly reviews within F-Secure
• Annual reporting in sustainability report

Business conduct policies and corporate culture

F-Secure has established several policies related to business conduct and corporate culture as part of its ESG governance framework.

Code of Conduct

Policy name: Code of Conduct

Scope: The Code of Conduct applies to all F-Secure employees and leadership, regardless of location. In addition to adhering to the principles in this Code of Conduct, F-Secure employees must comply with internal policies, as well as applicable local laws. F-Secure expects its suppliers and partners to act responsibly and adhere to the principles set out in the Code of Conduct.

Who approves and oversees it: The Code of Conduct is approved by the Board of Directors and reviewed regularly. The Board of Directors reviews the policies presented by the Audit Committee. Business conduct-related policies and procedures are maintained by the Legal Team, which also offers internal training on such issues.

Key content/principles: The Code describes the vision, purpose, and mission of F-Secure and outlines the values and principles that guide the actions needed to achieve this vision. The Code references key international principles including:

• OECD Guidelines for Multinational Enterprises
• United Nations Global Compact
• United Nations Guiding Principles on Business and Human Rights
• United Nations Convention Against Corruption
• International Bill of Human Rights
• The Declaration of the International Labour Organisation on Fundamental Principles and Rights at Work

Specific principles include: No Bribery or Corruption, Preventing Conflicts of Interest, Building Trust in Society, Intellectual Property Rights and Confidentiality, and Protecting Human Rights.

Public availability: The Code of Conduct is supported by policies, procedures, and guidelines that provide specific enforcement methods and are periodically reviewed. The principles are referenced throughout the sustainability statement.

Links to international standards: As listed above, the Code explicitly references OECD Guidelines, UN Global Compact, UNGPs, UN Convention Against Corruption, International Bill of Human Rights, and ILO Declaration.

Monitoring implementation: F-Secure offers mandatory training on its Code of Conduct to all employees. The training consists of three parts: reading the Code of Conduct, applying its principles to example scenarios that simulate real-life situations, and resources with additional information. The training is mandatory for all new employees during onboarding. After completing the Code of Conduct course, employees must take a refresher course every other year. Performance is measured by reporting on the percentage of employees that have completed the training on the F-Secure Learning Academy platform. The 2024 outcome was 96% completion rate with a target of 98% by 2027.

Anti-Bribery and Corruption Policy

Policy name: Anti-Bribery and Corruption Policy

Scope: The policy applies to all employees, officers, and directors across all teams and subsidiaries, with particular relevance to those in sales roles.

Who approves and oversees it: The Policy is created by the General Counsel and approved by the Board of Directors. The General Counsel is also authorized to issue detailed procedures and guidelines to further implement and enforce this policy, as well as to review and update this policy from time to time. F-Secure's management is committed to preventing bribery, and each line manager is responsible for ensuring their teams understand and comply with the policy.

Key content/principles: The Policy is based on international principles, including the United Nations Convention Against Corruption. The objective is to reflect F-Secure's commitment to ethical conduct and integrity in all business activities. The Policy covers prohibited conduct, gifts and entertainment, conflicts of interest, due diligence on third parties, compliance with laws, reporting and whistleblowing, training and communication, record-keeping and accounting, monitoring and review, as well as enforcement.

Public availability: Not explicitly stated in the excerpts.

Links to international standards: Based on the United Nations Convention Against Corruption. F-Secure is committed to complying with all laws and regulations including the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act 2010.

Monitoring implementation: The effectiveness of anti-corruption and anti-bribery efforts is regularly monitored through audits and reviews. These help identify and address any areas of risk or non-compliance. The policy is subject to regular review to ensure that it remains robust and relevant to business operations. F-Secure has set a target of zero-tolerance on bribery and corruption. Performance against this target is monitored by reviewing the number of corruption and/or bribery-related incidents reported through the whistleblowing channel or to line managers, the CEO, the HR team, the Legal team, or the Board of Directors. All employees and parties acting on behalf of F-Secure must timely, fairly and accurately report and record their transactions using F-Secure's current expense management systems.

Whistleblowing Policy

Policy name: Whistleblowing Policy

Scope: The whistleblowing channel is available to all F-Secure employees and business partners. External stakeholders can raise concerns through the whistleblowing channel, which is publicly available on the F-Secure website.

Who approves and oversees it: Not explicitly stated which body approves this policy, though it is referenced as part of the Code of Conduct framework overseen by the Board of Directors.

Key content/principles: The policy ensures protection of whistleblowers, including:

• Identity protection
• Protection from retaliation and possible reversal of the burden of proof in handling claims related to retaliation
• Possible compensation and remedies due to retaliation
• Possible protection against civil, criminal and administrative liability

F-Secure provides multiple ways to raise concerns: employees may talk to their line manager, Legal, or HR representatives. Concerns may also be reported via the anonymous whistleblowing channel maintained by a third party. Employees may also write to the CEO or the Board. All concerns are handled confidentially. F-Secure is committed to maintaining a culture in which everyone can feel comfortable raising good-faith concerns about violations of the Code of Conduct without adverse action.

Public availability: The whistleblowing channel is publicly available on the F-Secure website for external stakeholders.

Links to international standards: Aligned with protection of whistleblowers principles and international human rights standards referenced in the Code of Conduct.

Monitoring implementation: Internal awareness is raised through mandatory training. The whistleblowing channel has been available since the demerger from WithSecure in mid-2022. All reports coming through the Whistleblowing Channel are confidential. The reporting service is entirely independent of the organization to ensure anonymity.

ESG Policy

Policy name: ESG Policy

Scope: The ESG Policy provides clear guidance on how the business addresses ESG challenges and monitors progress across the entire company.

Who approves and oversees it: Not explicitly stated which body approves this specific policy.

Key content/principles: The ESG Policy outlines F-Secure's commitments to environmental stewardship, social responsibility, and ethical governance. It provides clear guidance on how the business addresses ESG challenges and monitors progress.

Public availability: Not explicitly stated.

Links to international standards: The ESG activities are based on values, Code of Conduct, and ESG-related policies and processes, which in turn reference international standards like OECD Guidelines, UN Global Compact, UNGPs, etc.

Monitoring implementation: ESG governance is tightly integrated into the company strategy. The Board of Directors is updated at a minimum annually on ESG progress by management. The Audit Committee monitors and evaluates risk management, internal controls, ESG reporting, as well as independent assurance. The ESG Council is responsible for facilitating, implementing and tracking ESG activities.

Climate Change Policy

Policy name: Climate Change Policy

Scope: The policy covers climate change mitigation, climate change adaptation and renewable energy deployment across all geographies and operations including the value chain.

Who approves and oversees it: Approved by the CEO.

Key content/principles: The main objective is to manage and prioritize emissions in operations and the value chain. For climate change mitigation, the policy covers targets and main activities across Scopes 1, 2, and 3. For climate change adaptation, it emphasizes identifying climate impacts, risks, and opportunities to inform planning, including conducting risk assessments and integrating climate considerations into strategy. For renewable energy deployment, the policy focuses on using renewable energy in office spaces, integrating climate considerations into office decisions, utilizing low-emission hosting services, and implementing green coding practices.

Public availability: Not explicitly stated.

Links to international standards: F-Secure is committed to the Paris Climate Change Agreement reduction target.

Monitoring implementation: An Environment Committee has been set up in Q3 2024 to implement the transition plan and owners for each category have been defined. Climate change-related topics are considered in office renovation projects and new leasing agreements. A detailed transition plan is being defined and will be reviewed and approved by the Board during 2025.

Supplier Code of Conduct

Policy name: Supplier Code of Conduct

Scope: The Supplier Code of Conduct covers main ESG topics for suppliers. F-Secure expects suppliers and partners to act responsibly and comply with the principles set in the Code of Conduct and local laws.

Who approves and oversees it: Not explicitly stated.

Key content/principles: The Supplier Code of Conduct includes relevant environmental topics and is aligned with F-Secure's Code of Conduct principles. It addresses business conduct including suppliers and partners up- and downstream.

Public availability: Not explicitly stated.

Links to international standards: Aligned with the same international principles as the Code of Conduct (OECD Guidelines, UN Global Compact, UNGPs, etc.).

Monitoring implementation: F-Secure has a supplier Code of Conduct and agreements with certain partners to ensure they meet the company's standards for responsible business conduct. Basic supplier onboarding process and cybersecurity examination of suppliers conducted by CISO office are in place. Development of supplier code of conduct covering main ESG topics is ongoing.

Other Policies Referenced

The sustainability statement also references several other policies related to specific aspects of business conduct:

• Personal Data Policy (approved by CEO and Leadership Team, based on EU GDPR)
• Cyber Security Policy (approved by CEO, based on ISO 27001 standard)
• AI Policy (approved by CEO in 2024)
• Human Rights Policy (embedded in Code of Conduct)
• DEI Policy (approved by Chief People Officer)
• Health and Well-being Policy (approved by CFO)
• Learning and Development Policy (approved by CPO)
• Rewards and Recognition Policy (approved by CPO)
• Recruitment Policy (approved by CPO)

These policies collectively support F-Secure's business conduct framework and corporate culture, with governance oversight from the Board of Directors, Audit Committee, Personnel and Nomination Committee, Leadership Team, and ESG Council.

Incidents of corruption or bribery

Confirmed incidents

F-Secure reported zero (0) confirmed incidents of corruption or bribery during the 2024 reporting period.

Convictions and fines

F-Secure reported zero (0) convictions and zero (0) euros in fines for violations of anti-corruption and anti-bribery laws during 2024.

G1-4 Confirmed incidents (Table 39)

Targets

F-Secure has established a zero-tolerance target for bribery and corruption incidents across the whole F-Secure group. The baseline year is 2023 (0 incidents), the 2024 outcome is 0 incidents, and the 2030 target remains 0 incidents. This absolute target is measured in the number of incidents related to bribery or corruption and applies to work-related activities of all F-Secure employees, contractors and other representatives across all locations.

Investigation and speak-up procedures

Whistleblowing Channel: F-Secure provides an anonymous whistleblowing channel maintained by a third party, available 24/7 to all employees and business partners (publicly available on the F-Secure website for external stakeholders). All reports are handled confidentially with identity protection and protection from retaliation.

Multiple reporting channels: Employees may report concerns to their line manager, Legal, HR, CEO, or Board of Directors. All reports are carefully reviewed.

Investigation process: Any substantiated investigations concerning suspected incidents of bribery or corruption are reported to the Audit Committee. The investigating team is separate from the chain of management involved and determined case-by-case to ensure impartiality. Cases would be reported to authorities where required by law.

Training: F-Secure offers mandatory Code of Conduct training to all employees, including modules on bribery and corruption with example scenarios testing decision-making and covering reporting mechanisms. The 2024 completion rate was 96% with a target of 98% by 2027.

Monitoring: Performance against the zero-tolerance target is monitored by reviewing the number of corruption/bribery-related incidents reported through the whistleblowing channel or to line managers, CEO, HR, Legal, or Board of Directors.

Policy framework

F-Secure maintains an Anti-Bribery and Corruption Policy based on international principles including the UN Convention Against Corruption, approved by the Board of Directors. The company commits to complying with all applicable laws including the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act 2010. The policy covers prohibited conduct, gifts and entertainment, conflicts of interest, due diligence on third parties, reporting mechanisms, training, record-keeping, monitoring and enforcement.

Political influence and lobbying activities

Zero declaration

F-Secure does not engage in political activities. As stated in the company's Double Materiality Assessment:

Political engagement

F-Secure does not engage politically. No IROs identified.

No political contributions, lobbying expenditure, or trade association membership data related to political influence has been disclosed in the 2024 sustainability statement.