WithSecure

Finland | Software & IT Services | FY2024 | Auditor: PwC

Figure: WithSecure's value chain from equipment and materials manufacturing through suppliers, digital products, partners, to customers and end-users. Source: WithSecure 2024 annual report, p.36.

ESRS 2 General Disclosures

GOV-1 The role of the administrative, management and supervisory bodies
Reported

WithSecure's administrative body is the Board of Directors ("the board"). The Board of Directors has seven members, of which six are non-executive. The one executive member is a member elected from WithSecure's personnel.

The Board of Directors' Audit Committee is the supervisory body of WithSecure. The Audit Committee is neither a decision-making nor an executive body. The Board of Directors appoints from among itself the members and the Chair of the committee. The Audit Committee has four members, of which three are non-executive. The independence of the members is determined based on their independence of the company, not independence of major shareholders.

In terms of the Board of Directors' roles and responsibilities, WithSecure's Board of Directors is the highest administrative body in charge of sustainability matters in the company. As sustainability is incorporated into WithSecure's business strategy in the form of the sustainability program, sustainability matters are a scheduled agenda item in Board of Directors' meetings annually. The Board of Directors approves the high-level priorities and objectives regarding sustainability. The Sustainability report is approved by the Board of Directors, as part of the approval of the Board of Directors report.

The Board of Directors is also involved in approving the identified sustainability-related impacts, risks and opportunities and determining that their mitigation and management have been adequately integrated into the company's sustainability program. The Global Leadership Team (GLT) members set and accept the sustainability-related targets on an operational basis. The progress in targets is presented to the Board of Directors annually. The Board has the final authority to approve these targets when they review and approve the full annual report.

Board Composition and Diversity:

  • Board of Directors' gender diversity ratio (percentage of women): 29%
  • Board of Directors' independent board members ratio: 86%
  • Audit Committee's gender diversity ratio (percentage of women): 50%
  • Audit Committee's independent board members ratio: 75%

GOV-2 Information provided to and sustainability matters addressed by the undertaking's administrative, management and supervisory bodies
Reported

The Audit Committee oversees this progress by reviewing and monitoring the status of the company's strategic sustainability-related targets. As the Audit Committee members are also members of the Board of Directors, they are also involved in setting the sustainability-related targets. In addition to overseeing these targets and sustainability reporting, the Audit Committee also reviews policies and makes recommendations to the Board of Directors, who have the authority to approve these policies.

Material Impacts, Risks and Opportunities Addressed:

| Topic | Sub-topic | Type | Description |
| --- | --- | --- | --- |
| E1 Climate change | Climate change mitigation | Financial opportunity | Customers moving to cloud environments in search of modern, cost-effective, secure and sustainable solutions continues to present a major business opportunity for WithSecure. |
| S1 Own workforce | Working conditions | Financial opportunity | Improved employee retention can impact business positively through better sales and lower costs. |
| S1 Own workforce | Working conditions | Financial risk | Shortcomings in working conditions or employee wellbeing can increase costs through leaves of absence for physical or mental reasons. In the worst case, such shortcomings can lead to security risks that could cause reputational damage. |
| S1 Own workforce | Equal treatment and working opportunities for all | Financial opportunity | Promoting diversity, equity and inclusion (DEI) will increase WithSecure's ability to attract talent. In the long run there will also be cost savings for retaining talent at WithSecure. |
| S1 Own workforce | Equal treatment and working opportunities for all | Financial risk | Shortcomings in training and skills management can lead to losing out on business opportunities. Additional financial risks associated with this are related to attrition, brain leakage and disengagement of employees. |
| S4 Consumers and end-users | Information related impacts for consumers and end-users | Positive impact | WithSecure's largest impact on sustainability comes from the work on building and supporting digital society, through its customers and end-users. WithSecure's value chain enables a well-working digital society, and therefore creates widespread positive impacts. |
| S4 Consumers and end-users | Information related impacts for consumers and end-users | Financial opportunity | WithSecure's core business revolves around cyber security. An opportunity for us is that we are able to meet the many needs of our end-users. |
| S4 Consumers and end-users | Information related impacts for consumers and end-users | Financial risk | WithSecure faces risks from security and privacy perspective, as the company can be an attractive target for malicious activities. |
| G1 Business conduct | Corporate culture | Financial risk | Corporate culture is important as the related privacy risk is heightened compared to other industries as its potential impact on reputation is significant. |
| G1 Business conduct | Protection of whistle blowers | Positive impact | WithSecure has established a confidential and secure whistleblowing channel, enabling anonymous reporting of any concerns of misconduct. |
| G1 Business conduct | Management of relationships with suppliers including payment practices | Positive impact | WithSecure wants to conduct its business to a high ethical standard. The aim is to maintain a positive impact on its supply chain through emphasis on ethical business practices. |
| G1 Business conduct | Management of relationships with suppliers including payment practices | Financial risk | Maintaining strong supplier management processes and best practices requires investments, incurring possible additional costs. |

GOV-2 (was GOV-3) Integration of sustainability-related performance in incentive schemes
Reported

Sustainability-related performance – including climate-related considerations – has not been integrated into WithSecure's incentive schemes. The incentivising metrics and methods need to be adequately functioning and serve WithSecure's business model and operational industry. WithSecure explores potentially suitable metrics and inclusion methods of sustainability-related matters into incentive schemes.

GOV-3 (was GOV-4) Statement on due diligence
Reported

WithSecure's Board of Directors and the President and CEO are responsible for the company's governance. WithSecure's corporate governance practices are based on applicable Finnish laws, the rules of Helsinki Stock Exchange (NASDAQ Helsinki Oy) and the regulations and guidelines of Finnish Financial Supervisory Authority as well as the company's Articles of Association.

WithSecure's sustainability due diligence process ensures that the company identifies, prevents, mitigates and accounts for how WithSecure addresses the actual and potential negative impacts the company might have both in its own operations as well as within the value chain.

Due diligence has been embedded in the governance, strategy and business model of WithSecure. This is showcased through the level of information provided to and the sustainability matters addressed by the company's administrative, management and supervisory bodies.

Core Elements of Due Diligence:

| Core Element | Reference |
| --- | --- |
| Embedding due diligence in governance, strategy and business model | Section "GOV-1, GOV-2 The role of, information provided to and sustainability matters addressed by the administrative, management and supervisory bodies" |
| Engaging with affected stakeholders in all key steps of the due diligence | Section "SBM-2 Interests and views of stakeholders" |
| Identifying and assessing adverse impacts | Section "SBM-3 Material sustainability-related impacts, risks and opportunities" |
| Taking actions to address those adverse impacts | Topic-specific action descriptions |
| Tracking the effectiveness of these efforts and communicating | Topic-specific target descriptions and related performance statuses |

Affected stakeholders are engaged with in all key steps of the due diligence process. Their views were integrated in the double materiality analysis to identify WithSecure's material impacts, risks and opportunities ensuring that they have had the possibility to influence and guide the company's conduct.

WithSecure's due diligence is an ongoing process that responds to changes both in the company's operations as well as the surrounding environment and society. The company is planning on updating its double materiality analysis during the year 2025 to ensure that the most current information and stakeholder views are taken into account.

GOV-4 (was GOV-5) Risk management and internal controls over sustainability reporting
Reported

Risk Management

Risk management and internal control processes at WithSecure seek to ensure that risks related to the business operations of the company are properly identified, evaluated, monitored and reported in compliance with the applicable regulations.

WithSecure's Board of Directors defines the principles of risk management and internal controls which are followed within the company. The Audit Committee assists the Board of Directors in the supervision of WithSecure's risk management function. The CEO is accountable for ensuring that the risk management principles are implemented and applied constantly and consistently across the organization.

The primary goal of WithSecure's risk management principles is to empower the organization to identify and manage risks more effectively. The potential negative impact and probability of different situations arising from WithSecure's business operations on the company, its customers, or its partners are monitored as part of the risk management process.

WithSecure promotes continuous risk evaluation by the company's personnel. The relevant operational risks identified through the risk management process are regularly reviewed by the CEO and Global Leadership Team. Risk Management is an integrated part of WithSecure's governance and management, and the risk management process is aligned with the ISO-31000 standard. The Audit Committee regularly conducts a review of top operational risks and evaluates the effectiveness of the risk management system.

Internal Control

Internal Control, supported by Risk Management, is an important element of WithSecure's management system. The Board of Directors is responsible for ensuring that the operating principles for internal control have been defined, and that the company monitors the functioning of internal control.

WithSecure has defined its objectives for internal control based on the globally applied principles. Internal control consists of e.g. policies, processes, procedures as well as control and monitoring activities. Internal Control is designed to provide a high level of assurance regarding the achievement of WithSecure's objectives in the following categories:

  • Effectiveness, efficiency and transparency of operations on all levels in accordance with the WithSecure strategy
  • Reporting, including financial and non-financial, external and internal, to the Board, management, shareholders and stakeholders being complete, reliable, relevant and timely
  • Compliance with applicable laws, regulations and WithSecure policies and instructions

Sustainability Reporting

In WithSecure's sustainability reporting, the role of internal control is important to ensure transparency and accountability. The internal control catalogue and Internal Control Operating Principles include dedicated sections to ensure that WithSecure's sustainability reporting is conducted timely and accurately, following the relevant regulations. Sustainability-related matters are regularly addressed by the administrative, management and supervisory bodies.

SBM-1 Strategy, business model and value chain
Reported

As part of WithSecure's strategy, WithSecure has implemented a sustainability program, to ensure that sustainability issues are addressed in the company's strategy. The leading guideline of WithSecure's sustainability program is Maximizing Net Impact – on the planet, people and society. The objective of the program is to ensure that sustainability is embedded in all the company's decisions. WithSecure also wants to ensure transparency of the company's activities to the users of its reporting.

WithSecure offers cyber security products and services for business customers globally. The company's role of protecting the digital society and preventing damages and losses caused by cybercrime is its most important contribution to a more sustainable world. With this role, WithSecure's activities will always generate a positive impact on society. By preventing cyberattacks, WithSecure helps businesses to avoid financial losses and data breaches, which supports economic stability and trust in digital society. A well-functioning digital society is a major enabler of sustainability. Through its efforts, WithSecure helps create a secure digital society, reducing the need for materials and transportation. This supports a more sustainable world.

Business Model and Value Chain

WithSecure's business model is based on providing cyber security software and services to its customers. The company's clientele consists of other companies, mainly sales partners and their customers who then make up the end-user base of WithSecure's services.

Defining WithSecure's value chain ensured that the materiality assessment considered sustainability topics, sub-topics and sub-sub-topics broadly and throughout the value chain. All the ESRS Standard topics have been screened throughout WithSecure's value chain.

Value Chain Overview:

  • Upstream: Equipment and materials manufacturing, where for example hardware and data transmission networks for WithSecure's suppliers are processed. The value chain continues to WithSecure's suppliers who provide WithSecure with software and cloud services, equipment and third-party services, such as marketing.
  • WithSecure Operations: Digital product design and cyber security solutions
  • Downstream: WithSecure's sales partners, and lastly WithSecure's customer companies and end users, including WithSecure's customer companies and their employees.

People are also at the heart of WithSecure's sustainability endeavours. WithSecure employs highly skilled experts around the world and wants to support their wellbeing and growth opportunities. The company's aim is to reach the sustainability goals with the support of the 961 employees divided between the 15 offices globally. The major office locations are Helsinki (Finland), London (UK), Kuala Lumpur (Malaysia) and Poznan (Poland). The rest of the global offices are scattered across Europe, North America, Japan, and Asia Pacific.

WithSecure does not operate in the fossil fuel sector or with chemical production, controversial weapons, and cultivation and production of tobacco. WithSecure's internal operations must always follow high ethical standards. None of WithSecure's products and services are banned in certain markets. For corporate responsibility reasons, WithSecure has however chosen to not conduct business with any Russian or Belarusian parties, even in cases where it would be permitted by the export control regulations.

WithSecure's sustainability related goals are followed on group level, which aligns with the financial reporting being followed based on one segment. Due to the nature of the business, revenue is reviewed at group level. There are no separate sustainability goals per individual product or service group, customer category, geographical area or stakeholder relationship.

SBM-2 Interests and views of stakeholders
Reported

WithSecure has identified six different groups of stakeholders. Three stakeholder groups – namely the employees, the partners, and the investors and financial analysts – have participated in the company's double materiality analysis directly. This ensures that their views have been integrated in WithSecure's material impacts, risks and opportunities related to the scope of the standard topics ESRS S1 "Own workforce" and ESRS S4 "Consumers and end-users".

Other stakeholders' views were gathered through different means, such as surveys and interviews. As a part of the information gathering, the stakeholder groups' expectations for WithSecure were determined, the engagement and their possibilities of communicating with WithSecure were evaluated, and the expected outcomes as well as activities were also identified.

Stakeholder Engagement Overview:

| Stakeholder Group | Expectations for WithSecure | Engagement Methods | Examples of Expected Outcomes and Activities |
| --- | --- | --- | --- |
| Employees | Fair compensation, Secure working environment, Equity, diversity of workplace, Professional development, Work/life balance support | Townhalls, other regular and ad hoc communications, Continuous development – training opportunities, Personal Development Plan maintenance, Employee surveys, Employee rep Board member | Increasing awareness on WIDE topics and Code of conduct, Sharing knowledge of sustainability, Enhancing PDP process and follow-up, Equal pay (or similar) assessments |
| Partners / Direct customers | Reliable products, easy interface, Fair compensation model, Seamless collaboration and business support, Up-to-date knowledge of cyber security world | Partner Advisory Board, Partner programs, Regular engagement via sales teams, Support in technical matters, training, Assistance in ESG queries, answering 3rd party platform questions (EcoVadis, CDP) | Up to date sustainability website, Ability to provide CO2 footprint/eur to customers, Increasing energy efficiency of products |
| End-customers | Reliable products, Support in case of emergencies | Feedback received and improvements to products | Sharing knowledge on cyber security, Up to date Incident Response services for smaller customers |
| Investors and financial analysts | Consistent growth, Predictability of results, Transparency of communication, Good governance | Regular meetings, attending group meetings and presentations, Capital Market Days, ESG ratings of 3rd parties | Up to date sustainability website, Improvement of ESG ratings |
| Suppliers | Fair compensation for products/services, Favourable terms & conditions, Good business ethics | Supplier onboarding and verifications if necessary, Cyber security scanning of IT related vendors | Develop a lean way of managing supply chain sustainability |
| Regulators | Compliance with regulations, Transparent sustainability reporting | Participation in key legislation preparations regarding cyber security as an advisory body, Following up regulation to ensure compliance | Alignment of activities on sustainability with regulation |

WithSecure's stakeholder inclusion in the double materiality analysis process highlights the company's commitment to actively listen to and engage with its stakeholders. To enable the understanding of the stakeholders' expectations and concerns, an ongoing engagement is maintained. The continuous dialogue facilitates the communication of WithSecure's sustainability efforts and processes.

The administrative, management and supervisory bodies of WithSecure are informed about the views and interests of affected stakeholders regarding WithSecure's sustainability-related impacts. Most recently, the views and interests of affected stakeholders were thoroughly determined as part of the double materiality analysis.

SBM-3 Material impacts, risks and opportunities and their interaction with strategy and business model
Reported

As a step towards preparing for the CSRD reporting and to identify WithSecure's material sustainability-related impacts, risks and opportunities, the company conducted a double materiality assessment (DMA) during the year 2023. The assessment was conducted against the EFRAG ESRS (European Sustainability Reporting Standards). This assessment and the related DMA assumptions have been updated during the year 2024 to reflect new insights, stakeholder feedback, and changes in the regulatory environment.

The DMA includes topics where WithSecure could have a material impact (inside-out approach) and those posing financial risks or opportunities (outside-in approach). Following CSRD requirements, only material topics are included in the sustainability report. Both internal and external stakeholders participated in the assessment to identify material sustainability topics across the value chain.

Summary of Material Impacts, Risks and Opportunities:

| ESRS Standard | Main Impacts, Risks and Opportunities | Financial Impact | Likelihood | Impact Materiality | Impacts on |
| --- | --- | --- | --- | --- | --- |
| E1 Climate change | Climate change mitigation presents financial opportunities as customers move to cloud environments. The company's products have a material impact on protecting digital society and enabling sustainable activities of end-customers. | Medium-term | 75-100% | Concentrated to widespread, Minimal to low scale, Difficult remediability | Own operations, upstream and downstream value chains |
| S1 Own workforce | Employees are key to company success. Maintaining a diverse, equal, competent and adaptable workforce is very significant. | Short-, medium- and long-term | 50-100% | Limited to concentrated scope, Minimal to high scale, Remediable | Own operations |
| S4 Consumers and end-users | Large impacts on protecting digital society and enabling sustainable activities of end-customers. Data privacy and security are very significant matters for a cyber security company. | Short-, medium- and long-term | 75-100% | Very widespread scope, Absolute scale, Very difficult remediability | Downstream value chain |
| G1 Business conduct | Good governance and business ethics are fundamentally important for a company operating in "trust business". | Short- and medium-term | 75-100% | Concentrated to widespread scope, Low to high scale, Difficult to very difficult remediability | Own operations, upstream and downstream value chains |

Material Sub-topics Identified:

  • Climate change mitigation (E1)
  • Working conditions (S1)
  • Equal treatment and working opportunities for all (S1)
  • Information-related impacts for consumers and/or end-users (S4)
  • Corporate culture (G1)
  • Protection of whistleblowers (G1)
  • Management of relationships with suppliers including payment practices (G1)

Non-material Environmental Topics: WithSecure has assessed various environmental impacts and determined that E2 Pollution, E3 Water and Marine Resources, E4 Biodiversity and Ecosystems, and E5 Circular Economy are not material topics. These impacts are considered to be of low significance, narrow in scope, and have a low likelihood of occurrence for WithSecure's operations due to the nature of the business as a software and services company.

WithSecure believes that the DMA presented fairly reflects the impacts, risks and opportunities WithSecure faces. Through the DMA, WithSecure identified its material sustainability-related impacts, risks, and opportunities. Stakeholder views and interests were integrated into this assessment and the outcomes.

IRO-1 Description of the processes to identify and assess material impacts, risks and opportunities
Reported

Background

The Double Materiality Assessment has been carried out as an iterative process with the support of third-party advisors. The initial materiality assessment was conducted in 2022. It was expanded into a double-materiality analysis in 2023 which again was complemented in 2024, to align with the updates of the regulation.

The Double Materiality Assessment topics were selected on the basis of European Sustainability Reporting Standards (ESRS), valid drafts and published standards at the time of each assessment round.

Parameters Used and Scope of Analysis

The same assessment methodology and assumptions were used for assessing all the ESRS topics, possible impacts, risks, and opportunities as well as their materiality. First the value chain perspective was considered. The time horizons were defined and WithSecure's upstream and downstream value chains were assessed. Stakeholders – including silent stakeholders – were engaged in this value chain assessment.

After scoping the value chain, the ESRS topics were evaluated holistically to assess possible material themes based on the scope of the value chain and own operations' assessments. Additionally, the relevant legal and regulatory landscape was considered.

Financial Materiality Assessment

The process of assessing the materiality of the risks and opportunities is multifaceted:

  • Time horizon: Defines the timeframe in which the identified risk or opportunity will occur
  • Likelihood: Assessed on a scale from 25% (more likely not to happen) to 100% (actual risk/opportunity)
  • Magnitude: Based on the potential impact on related revenue, related costs and group EBITDA

Impact Materiality Assessment

For impact materiality, the assessment uses 3 dimensions in addition to time horizon and likelihood:

  • Scale: How significant the positive or negative impact of WithSecure is on the topic
  • Scope: How widespread the company's impact is (limited to widespread)
  • Irremediability: To what extent negative impacts can be remedied and restored relatively easily

Climate-related Hazards Assessment

The process for identifying climate-related hazards at WithSecure considers one general high-emission scenario across its own operations, upstream, and downstream value chain. This assessment covers short-term and medium-term horizons. WithSecure has also assessed the extent to which its assets and business operations are exposed and sensitive to transition events. No material climate-related hazards or risks were identified.

Environmental Impact Screening

Due to the nature of WithSecure's business, the industry it operates in as well as the locations of its offices as a cybersecurity company, its business activities have been assessed to have a limited impact on pollution, water and marine resources, biodiversity and ecosystems, and circular economy. WithSecure has conducted a screening of its locations, which are all rented offices in established big cities, and found they are not near biodiversity-sensitive areas.

Outcome

WithSecure's double materiality assessment consists of impact materiality and financial materiality. The material impacts, risks and opportunities for WithSecure fall under four ESRS topics: E1 Climate change, S1 Own workforce, S4 Consumers and end-users and G1 Business conduct. Seven different ESRS sub-topics were identified:

  1. Climate change mitigation (E1)
  2. Working conditions (S1)
  3. Equal treatment and working opportunities for all (S1)
  4. Information-related impacts for consumers and/or end-users (S4)
  5. Corporate culture (G1)
  6. Protection of whistleblowers (G1)
  7. Management of relationships with suppliers including payment practices (G1)

IRO-2 Disclosure requirements in ESRS covered by the undertaking's sustainability statement
Reported

The tables below describe all the ESRS disclosure requirements in ESRS 2 and the identified material topics E1, S1, S4 and G1 that have set the framework for the preparation of the sustainability report.

Cross-cutting standards – ESRS 2 "General disclosures"

| Standard section | Disclosure requirement | Section/report | Additional information |
| --- | --- | --- | --- |
| BP-1 | General basis for preparation of the sustainability report | BP-1 General basis for preparation of sustainability report | |
| BP-2 | Disclosures in relation to specific circumstances | BP-2 Disclosures in relation to specific circumstances | |
| GOV-1 | The role of the administrative, management and supervisory bodies | GOV-1, GOV-2 The role of, information provided to and sustainability matters addressed by the administrative, management and supervisory bodies | |
| GOV-2 | Information provided to and sustainability matters addressed by the undertaking's administrative, management and supervisory bodies | GOV-1, GOV-2 The role of, information provided to and sustainability matters addressed by the administrative, management and supervisory bodies | |
| GOV-3 | Integration of sustainability-related performance in incentive schemes | GOV-3 Integration of sustainability-related performance in incentive schemes | |
| GOV-4 | Statement on sustainability due diligence | GOV-4 Statement on due diligence | |
| GOV-5 | Risk management and internal controls over sustainability reporting | GOV-5 Risk management and internal controls over sustainability reporting | |
| SBM-1 | Strategy, business model and value chain | SBM-1 Strategy, business model and value chain | See also Business model and value chain |
| SBM-2 | Interests and views of stakeholders | SBM-2 Interests and views of stakeholders | |
| SBM-3 | Material impacts, risks and opportunities and their interaction with strategy and business model | SBM-3 Material sustainability-related impacts, risks and opportunities | Also detailed per each ESRS topic in respective sections |
| IRO-1 | Description of the process to identify and assess material impacts, risks and opportunities | IRO-1 Description of the process to identify and assess material impacts, risks and opportunities | |
| IRO-2 | Disclosure requirements in ESRS covered by the undertaking's sustainability statement | IRO-2 Disclosure requirements in ESRS covered by the undertaking's sustainability report | Detailed per each ESRS topic |

E1 Climate Change

E1-1 Transition plan for climate change mitigation
Reported

Absence of formal transition plan

Due to WithSecure's limited impact on climate change, the company does not currently have a transition plan in place for climate change mitigation. For the same reason, WithSecure has not conducted a resilience analysis in the identification process of the material impacts, risks and opportunities. One general scenario was implemented. Separate scenarios for low, medium or high emission scenarios were not utilized.

Paris Agreement alignment and SBTi status

The climate change related targets are not analysed in relation to limiting global warming to 1.5°C in line with the Paris Agreement. WithSecure is not excluded from the EU Paris-aligned benchmarks.

Future enhancement plans

As WithSecure progresses in its sustainability journey, it will aim to enhance the monitoring and assessment of the company's activities. The intention is to enhance the company's adherence to the provisions of the Delegated Act (EU) 2021/2139, supporting efforts in climate change mitigation.

WithSecure aims to advance its management of climate change related impacts, risks and opportunities during the coming years. The plan is to update the double materiality analysis and re-evaluate the material impacts, risks and opportunities. WithSecure will explore next steps and possible related science-based targets that could be suitable and reasonable for WithSecure's business model and impacts.

E1-4 (was E1-2) Policies related to climate change mitigation and adaptation
Reported

WithSecure has a Sustainability Policy which addresses climate change mitigation. The policy is publicly available on WithSecure's website.

Sustainability Policy

Purpose and scope: The purpose of WithSecure's Sustainability Policy is to define the objectives for sustainability-related matters at WithSecure, demonstrate the company's commitment to operating sustainably and establish an effective sustainability governance. The policy serves as a framework for continually improving WithSecure's performance and integrating sustainable practices into the company's daily operations.

Key content:

  • The policy outlines WithSecure's commitment to maximizing the company's net impact on the planet, people, and society
  • WithSecure aims to embed sustainability into all the company's decision-making processes and ensure transparency of WithSecure's activities to the company's stakeholders
  • The policy provides the framework and guidelines for actions WithSecure takes to reduce its carbon footprint
  • WithSecure has committed to reducing its carbon footprint as the company's main action to mitigate climate change related negative impacts and risks, while emphasizing the possibilities for positive actions and supporting positive impacts as well as opportunities

Application scope: The sustainability policy applies to WithSecure's own operations and all persons working for WithSecure, anywhere WithSecure operates globally.

Governance: The most senior level accountable for the implementation of this policy are the GLT (Group Leadership Team) members of each business unit most closely associated with the respective policy.

Stakeholder engagement: Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. Thus, the stakeholders have been involved and their views have been included in the policy.

Public availability: The policy is publicly available on WithSecure's website.

E1-5 (was E1-3) Actions and resources in relation to climate change policies
Reported

Actions and resources in relation to climate change policies

WithSecure does its share in reducing the amount of waste and emissions produced by the company's operations, whenever it is reasonably possible. WithSecure has committed to reducing its carbon footprint as the company's main action to mitigate the climate change related negative impacts and risks, while emphasizing the possibilities for positive actions and supporting positive impacts as well as opportunities.

Scope: The scope of WithSecure's carbon footprint reduction actions is the company's own operations and upstream activities, as no material emissions were identified in the downstream activities.

Time horizon: The carbon footprint reduction is an ongoing process.

Resources allocated: No significant expenditures are allocated for this action.

Policy link: The Sustainability Policy provides the framework and guidelines for the actions WithSecure takes to reduce its carbon footprint.

Specific measures

The carbon footprint reduction is completed through a variety of different measures:

Offices

  • WithSecure has 15 offices globally, the major locations being Helsinki (Finland), London (UK), Kuala Lumpur (Malaysia) and Poznan (Poland)
  • WithSecure offices are leased premises, and therefore the company does not have full control of the decisions taken by landlords on the energy efficiency of the buildings
  • WithSecure strongly encourages the company's landlords to take all available measures to optimize heating, cooling, lighting, and waste management at the company's office premises
  • WithSecure has "Sustainable Workplace Guidelines" for all the 15 offices across the globe
  • During the year 2024, the Helsinki office moved to new headquarters in Wood City, where the building has a LEED Platinum certification and A class energy rating. The exact impact of this relocation has not been evaluated beyond the calculation of total scope 2 emissions of all offices

Commuting

  • Green commuting of the employees is supported through various measures
  • In three of WithSecure's locations, the company offers a bicycle benefit for the employees to encourage cycling to work
  • In three locations, WithSecure provides commuting allowances to support the use of public transportation

Business travel

  • WithSecure Travel Policy continues to provide a unified and simplified travel process to ensure safe, efficient and environmentally friendly business travel
  • It aims to reduce the environmental impact of traveling, aligned with the company sustainability targets
  • Employees are encouraged to use digital meeting tools when collaborating with internal and external stakeholders, and to travel only when needed, using environmentally friendly options and combining travel when possible
  • Due to the nature of WithSecure's business and the company's multi-location teams, the company will always require some travelling

E1-6 (was E1-4) Targets related to climate change mitigation and adaptation
Reported

Targets related to climate change mitigation and adaptation

WithSecure has established two targets for climate change mitigation:

Target 1: Total Carbon Footprint Reduction (Intensity-based)

  • Target metric: Tons of CO2 emissions per million EUR revenue
  • Target value: 75 tons of CO2 per million EUR of revenue (location-based)
  • Baseline year: 2022
  • Baseline value: Not explicitly stated in the excerpts
  • Target year: Not specified
  • Scope: Own operations and value chain (upstream). Measured unit includes emissions from WithSecure's own operations and value chain.
  • Type: Intensity target (relative to revenue) - allows company growth without a similar increase in carbon footprint
  • Science-based: Not science-based. WithSecure is exploring the implementation of possible science-based targets suitable for their business model.
  • Progress (2024): 69 tCO2eq / MEUR (target reached, -36% decrease from baseline for location-based emissions, -38% for market-based emissions)
  • Progress (2023): Data mentioned but specific value not provided in excerpts

Target 2: Business Flight Emissions (Absolute)

  • Target metric: Business flight emissions (tCO2eq)
  • Target value: Maintained at base year level
  • Baseline year: 2022
  • Baseline value: 1,084 tCO2eq
  • Target year: Not specified
  • Scope: People working for WithSecure
  • Type: Absolute target
  • Science-based: Not science-based
  • Progress (2024): 891 tCO2eq (target reached, -33% reduction from baseline)

Target characteristics

  • Stakeholder views were investigated during the double materiality analysis and included in target setting
  • Targets are measured continuously, at least annually
  • WithSecure is exploring implementation of science-based targets suitable for its business model and impacts
  • Both targets were reached in 2024

E1-7 (was E1-5) Energy consumption and mix
Not Material

E1-8 (was E1-6) Gross Scopes 1, 2, 3 and Total GHG emissions
Reported

Gross Scopes 1, 2, 3 and Total GHG emissions

Baseline and calculation methodology

WithSecure's carbon footprint consists primarily of indirect emissions. Most of WithSecure's emissions were identified as Scope 3 (indirect, others) emissions. WithSecure's upstream leased assets were identified as Scope 2 (indirect, purchased electricity, steam, heating, and cooling) emissions in 2024, and the company did not identify any Scope 1 emissions (from own offices, vehicles, and fugitive emissions).

WithSecure's CO2 emissions baseline is 2022, with adjustments made in 2023 to include heating estimates for Scope 2 emissions and additional spend-based emissions for Scope 3, specifically in Category 1 – Goods and services. The baseline emissions are 15,935 tons of CO2e for location-based emissions and 15,883 tons of CO2e for market-based emissions.

There was a slight adjustment to Scope 2 emissions for 2023, as the square meterage of the Helsinki, Poznan and Stockholm offices was determined more precisely. Additionally, the emissions allocation per area in use for WithSecure in the old Helsinki office building, which was shared with other tenants, was refined. Furthermore, district heating for the Oulu offices was added to the calculations separately. This increased the scope 2 emissions from 564 tons of CO2e to 850 tons of CO2e. There was also a minor correction to the Scope 3 emissions for 2023, decreasing the total scope 3 emissions from 11,080 tons of CO2e to 11,068 tons of CO2e, due to cloud computing originally being accounted for twice.

The calculations are conducted based on the Greenhouse Gas (GHG) Protocol. The GHG calculation methodology follows the financial control consolidation method. There have been no changes to the GHG protocol consolidation methodology or significant changes to the organisational structure that would impact the GHG emissions calculation.

WithSecure's GHG emissions are calculated in the following manner: the total annual CO2 emissions are determined based on actual emissions from January to November, with December emissions included as a forecast. Primarily for the year-end months, the Scope 2 emissions have been estimated using forecasts and historical data, because reliable data from the local service partners was insufficient. The calculation principles for the comparable figures are the same. Biomass or biogenic emissions are not separately calculated or taken into account for any of the emissions.

Total GHG emissions (all scopes)

| Metric | 2022 (Base year) | 2023 (Comparative) | 2024 | Δ% (2023 vs 2024) |
|---|---|---|---|---|
| Scope 1 GHG emissions | | | | |
| Gross Scope 1 GHG emissions (tCO2eq) | 0 | 0 | 0 | 0% |
| Scope 2 GHG emissions | | | | |
| Gross location-based Scope 2 GHG emissions (tCO2eq) | 310 | 850 | 928 | 9% |
| Gross market-based Scope 2 GHG emissions (tCO2eq) | 259 | 438 | 630 | 44% |
| Significant scope 3 GHG emissions | | | | |
| Total Gross indirect (Scope 3) GHG emissions (tCO2eq) | 15,624 | 11,068 | 9,278 | -16% |
| Total GHG emissions | | | | |
| Total GHG emissions (location-based) (tCO2eq) | 15,935 | 11,918 | 10,205 | -14% |
| Total GHG emissions (market-based) (tCO2eq) | 15,883 | 11,506 | 9,908 | -14% |

Scope 2 – Purchased electricity, heating, and cooling

The calculation followed the GHG protocol, consisting of both the location-based and market-based emissions. The methods included the electricity consumption by location and the appropriate emission factor.

The emission factor represents the GHG intensity of the electricity consumption in the location. For the location-based emission factor, the CO2 emissions of electricity generation have been calculated using appropriate CO2 residual mix emission factors for the office locations sourced from AIB for European locations and for non-European locations from local authorities' websites, including DEFRA, SEDA, EMA, Climate Transparency, and EPA.

The market-based emissions have been estimated using the emission factors published on the websites of the companies that provide electricity to WithSecure's office locations. This includes the Helsinki offices' electricity emissions from the base year 2022 onwards and for the London office for the year 2024. In other locations where no specific emission factor is provided by the local electricity providers, the same residual mix factor used for the location-based calculation was applied. There are no contractual obligations or other agreements related to WithSecure's Scope 2 emissions.

The average consumption of WithSecure's offices per square meter was used to estimate the consumption in locations where electricity consumption data was not available. The office electricity consumption corresponds with WithSecure's proportion of each office, when WithSecure shares office space with external parties. Heating consumption was included in the energy consumption of the offices which are located in countries where district heating is common. These countries are Finland, Sweden, Denmark and Poland. Statistical data was used to estimate the heating consumption, and the consumption was calculated in cubic meters. Cooling of the offices is included in the electricity consumption.

For 2024, Scope 2 location-based emissions were 928 tons of CO2e (9% of total location-based GHG emissions), while the market-based emissions were 630 tons of CO2e (6% of total market-based GHG emissions). Scope 2 emissions include the energy consumption of WithSecure's offices. Heating emissions have been estimated for offices in Finland, Sweden, Denmark and Poland. In these countries district heating has a significant share of the total heat market. Cooling of the offices is included in the electricity consumption.

Scope 3 – Breakdown by category

Scope 3 emissions were 9,278 tons of CO2e (91% of total location-based GHG emissions, 94% of total market-based GHG emissions). Four categories were identified as Scope 3 indirect emissions. These categories are Category 1 – Goods and services, Category 5 – waste emissions, Category 6 – business travel (flights), and Category 7 – employee commuting.

| Category | Sub-category | 2022 (Base year) | 2023 (Comparative) | 2024 | Δ% (2023 vs 2024) |
|---|---|---|---|---|---|
| 1 – Purchased goods and services | | 13,955 | 9,212 | 7,915 | -14% |
| | Cloud computing and data centre services | 26 | 12 | 28 | 130% |
| 5 – Waste generated in operations | | 20 | 18 | 16 | -8% |
| 6 – Business traveling | | 1,084 | 1,330 | 891 | -33% |
| 7 – Employee commuting | | 565 | 509 | 456 | -10% |

Category 1 – Goods and services

The category 1 emissions are based on the actual usage related footprint, as collected directly from the service providers, such as the suppliers of cloud computing services. In the absence of such activity-based data for other purchases, WithSecure has used the GHG Protocol's spend-based method to calculate the emissions from goods and services. The emission factor (sourced from Exiobase3) has been applied for the collected economic value of goods and services purchased. The spend-based method is based on estimated averages, and therefore includes significant uncertainty regarding data accuracy. However, WithSecure's purpose is to include the full inventory of emissions in the footprint calculation.

Goods and Services is the largest emission category for WithSecure, as 78% - 80% of the company's total emissions were from Goods and services, depending on whether location- or market-based total emissions are used. Cloud data processing emissions are 0.27% - 0.28% of WithSecure's total emissions.

Category 5 – Waste emissions

WithSecure used GHG Protocol's average-data method in the calculations. First, the average annual waste produced per employee was determined and then the amount of waste was calculated by estimated treatment method. Landfill and combustion were the treatment methods included in the calculations. The applicable emission factor by country (sourced from DEFRA) was used for each waste amount by waste treatment type.

0.16% of WithSecure's total emissions consist of waste emissions.

Category 6 – Business travel (flights)

Applicable emission factors (sourced from DEFRA) were used based on the flight type, distance, and cabin class. The data was collected from internal travel data and third-party data provided by travel agencies. The category only includes the flights booked for the year 2024. The same cut-off method has been consistently applied to the previous year. Other business travel expenses, such as train tickets and hotel expenses, are included in Category 1. In 2022, WithSecure used the applicable emission factors from DEFRA and EPA-US. For 2023 and 2024, all flights were calculated using DEFRA emission factors.

Business travel (flights) amount to 9% of WithSecure's total emissions. WithSecure used GHG Protocol's distance-based method to calculate the emissions from flights.

Category 7 – Employee commuting

GHG Protocol's distance-based method was used in the calculations per employee. WithSecure determined the travel method (car, train, bus, cycling, and walking) and used the applicable emission factor (sourced from DEFRA) in the calculations. The average distance to work, estimated office days per week and the estimated split of travel method per country were determined. The calculations included the bicycle, car, and public transportation benefits, as well as estimates of travel mode per country.

4% - 5% of WithSecure's carbon footprint stems from the employee commuting category.

Excluded categories

WithSecure's carbon footprint currently excludes emissions from third-party devices running WithSecure software (Category 11 – Use of sold products). An estimate for customer device energy use is not included due to the significant variances related to the assumptions. For example, variations in device types, usage patterns, and energy efficiency make it challenging to provide an accurate estimate. Based on the current analysis and assumptions, emissions from this category are not considered significant due to the variability in device energy consumption and their relatively small share of total emissions. However, as part of WithSecure's sustainability initiatives, the company has started collecting real-life endpoint energy-usage data. When reliable, validated measurements are available, WithSecure will consider adding Category 11 to the company's carbon footprint.

WithSecure has also excluded the following categories from the CO2 calculations as these categories are not applicable for WithSecure's business model and operations, or WithSecure has no significant emissions that fall within these categories:

  • Category 2 – Capital Goods
  • Category 3 – Fuel- and energy-related activities
  • Category 4 – Upstream transportation and distribution
  • Category 8 – Upstream leased assets
  • Category 9 – Downstream transportation and distribution
  • Category 10 – Processing of sold products
  • Category 12 – End-of-life treatment of sold products
  • Category 13 – Downstream leased assets
  • Category 14 – Franchises
  • Category 15 – Investments

GHG intensity per net revenue

| Metric | 2023 (Comparative) | 2024 | Δ% (2023 vs 2024) |
|---|---|---|---|
| Total GHG emissions (location-based) per net revenue (tCO2eq/MEUR) | 83.5 | 69.2 | -17% |
| Total GHG emissions (market-based) per net revenue (tCO2eq/MEUR) | 80.6 | 67.2 | -17% |

Data quality and measurement uncertainty

Metrics that include value chain and other data estimated using indirect sources are limited to the GHG emissions calculations. These indirect sources include sector-average data and other figures from recognized and reliable databases.

WithSecure has identified that the quantitative metrics related to Greenhouse Gas emission Scope 3 calculations are subject to measurement uncertainty due to the availability and quality of data from the company's upstream and downstream value chains as well as the publicly available databases. WithSecure is dependent on the parties providing the requested information from the upstream and downstream value chains ensuring that the value chain data fulfils the information needs communicated to them. To detect and mitigate any major data discrepancies, WithSecure conducts internal comparison and analysis of the data from the value chain and updates used database sources regularly.

WithSecure's GHG figures are not externally assured beyond the audit assurance of this report. The comparable figures are not within the scope of the audit assurance.

Year 2024 summary

The total location-based emissions for 2024 were 10,205 tons of CO2e, corresponding to the annual emissions of 2,219 typical petrol passenger cars. The total market-based emissions for 2024 were 9,908 tons of CO2e, corresponding to the annual emissions of 2,154 typical petrol passenger cars. The GHG intensity based on net revenue for 2024 is 69.2.

E1-9 (was E1-7) GHG removals and GHG mitigation projects financed through carbon credits
Not Material

E1-10 (was E1-8) Internal carbon pricing
Not Material

E1-11 (was E1-9) Anticipated financial effects from material physical and transition risks and potential climate-related opportunities
Reported

Anticipated financial effects from material physical and transition risks and potential climate-related opportunities

Phase-in exemption applied

WithSecure has applied the phase-in exemption for ESRS E1-9 for the 2024 reporting year. This exemption is permitted for the first three reporting years under CSRD.

The following specific data points are marked as using the phase-in exemption:

  • Exposure of the benchmark portfolio to climate-related physical risks
  • Disaggregation of monetary amounts by acute and chronic physical risk; Location of significant assets at material physical risk
  • Breakdown of the carrying value of real estate assets by energy-efficiency classes
  • Degree of exposure of the portfolio to climate-related opportunities

No quantified anticipated financial effects from material physical risks, transition risks, or climate-related opportunities are disclosed in this reporting period.

S1 Own Workforce

S1-1 Policies related to own workforce
Reported

Policies related to own workforce

WithSecure has adopted a comprehensive set of policies to manage material impacts on its own workforce, addressing employee well-being, professional development, diversity, equity, inclusion, and workplace safety. The most senior level accountable for implementation of these policies are the GLT (Global Leadership Team) members of each business unit most closely associated with the respective policy.

Code of Conduct (including Human Rights Policy)

Scope: Applies universally across the workforce, including employees, contractors, and business partners globally. All WithSecure employees, without exclusions, ensuring consistent standards across locations.

Key content/principles:

  • Building and sustaining digital trust, confidence and equity
  • Privacy and Security
  • Intellectual Property Rights and Confidentiality
  • Responsible use of A.I.
  • Wellbeing, Inclusion, Diversity, and Equity (WIDE)
  • Protecting Human Rights
  • Sustainability
  • No Bribery or Corruption
  • Preventing Conflicts of Interest
  • Securities Markets Compliance
  • Trade Compliance
  • Fair Competition
  • Working with Responsible Suppliers
  • Whistleblowing

Governance: Training and regular updates to the Code of Conduct are mandatory. The Code of Conduct training is also completed by the Board of Directors.

Link to international standards: The Code of Conduct integrates the United Nations Guiding Principles on Business and Human Rights (UNGPs). While not explicitly outlined in the Code of Conduct, WithSecure upholds internationally recognised human rights standards, including the ILO Declaration on Fundamental Principles and Rights at Work and the OECD Guidelines for Multinational Enterprises. The company ensures compliance with labour laws, fair wages, non-discrimination, and the provision of safe working environments. The Code includes commitment to the Ten Principles of the UN Global Compact, which cover areas such as human rights, labour standards, environmental protection, and anti-corruption.

Human rights commitments: WithSecure does not tolerate any use of child labour, any form of forced labour or any other human rights violations including human trafficking. WithSecure supports the fundamental human rights to good working conditions, and reasonable balance between working hours and leisure time for everyone.

Public availability: The Code of Conduct is publicly available on WithSecure's website.

Monitoring: Mandatory Code of Conduct training for all employees. 100% completion rate achieved for new employees and 95% for all employees in 2024 (targets: 95% for new employees, 90% for all employees).

WIDE Strategy (Wellbeing, Inclusion, Diversity, and Equity)

Scope: Applies organization-wide, all locations where WithSecure operates.

Key content/principles: The WIDE strategy aims to create a supportive, inclusive, and equitable workplace. It prioritizes employee wellbeing, fosters belonging, celebrates diversity, and ensures fair access to opportunities.

Governance: Accountability rests with Chief Culture and Performance Officer.

Monitoring: Progress is monitored through regular employee feedback surveys. The strategy is shared through internal communications and trainings to promote awareness.

Harassment Prevention Policy & Procedure

Scope: Applies globally to all WithSecure employees, without exclusions, ensuring consistent standards across locations.

Key content/principles: Underscores WithSecure's commitment to a workplace free from harassment and discrimination. It aims to foster a respectful, safe, and inclusive environment for all employees, regardless of position or location. The policy outlines the company's zero-tolerance stance on harassment.

Governance: Accountability for implementation rests with Chief Culture and Performance Officer.

Reporting procedures: Employees can raise concerns with their line manager, HR, or Legal representatives, ensuring that incidents are promptly addressed. Disciplinary action is taken where necessary.

Grievance Policy

Scope: Applies to all workers ensuring broad accessibility and fairness. Local legislation and requirements are taken into consideration, and the policy is tailored and detailed in local HR handbooks.

Key content/principles: Ensures employees have a clear and fair process for resolving employment-related concerns promptly and equitably. It promotes consistent and transparent handling of grievances, fostering trust and fairness in the workplace.

Monitoring: Communicated through internal channels to ensure employees understand the process and their rights.

Whistleblowing Policy

Scope: Applies to all internal and external persons. An individual's right to report on the whistleblowing channel is unlimited.

Key content/principles: Sets out how WithSecure provides individuals with an effective, objective, confidential and secure reporting channel (Whistleblowing channel). Protection against retaliation is provided to whistleblowers, including identity protection, protection from retaliation, possible compensation and remedies.

Governance: Summaries of the whistleblowing channel reports are reported to the Chief Legal Officer by the third party managing the channel. The Audit Committee receives regular reports on the whistleblowing process.

Public availability: The Whistleblowing Policy is publicly available on WithSecure's website.

Monitoring: Included as a core element of the Code of Conduct training.

Rewarding Philosophy Policy

Scope: Applies to all employees globally, ensuring consistency across countries, business lines, and functions. There are no significant exclusions, as it is tailored to address local market conditions and practices.

Key content/principles: Outlines WithSecure's commitment to fair, transparent, and competitive compensation practices. Objectives are to reward good performance, promote equity, enhance employee engagement, and align compensation with market benchmarks.

Governance: Accountability for implementation lies with the Chief Culture and Performance Officer, ensuring alignment with organizational goals.

Link to external standards: The policy aligns with relevant external market benchmarks and standards to maintain competitiveness and fairness.

Monitoring: Monitoring is conducted through structured processes like the Global Salary Review and performance-based incentive evaluations. The policy is made accessible to all employees through the company intranet.

Learning Philosophy Policy

Scope: Applies to all employees globally, ensuring inclusivity across geographies and roles.

Key content/principles: Highlights WithSecure's commitment to fostering personal and professional growth through equal access to diverse learning opportunities. Guided by the 70-20-10 model, it emphasizes learning through real-world experiences, collaboration, and structured programs.

Governance: Accountability for the policy lies with the Chief Culture and Performance Officer, ensuring its alignment with organizational values.

Monitoring: Progress is supported through performance and development planning, regular check-ins, and access to robust learning resources. It is accessible through the company intranet, providing clear guidance on personal development processes and available learning resources.

Health and Safety Policy

Scope: All workers are covered by local health and safety practices. A new global health and safety policy will be published in early 2025, ensuring that 100% of employees are covered by the health and safety management system.

Key content/principles: A comprehensive health and safety policy is being developed, which includes a workplace accident prevention policy and management system. This system is designed to minimize risks, reduce workplace accidents, and ensure a safe environment by identifying, managing, and mitigating hazards that could lead to injuries, illnesses, or fatalities. The WIDE strategy includes not only physical health and safety measures but also mental health support programs.

Governance: The company adheres rigorously to all local regulations and requirements in every country where it operates.

Monitoring: The health and safety management system is regularly reviewed and updated to ensure its effectiveness and continuous improvement. Local policies will align with applicable local laws and legislation.

Remote Work Policy

Scope: Available to all employees.

Key content/principles: Provides flexible working arrangements that allow employees to manage family-related matters, such as flexible hours and remote work options. WithSecure also has a remote work abroad policy to further support employees in balancing work and personal commitments.

Anti-discrimination policies

Key content/principles: WithSecure is committed to preventing discrimination in all its forms, including but not limited to race, gender, age, disability, sexual orientation, religion, and ethnicity. The company promotes equal access to career development, fair treatment, and protection from harassment.

S1-2 Processes for engaging with own workforce and workers' representatives about impacts
Omitted

S1-2 (was S1-3) Processes to remediate negative impacts and channels for own workforce to raise concerns
Omitted

S1-3 (was S1-4) Taking action on material impacts on own workforce
Reported

Taking action on material impacts on own workforce

WithSecure has implemented comprehensive initiatives to retain talent, improve employee well-being, promote diversity, equity, and inclusion (DEI), and provide equal opportunities for continuous learning and leadership development. These initiatives include training programs, leadership development, and wellbeing and DEI initiatives, extending across all operations.

Retain talent and leadership development

Scope: Own operations (entire workforce)

Time horizon: Ongoing

Resources allocated: Integrated into general operations, with no significant additional expenditures allocated to implementation.

Actions include:

  • Creating equal opportunities for continuous learning and leadership development
  • Evidence-based leadership program as a cornerstone, supplemented by an expanding leadership development portfolio

Expected outcomes/KPIs: Effectiveness assessed through employee engagement surveys

Support line managers in having individual development discussions

Scope: Own operations (entire workforce)

Target: 90% of employees to have defined and documented personal development goals

Time horizon: Ongoing (formal bi-annual discussions)

Resources allocated: Line managers supported through resources and training; integrated into general operations, with no significant additional expenditures allocated to implementation.

Expected outcomes/KPIs: Employee feedback on development discussions conducted as part of the personal development plan process

Driving diversity and promoting gender balance in leadership

Scope: Own operations (entire workforce)

Time horizon: Ongoing (quarterly monitoring)

Resources allocated: No significant additional expenditures; embedded within general operations

Actions include:

  • Enhanced WIDE strategy through newly developed DEI dashboard, enabling data-driven management discussions
  • Dedicated taskforce organizing initiatives throughout the year to strengthen DEI awareness and action

Expected outcomes/KPIs:

  • Enhanced representation of female leaders among line managers
  • Maintained gender balance and nationality diversity within senior leadership roles
  • Quarterly monitoring to ensure progress and alignment with targets
  • New Diversity and Inclusion dashboard offering insights into representation metrics
  • Identification of gaps and biases in hiring and promotions

Link to policy/target: Links to targets set out in S1-5

Gender pay gap analysis to be conducted with the regular 2025 salary review process

Scope: Own operations (entire workforce)

Target: Reduce gender pay gap to a maximum of 5% by the end of 2027

Time horizon: 2025 (analysis during regular salary review process)

Resources allocated: Integrated into general operations, requiring no significant additional expenditures

Actions include: Comprehensive gender pay gap analysis taking into account geographical differences and job grading structures

Link to policy/target: Links to 5% gender pay gap target by end of 2027

Planned 2025 initiatives

Well-being and DEI:

  • WIDE taskforce to continue as key driver of well-being and DEI initiatives
  • Series of well-being webinars planned for the year to support all workforce members

Skills development - SaaS Academy:

Scope: Own operations

Time horizon: To be launched in 2025

Actions include:

  • Launch of SaaS Academy as key initiative to support ongoing transformation
  • Focus on reskilling and upskilling employees
  • Ensuring workforce capabilities aligned with WithSecure's strategy

Expected outcomes/KPIs:

  • Increase total hours employees spent on learning from previous year
  • 90% of employees have personal development goals defined and documented

Link to policy/target: Links to targets set out in S1-5

Effectiveness assessment approach

  • Employee engagement surveys and tracking utilization rates of mental health and learning resources
  • Feedback gathered through surveys and other channels used to identify and implement timely, targeted actions throughout the year
  • Reference to S1-2 for engagement processes with workforce and workers' representatives

S1-4 (was S1-5) Targets related to own workforce
Reported

Targets related to own workforce

WithSecure has established clear, outcome-oriented, and time-bound targets to reduce negative impacts, advance positive impacts, and manage material risks and opportunities within its workforce. These targets reflect the company's commitment to fostering a learning culture, promoting diversity, and ensuring equal opportunities for all employees.

Baseline and methodology:

  • Baseline values for these targets are the 2024 reportable figures
  • No scenarios were used to define the targets
  • These targets are not science-based
  • The process for setting these targets involved the company's senior leaders, and the WIDE taskforce was consulted during the identification and validation of these targets

Target 1: Gender Balance Among Line Managers

Target: Increase the representation of women among line managers across the company

Target year: End of 2027

Baseline year: 2024

Baseline value: Not disclosed (2024 reportable figures)

Target value: Not quantified

Scope: Company-wide (own operations)

Type: Not specified (absolute or intensity)

Rationale: Reflects the company's commitment to gender equity in leadership roles and ensures that decision-making processes are enriched by diverse perspectives.

Target 2: Diversity Among Senior Leaders

Target: Maintaining diversity among senior leaders, with a focus on maintaining both the number of nationalities represented and the proportion of female leaders within this group

Target year: Not specified

Baseline year: 2024

Baseline value: Not disclosed (2024 reportable figures)

Target value: Maintain current levels (not quantified)

Scope: Senior leadership (own operations)

Type: Not specified (absolute or intensity)

Rationale: Emphasizes the importance of cultural and gender diversity in driving innovation and broadening the leadership perspective.

Target 3: Gender Pay Gap

Target: Reduce the gender pay gap to a maximum of 5%, focusing specifically on eliminating any unjustifiable differences in pay

Target year: End of 2027

Baseline year: 2024

Baseline value: Not disclosed (2024 reportable figures)

Target value: Maximum 5%

Scope: Company-wide (own operations)

Type: Not specified (absolute or intensity)

Rationale: Underscores WithSecure's dedication to equitable compensation practices.

Additional Learning and Development Metrics

WithSecure also follows these metrics:

  • 90% of employees have personal development goals defined and documented
  • Tracking of hours spent on learning from the previous year

Monitoring and reporting:

  • WithSecure's performance against these targets is tracked through quarterly reporting
  • The company regularly evaluates progress to identify areas for improvement
  • Lessons learned from the company's performance are incorporated into future goal setting
  • Effectiveness assessed through employee engagement surveys and tracking utilization rates of mental health initiatives

S1-5 (was S1-6) Characteristics of employees
Reported

Characteristics of the undertaking's employees

Total headcount and FTE

The data represents employee characteristics as of the end of the reporting period, measured by headcount regardless of employees' full-time or part-time designation.

Total employees (headcount) at 31 December 2024: 961

  • Continued operations: 731
  • Discontinued operations: 230

Total employees (headcount) at 31 December 2023: 1,043

  • Continued operations: 813
  • Discontinued operations: 230

Average personnel during the year:

  • 2024: 760 (continuing operations only)
  • 2023: 845 (continuing operations only)

Employees by contract type, broken down by gender (headcount)

Continued operations

Category | Female | Male | Other | Not disclosed | Total
Number of employees | 200 | 526 | 3 | 1 | 731
Number of permanent employees | 196 | 522 | 3 | 1 | 723
Number of temporary employees | 4 | 4 | 0 | 0 | 8
Number of non-guaranteed hours employees | 2 | 0 | 0 | 0 | 2
Number of full-time employees | 193 | 519 | 2 | 1 | 715
Number of part-time employees | 7 | 7 | 1 | 0 | 15
Number of contractors | 120
Number of employees under 30 years old | 23 | 63 | 0 | 0 | 86

Discontinued operations

Category | Female | Male | Other | Not disclosed | Total
Number of employees | 62 | 167 | 1 | 1 | 230
Number of permanent employees | 61 | 167 | 1 | 1 | 229
Number of temporary employees | 1 | 0 | 0 | 0 | 1
Number of non-guaranteed hours employees | 0 | 2 | 0 | 0 | 2
Number of full-time employees | 60 | 160 | 1 | 1 | 222
Number of part-time employees | 2 | 7 | 0 | 0 | 9
Number of contractors | 38
Number of employees under 30 years old | 10 | 48 | 1 | 0 | 59

Headcount by country or region

Employee headcount in countries where the undertaking has at least 50 employees representing at least 10% of its total number of employees:

Country | Number of employees (headcount) on 31.12.2024 | Continued operations | Discontinued operations
Finland | 441 | 384 | 57
United Kingdom | 164 | 75 | 89
Poland | 86 | 86 | 0
Malaysia | 84 | 84 | 0

Employee turnover

During the reporting period, a total of 270 employees left the company, resulting in a turnover rate of 26.5%. The turnover rate is calculated by dividing the total number of employees who left during the reporting period by the average number of employees employed during that same period.

The voluntary employee turnover rate is 16.2%. The higher total turnover rate is a result of the operating model change and related reorganization in late 2023.

Overall workforce distribution by age

  • Under 30 years old: 15.1% of employees
  • Between 30 and 50 years old: 70.0% of employees
  • Over 50 years old: 14.9% of employees

Non-employee workers

At the end of the reporting period, WithSecure's workforce included 158 non-employees, reported in headcount. When tracked monthly during 2024, the number of non-employees ranged from a minimum of 104 to a maximum of 160.

Methodology notes

The disclosed total employee figures correspond to those in the most representative workforce-related section of WithSecure's financial statements for the reporting period, ensuring alignment between sustainability and financial disclosures.

Non-employee workers are classified into three groups:

  • Contingent workers (self-employed individuals operating through their own companies)
  • Consultants through frame agreements (professionals employed by larger firms with group-level agreements)
  • Non-information workers (workers under group-level agreements who perform operational roles without needing IT tools)

S1-6 (was S1-7) Characteristics of non-employee workers
Reported

Characteristics of non-employees in the undertaking's own workforce

Total non-employee workers

At the end of the reporting period, WithSecure's workforce included 158 non-employees, reported in headcount.

When tracked and monitored monthly during the year 2024, the number of non-employees ranged from a minimum of 104 to a maximum of 160, based on the status at the end of each month.

Classification by type

WithSecure classifies non-employee workers into three groups based on their roles and contracts:

  • Contingent workers: Self-employed individuals operating through their own companies, providing services under tailored agreements aligned with WithSecure's standards.

  • Consultants through frame agreements: Professionals employed by larger firms with group-level agreements, offering resources and expertise while adhering to WithSecure's policies.

  • Non-information workers (no IT access): Workers under group-level agreements who perform operational roles without needing IT tools, governed by security-focused contracts.

Selected country-level data

Country | Number of contractors
Finland | 120
United Kingdom | 38

Note: The above figures represent contractors at the end of the reporting period for countries where data is disclosed. Total non-employee count of 158 encompasses all non-employee categories globally.

Methodology

  • Counting method: Headcount (not FTE)
  • Reporting point: End of reporting period (31.12.2024)
  • Tracking frequency: Monthly monitoring throughout 2024

S1-7 (was S1-8) Collective bargaining coverage and social dialogue
Reported

Collective bargaining coverage and social dialogue

WithSecure is committed to ensuring that the terms and conditions of employment for its workforce are shaped by fair and inclusive processes, fostering a positive work environment and sustainable business practices.

Collective bargaining coverage

42.6% of WithSecure's total employees were covered by collective bargaining agreements during the reporting period. This percentage is due to the collective bargaining agreement in place for employees in Finland, where coverage is 92.7%. Employees in other locations are not covered by collective bargaining agreements.

WithSecure supports its employees' rights to organize and engage in collective bargaining, where applicable under local laws and practices.

Employee representation and social dialogue

WithSecure aligns with internationally recognized labour standards and is dedicated to maintaining open dialogue with employee representatives to address workplace matters collaboratively. However, the company does not collect information on whether its employees are members of any labour unions to respect their privacy and uphold principles of non-discrimination and neutrality regarding union membership.

WithSecure does not have any agreements in place for employee representation through a European Works Council (EWC), a Societas Europaea (SE) Works Council, or a Societas Cooperativa Europaea (SCE) Works Council.

Collective bargaining coverage and social dialogue metrics

Coverage Rate | Collective Bargaining Coverage - Employees (EEA) | Collective Bargaining Coverage - Employees (Non-EEA) | Social Dialogue - Workplace Representation (EEA Only)
0 - 19%
20 - 39%
40 - 59% | Finland
60 - 79%
80 - 100%

Company-specific collective agreement development

As described under section S1-1, WithSecure is strengthening collective bargaining coverage and social dialogue to foster a sustainable and inclusive work environment. In 2024, in Finland, WithSecure began developing a company-specific collective agreement, ensuring fair labour practices and treating employees with respect and transparency. By collaborating with employee representatives, the company has tailored the agreement to address workforce needs and industry standards, covering areas such as salary, work-life balance, and career development. This initiative supports mutual trust, regulatory compliance, and long-term workforce sustainability, reinforcing WithSecure's commitment to being a trusted, preferred employer in the technology sector.

S1-8 (was S1-9) Diversity metrics
Reported

Diversity metrics

WithSecure is committed to fostering a diverse and inclusive workforce.

Gender diversity in senior leadership

Senior leaders at WithSecure include the CEO and the two organizational layers directly below the CEO, along with leaders holding specific job grades. At this level, 45 individuals are represented, with 33.3% women and 64.4% men. These figures are calculated based on the total number of individuals in top management and their respective gender distribution.

Age distribution of workforce

Regarding the overall workforce distribution:

  • 15.1% of employees are under 30 years old
  • 70.0% are between 30 and 50 years old
  • 14.9% are over 50 years old

These percentages are derived from the total number of employees and their age groups.

Board of Directors gender diversity

Gender | Percentage | Count
Female | 28.6% | 2/7
Male | 71.4% | 5/7

Both genders are represented in the Board of Directors. According to Diversity Principles established by the Board of Directors, the Board aims to strive towards appropriately balanced gender distribution.

S1-9 (was S1-10) Adequate wages
Reported

Adequate wages

All WithSecure employees are paid an adequate wage, aligned with applicable benchmarks. The company conducts annual salary reviews, utilizing relevant external global benchmarks to assess and implement any necessary adjustments. This process ensures that wages remain adequate for all employees, in line with market standards, and are consistently adjusted to reflect changing economic conditions, ensuring fairness across the entire workforce.

Benchmark used

The company states that wages are "aligned with applicable benchmarks" and that it utilizes "relevant external global benchmarks" during annual salary reviews. However, no specific living wage benchmark methodology or provider is named (e.g., Fair Wage Network, WageIndicator, Anker Methodology, etc.).

Coverage

The disclosure states "all WithSecure employees" are paid an adequate wage and that wages are "adjusted to reflect changing economic conditions, ensuring fairness across the entire workforce." No specific percentage or employee count is provided.

Geographic scope

Global - the statement applies to "all employees" without geographic exclusions.

Targets and commitments

No forward-looking targets or commitments are disclosed.

Methodology

  • Annual salary reviews are conducted
  • External global benchmarks are utilized
  • Adjustments are implemented to reflect changing economic conditions
  • No details provided on how "adequate wage" is calculated, whether it reflects living wage covering basic needs for workers and families, frequency beyond "annual," or specific benchmark providers used

S1-10 (was S1-11) Social protection
Reported

Social protection

WithSecure ensures that all its employees are covered by social protection against the loss of income due to sickness, unemployment, employment injury and acquired disability, and parental leave. This coverage is provided either through public social protection programs or through benefits offered by the company.

Coverage by category

  • Sickness: All employees are covered and have access to healthcare and support in case of illness.
  • Unemployment: In the event of unemployment, WithSecure is committed to providing support for reemployment, including partnerships with external organizations during company restructuring.
  • Employment Injury and Acquired Disability: Employees are covered by insurance and appropriate social programs that ensure income security in the event of injury or disability incurred during employment.
  • Parental Leave: WithSecure provides paid parental leave to all employees to support them during family-related events.
  • Retirement: All employees are covered for income security in retirement, either through public pension programs or employer-sponsored private benefit plans, depending on the country.

WithSecure is committed to ensuring comprehensive social protection for its employees, fostering financial security and well-being during critical life events. By providing coverage through public programs or company-offered benefits, WithSecure upholds its responsibility to support employees across all regions.

S1-11 (was S1-12) Persons with disabilities
Reported

Persons with disabilities

WithSecure does not collect information on employees' disabilities, reflecting its commitment to inclusivity and non-discrimination. This approach is consistent with the General Data Protection Regulation (GDPR), which emphasizes safeguarding personal data and protecting privacy.

By refraining from collecting sensitive information such as disability data, WithSecure minimizes potential privacy risks and ensures compliance with GDPR's principles of data minimization and purpose limitation. Instead, the company fosters an inclusive work environment through proactive initiatives and policies that support diversity and equal opportunity.

Methodology: No disability data is collected due to GDPR compliance and data minimization principles.

S1-12 (was S1-13) Training and skills development metrics
Reported

Training and skills development metrics

WithSecure provides equal opportunities for everyone to learn, grow, and succeed, with a strong focus on increasing employee engagement and retaining top talent. The company's learning philosophy is grounded in the 70-20-10 model, a widely recognized framework for effective skill acquisition.

Strategic Focus Areas (2024)

In 2024, WithSecure placed strong emphasis on upskilling activities aligned with strategic capabilities:

  • Leadership development
  • Artificial intelligence
  • Software-as-a-Service
  • Customer success management
  • Partnership management

Learning Resources

  • LinkedIn Learning introduced as a resource accessible to all employees and non-employees with access to company resources
  • Values-based leadership program for cultivating leaders
  • Line managers trained to conduct meaningful development talks
  • External training programs available for individuals and teams (hours not included in reported averages)

Performance and Career Development Reviews

Annual Performance Review (Q1): 75.9% of employees participated

  • Women: 74.8%
  • Men: 76.5%

Annual Career Development Review (Q3): 78.8% of employees participated

  • Women: 72.9%
  • Men: 81.4%

Participation rates are calculated based on completion of the review task by employees' line managers in the performance management tool, using employee headcount at the end of the reporting period.

Training Hours

Data point | Female | Male | Other | Not disclosed | Total
Average Hours of Training per Employee | 6.4 | 6.3 | 7.4 | 8.6 | 6.3

These figures include training hours logged through virtual and in-person courses recorded in the learning management system, as well as hours spent on the other available learning platform. Hours dedicated to external training opportunities are not included in the reported averages.

Performance Review Coverage

Data point | Female | Male | Other | Not disclosed | Total
Percentage of Employees Participating in Regular Performance and Career Development Reviews (Leading Performance) | 74.8% | 76.5% | 50.0% | 50.0% | 75.9%
Percentage of Employees Participating in Regular Performance and Career Development Reviews (Personal Development Plans) | 72.9% | 81.4% | 50.0% | 0.0% | 78.8%

Employee Perception

In the most recent employee engagement survey, 73% of respondents agreed or strongly agreed that they had sufficient opportunities for learning and growth within the company.

Target

Learning Hours Target: Increase the total hours spent on learning from the previous year.

  • 2024 Status: 6.3 hours

Development Goals Target: 90% of employees to have personal development goals defined and documented

  • 2024 Status: 81.6%

S1-13 (was S1-14) Health and safety metrics
Reported

Health and safety metrics

WithSecure's health and safety metrics for 2024 are presented below. The company is in the process of implementing a comprehensive global health and safety policy, to be published in early 2025.

Health and Safety Incidents

Metric | Employees | Non-employees
Number of recordable work-related accidents | 2 | 1
Number of cases of recordable work-related ill health | N/A* | N/A*
Number of fatalities as a result of work-related injuries and work-related ill health | 0 | 0
Number of days lost to work-related injuries and fatalities from work-related accidents, work-related ill health and fatalities from ill health | N/A* | N/A*

*WithSecure has chosen to use the transitional provision related to omitting the data points on number of cases of work-related ill-health and on number of days lost to injuries, accidents, fatalities and work-related ill health for the first year of preparation of its sustainability report.

Coverage

Currently, all workers (100% of employees) are covered by local health and safety practices. This commitment will be formalized through a new global health and safety policy, which will be published in early 2025. The policy ensures that 100% of employees are covered by the health and safety management system that is regularly reviewed and updated.

Methodology

During the reporting period, three workplace accidents were reported. The information was gathered from employees responsible for recording workplace accidents within their respective regions. All reported incidents were thoroughly reviewed and investigated internally, with necessary procedures implemented to ensure compliance with safety regulations.

S1-14 (was S1-15) Work-life balance metrics
Reported

Work-life balance metrics

Entitlement to Family-Related Leave

100% of WithSecure employees are entitled to take family-related leave, including parental leave, paid compassionate leave in the event of the death of a close family member, and flexible working arrangements. The percentage of entitled employees who took family-related leave is calculated based on records in the HR system, which is used to document all absences.

WithSecure provides flexible working arrangements that allow employees to manage family-related matters, such as flexible hours and remote work options. The company also has a remote work policy and a remote work abroad policy to further support employees in balancing work and personal commitments.

Utilization of Family-Related Leave

WithSecure ensures that all employees are entitled to take family-related leave and is committed to fostering a workplace where everyone feels equally supported in utilizing these benefits. Utilization rates are monitored through the HR system, which records the number of employees taking family-related leave and the types of leave utilized.

Indicator | Female | Male | Other | Not disclosed | Total
Percentage of employees entitled to take family-related leave | 100 | 100 | 100 | 100 | 100
Percentage of entitled employees that took family-related leave | 15 | 10 | 0 | 0 | 11

S1-15 (was S1-16) Compensation metrics (pay gap and total compensation)
Reported

Compensation metrics (ESRS S1-16)

Pay gap

WithSecure has disclosed its gender pay gap as 16.2% for the reporting period.

Methodology: The gender pay gap is calculated as the percentage difference between the average pay levels of female and male employees, expressed relative to the average pay level of male employees. To ensure comparability, the annual salaries of employees who work part-time have been adjusted to full-time equivalent figures. In addition to base pay, the analysis includes short-term incentives and sales incentives at their target levels for eligible individuals. The short-term incentive program is provided equally to all employees at certain job grades, while the sales incentive plan applies to everyone in sales roles. Long-term incentive plans are not included in this calculation.

WithSecure has established a goal to reduce the gender pay gap to a maximum of 5% by the end of 2027. The company has consistently prioritized addressing potential gender pay disparities, considering factors such as geographical differences and job grading structures. A comprehensive gender pay gap analysis will be conducted during the regular 2025 salary review process.

Remuneration ratio

WithSecure discloses the ratio of the remuneration of the highest-paid individual to the median total remuneration of all employees (excluding the highest-paid individual). This ratio for the current reporting period is 7.2:1.

Methodology: The annual total remuneration is calculated as a combination of base salary, the target-level payout for short-term incentives (STI), and the target-level payout for sales incentives, where applicable. Additionally, the monetary value of the actual long-term incentive (LTI) payouts made in 2024 is included. The calculation is based on 961 employees, representing the global workforce of WithSecure as of the end of 2024. The median remuneration is determined by averaging the total remuneration of the two employees situated at the midpoint of the remuneration distribution.

S1-16 (was S1-17) Incidents, complaints and severe human rights impacts
Reported

Incidents, complaints and severe human rights impacts

WithSecure is committed to maintaining a respectful, inclusive, and safe work environment for all employees. All complaints of discrimination, harassment, or any form of workplace misconduct are taken seriously, and grievance mechanisms are in place to ensure that all employees have the opportunity to raise concerns in a safe and confidential manner.

During the reporting period, five (5) complaints were filed through these mechanisms, which were handled with due diligence and in compliance with WithSecure's company policies. This figure is calculated based on the records maintained by the HR department and includes all complaints received through formal mechanisms. All complaints were thoroughly investigated in accordance with WithSecure's internal grievance procedures, with appropriate actions taken to address the concerns raised. The investigation process involves a detailed review of each complaint by the HR team, interviews with relevant parties, and documentation of findings and actions taken.

No incidents of discrimination, including harassment, were reported, no severe human rights violations were identified and no fines, penalties, or compensation payments were incurred during the reporting period. WithSecure remains committed to continuously monitoring, enhancing, and reinforcing its policies and procedures to foster a respectful, inclusive, and ethical work environment.

Discrimination and Human Rights Incident Metrics

Metric | Value
Number of Incidents of Discrimination | 0
Number of Complaints Filed Through Channels for Workforce to Raise Concerns | 5
Total Amount of Fines, Penalties, and Compensation for Damages Due to Incidents of Discrimination (Including Harassment and Complaints) | 0
Number of Severe Human Rights Issues and Incidents Connected to Own Workforce | 0
Total Amount of Fines, Penalties, and Compensation for Severe Human Rights Issues and Incidents Connected to Own Workforce | 0

S4 Consumers and End-Users

S4-1 Policies related to consumers and end-users
Reported

Policies related to consumers and end-users

WithSecure has identified policies related to consumers and end-users as material. End-users are at the heart of WithSecure's privacy and security processes, due to the information-related impact the company is able to exert. The company has a set of policies guiding information-related conduct, with separate policies for cyber security and privacy related matters.

The most senior level accountable for the implementation of these policies are the GLT (Group Leadership Team) members of each business unit most closely associated with the respective policy.

Privacy Principles

Scope: All operations and value chain activities

Key content:

  • Data minimisation principle - the company only asks for personal data if it is needed to serve the customer
  • Careful partnering with service providers who share the company's commitment to privacy and security
  • Basic privacy principles relevant for WithSecure's business to ensure compliance with relevant applicable laws and regulations and to ensure and respect data protection as a fundamental right, specifically the right to privacy of end-users

Public availability: Available on the company's website

Links to standards: Adheres to data protection principles set out in the GDPR

WithSecure Personal Data Policy

Governance: Reviewed annually at a minimum and updated when needed

Key content:

  • Adheres to the data protection principles set out in the GDPR
  • Privacy by design principles are reiterated in this policy
  • Designed to respect the privacy of end-users while allowing the use of personal data for the delivery of services
  • Robust privacy impact assessment required before taking into use any tools or offering services that process personal data
  • Processes and documentation designed to be as simple as possible to maximise compliance scalability

Scope: All employees

Public availability: Accessible to WithSecure employees via the company's intranet

Monitoring: Part of mandatory onboarding process and mandatory trainings; all employees must complete privacy training; privacy training completion rate monitored (company explores methods to improve completion rate during 2025)

Baseline Security Policy

Key content: Referenced in the document as part of policies guiding information-related conduct (specific details not provided in excerpts)

Business Continuity Management Policy

Key content: Referenced in the document as part of policies guiding information-related conduct (specific details not provided in excerpts)

Personal Data Breach Management Process

Key content: Referenced in the document (detailed information referred to in S4-1 section)

Implementation and monitoring

WithSecure ensures that all employees are aware of and comply with internal policies by including them in the mandatory onboarding process and as part of mandatory trainings. All policies are accessible to WithSecure employees via the company's intranet and any changes are communicated group-wide. Certain policies are also publicly available, especially policies relevant to affected stakeholders.

For third parties, WithSecure ensures compliance with relevant internal policies by including them in the contractual framework as appendices to agreements.

WithSecure policies are regularly reviewed and monitored to ensure compliance and identify areas for improvement. These measures help ensure awareness of and adherence to the policies.

Value chain integration

Upstream activities: WithSecure conducts supplier assessments and reviews whether suppliers abide by WithSecure's standards of business conduct

Own operations: Comprehensive training to employees on data protection and privacy, ensuring they handle data responsibly

Downstream activities: Delivering services to end-users, maintaining privacy and security practices, and engaging with customers to address any concerns

WithSecure regularly reviews and updates its privacy and security policies to reflect the latest regulatory requirements and industry best practices.

Human rights alignment

WithSecure is committed to honouring internationally recognized human rights standards as outlined in the company's Code of Conduct. The company commits to respecting:

  • UN Guiding Principles on Business and Human Rights
  • ILO Declaration on Fundamental Principles and Rights at Work
  • OECD Guidelines for Multinational Enterprises

No severe human rights issues and incidents connected to WithSecure's end-users, in which these standards would not have been respected, have been reported within WithSecure's own operations.

Stakeholder engagement

Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. WithSecure has considered the interests of key stakeholders, including employees, customers, suppliers, and investors, in the formulation of its policies through discussions to gather their input. For example, WithSecure conducted stakeholder meetings to collect feedback on privacy and security practices, which were then incorporated into the policy development processes.

S4-2 Processes for engaging with consumers and end-users about impacts
Omitted
S4-2 (was S4-3) Processes to remediate negative impacts and channels for consumers and end-users to raise concerns
Omitted
S4-3 (was S4-4) Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions
Omitted
S4-4 (was S4-5) Targets related to consumers
Reported

Targets related to consumers

Privacy Training Completion Rate

  • Target metric: Privacy training completion rate
  • Target value: 90% for all employees and 95% for new employees
  • Target year: Not disclosed (measured continuously, reviewed at least annually)
  • Baseline year and value: Not disclosed
  • Scope: All persons working for WithSecure, anywhere WithSecure operates
  • Type: Relative percentage target (not absolute)
  • Validation: Internal
  • Progress (2024): 96% for all employees (exceeds 90% target)

Cyber Security Awareness Training Completion Rate

  • Target metric: Cyber Security Awareness training completion rate (annually mandatory)
  • Target value: 90% for all employees and 95% for new employees
  • Target year: Not disclosed (measured continuously)
  • Baseline year and value: Not disclosed
  • Scope: All persons working for WithSecure, anywhere WithSecure operates
  • Type: Relative percentage target (not absolute)
  • Validation: Internal
  • Progress (2024): Performance in line with target; training completion rates have stayed at appropriate levels

Major Security Incidents

  • Target metric: Number of major cyber security incidents (categorized as major according to NIS2 directive requirements)
  • Target value: Zero major incidents
  • Target year: Not disclosed (measured continuously, at least annually)
  • Baseline year and value: Not disclosed
  • Scope: WithSecure operations
  • Type: Absolute number
  • Validation: Internal (NIS2 directive requirements)
  • Progress (2024): Performance in line with target; zero major security incidents during 2024

ISO 27001 Certification

  • Target metric: Maintenance of ISO 27001 certification (audited annually by external party)
  • Target value: Maintain certification
  • Target year: Annually
  • Baseline year and value: Not disclosed
  • Scope: Selected WithSecure operations
  • Type: Qualitative (certification maintained or not)
  • Validation: External (ISO 27001 audited by external party)
  • Progress (2024): Performance in line with target; ISO 27001 certification maintained for 2024

G1 Business Conduct

G1-1 Business conduct policies and corporate culture
Omitted
G1-2 Management of relationships with suppliers
Omitted
G1-2 (was G1-3) Prevention and detection of corruption and bribery
Reported

Prevention and detection of corruption and bribery

WithSecure has stated that G1-3 Prevention and detection of corruption and bribery is "Not material" according to the materiality assessment table. However, the company has disclosed several policies related to business conduct that address corruption and bribery prevention.

Code of conduct

  • Scope: All persons working for WithSecure, anywhere WithSecure operates
  • Key content: Sets high-level aims and ethical business standards that the company complies with. Contains dedicated content on corruption and bribery prevention.
  • Monitoring: Mandatory employee Code of Conduct training with completion rate targets of 95% for new employees and 90% for all employees (actual achievement: 100% for new employees, 95% for all employees)
  • Governance: Reviewed and accepted by administrative and supervisory bodies after inspection and approval by management. The most senior level accountable for implementation are the GLT (Group Leadership Team) members of each business unit.

Anti-bribery policy

  • Scope: All persons working for WithSecure, anywhere WithSecure operates
  • Key content: Covers situations where WithSecure employees must not give or accept gifts or hospitality exceeding a certain monetary level that could be identified as corruption. An acceptable monetary level has been established.
  • International standards: Consistent with the UN Convention Against Corruption
  • Public availability: Available internally

Personal Data Breach Management Process

Referenced in the policies list but not detailed in the excerpts provided.

Remuneration Policy

  • Scope: All WithSecure employees and the Board of Directors
  • Key content: Describes remuneration for the Board of Directors and CEO. Executive remuneration designed to support business objectives and long-term profitability, based on performance and competencies. Employee remuneration regularly reviewed to ensure fair compensation.
  • International standards: Complies with recommendations of the Finnish Corporate Governance Code for listed companies and Shareholders' Rights Directive legislation
  • Public availability: Available on WithSecure's website (public policy)
  • Governance: Approved in the Annual General Meeting (AGM)

Modern Slavery Statement

  • Scope: All employees, temporary staff, consultants, contractors, and suppliers working for or on behalf of WithSecure. Globally applicable.
  • Key content: Commitment to ensuring no modern slavery or human trafficking in supply chains, employment practices, or any part of the business. Requires suppliers to comply with Code of Conduct prohibiting child labour, forced labour, and human rights violations. Suppliers must pass compliance requirements to sub-contractors.
  • Public availability: Available to employees as well as internal and external stakeholders
  • Governance: Approved by the Board of Directors of the UK entity, WithSecure Limited

Insider Policy

  • Scope: All insiders (anyone with inside information)
  • Key content: Aligned with Insider Guidelines of NASDAQ Helsinki. Defines inside information and requirements for insiders.
  • Public availability: Available internally

Export Control Policy

  • Scope: All WithSecure employees, contingent workers and subcontractors globally. Special attention required for those working in sales, product management, technical product management, R&D and IT/production systems.
  • Key content: Addresses EU export control laws (particularly Regulation (EU) 2021/821) and US Export Administration Regulations (15 C.F.R. 730 et seq.). Covers dual-use items and sanctions, prohibiting/restricting transactions with countries, companies, or individuals involved in malign behavior. WithSecure continuously assesses impact of export control and sanctions regulations and implements relevant compliance processes and controls.
  • Public availability: Available internally

Whistleblowing policy

Referenced in relation to protection of whistleblowers but detailed policy information not provided in the excerpts.

Corporate procurement policy

Referenced for management of relationships with suppliers but not detailed in the excerpts provided.

Prevention and detection mechanisms

WithSecure has specific mechanisms to prevent corruption and bribery:

  • Financial monitoring: Comprehensive invoice and payment management processes to detect wrongful usage
  • Investigation process: When suspicious activities are flagged, WithSecure engages in audit and assurance processes with external service providers (no internal investigating body)
  • Vetting: All new employees subject to vetting process conducted by third party, with scope determined by role and rights
  • Reporting: Information about unethical business conduct relayed to Board of Directors through outcome reviews monthly or more frequently if necessary
  • Training: Mandatory privacy training with completion rate targets (95% for new employees, 90% for all employees; actual: 93% for new employees, 92% for all employees)

Performance

There have been no confirmed incidents of corruption or bribery, nor any related convictions or fines in 2024.

G1-4 Incidents of corruption or bribery
Reported

Incidents of corruption or bribery

Confirmed incidents

WithSecure reports that there have been no confirmed incidents of corruption or bribery during the reporting period. The company's anti-bribery policy establishes clear guidelines on giving or accepting gifts or hospitality that would exceed an acceptable level and could be identified as corruption. An acceptable monetary level has been established for such interactions.

Convictions and fines

WithSecure explicitly states: "There have been no confirmed incidents of corruption or bribery, nor any related convictions or fines in 2024."

Investigation and speak-up mechanisms

WithSecure has established comprehensive procedures to prevent, detect, and investigate possible acts of corruption or bribery:

Expenditure monitoring: The company has comprehensive invoice and payment management processes in place to detect any attempted wrongful usage. Proper and comprehensive invoice management plays an important role in this control framework.

Whistleblowing channel: WithSecure provides an effective, objective, confidential and secure Whistleblowing Channel maintained by an impartial and independent service provider, available 24/7 to all stakeholders. The channel allows both WithSecure employees and other stakeholders to express concerns or suspicions openly and safely. Whistleblowers receive protection against retaliation, including identity protection, protection from retaliation with possible reversal of the burden of proof, possible compensation and remedies, and protection against civil, criminal and administrative liability.

Reporting to governance bodies: Information about possible instances of unethical business conduct, such as instances related to corruption and bribery or whistleblowing reports of unethical conduct, is relayed to WithSecure's Board of Directors through outcome reviews once per month, or more frequently if necessary.

Investigation process: When suspicious activities are flagged, WithSecure engages in audit and assurance processes with external service providers. There is no internal investigating body; rather, when incidents require a response, the company has an established investigation process.

Anti-corruption framework

WithSecure's anti-bribery policy is consistent with the UN Convention against Corruption. The company's Code of Conduct, which is mandatory for all employees and includes dedicated training, covers anti-corruption and anti-bribery principles. In 2024, 100% of new employees and 95% of all employees completed the mandatory Code of Conduct training.

G1-5 Political influence and lobbying activities
Omitted
G1-6 Payment practices
Reported

Payment practices

WithSecure practises a Fair Payment Terms Policy, which is WithSecure's Corporate Procurement Policy, to ensure transparent, fair, and sustainable payment practices that support the financial stability and growth of WithSecure's suppliers in all purchasing categories and supplier segments, particularly small and medium-sized enterprises (SMEs).

Standard payment terms

Payments will be made within 30 days from the date of receipt of a valid invoice, unless otherwise agreed in writing. The standard payment term is 30 days.

Payment terms are applied consistently across different supplier categories and regions, ensuring fairness and transparency. There are no separate policies for small and medium-sized enterprises (SMEs); however, some discretion is shown to small companies' payment terms on a case-by-case basis.

Average time to pay invoices

The average time it takes to pay an invoice from the moment the contractual payment period begins is:

  • 25 days for all invoices
  • 24 days excluding intercompany invoices

Payment performance

Percentage of payments aligned with standard payment terms by main category of suppliers: 58.52%

Percentage of invoices paid by or within a week from the due date: 70.76%

The percentage of payments aligned with standard payment terms includes intercompany invoices, which tend to be paid less frequently within payment terms, and this affects the overall percentage. Some invoices were paid late due to various delays, such as late receipt or delays in the approval process.

Legal proceedings

There are no outstanding legal proceedings for late payments.

Methodology

The percentage of payments aligned with standard payment terms is derived from the invoice management data for the year as a whole. Representative sampling was not required, as the full data for the 2024 fiscal year can be analysed. This data includes detailed records of invoices received, their statuses and payment times. From this information the proportion of payments made within 30 days can be determined. WithSecure is working on improving the reporting process and the accuracy of this figure.