3.2 Risk management & internal controls

Risk management is an essential part of our business strategy. The primary objective is to identify and mitigate risks that have a potentially major impact on our ability to achieve our strategic and financial goals, and, consequently, on the overall value of our business.

The Board of Directors has the overall responsibility for achieving our strategy and objectives and establishing adequate internal risk management and internal control systems. The implementation of our strategy, which is aimed at achieving market leadership in our key markets, is consistent with effective risk management, in which risks are identified in a timely manner and mitigating measures are taken.

The business units are responsible for maintaining an effective risk and control environment as part of day-to-day operations. Our employees, both in the business units and in the corporate teams, provide the first line of defense. Our corporate culture, which balances personal responsibility and autonomy with risk awareness, creates a sound foundation for fulfilling this management responsibility and organizing risk management. This is reinforced by our code of conduct.

We firmly believe that a sense of ownership leads to optimum risk management. The Board of Directors, senior management and Supervisory Board members all play a key role in this respect. They safeguard our culture, enabling everyone to feel empowered and free to handle risks responsibly. Through this sense of ownership and personal responsibility, risk management is integrated into the strategic planning process and day-to-day operations. Our long-term perspective and focus on sustainable value creation ensure that long-term impacts are also considered in the decision-making process.

In our open, informal culture, finding the right balance between rules and entrepreneurship requires continuous dialogue, especially given increasing regulatory pressure. While the main responsibility for managing risks lies within the business units, the joint organization and the alignment of supporting processes in our corporate teams allows people within the business units to continue focusing on their core activities.

Sustainability continues to play a growing and prominent role in our value creation model, presenting both risks and opportunities for Nedap. The increasing importance of sustainability, combined with the evolving laws and regulations introduced in recent years, has driven us to embed sustainability into our strategic planning and risk management processes.

Risk appetite

Nedap strives to strike the right balance between acceptable entrepreneurial risk and sustainable long-term value creation while remaining in control. Our risk appetite ranges from moderate to high in terms of solution development, commercial initiatives and operations.

Risk management and control systems

Nedap Risk Management Framework

Nedap has a solid system in place for responsible risk management. Our entrepreneurial culture leads to widespread interaction within and between teams, business units and the Board of Directors, resulting in strong informal checks and balances. These are supplemented by formal procedures and controls where compulsory or deemed useful. These frameworks are based on the Nedap Risk Management Framework, which was adopted by the Board of Directors and the Supervisory Board. This framework identifies the connections between enterprise risk and the internal control system, contextualizing the Committee of Sponsoring Organizations (COSO) principles and linking them to business processes and procedures.

The Nedap Risk Management Framework is organized around our business processes. Risks that, due to their size, nature and impact, could result in substantial losses, serious consequences for a business unit or damage to the company as a whole, are reported to the Board of Directors. The Board of Directors then decides on follow-up actions in these situations.

As part of the strategic process, strategic risks and opportunities are included in the multi-year plan and discussed with the Board of Directors and the Supervisory Board. In addition, we organize annual risk sessions with business units and corporate teams to raise awareness, share knowledge and identify Nedap-wide trends and developments to consider during the strategic process. Relevant risks for each business unit are identified and discussed. Specific sessions are held to raise awareness around fraud and integrity, including measures for detecting and preventing fraud. These risk sessions operate as an extra control mechanism, reinforcing the risk management principles of the business units and the Nedap Risk Management Framework. They also enable management to identify and share best practices within and across business units. As of 2023, we pay specific attention to identifying and prioritizing sustainability risks and opportunities in relation to the CSRD.

Risks that, due to their size, nature and impact, could potentially have major consequences for Nedap, are included in the risk table at the end of this section. These risks have been classified into the following categories: strategic, operational and compliance (including reporting). The risk table includes a description of the associated impact and probability trend, as well as the key measures to mitigate the risk. Specific financial risks are addressed separately in the financial statements.

Strategic and financial management system

Nedap has an adequate and effective strategic and financial management system. Key components include the strategic calendar, which consists of the multi-year plan and the budget, and the financial reporting system, which tracks both the progress and actual outcomes of the company’s operating activities. The financial management system is designed to:

Set and align the right priorities and targets at board and business unit level.
Test actual progress and performance against the objectives.
Enable management to retain control over responsibilities delegated to others.
Manage cash and cash-equivalent flows within the organization.
Identify and restrict risks.
Detect and prevent fraud.

The Board of Directors and business unit leaders also hold consultations on significant market-related matters, major investments, the progress of research and development projects and staff allocation that go beyond the budget. Their final decisions are made in the interest of Nedap as a whole.

The Group Controlling department in Groenlo plays a leading role in finance and risk management. The department’s role is to verify the data used in financial reporting and ensure the proper execution of administration and data processing tasks. It also ensures the correct, complete and timely delivery of these reports, while overseeing other departments responsible for delivering data, with a focus on detecting and preventing fraud. The Group Controlling department holds operational responsibility for financing, cash management, currency management and taxes and is responsible for risk management processes globally. Due to these responsibilities, the department is required to have regular and timely consultations with the Board of Directors and to work closely with employees in the Netherlands and abroad.

Nedap Compliance Framework

The Nedap Compliance Framework describes the formal objectives, mission, responsibilities and scope of Nedap's compliance management. It applies to all business units and subsidiaries worldwide. The framework includes compliance-related communications, compliance monitoring and enforcement and their integration within the organization. Subjects covered by the framework include supplier liability, information security, AI, privacy, insider trading, anti-bribery and corruption, competition, products and entities subject to sanctions under legislation and regulations, customs, HRM, health & safety, and product compliance, such as certifications.

Nedap applies a three-lines model that fits with the nature of the company.

The first line consists of employees working at Nedap business units and entities in the role of compliance theme champion. They are the eyes and ears on the ground in Nedap's day-to-day operations and take action whenever they detect a situation that may pose a compliance risk for the company.
The second line consists of employees in the roles of compliance theme owner and compliance officer. Based on their knowledge, experience and overview of the organization, compliance theme owners connect the dots across business unit and entity boundaries and give feedback to those involved. The compliance officer does the same for the entire organization and reports findings. Compliance theme owners draw up an action plan to address and mitigate the risks attached to the compliance theme. They closely liaise with the compliance theme champions and monitor progress on the action plan. The compliance officer is responsible for developing, updating and evaluating the Nedap Compliance Framework based on feedback received from compliance theme owners.
The third line is formed by the internal auditor. The internal auditor is responsible for auditing Nedap's internal processes and procedures to ensure that regulatory and legal requirements are met. The internal auditor also performs audits to assess whether the organization complies with the applicable rules, regulations and aligned procedures.

Periodic meetings between the compliance theme owners, the compliance officer and CFO are held in the presence of the internal auditor to discuss relevant developments and progress on compliance themes and share knowledge. When unusual developments occur, they are immediately raised with the Board of Directors. Compliance theme owners only convene when there is added value. The Group privacy officers meet around 10 times a year to discuss privacy-related matters. Similarly, the Group information security officers also meet around 10 times annually to discuss information security concerns. The Nedap Compliance Framework is reviewed annually and updated as necessary.

Tax Control Framework

Nedap is exposed to tax risks that could potentially result in double taxation, penalties and interest payments. These risks include, but are not limited to, transfer pricing risks on cross-border inter-company transactions and tax risks related to potential changes in tax laws that could result in higher tax expenses and payments.

Nedap's tax policy corresponds with its global governance model. Our Dutch operations consist mainly of strategy design, product development, marketing, sales, supply chain management, legal affairs, compliance and controlling. Activities at subsidiaries consist almost exclusively of local sales (support). A large part of the Group’s economic value is therefore generated in the Netherlands. Nedap neither engages in aggressive tax planning nor uses 'tax havens' as defined by the OECD.
The Group Controlling department oversees and implements the global tax policy, formulates and implements the transfer pricing policy and actively monitors compliance. Transactions between related entities are subject to the arm’s length principle and the relevant Organization for Economic Cooperation and Development (OECD) Transfer Pricing Guidelines for Multinational Enterprises and Tax Administrations. Through our transfer pricing policy, Nedap aims for all its companies to post profits that are in line with the scale and risks of the activities in their respective countries. Such profits are subject to all applicable local taxes. All Nedap subsidiaries issue periodic reports on their tax position, including taxes charged and paid. In line with the OECD guidelines, a new benchmark study is conducted at least every two years. Most of the countries where Nedap operates have endorsed the OECD guidelines. However, these are not binding, and local tax authorities still have to sign off on a company’s transfer pricing system. While unlikely, local tax authorities may withhold their approval. Nedap does not foresee significant financial, compliance or reputation risks as a result.

Nedap has implemented a Tax Control Framework that is continuously monitored and updated. It documents and formalizes material tax risks, tax control and the monitoring of taxes for income tax, corporate income tax and VAT. Tax risks and mitigation strategies are discussed in regular meetings across the organization. The Tax Control Framework serves as the foundation for the horizontal supervision agreement with the Dutch tax authorities, which was reconfirmed in 2023 and will remain in effect through 2026.

Nedap has one ruling with Dutch tax authorities concerning an agreement to apply the Innovation Box tax regime. The current agreement remains in effect through 2026. When Nedap deems it helpful to gain prior certainty on the application of tax laws and regulations, the company tries to secure a ruling with the tax authorities.

A specific measure was taken to control tax risks and other risks. The directors, under the articles of association of most subsidiaries, are controllers who spend a considerable part of their time working with the Group Controlling department in Groenlo. They are responsible for local compliance, including tax legislation and regulations. The managers of our subsidiaries are evaluated based on the operating results of their respective business entity. Taxes are not a factor in such evaluations.

Risk table

The following risk table provides a summary of the main risks identified, the associated impact and likelihood trend, the developments in 2024 that relate to these risks and the main measures taken to mitigate them. Since specific financial risks, such as credit risk, liquidity risk and currency risk, are addressed separately in the financial statements, they have not been included in the risk table. These risks are not considered vital risks for Nedap and have largely been mitigated, meaning that material consequences are covered.

Other than what is stated in the Directors' Report (the full annual report without chapter 6 Financial statements) there have, to the best of the Board of Directors' knowledge, been no exceptional events that are exempt from being taken into consideration in the financial statements.

Risk type	Risk description		Developments in 2024	Mitigation
Strategic	Speed of technological developments		The rise of generative AI is a development that can impact the markets that Nedap operates in and the solutions that we offer to our customers. Generative AI can lead to competitive disruption if competitors move faster in embedding AI into their product offering and create superior products or services. In addition, generative AI and automation may lead to changes in job roles and responsibilities, potentially resulting in job displacement, job losses or a shift in required skill sets. Nedap recognizes the dual nature of generative AI as both an opportunity and a risk, actively exploring its potential to both safeguard and enhance our market positions and solutions. Besides AI, Nedap continues to monitor the trends in current and upcoming technologies. Also, dedicated exploration teams in each key market assess and invest in potential new solutions.	• We are a digital twin company with extensive expertise and a diverse technological stack that goes beyond RFID. • Nedap has a strong track record in developing successful high-tech solutions and strong customer and partner relationships. • Every year, new developers are hired with up-to-date knowledge of current and upcoming technologies. Nedap events are organized to share technological knowledge and the latest developments. • Nedap explores potential new technologies that can threaten existing market positions. • We have set up of a core AI team with several expertise groups focused on both risk and opportunities of AI.
	Decreased relevance of Nedap's core technologies leading to worsened competitive position.

	Risk appetite	HIGH
	Impact trend	↑
	Likelihood trend	↑

Strategic	Unsuccessful solution and product development		We progressed in strengthening our portfolio through the implementation of a key markets strategy and establishing clear strategies for these positions, also taking into account our plans for realizing our sustainability ambitions. The progress on these strategies is tracked using a strategic calendar, and they are integral to the Create-Scale-Core methodology. We carefully monitor investments in explorations, ensuring they align with our key market strategy. This alignment allows us to make more informed decisions about scaling up or down as necessary.	• Research and Development draws on various business units’ experience and knowledge, built up over many years. • Periodic solution portfolio reviews and a clear process, and key performance indicators for solutions in various phases. • The strategy to focus on four key markets creates leverage to extend our footprint in these markets through innovations and new solutions. • Closely monitoring the development and potential of solutions and products in the exploration and create phase and the ability to scale up or down quickly if required. • Increased focus on market intelligence in key markets.
	Excessive strain on resources over a prolonged period without an instant prospect of returns, resulting in dependence on a limited number of growth factors and limited long-term growth perspective.

	Risk appetite	HIGH
	Impact trend	‒
	Likelihood trend	↓

Strategic	Attracting, developing and retaining talent		We consistently invest in our workforce, recognizing our people as our enduring competitive edge. We enhanced our internal recruitment team to attract the right talent, particularly for key markets. This effort was bolstered by significant progress in cultivating our employer brand. To retain our skilled employees, Nedap offers a variety of training programs focused on both personal and professional growth. We organized events across different business units, covering topics such as business development, AI and technology. Additionally, we improved transparency regarding career opportunities within Nedap and have we developed programs to improve leadership across teams.	• The company offers a culture of entrepreneurship and competitive employment terms, including an employee depositary receipt scheme. • Nedap targets talent through initiatives including the Nedap Masterclass, Nedap University and Nedap Tech Days. • In-house recruitment team takes a dedicated approach to serving each business unit’s needs. • We develop leadership talent through a leadership program and an organizational structure that fosters leadership talent development. • Our Diversity, Equity and Inclusion policy aims to ensure equal opportunities and treatment for all. • There is a continuous focus on health and safety through training sessions, policies and resources.
	Shortage of talented employees leading to a delay in the implementation of the strategy.

	Risk appetite	LOW
	Impact trend	‒
	Likelihood trend	↓

Strategic	Cybersecurity and IT		Significant emphasis has once again been placed on reducing the risk of cyberattacks. The overall risk has increased and is further intensified by the use of AI in orchestrating these attacks. A specialized tool was deployed in 2024 across the entire organization to enhance endpoint security. Next to this, additional certifications were completed in 2024 in several business units. In the upcoming year, the NIS2 directive will be implemented. Substantial groundwork for this initiative was already laid in past years. We have set up an incident response procedure and held cyber crisis exercises on how to respond in case of an incident. Furthermore, Nedap's IT unit has been expanded, as have the roles related to security. Nedap becomes more dependent on (information security in) supply chains, such as Nedap EMS partners and various third-party (open-source) software tools and services. This requires careful supply chain management to ensure both security and compliance with applicable regulations and standards.	• Audits and further roll-out of certifications (including SOC2, ISAE 3402, ISO 9001, ISO 14001 and ISO 27001/NEN 7510). • Increasing awareness in the organization through knowledge sharing, e- learning modules. • Implementation of an incident response procedure with standard operating procedures that are regularly tested and maintained, combined with our culture of empowered and engaged employees enabling quick responsiveness in case of an incident. • Implementation of endpoint security protection. • Quality IT organization, with up-to-date knowledge. • Awareness in recruitment process for new employees, including mandatory certificate of conduct for integrity-sensitive roles. • To mitigate the risk of data breaches in Nedap solutions, penetration tests are done, red teams are set up and knowledge is shared across business units. • Assessment and mitigation of supply-chain risks, including libraries and frameworks used in software applications.
	A successful cyberattack could inflict great financial and legal damage on our company, as well as damage to our reputation (customer confidence).

	Risk appetite	LOW
	Impact trend	‒
	Likelihood trend	↑

Strategic	Geopolitical conflicts in relevant areas		From a supply chain point of view, the circumstances in Asia and Eastern Europe in particular continue to be challenging. Nedap relies heavily on Taiwan for semi-conductors, and many of our EMS providers have historically been located in Hungary. Significant efforts were made, in close collaboration with our strategic suppliers, to identify alternative sources in different regions, such as in Spain. In addition, we notice growing political tensions, potentially leading to trade wars and rising import tariffs, which could impact our competitive position.	• Geographically spread, dual-sourcing strategy. • Sanction control systems. • Scenario management to think through implications of risks materializing. • Growth of SaaS cloud revenue mitigates dependency on one-off hardware revenue.
	Global conflicts and political tension could lead to supply chain disruptions, trade wars and rising import tariffs.

	Risk appetite	MEDIUM
	Impact trend	↑
	Likelihood trend	↑

Strategic	Inability to achieve sustainability goals		The assessment of double materiality helps clarify our exposure from both a risk and opportunity perspective. We have made progress in establishing ambitions across all domains, translating them into clear, tangible and measurable objectives. This foundation enables us to actively pursue the realization of our goals. As the importance of sustainability continues to grow, we must balance our pace carefully—advancing neither too quickly, which could lead to inefficiencies, nor too slowly, which risks falling behind regulatory and market expectations. The next step involves embedding these sustainability objectives into the strategic plans for all key markets. Our actions for ongoing compliance with the Corporate Sustainability Reporting Directive (CSRD) further support us in this process.	• We are setting clear carbon footprint reduction targets and have the right plans to achieve these. • 'Do the right thing' strategy aimed at mobilizing the organization and raising awareness of sustainability. • Implementing non-financial reporting structure that provides all relevant data needed to take the right decisions. • Sustainability is integrated in all key market strategies and discussed several times a year, facilitated by our strategic calendar. • We maintain a long-term perspective when it comes to the development of products and solutions to customers. • We committed to SBTi targets in 2024, with validation starting in 2025.
	More material impact of the environment on our business and greater Nedap impact on the environment.

	Risk appetite	MEDIUM
	Impact trend	↑
	Likelihood trend	↑

Operational	Supply chain dependence and imbalance		In the past years, the component shortages left various business units with excess inventory relative to short-term demand. Distributors are facing challenges in servicing end-customers. At Nedap, we are proactively managing relationships with key suppliers to mitigate risks and guarantee the delivery of quality products at the right price and time. The availability of components is improving, with lead times back to normal for many business units. However, imbalances between demand and supply have resulted in relatively high inventory levels within the supply chain. We are collaborating more closely with our customers and suppliers to achieve optimal stock levels, while simultaneously striving to create a more flexible and agile supply chain.	• Nedap takes great care in selecting its production and logistics partners and sets the highest standards. • Measures taken to improve the robustness of the supply chain include maintenance of buffer inventories, production partner audits, multiple suppliers for critical products and improved testing and measuring systems. • Second sources were set up for many components and strategic relationships with suppliers were expanded. • An effective forecasting process for all business units across Nedap ensures early warning and time to act. • We ensure design flexibility to allow the use of alternative components in case of shortages. • The continuous growth or recurring revenue reduces our dependency of hardware deliveries.
	Insufficient or late product availability resulting in delayed or even aborted delivery of products to our customers.

	Risk appetite	MEDIUM
	Impact trend	↓
	Likelihood trend	↓

Compliance	Legislation and regulations		We are experiencing increasing compliance pressure in a broad range of areas. In past years, further steps were taken to integrate the Nedap Compliance Framework within the organization for various identified compliance themes, including anti-bribery and corruption, privacy, customs, health and safety, competition law, insider trading and information security. To enhance compliance-related knowledge within the business units, awareness programs were established. Additionally, Legal business partners have been appointed for the four key markets.	• The Nedap Compliance Framework is monitored by the Nedap-wide compliance committee of team owners, which meets on a periodic basis. This committee consists of theme owners and discusses, among other topics, relevant developments and the actions required to implement compliance. • The framework is evaluated annually to ensure it remains effective and to identify areas for improvement. • Nedap has expanded its Legal & Compliance team. • Various training and knowledge sharing sessions are held to improve awareness in the organization. • Nedap’s culture and powerful soft controls support compliance.
	Fines, sanctions and/or damage to reputation.

	Risk appetite	LOW
	Impact trend	‒
	Likelihood trend	↑

Compliance	Fraud and corruption		Fraud and corruption remain high on the agenda. In the annual risk sessions with all business units, fraud was discussed and there were no cases identified. As Anti-bribery and corruption is an identified compliance theme, it is also regularly discussed in the compliance committee. Additional Fraud workshops with senior management was organized to further increase awareness.	• Zero tolerance for fraud and corruption. • Strong informal system of checks and balances. • Several formal rules and policies, including a whistleblower policy and a code of conduct. • Centralized management from Groenlo. • Monitoring control: controllers from Groenlo are appointed to management positions at international sites. • Various e-learning programs and workshops are provided on fraud to senior management. • The company has an anti-bribery and corruption policy.
	Fines, sanctions and/or damage to reputation.

	Risk appetite	LOW
	Impact trend	‒
	Likelihood trend	‒

Compliance	Product compliance		Compliance standards for the products that Nedap develops and sells continue to increase. The greater focus on circularity and sustainability has resulted in more comprehensive product legislation and regulations. Nedap actively monitors these developments and integrates them into the design and development work within the business units. The upcoming law on producer circularity could also influence the way Nedap designs products, which could lead to additional costs and resources.	• Third-party evaluation and certification of products, reference to suitable products in manuals. • Pre-sales verification of required certificates for each region. • ATON product master data up to date. • New legislation, especially related to sustainability, is monitored constantly to ensure that new designs meet relevant requirements.
	Not complying with legislation from a product perspective could damage reputation and result in fines.

	Risk appetite	LOW
	Impact trend	‒
	Likelihood trend	↑

Compliance	Reporting		Nedap is experiencing increasing regulatory pressure when it comes to reporting. Examples are the EU Taxonomy and the CSRD.	• Reporting based on the International Financial Reporting Standards (IFRS) as adopted by the European Commission, which are compulsory standards for listed companies in the Netherlands, and the auditing of figures by an independent external auditor. •The Group Controlling department in Groenlo plays a leading role in terms of financial management. This department has set up a reporting system designed to ensure the uniform and correct handling of all financial and business matters, with the added focus of preventing possible fraud. • Implementation of best practices and principles of the Dutch Corporate Governance Code in our governance model. • Dedicated team, supported by an external professional adviser, for compliance with the CSRD.
	Inaccurate or incomplete information provided to shareholders and other stakeholders.

	Risk appetite	LOW
	Impact trend	↑
	Likelihood trend	↑