Our approach


We view compliance with all relevant laws and regulations as an integral part of doing business. Business management is responsible for ensuring adherence to regulatory requirements as well as monitoring performance, and is supported by staff functions. Compliance forms part of our internal control and governance frameworks.

At PostNL we have identified more than 30 relevant compliance areas requiring our management's attention. Depending on the business activities of our entities, different compliance areas need to be managed, including but not limited to Dutch postal law, competition law, transport regulations, tax regulations, data protection and privacy regulations, and labour and social laws.

In relation to sustainable development, stakeholders increasingly expect large companies such as PostNL to lead by example through their influence on value chains. This means that beyond compliance in relation to direct activities, we are expected to stimulate and in some cases assume responsibility for the compliance of our business partners.

This applies to areas such as transport and handling of dangerous goods, environmental compliance, responsible (international) procurement, Foreign Nationals Employment Act(Wet Arbeid Vreemdelingen), and the Labour Market Fraud Act (Wet Aanpak Schijnconstructies).

Our framework

Applying a compliance management cycle

We manage compliance in a management process based on a compliance framework and continuous improvement. Dedicated compliance officers facilitate and challenge management on a regular basis on different elements in the cycle. First, relevant compliance areas are updated in collaboration with the business. For each area, the required maturity level of our compliance management is determined based on a maturity model. The level of compliance management may vary depending on the size, exposure and risks for different entities. We then evaluate, based on the COSO ERM 2017 framework, how compliance can be demonstrated for each relevant area per reporting entity through our risk management, internal control and internal audit processes. Management is required to confirm its responsibility for the compliance with laws and regulations by its legal entities. And as a final step we assess and report the status of compliance to both line management and our formal governance bodies.

Status and summary of main developments in 2022

Based on our internal control assessments and internal audit findings, for the vast majority of laws and regulations we did not identify relevant deficiencies relating to compliance-mitigating activities that require follow-up. We identified the following two areas for improvement: compliance in our value chain and implementation of the Three Lines Model. Connected to this, we remain focussed on the underlying soft controls, or 'cultural drivers'.

Compliance in our value chain

Responsibility along the value chain has become an increasingly relevant topic in the public arena. As a large company, we want to proactively contribute to improvements in our value chain across a broad range of topics, even when this goes beyond our own responsibility under applicable laws and regulations.

Based on a number of events that took place during 2021, we concluded that some domains require additional investigation and adaptations. This related in particular to the Foreign Nationals Employment Act (Wet Arbeid Vreemdelingen), the Labour Market Fraud Act (Wet Aanpak Schijnconstructies) and the situation in Belgium relating to labour and social laws in respect to delivery partners of PostNL. Improvements include more stringent compliance checks at the delivery partners we do business with in the Netherlands and Belgium.

Three Lines Model

There are a variety of different ways in which a company can ensure compliance, including the division of roles and responsibilities, their setup and how they are carried out. Because we view compliance as an integral part of our business, in 2021 we took the decision to begin moving to the Three Lines Model to improve our compliance risk management.

The model is based on explicit divisions of responsibility between the first line (the provision of services to customers and managing risk), the second line (expertise, support, monitoring and challenging) and the third line (internal audit).

Line management is responsible for both the first and second line. We started to implement this model in 2022, which helps build management awareness on how to manage compliance, aimed at the Foreign Nationals Employment Act, transport regulations, GDPR, digital ethics, and environmental laws and regulations. During the intermediate period we have performed additional periodic compliance assessments and internal audits to safeguard compliance with these subjects.