Ethics and compliance

We are committed to sound business conduct, which is why we manage our business according to applicable laws and regulations and according to the PostNL business principles. These provide guidance on interaction with colleagues, customers, business partners and society in general.

Integrity Committee

The Integrity Committee advises and assists the Board of Management in developing, implementing, and monitoring group policies and procedures aimed at enhancing integrity and ethical behaviour as well as preventing fraud, corruption and bribery. The Integrity Committee is composed of the director Audit & Security (chairman), the manager Integrity Office, the Corporate Security Officer, the director Legal, the director HR Legal & Reward, the director Communications, the director Strategy Mail in the Netherlands, and the managing director E-commerce Operations.

The Integrity Committee oversees investigations based on reports of possible breaches filed under the PostNL business principles, the PostNL Group procedure on whistleblowing and the PostNL Group procedure on fraud prevention, anti-bribery, and anti-corruption.

The Director of Audit & Security engages in regular discussions with the Board of Management on a quarterly basis, and semi-annually with the Audit Committee. These discussions cover the activities of the Integrity Committee, providing an overview of all significant reported and investigated misconduct cases, as well as updates on the progress of the annual PostNL Integrity Plan. This plan addresses key areas such as governance, training and awareness, and response and maintenance. Insights gained from these activities are leveraged to recommend improvements, supporting PostNL in its ongoing efforts to mitigate potential integrity risks across its value chain.

Integrity Reporting to Board of Management, Executive Committee, and Supervisory Board 

PostNL’s administrative, management, and supervisory bodies are instrumental in fostering a robust corporate culture. The Integrity Report is shared quarterly with the Integrity Committee, Board of Management, and Executive Committee, and semi-annually with the Audit Committee and Supervisory Board.

This report provides a detailed account of the activities undertaken by the Integrity Committee, offering a comprehensive overview of irregularities related to misconduct and missing items. It also outlines the actions taken by the Integrity Office and Security Investigations, along with updates on the progress of the Integrity Plan. This plan includes governance developments, training and awareness initiatives, and response and maintenance activities, such as analysis, root cause assessments, and continuous improvement efforts.

The responsibility for executing, implementing, and monitoring this group policy has been delegated by the Board of Management to the Director of Audit & Security. This delegation includes ownership of the PostNL business principles, the PostNL Group fraud prevention procedure, and the PostNL Group whistleblowing procedure. Monitoring processes are supported by continuous review and reporting by the Corporate Security Officer, regular audits, compliance checks, and incident reporting. The Integrity Committee reviews these reports and processes on a quarterly basis.

Business conduct and integrity approach

The focus of our integrity approach is to regularly ensure our employees are familiar with and are working in accordance with the PostNL business principles.

Our business principles inform how we act and make our decisions. As early as 2012, PostNL signed up to the ten principles of the United Nations Global Compact on such issues as human rights, labour, climate and anti-corruption. We further endorse the OECD guidelines for multinational enterprises on responsible business conduct, while our sustainability strategy aligns us with the United Nations’ Sustainable Development Goals (SDGs). At the same time, our Orange compass influences our culture and behaviour and helps us steer our organisation in the way we want to do business, supporting us as we create the right environment for people to carry out their work effectively and feel connected.

Our business conduct and integrity approach is laid down in the following group policies and procedures:

  • Business Principles
  • Group Policy on Integrity
  • Group Policy on Security
  • Group Procedure on Incident Reporting
  • Group Procedure on Whistleblowing
  • Group Procedure on Conflict of Interest
  • Group Procedure on Gifts and Hospitality
  • Group Procedure on Fraud Prevention - Guidance on bribery and corruption
  • Code of Conduct for the use of business assets

All integrity-related incident reports are received at a single point by designated and trained staff and are checked to determine whether they concern an alleged breach of the law, a formal whistleblowing report, or any other type of reported breach or indicator. These other reports and signals are evaluated for further handling by responsible functions (such as Security, line management or HR). This provides a smoother follow-up of reported incidents, cases and indicators, and ensures the best care for our employees.

Any PostNL Stakeholder who reports suspected misconduct, which the PostNL Stakeholder reasonably believes, or may reasonably believe, to be true, will be given protection for such reporting. This protection means that PostNL will not discharge, demote, suspend, threaten, harass or in any manner discriminate against any PostNL Stakeholder in the terms and conditions of employment.

PostNL does not tolerate any form of threat, retaliation or other action against a PostNL Stakeholder who has made or assisted in the making of a report of suspected misconduct. Any such threat, retaliation or other action must immediately be reported to the director of Audit & Security. Any person entitled to protection from retaliation who considers themself to be a victim of or is threatened with reprisals may submit a reasoned complaint to the local authorities, who will initiate an extrajudicial protection procedure.

During the year, we initiated 545 investigations in response to integrity-related issues. These investigations covered issues such as the theft of parcels or mail, bribery and corruption, or failure to follow workplace practices. The investigations resulted in 224 discontinued work relationships. At year-end 2024, 53 investigations were ongoing.

Integrity-related investigations include cases of alleged (sexual) harassment and discrimination. For more information about reported incidents and complaints please see Measures against violence and harassment in the workplace in the Our workforce section of the Social disclosures.

We are continuously working to improve awareness on these topics, such as by supporting employee communication on the issue of inappropriate conduct, dialogue with line management and HR representatives, and following up on reported integrity-related incidents. Our main business conduct and integrity related policies and procedures are covered in our onboarding process for new employees. In addition, we use the outcomes of the ‘Employee engagement monitor’, results of investigations, and signals to identify potential for continuous improvement of our integrity approach and our activities at the PostNL Group companies. Since October 2023, we have used a new integrity e-learning programme aimed at educating management and employees about our Business Principles, desired behaviour based on these principles, and reporting methods such as our whistleblowing procedure. More information on how we institute and monitor integrity e-learning can be found in the Our policies and Our performance sections of the Governance disclosures in the Sustainability statement.

Our business conduct and integrity related policies are part of our contracts with suppliers and contractors. For delivery partners in the Netherlands and in Belgium, we implemented a dedicated due diligence process in 2024 covering a specific business conduct related guideline for delivery partners. The roll-out of this due diligence process was supported by a dedicated communication and awareness programme.

We work continually to create a company environment where people feel safe and empowered to speak up. In addition to case-specific investigations, we apply trend analysis on all reported incidents to identify structural issues that require further preventive actions. Information about the alleged bribery and corruption cases is included in the Our performance section of the Governance disclosures in the Sustainability statement. More information about our business conduct is included in Governance disclosures, section Business conduct.

Prevention of fraud, bribery and corruption

PostNL recognises the importance of maintaining robust fraud prevention, anti-bribery, and anti-corruption policies, procedures, and reporting mechanisms. These measures are essential for safeguarding the integrity of our business and ensuring compliance with all applicable laws and regulations. Our policies are particularly focused on employees in key risk areas such as executive and general management, sales (including government-related sales), procurement (capex and opex), temporary labour sourcing, delivery partnerships, transport charters, people management within operations, and finance and accounting. For employees in these at-risk functions, the integrity e-learning programme is mandatory. Additionally, pre-employment screening procedures are in place for these functions to further mitigate risks. More information on how we institute and monitor integrity e-learning can be found in the Our policies and Our performance sections of the Governance disclosures in the Sustainability statement.

Compliance with anti-bribery and anti-corruption legislation, both domestically and internationally, is a top priority for PostNL as we conduct business on a global scale. Any incidents of actual or suspected bribery or corruption involving our employees, suppliers, or delivery partners are promptly investigated and handled appropriately. In 2024, PostNL aligned its fraud prevention and anti-bribery and anti-corruption procedures with the ISO 37001 standard for anti-bribery management systems, reinforcing our commitment to ethical business practices.

The Integrity Committee plays a vital role in advising the Board of Management and line management on mitigating fraud risks and ensuring adherence to ethical standards, anti-bribery, and anti-corruption practices. The Committee provides quarterly reports to the Board of Management and submits a comprehensive report to the Supervisory Board every six months.

All alleged breaches of our anti-bribery and anti-corruption policies are investigated by PostNL Security. Our Security investigators are recruited based on a clearly defined job profile and undergo regular training to ensure they possess the necessary skills to carry out thorough investigations. In addition, Internal Audit systematically addresses fraud, corruption, and bribery risks during the execution of internal audits.

Cybersecurity

At PostNL, as our reliance on systems and data intensifies, the importance of cybersecurity becomes ever greater. To manage our digital information and processes, we ensure the security of data, systems, and applications integral to our business processes. Our cybersecurity policy guides the implementation of effective cybersecurity measures across the organisation.

Our cybersecurity operating model includes first and second line defense capabilities. In our first line of defense, we assess the cyber risk posture for relevant IT assets and update the risk treatment plan accordingly. This covers six main focus areas:

Central monitoring capability

Implementation of central monitoring, including logging requirements based on a standard classification policy, now covers our 10 main log sources, including our AWS engineering environment. This enables us to onboard specific applications and use cases efficiently.

Asset management policy and standard

We have defined a policy and standard for asset management from a cybersecurity perspective, and have implemented a vulnerability management tool to assess risk across critical asset domains.

Information security management system

Utilising our existing repositories and risk system (Topdesk combined with Onetrust), we have integrated these systems to conduct risk assessments according to our data classification.

Risk assessment process

We have standardised the Business Impact Analysis to conduct cyber-risk assessments and made it mandatory for all penetration tests and high-classified assets.

Configuration management control set

Our IT cybersecurity framework is based on the CIS control set, providing benchmarks for common IT environments and applications. This has been particularly effective for our O365 environment.

First-line cybersecurity function

We strengthen our cybersecurity function by having business information security officers in place for all major Business Units and our Central IT department.

NIS-2

Alongside our focus areas, we prepared for NIS-2 compliance in 2024 by making sure we have all required policies in place and that underlying procedures and standards are in line with these. We also evaluated all processes to determine the adequate scope of applicability by defining all underlying critical assets. These have all been assessed on control effectiveness and, where needed, the right treatments have been defined to lower the risk profile. As NIS-2 requires a broad understanding of cyber risks and measures in the organisation, we have started to train our Board members and level 1 management.

Securing our Operational Technology

As Operational Technology lies at the heart of our core processes and is in the scope of NIS-2 for PostNL, we further improved our defenses by defining and implementing OT Security Governance, improving awareness, monitoring and defining a treatment plan for 2025 to further standardise our control implementation.

Supply chain risk

As our safety depends on the level of protection of our vendors and partners, we keep investing in better control of these risks. In 2024, we updated our procurement procedures by adding requirements for both IT and OT, and set up risk profiles for our main vendors and partners. We also assessed our main IT vendors on NIS-2 compliance and have put a monitoring tool in place to track their general cybersecurity health.

We continue to address cybersecurity in our review of internal controls, especially as most of our critical applications are based on SaaS and Cloud principles. These assessments, critical for maintaining robust security, will persist into 2025 and beyond.

Protecting data and privacy

PostNL believes that it is vital to handle the personal data of its customers and consumers with due care and adheres to all applicable laws and regulations. The most notable of these is the General Data Protection Regulation (GDPR), which is further elaborated on in the General Data Protection Regulation Implementation Act.

We have established a Group Policy on Privacy which outlines the fundamental principles we adhere to as a company regarding the use of personal data. These principles are in line with PostNL's business principles. We strive to provide high-quality services, in which reliability is an important factor. We therefore view the protection and careful handling of personal data as an important precondition for further innovation and development of our services. To help achieve this, we have set up governance, processes and procedures to adequately implement 'accountability' in the field of the protection of personal data. This includes a processing register, a reporting process for data breaches, a process for handling the rights of the person concerned, implementation of data privacy impact assessments, and the application of the Privacy by Design principle in the development of new processes and systems.

PostNL also established a data governance board to provide oversight on how we use and protect data. The Board discussed different data-related topics, including, for example, digital ethics.

Asset protection and loss prevention

In order to prevent any threat which could adversely affect the business of PostNL and its stakeholders, PostNL is committed to ensuring its operations are secure. The group policy on security outlines the mandate of the security function within PostNL and defines the responsibilities relating to security matters. In other words, it aims to ensure that adequate measures, procedures, checks and balances are in place regarding asset protection, loss prevention and security information management.

The PostNL programme on loss prevention is focused on addressing the specific commercial and operational aspects that may impact the rate of missing parcels. In our continuing efforts to lower the number of missing parcels, the commercial and operational management of Parcels works closely together with PostNL Security to develop and implement dedicated fraud and theft-risk mitigating actions.

Regulatory compliance management

PostNL believes that laws and regulations are essential tools that govern behaviour, protect rights and promote fairness. Laws and regulations are fundamental to the functioning of society in general, and large companies such as PostNL. Compliance forms part of our internal control and governance frameworks, and we operate in a sector that is defined by continually developing regulations. In this paragraph we outline our approach, our focus, and the main regulatory developments in 2024.

Our Approach to compliance

We manage compliance in a management process based on a compliance framework and continuous improvement. Dedicated compliance officers regularly facilitate and challenge management on different elements in the process.

The required maturity level of our compliance management is determined based on a maturity model. The level of compliance management may vary depending on the size, exposure and risks for different entities. We then evaluate, based on the ISO 37031 framework, how compliance can be demonstrated for each relevant area per reporting entity through our compliance risk management, internal control and internal audit processes.

Business management is responsible for ensuring adherence to regulatory requirements as well as monitoring performance, and is supported by staff functions and dedicated compliance officers. Management is required to confirm its responsibility for the compliance with laws and regulations by its legal entities. As a final step, we assess and report the status of compliance on a quarterly basis to both line management and our governance bodies.

Focus areas in 2024

Based on our internal control assessments and internal audit findings, for the vast majority of laws and regulations we did not identify significant deficiencies relating to compliance-mitigating activities that require follow-up. Our four focus areas for 2024 were to make further improvements in the Human Rights compliance management system, to prepare for the ‘Verklaring Omtrent Risicobeheersing’ (the new Risk Management Statement relevant as of 2025), to improve Privacy and AI (Artificial Intelligence) compliance controls, and to improve compliance in our value chain, with a particular focus on delivery partners and transport partners.

Risk Management statement

In anticipation of the expected inclusion of the Risk Management Statement (Verklaring omtrent Risicobeheersing, VOR) in the Dutch Corporate Governance Code (CGC) as of 2025, PostNL is preparing to integrate this requirement into its Board Report effective as of 1 January 2025. This aligns with the broader compliance requirements under the Corporate Sustainability Reporting Directive (CSRD).

As part of the evolving regulatory landscape, the VOR mandates the provision of at least a ‘limited assurance’ on the internal control framework related to CSRD reporting. Within this context, we have prioritised key elements such as corporate culture, business principles, and codes of conduct. These topics, identified under the CSRD ESRS G1 standard on ‘Business Conduct,’ are vital to maintaining transparency and integrity across our operations. Specifically, we have identified deliverables and mandatory disclosure requirements concerning:

  • Corporate culture and how it fosters responsible business practices
  • Implementation and adherence to business principles and codes of conduct
  • Establishment and effectiveness of whistle-blowing mechanisms
  • Robust anti-corruption and anti-bribery policies and practices.

By focusing on these areas, PostNL aims to strengthen its internal controls, enhance accountability, and meet the growing expectations of our stakeholders regarding transparency and ethical conduct.

Privacy and AI compliance controls

In 2023 we performed an integral review of the current status and adequacy of our privacy control framework as a follow-up on the earlier GDPR implementation. We reviewed whether all privacy-relevant data processing is recognised and recorded, and then whether adequate privacy impact assessments are in place for all high-risk data processing. In 2024, we implemented the identified review findings and successfully re-tested the privacy controls.

In connection with the ethical risks in Artificial Intelligence (including Machine Learning and Robotics), we developed a Digital Ethics risk management process in 2022. In 2023 we performed an assessment on all AI-related technology already in place at PostNL to validate the extent to which this technology works within the boundaries of our business principles and other ethical standards at PostNL. During 2024, we implemented this risk management process as a standard step in our Agile IT development organisation to safeguard that newly developed tools also adhere to the Digital Ethics requirements.

Compliance in our value chain 

Stakeholders increasingly expect large companies such as PostNL to lead by example through their influence on value chains. Responsibility along the value chain is a relevant topic in the public arena. As a large company, we proactively contribute to improvements in our value chain across a broad range of topics, even when this goes beyond our own responsibility under applicable laws and regulations. This applies to areas such as the transport and handling of dangerous goods, environmental compliance, responsible (international) procurement, the Foreign Nationals Employment Act (Wet Arbeid Vreemdelingen), and the Labour Market Fraud Act (Wet Aanpak Schijnconstructies). In connection with the last two laws, we included specific controls in our hiring and onboarding process applicable to all persons working for or at PostNL.

In 2024, we introduced our newly created due diligence process for delivery partners, which is designed to cover several important compliance and ESG topics. The process is based on the OECD Due Diligence Guidance for Responsible Business Conduct.

Summary of instances of non-compliance

PostNL operates in a sector with a wide variety of compliance topics, where both the number and complexity of laws and regulations is increasing. While this requires a robust approach to compliance (as described earlier in this chapter) we are, on occasion, confronted with instances of non-compliance. When these instances are discovered, we take immediate steps to remedy and deal with them.

While there are a number of cases ongoing linked to PostNL's compliance with laws and regulations, in 2024 a significant reportable instance of non-compliance was identified: in a final judgment, we incurred a fine of EUR 156.000 for a violation in 2019 of the Foreign Nationals Employment Act, for which we were held responsible as principal of a subcontractor who hired employees working at our premises. Several other cases in the period 2019-2022 are still pending. We have improved our processes to prevent these violations from happening going forward. For the purpose of this report, we did not take relatively small fines such as traffic-related fines into account.

Insider trading – share ownership

Members of the Supervisory Board, the Board of Management and PostNL’s senior management are subject to the PostNL Group policy on prevention of insider trading, which sets rules to prevent insider trading in our financial instruments and in securities other than PostNL’s financial instruments.

Under the current remuneration policies share ownership is mandatory for the Board of Management, and not for members of the Supervisory Board. This is further detailed in the Remuneration report, where you can also find the total number of PostNL shares held by each member of the Board of Management. None of the Supervisory Board members holds any PostNL shares at the date of this Annual Report.

Internal audit

PostNL's internal audit function provides independent and objective assurance to the Board of Management and the Supervisory Board on the effectiveness of the internal control framework, and performs financial, IT and non-financial management systems and operational audits for the various units within the PostNL Group. Audits are scheduled in close cooperation with the business concerned and organised in such a way that the external auditor can use the internal audit activities optimally. Each audit is followed by a formal audit report to the management responsible. Adequate follow-up on audit findings is assured. A summary report of audit-related topics (findings, follow-up, and so on) is issued every quarter to the Board of Management and the Audit Committee. Audit planning, the quality and professionalism of the audit team and the effectiveness and efficiency of the execution of the audits are supervised by the Board of Management and approved by the Audit Committee. The internal audit function reports to the CEO, with open communication to the CFO and the Audit Committee.

Transparent reporting

Transparency is a cornerstone of our corporate responsibility. We understand that clear, comprehensive, and truthful reporting is essential for maintaining trust with our stakeholders, including investors, employees, customers, and the communities in which we operate. This commitment is reflected in our approach to integrated reporting, where we aim to provide a holistic view of our financial and non-financial performance. More information on how we use the Integrated Reporting framework and align with other standards and frameworks is included in the Basis of preparation section of the General disclosures later in this report.

In 2024, we were once again ranked as one of the most sustainable companies in the transport and logistics sector worldwide by the Dow Jones Sustainability Index (DJSI). This benchmark evaluates listed companies on economic, social and environmental transparency and performance. We also achieved a B score in the CDP benchmark, a global environmental disclosure system, and we were awarded a Gold rating by EcoVadis, placing the company in the top 5% of 75,000 companies surveyed globally in terms of sustainability performance and corporate social responsibility with a focus on sustainable procurement.

External auditor

PostNL’s external auditor, KPMG Accountants NV, is appointed by the General Meeting of Shareholders. The lead partner rotates after a maximum period of five years and the key assurance partners rotate after a maximum period of seven years. Mr Roland Smeets has been the lead audit partner since the financial year 2022.

The Supervisory Board recommends to the General Meeting of Shareholders the appointment or replacement of the external auditor. In doing so, it considers the Audit Committee’s advice regarding the external auditor’s nomination for appointment/reappointment or dismissal. The Audit Committee prepares the selection of the external auditor. The Audit Committee reports annually to the Supervisory Board on the functioning of, and relevant developments in the relationship with the external auditor. The Audit Committee gives due consideration to the Board of Management’s observations in this respect. At the Annual General Meeting of Shareholders held on 20 April 2021, KPMG Accountants NV was appointed as the external auditor for PostNL for the financial years 2022, 2023 and 2024. At the Annual General Meeting of Shareholders held on 16 April 2024, KPMG Accountants NV was appointed as the external auditor for PostNL for the financial years 2025 and 2026.

The Audit Committee, supported by the internal audit function, is required to pre-approve all services the external auditor provides to ensure these do not impair the auditor’s independence from PostNL. The Audit Committee grants a general pre-approval for certain routine services every year. By Dutch law, the external auditor is in principle prohibited from rendering non-audit services.

Conflicts and potential conflicts of interest between the external auditor and PostNL are settled in accordance with the terms of reference of the Audit Committee and Dutch law. See note '2.3.4 Other operating expenses' to the Consolidated financial statements for more information.

The Audit Committee requires a formal written statement from the external auditor confirming its independence.