Emerging risks

Emerging risks are risks we do not expect to materially impact the company in the short term, but which do require prompt mitigation actions to prevent them from exceeding our risk appetite in the mid to long term. In 2025, we pinpointed two such risks: 'AI-driven workforce and organisational transition' and 'Disruption of data sovereignty and digital infrastructure dependence'. These are seen as exacerbating our main operational and strategic risks, namely 'IT and cybersecurity' and 'Data excellence and integrity', respectively.

Risk description	Response
AI-driven workforce and organisational transition As PostNL accelerates its AI-first and automation agenda as part of its Breakthrough 2028 strategy, the company faces a significant organisational transition risk. AI integration is reshaping job roles, skills requirements and operational decision-making. While automation drives efficiency and cost competitiveness, it also introduces uncertainty around workforce adaptation, capability gaps and organisational acceptance. This rapid shift may create misalignment between technological progress and organisational readiness. This risk is amplified by tight labour markets, short AI maturity cycles and evolving ethical standards in AI governance.	Implement AI (up)skilling programme or framework that embeds retraining, inclusion and AI ethics principles in workforce planning. Continuous monitoring of employee sentiment and engagement linked to automation roll-outs. Integration of AI impact assessments in HR, legal, and risk governance processes. Collaboration with labour representatives, policymakers, and educational partners to foster transparent AI adoption pathways.
Disruption of data sovereignty and digital infrastructure dependence As PostNL increasingly digitises its operations and customer interactions, reliance on cloud-based infrastructure, AI-driven analytics and external technology providers has grown substantially. However, emerging global data sovereignty frameworks—particularly EU data residency and protection requirements (such as GDPR), cross-border data flow restrictions and the geopolitical fragmentation of technology standards—pose potential risks to continuity, compliance and competitiveness. Growing dependence on non-European hyperscalers for cloud services introduces systemic risks in the event of regulatory disputes, cyber incidents or service disruptions. Moreover, the rapid evolution of generative AI technologies, while providing operational efficiencies, heightens concerns around algorithmic transparency, data bias and intellectual property exposure.	Diversification of cloud vendors to reduce dependency on single providers and enhance resilience i.e., investments in European-based digital infrastructure and partnerships with EU-compliant cloud and cybersecurity providers. Implement technologies such as client-side encryption to prevent even cloud providers from accessing organisational data. Ongoing assessment of data residency obligations under the EU Data Act and AI Act.

Risk description

Response

AI-driven workforce and organisational transition

As PostNL accelerates its AI-first and automation agenda as part of its Breakthrough 2028 strategy, the company faces a significant organisational transition risk. AI integration is reshaping job roles, skills requirements and operational decision-making. While automation drives efficiency and cost competitiveness, it also introduces uncertainty around workforce adaptation, capability gaps and organisational acceptance. This rapid shift may create misalignment between technological progress and organisational readiness. This risk is amplified by tight labour markets, short AI maturity cycles and evolving ethical standards in AI governance.

Implement AI (up)skilling programme or framework that embeds retraining, inclusion and AI ethics principles in workforce planning.
Continuous monitoring of employee sentiment and engagement linked to automation roll-outs.
Integration of AI impact assessments in HR, legal, and risk governance processes.
Collaboration with labour representatives, policymakers, and educational partners to foster transparent AI adoption pathways.

Disruption of data sovereignty and digital infrastructure dependence

As PostNL increasingly digitises its operations and customer interactions, reliance on cloud-based infrastructure, AI-driven analytics and external technology providers has grown substantially. However, emerging global data sovereignty frameworks—particularly EU data residency and protection requirements (such as GDPR), cross-border data flow restrictions and the geopolitical fragmentation of technology standards—pose potential risks to continuity, compliance and competitiveness. Growing dependence on non-European hyperscalers for cloud services introduces systemic risks in the event of regulatory disputes, cyber incidents or service disruptions. Moreover, the rapid evolution of generative AI technologies, while providing operational efficiencies, heightens concerns around algorithmic transparency, data bias and intellectual property exposure.

Diversification of cloud vendors to reduce dependency on single providers and enhance resilience i.e., investments in European-based digital infrastructure and partnerships with EU-compliant cloud and cybersecurity providers.
Implement technologies such as client-side encryption to prevent even cloud providers from accessing organisational data.
Ongoing assessment of data residency obligations under the EU Data Act and AI Act.