Business conduct – Policies and procedures

Business conduct - Policies and procedures

Code of conduct

We are a large company with tens of thousands of employees, multiple business segments and an international network. Our Code of Conduct forms the foundation for our actions and guides our decisions regarding doing business with others or entering into joint ventures.

To provide further clarity on specific situations, we have developed a range of group policies, such as our integrity policy. These policies detail the appropriate actions to take in particular scenarios and specify the points of contact for any questions or concerns.

In this chapter we provide more insights into our Code of Conduct, policies and procedures, including links to our policies on our website.

Diversity, equity and inclusion

As outlined in the social disclosures, PostNL recognises the power of DEI. We respect and value individual differences, which strengthen our organisation, enhance innovation, and make us more appealing as an employer and partner. This commitment extends to fostering diversity within the composition of the Executive Committee, Board of Management, and Supervisory Board. The Supervisory Board and Board of Management actively promote DEI within these bodies and the Executive Committee, with consideration given to factors such as age, gender, expertise, experience, and nationality. Our aim is to strike a balanced representation, ensuring that diversity is reflected wherever possible, while meeting, as a minimum, the statutory requirements. Further details can be found in our Diversity, Equity and Inclusion Policy, available on our website.

At year-end 2025, PostNL’s Board of Management had two members, of which one was female, i.e. 50% of the seats filled by women. The Executive Committee had eight members, of which two were female, i.e. 25% of the seats filled by women. The Supervisory Board has eight members, of which three are female, i.e. 37.5% of the seats filled by women. As follows from PostNL’s Diversity, Equity and Inclusion Policy and the profile of the Supervisory Board, diversity is taken into account when selecting candidates in case of a vacancy in the Executive Committee, Board of Management and Supervisory Board. Ultimately, the capacities of the selected candidates are assessed irrespective of the candidate's gender and the most qualified candidates will be nominated for appointment.

Per 1 January 2022, new legislation in the Netherlands came into force in relation to a balanced representation of men and women in Supervisory Boards, Boards of Management and senior management. The legislation introduced a binding diversity quota for the Supervisory Board, whereby at least one third of the members of the Supervisory Board should be male, and at least one third of the members should be female. Additionally, large companies such as PostNL should determine an ambitious and appropriate target (in the form of a target number) to promote gender diversity in the Board of Management and senior management. As mentioned above, PostNL complies with the binding diversity quota for the Supervisory Board. PostNL has determined ambitious and appropriate target numbers for the Board of Management and senior management. More information on the implementation of the DEI Policy can be found in the Diversity, Equity and Inclusion Policy paragraph of the social disclosures in the sustainability statements.

Procurement policy

At PostNL, we are working towards ensuring that our procurement and service activities align with our procurement policy, applicable legislation and regulations, social and ethical standards, and sustainability requirements. In collaboration with our suppliers, we continuously strive to strengthen and enhance the supply chain, making it as sustainable as possible. This reflects our focus on protecting the environment, promoting social responsibility, and upholding robust governance standards.

Our approach begins with the careful selection of suppliers and the design of procurement processes that are aligned with our ESG responsibilities. In addition to price, quality, and delivery timelines, we also incorporate social and environmental factors into our decision-making.

To support this, we can employ a risk-assessment matrix when evaluating potential suppliers. Should a supplier fail to meet our standards following this assessment, we will not proceed with a contract. In situations where suppliers are equally suitable, we prioritise those demonstrating stronger sustainability performance.

The Procurement Policy can be found on our website, and contains, for example, guidelines, risk classification, follow-up measures and checklists. These protocols also include a description of how to use our Conditions of Purchase, the PostNL Code of Conduct and the PostNL Set of Guidelines for Suppliers, in which our sustainability and biodiversity requirements for suppliers are set out.

We regularly update our guidelines for suppliers and contractors, providing a clear interpretation of the PostNL Code of Conduct and the OECD guidelines. These refinements emphasise our expectations regarding proactive approaches to improving the environmental impact of goods and services supplied to us.

Biodiversity is explicitly addressed within the PostNL Set of Guidelines for Suppliers. Procurement or production processes must not result in, or contribute to, land conversion or deforestation. The same principle applies to financial investments. Suppliers are expected to ensure that ecosystems remain undisturbed, thereby avoid significant adverse impacts on biodiversity.

Our updated guidelines are applicable to all new contracts and reflect our dedication to promoting sustainable practices across our operations and supply chain. PostNL expects its suppliers to both take responsibility for these issues within their own organisation, and take responsibility further up the supply chain and monitor how well these issues are dealt with by their own suppliers (sub-suppliers). In most cases contractors (i.e. agents or direct manufacturers) are likely to work with sub-suppliers and subcontractors; this represents an additional step that renders the link between PostNL and any risks affecting PostNL less manageable. Nevertheless, PostNL holds the view that involving an agent does not affect its own responsibility for risks and regulation. More information on our procurement policy can be found in the Procurement Policy paragraph of the governance disclosures in the sustainability statements.

Conflict of interest

Each member of the Board of Management and the Supervisory Board must immediately report and provide all relevant information to the chairman of the Supervisory Board about any conflict of interest or potential conflict of interest, material or not to the company and/or to the relevant member. A member of the Board of Management also informs the other members of the Board of Management (as applicable).

If the chairman of the Supervisory Board has a conflict of interest or potential conflict of interest that is material to the company and/or to them, they are required to report this immediately to the vice chairman of the Supervisory Board and to provide all relevant information. In all situations, this includes information concerning a spouse, registered partner or other life companion, (foster) child or other relatives by blood or marriage up to the second degree.

The Supervisory Board is responsible for deciding how to resolve a conflict of interest between members of the Board of Management, members of the Supervisory Board and/or the external auditor on the one hand and the company on the other.

In the event of a conflict of interest between PostNL and a member of the Board of Management, the company will be represented by another member of the Board of Management or a member of the Supervisory Board appointed by the Supervisory Board for this purpose.

A decision to enter into a transaction involving a conflict of interest with a member of the Board of Management or the Supervisory Board, material or not, to the company or to the relevant member requires the approval of the Supervisory Board. No such transactions were entered into in 2025 so best practice provisions 2.7.3 and 2.7.4 of the Code did not apply.

The by-laws of the Board of Management and the Supervisory Board also include a provision that a member of the Board of Management or the Supervisory Board does not participate in any discussion or decision-making that involves a subject or transaction in relation to which the member has a conflict of interest with the company.

Shareholders and their rights

General Meeting of Shareholders

PostNL is required to hold an Annual General Meeting of Shareholders within six months of the end of the financial year. The agenda for this meeting includes the adoption of the financial statements, a proposal on dividend and the release from liability of the members of the Board of Management and the Supervisory Board for the performance of their respective duties during the financial year. This release only covers liability for matters reflected in the relevant financial statements or otherwise disclosed to the General Meeting of Shareholders prior to the adoption of the relevant financial statements.

General Meetings of Shareholders are held as often as the Board of Management or the Supervisory Board deem necessary, and shall be convened in case of a decision entailing a significant change in the identity or character of PostNL or its business.

Furthermore, the Supervisory Board and the Board of Management are in principle required to convene a shareholders meeting in case one or more shareholders representing at least 10% of PostNL’s issued share capital so request in writing, stating the proposed agenda in detail.

General Meetings of Shareholders may be held in Amsterdam, The Hague, Hoofddorp or in the municipality of Haarlemmermeer (Schiphol).

One or more shareholders representing at least 1% of PostNL’s issued share capital are entitled to request that the Board of Management or the Supervisory Board place items on the agenda of a General Meeting of Shareholders. Such a request must be honoured by the Board of Management or the Supervisory Board, provided that the request is received in writing at least 60 days before the date of such a meeting. In the event a request is made by one or more shareholders to either convene a meeting or to place an item on the agenda of a General Meeting of Shareholders that may result in a change of the company’s strategy, the Board of Management is entitled to a reasonable period in which to respond, which shall not exceed 180 days.

The Central Works Council of PostNL has the right to form an opinion on proposals to determine or modify the policy on the remuneration of the Board of Management, proposals that entail a significant change in the identity or character of the company or its business and proposals to appoint a member of the Supervisory Board. The Central Works Council has the right to explain its position during the General Meeting of Shareholders.

General Meetings of Shareholders are convened at least 42 days in advance by a notice published on the company’s website.

Each shareholder is entitled to attend a General Meeting of Shareholders, either in person or by written or electronic proxy, to address the meeting and to exercise voting rights, subject to the provisions of PostNL’s articles of association. An eligible shareholder has the aforementioned rights if registered as a shareholder on the applicable record date to the extent described by Dutch law.

Each PostNL share carries the right to cast one vote. Unless Dutch law or PostNL's articles of association stipulate otherwise, resolutions are passed by a simple majority of votes cast by the shareholders present or represented at the meeting. Pursuant to PostNL’s articles of association, there are no limitations to the rights of Dutch, non-resident or foreign shareholders to hold or exercise voting rights in respect of PostNL’s securities.

General Meeting of Shareholders 2025

On 15 April 2025, PostNL held its Annual General Meeting of Shareholders in The Hague, the Netherlands. The attendance rate was 38.48% of the total outstanding share capital. The agenda, resolutions and voting results for each resolution, the presentations given during the meeting and a webcast of the meeting are available on our website in Dutch and English. Minutes of the meeting are available in Dutch only.

Liquidation rights

In the event of PostNL’s dissolution and liquidation, the assets remaining after payment of all debts and liquidation expenses are to be distributed in the following order of preference: firstly, to the holders of all outstanding preference shares B (if any), the nominal amount paid up on these shares plus accumulated dividends for preceding years that have not yet been paid; and secondly, to holders of ordinary shares in proportion to their shareholdings.

Changes to the rights of shareholders

Rights of shareholders may change by way of an amendment to the articles of association, a statutory merger or demerger within the meaning of book 2 of the Dutch Civil Code, or dissolution of the company. A resolution of the General Meeting of Shareholders is required to effect these changes. Under PostNL's articles of association, such a resolution may only be adopted upon a proposal by the Board of Management that has been approved by the Supervisory Board.

Major shareholders

To PostNL’s knowledge, it is not directly or indirectly owned or controlled by another company or by any government. PostNL does not know of any arrangements of which the operation might, at a subsequent date, result in a change of control, except as described under ‘Foundation Continuity PostNL and preference shares B’ below.

The Financial Markets Supervision Act (Wet op het financieel toezicht) imposes a duty to disclose percentage holdings in the capital and/or underlying financial instruments and/or voting rights in the company when such holding reaches, exceeds or falls below 3%, 5%, 10%, 15%, 20%, 25%, 30%, 40%, 50%, 60%, 75% and 95%. Such a disclosure must be made to the Dutch Financial Markets Authority (AFM) without delay. The AFM then notifies the company and discloses the (change in) holding on its website.

Articles of association, share acquisition, reduction and increase of issued share capital

Amendment of the articles of association

The company’s articles of association can be amended upon a proposal by the Board of Management, approved by the Supervisory Board and adopted by the General Meeting of Shareholders. A proposal to amend the articles of association must be stated in a notice convening a General Meeting of Shareholders and announced in such a manner as permitted by law at the time. The proposal shall be passed upon an absolute majority of the votes cast in the General Meeting of Shareholders. PostNL’s articles of association are available on our website.

Ability of the company to acquire its own shares

Under its articles of association, PostNL may acquire its own shares, provided that they are fully paid up. If such shares are acquired for consideration, the following conditions apply:

PostNL’s shareholders' equity less the purchase price may not fall below the sum of the paid-up capital and any reserves required to be maintained by Dutch law or pursuant to the articles of association.
Following the share acquisition, PostNL may not hold shares with an aggregate nominal value exceeding half of its issued share capital. The Board of Management is authorised to decide to acquire PostNL shares. Such a resolution requires the approval of the Supervisory Board. In addition, the Board of Management requires prior authorisation by the General Meeting of Shareholders. This authorisation may be valid for a period not exceeding 18 months and must specify:

The number of shares that may be acquired
The manner in which shares may be acquired
The price limits within which shares may be acquired.

Authorisation by the General Meeting of Shareholders is not required if the PostNL shares are acquired for the purpose of transferring those shares to PostNL employees pursuant to any arrangements applicable to such employees.

Reduction of issued share capital in general

The issued share capital may be reduced by the cancellation of shares following a repurchase. PostNL’s issued share capital may also be reduced if the nominal value of its shares is reduced by amendment of PostNL’s articles of association. The resolution to reduce PostNL’s issued share capital requires the approval of the General Meeting of Shareholders. Pursuant to PostNL’s articles of association, such a resolution may be adopted pursuant to a proposal of the Board of Management that has been approved by the Supervisory Board. The latter requirement is more stringent than Dutch law.

Increase of issued share capital by issuance of shares/pre-emptive rights

PostNL’s Board of Management has been designated as the body authorised to resolve on the issuance of shares and to grant rights to subscribe for shares, including options and warrants. Such a resolution is subject to the approval of the Supervisory Board. The scope and duration of this authority of the Board of Management are determined by the General Meeting of Shareholders. The Board of Management cannot be authorised to issue more shares than the number of authorised shares that have not been issued (i.e. the number of authorised shares minus the number of issued shares). The authority may not be granted for a period longer than five years.

The term of designation of the Board of Management as the body authorised to resolve on the issuance of shares may also be extended by amendment of PostNL’s articles of association.

If no extension is given, the issue of shares or granting of rights to subscribe for shares requires a resolution of the General Meeting of Shareholders. Such a resolution may only be adopted pursuant to a proposal by the Board of Management that has been approved by the Supervisory Board. In principle, each holder of ordinary shares has a pre-emptive right in case of any issue of ordinary shares or the granting of rights to subscribe for these shares.

Pursuant to PostNL’s articles of association, shareholders’ pre-emptive rights may be restricted or excluded by a resolution of the Board of Management, provided and as long as the Board of Management has been designated as the body authorised to resolve on the issuance of shares. Such a resolution is subject to the approval of the Supervisory Board. Pursuant to PostNL’s articles of association, the provisions relating to the scope and duration of the authority to issue shares and grant rights to subscribe for ordinary shares are also applicable to the scope and duration of the authority to exclude or restrict pre-emptive rights.

Dividend

The Board of Management may determine, subject to approval by the Supervisory Board, that any dividend on ordinary shares will be paid wholly or partly in PostNL ordinary shares instead of cash, or that any dividend will be paid by giving shareholders the option to choose between PostNL ordinary shares or cash (optional dividends).

If and when dividends are declared, PostNL pays dividends out of its profits, or by exception out of the distributable part of its shareholders’ equity as shown in PostNL’s financial statements. PostNL is not allowed to pay dividends if the payment would reduce shareholders’ equity below the sum of the paid-up capital and any reserves required by Dutch law or the company's articles of association.

The Board of Management may, subject to approval by the Supervisory Board and to provisions of Dutch law, distribute interim dividend. No dividend shall be paid on shares held by PostNL. Such shares shall not be included for the calculation of the profit distribution, unless the Board of Management resolves otherwise. Such a resolution is subject to the approval of the Supervisory Board.

Under PostNL’s articles of association, if preference shares B have been issued, PostNL must pay dividends on the paid-up portion of the nominal value of the preference shares B. Payment is made at a rate of the average 12-month EURIBOR (Euro Interbank Offered Rate), weighted to reflect the number of days for which the payment is made, plus a premium to be determined by the Board of Management, subject to approval by the Supervisory Board, of at least one percentage point and at most three percentage points. The Board of Management then determines, subject to the approval of the Supervisory Board, the part of the remaining profits to be appropriated to reserves. The profit that remains after appropriation is at the disposal of the General Meeting of Shareholders.

More information about PostNL’s Dividend Policy can be found in the PostNL on the Capital Markets chapter, and on our website. Any changes to these guidelines shall be explained in a separate agenda item at the Annual General Meeting of Shareholders.

Foundation Continuity PostNL and preference shares B

Stichting Continuïteit PostNL (Foundation Continuity PostNL) was formed to safeguard the interests of PostNL, the undertaking connected with PostNL and all parties involved. It does this by, among other things, preventing any influences that could threaten PostNL’s continuity, independence and identity, as far as possible. Foundation Continuity PostNL is an independent legal entity and is not owned or controlled by PostNL or any other legal person.

PostNL’s articles of association provide for protective preference shares B that can be issued to Foundation Continuity PostNL. The preference shares B have a nominal value of €0.08 and have the same voting rights as PostNL’s ordinary shares.

PostNL and Foundation Continuity PostNL have entered into a call option agreement, which enables Foundation Continuity PostNL to acquire a number of preference shares B not exceeding the total issued number of ordinary shares minus one and minus any shares already issued to Foundation Continuity PostNL. The call option agreement is meant as a preventive measure against influences that might threaten the continuity, independence and identity of the company. Preference shares B will be outstanding no longer than strictly necessary. As at 31 December 2025 and at the date of this Annual Report, there were no preference shares B issued. The exercise price with respect to the call option is the nominal value of €0.08 per preference share B, although upon exercise only €0.02 per preference share B is required to be paid.

The additional €0.06 is due when the Board of Management, subject to the approval of the Supervisory Board, requests payment. Foundation Continuity PostNL has a credit facility in place to enable it to exercise the call option.

Six months after the issuance of preference shares B, Foundation Continuity PostNL may require PostNL to convene a General Meeting of Shareholders to discuss cancellation of these shares. However, if within these six months Foundation Continuity PostNL should receive a demand for repayment under the credit facilities referred to above, it may also require PostNL to convene a General Meeting of Shareholders. In accordance with PostNL’s articles of association, a General Meeting of Shareholders must be convened no later than 12 months after the first date of issuance of any preference shares B to Foundation Continuity PostNL. The agenda for that meeting shall include a resolution regarding the repurchase and/or cancellation of the preference shares B.

PostNL has granted Foundation Continuity PostNL the right to file an application for an inquiry into the policy and conduct of PostNL’s business with the Enterprise Chamber of the Amsterdam Court of Appeal (Ondernemingskamer). Should such an inquiry be granted, the Enterprise Chamber may impose immediate provisions.

At 31 December 2025, the members of the Board of Foundation Continuity PostNL were Mr M.P. Nieuwe Weme (chair), Ms Y.C.M.T. van Rooy, Ms C.M.C. Mahieu and Mr P.S. Overmars. All members of the Board of Foundation Continuity PostNL are independent from PostNL. This means that Foundation Continuity PostNL is an independent legal entity as referred to in section 5:71 paragraph 1 sub c of the Dutch Financial Markets Supervision Act (Wet op het financieel toezicht).

Integrity Committee

The Integrity Committee advises and assists the Board of Management in developing, implementing, and monitoring group policies and procedures aimed at enhancing integrity and ethical behaviour as well as preventing fraud, corruption and bribery. The Integrity Committee is composed of the director Audit & Security (chairman), the manager Integrity Office, the Corporate Security Officer, the director Legal, the director HR Legal & Reward, the director Communications, the director Strategy Mail, and the managing director E-commerce Operations.

The Integrity Committee oversees investigations based on reports of possible breaches filed under the PostNL Code of Conduct, the PostNL Group procedure on whistleblowing and the PostNL Group procedure on fraud prevention, anti-bribery, and anti-corruption.

The Director of Audit & Security engages in regular discussions with the Board of Management on a quarterly basis, and semi-annually with the Audit Committee. These discussions cover the activities of the Integrity Committee, providing an overview of all significant reported and investigated misconduct cases, as well as updates on the progress of the annual PostNL Integrity Plan. This plan addresses key areas such as governance, training and awareness, and response and maintenance. Insights gained from these activities are leveraged to recommend improvements, supporting PostNL in its ongoing efforts to mitigate potential integrity risks across its value chain.

Integrity Reporting to Board of Management, Executive Committee, and Supervisory Board

PostNL’s administrative, management, and supervisory bodies are instrumental in fostering a robust corporate culture. The Integrity Report is shared quarterly with the Integrity Committee, Board of Management, and Executive Committee, and semi-annually with the Audit Committee and Supervisory Board.

This report provides a detailed account of the activities undertaken by the Integrity Committee, offering a comprehensive overview of irregularities related to misconduct and loss prevention. It also outlines the actions taken by the Integrity Office and security investigations, along with updates on the progress of the Integrity Plan. This plan includes governance developments, training and awareness initiatives, and response and maintenance activities, such as analysis, root cause assessments, and continuous improvement efforts.

The responsibility for executing, implementing, and monitoring this group policy has been delegated by the Board of Management to the Director Audit & Security. This delegation includes ownership of the PostNL Code of Conduct, the PostNL Group fraud prevention procedure, and the PostNL Group whistleblowing procedure. Monitoring processes are supported by continuous review and reporting by the Corporate Security Officer, regular audits, compliance checks, and incident reporting. The Integrity Committee reviews these reports and processes on a quarterly basis.

Business conduct and integrity approach

The focus of our integrity approach is to regularly ensure our employees are familiar with and are working in accordance with the PostNL Code of Conduct.

Our Code of Conduct informs how we act and make our decisions and, as early as 2012, PostNL signed up to the ten principles of the United Nations Global Compact on such issues as human rights, labour, climate and anti-corruption. We further endorse the OECD guidelines for multinational enterprises on responsible business conduct, while our sustainability strategy aligns us with the United Nations’ Sustainable Development Goals (SDGs). At the same time, our Code of Conduct influences our behaviour and helps us steer our organisation in the way we want to do business, supporting us as we create the right environment for people to carry out their work effectively and feel connected.

Our business conduct and integrity approach is laid down in the following group policies and procedures:

PostNL Code of Conduct
Group Policy on Integrity
Group Policy on Security
Group Procedure on Incident Reporting
Group Procedure on Whistleblowing
Group Procedure on Conflict of Interest
Group Procedure on Gifts and Hospitality
Group Procedure on Fraud Prevention - Guidance on anti-bribery and anti-corruption
Code of Conduct for the use of business assets.

All integrity related incident reports are received at a single point by designated and trained staff and are checked for whether an alleged breach of the law has occurred, a formal whistleblowing report is received, or any other type of reported breach or indicator. These other reports and signals are evaluated for further handling by responsible functions (such as Security, line management or HR). This provides a smoother follow-up of reported incidents, cases and indicators, and ensures the best care for our employees. Our whistleblowing procedure, updated in August 2025, reinforces confidentiality, safeguards identity and reiterates our zero-tolerance approach to retaliation. The process provides a clear framework for stakeholders to report concerns and for investigations to be conducted in a structured and impartial manner.

Any PostNL stakeholder who reports suspected misconduct, which the PostNL stakeholder reasonably believes, or may reasonably believe, to be true, will be given protection for such reporting. This protection means that PostNL will not discharge, demote, suspend, threaten, harass or in any manner discriminate against any PostNL stakeholder in the terms and conditions of employment. PostNL does not tolerate any form of threat, retaliation or other action against a PostNL stakeholder who has made or assisted in the making of a report of suspected misconduct. Any such threat, retaliation or other action must immediately be reported to the director of Audit & Security. Any person entitled to protection from retaliation who considers themself to be a victim of or is threatened with reprisals may submit a reasoned complaint to the local authorities, who will initiate an extrajudicial protection procedure.

During the year, we initiated 586 investigations in response to integrity-related issues. These investigations covered issues such as the theft of parcels or mail, bribery and corruption, or failure to follow workplace practices. The investigations resulted in 226 discontinued work relationships. At year-end 2025, 62 investigations were ongoing.

Integrity-related investigations include cases of alleged (sexual) harassment and discrimination. For more information about reported incidents and complaints please see Measures against violence and harassment in the workplace in the Our workforce section of the Social disclosures.

PostNL continuously works to raise awareness of integrity-related topics. This includes supporting employee communication on inappropriate conduct, encouraging dialogue with line management and HR representatives, and following up on reported integrity incidents. Our main business conduct and integrity policies and procedures are embedded in the onboarding process for new employees. In addition, we use insights from the Employee Engagement Monitor, investigation outcomes, and other signals to identify opportunities for continuous improvement of our integrity approach and related activities across PostNL Group companies. In October 2025, PostNL launched a new integrity e-learning programme aimed at educating both management and employees on our Code of Conduct, expected behaviours, and available reporting channels, including the whistleblowing procedure.

Our Code of Conduct and integrity-related policies form part of our contractual agreements with suppliers and contractors. For delivery partners in the Netherlands and Belgium, we have implemented a dedicated due diligence process aligned with a specific business conduct guideline for delivery partners. The rollout of this due diligence process was supported by targeted communication and awareness activities.

We continuously work to foster a company environment in which people feel safe and empowered to speak up. In addition to conducting case-specific investigations, we perform trend analyses of all reported incidents to identify structural issues and determine where further preventive actions are required. Information on alleged bribery and corruption cases is included in the Governance performance disclosures within our sustainability statements. More information about our business conduct is included the Business conduct section of the governance disclosures in the sustainability statements.

Prevention of fraud, bribery and corruption

PostNL recognises the importance of maintaining robust fraud prevention, anti-bribery, and anti-corruption policies, procedures, and reporting mechanisms. These measures are essential for safeguarding the integrity of our business and ensuring compliance with all applicable laws and regulations. Our policies are particularly focused on employees in key risk areas such as executive and general management, sales (including government-related sales), procurement (capex and opex), temporary labour sourcing, delivery partnerships, transport charters, people management within operations, and finance and accounting. For employees in these at-risk functions, the integrity e-learning programme is mandatory. Additionally, pre-employment screening procedures are in place for these functions to further mitigate risks. More information on how we institute and monitor integrity e-learning can be found in the Our actions section of the governance disclosures in the sustainability statements.

Compliance with anti-bribery and anti-corruption legislation, both domestically and internationally, is a top priority for PostNL as we conduct business on a global scale. Any incidents of actual or suspected bribery or corruption involving our employees, suppliers, or delivery partners are promptly investigated and handled appropriately.

The Integrity Committee plays a vital role in advising the Board of Management and line management on mitigating fraud risks and ensuring adherence to ethical standards, anti-bribery, and anti-corruption practices. The Committee provides quarterly reports to the Board of Management and submits a comprehensive report to the Supervisory Board every six months.

All alleged breaches of our anti-bribery and anti-corruption policies are investigated by Audit & Security. Our security investigators are recruited based on a clearly defined job profile and undergo regular training to ensure they possess the necessary skills to carry out thorough investigations. In addition, Internal Audit systematically addresses fraud, corruption, and bribery risks during the execution of internal audits.

Cybersecurity

PostNL places cybersecurity at the heart of its operations. As our business and customer services continue to digitalise, protecting critical systems and data is essential to maintaining continuity, trust, and regulatory compliance. In 2025, we strengthened our governance, risk management, and control environment, prepared for upcoming NIS2 obligations, and further advanced our cybersecurity capabilities across both IT and operational technology (OT), ensuring a resilient and secure foundation for the organisation’s ongoing growth. In line with this approach, our Board actively oversees cybersecurity as a strategic enterprise risk, with the Audit Committee receiving regular reporting on threats, incidents, remediation progress, and third-party risk, ensuring robust oversight and alignment with our organisational priorities.

Our cybersecurity operating model is structured around a multi-layered approach, designed to protect the critical information, systems, and applications that underpin our business. The first line continuously assesses the cyber-risk posture of key IT assets, implements secure-by-design principles, and updates risk treatment plans in response to emerging threats and evolving business priorities. In 2025, we further strengthened the first line by expanding our Business Information Security Officer (BISO) community, ensuring that every business unit now has a dedicated BISO to drive local execution and alignment with our central cybersecurity governance. The second line provides independent oversight, challenge, and monitoring, verifying that risk assessments, controls, and remediation initiatives meet both our organisational standards and the latest regulatory expectations. This layered structure ensures that cybersecurity is not only embedded across all levels of the organisation but also continuously adapted to the dynamic threat landscape, safeguarding our resilience, reputation, and long-term value creation.

Governance and Risk Management

In 2025, we advanced our risk-based approach with the launch of a new Cyber Security Control Framework, aligned with the international standards ISO/IEC 27001/27002 and the NIST Cybersecurity Framework, reinforcing the resilience of our critical systems and processes. Simultaneously, we implemented a Cyber Risk Management Framework, based on IRAM2 and ISO 27005, establishing a consistent and structured process to identify, assess, and mitigate cyber risks across the organisation. Also in 2025, we transitioned to a central Governance, Risk, and Compliance (GRC) platform, providing a unified view of risk, improving reporting and oversight, and embedding cyber-risk management consistently across all business segments.

NIS2 readiness

In anticipation of the EU’s NIS2 Directive, expected to take effect in the Netherlands with the Cybersecurity Act in 2026, PostNL has proactively strengthened its cybersecurity posture and is actively preparing for ISO/IEC 27001 certification of critical IT services, targeting completion in 2026 with expert guidance. As part of this effort, many NIS2 requirements have already been implemented, while additional measures are being embedded to ensure full and sustainable compliance once the legislation comes into force. Throughout the year, the boardroom training programme continued, with NIS2 awareness sessions delivered to executives and senior managers across IT and business functions. In countries where NIS2 has already entered into force and is applicable to PostNL, measures have been implemented to align with the NIS2 requirements. These initiatives demonstrate that PostNL is fully on track to meet regulatory obligations and strengthen overall cybersecurity resilience.

Cybersecurity Capability assessment

In 2025, we further advanced our cybersecurity capabilities by expanding our knowledge, expertise, team, and supporting tools. At the same time, we progressed with the cybersecurity programme launched in 2024, a structured two-year initiative with its own dedicated governance. Within this programme, we defined several workstreams to provide focused attention on the areas where we aim to excel or achieve significant improvements.

The workstreams are focused on key areas including:

Asset management: enhancing visibility and control over our digital and physical assets.
Access management: strengthening identity and access controls by expanding Single Sign-On and completing Privileged Access Management rollout to secure appropriate access across the organisation.
Network security and monitoring: improving network resilience and real-time monitoring for proactive threat detection.
Vulnerability and patch management: a harmonised vulnerability management process is now in place across all business segments. We improved coverage for both cloud and traditional IT environments and introduced a more risk-based prioritisation model to accelerate remediation of critical vulnerabilities.
Operational technology (OT) security: we implemented a dedicated OT security governance framework and defined minimum standards for all sorting and logistics systems. Network segmentation and monitoring work has begun and will be rolled out to all locations per the implementation plan.
Third-party risk management: oversight of our critical suppliers was strengthened through a new monitoring process tracking cybersecurity posture and NIS2 readiness. Risk assessments for key IT vendors were completed, with targeted follow-ups in 2026 to ensure timely implementation of agreed improvements.

Incident landscape and assurance

In 2025, we observed an increase in detected security events, reflecting both a more advanced threat landscape and improved monitoring and classification capabilities. Our layered security controls and response processes remained effective, and no cyber incidents with a material impact on the financial statements were identified.

Outlook

In 2026, we will focus on completing the remediation actions from the 2025 risk assessments and control testing, achieving ISO/IEC 27001 certification in support of NIS2 compliance, and accelerating progress on OT security. We will also strengthen continuous control monitoring and third-party oversight. These efforts will further enhance our resilience, support regulatory readiness and safeguard the trust of our customers and stakeholders as we continue our digital transformation.

Protecting data and privacy

PostNL believes that it is vital to handle the personal data of its customers and consumers with due care and adheres to applicable laws and regulations. The most notable of these is the General Data Protection Regulation (GDPR) and its Implementation Act.

We have established a Group Policy on Privacy which outlines the fundamental principles we adhere to as a company regarding the use of personal data. These principles are in line with PostNL's Code of Conduct. We strive to provide high-quality services, in which reliability is an important factor. We therefore view the protection and careful handling of personal data as an important precondition for further innovation and development of our services. To help achieve this, we have set up governance, processes, and procedures to adequately implement 'accountability' in the field of the protection of personal data. This includes a processing register, a reporting process for data breaches, process for handling the rights of the person concerned, implementation of data privacy impact assessments, and the application of the Privacy by Design principle in development of new processes and systems.

PostNL also established a Data Governance Board to provide oversight on how we use and protect data and in which different data-related topics are discussed.

Asset protection and loss prevention

In order to prevent any threat which could adversely affect the business of PostNL and its stakeholders, PostNL focuses on ensuring its operations are secure. The Group Policy on Security outlines the mandate of the security function within PostNL and to define the responsibilities relating to security matters. In other words, to ensure that adequate measures, procedures, checks and balances are in place, regarding asset protection, loss prevention and security information management.

The PostNL programme on loss prevention is focused on addressing the specific commercial and operational aspects that may impact the rate of missing parcels. In our continuing efforts to lower the number of missing parcels, the commercial and operational management of Parcels works closely together with PostNL Security to develop and implement dedicated fraud and theft-risk mitigating actions.

Regulatory compliance management

PostNL believes that laws and regulations are essential tools that govern behaviour, protect rights and promote fairness. Laws and regulations are fundamental to the functioning of society in general, and large companies such as PostNL. Compliance forms part of our internal risk management and control systems and governance framework, and we operate in a sector that is defined by continually developing regulations. In this paragraph we outline our approach, our focus, and the main regulatory developments in 2025.

Our Approach to compliance

We manage compliance as part of our internal risk management and control systems. These systems cover explicit controls connected to business conduct, postal law, human rights and labour conditions, environmental laws and regulations, transportation laws and regulations, NIS2 and GDPR. With these controls, we aim to provide a level of comfort we deem sufficient to properly fulfil the duty of the Board of Management to assume accountability for the management of the related compliance risks identified within our risk appetite.

Business management is responsible for the compliance risk management ensuring adherence to regulatory requirements as well as monitoring performance for the mentioned compliance areas, and is supported by staff functions. Management is required to confirm its responsibility for the compliance with laws and regulations by its legal entities. As a final step, we assess and report the status of compliance on a quarterly basis as part of our regular risk management and internal control reporting to our governance bodies.

Focus areas in 2025

Based on our internal control assessments and internal audit findings, for the vast majority of laws and regulations we did not identify significant deficiencies relating to compliance mitigating activities that require follow-up. Our focus areas for 2025 were implementation of the risk management statement (‘Verklaring Omtrent Risicobeheersing’) and compliance in our value chain with a particular focus on delivery partners and transport partners.

Risk Management Statement

In 2025, as part of the implementation of the risk management statement we continued to strengthen our internal control framework (ICF) for sustainability reporting. The ICF already covered for the main operational risks, covering key business processes, business resilience and continuity and cybersecurity. We also transitioned towards a more holistic and structured approach to compliance risk management covering multiple areas - Business conduct, Postal law, Environment, Human rights and labour conditions, Transport laws and regulations, Cybersecurity and Privacy.

By focusing on these areas, PostNL aims to strengthen its internal controls, enhance accountability, and meet the growing expectations of our stakeholders regarding transparency and ethical conduct.

Compliance in our value chain

Stakeholders increasingly expect large companies such as PostNL to lead by example through their influence on value chains. Responsibility along the value chain is a relevant topic in the public arena. As a large company, we proactively contribute to improvements in our value chain across a broad range of topics, even when this goes beyond our own responsibility under applicable laws and regulations.

This applies to areas such as the transport and handling of dangerous goods, environmental compliance, responsible (international) procurement, Foreign Nationals Employment Act (Wet Arbeid Vreemdelingen), and the Labour Market Fraud Act (Wet Aanpak Schijnconstructies).

In 2025, we focused on streamlining and optimising the due diligence process for delivery partners across the business segments and phase-wise implementation of a Third-party Risk Management IT system.

Summary of instances of non-compliance

PostNL operates in a sector with a wide variety of compliance topics, where both the number and complexity of laws and regulations is increasing. While this requires a robust approach to compliance (as described earlier in this chapter) we are, on occasion, confronted with instances of noncompliance. When these instances are discovered, we take immediate steps to remedy them.

While there are a number of cases ongoing linked to PostNL’s compliance with laws and regulations, there were no significant reportable instances of non-compliance identified. We did incur two lower fines from the Labour Inspectorate for violations of the Foreign Nationals Employment act which took place in 2022, in the amounts of EUR 8,000 and EUR 12,000. In both cases, the foreign nationals in question were hired by an Employment Agency.

We have implemented measures to improve our processes in order to prevent these violations from occurring, and we will continue to monitor, evaluate and update our processes on a regular basis. For the purpose of this report, we did not take relatively small fines such as traffic-related fines into account.

Insider trading – share ownership

Members of the Supervisory Board, the Board of Management and PostNL’s senior management are subject to the PostNL Group Policy on Prevention of Insider Trading, which sets rules to prevent insider trading in our financial instruments and in securities other than PostNL’s financial instruments.

Under the current remuneration policies, share ownership is mandatory for members of the Board of Management and not required for members of the Supervisory Board. Further details are provided in the Remuneration Report, which also discloses the total number of PostNL shares held by each member of the Board of Management. At the date of this Annual Report, none of the members of the Supervisory Board holds PostNL shares, with the exception of Martin Plavec, who holds 6,000 PostNL shares.

Internal audit

PostNL's internal audit function provides independent and objective assurance to the Board of Management and the Supervisory Board on the effectiveness of the internal risk management and control systems, and performs financial, IT, sustainability and operational audits for the various units within the PostNL Group. Each audit is followed by a formal audit report to the management responsible. Adequate follow-up on audit findings is assured. A summary report of audit-related topics (findings, follow-up, and so on) is issued every quarter to the Board of Management and the Audit Committee. Audit planning, the quality and professionalism of the audit team and the effectiveness and efficiency of the execution of the audits are supervised by the Board of Management and approved by the Audit Committee. The internal audit function reports to the CEO, with open communication to the CFO and the Audit Committee.

Transparent reporting

Transparency is a cornerstone of our corporate responsibility. We understand that clear, comprehensive, and truthful reporting is essential for maintaining trust with our stakeholders, including investors, employees, customers, and the communities in which we operate. This is reflected in our approach to integrated reporting, where we aim to provide a holistic view of our financial and sustainability performance. More information on how we use the Integrated Reporting framework and align with other standards and frameworks is included in Basis for preparation section of the General disclosures in the sustainability statements.

In 2025, we were once again ranked as one of the most sustainable companies in the transport and logistics sector worldwide by the Dow Jones Sustainability Index (DJSI). This benchmark evaluates listed companies on economic, social and environmental transparency and performance. We also achieved an A score in the CDP benchmark, a global environmental disclosure system and we were awarded a Platinum rating by EcoVadis, placing the company in the top 1% of the postal, courier and multi-modal freight transport activities industry surveyed globally in terms of sustainability performance and corporate social responsibility with a focus on sustainable procurement.

External auditor

PostNL’s external auditor, KPMG Accountants NV, is appointed by the General Meeting of Shareholders. The lead partner rotates after a maximum period of five years, and the key assurance partners rotate after a maximum period of seven years. Mr Roland Smeets is the lead audit partner since the financial year 2022. The Supervisory Board recommends to the General Meeting of Shareholders the appointment or replacement of the external auditor. In doing so, it considers the Audit Committee’s advice regarding the external auditor’s nomination for appointment/reappointment or dismissal. The Audit Committee prepares the selection of the external auditor. The Audit Committee reports annually to the Supervisory Board on the functioning of, and relevant developments in the relationship with the external auditor. The Audit Committee gives due consideration to the Board of Management’s observations in this respect. At the Annual General Meeting of Shareholders held on 20 April 2021, KPMG Accountants NV was appointed as the external auditor for PostNL for the financial years 2022, 2023 and 2024. At the Annual General Meeting of Shareholders held on 16 April 2024, KPMG Accountants NV was appointed as the external auditor for PostNL for the financial years 2025 and 2026.

The Audit Committee, supported by the internal audit function, is required to pre-approve all services the external auditor provides to ensure these do not impair the auditor’s independence from PostNL. The Audit Committee grants a general pre-approval for certain routine services every year. By Dutch law, the external auditor is in principle prohibited to render non-audit services.

Conflicts and potential conflicts of interest between the external auditor and PostNL are settled in accordance with the terms of reference of the Audit Committee and Dutch law. See note '2.3.4 Other operating expenses' to the Consolidated financial statements for more information.

The Audit Committee requires a formal written statement from the external auditor confirming its independence.