4 Responsible business (combating corruption & safeguarding human rights)
Business Conduct (ESRS G1)
4.1 Materiality assessment
Business conduct was assessed as material in the double materiality assessment. Ethical business practices create both impact materiality (affecting stakeholdersʼ rights and trust) and financial materiality (regulatory compliance, reputational risks, and license to operate).
Governance: The Board of Directorsʼ Audit and Risk Committees oversee business conduct, with annual reviews of the ethics programʼs effectiveness, investigation outcomes, and key performance metrics.
4.2 Business Conduct Policies and Corporate Culture (G1–1)
- Code of Conduct: Bystronicʼs Code of Conduct (updated 2023) establishes ethical principles covering anti-corruption, fair competition, human rights, environmental responsibility, data privacy, conflicts of interest, and accurate reporting.
- Coverage: Mandatory for all employees, Board members, and contractors.
- Corporate culture: Bystronic fosters an ethical culture through leadership commitment, speak-up culture, ethics guidance, and recognition of ethical behavior. Violations result in disciplinary action up to termination.
- Training:
  - New employees: mandatory Code of Conduct training
  - Functions at risk: enhanced anti-corruption training for Sales, Procurement, Government Affairs, and Finance
- Whistleblowing mechanism: Independent third-party hotline (EthicsPoint) accessible 24/7 in 40+ countries via telephone, web portal, mobile app, email, and in-person reporting.
  - Scope: Corruption, bribery, fraud, conflicts of interest, discrimination, harassment, environmental violations, data breaches, human rights violations, supplier code violations, and retaliation.
  - Protections: Confidential and anonymous (where permitted by law). Zero tolerance for retaliation.
  - Investigation process: report → assessment → investigation (30–60 days) → findings → remediation → report to governance.
  - 2025 performance: Three reports received; all investigated and closed as unfounded. Zero retaliation incidents.
4.3 Management of Relationships with Suppliers (G1–2)
- Supplier Code of Conduct: Establishes minimum requirements for labor practices, human rights, environmental responsibility, business ethics, and management systems. Contractually binding through purchase agreements.
- Risk-based due diligence: Suppliers categorized by risk (spend, geography, product category, strategic importance):
  - High risk: comprehensive ESG assessment (EcoVadis) required
  - Medium risk: self-assessment questionnaire
  - Low risk: standard contractual requirements
- Supplier development: Corrective action plans for low performers, capability building support, re-assessment after 12–18 months, recognition for high performers.
- Engagement: Annual supplier summit, quarterly webinars, carbon disclosure program (target 50% key suppliers by 2030), collaborative innovation (SSAB partnership on recycled/fossil-free steel).
- Human Rights Due Diligence (HRDD): First HRDD conducted in 2023. Zero confirmed violations among assessed suppliers. Human Rights Policy published in 2024.
4.4 Prevention and Detection of Corruption and Bribery (G1–3)
- Anti-Corruption Policy: Zero-tolerance for all forms of corruption including bribery, facilitation payments, kickbacks, political contributions, charitable donations as bribes, and improper gifts/hospitality.
- Gift & Hospitality Policy: Gifts and hospitality must not exceed the applicable local limit (maximum CHF 100 per gift in Switzerland).
- Third-party due diligence: Comprehensive screening of agents, distributors, and consultants, including integrity questionnaires, sanctions checks, adverse media reviews, and verification of beneficial ownership.
- Internal controls:
  - automated payment system controls
  - management review of high-value transactions
- Training: Anti-corruption training mandatory for at-risk functions (Sales, Procurement, Government Affairs, Finance).
4.5 Confirmed Incidents of Corruption or Bribery (G1–4)
Performance: Zero confirmed incidents of corruption or bribery over the four-year period 2022–2025.
| Ethics Hotline | 2025 | 2024 | 2023 | 2022 |
|---|---|---|---|---|
| Incidents reported to Business Ethics Hotline | 3 | 4 | 4 | 0 |
| Confirmed corruption/bribery incidents | 0 | 0 | 0 | 0 |
Analysis: In 2025, three allegations were reported and investigated; all were concluded to be unfounded.
4.6 Political Influence and Lobbying Activities (G1–5)
The company participates in industry associations relevant to its business activities. These memberships are primarily aimed at technical exchange, market development, and regulatory monitoring. During the reporting period, the company did not engage in material political influence or lobbying activities, nor did it make political contributions or mandate industry associations to lobby on its behalf.
- Key associations: VDMA (German machinery manufacturers), Swissmem (Swiss engineering), CECIMO (European machine tools), AMT (U.S. manufacturing technology), CMTBA (China machinery).
- Governance: Association policy positions reviewed for alignment with Bystronic values.
4.7 Payment Practices (G1–6)
Standard payment terms: Bystronicʼs standard payment terms to suppliers are typically net 60 days from the invoice date, though this can vary by contract and location. For specific types of agreements, terms are net 30 days from the invoice date. Before payment is released, suppliers must meet prerequisites such as providing signed lien waivers and properly executed invoices.
4.8 Data Privacy and Cybersecurity (G1–7)
Bystronic manages data privacy and cybersecurity as core components of its governance and risk management framework. The company complies with the EU General Data Protection Regulation (GDPR) and maintains privacy notices in line with local legal requirements, outlining the purposes and legal basis for personal data processing as well as data subject rights. Dedicated privacy documentation, including a business partner data protection notice, is publicly available on Bystronicʼs website.
Cybersecurity is overseen by the Group IT and Security function and regularly reviewed by the Audit Committee of the Board of Directors. Bystronic has implemented ISO 27001-aligned information security controls covering access management, endpoint protection, network segmentation, and multi-factor authentication. The company partners with external specialists such as NanoLock Security to strengthen machine-level and operational technology (OT) protection. Independent audits and assessments are carried out to evaluate IT resilience and the effectiveness of cybersecurity measures.
In 2025, the company reported no material data privacy breaches or confirmed cybersecurity incidents. Employee awareness remains a central preventive measure, supported by mandatory information-security training and periodic phishing simulations. Bystronic continues to enhance its cyber risk management through regular monitoring, continuous improvement, and quantification of cyber risk exposure using external benchmarking tools.