WithSecure in 2024 – Becoming a European flagship of cyber security

Digital services are an integral part of society – they are expected to work seamlessly without any disruptions. Cyber security, together with the institutions offering physical security, has become a pillar of a secure society. The fast-evolving industrial-scale cybercrime means cyber security is a must for every company, regardless of their size. For the past year, WithSecure has been focusing its strategy on solving the cyber security challenges of mid-market companies. Our aim is to offer our customers a selection of software and services that provide cyber resilience and trust in digital society, efficiently and in compliance with regulation. In the changing geopolitical environment, we take pride in providing a European alternative for cyber security, and uncompromising reliability in the trust business. 

With the increasing complexity of cyber security risks, an effective protection of our customers is always a result of collaboration between WithSecure, our partners and end-customers. We are in a continuous dialogue to ensure that our products meet both the cyber security needs of the end-customers and create meaningful portfolio items for the partners who are selling them as part of their own offering. 

In 2024, the economic growth in the European markets was modest and continued to be impacted by the geopolitical uncertainties. On the other hand, previously surging inflation subsided, and the unemployment rates remained at low levels. Positive development in the markets outside Europe offset some of the impacts, but WithSecure’s main markets are mostly located in Europe. Despite the economic headwinds, WithSecure’s revenue of Continuing operations grew by 6% in 2024, and the company was adjusted EBITDA profitable for the past financial year.

We expanded the offering by an important product in 2024: WithSecure Exposure Management was launched in May, and it became generally available in the third quarter. It provides continuous scanning of the customer’s attack surface, with estimated impacts of the attack paths and recommendations for remediations generated by AI. Customer interest on Exposure Management has been high, and we expect it to be a growing product in the next few years. We also added Identity security to our product portfolio and introduced the AI assistant Luminen, which has been providing its advice to all our Elements customers since September 2024.

Elements Cloud revenue grew by 9.4% in 2024 and was EUR 83.3 million (EUR 76.1 million). Annual Recurring Revenue (ARR) growth in the same period was 6.2%. Total Elements Company segment revenue grew by 4.5% in 2024 and was EUR 105.7 million (EUR 101.1 million). 

Cloud Protection for Salesforce (CPSF) is a software product ensuring scanning of external content for potential malware, before it is loaded to Salesforce. The CPSF team’s continuous, systematic efforts to improve sales execution are providing strong results. The ARR growth of the business was 52% from the previous year-end. The growth is driven by both new customers – we were glad to welcome many new international enterprise customers in the past year – and expansions to existing customers. We continue to develop the CPSF as an independent business inside WithSecure, while keeping the strategic review options open.  

On 23 January 2025, WithSecure signed an agreement intending to divest the Cyber security consulting business. Consulting is reported as part of the Discontinued operations result in the 2024 financials. WithSecure consultants are offering world-class offensive security services to some of the most demanding customers in the world. We are very happy to have a new owner who will continue to develop the business as an independent company. The divestment is expected to close during the second quarter of 2025. 

For the past two years, WithSecure has been focusing on profitable growth. The full company adjusted EBITDA (Continuing and Discontinued operations total) of 2024 was EUR 3.1 million (EUR -16.1 million). Full-year operative cash flow before financial items and taxes was EUR 2.1 million. We are pleased to report the improvement in profitability, demonstrating that the cost structure has been adjusted to a level that can sustain some volatility of revenue.

WithSecure, as a company, went through many changes in 2024. We had a sudden change of CEO in April, when the previous CEO Juhani Hintikka stepped down from his position. I was first appointed as interim CEO, and on 1 July 2024 as the CEO of WithSecure. I have had the pleasure of looking at the company from a new perspective, and appreciate the diversity, capabilities and excellence of our teams and partners. In May, we arranged our third SPHERE event for customers and partners. The event was marked by launches of our new products, but also by joyful meetings and inspirational speakers – even a detective story on cyber security was published at SPHERE. In October, our Helsinki team moved to our new Wood City headquarters that provide an environmentally sustainable and inspiring environment for working. 

At the closing of my first financial year as the WithSecure CEO, I would like to thank our personnel for their great work and change resilience. I also want to thank the WithSecure partners, customers, shareholders, and other stakeholders for your collaboration. We are looking forward to a great continued partnership with you in 2025.

Antti Koskela

Contents

Board of Directors’ report

Year 2024 was marked by modest growth rates and economic uncertainty in WithSecure’s main markets in Europe. Geopolitical situation remained tense and unpredictable. Increasing complexity of system landscapes, together with the rise of new technologies, are setting continuously new challenges for the cyber defenders.

After its strategy update in October 2023, WithSecure has been focusing strongly on the “mid-market playbook”, ensuring a comprehensive offering of cyber security products and services that enable small- and medium-sized companies to protect themselves from the complex threats, and to ensure they are prepared for the increasing regulatory requirements such as the NIS2 directive that is currently being implemented in the EU countries.

WithSecure’s Elements Company segment revenue grew by 4% from previous year and was 105.7 million. The growth is driven by the cloud-based security products and services, where the annual growth rate was 9%. Revenue from the on-premise and other legacy products declined by 12%, which is according to the company expectations.

Cloud Protection for Salesforce (CPSF), disclosed as a separate segment, is a software product ensuring scanning of external content for potential malware, before it is loaded into Salesforce. Customers are primarily enterprise-sized companies, with extensive use of Salesforce platforms. Its sales developed well in 2024, leading to a revenue growth of 14%. WithSecure continues to develop the CPSF as an independent business inside the group,in order to be prepared for future options.

On 23 January 2025, WithSecure announced that it has entered into an agreement intending to divest the Cyber security consulting business. Consulting is reported as part of the Discontinued operations result in the 2024 financials. As an exception from this rule, the segment reporting is based on the calculation principles applied during 2024, to ensure comparability.

Market overview

The global cybersecurity market is a rapidly evolving industry driven by increasing digitalization, growing cyber threats and the widespread adoption of cloud-based technologies. In 2024, the market experienced increasing security demands across industry verticals and sectors. Factors driving market expansion were among other things rising data breaches due to identity-based attacks, ransomware, increasing regulatory requirements and increasing adoption of AI. The global geopolitical tensions are also creating increased activity and threats for private and public organizations.

Constantly evolving attack vectors require continuous innovation in organization of all sizes. Overall economic uncertainty and IT budget constraints have slowed down the adoption of the latest cyber security technologies, especially among small and medium-sized enterprises (SMEs). At the same time third-party breaches across the supply chain and a global shortage of skilled cybersecurity professionals remain as pressing issues.

Globally organizations are investing in cyber defenses to combat growing threat levels in a digitized economy. North America holds the largest market share due to significant investments in cybersecurity infrastructure whereas in Europe the increased awareness of regulatory requirements has been contributing to steady growth.

AI capabilities have been increasingly introduced to improve productivity and reduce threat detection and response times. Stolen or compromised credentials remain the most prevalent attack vector that is addressed by emerging Identity Security solutions. Cloud Security continues as a high-growth segment as companies seek to protect their modern IT environments and cloud-based services. Organizations have started to recognize the need of moving their focus from reactive to proactive security approach that is fueling the demand for emerging exposure management solutions. There is also increasing demand for securing IoT devices and operational technology against vulnerabilities and cyberattacks. Managed security services will continue to address the skills and resource shortages.

The cybersecurity market is poised for sustained growth as organizations prioritize cyber resilience and compliance. With advancements in AI, cloud-native security, and exposure management, the industry is set to address increasingly complex threats while capturing new opportunities in emerging sectors.

Financial performance and key figures

Total revenue of Continuing operations increased by 6% to EUR 116.0 million from the previous year (EUR 109.9 million).

In 2024, WithSecure started to report its revenue split into three segments. Elements Company segment is split further to Elements Cloud products and services, On-premise products and Other revenue. Cloud Protection for Salesforce is a software product that is reported as a separate segment.

Third segment, Cyber security consulting, is reclassified to Discontinued operations, following the signing of a divestment agreement in January 2025. As a deviation from this rule, it is still presented as a segment in the segment reporting, following the previously applied calculation principles.

Elements Cloud products’ and services' revenue grew by 9% to EUR 83.3 million (EUR 76.1 million). The growth was driven by both new customer acquisition as well as expansion of existing customers to new products, especially Endpoint Detection and Response (EDR). Exposure Management and Identity security were launched in 2024 as new modules to the platform. Elements Cloud platform is regularly updated with new features to provide a comprehensive and up-to-date cyber security protection to the customers.

For cloud and on-premise products, WithSecure reports the Annual Recurring Revenue (ARR) on a quarterly basis to reflect the latest status of recurring revenue sales. The ARR is calculated by multiplying the monthly recurring revenue of the last month of the quarter by twelve. Monthly recurring revenue includes recognized revenue within the month excluding non-recurring revenues. In 2024, Elements Cloud ARR grew by 6% from previous year and was EUR 83.3 million (EUR 78.4million).

On-premise security products’ revenue declined by 12% to EUR 21.4 million (EUR 24.4 million). The decline is in line with WithSecure's expectations, it is a consequence of the customers moving their data processing to cloud environments.

CPSF revenue grew by 14% to EUR 9.4 million (EUR 8.3 million). ARR grew by 52% to EUR 12.8 million (EUR 8.4 million). Revenue growth was driven by both acquisition of new customers and expansions to existing customers.

Gross margin of Continuing operations for 2024 increased to EUR 92.6 million (EUR 86.8 million) and was 70.2% (65.1%) of sales. Continuous work on aligning technology platforms of the MDR solutions, as well as optimizing data processing costs has resulted in improved profitability.

Operating expenses, excluding items affecting comparability (IAC) as well as depreciation and amortization, declined to EUR 92.6 million (EUR 103.1 million). The development is mostly a result of cost savings and other efficiency measures taken by WithSecure in the past two years.

Items affecting comparability (IAC) were EUR -0.9 million (EUR -9.0 million). Of this, EUR -0.6  million is related to restructuring activities, EUR  -0.5 million to restructuring costs related to HQ relocation, EUR -1,0 million relates to  other strategy projects,  EUR +0.8 million to earn-outs and EUR +0.4 million to divestments.

Continuing Operations Adjusted EBITDA was EUR 2.0 million for 2024 (EUR -14.8 million in 2023. The improvement of profitability is partly related to the improved Gross margin. In addition, WithSecure has carried out cost savings and other efficiency measures to bring the operating expenses to a level that allows profitable growth.

Discontinued Operations result includes the Cyber security consulting segment result, adjusted to correspond with the scope of the divested business. In addition, the direct costs related to divestment, as well as impairment of the consulting-related goodwill are included in the Discontinued Operations results. A bridge between the segment and Discontinued Operations result is presented in the company's fourth quarter financial release.

Cash flow from operating activities before financial items and taxes was EUR 2.1 million (EUR -19.9 million). Negative operative cash flow in 2023 was driven by operative result as well as significant restructuring related costs. Improvement of cash flow is a result of revenue growth and cost efficiency measures.

Total change in cash was EUR -9.4 million (EUR -17.9 million), after deducting the payments of lease liabilities.

Acquisitions and financial arrangements

WithSecure did not carry out acquisitions during 2024.

Changes in the group structure

WithSecure did not have any changes in its group structure during 2024.

Capital structure - Combined operations

The Group’s liquid assets of EUR 27.3 million (EUR 36.6 million) consisted of cash and cash equivalents. Cash and cash equivalents include bank deposits with maturity of less than three months.

Research and development

WithSecure research and development expenditure in 2024 was EUR 35.0 million (EUR 36.3 million), representing 30% (33%) of revenue. Capitalized development expenses were EUR 1.7 million (EUR 3.0 million). WithSecure is a cyber security technology company for which the ability to innovate is imperative.

In 2024, WithSecure products have been recognized in third party technology evaluations. We believe this is for providing the best protection, advanced detection and effective response capabilities and high customer satisfaction. Gartner® yet again included WithSecure in their September 2024 Magic Quadrant™ for Endpoint Protection Platforms¹. During 2024, WithSecure achieved top marks in the scoring for Protection and Usability in AV-TEST’s continuous evaluation of the Elements portfolio. We feel this is a strong statement to the value of our solution that protects our customers effectively without sacrificing its precision. For the sixth consecutive year, WithSecure participated in MITRE’s ATT&CK® Enterprise evaluation. This year's evaluation was more sophisticated than before, featuring a revised methodology and challenging participants with multiple emulated threat actors. WithSecure's performance was impressive and showed a significant improvement from last year. WithSecure Elements effectively detected threat actor activity in a way that was actionable and minimized unnecessary alerts and false positives, ensuring user productivity was not disrupted.

As a leading European cybersecurity vendor, WithSecure is dedicated to continuously monitoring the evolving threat landscape and tracking malicious actors and adversaries. In 2024, WithSecure made significant strides in exposing threat actor activity through groundbreaking research on KrustyLoader and Kapeka, effectively weakening their tools and operations. The company also published reviews addressing key aspects of the threat landscape, including the trend of mass exploitation of Edge Services and Infrastructure, the state of the ransomware landscape, and the cyber threats facing the 2024 Olympic Games. Furthermore, successful collaboration with law enforcement officials in cyber security related matters has been part of WithSecure’s activities, reflecting the company’s unwavering dedication to making the world safer.

WithSecure also focused extensively on the topic of Large Language Models (LMM) and the challenges and opportunities that they bring to cybersecurity, resulting in several highly visible publications. WithSecure team have advised many high-profile entities and media outlets on the topic and plans to continue researching what happens at the intersection of cybersecurity and AI. The results of the research are regularly shared on the WithSecure™ Labs website.

Year 2024 brought along advancements to the WithSecure product and service offering. Building on the Elements launches of the previous year, WithSecure continued to further develop the unified capabilities of its Elements Cloud platform. WithSecure launched Elements Exposure Management, a completely new product enabling organizations to proactively identify cyber security exposures and mitigate them to reduce risk and ensure compliance. Elements Exposure Management builds on WithSecure’s decades of cyber security research and expertise, incorporating new technologies and approaches such as the heuristic attack path engine that emulates how a real-world cyber attacker would attempt to breach an organization.

WithSecure further strengthened its offering in Extended Detection and Response (XDR) by launching Elements Identity Security to detect and respond to identity-based threats. For organizations with limited cyber security skills and resources, WithSecure launched WithSecure Managed Detection and Response (MDR) tailored to the needs of mid-size companies being served by local IT partners and managed service providers.

A testament to WithSecure’s continued innovation was the launch of W/Luminen, WithSecure’s AI assistant that utilizes advanced artificial intelligence and large language models (LLMs). W/Luminen provides users with immediate, actionable, and context-specific analysis of any security events in their organization as well as recommendations on how to resolve and proactively mitigate cyber security threats.

1. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. The Gartner content described herein (the “Gartner Content”) represents research opinion or viewpoints published, as part of a syndicated subscription service, by Gartner, Inc. ("Gartner"), and is not a representation of fact. Gartner Content speaks as of its original publication date (and not as of the date of this Annual Report), and the opinions expressed in the Gartner Content are subject to change without notice.

Organization and management

At the end of 2024, WithSecure had 961 employees (1,087). Of this, 731 (813) are employees of the Continuing operations, and 230 (274) are employees of the Discontinued operations. Reduction of employees is partly resulting from normal attrition, partly from the restructuring at the end of 2023.

On 8 April 2024, Juhani Hintikka, President and CEO of WithSecure, announced that he steps down from his position in the company. The decision to step down follows the Supreme Court ruling of 5 April 2024 where Juhani Hintikka was found guilty of abuse of inside information related to a matter dating back to 2014, years before he joined WithSecure. The Board of Directors appointed Antti Koskela to act as the interim CEO of the company. As of 1 July 2024, Antti Koskela was appointed as President and CEO of WithSecure. Pilvi Tunturi was appointed as interim Chief Product Officer.

As of 1 November 2024, following the organizational updates of WithSecure, Scott Reininga’s position ceased to be a part of the Global Leadership Team.

At the end of the year, the composition of the Global Leadership Team was the following: Antti Koskela (President and CEO), Christine Bejerasco (Chief Information Security Officer), Lasse Gerdt (Chief Customer Officer), Charlotte Guillou (Chief People Officer), Tom Jansson (Chief Financial Officer), Tiina Sarhimaa (Chief Legal Officer), Pilvi Tunturi (interim Chief Product Officer), and Ari Vänttinen (Chief Marketing Officer).

On 1 January 2025, following the organizational updates of WithSecure, Charlotte Guillou became Chief Culture and Performance Officer, Lasse Gerdt became Chief Revenue Officer, and Pilvi Tunturi became Chief Customer Officer. Nina Laaksonen and Artturi Lehtiö are sharing the Chief Product Officer responsibilities as interim arrangement. On 1 January 2025, Ari Vänttinen left the company and the Global Leadership Team.

Shares, Shareholders’ equity, Own shares

WithSecure has one share class. The total number of company shares is currently 176,098,739. The company’s registered shareholders’ equity is EUR 80,000. The company held 81,890 of its own shares at the end of the financial year.

The company holds its own shares to be used in the incentive compensation plans, for making acquisitions or implementing other arrangements related to the company’s business, to improve the company’s financial structure or to be otherwise assigned or cancelled.

In January–December, 32,248,332 (59,951,540) of WithSecure’s shares were traded on the Helsinki Stock Exchange. The highest trading price was EUR 1.25 (1.74), and the lowest price was EUR 0.70 (0.74). The volume weighted average price of WithSecure’s shares in 2024 was EUR 0.95 (1.28). The share’s closing price on the last trading day of the year, 31 December 2024, was EUR 0.76 (1.04). Based on that closing price, the market value of the company’s shares, excluding the treasury shares held by the company, was EUR 133.2 million (182.2 million).

The company currently has share-based incentive plans covering management and key personnel of the Group, as well as a share savings plan available to all employees. Information on the programs is provided in note 16 Share-based payment transactions of the Financial Statements, as well as the Remuneration Report.

Risks and uncertainties

WithSecure operations are subject to risks and uncertainties that can impact the business performance, profitability, financial position, market share, reputation, share price or the achievement of its short-term and long-term objectives. These risks and uncertainties described here should not be considered as an exhaustive list.

The objective of WithSecure risk management is to identify various risks that could have an impact on the business, and to implement appropriate measures to mitigate the risks. In assessing the risks, WithSecure considers both the probability and the potential impact of each risk, as well as the resources required to manage and mitigate the risk. Ensuring business continuity in all situations is an essential part of the risk management. WithSecure risk management principles and process are described in the Corporate Governance Statement. The sustainability-related risks and uncertainties have been discussed in the Sustainability Report. Financial risks are discussed in more detail in the note 18 Management of financial risks to the Financial statements.

Risks related to cyber security market

The cyber security market is scattered to many providers of software and services. The large market participants are investing heavily in the development of embedded security and winning market share. Market consolidation is considered a likely development. WithSecure must succeed in its chosen strategy as well as in finding the right acquisition targets, and in integrating the acquired companies into its operations. As one of the smaller players in the market, the company must always keep itself relevant to the customers, by ensuring both up to date technology and good quality, timely services. Additionally, WithSecure must address brand recognition among the target audience to effectively differentiate itself from competition

Geopolitical uncertainties, such as the war in Ukraine, have significantly increased the risk of unexpected disruptions of the world economy and security stability. Likelihood of acts of terror impacting societal infrastructures has increased with this development.  Any such events could also impact WithSecure’s ability to run its business. The increasing activity of nation-state cyber criminals will continue to impose business interruptions also during 2025.

For corporate responsibility reasons, WithSecure is not conducting business with any Russian or Belarussian parties, even in cases where it would be permitted by the export control regulations.

WithSecure operates in different countries and is therefore exposed to country risks of each location. Changing circumstances and regulation in different operating countries is exposing WithSecure to compliance risks, such as unfavorable tax treatment or export controls.

As part of the sustainability materiality analysis, WithSecure has assessed the impact of the environmental risks, especially climate change, on its business. The company is a provider of software and services, and as such not significantly impacted by the environmental risks. Business continuity planning covers scenarios related to unavailability of resources due to natural disasters or other hazards, including potential supply chain disruptions.

Risks related to WithSecure operations and products

Unavailability of skilled personnel may result in inability of providing high-quality products and services to customers. Competition for skilled personnel is increasing and there is structural undersupply of talent in the cyber security industry. WithSecure is continuously developing and adopting new ways of recruitment, building its own talent and knowledge pools, and investing in training and development of personnel to attract and retain talent.

WithSecure’s cyber security products and services market model is very dependent on a functioning partner channel and network.  It is critical for WithSecure to ensure it has the right partners in the regions and that the partners receive the needed support, and that WithSecure’s cyber security offering is made available accordingly to the local demand. Not being able to serve the needs of the partners needs could result to negative impact on WithSecure’s business performance.

WithSecure operates in a highly competitive market. Cybercrime is growing fast and becoming more innovative and professional. Large vendors make significant investments in their development and marketing activities, while new vendors are emerging in the market, and the operating system manufacturers are increasing their focus on built-in security features. WithSecure must succeed in maintaining in-depth understanding of cyber security threat landscape, following the hacker techniques and technologies, as well as continuing to innovate in defensive technologies.

Investments in new technologies and products come with the risk of not meeting the future requirements of the market. Agile methods are applied by WithSecure to ensure that its decisions regarding future technologies are aligned with the best information and expectations of the market developments.

Exposure to cyber security incidents threatens the confidentiality, integrity, and availability of WithSecure products and services, and their mitigation is considered as high priority in all parts of the company. WithSecure builds cyber resilience by continuously improving its capability to identify, protect, detect, and respond to relevant threats. Continuous efforts are taken to protect sensitive data of the company and its customers.

WithSecure protects its technologies and innovations through copyrights, patents, trademarks, and technology partnerships. While WithSecure uses all available protection mechanisms, the businesses are exposed to risks relating intellectual property claims, particularly in the US markets.

Financial risks

Cost inflation in the countries where WithSecure operates increases the risk for negative development of the cost structure. This is monitored very closely, and inflation will also most likely require mitigation actions to retain workforce in the company. Increasing interest rates could limit the possibilities of external funding.

As a company still improving its profitability, WithSecure must focus on accurate cash planning and prompt collections to ensure liquidity of all group companies and to avoid needs of short-term financing.

Increasing volume of operations outside the Euro zone in different currencies exposes WithSecure to an increased risk related to currency fluctuations. To mitigate the impact of currency fluctuations on future cash flows, the group can use forward contracts. 

Annual General Meeting

The Annual General Meeting (AGM) of WithSecure Corporation was held on 20 March 2024. The meeting confirmed the financial statements for the financial year 2023 and reviewed the remuneration report for governing bodies. The members of the Board and the President and CEO were discharged from liability.

The meeting approved the proposal of the Board of Directors that no dividend will be paid for the financial year 2023 due to the loss-making net result of the year. The company will focus on funding its growth and developing the business.

The AGM decided that the annual remuneration of the Board of Directors will remain unchanged: EUR 80,000 for the Chair of the Board of Directors, EUR 48,000 for the Committee Chairs, EUR 38,000 for the members of the Board of Directors, and EUR 12,667 for the member of the Board of Directors employed by the Company. Approximately 40% of the compensation will be paid in company shares.

The AGM decided that the number of Board members shall be seven. The following current Board members were re-elected: Risto Siilasmaa, Tuomas Syrjänen, Kirsi Sormunen and Ciaran Martin. Amanda Bedborough, Niilo Fredrikson and Harri Ruusinen who belongs to the personnel of WithSecure Corporation, were elected as new members of the Board of Directors.

The Board elected Risto Siilasmaa as the Chair of the Board. Tuomas Syrjänen was nominated as the Chair of the Personnel Committee and Risto Siilasmaa and Niilo Fredrikson as members of the Personnel Committee. Kirsi Sormunen was nominated as the Chair of the Audit Committee and Ciaran Martin, Amanda Bedborough and Harri Ruusinen were nominated as members of the Audit Committee.

Audit firm PricewaterhouseCoopers Oy was re-elected as Auditor of the Company. Mr. Jukka Karinen, APA, acts as the responsible auditor. 

The sustainability audit firm PricewaterhouseCoopers Oy was elected as the Company’s sustainability auditor. Mr. Jukka Karinen, ASA, will act as the responsible sustainability auditor.

The AGM authorised the Board of Directors to resolve upon the repurchase of a maximum of 17,609,870 of the Company's own shares in total. The maximum amount equals to approximately 10% of all the shares in the Company, in one or several tranches with the Company's unrestricted equity. The AGM authorised the Board of Directors to resolve on the issuance of a maximum of 17,609,870 shares in total through a share issue as well as by issuing options and other special rights entitling to shares pursuant to chapter 10, section 1 of the Companies Act in one or several tranches. The maximum number of shares corresponds to 10% of all shares in the Company. The authorisation concerns both the issuance of new shares and the transfer of treasury shares held by the Company.

Full disclosure of the AGM resolutions, as well as the organizing meeting of the Board of Directors held on the same day, has been provided in the Stock Exchange release of 20 March 2024.

Outlook for 2025

Annual Recurring Revenue (ARR) for Elements Cloud products and services will grow by 10-20% from the end of 2024.
At the end of 2024, Elements Cloud ARR was EUR 83.3 million.

Elements Company segment's Adjusted EBITDA will be 3-7% of revenue.

Annual Recurring Revenue (ARR) for Cloud Protection for Salesforce (CPSF) will grow by 20-35% from the end of 2024.
At the end of 2024, CPSF ARR was EUR 12.8 million.

Cyber security consulting business will be divested in 2025. Elements company and CPSF will have their own guidance going forward. Both are recurring, subscription-based businesses, which is reflected in the new guidance.

Over the next three years (2025-2027), WithSecure will become a “Rule of 30+” company. The components of the target are

• Annual revenue growth as percentage

• Adjusted EBITDA as percentage of revenue
  WithSecure is targeting to reach a sum of the components that exceeds 30.

Sustainability reporting

WithSecure has prepared its Sustainability report in accordance with the Corporate Sustainability Reporting Directive (CSRD) and the related Finnish legislation. Full Sustainability report is attached to this report of the Board of Directors.

Board of Directors’ proposal for disposal of distributable funds

WithSecure’s dividend policy is to pay approximately half of its profits as dividends. Subject to circumstances, the company may deviate from this policy. On 31 December 2024, WithSecure Corporation’s distributable funds totaled EUR 77.5 million of which net result for the financial year was EUR -44.0 million. No material changes have taken place in the company’s financial position after the balance sheet date. WithSecure’s Board of Directors proposes that no dividend will be paid for 2024. The company will focus on funding its growth and developing the business. Net loss for the year is retained in the shareholders’ equity.

Events after period-end

After the end of the financial year, on 23 January 2025, WithSecure announced the sale of its Cyber security consulting business to Swedish investment firm Neqst. The transaction is executed by the sale of shares of the parent company of a to-be-established WithSecure cyber security consulting group, to which the consulting business will be transferred prior to the completion of the transaction. As a result of the agreement, total of approximately 250 employees located in Finland, UK, Sweden, Denmark, Singapore, Italy, and US are expected to transfer to the buyer. Cyber security consulting is presented as Assets and liabilities held for sale in the financial reporting of 2024, and the financial result is classified as Discontinued operations.

Key figures

1. For years 2024-2023, the figures have been restated to reflect continuing operations only according to IFRS 5.
2. For years 2024-2021, the figures have been restated to reflect continuing operations only according to IFRS 5.
3. From 2021 onwards, the figure is presented without investments to leased assets.

1. Board proposal

Calculation of key ratios

Reconciliation of alternative performance measures

Classification of adjusted income in other operating income

Shares and shareholders

Shares and share ownership distribution, Dec 31, 2024

Largest shareholders and administrative register

Ownership of management

The Board of Directors and executive team owned a total of 60,660,847 shares on December 31, 2024. This represents 34.4 percent of the Company's shares and 34.5 percent of votes.

General information

BP-1 General basis for preparation of sustainability report

WithSecure reports in accordance with the EU Corporate Sustainability Reporting Directive (CSRD) (2022/2464), which guide the contents of this sustainability report. This report is referred to as WithSecure’s Sustainability Report (also “report”), as determined according to the Finnish Accounting Act (1336/1997). The report is compiled with reference to the European Sustainability Reporting Standards (ESRS) issued by the European Financial Reporting Advisory Group (EFRAG). The report is prepared in accordance with the Finnish Accounting Act Chapter 7.

The report has been prepared on a consolidated basis, according to the same principles as the financial statements. The accounting policies applied for the sustainability report have been applied consistently in the financial year and for comparative figures, when those are presented.

Information pertaining to the material risks, impacts and opportunities takes WithSecure’s upstream and downstream value chain into account. The disclosed data points and sustainability matters have been assessed according to the conducted Double Materiality Assessment (DMA). Please see the section on “Business model and value chain” for more details about WithSecure’s value chain and the section “SBM-3 Material sustainability-related impacts, risks and opportunities” for more details about the methodology and outcome of the Double Materiality Assessment.

WithSecure has not used the option to omit a specific piece of information corresponding to intellectual property, know-how or the results of innovation.

WithSecure has chosen to use the transitional provision for presenting comparative information for the report’s metrics and will thus not be presenting comparative information. The exception to this is the Greenhouse Gas (GHG) emission calculations, where comparative and base year figures will be presented.

Additionally, WithSecure will omit data points on work-related ill-health cases and days lost to injuries, accidents, fatalities, and work-related ill health for the first year of the sustainability report. The company will also omit information on anticipated financial effects for the first year of the sustainability statement.

BP-2 Disclosures in relation to specific circumstances

WithSecure announced the intention to sell of the company's Consulting business in January 2025. This divestment is reflected in the financial statements, which include the accounting treatment of the business as discontinued operations. However, this divestment does not significantly impact the information presented in the sustainability report, as there is no change in the identified material impacts, risks, and opportunities. The main business model of WithSecure remains unchanged. The metrics presented in the sustainability report reflect the situation at the end of 2024, with the divestment set to be realized in 2025. An exception to this is in the section “S1-6 Characteristics of the undertaking’s employees”, where all employee-related figures are presented separately for continued and discontinued operations. This distinction is made as these figures impact certain personnel-related KPIs included in the financial statements.

GHG emissions are presented and accounted for in full for the entire company, including the discontinued operations, as they occurred before the divestment, and would otherwise be partially unreported. The personnel-related metrics in sections S4 and G1, such as the employee training rate metrics, are relative to the total number of employees, so changes are not material as they reflect the status of 2024. Similarly, most of the S1 metrics are either relative to the total amount of employees or contain sensitive information, making it impractical to differentiate which entity those figures belong to without infringing on the privacy of WithSecure's continued and discontinued operations' employees.

The time horizons used for the impact and financial materiality assessments align with the time horizon definitions of the ESRS. Short term is within 1 year, medium term is 1-5 years, and long term is beyond 5 years.

Unless otherwise specified, none of the metrics presented in this report are subject to external assurance beyond the audit assurance provided for this report. The comparable figures are not within the scope of this audit assurance. In case a metric is subject to external assurance, it is clearly stated. The targets presented in this report are not science-based.

The information presented in this report is mainly based on internal data and estimations derived from such data. Assessments and estimates are used in the reporting of some data points, which are updated based on newer estimates and judgements when needed. Changes are recognized in the period when the estimate is updated. The use of assessments and estimates based on indirect sources, as well as the associated possible measurement uncertainty have been disclosed and described in connection to those datapoints specifically. In the case of this report, the use of such external information is limited to the Greenhouse Gas (GHG) emission calculations. Such instances where indirect sources are used are described in greater detail in the GHG emissions calculation methodology descriptions per each emission category. They are presented in the respective sections in the report section “E1-6 Gross Scopes 1, 2, 3 and Total GHG emissions”.

Disclosures stemming from other legislation or generally accepted sustainability reporting standards and frameworks include the analysis of business activities under the Taxonomy Regulation (2020/852) of the European Union.

In addition, WithSecure’s carbon footprint is calculated for the third consecutive year. The GHG data points for scopes 1-3 are reported based on the Greenhouse Gas Protocol. WithSecure’s results and plans on the company’s strategy’s sustainability program are presented in their own section of the report.

The results of the Taxonomy analysis and the GHG calculations are presented in the “Environmental information” section of this report, under “EU Taxonomy” and “E1-6 Gross Scopes 1, 2, 3 and Total GHG emissions” respectively.

In terms of disclosures incorporated by reference to other parts of the Annual report, there is no referencing to other parts of the Annual report.

GOV-1 – GOV-5 Sustainability governance

This section of the sustainability report provides information about WithSecure’s sustainability governance. This includes descriptions of the governance processes, controls and procedures put in place to monitor, manage and oversee sustainability matters. The information covers the administrative, management and supervisory bodies of WithSecure. This section also outlines the general duties, composition, diversity and relevant experience of the members of these bodies.

WithSecure established governance principles for its sustainability program in 2022. In 2023, the Sustainability policy was approved as the basis of the company’s sustainability work. In 2024, WithSecure has actively worked to implement the objectives of the sustainability policy in the company’s operations.

An overview of the material ESRS topics and their assessment method for the identified material impacts, risks and opportunities are detailed under the section “SBM-3 Material sustainability-related impacts, risks and opportunities”. A detailed descriptions of these impacts, risks and opportunities per each ESRS topic can be found in the beginning of the respective ESRS topic sections in this report. The accompanying table showcases the material impacts, risks and opportunities addressed by the administrative, management and supervisory bodies, or their relevant committees during the year 2024.

GOV-1, GOV-2 The role of, information provided to and sustainability matters addressed by the administrative, management and supervisory bodies

Board of Directors and Board Committees

WithSecure’s administrative body is the Board of Directors ( “the board”). The Board of Directors has seven members, of which six are non-executive. The one executive member is a member elected from WithSecure’s personnel.

The Board of Director’s Audit Committee is the supervisory body of WithSecure. The Audit Committee is neither a decision-making nor an executive body. The Board of Directors appoints from among itself the members and the Chair of the committee. The Audit Committee has four members, of which three are non-executive. The independence of the members is determined based on their independence of the company, not independence of major shareholders.

In terms of the Board of Directors’ roles and responsibilities, WithSecure’s Board of Directors is the highest administrative body in charge of sustainability matters in the company. As sustainability is incorporated into WithSecure’s business strategy in form of the sustainability program, sustainability matters are a scheduled agenda item in Board of Directors’ meetings annually. The Board of Directors approves the high-level priorities and objectives regarding sustainability. The Sustainability report is approved by the Board of Directors, as part of the approval of the Board of Directors report.

The Board of Directors is also involved in approving the identified sustainability-related impacts, risks and opportunities and determining that their mitigation and management has been adequately integrated into the company’s sustainability program. The Global Leadership Team (GLT) members set and accept the sustainability-related targets on an operational basis. The progress in targets is presented to the Board of Directors annually. The Board has the final authority to approve these targets when they review and approve the full annual report. By having the authority for the final approval of sustainability related targets, they are also inherently involved in setting these targets.

Similarly, the most senior level accountable for WithSecure’s material sustainability-related policies is the Board of Directors. The most senior level accountable for the implementation of these policies are the GLT members of each business unit most closely associated with the respective policy. They approve the updates to the policies. From there, the implementation of the policies is further delegated to individuals, teams or functions within WithSecure.

The Audit Committee oversees this progress by reviewing and monitoring the status of the company’s strategic sustainability related targets. As the Audit committee members are also members of the Board of Directors, they are also involved in setting the sustainability related targets. In addition to overseeing these targets and sustainability reporting, the Audit Committee also reviews policies and makes recommendations to the Board of Directors, who have the authority to approve these policies.

Risk management and internal control processes at WithSecure seek to ensure that risks related to business operations and the related sustainability matters of the company are properly identified, evaluated, monitored and reported in compliance with the applicable regulations. The risk assessments are updated on regular intervals to be in line with current information at the time of evaluation.

WithSecure’s Board of Directors defines the principles of risk management, internal controls and business conduct, which are followed within the company. The President and Chief Executive Officer (“CEO”) of WithSecure is accountable for ensuring that the risk management principles are implemented and applied constantly and consistently across the organization.

The Audit Committee assists the Board of Directors in the supervision of WithSecure’s risk management function. The Audit Committee’s roles and responsibilities include reviewing, instructing and evaluating risk management, internal supervision systems, IT strategy and practices, financial and sustainability reporting as well as auditing of the accounts and internal auditing.

The Board of Directors and the Audit Committee are kept informed of the relevant sustainability-related issues and they are expected to maintain relevant knowledge to manage and oversee sustainability-related matters. The Board members possess a mix of diverse backgrounds, expertise and experience, which strengthens the Board’s performance and promotes creation of long-term shareholder value. The sustainability-related expertise that they either directly possess or can leverage is gained through access to both internal and external experts and training. This ensures that the members are well-equipped to handle these responsibilities. This sustainability related expertise includes but is not limited to for example the S4 sub-topic “Information related impacts for consumers and end-users”.

The Board of Directors also regularly reviews sustainability-related matters, presented by both internal and external experts. These reviews enable the Board members to stay informed and maintain their competences. In the section "GOV-4 Statement on due diligence" it is described how WithSecure's governance structure engages in sustainability efforts, including how the administrative bodies are informed about the implementation of due diligence. This description also includes the monitoring of the results and the effectiveness of policies, actions, metrics, and targets adopted that address the identified material impacts, risks, and opportunities.

The Group’s CEO and Global Leadership Team

WithSecure’s management body is the CEO and the Global Leadership Team (GLT). The GLT supports the CEO in the daily operative management of the company. The GLT has seven members, of which all are executive members from WithSecure’s personnel.

The Global Leadership Team (GLT) is responsible for the implementation and supervision of the strategy, including sustainability program. WithSecure’s Chief Financial Officer (CFO) oversees the sustainability coordination and ensures that the sustainability program is appropriately resourced and working on the right areas, supporting the program’s priorities. Each program topic has a “home team” which executes the program as part of their other work. The GLT owner of each home team is responsible for achieving their area's sustainability objectives. Any sustainability-specific topics are the CFO’s responsibility. The GLT members are considered as the most senior level accountable for the implementation and supervision of the sustainability-related policies and actions.

The GLT is represented in the sustainability team that engages in the day-to-day sustainability operations. Thus, the GLT members have an active role in determining and overseeing how the identified material impacts, risks and opportunities manifest in the company’s ground-level operations. GLT members who are responsible for specific sustainability areas have taken part in the double materiality assessment. They also hold responsibility for following internal analysis of how the sustainability program is implemented and any possible implications of both external and internal sustainability matters.

In regard to experience related to WithSecure’s identified impacts, risks and opportunities, the GLT members exhibit relevant skills and expertise. Several members hold prior working experience and knowledge gained through additional training on matters related to the identified material impacts, risks and opportunities. This enables them to also keep the Board of Directors informed of relevant matters.

GOV-3 Integration of sustainability-related performance in incentive schemes

Sustainability-related performance – including climate-related considerations – has not been integrated into WithSecure’s incentive schemes. The incentivising metrics and methods need to be adequately functioning and serve WithSecure’s business model and operational industry. WithSecure explores potentially suitable metrics and inclusion methods of sustainability-related matters into incentive schemes.

GOV-4 Statement on due diligence

WithSecure’s Board of Directors and the President and CEO are responsible for the company’s governance. WithSecure’s corporate governance practices are based on applicable Finnish laws, the rules of Helsinki Stock Exchange (NASDAQ Helsinki Oy) and the regulations and guidelines of Finnish Financial Supervisory Authority as well as the company’s Articles of Association.

WithSecure’s sustainability due diligence process ensures that the company identifies, prevents, mitigates and accounts for how WithSecure addresses the actual and potential negative impacts the company might have both in its own operations as well as within the value chain.

Due diligence has been embedded in the governance, strategy and business model of WithSecure. This is showcased through the level of information provided to and the sustainability matters addressed by the company’s administrative, management and supervisory bodies, as is described in greater detail under the section “GOV-1, GOV-2 The role of, information provided to and sustainability matters addressed by the administrative, management and supervisory bodies”. The administrative, management and supervisory bodies have also participated in the double materiality analysis through which the material impacts, risks and opportunities were determined. This ensures that they are deeply engaged with the foundation for sustainable conduct at WithSecure.

Affected stakeholders are engaged with in all key steps of the due diligence process. Their views were integrated in the double materiality analysis to identify WithSecure’s material impacts, risks and opportunities ensuring that they have had the possibility to influence and guide the company’s conduct. The stakeholders’ perspectives are also continuously taken into account in periodic policy updates. They have the possibility of informing the company of their views through various channels, including public-facing contacts like investor relations and the whistleblowing channel. Additionally, they can use direct internal contacts available to, for instance, the suppliers and partners in WithSecure’s value chain.

As part of the due diligence process, WithSecure has taken great care in identifying and assessing the impacts, risks and opportunities related to people and the environment through the double materiality analysis. The identified material impacts and their assessment processes have been detailed in the section “IRO-1 Description of the process to identify and assess material impacts, risks and opportunities“ that is under the section “SBM-3 Material sustainability-related impacts, risks and opportunities”.

To mitigate the risks and to emphasize the positive impacts and opportunities identified in the double materiality analysis, WithSecure engages in various courses of action per each material topic, sub-topic and sub-sub-topic. The effectiveness of these actions is tracked through a set of metrics and targets. These actions, metrics and targets are detailed separately for each topical standard section in this report.

WithSecure’s due diligence is an ongoing process that responds to changes both in the company’s operations as well as the surrounding environment and society. The company is planning on updating its double materiality analysis during the year 2025 to ensure that the most current information and stakeholder views are taken into account.

GOV-5 Risk management and internal controls over sustainability reporting

Risk Management

Risk management and internal control processes at WithSecure seek to ensure that risks related to the business operations of the company are properly identified, evaluated, monitored and reported in compliance with the applicable regulations.

WithSecure’s Board of Directors defines the principles of risk management and internal controls which are followed within the company. The Audit Committee assists the Board of Directors in the supervision of WithSecure’s risk management function. The CEO is accountable for ensuring that the risk management principles are implemented and applied constantly and consistently across the organization.

The primary goal of WithSecure’s risk management principles is to empower the organization to identify and manage risks more effectively. The potential negative impact and probability of different situations arising from WithSecure’s business operations on the company, its customers, or its partners are monitored as part of the risk management process. Another objective of the risk management is to constantly monitor and pro-actively control the impact and/or probability of situations derived from WithSecure’s business operations which may have a negative impact on WithSecure, its customers, or its partners. Proactive monitoring, risk simulation and stress testing also allows building strategic resilience in the company and its business operations. Risk management may also be utilized to identify opportunities for benefit.

WithSecure promotes continuous risk evaluation by the company’s personnel. The relevant operational risks identified through the risk management process are regularly reviewed by the CEO and Global Leadership Team. Risk Management is an integrated part of WithSecure’s governance and management, and the risk management process is aligned with the ISO-31000 standard. The Audit Committee regularly conducts a review of top operational risks and evaluates the effectiveness of the risk management system.

Internal Control

Internal Control, supported by Risk Management, is an important element of WithSecure’s management system. The Board of Directors is responsible for ensuring that the operating principles for internal control have been defined, and that the company monitors the functioning of internal control.

WithSecure has defined its objectives for internal control based on the globally applied principles. Internal control consists of e.g. policies, processes, procedures as well as control and monitoring activities. Internal Control is designed to provide a high level of assurance regarding the achievement of WithSecure’s objectives in following categories:

• Effectiveness, efficiency and transparency of operations on all levels in accordance with the WithSecure strategy

• Reporting, including financial and non-financial, external and internal, to the Board, management, shareholders and stakeholders being complete, reliable, relevant and timely

• Compliance with applicable laws, regulations and WithSecure policies and instructions

WithSecure’s Internal Control Operating Principles define the roles, design and practices of internal control. The principles provide guidance on how internal control is implemented at different levels, systems and amongst employees and outsourced functions. Internal control over financial reporting consists of risk identification and assessment, processes and internal control points and internal control monitoring and reporting.

Sustainability Reporting

In WithSecure’s sustainability reporting, the role of internal control is important to ensure transparency and accountability. The internal control catalogue and Internal Control Operating Principles include dedicated sections to ensure that WithSecure’s sustainability reporting is conducted timely and accurately, following the relevant regulations. Sustainability-related matters are regularly addressed by the administrative, management and supervisory bodies.

SBM-1 Strategy, business model and value chain

As part of WithSecure’s strategy, WithSecure has implemented a sustainability program, to ensure that sustainability issues are addressed in the company’s strategy. The leading guideline of WithSecure’s sustainability program is Maximizing Net Impact – on the planet, people and society. The objective of the program is to ensure that sustainability is embedded in all the company’s decisions. WithSecure also wants to ensure transparency of the company’s activities to the users of its reporting.

WithSecure offers cyber security products and services for business customers globally. The company’s role of protecting the digital society and preventing damages and losses caused by cybercrime is its most important contribution to a more sustainable world. With this role, WithSecure’s activities will always generate a positive impact on society. By preventing cyberattacks, WithSecure helps businesses to avoid financial losses and data breaches, which supports economic stability and trust in digital society. A well-functioning digital society is a major enabler of sustainability. Through its efforts, WithSecure helps create a secure digital society, reducing the need for materials and transportation. This supports a more sustainable world. As businesses become more data-driven and vulnerable to attacks, WithSecure’s work in protecting them remains its most important contribution to sustainability.

However, WithSecure’s aims to go further. The company strives to ensure its activities positively impact the planet, people and society. WithSecure wants to share the accumulated knowledge and support parties who cannot always defend themselves.

In terms of environmental impact, WithSecure’s carbon footprint is not high, as is described in more detail in the section “E1-6 Gross Scopes 1, 2, 3 and Total GHG emissions”. Nevertheless, WithSecure recognizes that the company must do its part in minimizing the environmental impacts of company’s products as well as its own activities.

People are also at the heart of WithSecure’s sustainability endeavours. WithSecure employs highly skilled experts around the world and want to support their wellbeing and growth opportunities. The company’s aim is to reach the sustainability goals with the support of the 961 employees divided between the 15 offices globally. The headcount of employees by geographical areas is described in the section “S1-6 Characteristics of the undertaking’s employees”. The major office locations are Helsinki (Finland), London (UK), Kuala Lumpur (Malaysia) and Poznan (Poland). The rest of the global offices are scattered across Europe, North America, Japan, and Asia Pacific. All offices respond to the requests of WithSecure’s international partners, customers and other stakeholders.

WithSecure does not operate in the fossil fuel sector or with chemical production, controversial weapons, and cultivation and production of tobacco.

WithSecure’s internal operations must always follow high ethical standards. None of WithSecure’s products and services are banned in certain markets. For corporate responsibility reasons, WithSecure has however chosen to not conduct business with any Russian or Belarussian parties, even in cases where it would be permitted by the export control regulations.

WithSecure’s sustainability related goals are followed on group level, which aligns with the financial reporting being followed based on one segment. Due to the nature of the business, revenue is reviewed at group level. There are no separate sustainability goals per individual product or service group, customer category, geographical area or stakeholder relationship.

Business model and value chain

WithSecure’s business model is based on providing cyber security software and services to its customers. The company’s clientele consists of other companies, mainly sales partners and their customers who then make up the end-user base of WithSecure’s services.

Defining WithSecure’s value chain ensured that the materiality assessment considered sustainability topics, sub-topics and sub-sub-topics broadly and throughout the value chain. All the ESRS Standard topics have been screened throughout WithSecure’s value chain.

WithSecure’s upstream value chain consists of equipment and materials manufacturing, where for example hardware and data transmission networks for WithSecure’s suppliers is processed. The value chain continues to WithSecure’s suppliers who provide WithSecure with software and cloud services, equipment and third-party services, such as marketing. Moving downstream from WithSecure’s own operations, which consist of digital product design and cyber security solutions, are WithSecure’s sales partners. Lastly in the downstream value chain are WithSecure’s customers companies and end users, including WithSecure’s customer companies and their employees.

SBM-2 Interests and views of stakeholders

WithSecure has identified six different groups of stakeholders. Three stakeholder groups – namely the employees, the partners, and the investors and financial analysts – have participated in the company’s double materiality analysis directly. This ensures that their views have been integrated in WithSecure’s material impacts, risks and opportunities related to the scope of the standard topics ESRS S1 “Own workforce” and ESRS S4 “Consumers and end-users”.

Other stakeholders’ views were gathered through different means, such as surveys and interviews. As a part of the information gathering, the stakeholder groups’ expectations for WithSecure were determined, the engagement and their possibilities of communicating with WithSecure were evaluated, and the expected outcomes as well as activities were also identified.

WithSecure’s stakeholder inclusion in the double materiality analysis process highlights the company’s commitment to actively listen to and engage with its stakeholders. To enable the understanding of the stakeholders’ expectations and concerns, an ongoing engagement is maintained. The continuous dialogue facilitates the communication of WithSecure’s sustainability efforts and processes. This enables WithSecure to align its sustainability-related efforts with the interests and views of the company’s stakeholders.

The administrative, management and supervisory bodies of WithSecure are informed about the views and interests of affected stakeholders regarding WithSecure’s sustainability-related impacts. Most recently, the views and interests of affected stakeholders were thoroughly determined as part of the double materiality analysis. The comprehensive stakeholder interviews that were held ensured that the views and interests of the stakeholders were acknowledged. Through the identification of the material impacts, risks and opportunities, these views have been integrated into the WithSecure’s sustainability program.

The table below exemplifies WithSecure’s different stakeholder groups and their sustainability-related expectations for WithSecure. The table also outlines different engagement methods and examples of sustainability related expected outcomes and activities that WithSecure undertakes.

SBM-3 Material sustainability-related impacts, risks and opportunities

As a step towards preparing for the CSRD reporting and to identify WithSecure’s material sustainability-related impacts, risks and opportunities, the company conducted a double materiality assessment (DMA) during the year 2023. The assessment was conducted against the EFRAG ESRS (European Sustainability Reporting Standards). This assessment and the related DMA assumptions have been updated during the year 2024 to reflect new insights, stakeholder feedback, and changes in the regulatory environment. An analysis of the short-term financial effects for the material ESRS topics was conducted during the year 2024, and no material impacts were identified. By regularly updating the DMA, WithSecure can better manage sustainability-related impacts, risks and opportunities, enhancing its overall sustainability performance.

The DMA includes topics where WithSecure could have a material impact (inside-out approach) and those posing financial risks or opportunities (outside-in approach). Following CSRD requirements, only material topics are included in the sustainability report. Both internal and external stakeholders participated in the assessment to identify material sustainability topics across the value chain. The effects have been quantified where applicable and supplemented with qualitative assessments where appropriate. The scope of the analysis covers all of WithSecure’s workforce. WithSecure is committed to upholding human rights and strictly prohibits the use of child labour, forced labour, or any other human rights violations, including human trafficking.

The following chapter details an overview of the DMA analysis outcome and WithSecure’s methodologies. Detailed descriptions of these impacts, risks and opportunities per each ESRS topic can be found in the beginning of the respective ESRS topic sections in this report.

WithSecure believes that the DMA presented fairly reflects the impacts, risks and opportunities WithSecure faces. As outlined in the “GOV-1 – GOV-5 Sustainability governance” section, risk management and internal control processes at WithSecure seek to ensure that risks related to the sustainability-related matters and business operations of the company are properly identified, evaluated, monitored and reported in compliance with the applicable regulations. The risk assessments are updated on regular intervals to be in line with current information at the time of evaluation. This also applies for WithSecure’s DMA assessment, which will be further developed to align with best practices and the global situation.

Through the DMA, WithSecure identified its material sustainability-related impacts, risks, and opportunities. Stakeholder views and interests were integrated into this assessment and the outcomes. The administrative and supervisory bodies oversee and determine that the operational strategy includes appropriate measures for the sustainability program. The sustainability team and specific GLT members are responsible for aligning daily operations with the sustainability program as well as managing and mitigating the identified impacts, risks, and opportunities.

IRO-1 Description of the process to identify and assess material impacts, risks and opportunities

Background

The Double Materiality Assessment has been carried out as an iterative process with the support of third-party advisors. The initial materiality assessment was conducted in 2022. It was expanded into a double-materiality analysis in 2023 which again was complemented in 2024, to align with the updates of the regulation.

The Double Materiality Assessment topics were selected on the basis of European Sustainability Reporting Standards (ESRS), valid drafts and published standards at the time of each assessment round.

First the value chain perspective was considered. The time horizons were defined and WithSecure’s upstream and downstream value chains were assessed. Stakeholders – including silent stakeholders – were engaged in this value chain assessment. Defining WithSecure’s value chain ensures that the materiality assessment considered sustainability topics broadly and throughout the value chain. WithSecure’s own operations were also included as part of the value chain assessment.

After scoping the value chain, the ESRS topics were evaluated holistically to assess possible material themes based on the scope of the value chain and own operation’s assessments. Additionally relevant legal and regulatory landscape was considered.

The assessments, analyses and material have been screened against the CSRD requirements and the European Sustainability Reporting Standards (ESRS) to ensure all relevant topics and perspectives are considered. For the double materiality assessment, the ESRS topics were considered on a topic, sub-topic and sub-sub-topic levels where applicable.

Parameters used and scope of analysis

The same assessment methodology and assumptions were used for assessing all the ESRS topics, possible impacts, risks, and opportunities as well as their materiality, as detailed in this section. As part of double materiality assessment process, the board gathered to discuss these topics and possible material implications and features, ensuring diverse perspectives and strategic decisions that integrate sustainability into the company's governance and reinforce WithSecure's commitment to responsible business practices. As described in section “SBM-2 Interests and views of stakeholders”, other stakeholders were included in the assessment process as well.

The process of assessing the materiality of the risks and opportunities is multifaceted. The pre-determined time horizon defines the timeframe in which the identified risk or opportunity will occur. The likelihood of the financial risks or opportunities is assessed. The scale goes from 25% indicating that the event is more likely not to happen, to 50% indicating there is a 50/50 chance, further on to 75% indicating that it is more likely to happen than not, with the scale ending at 100% which indicates an actual risk or opportunity. The value of the likelihood was freely determinable within this scale. The third determinant is the magnitude of the risk or opportunity. This is based on the magnitude of the impact it can potentially have on related revenue, related costs and group EBITDA.

The process for impact materiality assessment goes even more in depth. For impact materiality, the assessment uses 3 dimensions – scale, scope and irremediability – in addition to time horizon and likelihood. In addition to these, the part of the value chain where the impact is expected to materialize is indicated.

Scale determines how significant the positive or negative impact of WithSecure is on the topic. For example, in regard to work conditions, when the magnitude of the impact is small, there might be momentary stressful work and short sick leaves. High magnitude could mean long sick leaves and severe health hazards or work accidents.

Scope shows how widespread the company's impact is. When low, the impacts are limited in scope and emerge only in a few parts of the value chain, in only few divisions and locations, or affect only few stakeholders. Vice versa, for high scope the impacts emerge across the entire value chain, in all divisions or affect all stakeholders. An example could be pollution limited to geographically a very limited area or manifesting as several polluted areas.

Irremediability indicates to what extent the negative impacts can be remedied and restored relatively easily or in short-term to their original state, or whether the impact is non-remediable resulting in fatal accidents or environmental disasters.

The process for identifying climate-related hazards at WithSecure considers one general high-emission across its own operations, upstream, and downstream value chain. Separate scenarios for low, medium and high emission scenarios were not utilized. This assessment covers short-term and medium-term horizons, evaluating the likelihood of these events among other aspects as mentioned above. WithSecure has also assessed the extent to which its assets and business operations are exposed and sensitive to transition events, ensuring awareness of potential risks. No material climate-related hazards or risks were identified.

The single high-emission scenario used provides a suitable base for the assessment of potential impacts. This approach ensures the incorporation of climate risks and opportunities, aligning with WithSecure's overall risk management strategy. The sustainability report is prepared on a consolidated basis, following the same principles as the financial statements, as stated in section “BP-1 General basis for preparation of sustainability report”.

Due to the nature of WithSecure’s business, the industry it operates in as well as the locations of its offices as a cybersecurity company, its business activities have been assessed to have a limited impact on pollution, water and marine resources, biodiversity and ecosystems, and circular economy. Consequently, WithSecure has not held consultations with affected communities of the company’s possible material environmental impacts, as there are none. WithSecure has also conducted a screening of its locations, which are all rented offices in established big cities, and found they are not near biodiversity-sensitive areas. Similarly, due to no material negative impacts or risks being identified for any of the environmental topics, a further analysis of systemic risk impacts on WithSecure’s operations or value chain was not conducted.

Outcome

WithSecure’s double materiality assessment consists of impact materiality and financial materiality. Through the impact materiality assessment, WithSecure’s impacts on the environment and society have been identified. The financial materiality assessment covers the sustainability-related risks and opportunities WithSecure is exposed to.

The material impacts, risks and opportunities for WithSecure fall under the following four ESRS topics; E1 Climate change, S1 Own workforce, S4 Consumers and end-users and G1 Business conduct. Seven different ESRS sub-topics were identified in WithSecure’s materiality assessment process. These sub- topics are Climate change mitigation (E1), Working conditions (S1), Equal treatment and working opportunities for all (S1), Information-related impacts for consumers and/or end-users (S4), Corporate culture (G1), Protection of whistleblowers (G1) and Management of relationships with suppliers including payment practices (G1).

Climate change (E1) mitigation is important for WithSecure. The company optimizes energy use in its products, benefiting its value chain and supporting digital climate solutions. WithSecure’s low-emission business model limits its climate impact, with most emissions being upstream scope 3. WithSecure’s operations also have limited negative climate-related impacts and financial risks, and as such they have not been identified as material. An identified material opportunity is the continuous shift to cloud-based IT environments, which aligns with WithSecure's sustainability goals and supports digital climate solutions.

Business conduct (G1) is also assessed as material for WithSecure. WithSecure promotes ethical practices. The company focuses on corporate culture, whistleblower protection, and ethical supplier management, positively affecting its value chain. No significant financial opportunities were identified. Short-term risks include corporate culture and privacy issues, while medium-term risks involve the costs of maintaining ethical supplier practices.

More information about these and the other identified material sustainability-related impacts, risks and opportunities per each identified sustainability topic, sub-topic and sub-sub-topic have been presented under their respective sections.

Other non-material environmental impacts from WithSecure’s upstream value chain and circular economy

WithSecure has assessed various environmental impacts within its upstream value chain and circular economy. The ESRS topics of “E2 Pollution”, “E3 Water and Marine Resources”, “E4 Biodiversity and Ecosystems”, and “E5 Circular Economy” have not been identified as material topics for the company. The assessment methodology and assumptions made for assessing all of the ESRS topics, possible impacts, risks, and opportunities, and their materiality are detailed before this section under “Parameters used and scope of analysis”.

Other environmental impacts, including pollution (E2), water and marine resources (E3), and biodiversity and ecosystems (E4), have been evaluated. These impacts are considered to be of low significance, narrow in scope, and have a low likelihood of occurrence for WithSecure’s operations. Even though these possible impacts are not easily remediable, WithSecure can have indirect positive effects for the environment by ensuring its products are efficiently made. This in turn reduces the need for new devices. However, these positive impacts are quite small and limited, rendering the other ESRS environmental impact topics immaterial to WithSecure.

Similarly, the ESRS topic of circular economy (E5), encompassing WithSecure’s sustainable value chain, recycling, and waste management, has not been identified as a material topic. The environmental impacts related to the circular economy are also considered to be of low significance, narrow in scope, and have a low likelihood of occurrence. WithSecure can have a small impact on the circular economy and resource efficiency by ensuring its products are efficiently built, improving the lifetime of users’ devices, and minimizing the use of data centers. However, this impact is limited due to the company's size and product scope. Negative impacts on resource efficiency can occur if WithSecure's products require more resources and energy, and waste from operations can negatively impact the circular economy unless managed well. These negative impacts can be mitigated through proper product planning and recycling measures, thus mitigating the impacts.

IRO-2 Disclosure requirements in ESRS covered by the undertaking’s sustainability report

Content index list of the material Disclosure Requirements

The tables below describe all the ESRS disclosure requirements in ESRS 2 and the identified material topics E1, S1, S4 and G1 that have set the framework for the preparation of the sustainability report.

List of datapoints in cross-cutting and topical standards that derive from other EU legislation

The table below describes all the datapoints that derive from other EU legislation as listed in ESRS 2 appendix B. It is indicated where the datapoint can be found in the report and which data points have not been included due to them being assessed as “not material”.

Environmental information

EU Taxonomy

General

WithSecure has performed an analysis of the EU Taxonomy Regulation (2020/852), Commission Delegated Regulation (2021/2139) on Taxonomy screening criteria (Climate Delegated Act), Commission Delegated Regulation (2021/2178) on Taxonomy disclosures (Disclosures Delegated Act) and other related guidance from the European Commission, on reporting the activities that qualify as contributing substantially to climate change mitigation or climate change adaptation, i.e., being taxonomy aligned. This review included the EU Commission Delegated Regulation (2022/1214) (Complementary Climate Delegated Act), the EU Commission Delegated Regulation (2023/2486) (Environmental Delegated Act), and the EU Commission Delegated Regulation (2023/2485) (Amendments to the Climate Delegated Act).

In 2023, a delegated act for economic activities was published by the EU, and four new objectives were added. These objectives are; pollution prevention and control, sustainable use and protection of water and marine resources, protection and restoration of biodiversity and ecosystems, and transition to a circular economy. Modifications to the climate-related delegated act were approved, leading to updates in the environmental objectives for climate change mitigation and adaptation, and changes in the assessment criteria. From 2024 onwards, in addition to reporting the taxonomy eligibility of these activities, companies must also report the taxonomy alignment of their activities.

In short, the EU taxonomy is a classification system that defines which economic activities are environmentally sustainable. WithSecure has applied components from the delegated acts into the analysis to ensure taxonomy eligibility and alignment. This included analysing WithSecure’s operations in relation to various components of the delegated acts, including economic activities that contribute to non-climate environmental objectives, as well as nuclear and gas energy related activities. WithSecure has not identified any taxonomy-eligible economic activities, and therefore has not identified any activities for which taxonomy alignment could be determined.

The EU Taxonomy develops constantly and WithSecure closely follows the new information of taxonomy reporting requirements. WithSecure has not identified any significant changes impacting WithSecure’s analysis of EU taxonomy. The analysis has been performed in collaboration between the WithSecure product team, financial controlling and sustainability team.

Cyber security software, while supporting a wide range of activities in becoming digital and therefore reducing the need of physical materials and transportations of goods and people, as well as reducing the incremental cost of cybercrime to the society, is not an activity addressed by the current climate change mitigation and climate change adaptation taxonomy, hence it is not taxonomy eligible.

According to the European Commission, the purpose of the current Taxonomy Climate Delegated Act is to include the sectors producing the largest emissions. As a company operating in a low-emission sector, WithSecure business activities are not listed in the current EU Taxonomy, and therefore they are not considered to be taxonomy eligible.

WithSecure will closely follow the further developments of the taxonomy reporting requirements and complete the assessments when new legislation is published or when new information regarding its application becomes available. New activities, with new environmental targets in future versions of the taxonomy might be more relevant for WithSecure and trigger a need of re-assessing both eligibility and alignment.

Taxonomy-eligible turnover

Taxonomy-eligible turnover is defined as the proportion of net turnover derived from products or services, including intangibles, associated with Taxonomy- eligible economic activities. A more in-depth description of the turnover can be found in section “1 Segment information” of the financial statements.

Based on the analysis of the current economic activities listed in taxonomy, WithSecure business activities fall under Activity 8.2 Computer programming, consultancy and related activities (NACE J62) of the Commission Delegated Regulation (2021/2139). Within the Taxonomy, Activity 8.2 is not defined as enabling. According to the definition of turnover in Annex I of the Commission Delegated Regulation (2021/2178), cannot be defined as eligible or aligned.

Additionally, Activity 8.2 is categorized as an ‘adapted’ activity within the Taxonomy. This means it cannot be considered eligible unless the reporting entity can demonstrate that a climate risk and vulnerability assessment has been conducted and an expenditure plan has been established to implement adaptation solutions that mitigate the most significant physical climate risks, as outlined in Appendix A to Annex II of the Delegated Regulation (2021/2139).

WithSecure’s primary activities do not directly contribute to the environmental objectives outlined in the Annex I of the Commission Delegated Regulation (2021/2178). WithSecure’s services focus on protecting digital infrastructure and data, which, while crucial to businesses, does not exactly align with the specific environmental criteria set out in the Taxonomy. As a result, WithSecure reports 0% of its revenue as taxonomy eligible. Consequently, no technical screening criteria apply, and the revenue cannot be considered taxonomy aligned.

Taxonomy-eligible operating expenses

The Operating expenses (7.78MEUR) included in the taxonomy assessment are defined as direct non-capitalised costs that relate to research and development, building renovation measures, short-term lease, maintenance and repair, and any other direct expenditures relating to the day-to-day servicing of assets of property, plant and equipment by the undertaking or third party to whom activities are outsourced that are necessary to ensure the continued and effective functioning of such assets (2021/2178).

According to the Delegated Regulation (2021/2178), the operating expenses to be considered as eligible must be any of the following:

(a) related to assets or processes associated with Taxonomy-aligned economic activities, including training and other human resources adaptation needs, and direct non-capitalised costs that represent research and development;

(b) part of the CapEx plan to expand Taxonomy-aligned economic activities or allow Taxonomy-eligible economic activities to become Taxonomy-aligned within a predefined timeframe;

(c) related to the purchase of output from Taxonomy-aligned economic activities and to individual measures enabling the target activities to become low-carbon or to lead to greenhouse gas reductions as well as individual building renovation measures as identified in the delegated acts adopted pursuant to Article 10(3), Article 11(3), Article 12(2), Article 13(2), Article 14(2) or Article 15(2) of Regulation (EU) 2020/852 and provided that such measures are implemented and operational within 18 months.

WithSecure’s OpEx has been assessed using these three approaches. WithSecure has conducted calculations in terms of assets including operating expenses related to rental of premises (including depreciations for leased premises accounted for under IFRS 16 standard), maintenance of premises as well as other expenses related to the functioning of the leased and owned property, plant and equipment. These were not identified as taxonomy-eligible. Additionally, the CapEx plan does not currently include expansions of Taxonomy-aligned activities or transitions of eligible activities to become aligned within a set timeframe. WithSecure utilizes third-party cloud platforms of Amazon Web Services (AWS) and Microsoft Azure for majority of its operations. Cloud hosting costs are not included in the Operating expense subject to taxonomy assessment. Taxonomy eligibility of WithSecure operating expense is therefore 0%.

Taxonomy-eligible capital expenses

The Capital expenses included in the taxonomy assessment are defined as additions to tangible and intangible assets during the financial year considered before depreciation, amortisation and any re-measurements, including those resulting from revaluations and impairments, for the relevant financial year and excluding fair value changes (2021/2178). A more in-depth description of the capital expenses can be found in section “Statement of cash flows January 1 – December 31, 2024” of the financial statements.

WithSecure capital expenses (5.93MEUR) include capitalizations of long-term IT projects and development expenditure on new products or product versions with significant new features, according to IAS 38 accounting standard.

According to the Delegated Regulation (2021/2178), the capital expenses to be considered as eligible must be any of the following:

(a) related to assets or processes associated with Taxonomy-aligned economic activities, including training and other human resources adaptation needs, and direct non-capitalised costs that represent research and development;

(b) part of the CapEx plan to expand Taxonomy-aligned economic activities or allow Taxonomy-eligible economic activities to become Taxonomy-aligned within a predefined timeframe

(c) related to the purchase of output from Taxonomy-aligned economic activities and to individual measures enabling the target activities to become low-carbon or to lead to greenhouse gas reductions as well as individual building renovation measures as identified in the delegated acts adopted pursuant to Article 10(3), Article 11(3), Article 12(2), Article 13(2), Article 14(2) or Article 15(2) of Regulation (EU) 2020/852 and provided that such measures are implemented and operational within 18 months.

WithSecure’s CapEx has been assessed using these three approaches. Accordingly,  WithSecure’s research work relates to developing the current activities that are considered as non-eligible for taxonomy reporting (see paragraph Taxonomy-eligible turnover above). WithSecure’s CapEx plan does not currently include expansions of Taxonomy-aligned activities or transitions of eligible activities to become aligned within a set timeframe. A minor part of capital expenses relates to capitalization of employee laptops and other hardware, as well as office renovation expenses, however these are not taxonomy eligible, as they are not measures aimed at reducing GHG emissions. Taxonomy eligibility of WithSecure capital expense is therefore 0%.

Proportion of turnover from products or services associated with Taxonomy-aligned economic activities – disclosure covering year 2024

Proportion of OpEx from products or services associated with Taxonomy-aligned economic activities – disclosure covering year 2024

Proportion of CapEx from products or services associated with Taxonomy-aligned economic activities – disclosure covering year 2024

ESRS E1 - Climate change

SBM-3 Material impacts, risks and opportunities related to climate change

WithSecure has identified the material impacts, risks and opportunities related to climate change based on the double materiality assessment introduced in its own section. Climate change and specifically climate change mitigation has been identified as a material topic for the company.

The impact possibilities on climate change are considered limited in scope, due to the nature of the business and emissions structure of WithSecure. WithSecure’s business model is not emission intensive, as is with most companies operating in the software sector. Most of the emissions WithSecure’s operations generate are scope 3 emissions in the upstream value chain. The direct emissions from both scope 1 and 2 are relatively limited.

Simultaneously, the possible climate-related risks WithSecure could face are low in magnitude, likelihood or both. WithSecure has not identified itself to be vulnerable to any material climate-related physical or transition risks, rendering the need for climate change adaptation actions redundant. Consequently, no assets have been recognised to be exposed or vulnerable to climate-related risks.

WithSecure has identified the ongoing shift of customers to cloud-based IT environments as a significant, continuing opportunity. This financial opportunity aligns with WithSecure’s broader sustainability program. By providing cybersecurity software and services, WithSecure can indirectly support digital climate solutions for mitigation and adaptation, fostering trust and security in the digital world. This opportunity is assessed to materialize in the medium term.

WithSecure aims to advance its management of climate change related impacts, risks and opportunities during the coming years. The plan is to update the double materiality analysis and re-evaluate the material impacts, risks and opportunities. WithSecure will explore next steps and possible related science-based targets that could be suitable and reasonable for WithSecure’s business model and impacts.

E1-1 Transition plan for climate change mitigation

Due to WithSecure’s limited impact on climate change, the company does not currently have a transition plan in place for climate change mitigation. For the same reason, WithSecure has not conducted a resilience analysis in the identification process of the material impacts, risks and opportunities. One general scenario was implemented. Separate scenarios for low, medium or high emission scenarios were not utilized. The climate change related targets are not analysed in relation to limiting global warming to 1.5°C in line with the Paris Agreement. WithSecure is not excluded from the EU Paris-aligned benchmarks. As WithSecure progresses in its sustainability journey, it will aim to enhance the monitoring and assessment of the company’s activities. The intention is to enhance the company’s adherence to the provisions of the Delegated Act (EU) 2021/2139, supporting efforts in climate change mitigation.

E1-2 Policies related to climate change mitigation and adaptation

WithSecure has a Sustainability policy which addresses climate change mitigation. The policy is publicly available on WithSecure’s website. Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. Thus, the stakeholders have been involved and their views have been included in the policy. The most senior level accountable for the implementation of this policy are the GLT members of each business unit most closely associated with the respective policy.

The purpose of WithSecure’s Sustainability Policy is to define the objectives for sustainability-related matters at WithSecure, demonstrate the company’s commitment to operating sustainably and establish an effective sustainability governance. The policy serves as a framework for continually improving WithSecure’s performance and integrating sustainable practices into the company’s daily operations.

The policy outlines WithSecure’s commitment to maximizing the company’s net impact on the planet, people, and society. WithSecure aims to embed sustainability into all the company’s decision-making processes and ensure transparency of WithSecure’s activities to the company’s stakeholders.

The sustainability policy applies to WithSecure's own operations and all persons working for WithSecure, anywhere WithSecure operates globally.

The policy is publicly available on WithSecure's website.

E1-3 Actions and resources in relation to climate change policies

WithSecure does its share in reducing the amount of waste and emissions produced by the company’s operations, whenever it is reasonably possible. WithSecure has committed to reducing its carbon footprint as the company’s main action to mitigate the climate change related negative impacts and risks, while emphasizing the possibilities for positive actions and supporting positive impacts as well as opportunities.

WithSecure’s carbon footprint analysis includes the company’s own operations and as well as both upstream and downstream activities. The scope of WithSecure’s carbon footprint reduction actions is the company’s own operations and upstream activities, as no material emissions were identified in the downstream activities. A more detailed description of the different material GHG emissions are described in the section "E1-6 Gross Scopes 1, 2, 3 and Total GHG emissions". The carbon footprint reduction is an ongoing process. No significant expenditures are allocated for this action.

The Sustainability Policy provides the framework and guidelines for the actions WithSecure takes to reduce its carbon footprint. These actions are designed to address the specific areas where the company can make the most significant impact. The carbon footprint reduction is completed through a variety of different measures. These measures involve for example the company’s offices, employee commuting and business travel. These are some of WithSecure’s main avenues for reducing the company’s carbon footprint.

• Offices

  WithSecure has 15 offices globally, the major locations being Helsinki (Finland), London (UK), Kuala Lumpur (Malaysia) and Poznan (Poland). WithSecure offices are leased premises, and therefore the company does not have full control of the decisions taken by landlords on the energy efficiency of the buildings. However, WithSecure strongly encourage the company’s landlords to take all available measures to optimize heating, cooling, lighting, and waste management at the company’s office premises. WithSecure strives to minimize the company’s ecological footprint by providing sustainable offices that enhance WithSecure’s employees’ wellbeing. To facilitate this, WithSecure has “Sustainable Workplace Guidelines” for all the 15 offices across the globe. WithSecure believes that by building for the future and implementing these guidelines it can make a positive difference for the planet and its people.

  During the year 2024 , the Helsinki office moved to new headquarters in Wood City, where the building has a LEED Platinum certification and A class energy rating. The exact impact of this relocation has not been evaluated beyond the calculation of total scope 2 emissions of all offices.

• Commuting

  Green commuting of the employees is supported through various measures. In three of WithSecure’s locations, the company offers a bicycle benefit for the employees to encourage cycling to work. In three locations, WithSecure provides commuting allowances to support the use of public transportation.

• Business travel

  WithSecure Travel Policy continues to provide a unified and simplified travel process to ensure safe, efficient and environmentally friendly business travel. It aims to reduce the environmental impact of traveling, aligned with the company sustainability targets. Employees are encouraged to use digital meeting tools when collaborating with internal and external stakeholders, and to travel only when needed, using environmentally friendly options and combining travel when possible. Due to the nature of WithSecure’s business and the company’s multi-location teams, the company will always require some travelling.

E1-4 Targets related to climate change mitigation and adaptation

WithSecure’s actions for climate mitigation are measured through an intensity metric following the tons of CO2 emissions per million EUR revenue emitted in WithSecure’s operations and value chain. The methodology for the CO2 emission calculations have been detailed in the section "E1-6 Gross Scopes 1, 2, 3 and Total GHG emissions". The business flight emissions are followed as a separate metric from the total CO2 emissions. Their calculation methodology is also detailed in that section.

The footprint reduction target is a total amount of tons of CO2 per million EUR of revenue, making the target relative to revenue. The measured unit is the amount of CO2 emissions in WithSecure's own operations and value chain. These total emissions include the emission from flights. This intensity target will allow the company growth but without a similar increase to the carbon footprint. The business flight related target is relative to the base year level. The scope for business flight emissions are people working for WithSecure. In addition to these informal targets, WithSecure is exploring the implementation of possible science-based targets suitable for WithSecure’s business model and impacts.

The baseline value for the total carbon footprint is 75 tons of CO2 emissions per million EUR of revenue. The baseline year for CO2 emissions including the business flights is 2022. WithSecure’s GHG reduction initiatives impact upstream value chain. These targets are measured continuously, at least annually. The targets are not science-based.

Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. Thus, the stakeholders have been involved and their views have been included in the setting and choosing of the targets.

Performance in the year 2024 is in line with the targets as the overall CO2 emissions have decreased. Compared to the baseline emissions, the 2024 emissions have decreased by -36% for location-based emissions and -38% for market-based emissions. Compared to the year 2023 there is also a clear decrease in total emissions of -14% for both the location- and market-based emissions.

WithSecure reached the goal of reducing the company’s carbon footprint to below 75 tons of CO2 per million EUR of revenue. This GHG intensity figure for the year 2024 is 69.2 tCO2eq / MEUR. In terms of the business flight emissions, those have also decreased from the 1,084 tCO2eq baseline level to 891 tCO2eq for the year 2024. Thus, both targets have been reached.

The mentioned methods have contributed to the carbon footprint reduction during the year 2024. In terms of business travel (flights), WithSecure has encouraged virtual meetings and limited non-essential travel, reducing travel-related emissions, resulting in the carbon footprint being -33% lower. Employee commuting has been addressed by promoting remote work options, supporting the use of public transportation, and encouraging the employees to cycle to work, decreasing the carbon footprint by -10%. These measures reflect WithSecure’s sustainability policy to support sustainable commuting practices. These actions collectively contribute to the overall reduction in emissions, although no specific decarbonisation levers have been used.

The CO2 and business travel emission outcomes have been described in more detail in the section "E1-6 Gross Scopes 1, 2, 3 and Total GHG emissions".

E1-6 Gross Scopes 1, 2, 3 and Total GHG emissions

Baseline

WithSecure’s carbon footprint consists primarily of indirect emissions. Most of WithSecure’s emissions were identified as Scope 3 (indirect, others) emissions. WithSecure’s upstream leased assets were identified as Scope 2 (indirect, purchased electricity, steam, heating, and cooling) emissions in 2024, and the company did not identify any Scope 1 emissions (from own offices, vehicles, and fugitive emissions).

WithSecure’s CO2 emissions baseline is 2022, with adjustments made in 2023 to include heating estimates for Scope 2 emissions and additional spend-based emissions for Scope 3, specifically in Category 1 – Goods and services. The baseline emissions are 15,935 tons of CO2e for location-based emissions and 15,883 tons of CO2e for market-based emissions.

There was a slight adjustment to Scope 2 emissions for 2023, as the square meterage of the Helsinki, Poznan and Stockholm offices was determined more precisely. Additionally, the emissions allocation per area in use for WithSecure in the old Helsinki office building, which was shared with other tenants, was refined. Furthermore, district heating for the Oulu offices was added to the calculations separately. This increased the scope 2 emissions from 564 tons of CO2e to 850 tons of CO2e. There was also a minor correction to the Scope 3 emissions for 2023, decreasing the total scope 3 emissions from 11,080 tons of CO2e to 11,068 tons of CO2e, due to cloud computing originally being accounted for twice.

Calculation methodologies

The calculations are conducted based on the Greenhouse Gas (GHG) Protocol. The GHG calculation methodology follows the financial control consolidation method. There have been no changes to the GHG protocol consolidation methodology or significant changes to the organisational structure that would impact the GHG emissions calculation.

WithSecure’s GHG emissions are calculated in the following manner: the total annual CO2 emissions are determined based on actual emissions from January to November, with December emissions included as a forecast. For primarily the year end months, the scope 2 emissions have been estimated using forecasts and historical data due to insufficient reliable data from the local service partners. The calculation principles for the comparable figures are the same. Biomass or biogenic emissions are not separately calculated or taken into account for any of the emissions. WithSecure’s GHG figures are not externally assured beyond the audit assurance of this report. The comparable figures are not within the scope of the audit assurance.

Scope 2 – Purchased electricity, heating, and cooling

The calculation followed the GHG protocol, consisting of both the location-based and market-based emissions. The methods included the electricity consumption by location and the appropriate emission factor.

The emission factor represents the GHG intensity of the electricity consumption in the location. For the location-based emission factor, the CO2 emissions of electricity generation have been calculated using appropriate CO2 residual mix emission factors for the office locations sourced from AIB for European locations and for non-European locations from local authorities’ websites, including DEFRA, SEDA, EMA, Climate Transparency, and EPA.

The market-based emissions have been estimated using the emission factors published on the websites of the companies that provide electricity to WithSecure’s office locations. This includes the Helsinki offices’ electricity emissions from the base year 2022 onwards and for the London office for the year 2024. In other locations where no specific emission factor is provided by the local electricity providers, the same residual mix factor used for the location-based calculation was applied. There are no contractual obligations or other agreements related to WithSecure’s Scope 2 emissions.

The average consumption of WithSecure’s offices per square meter was used to estimate the consumption in locations where electricity consumption data was not available. The office electricity consumption corresponds with WithSecure’s proportion of each office, when WithSecure shares office space with external parties. Heating consumption was included in the energy consumption of the offices which are located in countries where district heating is common. These countries are Finland, Sweden, Denmark and Poland. Statistical data was used to estimate the heating consumption, and the consumption was calculated in cubic meters. Cooling of the offices is included in the electricity consumption.

Scope 3

Category 1 – Goods and services

The category 1 emissions are based on the actual usage related footprint, as collected directly from the service providers, such as the suppliers of cloud computing services. In the absence of such activity-based data for other purchases, WithSecure has used the GHG Protocol’s spend-based method to calculate the emissions from goods and services. The emission factor (sourced from Exiobase3) has been applied for the collected economic value of goods and services purchased. The spend-based method is based on estimated averages, and therefore includes significant uncertainty regarding data accuracy. However, WithSecure’s purpose is to include the full inventory of emissions in the footprint calculation.

Category 5 – Waste emissions

WithSecure used GHG Protocol’s average-data method in the calculations. First, the average annual waste produced per employee was determined and then the amount of waste was calculated by estimated treatment method. Landfill and combustion were the treatment methods included in the calculations. The applicable emission factor by country (sourced from DEFRA) was used for each waste amount by waste treatment type. 

Category 6 – Business travel (flights)

Applicable emission factors (sourced from DEFRA) were used based on the flight type, distance, and cabin class. The data was collected from internal travel data and third-party data provided by travel agencies. The category only includes the flights booked for the year 2024. The same cut-off method has been consistently applied on the previous year. Other business travel expenses, such as train tickets and hotel expenses, are included in Category 1.   In 2022, WithSecure used the applicable emission factors from DEFRA and EPA-US. For 2023 and 2024, all flights were calculated using DEFRA emission factors.

Category 7 – Employee commuting

GHG Protocol’s distance-based method was used in the calculations per employee. WithSecure determined the travel method (car, train, bus, cycling, and walking) and used the applicable emission factor (sourced from DEFRA) in the calculations. The average distance to work, estimated office days per week and the estimated split of travel method per country were determined. The calculations included the bicycle, car, and public transportation benefits, as well as estimates of travel mode per country.

Year 2024

The total location-based emissions for 2024 were 10,205 tons of CO2e, corresponding to the annual emissions of 2,219 typical petrol passenger cars. The total market-based emissions for 2024 were 9,908 tons of CO2e, corresponding to the annual emissions of 2,154 typical petrol passenger cars. The GHG intensity based on net revenue for 2024 is 69.2 .

For 2024 scope 2 location-based emissions were 928 tons of CO2e (9% of total location-based GHG emissions), while the market-based emissions were 630 tons of CO2e (6% of total market-based GHG emissions). Scope 2 emissions include the energy consumption of WithSecure’s offices. Heating emissions have been estimated for offices in Finland, Sweden, Denmark and Poland. In these countries district heating has a significant share of the total heat market. Cooling of the offices is included in the electricity consumption.

Scope 3 emissions were 9,278 tons of CO2e (91% of total location-based GHG emissions, 94% of total market-based GHG emissions). Four categories were identified as Scope 3 indirect emissions. These categories are Category 1 – Goods and services, Category 5 – waste emissions, Category 6 – business travel (flights), and Category 7 – employee commuting. The content, calculation methods and reporting boundaries used for each category are briefly explained per each category.

WithSecure’s carbon footprint currently excludes emissions from third-party devices running WithSecure software (Category 11 – Use of sold products). An estimate for customer device energy use is not included due to the significant variances related to the assumptions. For example, variations in device types, usage patterns, and energy efficiency make it challenging to provide an accurate estimate. Based on the current analysis and assumptions, emissions from this category are not considered significant due to the variability in device energy consumption and their relatively small share of total emissions. However, as part of WithSecure’s sustainability initiatives, the company has started collecting real-life endpoint energy-usage data. When reliable, validated measurements are available, WithSecure will consider adding Category 11 to the company’s carbon footprint.

WithSecure has also excluded the following categories from the CO2 calculations as these categories are not applicable for WithSecure’s business model and operations, or WithSecure has no significant emissions that fall within these categories;

• Category 2 – Capital Goods

• Category 3 – Fuel- and energy-related activities

• Category 4 – Upstream transportation and distribution 

• Category 8 – Upstream leased assets 

• Category 9 – Downstream transportation and distribution 

• Category 10 – Processing of sold products 

• Category 12 – End-of-life treatment of sold products 

• Category 13 – Downstream leased assets

• Category 14 – Franchises

• Category 15 – Investments 

Metrics that include value chain and other data estimated using indirect sources are limited to the GHG emissions calculations. These indirect sources include sector-average data and other figures from recognized and reliable databases.

WithSecure has identified that the quantitative metrics related to Greenhouse Gas emission Scope 3 calculations are subject to measurement uncertainty due to the availability and quality of data from the company’s upstream and downstream value chains as well as the publicly available databases. WithSecure is dependent on the parties providing the requested information from the upstream and downstream value chains ensuring that the value chain data fulfils the information needs communicated to them. To detect and mitigate any major data discrepancies, WithSecure conducts internal comparison and analysis of the data from the value chain and updates used database sources regularly.

Scope 2 – Purchased electricity, heating, and cooling

The emissions for energy consumption of WithSecure’s offices were calculated for all of the company’s offices. 6% - 9% of WithSecure’s carbon footprint stems from energy consumption, depending on whether location- or market-based total emissions are used.

Scope 3

Category 1 – Goods and services

Goods and Services is the largest emission category for WithSecure, as 78% - 80% of the company’s total emissions were from Goods and services, depending on whether location- or market-based total emissions are used. Cloud data processing emissions are 0.27% - 0.28% of WithSecure’s total emissions.

Category 5 – Waste emissions

0.16% of WithSecure’s total emissions consist of waste emissions.

Category 6 – Business travel (flights)

Business travel (flights) amount to 9% of WithSecure’s total emissions. WithSecure used GHG Protocol’s distance-based method to calculate the emissions from flights.

Category 7 – Employee commuting

4% - 5% of WithSecure’s carbon footprint stem from the employee commuting category.

Social information

ESRS S1 - Own workforce

SBM-3 Material impacts, risks and opportunities related to own workforce

WithSecure has identified the material impacts, risks and opportunities related to own workforce based on the double materiality assessment introduced on its own section "SBM-3 Material sustainability-related impacts, risks and opportunities". The ESRS sub-topics of “Working conditions” and “Equal treatment and working opportunities for all” were identified as material topics for WithSecure. Although no material impacts were found for these topics, the company did identify significant financial risks and opportunities associated with them.

* This figure includes pay gaps that can be explained by differences in location or job levels

S1-1 Policies related to own workforce

The policies outlined below are adopted to effectively manage WithSecure's material impacts on its own workforce, as well as the associated material risks and opportunities. These frameworks are designed to address critical areas such as employee well-being, professional development, diversity, equity, and inclusion, and workplace safety, ensuring a supportive and thriving environment for everyone. By proactively mitigating risks like skill gaps, disengagement, or workplace inequities, and seizing opportunities to enhance talent retention and leadership capabilities, WithSecure ensures that its workforce remains a resilient and integral driver of the company’s long-term success. The most senior level accountable for the implementation of these policies are the GLT members of each business unit most closely associated with the respective policy.

Please see section “G1-1 Business conduct policies and corporate culture”.

Please see section “G1-1 Business conduct policies and corporate culture”.

The WIDE strategy (Wellbeing, Inclusion, Diversity, and Equity) aims to create a supportive, inclusive, and equitable workplace. It prioritizes employee wellbeing, fosters belonging, celebrates diversity, and ensures fair access to opportunities. Progress is monitored through regular employee feedback surveys.

The strategy applies organization-wide, and the accountability rests with Chief Culture and Performance Officer. The strategy is shared through internal communications and trainings to promote awareness.

The harassment prevention policy underscores WithSecure’s commitment to a workplace free from harassment and discrimination. It aims to foster a respectful, safe, and inclusive environment for all employees, regardless of position or location. The policy outlines the company’s zero-tolerance stance on harassment, serving as a key resource for awareness and prevention.

This policy applies globally to all WithSecure employees, without exclusions, ensuring consistent standards across locations. Accountability for implementation rests with Chief Culture and Performance Officer.

The Grievance Policy ensures employees have a clear and fair process for resolving employment-related concerns promptly and equitably. It promotes consistent and transparent handling of grievances, fostering trust and fairness in the workplace.

This policy applies to all workers ensuring broad accessibility and fairness. Local legislation and requirements are taken into consideration, and the policy is tailored and detailed in local HR handbooks. It is communicated through internal channels to ensure employees understand the process and their rights.

The Rewarding Philosophy Policy outlines WithSecure’s commitment to fair, transparent, and competitive compensation practices. Its objectives are to reward good performance, promote equity, enhance employee engagement, and align compensation with market benchmarks. The policy mitigates risks such as employee turnover and disengagement, while fostering opportunities to attract and retain top talent. Monitoring is conducted through structured processes like the Global Salary Review and performance-based incentive evaluations.

The policy applies to all employees globally, ensuring consistency across countries, business lines, and functions. There are no significant exclusions, as it is tailored to address local market conditions and practices. Accountability for implementation lies with the Chief Culture and Performance Officer, ensuring alignment with organizational goals.

The policy aligns with relevant external market benchmarks and standards to maintain competitiveness and fairness. Key stakeholder interests, such as employee feedback and market data, are central to its design. The policy is made accessible to all employees through the company intranet, ensuring transparency and understanding across the organization.

The Learning Philosophy Policy highlights WithSecure’s commitment to fostering personal and professional growth through equal access to diverse learning opportunities. Guided by the 70-20-10 model, it emphasizes learning through real-world experiences, collaboration, and structured programs, helping employees develop skills, stay competitive, and align personal goals with organizational priorities. Risks such as skill gaps and disengagement are mitigated, while opportunities for innovation and talent retention are enhanced. Progress is supported through performance and development planning, regular check-ins, and access to robust learning resources. The policy applies to all employees globally, ensuring inclusivity across geographies and roles. Accountability for the policy lies with the Chief Culture and Performance Officer, ensuring its alignment with organizational values. It is accessible through the company intranet, providing clear guidance on personal development processes and available learning resources.

WithSecure has not identified any specific groups within its workforce as being at particular risk of vulnerability. The company's policies and commitments are designed to ensure equity, inclusion, and well-being for all employees, fostering an environment where every individual is supported and treated fairly, regardless of their role, background, or circumstance. These principles underpin WithSecure’s dedication to creating a safe, inclusive, and empowering workplace.

WithSecure’s Code of Conduct outlines the ethical principles that guide the company’s operations, emphasizing integrity, transparency, and accountability. It sets clear expectations for employee behaviour, promoting a workplace culture of respect, fairness, and compliance with all applicable laws and regulations. These principles ensure that working conditions are conducive to retaining talent, fostering their well-being, and promoting equal treatment and opportunities for all. An in-depth description of the Code of Conduct is included in the section “G1-1 Business conduct policies and corporate culture”.

Respecting the human rights is a fundamental aspect of WithSecure’s business model. The Code of Conduct integrates the United Nations Guiding Principles on Business and Human Rights (UNGPs), which serve as a foundational framework for the company’s policies. While not explicitly outlined in the Code of Conduct, WithSecure upholds internationally recognised human rights standards, including the ILO Declaration on Fundamental Principles and Rights at Work and the OECD Guidelines for Multinational Enterprises. WithSecure ensures compliance with labour laws, fair wages, non-discrimination, and the provision of safe working environments.

WithSecure does not tolerate any use of child labour, any form of forced labour or any other human rights violations including human trafficking. WithSecure supports the fundamental human rights to good working conditions, and reasonable balance between working hours and leisure time for everyone. To support these commitments, the company has implemented policies such as anti-harassment and anti-discrimination policies, local health and safety policies, and a remote work policy, as well as strategies and guidances like the Well-being, Inclusion, Diversity, and Equity (WIDE) strategy, and rewarding and learning philosophies to ensure compliance and promote a positive workplace culture.

WithSecure has implemented employee feedback systems and grievance mechanisms to identify and mitigate human rights risks. These mechanisms, discussed further under “S1-3 Processes to remediate negative impacts and channels for own workforce to raise concerns,” allow employees to report issues confidentially and ensure timely, fair resolution.

WithSecure is committed to preventing discrimination in all its forms, including but not limited to race, gender, age, disability, sexual orientation, religion, and ethnicity, and the company promotes equal access to career development, fair treatment, and protection from harassment. The company’s harassment prevention policy includes clear reporting procedures. Employees can raise concerns with their line manager, HR, or Legal representatives, ensuring that incidents are promptly addressed. Disciplinary action is taken where necessary, and WithSecure complies with local laws and regulations requiring additional procedures to prevent discrimination.

To foster a safe and healthy working environment, WithSecure has begun developing a new global comprehensive health and safety policy, which includes a workplace accident prevention policy and management system. This system, set to be implemented in 2025, is designed to minimize risks, reduce workplace accidents, and ensure a safe environment by identifying, managing, and mitigating hazards that could lead to injuries, illnesses, or fatalities. These initiatives, along with remote work policies, collectively support the physical and mental well-being of employees worldwide.

S1-2 Processes for engaging with own workforce and workers’ representatives about impacts

WithSecure actively engages with its employees across all levels of the organization to ensure their voices are heard and integrated into decision-making processes. The company maintains open communication channels that encourage feedback and provide opportunities for meaningful participation in decision-making processes related to workplace conditions and organizational goals.

WithSecure has established regular touchpoints through various platforms:

• Electing an employee to the Board of Directors: Each year, WithSecure employees can apply to become a representative on WithSecure’s Board of Directors. This employee will have the chance to directly convey feedback from the employees to the Board. Additionally, the elected representative will be invited to HR Board meetings, where issues affecting Finnish employees are discussed on a monthly basis.

• Formal employee surveys: These surveys allow WithSecure to gather feedback on critical employee engagement-related matters such as diversity and inclusion, career development opportunities and overall wellbeing. In 2024, WithSecure conducted these surveys two times. The survey results are discussed in various decision-making forums where also actions are planned: in the global leadership team, function and unit specific leadership teams and local management teams. There’s a line manager guidance available to support discussing the results and plan actions also at the team level. The Objectives and Key Results framework is a transparent tool for documenting development priorities and actions.

• Employee Resource Groups (ERGs): WithSecure’s ERGs provide a space for employees from diverse backgrounds to share their experiences, collaborate on initiatives, and propose improvements related to our workplace culture and policies. In 2024, there were two active groups, one group focusing on wellbeing, inclusion, diversity, and equity (WIDE) related matters and one sub-group focusing specifically on mental health.

• Feedback channels: In addition to formal surveys, WithSecure’s quarterly held company-wide and monthly held function and unit specific townhalls provide regular opportunities to ask questions and express any concerns, suggestions, or ideas. There are also regular monthly meetings for line managers to address any concerns, ask questions, and provide feedback. These meetings are recorded and accessible afterwards.

Additionally, as part of WithSecure’s ongoing commitment to fostering a sustainable and inclusive work environment, ensuring excellent working conditions, and retaining top talent, the company has initiated the development of a company-specific collective agreement in Finland in 2024. This agreement will reflect WithSecure’s dedication to fair labour practices and ensures that the company’s employees are treated with respect, fairness, and transparency.

By engaging in open dialogue with employee representatives, WithSecure has tailored the agreement to meet the specific needs of the company’s workforce while aligning with technology industry standards. This initiative not only guarantees fair salary settlement but also promotes work-life balance, learning and development, and clearer working conditions.

Through this collaborative approach, WithSecure aims to foster a culture of mutual trust, ensure compliance with labour regulations, and contribute to the long-term sustainability of the workforce. The agreement marks a significant milestone in WithSecure’s commitment to create a trusted workplace for employees and in the company’s goal of being a preferred employer in the technology sector.

Operational responsibility for ensuring workforce engagement and incorporating the results into WithSecure's approach lies with the Chief Culture and Performance Officer, who holds the most senior role in this area. This individual leads the Operational Excellence function, driving initiatives to maintain meaningful engagement with the workforce and ensuring that feedback informs strategic decisions and policies effectively.

S1-3 Processes to remediate negative impacts and channels for own workforce to raise concerns

WithSecure is committed to fostering a supportive and transparent environment for its workforce, ensuring that negative impacts on employees are addressed in a timely and effective manner. WithSecure recognizes the importance of providing clear processes to remediate any adverse impacts the company’s business may have on its employees and offering accessible channels for employees to raise concerns.

WithSecure’s general approach to remediation involves investigating and addressing instances where the company has caused or contributed to material negative impacts on its workforce. The process includes conducting formal investigation to understand the underlying causes and the extent of the issue. This includes engaging with affected employees, gathering relevant information, and consulting with relevant stakeholders to develop an appropriate course of action. To ensure the effectiveness of remedies and to evaluate satisfaction with the outcomes, WithSecure employs a feedback loop with the affected individuals.

WithSecure provides two channels for its workforce to raise concerns confidentially and without fear of retaliation. These include line manager and HR access, and whistleblower. Employees are first encouraged to engage directly with their line managers or HR representatives to discuss concerns and needs. A dedicated whistleblowing mechanism, managed by a third party, has been established to allow employees to report any unethical, unlawful, or harmful practices anonymously and without fear of retaliation. More information about the whistleblowing channel and whistleblowing policy can be found in the section “Protection of whistle blowers” under the section "G1-1 Business conduct policies and corporate culture".

In addition to the whistleblowing channel, WithSecure is in the process of developing a new grievance mechanism that will cater specifically to a broader range of employee concerns. This mechanism will provide employees with a structured and transparent avenue for raising concerns and ensuring that they are addressed promptly. The new channel will also help the company to track and monitor issues raised and addressed in a more systematic way. This channel is planned to be opened during 2025.

The available channels are designed to be easily accessible to all employees across the workforce.

S1-4 Taking action on material impacts on own workforce, and approaches to managing material risks and pursuing material opportunities related to own workforce, and effectiveness of those actions

The company has implemented comprehensive initiatives to retain talent, to improve their well-being, promote diversity, equity, and inclusion (DEI), and provide equal opportunities for continuous learning and leadership development. These efforts include creating equal opportunities for continuous learning and leadership development, alongside strategic investments to build an inclusive and equitable workplace.

These initiatives cover a wide range of activities, including training programs, leadership development, and wellbeing and DEI initiatives. They extend across all of WithSecure’s locations globally, ensuring that employees in every region benefit from these initiatives. This global implementation ensures a consistent approach to training, leadership development, and DEI, while also allowing for regional adaptations to meet specific local needs and contexts. The scope of these efforts is WithSecure’s own operations.

WithSecure aims to increase the total hours spent on learning compared to the previous year, demonstrating its commitment to fostering continuous growth, providing meaningful development opportunities, and retaining talent.

In 2024, WithSecure introduced the LinkedIn Learning platform to all employees, reinforcing the company’s commitment to continuous growth and development. This platform provides curated content aligned with strategic capabilities, supporting employees in developing skills critical to business success. Regular monitoring of course participation ensures that the platform is actively leveraged. WithSecure plans to intensify its use in 2025.

Leadership development remains as another core focus in this area. The values-based leadership program continues to be a cornerstone, supplemented by an expanding leadership development portfolio.

The effectiveness of these initiatives is assessed through employee engagement surveys. These efforts encompass the entire workforce and are integrated into general operations, with no significant additional expenditures allocated to their implementation.

WithSecure aims for 90%of employees to have defined and documented personal development goals, promoting tailored growth opportunities. Line managers are supported through resources and training to conduct meaningful individual development discussions. The formal bi-annual discussions ensure equal access to growth opportunities while addressing employees' unique needs.

The effectiveness of this action is assessed by gathering employee feedback on development discussions conducted as part of the personal development plan process. This effort encompasses the entire workforce and is integrated into general operations, with no significant additional expenditures allocated to its implementation.

The focus is on enhancing the representation of female leaders among line managers and maintaining gender balance and nationality diversity within senior leadership roles. To achieve these targets, WithSecure has enhanced its WIDE strategy through a newly developed DEI dashboard, enabling data-driven management discussions to promote diversity across all levels. Additionally, a dedicated taskforce organizes initiatives throughout the year to strengthen DEI awareness and action.

The effectiveness of this initiative is measured through quarterly monitoring to ensure progress and alignment with the targets. It applies to the entire workforce and is embedded within general operations, requiring no significant additional expenditures.

WithSecure has established a goal to reduce the gender pay gap to a maximum of 5% by the end of 2027. To achieve this, the company will conduct a comprehensive gender pay gap analysis during the regular 2025 salary review process. This analysis will take into account geographical differences and job grading structures to ensure a nuanced and equitable approach. The initiative applies to the entire workforce and is integrated into general operations, requiring no significant additional expenditures.

WithSecure remains committed to systematically driving positive outcomes through these efforts, proactively addressing potential risks and mitigating any negative impacts to ensure sustainable progress.

S1-5 Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities

The effectiveness of these learning and development initiatives is assessed through employee engagement surveys and by tracking the utilization rates of mental health and learning resources. Feedback gathered through surveys and other channels is used to identify and implement timely, targeted actions throughout the year. More details about how WithSecure engages directly with its own workforce or workers' representatives in tracking the undertaking's performance and in identifying any lessons or improvements as a result of this performance can be found from the section “S1-2 Processes for engaging with own workforce and workers’ representatives about impacts”.

The new Diversity and Inclusion dashboard will offer insights into representation metrics, enabling ongoing progress monitoring and the identification of further actionable opportunities. It will also help the company identify any possible gaps and biases in hiring and promotions, mitigating risks of inequity.

In 2025, WithSecure is committed to continuing improving employee retention by prioritizing enhanced working conditions and promoting equal treatment and opportunities for all. The WIDE taskforce continues to serve as a key driver of well-being and DEI initiatives. An example future action is a series of well-being webinars planned for the year to support all members of WithSecure’s workforce.

Additionally, recognizing the critical role of skills development in maintaining a competitive edge, WithSecure remains dedicated to addressing skill gaps and nurturing leadership potential across the organization. In 2025, the company plans to launch a SaaS Academy as a key initiative to support its ongoing transformation. The academy focuses on reskilling and upskilling employees, ensuring that the company’s workforce has the necessary capabilities aligned with WithSecure’s strategy.

The targets related to these measures are increasing the total hours employees spent on learning from the previous year. Additionally, it is followed that 90% of employees have personal development goals defined and documented.

WithSecure has also established clear, outcome-oriented, and time-bound targets to reduce negative impacts, advance positive impacts, and manage material risks and opportunities within its workforce. These targets reflect the company’s commitment to fostering a learning culture, promoting diversity, and ensuring equal opportunities for all employees.

The baseline values for these targets are the 2024 reportable figures. No scenarios were used to define the targets. These targets are not science-based.

Gender Balance Among Line Managers: By the end of 2027, WithSecure aims to increase the representation of women among line managers across the company. This target reflects the company’s commitment to gender equity in leadership roles and ensures that decision-making processes are enriched by diverse perspectives.

Diversity Among Senior Leaders: WithSecure is committed to maintaining diversity among senior leaders, with a particular focus on maintaining both the number of nationalities represented and the proportion of female leaders within this group. This target emphasizes the importance of cultural and gender diversity in driving innovation and broadening the leadership perspective.

Gender Pay Gap: The company is committed to reducing the gender pay gap to a maximum of 5% by the end of 2027, focusing specifically on eliminating any unjustifiable differences in pay. This target underscores WithSecure’s dedication to equitable compensation practices.

The process for setting these targets involved members of company’s senior leaders, and the WIDE taskforce was consulted during the identification and validation of these targets. Insights from employee feedback channels were used to ensure that the targets reflect the workforce’s priorities and expectations.

WithSecure’s performance against these targets is tracked through quarterly reporting, and the company regularly evaluates progress to identify areas for improvement. Lessons learned from the company’s performance are incorporated into future goal setting to ensure continuous progress.

These initiatives reflect WithSecure’s commitment to advancing positive impacts on the company’s workforce, reducing any negative impacts, and managing material workforce-related risks and opportunities in alignment with WithSecure’s broader sustainability program.

S1-6 Characteristics of the undertaking’s employees

The data represents employee characteristics as of the end of the reporting period, measured by headcount regardless of employees' full-time or part-time designation.

During the reporting period, a total of 270 employees left the company, resulting in a turnover rate of 26.5 %. The turnover rate is calculated by dividing the total number of employees who left during the reporting period by the average number of employees employed during that same period. Our voluntary employee turnover rate is 16.2 %. The higher total turnover rate is a result of the operating model change and related reorganization in late 2023.

The disclosed total employee figures correspond to those in the most representative workforce-related section of WithSecure’s financial statements for the reporting period, ensuring alignment between sustainability and financial disclosures.

Employees by contract type, broken down by gender (headcount)

Employee head count in countries where the undertaking has at least 50 employees representing at least 10% of its total number of employees.

S1-7 Characteristics of non-employees in the undertaking’s own workforce

WithSecure classifies non-employee workers into three groups based on their roles and contracts.

• Contingent workers are self-employed individuals operating through their own companies, providing services under tailored agreements aligned with WithSecure’s standards.

• Consultants through frame agreements are professionals employed by larger firms with group-level agreements, offering resources and expertise while adhering to WithSecure’s policies.

• Non-information workers (no IT access) are workers under group-level agreements who perform operational roles without needing IT tools, governed by security-focused contracts.

At the end of the reporting period, WithSecure’s workforce included 158 non-employees, reported in headcount. This figure is based on the total number of non-employees at that time. When tracked and monitored monthly during the year 2024, the number of non-employees ranged from a minimum of 104 to a maximum of 160, based on the status at the end of each month.

S1-8 Collective bargaining coverage and social dialogue

WithSecure is committed to ensuring that the terms and conditions of employment for its workforce are shaped by fair and inclusive processes, fostering a positive work environment and sustainable business practices.

42.6 % of WithSecure’s total employees were covered by collective bargaining agreements during the reporting period. This percentage is due to the collective bargaining agreement in place for employees in Finland, where coverage is 92.7 %. Employees in other locations are not covered by collective bargaining agreements. WithSecure supports its employees’ rights to organize and engage in collective bargaining, where applicable under local laws and practices.

WithSecure aligns with internationally recognized labour standards and is dedicated to maintaining open dialogue with employee representatives to address workplace matters collaboratively. However, the company does not collect information on whether its employees are members of any labour unions to respect their privacy and uphold principles of non-discrimination and neutrality regarding union membership.

WithSecure does not have any agreements in place for employee representation through a European Works Council (EWC), a Societas Europaea (SE) Works Council, or a Societas Cooperativa Europaea (SCE) Works Council.

Like described under the section S1-1, WithSecure is strengthening collective bargaining coverage and social dialogue to foster a sustainable and inclusive work environment. In 2024, in Finland, WithSecure began developing a company-specific collective agreement, ensuring fair labour practices and treating employees with respect and transparency. By collaborating with employee representatives, the company has tailored the agreement to address workforce needs and industry standards, covering areas such as salary, work-life balance, and career development. This initiative supports mutual trust, regulatory compliance, and long-term workforce sustainability, reinforcing WithSecure’s commitment to being a trusted, preferred employer in the technology sector.

Collective bargaining coverage and social dialogue

S1-9 Diversity metrics

WithSecure is committed to fostering a diverse and inclusive workforce.

Senior leaders at WithSecure includes the CEO and the two organizational layers directly below the CEO, along with leaders holding specific job grades. At this level, 45 individuals are represented, with 33.3 % women and 64.4 % men. These figures are calculated based on the total number of individuals in top management and their respective gender distribution.

Regarding the overall workforce distribution, 15.1 % of employees are under 30 years old, 70.0 % are between 30 and 50 years old, and 14.9 % are over 50 years old. These percentages are derived from the total number of employees and their age groups.

S1-10 Adequate wages

All WithSecure employees are paid an adequate wage, aligned with applicable benchmarks. The company conducts annual salary reviews, utilizing relevant external global benchmarks to assess and implement any necessary adjustments. This process ensures that wages remain adequate for all employees, in line with market standards, and are consistently adjusted to reflect changing economic conditions, ensuring fairness across the entire workforce.

S1-11 Social protection

WithSecure ensures that all its employees are covered by social protection against the loss of income due to sickness, unemployment, employment injury and acquired disability, and parental leave. This coverage is provided either through public social protection programs or through benefits offered by the company.

• Sickness: All employees are covered and have access to healthcare and support in case of illness.

• Unemployment: In the event of unemployment, WithSecure is committed to providing support for reemployment, including partnerships with external organizations during company restructuring.

• Employment Injury and Acquired Disability: Employees are covered by insurance and appropriate social programs that ensure income security in the event of injury or disability incurred during employment.

• Parental Leave: WithSecure provides paid parental leave to all employees to support them during family-related events.

• Retirement: All employees are covered for income security in retirement, either through public pension programs or employer-sponsored private benefit plans, depending on the country.

WithSecure is committed to ensuring comprehensive social protection for its employees, fostering financial security and well-being during critical life events. By providing coverage through public programs or company-offered benefits, WithSecure upholds its responsibility to support employees across all regions.

S1-12 Persons with disabilities

WithSecure does not collect information on employees’ disabilities, reflecting its commitment to inclusivity and non-discrimination. This approach is consistent with the General Data Protection Regulation (GDPR), which emphasizes safeguarding personal data and protecting privacy.

By refraining from collecting sensitive information such as disability data, WithSecure minimizes potential privacy risks and ensures compliance with GDPR’s principles of data minimization and purpose limitation. Instead, the company fosters an inclusive work environment through proactive initiatives and policies that support diversity and equal opportunity.

S1-13 Training and skills development metrics

WithSecure provides equal opportunities for everyone to learn, grow, and succeed, with a strong focus on increasing employee engagement and retaining top talent. This commitment is crucial for attracting and retaining talent, as well as maintaining high competence levels within the organization. WithSecure believes that continuous learning and professional development are vital for both individual and organizational success.

WithSecure’s learning philosophy is grounded in the 70-20-10 model, a widely recognized framework for effective skill acquisition. By integrating this approach, the company empowers its employees to learn dynamically, fostering an environment where real-world application and collaboration are prioritized alongside structured learning.

In 2024, WithSecure has placed a strong emphasis on upskilling activities that align with the company’s strategic capabilities. These focus areas include leadership development, artificial intelligence, Software-as-a-Service, customer success management, and partnership management. By honing these essential skills, WithSecure is preparing its workforce for the evolving demands of the industry and ensuring that the company’s employees are equipped to navigate the complexities of today’s business landscape.

To further enhance learning opportunities, WithSecure has introduced LinkedIn Learning as a valuable resource accessible to all employees. Also, non-employees who have access to company resources are provided an access to this learning platform. LinkedIn Learning offers a vast array of courses across various topics, enabling WithSecure’s workforce to pursue their interests and develop new skills at their own pace. With thousands of learning modules available, the company’s employees can customize their learning journeys, fostering a culture of self-directed growth and continuous improvement.

WithSecure also remains committed to the company’s values-based leadership program that is designed to cultivate leaders who not only excel in their roles but also embody the values and principles that define WithSecure. By focusing on values-driven leadership, WithSecure creates a cohesive and motivated leaders that inspire and guide the company’s people toward shared goals.

Supporting career development is another critical aspect and WithSecure recognizes that line managers play a vital role in this process, which is why the company has trained them to conduct meaningful development talks with their team members. These discussions empower employees to set personal development goals and create tailored plans that align with their aspirations. By fostering open communication and providing guidance, WithSecure ensures that its employees feel supported in their career growth and are equipped to reach their full potential.

During the reporting period, WithSecure followed the company management's plans by conducting both a performance review and a career development review for each employee. 75.9 % of employees participated in the annual performance review conducted during the first quarter of the year. This participation rate, when broken down by gender, was 74.8 % for women and 76.5 % for men. 78.8 % of employees participated in the annual career development review conducted during the third quarter of the year. This participation rate, when broken down by gender, was 72.9 % for women and 81.4 % for men. The participation rates are calculated based on the completion of the review task by employees’ line managers in the performance management tool, using the employee headcount at the end of the reporting period.

To further support employee development, the average number of training hours per employee was 6.3 , with women averaging 6.4 hours and men averaging 6.3 hours. These figures include a combination of training hours logged through virtual and in-person courses recorded in the learning management system, as well as hours spent on the other available learning platform. Additionally, WithSecure encourages ongoing learning by providing opportunities for both individuals and teams to engage in external training programs. Notably, the hours dedicated to these external training opportunities are not included in the reported averages.

A key metric tracked by WithSecure to assess the effectiveness of its development programs is employees' perception of having opportunities to learn and grow within the company. In the most recent employee engagement survey, 73% of respondents agreed or strongly agreed that they had sufficient opportunities for learning and growth.

Training and skills development metrics

S1-14 Health and safety metrics

WithSecure is deeply committed to the health, safety, and wellbeing of its workforce, recognizing that the company's success is intrinsically linked to the wellbeing of its employees. The company adheres rigorously to all local regulations and requirements in every country where it operates, ensuring that its health and safety management system is comprehensive, robust, and effective. Currently, all workers are covered by local health and safety practices. This commitment will be formalized through a new global health and safety policy, which will be published in early 2025. The policy ensures that 100% of employees are covered by the health and safety management system that is regularly reviewed and updated to ensure its effectiveness and ensure continuous improvement. Local policies will align with applicable local laws and legislation. It reflects WithSecure's proactive approach to fostering a safe, supportive, and inclusive workplace, going beyond mere compliance with legal standards.

WithSecure’s WIDE strategy includes not only physical health and safety measures but also mental health support programs to ensure the holistic wellbeing of employees. These programs include self-care tips, access to community support networks, and resources to address mental health challenges, making it a core part of the company’s health and safety framework.

During the reporting period, three workplace accidents were reported. The information was gathered from employees responsible for recording workplace accidents within their respective regions. All reported incidents were thoroughly reviewed and investigated internally, with necessary procedures implemented to ensure compliance with safety regulations. This process supports accurate documentation and comprehensive analysis of workplace safety.

In accordance with the ESRS standard, WithSecure has exercised its option to omit data on cases of work-related ill health and the number of days lost to injuries, accidents, fatalities, and work-related ill health during the first year of preparing its sustainability report.

Table: Health and safety incidents

* WithSecure has chosen to use the transitional provision related to omitting the data points on number of cases of work-related ill-health and on number of days lost to injuries, accidents, fatalities and work-related ill health for the first year of preparation of its sustainability report.

S1-15 Work-life balance metrics

WithSecure is committed to supporting its employees' work-life balance, ensuring that everyone in the workforce has access to family-related leave and benefits that help accommodate family needs. The company offers a range of family-related leave entitlements, including parental leave, paid compassionate leave, and flexible working arrangements, which are essential components of WithSecure’s approach to creating a supportive and inclusive work environment.

Entitlement to Family-Related Leave

100% of WithSecure employees are entitled to take family-related leave, including parental leave, paid compassionate leave in the event of the death of a close family member, and flexible working arrangements. The percentage of entitled employees who took family-related leave is calculated based on records in the HR system, which is used to document all absences.

WithSecure provides flexible working arrangements that allow employees to manage family-related matters, such as flexible hours and remote work options. The company also has a remote work policy and a remote work abroad policy to further support employees in balancing work and personal commitments.

Utilization of Family-Related Leave

WithSecure ensures that all employees are entitled to take family-related leave and is committed to fostering a workplace where everyone feels equally supported in utilizing these benefits. Utilization rates are monitored through the HR system, which records the number of employees taking family-related leave and the types of leave utilized.

Work-life balance metrics

S1-16 Compensation metrics (pay gap and total compensation)

WithSecure is committed to promoting equal pay and reducing pay disparities across its workforce. To provide further transparency and ensure alignment with its principles of fairness and equity, the company will start monitoring key remuneration metrics, including the gender pay gap and the ratio between the highest paid individual and the median remuneration of its employees during 2025. WithSecure takes a proactive approach to managing compensation and ensuring fairness across its workforce. The company uses global benchmarks and industry standards to assess and adjust compensation regularly.

Gender Pay Gap

The gender pay gap at WithSecure is calculated as the percentage difference between the average pay levels of female and male employees, expressed relative to the average pay level of male employees. To ensure comparability, the annual salaries of employees who work part-time have been adjusted to full-time equivalent figures. In addition to base pay, the analysis includes short-term incentives and sales incentives at their target levels for eligible individuals. The short-term incentive program is provided equally to all employees at certain job grades, while the sales incentive plan applies to everyone in sales roles. Long-term incentive plans are not included in this calculation. As of the most recent reporting period, the gender pay gap at WithSecure stands at 16.2 %. The company has consistently prioritized addressing potential gender pay disparities, considering factors such as geographical differences and job grading structures. WithSecure remains committed to fostering pay equity by regularly reviewing and refining its compensation practices to support fairness and inclusivity.

Total Remuneration Ratio

WithSecure also discloses the ratio of the remuneration of the highest-paid individual to the median total remuneration of all employees (excluding the highest-paid individual). This ratio for the current reporting period is 7.2. The annual total remuneration is calculated as a combination of base salary, the target-level payout for short-term incentives (STI), and the target-level payout for sales incentives, where applicable. Additionally, the monetary value of the actual long-term incentive (LTI) payouts made in 2024 is included. The calculation is based on 961 employees, representing the global workforce of WithSecure as of the end of 2024. The median remuneration is determined by averaging the total remuneration of the two employees situated at the midpoint of the remuneration distribution.

S1-17 Incidents, complaints and severe human rights impacts

WithSecure is committed to maintaining a respectful, inclusive, and safe work environment for all employees. All complaints of discrimination, harassment, or any form of workplace misconduct are taken seriously, and grievance mechanisms in place to ensure that all employees have the opportunity to raise concerns in a safe and confidential manner.

During the reporting period, five (5) complaints were filed through these mechanisms, which were handled with due diligence and in compliance with WithSecure’s company policies. This figure is calculated based on the records maintained by the HR department and includes all complaints received through formal mechanisms. All complaints were thoroughly investigated in accordance with WithSecure’s internal grievance procedures, with appropriate actions taken to address the concerns raised. The investigation process involves a detailed review of each complaint by the HR team, interviews with relevant parties, and documentation of findings and actions taken. No incidents of discrimination, including harassment, were reported, no severe human rights violations were identified and no fines, penalties, or compensation payments were incurred during the reporting period. WithSecure remains committed to continuously monitoring, enhancing, and reinforcing its policies and procedures to foster a respectful, inclusive, and ethical work environment.

Discrimination and Human Rights Incident Metrics

ESRS S4 - Consumers and end-users

SBM-3 Material impacts, risks and opportunities related to consumers and end-users

WithSecure is in the business of providing software and related cyber security services. WithSecure has identified the material impacts, risks and opportunities related to business conduct based on the double materiality assessment introduced in its own section “SBM-3 Material sustainability-related impacts, risks and opportunities”. The ESRS sub-topic of “Information related impacts for consumers and end-users” and specifically the sub-sub-topic of “Privacy” was recognised as of importance.

As WithSecure provides services to other companies, the scope of interest in the S4 standard covers the end-users of WithSecure’s software and services, as WithSecure has no offering to consumers. These end-users have been identified as the employees of WithSecure’s customer companies.

WithSecure operations have a major positive impact on society through its end-users. The positive implications of WithSecure’s core business of enabling a well-working digital society and the related privacy and cyber security considerations are significant. This positive impact has been assessed to materialize in short term in the downstream value chain.

On the other hand, these same topics are also associated with both financial risks and opportunities for WithSecure. The opportunity of answering to end-user’s needs as well as the risk of increased investment needs due to developing legislation have been assessed to materialize in the short term, while the risk of being a target for malicious activities has been assessed as a medium-term risk.

As WithSecure is in the business of cyber security, the privacy and security of the personal data related to the end-users trusted in the company’s care is of utmost importance. Mitigating significant impacts on end-users is integrated into the strategy and business model of WithSecure by constantly elevating the company’s privacy and security posture to minimize the risk of data breaches. Simultaneously, a strong cyber security posture is essential for WithSecure and thus WithSecure’s own related processes and assets have a fundamental role in elevating the internal security posture. It is also important to recognize that security is a prerequisite of privacy, one cannot fully exist without the other.

These topics are strongly linked to WithSecure’s core business. The interests, views, and rights of WithSecure’s end-users are key drivers of the company’s strategy. WithSecure’s business model is built on understanding and addressing the needs of its end-users. By prioritizing these aspects, WithSecure ensures that its products and services are aligned with the expectations and requirements of those it serves. This alignment not only enhances customer satisfaction but also strengthens the company’s market position and long-term sustainability.

S4-1 Policies related to consumers and end-users

End-users are at the heart of WithSecure’s privacy and security processes, due to the information-related impact WithSecure is able to exert. Due to this impact, WithSecure has a set of policies guiding the company’s information related conduct. WithSecure has separate policies for cyber security and privacy related matters. The most senior level accountable for the implementation of these policies are the GLT members of each business unit most closely associated with the respective policy.

WithSecure’s privacy principles together with the WithSecure Personal Data Policy make up the basic pillars of WithSecure’s privacy practices. WithSecure’s privacy principles are available on the company’s website.

WithSecure’s first and foremost privacy principle reiterates the data minimisation principle that the company only asks for personal data if it is needed to serve the customer. WithSecure also carefully partners with service providers who share the company’s commitment to privacy and security. These principles are there as a reminder of the basic privacy principles relevant for WithSecure’s business and ultimately ensure compliance with relevant applicable laws and regulations and to ensure and respect data protection as a fundamental right, more specifically ensuring the right to privacy of WithSecure’s end-users. WithSecure also adheres to the data protection principles set out in the GDPR. To ensure privacy by design these principles are reiterated in the WithSecure Personal Data Policy.

The policies related to privacy are designed to respect the privacy of WithSecure’s end-users while allowing the use of personal data for the delivery of the company’s services. For example, WithSecure does not take into use any tools or offer services without having conducted a robust privacy impact assessment, if the tool or service is used to process personal data. The WithSecure Personal Data Policy is reviewed annually at a minimum and updated when needed. As per the WithSecure Privacy Strategy the privacy processes and documentation are meant to be as simple as possible to maximise compliance scalability, so that each individual employee can uphold the level of privacy expected from employees of a cyber security company.

WithSecure’s policies related to consumers and end-users ensure that WithSecure’s operations and value chain activities align with the company’s commitment to sustainability, privacy, and human rights. By integrating these principles into both upstream and downstream activities, WithSecure aims to create a positive impact across its entire value chain, fostering a culture of responsibility and ethical conduct.

For upstream impacts in the value chain, WithSecure conducts supplier assessments and reviews that they abide by WithSecure’s standards of business conduct. This is described in more detail in the section “G1-2 Management of relationships with suppliers”. In terms of own operations, WithSecure provides comprehensive training to employees on data protection and privacy, ensuring they handle data responsibly. Downstream activities involve delivering services to end-users, maintaining privacy and security practices, and engaging with customers to address any concerns. To support both up- and downstream activities, WithSecure regularly reviews and updates its privacy and security policies to reflect the latest regulatory requirements and industry best practices.

Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. WithSecure has considered the interests of key stakeholders, including employees, customers, suppliers, and investors, in the formulation of its policies. This was achieved through for example discussions to gather their input and ensure their concerns are included and addressed. For example, WithSecure conducted stakeholder meetings to collect feedback on privacy and security practices, which were then incorporated into the policy development processes. Thus, the stakeholders have been involved and their views have been included in the policy.

WithSecure ensures that all its employees are aware of and comply with its internal policies by including them in the mandatory onboarding process and as part of mandatory trainings. All policies are accessible to WithSecure employees for example in WithSecure’s intranet and any changes to them are communicated group wide. Certain policies are also publicly available. Especially policies relevant to affected stakeholders, such as the Code of Conduct and Whistleblowing policy, are readily available on WithSecure’s website. More information about these can be found in the section “G1-1 Business conduct policies and corporate culture”. In terms of third parties, WithSecure ensures compliance with relevant internal policies by including them in the contractual framework as appendices to agreements. All WithSecure policies are regularly reviewed and monitored to ensure compliance and identify areas for improvement. These measures help ensure awareness of and adherence to the policies.

In respect to human rights regarding WithSecure’s policies in general, WithSecure is committed to honouring internationally recognized human rights standards as is outlined in the company’s Code of Conduct. No severe human rights issues and incidents connected to WithSecure’s end-users have been reported within WithSecure’s own operations, where the UN Guiding Principles on Business and Human Rights, the ILO Declaration on Fundamental Principles and Rights at Work, or the OECD Guidelines for Multinational Enterprises would not have been respected.

As a software and services provider, WithSecure has limited capabilities of impacting the human rights of its end-users. This is primarily because WithSecure's products and services are designed to support business operations rather than directly interact with individuals in a way that could affect their fundamental rights.

In case of any observed discrepancies in the downstream value chain, the end-users can engage with WithSecure through various channels, including public-facing contacts and direct internal contacts. These have been detailed in the section “S4-2 Processes for engaging with consumers and end-users about impacts”.

WithSecure continuously assesses the impact of privacy regulations in its operations and identifies key regulatory requirements arising from them. This policy addresses the requirements by implementing relevant compliance processes and controls. 

Compliance with data protection principles is ensured for example by the privacy impact assessment process.

This policy applies to all employees and contractors at WithSecure or any of its subsidiaries. The policy is reviewed annually, where stakeholder consideration and feedback can be implemented.

This document aims to outline the main focus areas for WithSecure’s privacy management activities, and specify a common ambition level and risk appetite for all WithSecure privacy activities.

The primary audience for the policy are all employees whose duties require an understanding of the company's strategic privacy ambitions.

The policy is reviewed regularly, where stakeholder consideration and feedback can be implemented.

This process describes how suspected personal data breaches are reported, investigated and notified to the authorities and data subjects.

The policy applies to all employees at WithSecure. The policy is reviewed annually, where stakeholder consideration and feedback can be implemented.

The purpose of this document is to describe WithSecure’s internal process regarding the handling of data subject requests to comply with its obligations and ensure fulfilment of data subject rights as set out in the GDPR.

All employees at WithSecure need to be aware of the process. The functions/employees that need to abide by the process are Customer Care, GDPR Coordinators, system owners and Managers.

Cyber Security Principles defines the objectives of cyber security management, roles and responsibilities, and the principles for the implementation of those objectives. The document applies to all employees and any third parties that have access to WithSecure data. 

To ensure the fulfilment of WithSecure’s cyber security objectives, the management of information security integrated to the mandate of WithSecure Chief Information Security Officer (CISO). The CISO reports to the CEO and the Audit Committee of the Board of Directors. Software security is led by the Chief Architect who reports to the Chief Product Officer (CPO). Privacy is led by the Data Protection Officer (DPO) who reports to the Chief Legal Officer (CLO).

Cyber Security Principles is reviewed after major changes in the company direction, strategy or organization.

Lifecycle Security Policy (LSP) ensures that privacy and security requirements are covered within all products and services throughout the states of the lifecycle: design, development, and operation.

The policy includes requirements such mandatory access control analysis, threat modelling and privacy impact analysis (In case of a system processing personal information).

This policy applies to all systems, products, and services used and sold by WithSecure. The policy is reviewed annually, where stakeholder consideration and feedback can be implemented.

Information Security Classification Policy describes the requirements for processing information throughout its lifecycle. It provides rules on how to classify the information and how the information is to be accessed, stored, transferred, and destroyed per the classification. The classification has four levels: public, internal, confidential and restricted access documents.

The policy applies to all employees, temporary staff, consultants, contractors, and suppliers working for, or on behalf of the company, who have access to any company information. The policy is globally applicable and applies to any location where information assets can be found or accessed from.

All company information assets have an owner. The owner is responsible for proper classification of information. The owner and their seniority vary per information asset. The policy is reviewed annually, where stakeholder consideration and feedback can be implemented.

Acceptable Use Policy defines the acceptable use of the company information and other assets. It includes information security requirements for example for remote and mobile work, removable media use, taking assets off-site, usage of external services as well as the clear desk and screen policy.

This policy applies to all employees, temporary staff, consultants, contractors, and suppliers working for, or on behalf of the Company and have access to any Company information systems and assets. This is globally applicable and applies to any location where the information systems and assets reside or are accessible from.

Personnel are responsible for keeping the devices, and the company’s information systems and assets safe. The policy is reviewed annually, where stakeholder consideration and feedback can be implemented.

This policy defines rules for accessing applications, systems, equipment, networks, facilities, and information, based on business requirements. It describes how users authenticate to WithSecure systems and services, and how passwords are managed. The principles of access control are the rule of least privilege/need to know.

This policy applies to all employees designing, maintaining, and/or giving access to company applications, systems, networks or services. The policy is globally applicable. Every WithSecure employee is required to implement the Access Control Policy into their system management and operation. The principles of access control are the rule of least privilege/need to know.

The policy is reviewed annually, where stakeholder consideration and feedback can be implemented.

Baseline Security Policy describes the requirements for system operations. This policy defines requirements for as an example for operations security (such as vulnerability management, intrusion detection, anti-malware system, system hardening, backups), user access management (e.g. session security) and access control (e.g. limiting the access to management ports), usage of cryptography (e.g. encrypted connections), data protection (e.g. pseudonymization), Logging and monitoring.

The policy applies to all employees, temporary staff, consultants, contractors, and suppliers working for, or on behalf of the company, who and have access to any company information. The policy is globally applicable.

The policy is reviewed annually, where stakeholder consideration and feedback can be implemented.

Business Continuity Management Policy defines the principles for business continuity management at WithSecure, including roles and responsibilities and objectives. It also describes the business continuity management framework where the foundation is the company risk management, followed up with the business analysis of the main threads stemming from the risk management activity and the preparation measures as business continuity and recovery plans. The policy also sets the requirement for annual review/training/testing of the recovery plans.

The policy is intended for employees responsible for business continuity management and disaster recovery and implementation of related practices at the company. The policy is reviewed annually, where stakeholder consideration and feedback can be implemented.

S4-2 Processes for engaging with consumers and end-users about impacts

WithSecure’s end-users’ perspectives have been integrated into impact, risk and opportunity management holistically. The end-users of WithSecure’s software and service were interviewed as part of the stakeholder interviews conducted for the double materiality analysis.

The end-users have been involved and their views have considered in identifying the material impacts, risks and opportunities related to them and in managing these aspects. An extensive analysis of the perspectives of WithSecure’s partners and customers was conducted during the double materiality analysis. Stakeholder views and feedback were thoroughly investigated and integrated into WithSecure’s operations. These perspectives inherently included the views of the end-users they represent.

In terms of ongoing engagement between WithSecure and end-users, there are feedback and engagement channels available that for example WithSecure’s partners can use to engage in dialogue or that the software and service end-users can use to send in feedback through the support services provided. The sales function at WithSecure is particularly committed to delivering the feedback from the company’s end-users and making sure that their concerns and needs are met.

The publicly available privacy policies provide access to support channels. For certain privacy and cyber security related internal policies, there is a WithSecure Trust Center-website, where the end-users can validate requests for security evidence. There is also separate contact information available for the end-users to be in contact directly with WithSecure’s data protection officer. In terms of privacy specifically, WithSecure has a customer support channel for privacy and data subject related requests and a data subject access (DSAR) process which sets out the process for any data subject request made by end-users or their representatives. The whistleblowing channel is an engagement channel also available for everyone, including WithSecure’s end-users.

S4-3 Processes to remediate negative impacts and channels for consumers and end-users to raise concerns

As general approach to contribute to remedy identified negative impacts for end-users in instances where they have raised concerns, WithSecure has a customer care and support channel in place. These channels enable a timely response to concerns flagged by WithSecure’s end-users.

The responsibility receiving end-user feedback and engaging in dialogue is shared across various departments at WithSecure, including sales, customer service, and specific contacts for privacy and other matters. This ensures comprehensive engagement and timely delivery of key information to end-users, enabling prompt internal decision-making.

In terms of information security, monthly Information Security Management System (ISMS) meetings are held to report relevant security and privacy matters to upper management. This process ensures that appropriate and timely actions can be taken to address potential negative impacts for WithSecure’s end-users.

There are several internal functions and senior roles connected to these engagements. For example, the CISO office representative presents a monthly operational review. Here the monthly privacy reports, concerns and activities are assessed. The CISO reports to the Board’s Audit Committee twice a year. In these instances, the CISO gives an overview of the then current situation, including possible – if any – material incidents and risks impacting security and privacy in the company. The Data Protection Officer (DPO) reports a privacy overview (including the current state of WithSecure’s privacy posture) to the Security Steering Group once per year. This group includes the Global Leadership Team (GLT) and convenes on quarterly basis.

As part of the continued work to building the end-users’ awareness and trust in WithSecure’s data protection efforts and commitment to transparency, WithSecure has in place engagement methods that can be accessed by publicly available privacy policies and privacy principles. As a method to increase trust, WithSecure has a whistleblowing channel managed by a third party. This also ensures a level of protection against retaliation. More information about the whistleblowing channel and whistleblowing policy can be found in the section “Protection of whistle blowers” under the section “G1-1 Business conduct policies and corporate culture”.

S4-4 Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions

The main actions through which WithSecure is able to mitigate possible negative impacts and risks while simultaneously maintaining possible externalities from positive impacts and opportunities is through raising awareness internally and externally as well as keeping chosen policies and certifications up to date. One of the aims of these actions is to avoid causing or contributing to negative impacts on WithSecure’s end-users through its own practices. By maintaining employee awareness and up-to-date operational practices, these impacts can be minimized. As WithSecure operates in the cyber security industry, the interest in staying on top of these matters is shared by the business while simultaneously being closely connected to the interests of WithSecure’s stakeholders, including WithSecure’s end-users.

WithSecure is committed to increasing privacy awareness and supporting its partners and end-users in a privacy and cyber security perspective. This includes maintaining privacy and cyber security awareness of WithSecure’s workforce. The awareness raising through dedicated trainings is continuous. Mandatory trainings on Privacy and Cyber Security Awareness are a part of the onboarding process of new employees. Retaking the Cyber Security Awareness training annually is mandatory to all employees. No significant expenditures are allocated for these trainings, as they are considered to be a part of general operation.

The DPO arranges additional internal privacy trainings on an ad hoc basis with focus on specific business units or internal functions for WithSecure employees. Any WithSecure employee that manages tools, products or services that are used to process personal data, are expected to complete a privacy impact assessment training. The completion of these trainings is followed to ensure compliance.

As mentioned, keeping internal controls and policies up to date is another action WithSecure engages in to manage the identified material impacts, risks and opportunities. The scope is WithSecure’s own operations. The internal controls and policies are continuously managed. They are reviewed as needed, most of them at least annually. WithSecure has in place privacy and security documentation, including internal policies and processes that are updated and reviewed on a regular basis. For identifying actions needed in the event of a suspected data breach, WithSecure has a dedicated personal data breach management process. No significant expenditures are allocated for the awareness raising or keeping chosen policies and certifications up to date, as they are considered to be a part of general operation.

S4-5 Targets related to managing material negative impacts, advancing positive impacts, and managing material risks and opportunities

For the Privacy training, the completion rate target is 90% for all employees and 95% for new employees. For the annually mandatory Cyber Security Awareness training the completion rate targets are similarly 90% for all employees and 95% for new employees. A full 100% is not always attainable, as due to possible issues with statistics and reporting systems as well as personnel changes and leaves of absence, an error margin of sorts has to be tolerated.

The awareness raising about Privacy and Cyber Security Awareness is measured through following the completion rate of both of these trainings. The target for these metrics showcases the degree of which the employees have been made aware of the Privacy and Cyber Security Awareness related information and expected standard of operations at WithSecure. The target is a percentage and relative to the number of employees the company has. The measured unit is number of employees who have completed these trainings.

The targets' scope are all persons working for WithSecure, anywhere WithSecure operates. The targets are measured continuously, and the rate is reviewed at least annually. The Cyber Security Awareness training completion rate is reported internally on a monthly basis. These completion rates are available directly from the training platform. Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. Thus, the stakeholders have been involved and their views have been included in the setting and choosing of the targets.

The baseline values for these targets are the 2024 reportable figures. Milestones and interim targets include reviewing the stated target completion rates continuously, so that they are achieved at a minimum annually, and maintaining these rates at or above the targets in subsequent years. For the Privacy training, the completion rates for 2024 were 93% for new employees and 92% for all employees. For the Cyber Security Awareness training the completion rates for 2024 were 100% for new employees and 96% for all employees. The performance is in line against the target for the cyber security training and very close to target for the privacy training. The training completion rates have stayed at appropriate levels. This indicates that WithSecure’s efforts to maintain high training completion rates are quite effective, enhancing compliance and security awareness within the company. WithSecure explores methods to improve the privacy training completion rate during the year 2025.

The status of the internal controls and policies being kept up to date is measured through the number of major security incidents WithSecure has faced during the year as well as whether WithSecure has maintained achieved cyber security certifications and assurance statuses. In terms of the major security incidents, they are categorized as major according to NIS2 directive requirements.

The target showcases the degree of which the company has been able to avoid significant cyber security incidents, indicating proper cyber security management and measures. The measured unit is an absolute amount of major cyber security incidents that WithSecure has faced during the fiscal year. The target's scope is WithSecure operations. The target is measured continuously, at least annually. Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. Thus, the stakeholders have been involved and their views have been included in the setting and choosing of the targets. The target is no major incidents. Performance is in line with the target, as there were no major security incidents during the year 2024. The incidents are categorized as major according to NIS2 directive requirements.

For the cyber security certification action, the metric is that the achieved certification is maintained. In particular, it is expected that WithSecure receives the globally recognised ISO 27001 certification that is audited annually by an external party. The target demonstrates how well WithSecure’s conduct aligns with internationally recognised ISO 27001 certification, indicating compliance with a specific standard for information security management systems. The target is to maintain the ISO 27001 certification annually. The measurement unit is whether the certification is upheld or not. This target applies to selected WithSecure operations and is monitored continuously, with at least an annual review. Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. Thus the stakeholders have been involved and their views have been included in the setting and choosing of the targets. Performance is in line with the target. The ISO 27001 certification was maintained for the year 2024.

Governance information

ESRS G1 - Business conduct

SBM-3 Material impacts, risks and opportunities related to business conduct

WithSecure has identified the material impacts, risks and opportunities related to business conduct based on the double materiality assessment introduced on its own section “SBM-3 Material impacts, risks and opportunities related to business conduct”. The ESRS sub-topics of “Corporate culture”, “Protection of whistle blowers”and “Management of relationships with suppliers including payment practices” were identified as material topics for the company.

Impact-wise. WithSecure is able to exert a positive impact on business conduct through well-managed business practices and safeguards, such as the company’s whistleblowing channel. WithSecure has a positive impact on supplier management, through the company’s emphasis on ethical business practices. Both of these positive impacts are present throughout the value chain and the impacts are identified to materialize in the short term.

WithSecure has not identified any material financial opportunities related to business conduct. The company believes that the positive effects of its business conduct are primarily external, as indicated by the material positive impacts.

Here the company sees that the positive implications of the company’s business conduct are more external, as the identified material positive impacts indicate.

The possible business conduct-related financial risks the company could face are related to corporate culture and supplier management. The implications of privacy risk and its impact on WithSecure’s reputation are heightened due to the industry the company operates in. This risk has been identified to impact the company in the short term. The other material financial risk pertains to supplier management and the investments that proper and ethical supplier practices require. This second risk has been assessed to occur in the medium term.

G1-1 Business conduct policies and corporate culture

WithSecure has determined a set of policies that are applied to the company’s conduct and complied with, for mitigating the identified material risks and emphasising the identified positive impacts. These integral policies are reviewed and accepted by the administrative and supervisory bodies after the inspection and approval of individuals from the management body. If there is a specific senior level accountable for the implementation of the specific policies, this is presented in the policy description. An in-depth description of the general role and expertise of the administrative, management and supervisory bodies is included in the “General information” section under the topic “GOV-1 – GOV-5 Sustainability governance”.

Several of the policies are publicly available, to ensure that WithSecure’s stakeholders have access to the information guiding WithSecure’s business conduct practices.

Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. Thus, the stakeholders have been involved and their views have been included in the policy.

The most senior level accountable for the implementation of these policies are the GLT members of each business unit most closely associated with the respective policy.

WithSecure has not identified any specific functions at risk. All new WithSecure employees are subject to a vetting process conducted by a third party. The scope of the vetting will be determined by the role and rights that the role has.

To ensure ethical business conduct from as many perspectives as possible, WithSecure has procedures to investigate business conduct incidents, which follow the same methodology as the whistleblowing channel. More information about the whistleblowing channel and whistleblowing policy can be found in the section “Protection of whistle blowers”.

Information about possible instances of unethical business conduct, such as instances related to corruption and bribery or whistleblowing reports of unethical conduct, are relayed to WithSecure’s Board of Directors through outcome reviews once per month, or more frequently is necessary. The process follows the same structure of procedure and recommended actions as the whistleblowing instances. When there is an incident that requires a response, WithSecure has an investigation process. There is no internal investigating body, but rather when suspicious activities are flagged, WithSecure engages in audit and assurance processes with external service providers.

In terms of procedures to promptly, independently, and objectively investigate business conduct incidents, WithSecure’s Audit Committee considers the need for and appropriateness of a separate Internal Audit function on a regular basis. To date, the Audit Committee has concluded that, due to the size, organizational structure and largely centrally controlled financial management of the company, a separate Internal Audit function is not necessary. In the absence of an Internal Audit function, attention is paid to periodical review of the written guidelines and policies concerning accounting, reporting, documentation, authorization, risk management, internal control and other relevant matters in all departments. Related controls are also tested annually. The guidelines and policies are coordinated by the company’s finance department with active involvement by the legal department.

WithSecure also has specific mechanisms in place to prevent corruption and bribery. One of the methods is monitoring expenditure related details. The company has a comprehensive invoice and payment management processes in place, to detect any attempted wrongful usage. Proper and comprehensive invoice management is in an important role. Another method for preventing, detecting and investigating possible acts of corruption or bribery is the whistleblowing channel that is discussed later in this section of the report under “Protection of whistle blowers”.

There have been no confirmed incidents of corruption or bribery, nor any related convictions or fines in 2024.

The main action for WithSecure to both remediate and mitigate the identified material risks while simultaneously promoting and emphasizing the positive impacts, is through raising awareness both internally to own employees as well as externally to stakeholders and other interested parties. This includes information related to both ethical business conduct as well as the protection of whistleblowers. The expected outcome of these actions is to create a well-informed workforce that understands and adheres to ethical business practices, thereby reducing risks and enhancing positive impacts. The awareness raising is continuous process that manifest in short, medium and long term. WithSecure maintains these actions through a selection of methods.

In terms of corporate culture and whistleblowing protection, one of the key methods for raising awareness is through the company’s Code of Conduct and related mandatory training. The Code of Conduct sets the high-level aims and ethical business standards that the company complies with. It also includes a dedicated section about the whistleblowing policy and whistleblowing channel for raising awareness about the protection of whistleblowers. During the year 2024 the Code of Conduct and the related training were updated. 

As privacy also appears in the material impacts risks and opportunities, WithSecure has implemented a mandatory privacy training for all employees. More information about the mandatory privacy training is presented in the S4 section "S4-4 Taking action on material impacts on consumers and end-users, and approaches to managing material risks and pursuing material opportunities related to consumers and end-users, and effectiveness of those actions".

All employees are required to complete these trainings. The Code of Conduct training is also completed by the Board of Directors. There are additional trainings for specific functions or groups related to other relevant policies, such as the export control policy related training. The financial resources for these actions are a part of general operations, with no significant expenditures related to sustainability specified. Other resources include the time and effort of WithSecure's internal experts. The costs are absorbed within the overall operational budget and are not separately itemized for sustainability purposes.

The awareness raising about ethical business practices and whistleblowing channel are measured through following the completion rates for the mandatory Code of Conduct and Privacy trainings. The completion rates for these trainings are available directly from the training platform. The training completion rate results are aggregated to show the completion rates of new employees and all employees. The expected outcome of these trainings is comprehensive training coverage across all levels of the organization, indicating widespread awareness and understanding of the company's ethical and privacy standards and ensuring that everyone is equipped with the necessary knowledge to uphold the company's standards.

Future actions will include regular updates to training materials and continuous engagement with employees and stakeholders to ensure ongoing awareness and adherence to these principles. This includes periodic reviews of the Code of Conduct and other relevant policies, along with updates to the related training materials. These efforts aim to address the emerging regulatory and internal policy changes, which will help in maintaining high standards of compliance.

Simultaneously in terms of employee engagement, a specific action continued in future periods is that the training completion rates are regularly monitored to ensure high level of participation and adherence. Additionally, WithSecure aims to enhance internal communication strategies to keep the company’s employees informed about updates and changes to the policies and training materials. These planned actions are designed to support in achieving policy objectives by ensuring that all employees are continuously informed and educated about the company's ethical standards.

Regular updates and reviews will help the company to adapt to new challenges and regulatory requirements, while targeted training sessions will address specific risks and compliance needs, while simultaneously enhancing the positive impacts WithSecure is able to attain through their business conduct. Through these actions, WithSecure aspires to promote a culture of continuous improvement and proactive risk management, supporting the achievement of its policy objectives.

Other efforts to provide remedies include ensuring thorough investigations and responses to the negative impacts. This may include protection, possible compensation and remedies to those impacted, for example through the externally managed whistleblowing process.

In terms of the value chain coverage of these actions, WithSecure engages with suppliers and partners in the upstream value chain to ensure they are aware of and adhere to its ethical standards and privacy practices. This includes providing resources such as WithSecure’s policies to support compliance and mitigate risks throughout the supply chain. Many of these policies include detailed guidelines for appropriate and acceptable business conduct. For the downstream value chain, WithSecure ensures that end-users are informed about the company’s ethical standards and privacy practices through clear communication and feedback channels, including a specific contact persons for privacy matters. These efforts aim to extend the positive impacts of WithSecure’s policies beyond the immediate organization.

One method for WithSecure to track the effectiveness of its business conduct related policies and actions specifically in relation to the material impacts, risks and opportunities, is through monitoring the completion rates for Code of Conduct training and the Privacy training. The company uses quantitative indicators to evaluate progress. The defined targets for tracking the effectiveness are set to ensure continuous improvement and alignment with industry best practices.

The methodologies used to define these targets include analysing historical training completion data and consulting with internal stakeholders. Significant assumptions made during target setting process include the availability of training resources, employee engagement levels and the reliability of the training platforms. No specific sustainability scenarios were used to define the targets.

These targets align with national, EU, and international policy goals by promoting ethical business conduct and data privacy, which are key components of regulatory frameworks, such as the EU GDPR. The targets also consider broader context of sustainable development by ensuring that all employees are equipped with the knowledge to uphold WithSecure’s ethical standards and privacy practices, thereby contributing to a more responsible and sustainable business environment.

In terms of targets, WithSecure follows that the completion rates for both of these trainings are 95% for new employees and 90% for all employees. A full 100% is not attainable always, as due to possible issues with statistics and reporting systems as well as personnel changes and leaves of absence, an error margin of sorts has to be tolerated. The scope of these targets is WithSecure’s own workforce.

The target showcases the degree of which the employees have been made aware of the Code of Conduct and WithSecure's ethical business conduct principles. The target is a percentage and relative to the number of employees the company has. The measured unit is number of employees who have completed the Code of Conduct and Privacy trainings. The target's scope are all persons working for WithSecure, in all locations WithSecure operates. The target is measured continuously, and the rate is reviewed at least annually. These completion rates are available directly from the training platform.

Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. Thus, the stakeholders have been involved and their views have been included in the setting and choosing of the targets.

The baseline values for these targets are the 2024 reportable figures. Milestones and interim targets include reviewing the stated target completion rates continuously, so that they are achieved at a minimum annually, and maintaining these rates at or above the targets in subsequent years. For the Code of Conduct training the completion rates for 2024 were 100% for new employees and 95% for all employees. For the Privacy training the completion rates for 2024 were 93% for new employees and 92% for all employees. The performance is in line against the target for the Code of Conduct training and very close to target for the privacy training. The training completion rates have stayed at appropriate levels. This indicates that WithSecure’s efforts to maintain high training completion rates are effective, contributing to a well-informed and compliant workforce, supporting in ethical business conduct. WithSecure explores methods to improve the privacy training completion rate during the year 2025.

Corporate culture

In addition to the Code of Conduct, WithSecure has various other company-wide and role-based compliance trainings, as well as guidelines and policies to support the decision-making in different situations. Of these, the following policies have been identified as important for WithSecure’s corporate culture in terms of the identified material impacts, risks and opportunities.

WithSecure’s Code of Conduct’s aim is to foster a culture that supports ethical conduct. The foundation of all activities at WithSecure is the Code of Conduct; it guides everything done at the company. It reflects the company’s business culture for ethical conduct, sets clear expectations on business conduct, and provides guidance for critical risk areas.

WithSecure’s Code of Conduct covers the following areas:

• Building and sustaining digital trust, confidence and equity

• Privacy and Security

• Intellectual Property Rights and Confidentiality

• Responsible use of A.I.

• Wellbeing, Inclusion, Diversity, and Equity (WIDE)

• Protecting Human Rights

• Sustainability

• No Bribery or Corruption

• Preventing Conflicts of Interest

• Securities Markets Compliance

• Trade Compliance

• Fair Competition

• Working with Responsible Suppliers

• Whistleblowing

The Code applies universally across the workforce, including employees, contractors, and business partners, ensuring adherence to consistent high ethical standards. Training and regular updates to the Code of Conduct are mandatory to ensure that everyone understands their responsibilities and the implications of non-compliance.

The Code of Conduct is publicly available on WithSecure’s website.

Please see section “S4-1 Policies related to consumers and end-users”

For fostering ethical business practices, WithSecure has committed to actions against corruption and bribery. The company’s anti-bribery policy is consistent with the UN convention against corruption.

The anti-bribery policy covers situations of WithSecure’s employees not giving or accepting gifts or hospitality that would exceed a certain level considered to be identifiable as corruption. An acceptable monetary level has been established.

The Anti-bribery policy applies to all persons working for WithSecure, anywhere WithSecure operates. The policy is available internally.

WithSecure has prepared an Insider Policy aligned with the Insider Guidelines of NASDAQ Helsinki. Inside information is defined as: “Information of a precise nature, which has not been made public, relating, directly or indirectly, to one or more issuers or to one or more financial instruments, and which, if it were made public, would be likely to have a significant effect on the prices of such financial instruments or on the price of related derivate financial instruments”.

The policy applies to all insiders. Anyone who has inside information is considered an insider, regardless of how the information has been obtained or whether the person has been included on a specific insider list. The policy is available internally.

Through the Modern Slavery Statement, WithSecure is committed to ensuring that there is no modern slavery or human trafficking in its supply chains, employment practises, or in any part of the business. This is also apparent in the Code of Conduct, which all suppliers are required to abide by, that states that WithSecure does not tolerate any use of child labour, any form of forced labour or any other human rights violations. While the policy requires suppliers to pass on compliance and contractual requirements to their sub-contractors, WithSecure does not have the means to monitor the compliance of the sub-contractors or suppliers' suppliers directly.

The guidance available to employees reflects the commitment to acting ethically in business relationships and to implementing and enforcing effective controls that ensure slavery and human trafficking is not taking place.

The statement applies to all employees, temporary staff, consultants, contractors, and suppliers working for, or on behalf of the WithSecure. The policy is globally applicable. The statement is available to employees as well as both internal and external stakeholders. It is approved by the Board of Directors of the UK entity, WithSecure Limited.

WithSecure’s Remuneration Policy describes the remuneration for the Board of Directors and CEO and the considerations of determining the policy and operation of the policy. Remuneration Policy of WithSecure complies with the recommendations of the Finnish Corporate Governance Code for listed companies, Shareholders’ Rights Directive legislation and any other regulations and guidelines concerning remuneration in listed companies.

Executive remuneration is designed to support business objectives and long-term profitability, based on performance and competencies. It aims to be competitive, foster commitment, and ensure consistency across the organization. WithSecure strives to offer market-level base salaries to attract and retain talent, with incentive schemes aligning with the interests of shareholders and key employees for strong performance and long-term value creation.

Employee remuneration is regularly reviewed to ensure fair compensation based on market standards, individual competencies, and performance. The CEO’s remuneration follows the same principles as other employees.

The Remuneration Policy applies to all WithSecure employees and the Board of Directors. The Policy is available to employees as well as both internal and external stakeholders, as it is a public policy available on WithSecure’s website. It is approved in the General Meeting is normally held once a year as an Annual General Meeting (AGM).

As WithSecure Corporation is registered in Finland, its technology and solutions are mainly exported to customers and end users from Finland, and thus the export control regulations of the European Union are the ones that are primarily relevant for WithSecure. Additionally, in many circumstances also United States’ export control regulations and sanctions apply to the activities of WithSecure, including when selling products through US-based app stores or other distribution channels connected to the United States.

The main restrictions of the applicable export control laws and regulations are dual-use items and sanctions. Dissemination of dual-use items to destinations and persons outside the European Union (known as “export”), as well as in certain cases also within the European Union, has been regulated by the European Union export control laws. Distribution across borders from operators and servers located in the United States is in turn subject to US export control laws, and software developed in the United States often remains subject to US export control laws its entire lifecycle.  Regulation (EU) 2021/821 of the European Parliament and of the Council (“EU Export Control Regulation”) in particular is applied in the operations of WithSecure as is of the US Export Administration Regulations, 15 C.F.R. 730 et seq. (the “EAR”). The European Union and the United States have adopted restrictive measures (sanctions) which prohibit or restrict transactions with countries, companies, groups, organizations or individuals who are involved in malign behaviour, such as armed aggression, internal repression, human rights violations, or cyber-attacks. The sanctions may include arms embargoes, travel bans, asset freezes or other economic measures such as restrictions on imports and exports, including of various kinds of software products and related services.

This policy applies to all WithSecure employees, contingent workers and subcontractors globally. Special attention should be given to the content of this policy by anyone who works in connection with sales, product management, technical product management, R&D and IT/production systems. WithSecure continuously assesses the impact of export control and sanctions regulations in its operations and identifies key regulatory requirements arising from them. This policy addresses the requirements by implementing relevant compliance processes and controls. The policy is available internally.

Protection of whistle blowers

The protection of whistleblowers was identified as the second material sub-topic, making, the whistleblowing policy an integral part of WithSecure’s policies related to ethical business conduct, especially due to the possible positive impact the company is able to exert to the society. The whistleblowing channel functions as the main mechanism for reporting unlawful behaviour and managing business conduct incidents.  The channel is available to both internal and external stakeholders.

Comprehensive information about the whistleblowing channel is readily available on the company intranet and is included as a core element of the Code of Conduct training. While the company does not actively monitor employees’ trust in the channel, it ensures robust protections for whistleblowers.

WithSecure’s Whistleblowing Policy is an important tool in discovering undesirable conduct, such as corrupt or illegal conduct. WithSecure strongly encourages individuals to speak up if they suspect or witness any such behaviour, activities or conduct. WithSecure will take all reports made under this policy seriously

This Policy sets out how WithSecure provides individuals with an effective, objective, confidential and secure reporting channel, Whistleblowing channel, allowing them to express their concerns or suspicions openly and safely. On the Whistleblowing Channel the individuals are also advised how to make a report, how they are informed on the follow-up actions and how they are protected. WithSecure reviews the Policy and the Whistleblowing Channel from time to time in order to ensure their accuracy and proper and reliable functioning.

The breaches to be reported through the Whistleblowing Channel include actual or potential crimes, serious omissions or misconduct, as well as other breaches of the applicable laws and regulations.

The whistleblowing policy applies to all internal and external persons. An individual’s right to report on the whistleblowing channel is unlimited and cannot be, for instance, restricted or waived by any agreement, policy or form or conditions of their employment. Summaries of the whistleblowing channel reports are reported to the Chief Legal Officer by the third party managing the channel. The Whistleblowing Policy is publicly available on WithSecure’s website for all interested parties to see.

Whistleblowing Channel.

The main principles of WithSecure’s whistleblowing channel prioritize confidentiality, anonymity, and impartial handling of reports. Employees are encouraged to report any unethical, unlawful, or harmful activities without fear of retaliation, as the channel ensures complete anonymity for those who choose to remain unidentified. All reports are handled with strict confidentiality by an independent team, ensuring that the identity of the whistleblower is protected throughout the process. The system guarantees a fair and transparent investigation, with follow-up provided to ensure appropriate action is taken while safeguarding the whistleblower’s privacy.

Stakeholders can file a report on suspected breach and its potential perpetrator anonymously through WithSecure’s Whistleblowing Channel.

All reports coming through the Whistleblowing Channel are confidential, meaning that WithSecure will protect and keep the whistleblower's identity and the identity of any third party possibly mentioned in the report confidential. The reporting service is entirely independent of the organization to ensure that it is impossible to find out who is behind a report.

After the report has been initially received and handled by the third-party Service Provider, the Service Provider may further report the case to at least two (2) representatives of WithSecure which are defined in the Whistleblowing Policy. The Service Provider will make the decision whether the report is further investigated and to whom at WithSecure such report is then delivered with the objective that there cannot exist any conflict of interest between the chosen representative of WithSecure, whistleblower and the person(s) mentioned in the report or related the possible breaches mentioned in the report.

The chosen representative(s) of WithSecure will decide on the required further investigations and actions to be taken by WithSecure. All such investigations and possible follow-up actions will be performed diligently and by preserving confidentiality. In case criminal activity is revealed, WithSecure will report it to the police. The Audit Committee will also receive regular reports on the whistleblowing process, including statistics and information on a general level on the reported topics, and depending on the case, may be involved in reviewing individual cases when it is deemed necessary.

Protection against retaliation

Whistleblowers will receive protection against retaliation, i.e. negative consequences, threats and attempts of retaliation that may result from the report if the conditions in the Whistleblowing Policy are fulfilled.

In short, the protection provided to eligible whistleblowers includes:

• identity protection; and

• protection from retaliation and possible reversal of the burden of proof in the handling of claim related to retaliation in the courts and other authorities; and

• possible compensation and remedies e.g. due to retaliation; and

• possible protection against civil, criminal and administrative liability.

In addition to protection provided to the whistleblower, WithSecure provides protection also to person(s) who are suspected of having committed the Breach. Such protection includes, for instance that such person is treated in an equal and non-discriminating manner and the consequences of the Breach are based on WithSecure’s policies and the applicable laws. Such person is also granted a possibility to review and comment the alleged Breach and the relevant material. Further, such persons may be entitled to compensation due to deliberate false report.

To ensure that WithSecure’s employees stay informed about the Whistleblowing Channel, a section related to it and the whistleblowing policy are included in the mandatory Code of Conduct training.

G1-2 Management of relationships with suppliers

Supplier management was identified as a topic where WithSecure has a possible positive impact while simultaneously facing a possible financial risk. WithSecure is committed to ethical supplier practices. The company holds their suppliers to the same ethical standard.

At the centre for WithSecure’s supplier management are a set of minimum requirements that all suppliers need to reach, the Corporate Procurement Policy. WithSecure requires all of the company’s suppliers to be registered companies that abide by local laws. As an additional measure, the companies are also required to abide by WithSecure’s Code of Conduct and other case by case determinable requirements related to for example data privacy and security. In terms of third-party standards and initiatives that WithSecure commits to, the Code of Conduct includes commitment to local laws and regulations and the Ten Principles of the Un Global Compact, which cover areas such as human rights, labour standards, environmental protection, and anti-corruption.

The Corporate Procurement Policy outlines how supplier relationships are managed and goes more in depth into the need assessments in terms of suppliers.

It sets out the principles for purchase related responsibilities and gives guidance to persons and teams who may be able to assist in specific cases. WithSecure’s aim is to achieve the best value (price, quality, service) for materials, goods and services the company purchases from the market. The company also wants to maintain the ethical standards and sustainability in dealing with the suppliers.

The scope of the policy includes all procurement activities within WithSecure’s own operations. This encompasses all supplier categories, regardless of the suppliers’ industry or geographic location. The policy applies to all stakeholder groups involved with procurement decisions including suppliers, partners, and internal teams. There are no specific exclusions mentioned in the policy, ensuring comprehensive coverage of procurement decisions. While the policy requires suppliers to pass on compliance and contractual requirements to their sub-contractors, WithSecure does not have the means to monitor the compliance of the sub-contractors or suppliers' suppliers directly. The policy is reviewed annually where possible updates based on feedback received from stakeholders, for example through periodical supplier management reviews held with strategically significant suppliers, can be integrated.

The business owners themselves have the direct responsibility over sourcing from suppliers. Their decisions are based on the corporate procurement policy. The initial assessment by the business owners is followed by steps that need to be taken with both the financial and legal departments, before any procurement decisions can be made. For major procurement decisions there is also an internal template that needs to be filled.

The corporate procurement policy is available internally to all WithSecure employees, enabling the maintaining of high-quality management of supplier relationships. It binds all employees.

For screening suppliers against sustainability-related risks, WithSecure uses several different platforms. Other risk mitigation actions that WithSecure takes is limiting engagement to those suppliers that pass the internal cyber security review and overall scrutiny of appropriate business conduct. In the case of WithSecure this means abstaining from engaging with suppliers that do not meet WithSecure’s data privacy and information security requirements. WithSecure follows that a set number of suppliers have been subjected to an information security auditing. Financial risks related to suppliers are monitored constantly.

WithSecure has not yet implemented an official internal supplier selection criteria related to social and environmental matters, beyond the requirement that the suppliers must abide by WithSecure’s Code of Conduct and all local legislative requirements. In terms of social criteria this includes compliance with labour laws and human rights standards, as well as commitment to diversity, equity and inclusion, and ethical business practices. Correspondingly the environmental criteria consists of implementation of sustainable practices, adherence to environmental regulations and use of energy-efficient and eco-friendly materials and processes. The evaluation of the suppliers meeting these requirements is at the discretion of the business owners and the supporting financial and legal departments, when conducting the supplier selection process.

During the year of 2024, WithSecure has been further developing the internal risk screening process for supplier management. WithSecure is also in the process of developing further a supplier management policy to improve identification and managing of risks related to suppliers.

For mitigating the risks and emphasizing the positive impact of WithSecure’s supplier relationship management, WithSecure has concluded that an effective measure is raising awareness about ethical supplier management, especially informing the company’s own employees who are in supplier-facing roles. No significant expenditures are allocated for this action, as it is considered to be a part of general operation. The expected outcome of this actions is to create a well-informed workforce that understands and adheres to ethical supplier relationship management. The awareness raising is continuous process that manifest in short, medium and long term.

The awareness raising about ethical supplier management is measured through hosting periodical supplier management reviews held with strategically significant suppliers.

In terms of the value chain coverage of this action, WithSecure engages directly with suppliers in the upstream value chain. For WithSecure’s this means ensuring that suppliers adhere to the company’s ethical business conduct standards and privacy practices. Simultaneously, the periodically conducted interviews with suppliers ensure, that their views are heard and addressed. These interviews provide a platform for suppliers to voice their concerns, share feedback discuss any challenges they might be facing. By engaging in this dialogue, WithSecure can better understand the suppliers’ needs and support in building a collaborative relationship. Additionally, these interviews help in identifying issues requiring remedies, allowing WithSecure to take appropriate actions, such policy revisions to address the root causes or corrective actions to rectify issues, to address grievances and mitigate risks affectively

WithSecure tracks the effectiveness of its supplier relationship management related policies and actions specifically in relation to the material impacts, risks and opportunities through monitoring the completion of periodical supplier management reviews. The company uses qualitative indicators to evaluate progress. The defined targets for tracking the effectiveness are set to ensure continuous improvement and fostering stronger, more collaborative relationships with suppliers.

In terms of targets, WithSecure follows that these reviews are held at least annually. The target showcases the significance given to ethical management of relationships with suppliers. The target is a status relative to the amount of identified strategically significant suppliers that the company has. The measured unit is that periodical supplier management interviews are held with strategically significant suppliers at least annually. The scope of the target are strategically significant suppliers. The strategically significant suppliers are defined through their significance and their impact on WithSecure's operations, both in customer facing systems and internal operations, and the risks to WithSecure's operations and the company's ability to continue business without interruptions.

Stakeholder views were thoroughly investigated in the course of determining the material impacts, risks and opportunities for the double materiality analysis. This involved engaging with various stakeholders, including suppliers. Supplier engagement is the foundation for determining these determinants. For example, as part of WithSecure’s ISAE 3000 certificate verification and audit process, the company needs to have a process for the main supplier management actions in the scope of the service. WithSecure has achieved this certificate for 2024. Thus, stakeholders are inherently involved in target setting and management.

The baseline value for this target is the 2024 status. Milestones and interim targets include reviewing the stated periodical supplier engagement continuously, so that the annual minimum engagement target is achieved and maintained in subsequent years. For the year 2024, supplier management reviews were held with strategically significant suppliers. The performance is in line against the target. This indicates that WithSecure is effectively meeting its goal for supplier engagement, ensuring timely review of the suppliers’ need. It demonstrates WithSecure’s commitment to maintaining strong, collaborative relationship with key suppliers and continuously improving its supplier management practices.

G1-6 Payment practices

WithSecure practises a Fair Payment Terms Policy which is WithSecure’s Corporate Procurement Policy, to ensure transparent, fair, and sustainable payment practices that support the financial stability and growth of WithSecure’s suppliers in all purchasing categories and supplier segments, particularly small and medium-sized enterprises (SMEs). Payments will be made within 30 days from the date of receipt of a valid invoice, unless otherwise agreed in writing.

Payment terms are applied consistently across different supplier categories and regions, ensuring fairness and transparency. There are no separate policies for small and medium-sized enterprises (SMEs), however some discretion is shown to small companies’ payment terms on a case-by-case basis. The payment terms are a standard 30 days. The average time it takes to pay an invoice from the moment the contractual payment period begins is on average about 25 days for all invoices, and 24 days excluding intercompany invoices.

58.52% of payments adhere to the payment terms. This figure is influenced by WithSecure’s set payment schedule, where invoices are paid once per week on a designated day. 70.76% of invoices are paid by or within a week from the due date. Some invoices were paid late due to various delays, such as late receival or delays in approval process. These percentages also include intercompany invoices, which tend to be paid less frequently within payment terms, which affects the overall percentage. Additionally, WithSecure is working on improving the reporting process and the accuracy of this figure. There are no outstanding legal proceedings for late payments.

The percentage of payments aligned with standard payment terms can be derived from the invoice management data for the annual year as a whole. Representative sampling was not required, as the full data for the 2024 fiscal year can be analysed. This data includes detailed records of invoices received, their statuses and payment times. From this information the proportion of payments made within 30 days can be determined.

Statement of comprehensive income January 1 – December 31, 2024