ESRS G-Company-specific Cybersecurity [G-Company-specific]
| Disclosure requirement | Name with reference |
|---|---|
| SBM-3 | Material impacts, risks, and opportunities and their interaction with strategy and business model |
| MDR-P | Policies adopted to manage sustainability matters |
| MDR-A | Actions and resources in relation to material sustainability matters |
| MDR-T | Tracking effectiveness of policies and actions through targets |
| MDR-M | Metrics in relation to material sustainability matters |
Our impacts, risks, and opportunities [SBM-3] Material impacts, risks, and opportunities and their interaction with strategy and business model
The digital transformation is advancing the healthcare market worldwide. Among other things, it makes it possible to optimize processes and improve the quality of patient care. The use of digital technologies at Fresenius is associated with impacts, risks, and opportunities. We use central management systems to identify, evaluate and manage these.
Robust cybersecurity management is the basis for the continuity of ongoing operations and the digitization of business processes. By making our digital processes as secure as possible, we are having an actual positive impact on the care of increasing numbers of patients, as digitalization can improve access to and the quality of healthcare services – e.g. through telemedicine services, electronic patient files (EPA), or the more efficient analysis of medical data with the help of artificial intelligence. It also helps to expand our care network. This results in short-term opportunities for us, because a secure digital transformation not only enables us to expand our patient pool, it also leads to better patient care, greater patient loyalty, and thus improved competitiveness. In the long term, our cybersecurity management helps us to increase the resilience of our business model and our IT infrastructure in the face of an ever-changing cyber threat landscape. The resulting financial opportunities for Fresenius arise from the trust that our various stakeholders place in us, e.g. patients who entrust us with their data, and investors and lenders who provide financial resources for the Group or invest in our shares. The actions we take in the area of cybersecurity strengthen this trust as well as the reputation of our company – and thus promote lasting business relationships.
Insufficient cybersecurity actions could have a potential negative impact on our operational business: as a large healthcare Group, we are part of the critical infrastructure. Operational failures and the loss of sensitive data could jeopardize the care of our patients: health could be harmed by incorrect treatment if essential data in patient files is missing or incorrect, or treatment could be delayed by system failures. A cyberattack can also pose serious financial risks for Fresenius. These include direct financial losses from responding to incidents and restoring operating processes, the loss of intellectual property, and fines for breaches of regulatory requirements such as data protection and information security regulations. In addition, such incidents could lead to a loss of trust among our stakeholders, which could damage our reputation in the long term. This loss of reputation can in turn lead to competitive disadvantages and cause further financial damage.
Our approach [MDR-P] Policies adopted to manage sustainability matters
Cybersecurity policies
Our Cybersecurity Policy Framework consists of a set of policies, requirements, and procedures that we use to address the impacts, risks, and opportunities that digital transformation brings to Fresenius. It forms the common basis for cybersecurity in all business segments and Group functions. Within this framework, the protection requirements of confidentiality, integrity, and availability of information, technologies and systems form the central objective of Fresenius’ cybersecurity efforts. We have defined these minimum security standards for all of our risk domains.
Fresenius has adopted a cybersecurity strategy to be implemented by the end of 2025 that sets targets for the Group and the individual business segments. The main focus areas are reducing risks, increasing resilience to cyberattacks, standardizing the organization, processes, and technologies, and improving the Group-wide level of maturity.
We derive our activities from maturity assessments and cyber-risk analyses. These help us to prioritize the measures that buy down the most risk and to carefully track both the progress and the effectiveness of the measures implemented in our cybersecurity programs.
Our strategic approach applies to the geographies in which we operate production sites or healthcare facilities. We also consider the upstream and downstream value chain where contractual or regulatory provisions require it, e.g. in the after-sales service of medical technical equipment. Our stakeholder groups are explained in standard ESRS 2, section SBM-2 Stakeholders and partnerships.
Dealing with cyber risks
To manage Group-wide cybersecurity and the associated risks, we have defined five risk domains. Within these risk domains, the Group Cybersecurity Office (GCSO) functions manage the development and implementation of cybersecurity requirements and coordinate risk management activities with the experts in the business segments. The cross-functional teams also have the task of promoting the exchange of expertise and knowledge in all areas of cybersecurity within the Group.
In line with a defined system for cybersecurity metrics, we have established a variety of effectiveness metrics in recent years. We use these key figures to determine whether security controls are operating as intended. This helps us understand cybersecurity risks and how well prepared and resilient we are when it comes to defending against cyberattacks. The respective risk domain managers record the key figures in all relevant risk domains of the Group and report them regularly to the Cybersecurity Board and the Cybersecurity Steering Committee. In addition, the figures are visualized in a scorecard that supports cybersecurity management in steering Group-wide cybersecurity initiatives. We also compare our metrics with those of relevant peer groups, e.g. other DAX companies, and communicate these comparisons to the Management Board and the Supervisory Board.
Our main objective is to prevent cyber risks from materializing. This is where our investments in the early detection of cyber threats are paying off: recurring analyses and defense processes are automated so that we can react even more efficiently to incidents and limit potential damage to the company. Every incident is thoroughly investigated in order to derive additional measures that improve our overall security.
Insurance
At business segment level, cybersecurity insurance policies are in place where they were available on the insurance market and where they cover the risks appropriately. In 2024, cybersecurity insurance at Group level was evaluated again, but has not yet been taken out, as the cost and benefit assessment has not yet been completed.
In addition, there are certifications such as ISO/IEC 27001 for our information security management system (ISMS) at Group and business segment level. The international standard is used to implement, maintain, and continuously improve an ISMS so that the confidentiality, integrity, and availability of information are ensured through a systematic approach.
Risk assessments
We regularly evaluate the strategic cybersecurity risks along the value chain. As part of these bi-annual assessments, we analyze the evolving cyber threat landscape and take emerging threats into account in order to derive our cybersecurity measures and effectively mitigate our risks.
Audits and monitoring
The Corporate Audit Group function performs independent and risk-oriented audits to continuously improve the effectiveness of the risk management, control, and governance processes at Group level and in the business segments. These audits were also carried out in 2024. In the process, they took into account cybersecurity measures such as policies and procedures and their implementation. In 2024, Corporate Audit conducted six audits (2023: nine) with a focus on information security.
If weaknesses are identified during the audits, Internal Audit monitors the implementation of the remedial measures defined by management as part of systematic follow-up reviews.
Reporting paths
If Fresenius employees suspect cyber threats, they can contact CERT@fresenius.com or CyberAware@fresenius.com, as well as any cybersecurity employee. To improve reporting efficiency, suspicious emails may be reported through the Phish Alert Button, which starts an automated analysis and involves the Cyber Emergency Response Team (CERT), if required. Our CERT investigates potential threats and incidents in our IT, production and health facility environments and follows up on suspected violations. If a malicious phishing attempt is detected, the sender is blocked and the security protocols are adapted accordingly.
If there is knowledge of a potential cyber threat within our value chain – but outside our own workforce – third parties can use the publicly available reporting channels or grievance mechanisms of Fresenius.
Organization and responsibilities
The Chief Financial Officer (CFO) of the Management Board oversees cybersecurity governance and receives direct reports – weekly and as needed – from the Group Head of Cybersecurity. The latter acts as the Group-wide Chief Information Security Officer (CISO), has overall responsibility for the governance of cybersecurity within the Group, and leads the GCSO. In this role, he defines the Group-wide cybersecurity strategy and coordinates this strategy with the respective cybersecurity heads in order to ensure a consistent approach across all business segments. The Group Head of Cybersecurity reports quarterly to the Management Board and at least annually to the Supervisory Board.
The GCSO manages cybersecurity within the Group. It is intended to ensure that cybersecurity is considered and coordinated holistically from a Group perspective; it defines the baseline requirements and monitors compliance with them. In addition, it controls the execution of the measures to combat risk. Where necessary, the GCSO advises and supports the business segments in their activities.
Within the Group, overarching committees complement the existing organizational structure. The Cybersecurity Board meets on a monthly basis. It ensures the exchange of information on Group-wide cybersecurity, defines criteria for evaluating and monitoring the development of cybersecurity across the Group, and reviews the progress and results of cybersecurity measures and initiatives. The Cybersecurity Board also monitors the adoption and implementation of the Group-wide cybersecurity policies. It verifies whether the baseline requirements of the measures to combat risk are met.
The CFO and the respective CFOs of the business segments form the Cybersecurity Steering Committee which meets quarterly. The steering committee formally enacted the Governance Charter to emphasize the strategic objectives, the scope, and the responsibilities of the Cybersecurity program.
Accordingly, the Cybersecurity Steering Committee acts as a governance body and as an escalation and decision-making authority for various overarching measures. These include, for example, those for identifying and protecting critical, highly relevant information assets or those for optimizing the development of an appropriate cybersecurity structure.
Cybersecurity organizational structure
As part of the Group-wide #FutureFresenius transformation, the Management Board decided to further develop the organizational structure of cybersecurity in line with the Group strategy and the cybersecurity strategy. This work started in the fourth quarter of 2023 and was implemented in 2024. The focus is on standardizing the organizational and operational structure of the cybersecurity functions and revising the cybersecurity framework to adequately reflect these changes. The revised cybersecurity framework was adopted by the Management Board in 2024.
Our actions [MDR-A] Actions and resources in relation to material sustainability matters
We want to ensure compliance with our Cybersecurity Policy Framework and prevent, mitigate and remedy the actual and potential negative effects described. It is also important to us to address the risks and opportunities that arise for us in relation to cybersecurity. We are therefore implementing a large number of individual projects as part of our cybersecurity programs. In the reporting year, we took specific measures to improve the existing security infrastructure in the production area and continued our training program.
Training
At Fresenius, we seek to embed a human-centered risk model, combining it with our already-implemented Cybersecurity Training & Awareness Program (CTAP), which we carry out on an ongoing basis. We aim to share knowledge about emerging trends immediately. To this end, we introduce different cybersecurity activities at Fresenius and provide helpful tips on the secure use of devices, be that in the office or at home.
In addition to mandatory training on cybersecurity fundamentals, CTAP offers various courses, videos, and other learning content, for example via the different digital CTAP learning platforms and intranets. As part of the CTAP, we regularly simulate phishing attacks so that employees internalize the required response when phishing is suspected. We calculate a personal risk score for all employees enrolled in these training courses, based on their behavior in phishing tests and the number of cybersecurity training sessions they have completed. All CTAP activities are tailored toward Fresenius’ specific risks and are available in several languages. We measure the success of the CTAP activities using predefined success criteria, e.g. the target phishing simulation click rate and the number of training sessions carried out per employee.
The offerings are available to all employees worldwide. We regularly inform them through various channels, e.g. via intranet articles or posters in production facilities and clinics, in order to sensitize them to current cyber risks and new types of cyber threats. In addition, we organize an annual Cyber Awareness Month to encourage employees to discuss cybersecurity issues. In doing so, we use the knowledge derived, for example, from daily phishing attempts, which the CERT analyzes and evaluates. Using these insights, we can design customized awareness content and roll out training campaigns.
Continuous training on cybersecurity is also part of the variable compensation of all employees who participate in Fresenius’ SHARE profit-sharing program. The program is explained in the topical standard S1 Own workforce, section S1-1 Our approach, Employee retention.
In 2024, we offered new training modules to the majority of our employees. The training focused on raising employee awareness of social engineering, phishing, new threats related to the use of mobile devices, and the Acceptable Use Policy, and on strengthening fundamental cybersecurity knowledge. Additionally, simulated phishing attempts were again sent to employees via email. The large majority of employees succeeded in detecting our phishing simulations.
Our measures are part of a long-term cybersecurity program. The various independent projects are aimed at improving the cybersecurity structure in our Group. Through continuous training, we ensure that our employees are confident in dealing with phishing attempts and that cyber risks are reduced as a result.
The costs for the training planned or carried out as part of the cybersecurity program amount to a low single-digit million euro amount, spread over a period up to the end of 2024. The costs for the continuous cybersecurity training measures under the holistic cybersecurity program amounted to around €400,000 (OpEx) in the 2024 reporting year.
Our goals and ambitions [MDR-T] Tracking effectiveness of policies and actions through targets
It is our ambition that both our patients and our customers can rely on the cybersecurity of our products and services. Our stakeholders have a high level of trust in the cybersecurity of our products and services. We continuously strive to meet their expectations by strengthening our resilience against cyberattacks, reducing our cyber risks and thus preventing harm to our patients, customers, or the company. Beyond this, there is no overarching Group objective in connection with cybersecurity.
We measure the effectiveness of our cybersecurity strategy by evaluating resilience metrics, as shown in the following section.
Metrics [MDR-M] Metrics in relation to material sustainability matters
Fresenius assesses the effectiveness of cybersecurity management on the basis of effectiveness indicators and cybersecurity maturity assessments. In doing so, we evaluate whether patients are affected. Overall, our resilience indicators suggest that only a few serious incidents occurred in the reporting period. From a Group perspective, these had no significant impact on our business processes. In the reporting year, no serious cybersecurity incident was reported that resulted in the loss of patient data or had a significant impact on the reputation or financial position of our Group.
In principle, a cybersecurity incident occurs when a security report is classified as critical. This is the case if the reported event could potentially result in the loss of data or restrict the Fresenius Group in the provision of its services. The dual control principle is applied when assessing criticality. All incidents are then further assessed to determine whether there has been a breach of at least one of the cybersecurity protection goals of confidentiality, integrity, and availability. If this is the case, the corresponding incident is classified as serious.
| | 2024 | 2023 |
|---|---|---|
| Number of serious cyber incidents from a Group perspective | – | – |
| Number of patients affected as a result | – | – |
Incidents are reported to the Group Cybersecurity function; the reporting paths and process structure are explained in the section Our approach.
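The two-stage classification described above (critical under dual control, then serious if a protection goal is breached) and the two figures of the metrics table, as an added example that is not Fresenius' own code; it assumes each report carries two independent criticality assessments and a set of breached goals, which the report text does not specify:

```python
# Added example (not Fresenius's own code): the two-stage incident
# classification described above, run on constructed sample data.
# Assumed (not in the report): each report carries two independent
# criticality assessments (dual control) and a set of breached goals.
from dataclasses import dataclass, field

PROTECTION_GOALS = {"confidentiality", "integrity", "availability"}

@dataclass
class SecurityReport:
    report_id: str
    # Dual control: two assessors independently judge whether the report
    # could lead to data loss or restrict the provision of services.
    assessor_a_critical: bool
    assessor_b_critical: bool
    breached_goals: set = field(default_factory=set)
    patients_affected: int = 0

def is_critical(r: SecurityReport) -> bool:
    """Critical only when both independent assessments agree; a split
    decision is not an incident yet and goes back for review."""
    return r.assessor_a_critical and r.assessor_b_critical

def classify(r: SecurityReport) -> str:
    """'none' (not an incident), 'incident' (critical, no goal breached)
    or 'serious' (critical and at least one of C/I/A breached)."""
    unknown = r.breached_goals - PROTECTION_GOALS
    if unknown:
        raise ValueError(f"unknown protection goal(s): {sorted(unknown)}")
    if not is_critical(r):
        return "none"
    return "serious" if r.breached_goals else "incident"

def metrics(reports) -> dict:
    """The two figures shown in the metrics table above."""
    serious = [r for r in reports if classify(r) == "serious"]
    return {"serious_incidents": len(serious),
            "patients_affected": sum(r.patients_affected for r in serious)}

# Constructed sample reports, not real incidents.
SAMPLE = [
    SecurityReport("R-1", True, True, {"availability"}, patients_affected=3),
    SecurityReport("R-2", True, False),  # assessors disagree: not critical
    SecurityReport("R-3", True, True),  # critical, nothing breached
    # Breach noted but not assessed critical: stays 'none' until re-assessed.
    SecurityReport("R-4", False, False, {"integrity"}),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.report_id, classify(r))
    print(metrics(SAMPLE))
```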