Annual Report 2025

ESRS G-Company-specific Cybersecurity [G-Company-specific]

Impacts, risks, and opportunities [SBM-3] Material impacts, risks, and opportunities and their interaction with strategy and business model

Impacts, risks, and opportunities

Within the scope of the materiality analysis, Fresenius has identified a material impact and material risks related to Cybersecurity:

Material impact and material risks related to Cybersecurity

Sub-sub-topic | Type of IRO | Value chain | Time horizon | Description

n / a | Potential negative impact | Own operations | Short-term | Cybersecurity vulnerabilities in critical areas of healthcare operations [#45]
Inadequate cybersecurity measures at Fresenius may pose negative impacts to patient safety and operational continuity. Cyberattacks targeting medical devices or healthcare facilities could directly endanger lives if treatments are disrupted or life-critical systems are manipulated. Since parts of Fresenius’ business are classified as critical infrastructure, such incidents may shut down hospital operations or essential logistics networks. Furthermore, due to the extensive scale of the Fresenius Group, cybersecurity breaches such as large-scale data leaks could result in the exposure of sensitive patient data.

n / a | Risk | Own operations | Short-term | Financial losses from cybersecurity risks in the medical supply chain [#46]
Cybersecurity vulnerabilities may threaten the stability of supply chains for essential medical products. Disruptions caused by cyberattacks such as system outages, data breaches, or interference with logistics networks can delay product availability and impact patient care. These incidents may also lead to reputational damage, regulatory consequences, and financial losses due to interrupted operations and emergency mitigation efforts.

n / a | Risk | Own operations | Short-term | Financial losses from cybersecurity incidents [#47]
Cybersecurity incidents may lead to direct financial losses through the demand of ransom payments. They may also result in operative business disruptions, which could have severe consequences – especially for the provision of healthcare services. Furthermore, such incidents may lead to reputational damage, legal penalties and the loss of intellectual property.

Approach [MDR-P] Policies adopted to manage material sustainability matters

Group approach to cybersecurity

Fresenius aims to identify cyber risks at an early stage, prevent their occurrence as far as possible, and ensure compliance with regulatory requirements. The Cybersecurity Policy Framework of Fresenius consists of a set of policies, requirements, and procedures. With these, the company addresses the impacts and risks associated with digital transformation. Central to this are the protection principles of confidentiality, integrity, and availability of information, technologies, and systems.

In the reporting year, the Management Board adopted a revised Cybersecurity Policy to strengthen the Group’s cyber-resilience in accordance with the new organizational structure. The policy establishes a unified foundation for cybersecurity across all Operating Companies and Group functions, supporting a consistent and robust approach to information security. This is intended to ensure that the cybersecurity framework is always aligned with current industry standards and regulatory requirements.

Fresenius’ cybersecurity strategy sets targets for the Group and the Operating Companies. The following aspects are the main focus: reducing risks, increasing resilience to cyberattacks, standardizing the organization, and improving processes and technologies. This is intended to increase the Group-wide level of maturity regarding cybersecurity and mitigate potential negative impacts on patient care, disruptions to own operations and medical supply chains, as well as the associated financial risks for Fresenius.

The current cybersecurity strategy is being revised to align with the company’s strategic development in the context of the #FutureFresenius transformation. The revised strategy is scheduled to be implemented starting in 2026.

To mitigate risks and increase the efficiency of processes, four Group-wide cybersecurity programs are being implemented, consolidating various initiatives. The activities are managed based on maturity assessments and cyber risk analyses. These help to prioritize steps to buy down risk and to carefully track both the progress and the effectiveness of implemented measures.

The strategic approach applies to the entire Group, including all geographical areas in which the Group operates production sites or healthcare facilities. Fresenius also considers the upstream and downstream value chain if required due to contractual or regulatory provisions, e.g., in the aftersale service of medical technical equipment. This is intended not only to prevent cyberattacks within own business operations but also those affecting medical supply chains.

The stakeholder groups are explained in standard ESRS 2 General disclosures, section SBM-2 Stakeholders and partnerships.

Dealing with cyber risks

The enhanced cybersecurity organization is intended to help identify new requirements more quickly, coordinate activities across the group, and promote the consistent implementation of security measures.

In recent years, effectiveness, progress, and performance metrics for cybersecurity have been established. With these metrics, among others, Fresenius verifies whether security controls are operating as intended and manages the overall cybersecurity efforts. This helps the company identify potential cybersecurity risks and gain clarity on how well prepared and resilient it is in defending against cyberattacks. The metrics are reported regularly to the Cybersecurity Board and, if necessary, to the Cybersecurity Steering Committee. In addition, they are visualized in a scorecard that supports cybersecurity management in steering Group-wide cybersecurity initiatives. Fresenius also compares selected metrics with those of relevant interest groups, e.g., other DAX companies, and communicates these to the Management Board and the Supervisory Board.

Fresenius regularly evaluates strategic cybersecurity risks along the value chain. As part of these bi-annual assessments, the Group analyzes the development of the cyber threat landscape to identify emerging risks and derive appropriate precautions to mitigate cybersecurity risks.

To prevent cyber risks, Fresenius has invested in the early detection of cyber threats: recurring analyses and defense processes are automated in order to react even more efficiently to incidents and limit potential damage to the company. Every incident is thoroughly investigated in order to derive additional initiatives to improve overall security.

The information security management system (ISMS) at Group and Operating Company level is certified, among other standards, according to ISO / IEC 27001. The international standard is used to implement, maintain, and continuously improve an ISMS to promote the confidentiality, integrity, and availability of information through a systematic approach. These and other certifications help to unify the management of cybersecurity at Fresenius.

Audits and monitoring

The Corporate Audit Group function performs independent and risk-oriented audits to continuously improve the effectiveness of the risk management, control, and governance processes at Group level and in the Operating Companies – most recently in 2025. In the process, cybersecurity processes were taken into account, such as policies and procedures and their implementation. Overall, eight audits (2024: six) relating to information security were conducted in the reporting year.

If weaknesses are identified, Internal Audit monitors the implementation of the remedial measures defined by management. This happens as part of systematic follow-up reviews.

Reporting paths

If Fresenius employees suspect cyber threats, they can contact CERT@fresenius.com or CyberAware@fresenius.com, as well as any cybersecurity employee. Suspicious emails can simply be reported through the Phish Alert Button. This starts an automated analysis and involves the Cyber Emergency Response Team (CERT), if required. The CERT investigates potential threats and incidents in the IT, production, and health facility environments and follows up on suspected violations. If a malicious phishing attempt is detected, the sender is blocked and the security protocols are adapted accordingly.

If there is knowledge of a potential cyber threat within the value chain – but outside Fresenius’ own workforce – third parties can additionally use the publicly available reporting channels or grievance mechanisms of Fresenius.

Training

Fresenius seeks to embed a human-centered risk model. To immediately share up-to-date information with employees, the company implements various cybersecurity activities and provides employees with helpful tips on the secure use of devices, be that in the office or at home. Fresenius regularly informs them through different channels, including intranet articles or posters in production facilities and clinics, to raise awareness of cyber risks and emerging cyber threats.

A central component of this awareness effort is the Cybersecurity Training & Awareness Program (CTAP), which is conducted on an ongoing basis. In addition to mandatory basic training on cybersecurity fundamentals, CTAP offers various courses, videos, and other learning content, for example via the different digital CTAP learning platforms and intranets.

As part of the CTAP, the Group regularly simulates phishing attacks so that employees internalize the required behavior when phishing is suspected. Fresenius calculates a personal risk score for all employees enrolled in these training courses, based on their behavior in phishing tests and the number of cybersecurity training sessions they have completed. The Group measures the success of the CTAP activities by using predefined success criteria, e.g., the target phishing simulation click rate and the number of training sessions carried out per employee.

All CTAP offerings are tailored to Fresenius’ specific risks and are available in multiple languages. The offerings are accessible to all employees worldwide.

In 2025, Fresenius offered new training modules to the majority of its employees. The training focused on raising awareness of social engineering, phishing, AI-driven impersonation, authentication fraud, and the Acceptable Use Policy, as well as strengthening fundamental cybersecurity knowledge. Additionally, specialized sessions led by experts in cyber psychology were held on topics such as cyber mindfulness and cyber safety. Simulated phishing attempts were also conducted via email, and the vast majority of employees successfully identified these phishing simulations.

In addition, Fresenius organizes an annual Cyber Awareness Month to encourage employees to discuss cybersecurity issues. In doing so, Fresenius uses, for example, the knowledge derived from daily phishing attempts, which is analyzed and evaluated by the CERT. With this knowledge, the company can design customized training content and roll out training campaigns.

Continuous training on cybersecurity is also part of the variable compensation of all employees who participate in Fresenius’ SHARE profit-sharing program. The program is explained in the topical standard S1 Own workforce, section S1-1 Approach, Employee retention.

The training courses are part of a long-term cybersecurity program. The various independent projects are aimed at improving the cybersecurity structure in the Group. Through continuous training, the company ensures that employees are confident in dealing with phishing attempts and that cyber risks are reduced as a result.

Organization and responsibilities

Cybersecurity organizational structure

[Graphic: Cybersecurity organizational structure]

The Chief Financial Officer (CFO) of the Management Board oversees cybersecurity governance and receives direct reports – bi-weekly and as needed – from the Group Head of Cybersecurity. The latter acts as the Group-wide Chief Information Security Officer (CISO), has overall responsibility for the governance of cybersecurity within the Group, and leads the Group Cybersecurity Office (GCSO) and CISOs of the Operating Companies. In this role, he defines the Group-wide cybersecurity strategy and coordinates its execution with the cybersecurity leadership team in order to ensure a consistent approach across all Operating Companies.

The Group Head of Cybersecurity reports quarterly to the Management Board and at least annually to the Supervisory Board. Information on responsibilities and requirements for the Management Board as well as the Supervisory Board are explained in standard ESRS 2 General disclosures, section GOV-1 Sustainability organization.

The GCSO provides Group-wide capabilities, strategy, and functional leadership to ensure consistent approaches and processes across the Group. The Group functions facilitate the collaboration and exchange among segment-specific cybersecurity requirements and ensure the implementation of Group-wide standards for the respective function.

Within the Group, overarching committees complement the existing organizational structure. The Cybersecurity Board, comprising the Group CISO, CISO of the Corporate / Other segment, and CISOs of the Operating Companies, governs and aligns the Group’s cybersecurity strategy, initiatives, and investments. It ensures a coordinated, risk-based approach by setting priorities, monitoring progress, and fostering collaboration across all Operating Companies. The Cybersecurity Board meets on a monthly basis.

The CFO of the Management Board and the respective CFOs of the Operating Companies form the Cybersecurity Steering Committee, which meets quarterly. The Steering Committee serves as the Group’s strategic decision-making and escalation body for cybersecurity. It oversees risk exposure, investment decisions, and capability maturity to ensure alignment, funding, and strategy execution across all Operating Companies.

The Cybersecurity Steering Committee receives quarterly updates on cybersecurity programs involving key projects from across the company.

Actions [MDR-A] Actions and resources in relation to material sustainability matters

The existing Group-wide approach to cybersecurity already demonstrates a high level of maturity. This is particularly evident in the systematic, annually conducted recording and analysis of cybersecurity incidents, which enables continuous monitoring of the risk profile. In the 2025 reporting year, there were no events that required Group-wide or segment-specific adjustments to the existing management systems.

Regardless of this, Fresenius systematically reviewed the Group’s overall cyber risk position during the reporting year and explored the insurance market. The goal was to assess whether – and to what extent – risk transfer through a cyber insurance policy could help strengthen resilience. Based on the analysis, it was recommended to introduce a Group-wide insurance concept. Following a recent market review and subsequent discussions with international insurance providers, the Management Board approved a Group-wide cyber insurance policy. The insurance coverage will take effect in 2026.

The associated annual insurance premiums are classified entirely as OpEx and, like other insurance premiums, are recorded in the consolidated statement of income under the line item Employers liability.

Goals and ambitions [MDR-T] Tracking effectiveness of policies and actions through targets

It is Fresenius’ ambition that patients and customers can rely on the cybersecurity of the company’s products and services. The Fresenius Group continuously strives to meet their expectations by strengthening its resilience against cyberattacks, reducing its own cyber risks and thus preventing harm to its patients, customers, or the company. Beyond this, there is no overarching Group objective in connection with cybersecurity.

Fresenius measures the effectiveness of its cybersecurity strategy by evaluating resilience metrics, as shown in the following section.

Metrics [MDR-M] Metrics in relation to material sustainability matters

Cyber incidents

Fresenius monitors cybersecurity performance by assessing key dimensions such as risk exposure, maturity level, progress of initiatives, attainment of objectives, allocation of resources, external ratings, and effectiveness of controls. This provides a comprehensive view of cybersecurity management and supports data-driven insights, facilitating decision-making. No serious incidents with a significant impact on business processes, patient data, reputation, or the financial position of the Group occurred during the reporting period.

Cyber incidents | 2025 | 2024

Number of serious cyber incidents from a Group perspective | |

Number of patients affected as a result | |

A cybersecurity incident generally occurs when a security report is classified as critical – for example, if it could potentially lead to data loss or impair the ability of the Fresenius Group to deliver services. The dual-control principle is applied when assessing criticality. All incidents are then further assessed to determine whether there has been a breach of at least one of the cybersecurity protection goals of confidentiality, integrity, and availability. If this is the case, the corresponding incident is classified as serious.

Incidents are reported to the Group Cybersecurity function; the reporting paths and process structure are explained in this standard, section Approach, Reporting paths.