Business conduct

Business conduct refers to PolyPeptide’s values, principles for ethical behavior and compliance with legal and regulatory requirements. It includes the sub-topics Corporate culture, Protection of whistleblowers and Corruption and bribery.

Impacts, risks and opportunities

PolyPeptide’s commitment to ethical conduct and compliance with legal and regulatory requirements safeguards its assets and protects the interests of its stakeholders across the value chain, including customers, employees, investors, and suppliers. By prioritizing customer needs and upholding the highest standards of quality and responsibility, PolyPeptide aims to contribute positively to the well-being of patients and the communities in which it operates.

The Group recognizes that violations of business ethics and compliance not only undermine stakeholder trust but also distort healthy competition. To prevent such risks, PolyPeptide maintains a robust compliance framework to prevent, detect, and remediate potential misconduct, reinforcing its role as a responsible and trusted industry leader.

By living up to its core values —Innovation, Excellence, and Trust— PolyPeptide promotes adherence to its Code of Business Conduct and Ethics and safeguards accountability through established whistleblower programs. These measures strive to uphold integrity across its value chain, strengthen ethical business practices, and protect both its assets and stakeholder interests. Failure to comply with applicable laws, rules, regulations, ethical standards, internal policies and procedures, or the loss of sensitive data, may put the Group at risk of business interruptions and legal prosecution with adverse impacts on financial performance and reputation.

Policies

All employees, including managers and the members of the Board of Directors, are subject to the Code of Business Conduct and Ethics, which emphasizes the Group’s commitment to ethics and compliance, sets forth the basic standards of ethical and legal behavior, provides reporting mechanisms for known or suspected ethical or legal violations, and helps to prevent and detect wrongdoing. Supplementing the Code of Business Conduct and Ethics and the Supplier Code of Conduct, the Global Anti-Corruption and Anti Bribery Policy sets out PolyPeptide’s principles for integrity and against corruption and bribery.

PolyPeptide fosters an agile, open, and collaborative work environment with an atmosphere of honest and open communication. In addition, PolyPeptide maintains Group-wide whistleblower programs as essential tools for detecting, preventing and mitigating potentially corrupt, illegal or other unethical conduct, ensuring the trustworthiness of PolyPeptide as a business partner. Whistleblowers, including any current or past employees and any other external party with a connection to PolyPeptide, are encouraged to report any such concerns and suspicions via the designated, autonomous and independent whistleblower hotlines, knowing that they can do so without fear of intimidation, harassment, retaliation, reprisals, discrimination or adverse consequences because of such report.

PolyPeptide maintains a set of internal policies and procedures to ensure good corporate governance, including the Global Sanctions and Export Control Compliance Policy and Procedure, the Enterprise Risk Management Policy, the Risk Assessment and Reporting Procedure, a Disclosure Policy, and an Insider Dealing and Market Manipulation Policy.

In 2025, PolyPeptide advanced the development of its Artificial Intelligence governance framework, aligning with existing data privacy and information security frameworks to foster ethical AI practices, transparency, accountability, and regulatory compliance. The governance framework is built on key principles that prioritize patient safety, ethical and responsible application of AI models, transparency in decision-making, and data security.

As outlined in the section Workers in the value chain, PolyPeptide expects its suppliers to conduct their business ethically and in compliance with applicable local, national, and international laws and regulations, contractual agreements and consistent with internationally recognized sustainability standards.

Actions, prevention and detection of corruption and bribery

PolyPeptide has differentiated procedures in place to prevent, identify, assess and remediate any infractions of applicable laws, rules, policies, or guidelines, see also the section Compliance Controls in the Corporate Governance Report 2025. The Group’s Code of Business Conduct and Ethics is part of the onboarding of new employees and regular trainings, including annual e-learnings.

The Group maintains an ERM framework, providing a consistent, Group-wide perspective of identified key risks. The PolyPeptide Management Committee, together with the Chief Legal Officer and other internal stakeholders, annually conduct a risk assessment and evaluate strategies to address the risks and opportunities identified. A risk assessment report, including the probability and consequences of identified risks, is presented to the ARC and the Board of Directors annually for a deep-dive discussion. During the 2025 risk assessment process, the Group increased focus on and the integration of sustainability-related topics, ensuring that sustainability risks and opportunities as identified in the double materiality assessment process are also part of the Group’s risk management and strategic planning processes. Regular internal audits focus on areas including the Group’s control environment, aligned with the strategic priorities and risks identified.

Observations and corrective actions resulting from internal audits have defined owners and due dates, with the implementation progress of defined actions being systematically monitored and reported.

The Global IS/IT organization monitors and audits the digital environment to detect and respond to any potential threats or breaches that could compromise the confidentiality, integrity, or availability of sensitive data and business information. By providing the necessary infrastructure, software, and support, Global IS/IT supports and facilitates the digital transformation of PolyPeptide’s processes, products, and services.

To balance the risk of cyber security malicious events, while complying with regulatory requirements and maintaining customer trust, in 2025 PolyPeptide successfully completed certification of all sites according to ISO27001:2022 Information Security Management Systems.

In addition to regular digital and on-site trainings on business ethics, compliance, and cybersecurity, PolyPeptide seeks to embed relevant standards and procedures through targeted internal communications. These efforts ensure that employees are aware and knowledgeable about these standards and procedures, including the availability of whistleblower hotlines operated 24/7 by an independent third party in relevant local languages.

The Group regularly updates its e-learning modules to ensure relevance and effectiveness. In 2025, updates included the Whistleblower, Code of Conduct, IT-security awareness and Privacy awareness trainings. The results of trainings are examined for effectiveness and continued improvement. The generally positive feedback and outcomes from the Group-wide e-training efforts demonstrate the good acceptance and alignment with our corporate values and ethical standards. Some of the manufacturing sites provide further trainings to empower employees to recognize, prevent, and address inappropriate behavior in the workplace, including harassment and discrimination.

Targets and metrics

While PolyPeptide has not established quantitative targets for Business conduct at this stage, the Group is committed to maintaining and continuously strengthening a culture of integrity, transparency, and accountability across all levels of the organization.

Key compliance-related ambitions include:

• Global reach of all employees with targeted compliance and ethics training, with a particular focus on raising awareness around topics such as anti-corruption, data protection, harassment, and discrimination.
• Maintaining a zero-tolerance approach to corruption, with the clear objective of having no substantiated cases of corruption or serious ethical misconduct.
• Upholding high ethical standards in all business activities, ensuring that our operations support fair competition, regulatory compliance, and responsible business conduct.
• Extending our compliance culture across the value chain, by engaging suppliers and other business partners in our expectations for ethical behavior and responsible practices.

The following table presents the percentage of employees who have successfully completed key Business conduct e-learning activities

The Group received eight whistleblower reports in 2025 (2024: ten). During 2025, the investigation for seven reports has been closed and summarized to the ARC, with a summary to the Board of Directors. Of the seven closed cases, three were partially or fully substantiated with appropriate actions taken. The remaining four were not substantiated. The investigation of the one remaining report is still ongoing.

Incidents of corruption or bribery

In 2025, there were no legal actions, no convictions and no fines regarding anti-competitive behavior or violations of anti-trust, pending or otherwise, and PolyPeptide had no significant compliance violations. PolyPeptide considers significant compliance violations to be those that must be publicly reported.