F-Secure
Material Topics
ESRS 2 – General Disclosures
GOV-1 The role of the administrative, management and supervisory bodies (Reported)
In this Sustainability Statement, 'supervisory bodies' refer to the F-Secure Board of Directors and its Audit Committee and Personnel and Nomination Committee. 'Management body' is to be understood as the F-Secure Leadership Team including the CEO and the leadership team members. The Board of Directors oversees the administration of the company and appoints the CEO, who oversees the daily administration of the company in accordance with the instructions and orders given by the Board.
The highest decision-making body in F-Secure is the General Meeting of Shareholders, which elects the members of the Board of Directors. The Board of Directors is responsible for the administration of F-Secure Group and appropriate organization of its operations. The duties and responsibilities of the Board of Directors of F-Secure are, inter alia, defined according to the Articles of Association of F-Secure, the Finnish Companies Act and other applicable laws and regulations. As such, the Board oversees F-Secure's business conduct and compliance, and approves the most significant governance-related policies, such as the Anti-Bribery and Corruption Policy.
The Board of Directors appoints the CEO. The CEO, assisted by the Leadership Team, is responsible for managing the company's business and implementing its strategic and operational targets. Both the CEO and the Leadership Team also play a significant role in ensuring that employees comply with the relevant policies and procedures, including those related to business conduct.
To enhance the efficiency of its work, the Board of Directors has established an Audit Committee and a Personnel and Nomination Committee. The Audit Committee functions as a preparatory body, and the matters it addresses are brought to be decided on by the Board of Directors. The Audit Committee monitors and evaluates risk management, internal controls, IT strategy and practices, sustainability, and financial reporting, as well as auditing. The majority of members of the Audit Committee shall be independent of the company and at least one member shall be independent of the company's significant shareholders. Additionally, any substantiated investigations of incidents related to corruption or bribery are reported to the Audit Committee for evaluation. The Personnel and Nomination Committee prepares material and instructs on issues related to the composition and compensation of the Board of Directors and remuneration of the other members of the top management of the company. The Committee prepares proposals for shareholders related to the Board composition and remuneration. The duties of the Personnel and Nomination Committee include actively seeking and identifying new individuals qualified to become members of the Board.
The Board of Directors and the Leadership Team are supported by the Legal Team that maintains the business conduct-related policies and procedures, as well as offers internal training on such issues.
Expertise related to business conduct matters
The Board members have international experience in different roles in global companies operating in different businesses and geographical market areas. Additionally, the company ensures that all members of the Board of Directors have access to sufficient information about F-Secure's business operations, operating environment, and financial position, and that new members are properly introduced to the operations of F-Secure.
Members of the Audit Committee must have broad business knowledge, as well as sufficient expertise and experience concerning the committee's area of responsibility and the mandatory tasks relating to auditing, including risk management related to business conduct issues. The Audit Committee invites experts to its meetings when necessary for the issues to be discussed. External auditors are permanent invitees to the meetings of the Audit Committee.
When seeking and identifying new individuals qualified to become members of the Board, the Personnel and Nomination Committee takes into account the expertise on business conduct matters of such individuals to ensure that all Board members have sufficient experience and knowledge of business conduct matters.
The Leadership Team members are chosen based on their expertise and experience suitable to their respective roles. The Leadership Team members also supervise the implementation of business conduct-related policies and procedures in their respective business functions.
The number of executive and non-executive members
As of 31 December 2024, F-Secure had 9 executive members in its management body and 6 non-executive members in its supervisory body (Board of Directors), while noting that the latter figure used in this statement also includes the F-Secure employee Board member.
Representation of employees and other workers
One member of the Board of Directors is elected from among F-Secure personnel. An election is arranged annually for F-Secure personnel and each permanent employee is eligible to stand as a candidate. The representatives of the Board of Directors interview three to four persons who have obtained the highest number of votes in the elections and choose a candidate from amongst them to be proposed for election as a member of the Board by the Annual General Meeting. The term of office of members of the Board of Directors ends at the close of the Annual General Meeting of shareholders following their election.
Experience relevant to the sectors, products and geographic locations of the company
F-Secure's Board members have international experience and diverse backgrounds from international companies in business sectors and geographical markets (including Europe, North America, APAC and Japan) relevant to F-Secure:
• Pertti Ervi is a seasoned international IT-business leader and Board professional with over 30 years of experience. As Co-President of Computer 2000 AG, Europe's largest IT distributor, he managed global operations across 38 countries. Pertti has extensive Board experience with publicly listed companies like F-Secure, Comptel, Teleste and Efecte, and has worked closely with tens of growth companies, providing expertise in strategy, internationalization, and corporate development. He co-founded Mintly Oy and has successfully led numerous high-value exits. A Finnish citizen living in France, Ervi holds a B.Sc. in Electronics and has completed advanced business studies at INSEAD and Hanken.
• Risto Siilasmaa is the founder of F-Secure and WithSecure Corporations and the Chair of the Board of Directors of WithSecure having served as President and CEO of the company in 1988-2006. He is also an active venture capital investor with over 30 active investments via First Fellow Partners, a fund management company where he is both a general partner and the only limited partner. Previously Risto was the Chair of the Board of Directors of Nokia Corporation in 2012-2020 and of Elisa Corporation in 2008-2012. Risto is the Chair of the Board of Upright and a Board member of F-Secure, Futurice, Pixieray, Quanscient, Hamina Wireless and CybExer Technologies. Since 2019 Risto has been a member of the International Advisory Board at IESE Business School, University of Navarra.
• Thomas Jul is a seasoned Danish executive with over 30 years of global leadership in high-tech, telecom, and fintech sectors. With a history of driving growth and transformation, he held prominent roles at Ericsson and Nokia, including President & CEO of Ericsson Indonesia and West Europe Region Head at Nokia. As co-founder of MATTA Group and former CEO of payments scale-up Inpay, Thomas continues to excel in leading innovative organizations. Currently, he serves as Group CEO of Danish IT leader KMD. Thomas holds an M.Sc. in Software Engineering and has completed advanced business programs at Henley, Wharton, Columbia, Harvard, and London Business Schools.
• Petra Teräsaho is a senior finance executive and Board professional with wide international experience from various industries: forest, telecom, mining, IT, automotive/electric batteries & consumer goods. In addition to finance, Petra has held leadership positions in marketing, strategy and business development. Besides Finland, Petra has worked and lived in India, Belgium, France and Sweden. Her current main occupation is CFO of Transmeri Group. Her earlier employers are UPM, Nokia, Outotec, Stora Enso, Enfo Group and Valmet Automotive. Petra is Board member and Audit Committee chair in F-Secure and Paulig Group. She is a Finnish citizen and holds a Master's degree in Accounting & Finance.
• Tommi Uitto has worked in Nokia's network equipment business for thirty years, from 2G/GSM to 5G/NR and early research of 6G. He is currently leading Nokia's Mobile Networks Business Group, the largest of Nokia's four businesses, and is a member of Nokia Group Leadership Team. He also serves in the Board of Directors and Working Committee of the Board of Technology Industries of Finland (TIF). At Nokia, he has held various executive and managerial positions across several functions from business unit management to sales and region management, from product management to product development, and from production planning to quality management. Before Nokia, he worked in forestry equipment manufacturing. Besides Finland, he has lived in France and the United States.
• With extensive experience in quality assurance, software development management, and portfolio governance, Katja Kuusikumpu is a respected leader in the IT industry. As the Director of Portfolio Governance & Operations at F-Secure, she oversees strategic product initiatives and drives the company's portfolio transformation. She is also currently a Member of the Board of Directors at F-Secure, contributing to the company's strategic direction. Previously, Katja has held several R&D leadership roles at F-Secure and in other Finnish and international companies. Katja is a Finnish citizen and holds a Master of Science degree from Aalto University.
Percentage by gender and other aspects of diversity
According to Diversity Principles established by the Board of Directors, an optimal mix of diverse backgrounds, expertise and experience strengthens the Board's performance and promotes the creation of long-term shareholder value.
The Diversity Principles of the Board of Directors strive towards appropriately balanced gender distribution. At the Annual General Meeting in 2024 six members representing two different nationalities were elected to the Board. The age structure of the Board members is 47–67 years. Two Board members are female and four are male, giving a ratio of 2:4 (female/male) and thus females represent 33.3% and males 66.7% of all members of the Board.
Percentage of independent board members
The majority of the 2024 Board members are independent from the company and from its major shareholders. Two Board members are considered not independent on grounds of share ownership or working for the company, meaning ~67% are independent.
GOV-2 Information provided to and sustainability matters addressed by the undertaking's administrative, management and supervisory bodies (Reported)
The F-Secure Board has ESG on the agenda at minimum once a year, while during 2024 the F-Secure Audit Committee had ESG on the agenda in 4 out of 5 meetings. Updates on ESG topics to the Board, the F-Secure Leadership team, and the Audit Committee have been presented by the SVP of Corporate Development responsible for creating and implementing F-Secure ESG plans, policies and targets and reporting on their progress as well as implementation of due diligence, based on input from the ESG Council and its members.
The F-Secure ESG Council typically meets monthly including the CFO, CPO, Legal Counsel, SVP of Corporate Development, and the ESG function lead reporting to the SVP of Corporate Development. In addition, the ESG Council includes participants from other functions for further collaboration like sales and product management while the ESG Committee leads provide updates on progress, when topical. Moving to 2025, Committees will also participate in the bi-annual assessment of the DMA/IROs and will track the effectiveness of actions and metrics related to them.
Consideration of IROs when overseeing company strategy and risk management
Sustainability-related risks and adverse impacts are managed as part of F-Secure's risk management process. In short, the primary goal of F-Secure's risk management policy is to enable the organization to identify and manage risks more effectively. The risk management process monitors the potential negative impact and likelihood of various situations arising from the company's operations, its markets, its customers, or its partners.
F-Secure encourages continuous risk assessment by the company's personnel. The relevant operational risks identified through the risk management process are regularly reviewed by each function, including the twice-a-year review with the President and CEO, the Leadership Team, and the Audit Committee. Positive impacts and opportunities, on the other hand, are embedded into the strategy process and considered when reviewing F-Secure's operating plans and related objectives, developing plans and allocating resources to execute said plans.
Evaluating trade-offs related to IROs is an important part of the strategy process, as it involves making decisions about where to allocate resources and prioritize initiatives. This involves weighing the costs and benefits of different options and making choices that align with the organization's overall goals and stakeholder expectations. This ensures that trade-offs are considered relative to the company objectives, while weighing the potential risks and opportunities associated with different options.
Furthermore, during 2024, updates on the DMA including IROs have been presented to the ESG Council and Audit Committee. These impacts, risks and opportunities include topics listed below and are addressed by the administrative, management and supervisory bodies described earlier:
• Protecting consumers' digital moments
• Attracting, developing, and retaining talent
• Company working conditions and employee well-being
• Critical strategic competencies and DEI (equal treatment and opportunities for all)
• Privacy and security related to, e.g., how we use and protect consumer or partner data
• Cyber security threats related to end-customers, partners, and our operations
• Business-conduct topics including anti-bribery, anti-corruption and whistleblowing channels
• Development and launching of a new company culture
• Climate change mitigation risks, roadmap and strategy
GOV-3 Integration of sustainability-related performance in incentive schemes (Reported)
The F-Secure Leadership Team is eligible for the non-sales Short-Term Incentive (STI) Plan. The purpose of the STI Plan is to reward participants for achieving the financial and operational objectives of the Company, to focus on execution of the business plan, and to foster a performance culture.
The Leadership Team is also eligible for the share-based long-term incentives (LTI) to align the interests of the shareholders and the Leadership Team. Part of our administrative and supervisory bodies' remuneration is tied to LTIs similar to the Leadership Team.
Role of sustainability-related targets in incentive schemes
The goals of F-Secure's 2024 non-sales STI Plan included the Company Business Results (combined growth % and profitability %) and the Company Employee Engagement (eNPS). These STI elements are tightly connected to our material sustainability drivers as growth is a proxy number for the number of consumers that we protect globally ("building trust in digitality and society"), while eNPS represents the importance of our employee well-being and satisfaction.
The non-sales STI Plan is included in the remuneration policy, and the goals of the non-sales STI Plan as described here are approved by the Board annually. Similarly, performance against the targets is reviewed regularly while any pay-outs take place annually.
Share-based LTI programs can be based on long-term financial and/or strategic performance or on the company's share value increase. In performance-based LTI programs, the criteria for the performance period are based on strategic financial targets.
STI or LTI plans do not contain any climate-related targets.
Proportion of variable remuneration dependent on sustainability-related targets and approvals
The non-sales STI consists of the Business Results (combined growth % and profitability %) with 60-80% weight, a function-specific target with 0-20% weight that may link to sustainability related targets and the Company Employee Engagement (eNPS) goal with 20% weight. The Long-Term Incentive criteria for the performance period are based on strategic financial targets.
The annual non-sales STI design and the company-level targets are approved by the Board of Directors based on a proposal made by the Leadership Team. For the LTI programs, the Board of Directors decides on the terms and conditions for the plans and the possible performance criteria and objectives for each performance/vesting period.
GOV-4 Statement on due diligence (Reported)
As part of F-Secure due diligence we identify, mitigate, and account for how we have addressed actual and potential negative impacts connected to our business, our operations and value chain, our offering and business partners. Due Diligence is an ongoing practice that responds to and may trigger changes in our ESG governance, strategy, business model, activities and processes, business partners, operations, or sourcing. For further details, also see chapter on ESG governance and the role of administrative, management and supervisory bodies and the section on Governance.
Engagement with stakeholders
Through mapping all relevant stakeholders and conducting regular stakeholder engagement, F-Secure ensures an effective corporate sustainability due diligence process. The mapping includes employees, customers, suppliers, investors, and government bodies. We will review the stakeholder map when significant changes in the business model and strategy occur or if new impacts are identified as part of our IRO reviews and as described further under IRO-1 section.
On adverse impacts
Addressing and taking action on adverse impacts is conducted in alignment with F-Secure's risk management policy, where risks have an owner to drive mitigation activities. F-Secure uses risk modeling and quantification methods to identify and manage risks effectively. Risks are mitigated and proactively monitored, also building strategic resilience in the Company and its business operations where applicable. F-Secure has not identified any adverse impacts as described under the "F-Secure impacts on people and the environment" section.
Risk management is an integrated part of F-Secure's governance and management, and the risk management process is aligned with the ISO-31000:2018 guidelines. Each function is responsible for tracking the effectiveness of the mitigation activities and aligning with relevant internal or external stakeholders. The Leadership Team and Audit Committee review the risks bi-annually, while the Audit Committee regularly evaluates the effectiveness of the risk management process (internal controls).
GOV-5 Risk management and internal controls over sustainability reporting (Reported)
Control over sustainability matters is organized and formalized through policies, procedures, and processes, as described in this sustainability statement. ESG-related policies and procedures are proposed and developed by the ESG Council or relevant functions and approved by the CEO, the Board or a member of management depending on the policy. The Audit Committee reviews the policies presented to the Board and the Code of Conduct is approved by the Board.
F-Secure has internal control operating procedures in place which apply to the entire company. Principles and recommendations introduced in the Finnish Corporate Governance Code for listed companies are reflected in our Internal Control Framework. Based on risk assessment the key processes are identified. For the identified processes key risks and related internal control points have been defined and documented in internal control matrices. ESG has been identified as one of the key processes and we've developed internal controls for material ESG topics. Internal Control definition as adopted by F-Secure consists of e.g. policies, procedures, control activities, and monitoring, executed by F-Secure's Board of Directors supported by the Audit Committee, the CEO, F-Secure's Leadership Team and other operative management, and all F-Secure employees, designed to provide assurance regarding the achievement of F-Secure's objectives.
Main risks, mitigation plans and controls
F-Secure has analyzed the risks for each material topic including sub and sub-sub-[text appears cut off]