CHARTING A COURSE FOR A RESILIENT FUTURE

GLOBAL SUSTAINABILITY RISKS ARE OUR OPPORTUNITY

Sustainability Report 2023

SPAN GROUP'S THIRD SUSTAINABILITY REPORT

Span's 30: Ambition for growth, focus on partnerships	7
A word from the President of the Management Board	12
Sustainability Strategy 2030 for Span's 30	15
Environmental	16
Social	16
Governance	17
Trust in our practices	19
Materiality assessment for 2023	20
Discussions with those who know us best	21
Span's material topics in 2023	22
Contribution to the UN Sustainable Development Goals	25
Solutions focused on security and resilience	31
Strengthening cybersecurity at all levels	31
Building the most advanced cyberinfrastructure	32
Expanding cybersecurity awareness	34
Increasing energy efficiency through cloud solutions	36
Successful cooperation and a high level of customer trust	36
Satisfaction with issue resolution	37
Successful projects	37
Opinions of key customers	37
Our people	39
New steps to understanding diversity	41
Span Voices: Developing an inclusive culture	42
Open dialogue	42
In the words of Span employees	43

LifeSpan: new initiatives directed towards well-being, health and life balance	43
Good habits for health	44
Creating life balance	44
Offering help when needed	45
Opportunity for professional development	45
Education – a key to success	45
Successful development programs	46
The future in the hands of our youth	47

Good habits for health	44
Creating life balance	44
Offering help when needed	45
Opportunity for professional development	45
Education – a key to success	45
Successful development programs	46
The future in the hands of our youth	47

Sharing and multiplying knowledge: Our strongest social contribution 49

Span's growing volunteer commun
Old and new acquaintances
Span for the education of the futu

Governance organization
Changes in the Supervisory Boo
Workers represented in the Sup
Managing key impacts, risks and a
Risk management
Ethical operations
Continued expansion and preserva
Supply chain management
Data protection
Climate and environment
EU Taxonomy report

Span's growing volunteer community	49
Old and new acquaintances	50
Span for the education of the future	51
Transparent and efficient governance	53
Governance organization	53
Changes in the Supervisory Board	54
Workers represented in the Supervisory Board	54
Managing key impacts, risks and opportunities	55
Risk management	56
Ethical operations	57
Continued expansion and preservation of business stability	58
Supply chain management	58
Data protection	59
Climate and environment	60
EU Taxonomy report	61
Span in numbers	69
Report profile	75
GRI content index	77

SASB index 81

Span's 30: Ambition for growth, focus on partnerships

Span is one of the leading providers of software asset management and licensing services, infrastructure design and maintenance services for information systems, cloud and cyber security business, information technology services and technical support management, as well as software and business solutions development.

Agile and reliable, we have successfully followed trends in the business digital transformation in our work for 30 years. Our goal is not only to achieve business success but also to act as an example of responsible and sustainable business in Croatia, the region and the world, firmly based on our values and ethical principles.

Building long-term partnerships with our customers is in our business focus. We apply this principle in all our business relationships and all markets where we operate. Our affiliated companies operate in Great Britain, Slovenia, the United States of America, Azerbaijan, Germany, Ukraine, Switzerland, Moldova, and, since 2023, in Georgia and Estonia.

Span Group

MANAGEMENT

Span d.d.

We are the leading regional Microsoft partner, with Microsoft Gold Partner status. In 2023, we had 12 Microsoft advanced specializations, became holders of all six Microsoft Solution Partner statuses, and received the Microsoft Partner of the Year award in Croatia and Ukraine. Following our market expansion and growth strategy, in 2023 we took over the company GT Tarkvara, the leading Estonian Microsoft partner. With Microsoft as the main partner, we continue cooperating with Google, Amazon and other service providers.

The structure of the Span Group as of December 31, 2023

On 31 December 2023, Span d.d. (Span or Company) had business shares in the following companies:

Mission

Through our expertise and experience, we deliver IT solutions that power up your business.

Together with our customers, we create a digital future.

Knowledge. We are constantly evolving, advancing, and applying new trends, knowledge, and skills. The people of Span have the opportunity to learn from the best, experience cutting-edge technologies, and thrive in a team of experts with international connections.

Excellence. We always give our best for all our customers and partners – it is one of our main attributes and company ethos. We are proud that we do not give up until we deliver optimal solutions to our clients.

Responsibility. Span aspires to be a safe harbor in the storm and a solid cornerstone of our customers' business. Our experts look after the security of customers' data and resources while being at their service at any time and in any

place.

Trust. Trust is the most valuable currency, and we have learned how to build and keep it - hence, we are always there for all our stakeholders. We retained the same values we had when we were a small company with a handful of employees.

Management and certificates

Seven ISO certificates

We operate according to the highest international standards that ensure our customers' trust. We have certified quality management systems, information security and IT services, environment and energy, business continuity management and anti-bribery management systems (ISO 9001, ISO 27001 and ISO 20000, ISO 14001 and ISO 50001, ISO 22301, ISO 37001).

All six Microsoft Solution Partner statuses

Infrastructure (Azure)

Security

Modern Work

Digital & App Innovation (Azure)

Data & AI (Azure)

Business Applications

12 advanced Microsoft specializations

SAP on Azure

Azure Virtual Desktop

Adoption and Change Management

Meetings and Meeting Rooms for Microsoft Teams

Teamwork Deployment

Modernize Endpoints

Infra and Database Migration SAP on Azure

Cloud Security

Identity and Access Management

Information Protection and Governance

Threat Protection

New Microsoft advanced specialization in 2023.: Low Code Application Development

Employer Partner Certificate

Health-Friendly Company

Memberships and initiatives

Croatian Independent Software Exporters (CISEx)

American Chamber of Commerce in Croatia (AmCham)

Microsoft Intelligent Security Association (MISA)

Croatian Business Council for Sustainable Development

UN Global Compact

Croatian Employers' Association

Awards, recognitions and events in 2023

Cooperations

Microsoft Partner of the Year for 2023, for Croatia and Ukraine

All six Microsoft Solution Partner statuses

Hewlett Packard Enterprise (HPE) Gold Partner status

Cyber security

High information security management system maturity scores as assessed by CyberGRX, cyber risk management platform

Safety Grand Prix in the media promotion of safety category for the "SAFETY NET - battle for safety" campaign

Span on the stock market

Entry of the share as one of the 10 most liquid on the Zagreb Stock Exchange into the CROBEX10® and CROBEX10tr® indices, as well as into the MSCI Frontier Market Small Cap index of the leading global stock index provider MSCI.

Zagreb Stock Exchange: award for the share with the largest increase in turnover

Saviynt: Fastest Transaction in 2022 award for the fastest concluded contract

Span in the community

Volunteer Oscar award presented by the Volunteer Center Zagreb for actions in cooperation with the Project O2, as well as Hrabri telefon and Nisi sama associations

A WORD FROM THE PRESIDENT OF THE MANAGEMENT BOARD

Our Span Cyber Security Center conducts specialist cybersecurity training for experts who want to improve their knowledge and awareness training for all those who want to learn something new and protect their organization, as well as themselves from cyberattacks

2023 BROUGHT OPPORTUNITIES FOR INNOVATION AND FURTHER DEVELOPMENT IN CYBER SECURITY AND ARTIFICIAL INTELLIGENCE

Global sustainability risks are our opportunity

Today, it is impossible to imagine a world without digital technologies. We rely on them daily and saw a significant increase in the need for information and communication solutions during the pandemic. The IT industry grew globally, as did Span, until it reached saturation in 2023. A more careful investment of customers in IT projects, along with various other factors, led to a slowdown in the industry growth. But 2023 also brought opportunities for innovation and further development in cybersecurity and artificial intelligence.

At the same time, both phenomena have become global sustainability issues threats as well as opportunities. In their development, we see an opportunity to ensure our business and social relevance, but also to be a leader in their development on the Croatian market and a reliable provider of value in all markets where we operate.

The frequency of cyberattacks, their scope and the damage they cause are increasing and are a matter of personal and national security as well as social and economic stability. Proof of this are the two ongoing wars, in Ukraine and Israel, which are being fought in parallel both on the classic battlefield and in cyberspace. The cyber war is global and has not spared the territory of Croatia either.

In addition to providing excellent solutions to our customers, we are aware that education is the first step in defense against cyberattacks. That's why our Span Cyber Security Center conducts specialist cybersecurity training for experts who want to improve their knowledge and awareness training for all those who want to learn something new and protect their organization, as well as themselves, from cyberattacks.

Span continuously works to strengthen the resilience of its business as well. In 2023, we acquired the new ISO 22301 certificate, which defines business continuity management. In addition, we are also developing a risk management system in our entire value chain, we have strengthened ourselves for better daily management and response to all the challenges that may come before us.

Greater investments in solutions based on artificial intelligence, which opened the door to new opportunities in value creation and innovation, are also expected.

In the year in which we celebrated 30 years of successful work, we also worked on a careful assessment of all our impacts, risks and opportunities related to the environment, society and governance. We involved a wide range of experts and jointly defined priority areas in which we could set goals for progress. In light of changes in the market, our sustainability strategy is focused on innovations that contribute to cyber resistance, the transition to the cloud as an environmentally more efficient solution for business systems, the development of solutions based on artificial intelligence, but also on the further development of our social engagement. We do all this to ensure longterm and multiplying value for all our stakeholders.

Nikola Dujmović President of the Management Board

Sustainability Strategy 2030 for Span's 30

To ensure we respond to the demands of the global business environment and the needs of our investors, customers, employees, and the communities in which we operate, in December 2023 Span Group adopted a Sustainability Strategy for the period up to 2030. We approached the development of this strategy to thoroughly consider and understand the global economic, social, and environmental impacts within the IT and software industry. We identified environmental, social, and governance (ESG) matters critical to successful business and cooperation with our stakeholders, setting measurable and achievable goals in line with Span's long-term development vision.

Identifying Span's priority sustainability areas involved researching and analyzing the practices of companies similar to Span based on their activities that have already developed sustainability strategies. This step was followed by an in-depth analysis of Span's past material sustainability areas and a comprehensive analysis of environmental, social, and governance data gaps. We used various global sources of information and guidelines for this purpose, including research on global risks by the World Economic Forum, international treaties and agreements, guidelines for integrating sustainability criteria into business operations, and international frameworks such as the UN Sustainable Development Goals and the principles of the UN Global Compact, as well as the requirements of the European Sustainability Reporting Standards (ESRS).

The analysis identified potential goal-setting areas focused on developing solutions that enable customers to operate more securely and energyefficiently, advancing Span's business practices, and contributing to the individuals, groups, and communities we collaborate with. Based on the results of the analysis, Span's Management Board defined the priority strategic sustainability areas that require active management in the short, medium, and long term (defined as periods up to one year, one to three years, and more than three years). The Management Board named a working group of Span experts and individuals from key departments responsible for each priority area to review ongoing activities and formulate sustainability goals. Goals, activities, and performance indicators identified during the working group's thematic meetings were systematized and forwarded to specialists responsible

TO 2030

Environmental

Based on the contextual and material impacts analyses, we have determined that Span's environmental impacts can be categorized into two broad groups: in-house ecology, which includes managing energy efficiency and resource consumption within the organization, and cloud energy efficiency and greenhouse gas emissions. Responsible resource consumption includes issues that Span has been addressing for years, such as reducing material consumption, recycling, and reuse, as well as the safe disposal of electronic waste.

Reducing greenhouse gas emissions is a significant environmental matter for large companies in the IT and software industry. In this area, our priority is to continue progress in reducing energy consumption and greenhouse gas emissions from Span's operations. We will also assess our climate impacts across the value chain in the coming years.

In addition to reducing our emissions by increasing energy efficiency and transitioning to renewable energy sources, we have identified solutions that contribute to our customers' green transition such as migration to the cloud and optimizing solutions as an important matter.

Circular economy

• Ensuring efficient resource and waste management at Span

Energy and greenhouse gas emissions

• Increasing energy efficiency and reducing greenhouse gas emissions from Span's operations

Energy efficiency of products and services

• Enhancing energy efficiency of solutions and improving customers' energy efficiency by using Span's solutions

Social

In the social segment, the most important matters relate to developing a corporate culture in which every Span employee is accepted as an individual and actively engages within the collective, creating opportunities and jobs that support the advancement and well-being of employees, and spreading positive technological impacts in society.

While Span already boasts a well-developed organizational structure that fosters the professional and personal growth of our employees, we are constantly pushing for progress. We aim to cultivate a diverse organizational culture where every member of the Span team feels comfortable expressing their personality, achieving a healthy work-life balance, and leveraging their unique traits to bring fresh perspectives to the organization. Our goals in this area revolve around establishing processes and mechanisms that align with Span's values, fostering effective collaboration, balance, and alignment at all levels of the organization.

As an IT company with specific organizational and individual digital competencies, we have identified areas where our expertise can contribute to community development. We collaborate with academic, educational,

CLIMATE ACTION AFFORDABLE AND CLEAN ENERGY DECENT WORK AND ECONOMIC GROWTH INDUSTRY, INNOVATION AND INFRASTRUCTURE

and humanitarian organizations and institutions to support social entrepreneurship, youth, students, and disadvantaged individuals and groups, and contribute to environmental protection and restoration through technology.

Organizational culture, promoting diversity and inclusion

• Creating working conditions that promote equal opportunities, diversity, and inclusion

Employee development

• Building an organization that develops its employees, cares about their well-being, and effectively utilizes internal knowledge

Contribution to community development

• Expanding Span's positive impact in communities by launching its programs and joining social and environmental initiatives with a technological component

Governance

Achieving and maintaining the highest standards in cybersecurity, privacy, data protection, responsible supply chain management, and ethical conduct are our priorities in corporate governance, which we consider crucial for Span's successful operations.

Given the increasing cyber threats, we aim to use our expertise and solutions in cybersecurity to help customers ensure the continuity of successful and secure business operations and to support the business community and society in developing resilience to cyber threats. To achieve our goals in this area, we are committed to continuously developing the organization's internal capacities and the competencies of our cybersecurity experts.

In managing our business, we focus on maintaining the highest level of ethics in business relationships, protecting data in compliance with regulatory requirements and standards, and systematically verifying the alignment of our suppliers' business practices with our values, ethical standards, and sustainability goals. This forms the foundation for future collaboration in achieving common objectives.

Cybersecurity

• Developing and implementing solutions, and educating customers and the community on cybersecurity issues

Ethical business conduct and suppliers

Ensuring ethical, transparent, and legal conduct in all Span's business relationships
Cooperation with suppliers on achieving both Span's and their own ESG goals
Supplier assessment based on ESG criteria

Data protection

• Ensuring the highest level of all stakeholders' data protection and compliance with GDPR requirements

Trust in our practices

We approach building a sustainable Span with a desire for continuous learning, growth, and progress. From our first sustainability report for 2021, we set out to strengthen the trust of our stakeholders in Span and our long-term cooperation through transparent and relevant communication. We inform all stakeholders about our contribution to sustainable development by issuing sustainability reports. To better understand our business environment and identify sustainability issues important to Span, we conduct an annual assessment of our impacts on the economy, the environment, and people, including their human rights.

Our approach to assessing material topics considers the impacts arising from our core business, business operations, and relationships with Span employees and the community. We rely on internal processes and interaction with our stakeholders to assess them. In determining material topics for 2023, we took a step further in deepening our understanding of impacts along the value chain arising from our relationships with partners and the consequences of activities we might be indirectly connected to.

In addition to our commitment to socially and environmentally responsible business practices that consider our impacts on the business environment, in our previous sustainability report we reported on sustainability issues relevant to the software and IT services industry from the financial materiality perspective for the first time. We continued this approach based on the double materiality principle in preparing the 2023 Sustainability Report to provide users of our sustainability reports as much information as possible for making business decisions and to prepare for reporting in accordance with the European Sustainability Reporting Standards (ESRS) from 2024.

We continued the approach based on the double materiality principle in preparing the 2023 Sustainability Report to provide readers of our sustainability reports as much information as possible for making business decisions and to prepare for reporting following the European Sustainability Reporting Standards (ESRS) from 2024

grievance mechanisms, ensuring an adequate number of experts, while issues of supplier assessment and engagement were identified as most significant from the combined severity and likelihood of occurrence perspectives.

Considering our continuous organizational growth, the most likely impacts were related to our corporate culture and work, which could affect individuals or groups of our employees. Succession planning, managerial competencies, equitable conditions, equal opportunities, and the well-being of all Span employees are areas in which expectations and Span's responsibilities are the highest. Regarding community-related matters, the most significant are those not arising from Span's activities and business relationships but from broader societal trends, such as increasing digital equality, competencies, and literacy. Our direct impacts relate to contributions to cybersecurity in society and our socially responsible initiatives, but there were no negative impacts on individuals, groups, communities, or society recognized in this process.

Discussions with those who know us best

Interaction with stakeholders and gathering their opinions on critical business issues is integral to Span's operations. The Code of Business Conduct defines the ethical principles governing relationships with customers, suppliers, and employees, as well as the channels they can use to report concerns on illegal, unethical, or any other actions that constitute a violation of our rules, procedures, the Code, or the law. Sustainability reporting enabled us to expand communication with them and include all sustainability issues that may affect their interests. In addition to using grievance mechanisms that ensure anonymity and different stakeholder engagement methods for specific groups, such as employee work experience surveys or customer satisfaction surveys, they can also submit their comments and suggestions to our sustainability email address [email protected].

We made a significant breakthrough in understanding how our business intertwines with the interests and views of different stakeholder groups through ten thematic, in-depth interviews and focus groups covering all potential material topics for Span, changes in the regulatory framework, and business trends. Conversations with representatives of Span's Supervisory Board, investors, the Zagreb Stock Exchange, banks we cooperate with, customers, business partners, suppliers, and employees allowed us to gather diverse perspectives on Span's business practices, trends, sustainability reporting, stakeholder expectations and needs, and sustainability aspects that are their focus. This method provided insights into their views on Span's management of recognized potential adverse impacts, our contribution to sustainability, and the risks and business opportunities related to sustainability.

In-depth interviews with informed stakeholders confirmed that Span has correctly identified material topics included in our sustainability reports in recent years. Stakeholders highlighted the significance of governance issues such as transparent, ethical and responsible corporate governance, data protection and privacy, and providing quality IT solutions for customers while mentioning the increasing importance of our services in the cybersecurity segment. Alongside governance criteria, stakeholders emphasized the

Materiality assessment for 2023

Based on the results of previous materiality assessments, the due diligence of potential and actual adverse impacts on people and the environment (initiated in 2022 involving over 240 representatives from our key stakeholder groups), and the analysis of trends and practices in 2023, we mapped potential impacts, risks, and opportunities along Span's value chain.

The internal materiality assessment for 2023 and the identification of 145 potential adverse impacts on people and the environment that may arise along Span's value chain was carried out by the Management Board and experts from 18 key Span departments. Span experts assessed the significance of potential and actual impacts on the economy, environment, or people within each material topic on a scale from 1 "insignificant" to 10 "absolute," as well as the severity of consequences of potential impacts on a scale from 1 "no consequences" to 10 "catastrophic" and the likelihood of its occurrence on a scale from 1 "impossible" to 10 "already occurring". In addition to previously identified material topics and impacts, members of the working group could identify additional potential or actual positive effects on the environment or business risks and opportunities associated with each material topic.

The analysis of the internal assessment revealed that no individual adverse impact was classified as actual or inevitable, indicating that for the second consecutive year, all impacts on people and the environment related to Span's operations were assessed as potential. The working group identified individual impacts that could have severe consequences if they occurred, including those deemed moderately likely to occur and requiring proactive preventive measures or that Span is already actively managing. Several potential negative impacts with a moderate severity level were classified as probable, but Span is already planning or implementing mitigation measures.

Ensuring an adequate level of Span's cybersecurity and business continuity has been identified as crucial for uninterrupted operations, data protection, and maintaining customer trust seeing our operations involve handling customer data and considering providing services that ensure their cybersecurity is one of Span's most important business segments. Maintaining high levels of expertise among our people, continuously enhancing Span's cyber resilience, and cooperating to strengthen the resilience of stakeholders in our value chain have been recognized as priority areas for preventing negative consequences. The likelihood of adverse impacts arising from Span's core business has mostly been assessed as low or very low, with moderate but less severe consequences identified related to implementing energy efficiency features in our solutions.

Preventing the consequences of insufficient data and privacy protection has been identified as the most critical area within Span's business operations, although the likelihood of the most severe incidents occurring ranges from minor to very low. Given that human activity inevitably impacts the natural environment, the most likely consequences identified include insufficient energy efficiency and sustainability of our infrastructure, using fossil fuel in our vehicles, and waste management issues. These impacts have less severe implications because our operations are not resource or environmentally intensive. Negative impacts that could arise from our business practices and corporate governance, such as business ethics and transparency issues, were also mostly rated as unlikely. Building trust in the effectiveness of Span's

importance of social issues such as raising awareness and Span's contribution to developing competencies and elevating public discourse on cybersecurity, matters relating to organizational culture, employee satisfaction, quality of customer relations, diversity in managing bodies, and employee attraction and development. While stakeholders acknowledged the importance of environmental protection and combating climate change, they did not consider environmental issues as critical to Span's operations. However, they recognized business opportunities in applying Span's solutions to increase the energy efficiency of customers' operations and the responsibility to reduce harmful environmental impacts in daily operations.

Although we are considered a company that regularly and credibly reports on its operations, our external stakeholders emphasized the importance of Span publishing information about its sustainability goals, achievements, and areas for improvement. On the other hand, our employees consider well-organized business processes and the practical application of organizational values the most important matters. Overall, disclosures related to responsible corporate governance, supply chain management, and culture and values, including the diversity of management bodies specifically, were identified as areas for improvement in reporting.

Span's material topics in 2023

We determined the final list of material topics based on the internal quantitative assessment of the significance of impacts on the economy, environment, and people and the qualitative inputs on impacts, risks and business opportunities collected from expert stakeholders within each area. The final prioritization results from a numerical assessment on a scale from 1 to 10, where each quantitative rating has a corresponding qualitative value. Topics assessed as material have at least a moderate level of impact, i.e., a rating above 5.0. Material topics in the category of very high impact were rated above 7.50; high impact topics were rated between 6.50 and 7.50; significant impact topics were rated between 5.50 and 6.50; and moderate impact topics were rated between 4.50 and 5.50.

Span's material topics in 2023

High impact

Ethical business conduct, anticorruption, and responsible corporate governance
Contribution to the development of digital competencies, cybersecurity, and availability of technology in society
Well-being, health and safety, and life balance
Culture and values (diversity, inclusion, and equal opportunities)
Quality of solutions and customer relations
Opportunities for professional development (work on projects, promotion, and advancement)

Significant impact

Responsible supply chain management
In-house ecology (circular economy, energy efficiency and greenhouse gas emissions)

Moderate impact

• Energy efficiency and greenhouse gas emissions of solutions

Very high impact

- Cybersecurity

significant breakthrough in understanding how our business intertwines with the interests and views of different stakeholder groups through ten thematic, indepth interviews and focus groups covering all potential material topics for Span, changes in the regulatory framework, and business trends

Contribution to UN Sustainable Development Goals

The United Nations Sustainable Development Goals (SDGs) align with our ambition to build a sustainable and secure digital future by developing IT solutions and partnerships with stakeholders. We recognized numerous areas where we contribute to the UN Agenda in the IT services and solutions we offer customers, our daily operations, and our relationships with our employees and communities. By developing an ESG strategy, we took a further step forward at the end of 2023 by linking our ESG strategic priority areas with the targets within the 12 Sustainable Development Goals most relevant to Span.

We contribute to the sustainability of our customers' operations

24 Sustainability Report 2023 Sustainability Report 2023 25

Contribution of Span's ESG Strategy to the Sustainable Development Goals

ENVIRONMENTAL

Circular economy

SDG 12 12.2. At its business locations, Span is improving waste separation and prevention practices, introducing sustainable office materials, and raising employee awareness about the efficient use of resources, including electronic equipment and office supplies.

12.5. Span's ESG strategy aims to reduce the total amount of generated waste and increase the recycling rate.

Energy efficiency of products and services

SDG 7	7.3. Span's solutions enable the optimization of business processes and increase energy efficiency.
	SDG 8 8.2. With innovative solutions, Span enables customers to increase productivity and adopt new forms of work.
	SDG 9 9.4. Span's solutions and migrations to the cloud enable more environmentally sustainable business infrastructure development, with lower energy consumption, reduced carbon footprint, and greater energy efficiency.
	SDG 13 13.1. The digitalization of business operations and the technologies behind Span's services help customers reduce energy consumption and greenhouse gas emissions.

Energy and greenhouse gas emissions

SDG 7	7.2. At the Savska cesta location, where Span rents office space, "green" energy is used. The goal of the ESG strategy is to increase the share of energy from renewable sources in Span Group's total energy consumption.
	7.3. By implementing the ISO 50001 energy management standard, we continuously work to increase energy efficiency.
	SDG 13 13.2. Span incorporates climate protection into its policies and processes, and one of the goals of its ESG strategy is to reduce Span's greenhouse gas emissions.

We are continually improving our business practices

Through collaboration, we create better living conditions

SDG 15 15.1. In collaboration with Project O2, Span carries out annual smart forest planting actions that contribute to the preservation of local biodiversity and will help mitigate the harmful effects of climate change in the future.

GOVERNANCE

Cybersecurity and data protection

SDG 4	4.4. Span provides cybersecurity education and training, teaching our clients' employees about methods of defense against cyber attacks.
	SDG 8 8.2. Span is the leader in providing cybersecurity services that enable customers to conduct their business securely.
	SDG 9 9.1. Span's solutions and services facilitate the creation of secure and resilient digital infrastructure.
	SDG 16 16.4. Span helps customers timely detect and eliminate cybercriminal threats.

Ethical business conduct and supplier assessment

	SDG 8 8.7. Span's suppliers are committed to adhering to the Code of Business Conduct, which includes prohibiting forced labor and child labor, as well as respecting human rights.
	8.8. Span's Code of Business Conduct ensures ethical business practices for all Span Group companies, our employees, and business partners, including clients, suppliers, consultants, external partners, shareholders, and other business associates.
	SDG 12 12.6. Span transparently, regularly, and publicly reports on its business and sustainability practices.
	12.7. Span assesses the business practices of its suppliers according to a range of criteria, and by entering a business relationship, partners commit to respecting human and labor rights, operating legally, and establishing systems of internal control and prevention of conflicts of interest and illegal activities by their employees and subcontractors.
	SDG 16 16.3. Span operates fairly and legally, and the Code of Business Conduct obligates the company and its partners to respect the fundamental human rights defined in the UN Universal Declaration of Human Rights and internationally recognized principles and guidelines, including the International Labour Organization's Declaration on Fundamental Principles and Rights at Work.
	16.5. Span complies with anti-corruption laws in all countries where it operates and is the first IT company in Croatia to certify an anti-bribery management system according to ISO 37001.
	SDG 17 17.6. Span collaborates with international partners in developing services and solutions that rely on cutting-edge technologies. The ESG strategy also establishes a framework for collaboration with suppliers and communities to contribute to common sustainability goals.

SOCIAL

Organizational culture, promoting diversity and inclusion

SDG 5	5.1. Span is working on empowering and increasing the percentage of women in technical positions.
	5.5. Span is working on increasing the percentage of women on the Supervisory Board and in executive positions while providing equal opportunities for all employees.
	SDG 8 8.5. The starting wage at Span is significantly higher than the minimum wage in the countries in which it operates. Regardless of whether it concerns wages, working hours, benefits, or training, Span provides all employees with the opportunity to discuss the best model for them and actively works to ensure fair compensation according to the principle of "equal pay for equal work."
	8.8. Span respects the right of employees and workers to a safe and healthy working environment, freedom of association, and the right to collective bargaining. In all the countries where it operates, Span complies with all legal regulations and standards in the field of human and labor rights.
	SDG 10 10.3. Span adopts non-discriminatory policies and processes with the aim of developing a culture of understanding, acceptance, and respect for diversity, inclusion, and equal opportunities. It provides all employees with development opportunities and actively works to eliminate the gender pay gap.

Development of employees

SDG 3	3.8. Span continuously works on improving well-being programs
	and training with a focus on personal development for employees.

SDG 8 8.2. Span is developing a mentorship system that, along with defining career paths, enables employees to acquire new skills and competencies, work in cross-departmental teams, and engage with the latest technologies.

8.6. Span implements internal talent development programs and student programs to educate future Span employees, supporting both current employees and young people in developing their knowledge and skills.

Contribution to community development

SDG 4	4.4. At Span, we believe in sharing knowledge and that is why we implement various youth education programs in STEM.
	4.5. Span implements programs to empower women and girls in IT.
SDG 5	5.5. One of Span's long-term goals is to increase the percentage of women in IT positions, which we aim to achieve by providing opportunities for education and employment. Therefore, we place great importance on educational opportunities through programs like the "Work in Tech" project.
SDG 8	8.6. We implement programs that enable students and young people to gain work experience and develop their knowledge and skills.
SDG 9	9.1. Span develops partnerships with organizations to provide them with comprehensive technological support and help them utilize all the opportunities that technology offers in their daily operations.

Solutions focused on security and resilience

By developing comprehensive IT solutions, we aim to create multiple benefits for as many people as possible. The increasing number of cyber threats and customers' focus on combating climate change are creating a need for technologies that enable them to operate securely and responsibly. We aim to help them address their challenges by implementing the most advanced technologies and providing top-notch service. We continuously improve our practices, educate ourselves, and share our knowledge with others to strengthen society's capacity to face the challenges of the digital age.

Strengthening cybersecurity at all levels

Cybersecurity continues to be a pressing issue for all companies recognizing that as technology evolves, so does cybercrime. Increasingly frequent and sophisticated attacks have contributed to a growing sense of insecurity. Therefore, it is not surprising that cyber risks have climbed to the top of the list of the most significant current, short-term, and long-term global risks, according to the World Economic Forum1 , especially in the public and private sectors. Research conducted by Cybersecurity Ventures2 predicts that the costs of cyber-attacks will grow exponentially, reaching \$10.5 trillion by 2025.

The European Union has taken a significant step to bolster cyber resilience with the adoption of the NIS2 Directive. Compared to the 2016 NIS Directive, this update considerably broadens its reach to encompass a significant number of companies and organizations that were previously exempt. This includes not only EU enterprises but also international companies operating in EU member states. The implementation challenges are particularly expected for new entities and companies that have yet to prioritize information security in the past. As a result, there is a high demand for management and compliance services to ensure readiness for the NIS2 Directive implementation.

1 World Economic Forum Global Risks Report 2024 2 2023 Cybersecurity Almanac: 100 Facts, Figures, Predictions, And Statistics

Building the most advanced cyberinfrastructure

At Span, we are always committed to excellence. By maintaining our management systems, we strive to continuously improve the systems we have already implemented and seek opportunities for further advancement and the implementation of new ones. In line with these values, since 2011, we have been developing our IT security solutions based on the ISO/IEC 27001 information security management standard, and we continue to implement best practices in this aspect in other Span Group members. In 2023, Bonsai d.o.o., in addition to certifying its quality management system according to ISO 9001, became the second Group member to be certified according to the ISO 27001 standard. During the year, Span Ljubljana also began its alignment activities and is expected to pursue certification in 2024. Given the similarities, these experiences will help us build competencies to assist our customers in implementing the requirements of the NIS2 Directive in the coming years, demonstrating our readiness to support and guide our customers through these changes. The most significant step forward in 2023 was our alignment with the ISO 22301 requirements. These requirements define best practices related to business continuity processes and ensure resilience to disruptions, safeguarding key business processes and customer trust. Completing the certification audit marked the seventh ISO certificate awarded to us.

The main threats we face in our and our customers' operations include data and service availability, data loss, unauthorized access, financial loss, and reputational risk. The mitigation measures we apply include risk analysis and assessment, continuous monitoring of security events, and the implementation of security technologies. In addition to renewing existing and introducing new certifications, we implemented ISO 31000 recommendations during 2022 and 2023, enabling more efficient risk management. We also consider the importance (confidentiality, integrity, and availability) of the information we use daily, which is crucial to ensuring information security.

Our unwavering commitment to information security and compliance is evident in our continuous efforts to improve and introduce new security controls. In 2023, as in previous years, we have diligently focused on multiple areas, each of which plays a crucial role in our overall security strategy:

Implementing Azure Lighthouse and Privileged Identity Management for accessing our customers' cloud environments
Introducing the Least Privilege Access concept for accessing internal Azure cloud environments
Strengthening Entra ID Conditional Access policies and blocking access to cloud resources from private and unmanaged devices
Enhancing Entra ID multi-factor authentication by introducing hardware security keys for all highly privileged cloud roles
Creating an automated procedure for revoking unused access rights to cloud resources
Implementing a system for backing up documents and emails in the cloud to increase availability and business continuity

Our customers are increasingly concerned with how we manage information security given our services. As a result, we receive an increasing number of inquiries about our business processes (hiring, access rights assignment, incident management, etc.) and technical solutions related to data protection. To give them insight into an impartial assessment of our practices, we completed the CyberGRX questionnaire for the second time to evaluate the maturity of our business processes and third-party security measures, receiving high ratings for the maturity of our information security management system. By accessing the CyberGRX digital platform, our customers can easily verify Span's competencies.

In addition to quality processes and robust systems, it is crucial to have enough experts with the preparedness, expertise, and knowledge necessary to respond to cyber threats and implement the NIS2 Directive successfully. The shortage of specialists is the second-largest cyber threat in the European Union3, and in Croatia, the share of ICT specialists among employees is below the EU average4. We successfully anticipated growing customer needs and have recently invested significantly in hiring cybersecurity experts. More than 200 cybersecurity specialists work at Span, protecting large systems and solving real cyber challenges daily. Span's team of trained cybersecurity experts, with extensive knowledge and expertise in cybersecurity, strengthens Span's and our clients' capacities to combat cyber threats effectively by providing training and sharing their wealth of real-world experiences. These experiences, gained from handling real cyber challenges, are invaluable in our collective efforts to maintain a secure digital environment.

Our Red team consists of qualified cybersecurity experts who simulate realworld cyber-attacks to test and improve an organization's security defenses. Their primary goal is identifying weaknesses in the security infrastructure, processes, applications, and personnel before malicious attackers can exploit them. The service portfolio has been enhanced based on involvement in high-complexity penetration tests in our region and globally, making them aware of the global threat environment and the tactics, techniques, and procedures of global attackers (TTP). The Red team's services are tailored to the organization's specific needs, providing the best protection for its most valuable resources.

The Blue team comprises highly skilled experts responsible for maintaining and improving the organization's security defense posture to prevent and detect security incidents, ensuring compliance with security policies and regulations. They have extensive experience in incident response services, forensic analysis, and malware detection on a global level. In the event of a high-severity incident, our Incident Response Management team plays a crucial role in coordinating response efforts and mitigating the incident's impact. Additional efforts in 2023 have focused on enhancing our services in line with the NIS2 Directive to help clients structure and implement a coherent security program aligned with the directive's requirements and legislation.

The Governance, Risks, and Compliance (GRC) department ensures that the organization operates within regulatory frameworks, effectively manages risks, and maintains compliance with internal policies and external regulations. It plays a crucial role in establishing and maintaining robust security management practices. Span's GRC team has developed an extended set of services related to policy development and implementation, compliance with the NIS2 Directive, risk management by ISO 31000 recommendations, the ISO 27001 standard, security management, and various audits and security assessments.

Span's Security Operations Center (SOC) operates 24/7 globally. We provide all three levels of SOC services, including continuous monitoring and analysis, incident detection and response, threat intelligence, security tool management, incident triage, and investigation. Our SOC team participates in post-incident security activities and lessons learned to identify areas for improving security processes, procedures, and technologies. We upgraded processes and tools to reduce operational engagement, allowing the team to focus on the most critical security threats and alarms. Tools have been selected so the team can use them efficiently, tailored to their needs and skills. The most significant step forward in 2023 was our alignment with the ISO 22301 requirements. These requirements define best practices related to business continuity processes and ensure resilience to disruptions, safeguarding key business processes and customer trust

³ 2023 Report on the state of the Digital Decade 4 Foresight Cybersecurity Threats for 2030 (enisa.europe.eu)

The Span Security Architecture team designs and implements security infrastructure for networks, systems, applications, and environments in cloud and physical infrastructures. The Security Architecture team aligns security solutions with organizational goals, assesses security requirements, and conducts architecture reviews. They evaluate existing controls, advise on new technologies, and establish standards and best practices. The team defines security patterns and principles to ensure consistent security across the organization. They developed services and competencies to adapt to new trends by understanding attackers' tactics, techniques, and procedures, thereby successfully helping prevent attacks by implementing security tools.

At the beginning of 2023, we established the Cloud Security team to strengthen security competencies in cloud security. Their services include analyzing and reporting on the current state of the customer's cloud environment from a security perspective and implementing security solutions specialized in protecting data, applications, and identities in the cloud. The Private and Hybrid Cloud team is responsible for implementing solutions primarily intended for hosting data and applications in the customer's data center that support all the characteristics and features of cloud solutions. This preparation aligns with the trend where corporations today do not exclusively use a private data center or a public cloud but rather hybrid solutions that offer flexibility.

Expanding cybersecurity awareness

We are continuously building internal capacities and training our team to defend against cyber threats. In 2023, we introduced new awareness training programs, including Cyber Security Essentials for employees and Tabletop education for management, which is part of the Span Management Academy. The Cyber Security Essentials training familiarizes Span employees with cybersecurity, provides an overview of how it applies to Span, and educates them on best practices for maintaining cybersecurity.

This training has become a mandatory part of onboarding for all Span employees except those in the Cyber division, who already possess this knowledge at an advanced level. In its first year, 154 employees (27.9%) attended the workshop. On the other hand, employees in our Cyber division upgrade their cybersecurity expertise through certifications, external training, and conferences such as Black Hat & Defcon, Cyber Week, Croatian Security Days, and many others. In 2023, 65 employees of Span's Cyber division (69.9%) obtained at least one certification or attended an external training/ conference.

In line with our strategic goals, we continue to expand our offer of training for clients and contribute to strengthening cybersecurity, building capacity, and protecting our digital future. During 2023, the Span Cyber Security Center developed additional training programs that provide a comprehensive and tailored approach to cybersecurity education for employees, regardless of their function or background. These training sessions include both theoretical and practical instruction for various levels of employees, such as management training, regular workforce training, technical specialist training, and more.

We have also designed a SOC Analyst Academy to meet the growing market demand for SOC analysts, an intensive course expected to further increase due to the introduction of the NIS2 Directive and the escalating risks and frequency of cyber-attacks. The academy provides participants with basic knowledge of information security, operating systems, and computer networks with a comprehensive overview of cybersecurity. It focuses on identifying, analyzing, and responding to potential digital security threats and includes specially designed labs that ensure participants gain practical knowledge, as well as specially designed virtual environments where they answer questions and tasks analyzing the virtual environment.

In addition to internal training and customer training, the Span Cyber Security Center participates in activities to spread cybersecurity awareness and knowhow within the community. In 2023, we conducted several private training sessions for companies to help them acquire practical skills specific to their organizations. We also contributed to protecting the most vulnerable members of society by transferring cybersecurity knowledge to the Center for Missing and Exploited Children. Throughout the year, we regularly hosted CISO events. In collaboration with Span, the Span Cyber Security Center organized the NIS2 conference, providing participants with a platform to familiarize themselves with the NIS2 Directive. We actively work on raising cybersecurity awareness in society and have conducted numerous activities aimed at promoting this topic to the public:

During the European Cybersecurity Month, in collaboration with CERT. hr, we organized joint social media posts and an additional NIS2 event for all interested parties to raise awareness about the importance of cybersecurity
In collaboration with the Agency for Vocational Education and Training, we conducted a two-day workshop on cybersecurity for professors and teachers at vocational schools, contributing to the education and training of cybersecurity professionals
Our experts raised awareness and shared cybersecurity advice in articles and interviews published in relevant Croatian media, including Tportal, Večernji list, Poslovni dnevnik, Lider Media, ICT Business, Bug. hr, Index.hr, Bloomberg Adria, and others
We participated in the public consultation on Croatia's Cybersecurity Act, contributing to shaping legislation in this critical area
By participating in the Croatian Defense Industry Competitiveness Cluster (CDICC) and jointly presenting on the global defense technology market in collaboration with the CDICC, we have strengthened the cybersecurity sector globally and can offer our services to all relevant actors in the EU

In 2023, we conducted several private training sessions for companies to help them acquire practical skills specific to their organizations. We also contributed to protecting the most vulnerable members of society by transferring cybersecurity knowledge to the Center for Missing and Exploited Children

Increasing energy efficiency through cloud solutions

Corporate investments in cloud services are expected to exceed \$1 trillion for the first time in 20245. One of the most significant benefits of the cloud is its accessibility and the extensive range of services available in IaaS, PaaS, and SaaS models. These services allow companies to focus on their business and achieve goals while leaving the technical details of implementing and maintaining complex services to dedicated experts.

Moving from traditional data centers to the public cloud generally results in improved energy efficiency. The typical power usage effectiveness (PUE) of cloud data centers is 1.10, compared to 1.57 for on-premises data centers. With planned migration and optimized cloud usage, companies can significantly increase their energy efficiency, and by using sustainable cloud solutions, they can also reduce their indirect greenhouse gas emissions. At Span, we have already migrated part of our systems to energy-efficient data centers, and in 2023, we moved additional systems from on-premises data centers to the public cloud. In 2024, we plan to migrate other services to the cloud, and for some services already in the public cloud, we plan to move them to more energy-efficient data centers that source 100% of their electricity from renewable energy.

To help our customers achieve energy savings through cloud migration and solution optimization, we recognized the potential to assist them in choosing cloud solutions with higher energy efficiency and a lower carbon footprint. In 2023, we migrated at least three clients from traditional data centers to our partners' public cloud, and in 2024, we expect an increase in such engagements. In the coming years, we plan to explore integrating energy consumption and greenhouse gas emissions calculation solutions into our products and services.

Successful cooperation and a high level of customer trust

We are committed to making the customer satisfied with every project. By approaching business this way, we build foundations for long-lasting relationships, trust, and the quality of the service provided. We collect customer feedback on their experience with Span through various types of surveys that we analyze annually to monitor our progress. Our Solutions Consulting department assesses customer satisfaction at the end of each project, the Solutions and Services Management department conducts a satisfaction survey after closing each ticket, and we periodically survey our key customers. The Sales department is responsible for customer interactions and addressing any potential issues.

Satisfaction with issue resolution

We check customer satisfaction after ticket closure, and customer ratings are part of Management's Quality Management System (QMS) assessment. The evaluations include factors such as response speed, reporting, solution quality, approach, business communication methods, and overall satisfaction with the resolution process. The average rating in 2023 was 4.95 out of 5. Although there were no significant changes compared to the previous year, when the average rating was also exceptionally high at 4.91, scores increased in all categories.

In 2023, we successfully resolved over 202,000 incidents, providing quick and effective responses to our customers. The implementation of the Service Desk tool in 2023 ensured a high response rate from customers – 2,221 tickets were rated, up compared to 1,979 tickets processed last year. In 2023, 791 internal Span tickets (35.6%) were also rated, which is 11.7% fewer than the previous year. Survey requests are sent for 50% of closed tickets, meaning the actual response rate is 2.4%, consistent with last year's response numbers.

Successful projects

We measure customer satisfaction at project completion based on seven criteria, including assessments of change and error control, project management, time matrices, satisfaction with the provider, the project itself, and an overall project rating. Projects are evaluated according to Span's methodology with a standard set of questions, allowing for trend analysis over calendar years.

In 2023, customers rated 78 projects using this method, and the average score of 5.59 on a scale from 1 to 6 indicates a balanced and high degree of customer satisfaction with implemented projects, consistent with the previous year's average of 5.68.

Opinions of key customers

At the beginning of 2023, we completed an analysis of the data collected from periodic surveys assessing the key customers' satisfaction, including ratings of Span representatives' professionalism and ability on a scale of 1 to 5. High average scores (above 4.78 in all categories, consistent with last year's ratings) indicate that the professionalism and ability of Span's representatives are very high.

A total of 26 customers were surveyed. Remarkably, 81% of the key customers surveyed responded that they would gladly initiate another project with Span, 69% believe that Span creates good value that corresponds to the invested funds, matching the investment made, 72% rate Span's services as excellent or very satisfactory, and 12% said that Span delivered outstanding value. All key customers reported that compared to the previous year, the quality of service was better or the same, confirming the continuous improvement of Span's services.

RECOGNITION

Our people

Span's employees are the foundation of our business, cocreators of our values and organizational culture and the key to achieving our common goals. By creating an environment in which we encourage individuality, teamwork, and a sense of belonging, providing them with adequate conditions for personal and business development, we contribute to the company's development.

Throughout the whole reporting period, we have seen continuous growth in the number of our employees, which is an indicator of the business growth, but also recognition of Span as a desirable employer that offers quality working conditions to its employees. The number of employees of Span has increased by 6% in comparison to 2022, and at the Span Group level, this number increased by 8%.

Span throughout the years

Span d.d.

Span Group

New steps to understanding diversity

Awareness of the importance of fostering diversity and inclusion in organizations brings a wealth of perspectives, experiences and ideas which encourage creativity and innovation. By encouraging an inclusive environment, organizations contribute to the creation of a sense of acceptance and support for all our team members, and ensure equal opportunities, resulting in greater engagement and productivity.

Progress in diversity and inclusivity awareness builds stronger teams and strengthens the organization's reputation as a driver of positive social change.

For years we have been trying to observe all the opportunities diversity has to offer us for our internal development, while also seeking new ones to create a more inclusive work environment. Our core documents, which regulate our approach to values and behavior are Employment Rules of Procedure, Whistleblower Protection Procedure and Code of Business Conduct. In 2023, we implemented a new regulation, which regulates the procedure and measures for the protection of workers' dignity. One of the novelties that appears in this regulation is the appointment of new commissioners for the protection of worker's dignity. We have opted to entrust this role to the external legal experts, to ensure impartiality in the decision-making process. We aim to further develop a culture of equality, respect and understanding with the implementation of this regulation while ensuring zero tolerance for discrimination, harassment, or abuse in the workplace. When it comes to reports of discrimination or other forms of irregularities in terms of equality, and inclusivity, no instances of such behaviors were reported in 2023.

We promote equality through all categories of our employees, whether it is gender or age, and in all managerial positions, we are an example of a positive trend in the IT industry. The dynamics of employee fluctuations correspond to trends and developments in the labor market, moreover, it is the lowest in the last two years, both in Span, but also at the Group level.

Apart from our permanent employees, we continuously offer opportunities to students interested in IT. In this way, we strive to bring young people closer to the world of business and prepare them to work in the industry. Furthermore, during the reporting period, we maintained a steady percentage of women in the Management Board (20%), while the share of women in managerial positions has continuously increased over the last three years and in 2023 amounted to 33.68%. Our goal is to continue to work on increasing this percentage, which is already significantly higher than the industry average1 .

For years we have been trying to observe all the opportunities diversity has to offer us for our internal development, while also seeking new ones to create a more inclusive work environment

At Span, we continuously strive to find solutions whose application would provide our colleagues with work experience in which their health, well-being, life balance and quality working conditions are taken care of. The area of care for the health and well-being of our employees is determined by the rules and internal processes described in the Labor Regulations and the Code of Business Conduct, which also cover the areas of safety at work.

In the process of obtaining the "Health-Friendly Company" certificate which started in 2022, we continued the efforts by conducting a comprehensive analysis of the well-being of our employees under the LifeSpan umbrella program. This program covers all internal initiatives and channels related to the well-being of employees. In 2023, 14 initiatives were implemented as a part of this program, with more than 370 participants, covering topics such as healthy eating, the importance of physical exercise and mental health care. Initiatives were implemented in the areas of physical and mental health and support to parents and children. All the activities and initiatives we launched have proved to be beneficial because in June 2023 we earned the "Health-Friendly Company" certificate.

We also invested great effort in promoting our LifeSpan channel on our internal social network, which serves to inform employees about initiatives, events and activities in this segment. Its 60% reach and engagement rate of 3.94% served us as indicators of the success communication success for this content. We made effort to cover all topics important for the health and wellbeing of employees and include all offices in Croatia, as well as other members of Span Group.

Span Voices: Developing an inclusive culture

By joining the Croatian Business Council for Sustainable Development (HR PSOR), a business association that promotes a culture of balanced business success, social well-being, and environmental protection, we have gained new knowledge on issues of diversity and inclusion in organizations. One of the activities organized by HR PSOR was the training program called Workplace Inclusion Champion (WIC). This was an opportunity to gain further knowledge about ways in which we can empower the company in the field of diversity management, knowledge, tools for setting up an inclusive mentoring program, and the general creation of inclusive internal and external communication. Consequently, we decided to launch an internal survey on the topic of diversity understanding among employees of Span to gain clarity on the position of this topic within our organizational culture.

The first survey of the perception of diversity in Span, called Span Voices, was focused on general perception in the company, and the perception of specific diversity topics such as gender equality, religious freedom and beliefs, rights of parents and children, health difficulties and disability, and the topics of the LGBTQIA+ population. As part of the survey, we also assessed satisfaction, i.e. perception of non-discrimination and inclusion in the organization, which resulted in a high 83.26%. Results were used as a starting point for further development of diversity and inclusion in Span, writing of the Diversity and Inclusion Policy and the beginning of the development of action programs aimed at the specific aspects of importance for Span.

Open dialogue

Communication is the key to good cooperation. We try to be transparent in our relationships and enable channels of two-way communication. Informing our employees efficiently, and promptly on important events is crucial to us, and we appreciate their feedback, which allows us to continuously work on creating a good work experience. For this reason, we provide various communication channels, but the most important information and notifications concerning all employees are communicated via official e-mail addresses. We use internal Span TV and the newsletter Span Chronicles, which was launched in 2023. In addition, the internal social network Viva Engage offers several channels such as All Company, LifeSpan, Sustainably Span and others in which we communicate all the most important information.

Direct channels include in-person or online meetings, conference calls, annual live with the Management Board, as well as other activities as part of individual employee monitoring such as interviews on work performance and career development, orientation programs, inbound interviews, "stay" interviews, or informal meetings such as virtual and working coffees. Indirect channels are primarily informative and in digital form, such as official e-mail, folders on SharePoint or OneDrive platforms, internal social media and collaborative platforms, internal websites (intranet), video calls, newsletters and surveys.

All these channels are available to all Span d.d. employees and Span Group members. The internal communication satisfaction survey as a part of the

LifeSpan: new initiatives directed towards well-being, health and life balance

organizational culture survey showed high employee satisfaction of 81.11% in this segment, while the average general satisfaction of Span's employees is a high 75%.

In the words of Span employees

In 2023, the organizational climate survey was conducted at the level of the Span Group, and as many as 93.5% of employees took part in it. We examined four main areas: job satisfaction; life satisfaction; aspects of the work situation and the five dimensions of personal experience. We have recognized growth in satisfaction compared to 2022 in segments related to the image of the organization, the organization of work, management, organizational climate, proactivity and issues of life balance such as ensuring sufficient time for rest and work-life balance. Room for improvement was recognized by the employees in the segments of leadership, job satisfaction and job security, although these segments are generally highly rated as well.

To gain insight into the interest, satisfaction and usefulness of our initiatives among employees, this year, for the first time, as a part of the organizational climate survey, we assessed the satisfaction with well-being programs in Span. The results showed a high degree of satisfaction of 85%.

Good habits for health

Living in times when working very often entails spending eight hours at the computer, encouraging physical activity has become more important than ever. Through a series of projects that we implemented internally, as well as educational programs that we implement in cooperation with the Croatian Institute of Public Health (HZJZ), we are trying to encourage employees to move more. Everyone's favorite activity, which we repeated in 2023, is the internal competition Fit Happens. In 2023, more than 250 employees of Span joined in, and recorded steps, worked on creating their healthy habits, and encouraged their colleagues to get involved in the initiative. We also participated in activities such as the B2Run race but did not neglect our cyclists either; we organized the Bike2Work initiative and bicycle servicing education to encourage commuting by bike. This not only has a beneficial health effect but is a more environmentally efficient way to travel.

In addition to physical activity, we encouraged other good habits such as a balanced diet and health prevention. Together with HZJZ, we organized two education courses on physical activity and proper nutrition in Osijek and Zagreb, offering consultations with health experts and nutritionists. Furthermore, with the help of external associates, we held training that dealt with prevention measures that men and women can take to detect health issues in time and thus increase the chances of a better outcome. On Women's Day, we provided education on breast cancer prevention and the importance of self-examination, while we marked the month of November with a project Movember@Span within which we provided colleagues with a series of content with a focus on men's health.

Creating life balance

In addition to physical health, in 2023 we emphasized mental health issues and support in ensuring a good work-life balance. In Rijeka and Zagreb, and in cooperation with the HZJZ, we organized a lecture on effective strategies for coping with stress and raised awareness of this aspect of mental health offering articles on the regulation of emotions in our internal communication channels. In addition to all the initiatives in our internal communication, we continue to provide psychological counselling in five meetings for all employees of Span.

We place special focus on parents, due to the challenges they face. in cooperation with our partner Hrabri telefon (Brave Phone) Association, we organized lectures for our employees on various topics, from learning, through creating relationships with teenagers to surfing the Internet safely, based on strengthening family relationships, but also the safety of children. In cooperation with external experts, we also conducted a lecture on engaged fatherhood, wanting to contribute to the motivation and education of fathers in child raising.

Offering help when needed

We are constantly improving the system of benefits provided in Span, which includes previously introduced and retained benefits such as physical checkups, different bonuses, paid days off for various purposes, more favorable loan conditions in certain banks, payments to a voluntary pension fund or opportunities for training. In 2023, we added financial support in difficult life situations and provided assistance when it is most needed, whether it is health costs, education or other important needs. Additionally, we increased the amount of the bonuses for recommending new employees for each of the three existing categories of employees.

Opportunity for professional development

Education is extremely important in all companies, especially in the IT industry known for its rapid development. By improving the knowledge and skills of Span's employees, we offer them the possibility of personal development and the ability to increase their competence, as a key to continuous development. In 2023, we continued with existing professional development and training initiatives and improved them where necessary.

Performance Evaluation (PE) interviews, i.e. performance assessment, provide employees with the opportunity to get and exchange feedback on the past period with their supervisor in a structured manner. This conversation aims to agree on individual plans, goals and development direction for the employee to follow in the coming period. Interest areas, motivation and ability of employees are considered, as well as contribution to Span's business goals and strategy. All Span employees are included in the PE interviews, and in this way, the employee development strategy ties into a whole with the strategic decisions and goals of the company.

Education – a key to success

Continuous education and monitoring of trends and innovations are key to the development of IT at the global level. That is why we strive to provide our employees with an environment in which they are constantly learning and opportunities for specialization in different areas. For the development of technical and professional competencies of Span employees, various certifications are required, which depend on the specifics of the project itself. PE interview aims to agree on individual plans, goals and development direction for the employee to follow in the coming period

The assessment of the number and types of certificates required for the operation of each organizational unit is determined by directors in accordance with projects, customers and their needs, market trends and new technologies, but also the interest of employees. Although the largest number of education hours is spent on various specializations, education is carried out as early as onboarding, and we also cover topics related to the promotion of health and well-being, sustainability and equal opportunities.

The average number of hours of education in 2023 was 117 per employee; this average is slightly reduced compared to the previous year due to a lower number of new hires in 2023, which has reduced the number of hours of onboarding education and mentoring. All employee categories are included in the education in Span, and the number of hours of education for people in managerial positions has significantly increased compared to the previous year.

Successful development programs

Span Management Academy is an excellent tool for remote development of competencies of our talented employees, which is why we continued with it in 2023. A total of 15 employees who were recognized as high-potential individuals for further competency development were engaged in the program, which would help them perform the functions of team leaders and managers or help them advance to these positions in the first place. The academy program consists of three modules; the first relates to the development of business skills within the company itself and works to promote the skills needed for management positions. Senior management and management hold workshops and lectures in this module and share their knowledge and experience with the participants. The second module deals with the development of so-called "soft" skills that are recognized as equally important for the development of managerial competencies. The third module includes a mentoring program in which employees are helped to adapt to business expectations and development. In addition to colleagues from Span d.d., in 2023, two colleagues from Ekobit, one from bonsai.tech and one from Span Slovenia were included in the academy program, thus covering not just the company but the Span Group as well.

At the beginning of 2023, as part of the training and development of employees, we launched Span Learning Hub, a system of internal education. In this way, we responded to the needs of management and employees for the development of skills and competencies. During 2023, we conducted various trainings, from topics of awareness of the importance of security, through the skills of meeting, time and project management, or assertive communication, to training sessions on understanding and accepting differences or onboarding mentoring. The positive reactions of the participants were an excellent indicator to continue with the same and similar topics in 2024. In the first year of activity of this program, as many as 75% of the total number of employees at the level of Span d.d. attended the training sessions.

To ensure the continuity of good practices, we continued with other useful activities, formerly introduced. Every other Monday, our engineers or designers hold training courses on new technologies and solutions they work on. The training is conducted through the Microsoft Teams collaboration platform, and for those who cannot participate, a video recording is uploaded on our

internal site Viva Engage. This education is focused on technical solutions or the usage of various tools, and the employees can suggest or even prepare a topic that they wish to present to the other departments if they conclude that this knowledge could be beneficial to them. Transferring knowledge that our colleagues have acquired at various conferences or external education is also practiced. Once a week, colleagues from the Sales department prepare short presentations on new products, services and solutions that Span offers on the market so that everyone is familiar with our offer for customers.

Our LMS (Learning Management System) portal contains a series of technical and non-technical training courses available to employees. We use it when it is necessary to ensure that employees thoroughly master certain content. After completing a video lecture or reading material, participants must pass a test to complete their education.

Finally, as a company whose core business is cybersecurity, we regularly organize various activities for our employees to increase their knowledge, as well as security in this area. In 2023, training sessions for employees and external participants were held at the Span Cybersecurity Center. With these trainings, we also offer the experience of a real attack on systems that imitate the existing IT infrastructure of an organization. In this way, we work on the competencies of the future both in our employees and users. Also, with the development of technologies and artificial intelligence, identity theft is becoming an increasing danger in the digital world. That is why this year we organized a series of phishing campaigns to educate and raise awareness of this problem.

The future in the hands of our youth

In 2023, Span started two projects to present itself as a top-tier employer to the students at higher education institutions in Croatia. One of the projects for student education was SpanIT Gym, an educational program that lasts for a month, and teaches students of technical faculties the basics of IT technologies with an emphasis on IT infrastructure. Eight students participated in the program, out of which as many as six were employed in Span upon completion of the program.

Apart from that, Work in Tech program was, once again, implemented in collaboration with the Algebra University College, which covers knowledge and skills related to systematic administration, getting to know networks and server IT infrastructure, areas of IT security and providing customer support in solving incidents and requests. The targeted group for this education is young women without preexisting knowledge or education in the field of IT, to contribute to the increase of women in the industry. Upon completion of the program and when they acquire all the necessary skills, the participants of the program often end up becoming Span employees.

By launching Span Learning Hub, we responded to the needs of management and employees for the development of skills and competencies

Sharing and multiplying knowledge: Our strongest social contribution

Regarding philanthropic activities, at Span we maintain our usual approach: we work on deepening and building relationships, long-term cooperation and partnerships with civil society organizations. This is visible in the multiyear collaborations that we achieve with our partners in the communities, which go beyond one-off collaborations or initiatives, that are becoming fewer and fewer. We are upgrading our activities in society in the direction of raising our capacities for corporate volunteering, setting the framework for further cooperation in volunteer actions, and also skillsbased volunteering with different associations.

Span's growing volunteer community

We have always tried to contribute to the community and the common good and consider it our duty and responsibility to help those in need. Guided by this philosophy, at Span we have helped and volunteered practically from the very beginning of the company. Thirty years later, we are stronger in numbers and can do even more in terms of community contribution. A few years ago, we took several steps to improve our corporate volunteering and expand the circle of our people.

As our volunteer initiatives developed, so did the need to make the volunteering framework at Span official. In 2023 we published the Policy on Corporate Volunteering which clearly defines what corporate volunteering entails, so that all people involved in corporate volunteering programs would feel comfortable, their rights respected, and their health and safety protected. Deciding to further strengthen our commitment and support for volunteering activities, we also signed the Employee Volunteering Charter, the goal of which is to encourage and introduce a systematic approach to volunteering, create a suitable environment for volunteering, and adopt volunteering standards.

In the development of our programs, we have particularly focused on finding opportunities for skills-based volunteering projects, i.e. projects where our experts can provide support to those who need their IT skills and knowledge. We already achieved such cooperation with Hrabri telefon (Brave Phone) in 2022, and in 2023 we extended it to the Nismo same association (We Are Not Alone).

The campaign of the Association of Women Patients and Treated with Cancer Nismo same for the project "You are not alone - come with us!", a project that was about to be shut down due to insufficient funds, was an incentive for us to help the project with a donation. However, the financial assistance for taxi transportation of oncology patients to chemotherapy, one of the most famous in the series of projects of this association, was only the first step. In the wake of a similar corporate volunteering project that we carried out with Hrabri telefon, a team of Span experts whose skills best suited these tasks got to work and helped replace the Excel spreadsheets that the association used to track activity records, with an application that will automate the necessary calculations and facilitate entry and record of all data that the association monitors. Additionally, as a non-profit organization, the association is entitled to free Microsoft licenses that were required to be installed. Training on the use of Microsoft tools was also held, and two laptops were installed, which we also donated to the association.

In addition to spending time in front of the computer, we also spent our volunteer hours in nature. In 2022, Span joined forces with Project O2 for the first time and participated in forest restoration through socially driven tree planting with the help of advanced reforestation systems. We have supported this green action in 2023 with an even larger number of volunteers. During our visit to Grubišno Polje, we planted 130 saplings of sedge oak and helped deliver 2,500 seed bombs of various secondary species from the air. About fifty Span volunteers not only made sure that the oak was not left neglected, but also learned more about the importance of the forests they plant and about the new technologies used for it in two workshops. One session was related to the topic of using drones in planting and their advantages compared to traditional plantings, and the other to the importance of preserving existing forests and planting new ones.

Finally, although awards are not the point of volunteering, we are happy to be awarded the Volunteer Oscar for these initiatives. This award is presented by the Zagreb Volunteer Center to companies and individuals for their contribution to volunteer practices.

Old and new acquaintances

Span has been cooperating with the RTL pomaže djeci association (RTL Helps Children) for several years. In 2023 projects were realized with the Day Rehabilitation Center Veruda - Pula and the Ludbreško sunce (Ludbreg Sun) association.

The Veruda Day Rehabilitation Center - Pula has been doing great things for little patients with motor disabilities since 2000. As a day center for the rehabilitation of children, youth and adults with developmental disabilities, they established the first cabinet for the rehabilitation of children and adults using assistive technology in Croatia. The beneficiaries of the project are children of early and preschool age who deviate in neuromotor and psychomotor development, children of school age with motor and multiple difficulties in development, and children of early and preschool age with visual and hearing impairments and additional sensory impairments. Within the "Window into the World" project, we helped finance the instrument Quha ZONO, which scans changes in head position or airflow from the nostrils or mouth and converts them into precise commands on the communicator screen, which are used for communication and control of the environment and the computer/communicator. The project aims to provide support to children with severe motor difficulties so that they can communicate, read, write and control their environment with the help of the mentioned instrument. Many little beneficiaries of the Veruda Center - Pula are aware of their surroundings and understand everything but cannot adequately express themselves. This is where assistive technology comes in, and as many as 60 beneficiaries of the Center will benefit directly from this device.

In addition to Pula, we also visited Ludbreg and helped the Ludbreško sunce association get a new professional kitchen for their day center. This association for people with developmental disabilities has been operating for almost three decades, and one of its main goals is to raise the quality of life of people with developmental problems and their families. From casual gatherings at the very foundation of this community in 1996, they have moved into a day center where today three meals are served to more than hundreds of beneficiaries. Thanks to the cooperation with Span, beneficiaries of the association's services can now easily eat meals prepared by their industrious cook every day.

We also continued cooperation and support for the Mali Lošinj Educational Home, which includes several activities - from user education to corporate volunteering.

Span for the education of the future

Investing in STEM is key to developing innovation, economic growth and solving global challenges. Therefore, as a bronze partner, we continued to support the work of the STEMwave - School of the Future project. The goal of the project is to make the Croatian school system a world leader in bringing modern knowledge from the industry within the artificial intelligence, robotics and Internet of Things school programs for primary and secondary schools. In addition to this project, we also supported the work of other associations and initiatives in the STEM field, including the Zagreb Computer Association, the Association of Young Gifted Mathematicians "Marin Getaldić", the Croatian Society for Robotics, Crobotics Rijeka and Science Park.

Creating schools of the future without gender stereotypes is the goal of the campaign called "Who will tell them?", which was launched in several cities across Croatia as part of the "Let's Encourage Equality" project, with Span as the sponsor in Čakovec. Workshops, forums and various events include a dozen other Croatian cities to emphasize the importance of upbringing and education in which everyone has equal opportunities and encouraging children to choose education and careers following their preferences and abilities. By encouraging children, both boys and girls, to take an interest in and participate in STEM, we open the door to unlimited opportunities for their personal and professional development and build the foundations for an inclusive and sustainable society.

In Grubišno Polje, we planted 130 saplings of sedge oak and helped deliver 2,500 seed bombs of various secondary species from the air

COMMUNITY

Transparent and efficient governance

The enforcement of responsibility at all levels and the transparency of reporting on our financial and sustainability information guarantees corporate governance at Span. In doing so, we apply the Code of Corporate Governance of the Zagreb Stock Exchange and the Croatian Financial Services Supervisory Agency (HANFA).

Governance organization

Following the provisions of the Statute and the Law on Companies, the management structure in Span includes three key bodies: the Management Board, the Supervisory Board and the General Assembly, which consists of the company's shareholders. Details on the work of the General Assembly, its powers, shareholders' rights and the manner of their realization are prescribed in the company's Statute, which is publicly available on the internet. The Supervisory Board, appointed by the General Assembly, is responsible for supervising the company's operations, and makes decisions under legal regulations, the Statute and the Rules of Procedure of the Supervisory Board. The Audit Committee and the Appointments and Remuneration Committee operate within the Supervisory Board. The activities of both committees are aimed at supporting the work and activities of the Supervisory Board, and their members are appointed to a four-year term. The Appointments and Remuneration Committee of the Supervisory Board supervises the processes of appointments to the Supervisory Board and the Management Board to ensure transparency, with a special emphasis on determining the independence of the members of the Supervisory Board.

The management of Span is guided by the principles of corporate governance that emphasize transparency, efficiency and clearly defined powers and responsibilities, along with the implementation of supervisory mechanisms and care for sustainability and business progress. The powers of the Management Board and the Supervisory Board are determined by the Law on Companies. The board is appointed for five years, with the possibility of re-appointment, with no limit on the number of mandates. The number of members of the Management Board is determined by the Supervisory Board of the company. All members of the Management Board are experts with many years of experience in management positions in their fields, with diverse profiles and experiences. No member of the Management Board was previously a member of supervisory boards within the Span Group.

The Management Board is obliged to act for the benefit of the company and shareholders, taking into account the impact of activities on external and internal stakeholders, the environment and the community. Also, the members of the Management Board may not take part in decision-making or make decisions that are based on personal interests, or the interests of persons

connected to them, that is, the interests of individual shareholders or other parties. To prevent conflicts of interest, the members of the Management Board are guided by the rules prescribed by the Rules of Procedure of the Management Board following the Code of Corporate Governance of the Zagreb Stock Exchange and HANFA and the Law on Companies, and especially the Conflict-of-Interest Management Policy.

Management Board members in 2023:

Nikola Dujmović - president Marijan Pongrac - member Dragan Marković - member Antonija Kapović* – member Saša Kramar - member

*Antonija Kapović resigned as a member of the Management Board on December 31, 2023

Changes in the Supervisory Board

President of the Supervisory Board Jasmin Kotur and member Zvonimir Banek resigned from their positions in the Supervisory Board, and at the session of the General Assembly of the Company, held on June 14, 2023, Ivana Šoljan and Mirjana Marinković were elected as new members of the Supervisory Board of Span. The aforementioned members of the Supervisory Board were elected for the period from the adoption of the decision of the General Assembly until the expiration of the mandate of the other members of the Company's Supervisory Board, that is, until September 30, 2024.

After the session of the General Assembly on June 14, 2023, at which new members of the Supervisory Board were appointed, the constituent session of the Supervisory Board of Span was held, where Ante Mandić was appointed as the new president of the Supervisory Board by unanimous decision. As of June 14, 2023, the Supervisory Board of Span consists of four members:

Ante Mandić, president of the Supervisory Board Aron Paulić, deputy president of the Supervisory Board Ivana Šoljan, member of the Supervisory Board Mirjana Marinković, member of the Supervisory Board

Workers represented in the Supervisory Board

Following the proposal of the Span workers, at the end of November 2023, a decision was made to convene a meeting of workers, which was held on December 8, 2023, and at which the conditions for the election of worker representatives to the Supervisory Board were established, and the Election Committee was appointed.

Two candidates collected enough signatures for candidacy, and voting was held electronically. The final election results showed that Barbara Gradečak was elected as the employee representative in the Supervisory Board and was appointed to this position on December 29, 2023.

Managing key impacts, risks and opportunities

By adopting the Policy of Assessment of Company Impact on the Environment and Community and Management of Associated Risks, Span assumed the obligation to consider and assess the impact of its activities on external and internal stakeholders and the environment, as well as managing related risks in all business segments. To achieve this goal, we are committed to providing our services in a manner that is safe, reliable, sustainable, environmentally and socially responsible and efficient. We also ensure that all managers and employees are aware of their organizational and individual responsibilities regarding the impact on the environment and society, and we encourage active participation in the development of new technologies and processes that can further improve environmental and social efficiency.

Following the Policy of Assessment of Company Impact on the Environment and Community and Management of Associated Risks, the management of environmental and social impacts is the responsibility of the company's Management Board. It ensures that in all aspects of its operations, Span considers and assesses the effects of its business activities on external and internal stakeholders, the environment and the community, as well as the management of related risks and opportunities. The Supervisory Board is responsible for supervising the implementation of these activities and this policy.

The Management Board of the company ensures the implementation of the due diligence procedure and other processes for identifying and managing impacts on the economy, environment and people (more on due diligence of impacts on pages 20-21). The Supervisory Board and the Management Board jointly identify key stakeholders, and the Management Board ensures the existence of effective mechanisms for regular interaction with stakeholders, as well as for informing the Supervisory Board about the results of these communications. Experts for responsible operations are in charge of the implementation of these processes, coordinating all activities and regularly reporting on them to the Management Board and the Supervisory Board. Based on the findings of the due diligence process carried out in 2023 and the analysis of our business processes, at Span we started a several-monthlong process of creating a Sustainability Strategy that we adopted at the end of 2023. Along with the adoption of the strategy, the analysis showed the need for the adoption of additional policies in the aspects of social impact management. Thus, during the year, the Policy on Corporate Volunteering and the Diversity and Inclusion Policy were adopted, and the Management Board of Span joined the Croatia Diversity Charter, strengthening its commitment to contributing to the creation of equal opportunities for all.

We continuously work to raise awareness of a responsible attitude towards the environment and society among our employees, customers, partners, suppliers, regulators and public institutions, as well as other relevant stakeholders. We ensure an open exchange of information and opinions and effectively address any type of irregularity by providing mechanisms for raising complaints, expressing concerns and making suggestions about our activities and practices. In addition, Span's Code of Business Conduct is a framework of values and principles that guide our business and relations with various stakeholders. These fundamental principles affect all aspects of our business policies, guidelines, rules and procedures. At Span, we deeply respect human rights as defined in the United Nations' Universal Declaration of Human Rights, as well as internationally recognized principles and guidelines, including the International Labor Organization's Declaration on Fundamental Principles and Rights at Work.

We encourage active participation in the development of new technologies and processes that can further improve environmental and social efficiency

Considering that the responsibility for the implementation of corporate policy obligations related to sustainable and responsible business lies primarily with the Management Board, which ensures that all business and other relationships and ventures initiated by Span are based on these principles, for the year 2023 the KPIs of the Management Board in this area included are:

Calculation of the organization's carbon footprint, which considers Scope 1 and 2 emissions, and the creation of an action plan to reduce the carbon footprint (weight 5%)
Adopting the Diversity and Inclusion Policy and signing the Diversity Charter, which commits us to implementing a diversity and nondiscrimination policy in the working environment and business environment (weight 5%)
Creating a business strategy that includes environmental, social and governance impacts and agreeing on an action plan (weight 5%)

In sustainability reporting, the Management Board is responsible for reviewing and approving published information, including material topics (more on the materiality determination process on pages 20-23).

Risk management

At Span, we recognize risks for business in various domains - strategic, economic, political and social, ethical, technological, security, legal, management, market, as well as risks related to projects and changes, business continuity, environment and climate, employment and relations in value chain. Therefore, during 2022 and 2023, a risk management system was implemented and further improved according to the recommendations of ISO 31000. The new Risk Management Policy defines the method of identifying and managing risks arising from business relationships and the environment.

Following the principles of this policy, Span undertook to achieve the goals of its business by respecting high standards of business ethics and sustainability, preserving the financial performance of the company and protecting the interests of users. Also, the system is aimed at ensuring that the business is fully compliant with legislative and regulatory requirements and maintaining the system of internal controls to preserve and maintain business continuity and security.

During 2023, we improved the risk management system by defining the context with the influences of the most important stakeholders, assessed and documented risk appetite, and developed a risk management methodology based on the methodology of the Information Security Management System. In addition, we focused on risk identification activities, conducted training and education, and encouraged the systematic application of controls, thereby continuing to build a culture of awareness and responsibility in risk management.

Risks are presented to the Management Board twice a year, as well as the application of controls and the plan for treating more important risks. At these meetings, corrections are made, and tasks are assigned to individual team members. The goal of such a system is for the organization to learn how to manage existing and recognized risks, regulating their importance and impact.

We approach the evaluation of the success of this management approach by looking at the reduction in the level of residual risks, compared to the initial ones, as a result of the applied controls, and we define treatment plans for unacceptable levels of key risks. In the further development of the system, special attention will be paid to defining risks according to the objectives of the sustainability strategy adopted at the end of 2023.

Ethical operations

Effective risk management, compliance and creating fair relationships with customers, suppliers and other business partners are the basis of Span's Anti-corruption Policy and Code of Business Conduct. The provisions of the Code include Span d.d. and all members of the Span Group and bind all our employees and business associates, including clients, suppliers, consultants, external associates, shareholders and other business partners associated with Span, following local legal norms and regulations.

We expect suppliers and business partners to respect human rights and act in accordance with the law, especially when it comes to corruption and unfair market competition. They are expected to have internal controls, risk and conflict of interest management systems in place and to promptly notify us of a conflict of interest that could directly or indirectly affect Span. However, we also carry out an in-depth analysis of the risk of bribery and control of buyers and suppliers on a specific sample.

Addressing internal corruption risk assessments, we systematically assess those workplaces that have a higher risk of bribery. We include analysis when hiring, and monitor the implementation of projects or activities, including financial and non-financial controls, controls on giving and receiving gifts and hospitality. In 2023, we did not record any cases of corruption or unethical behavior in business relations.

If employees find themselves in a situation to suspect illegal or unethical actions or any actions or procedures that violate our rules, procedures, the Code or the law, they are obliged to immediately report any suspected violation. As a first step, we encourage you to contact your superior, but if this is not possible for any reason, you should contact the compliance monitoring officer at [email protected] or the worker's dignity protection officer at [email protected], by phone at SPAN LINE: +385 1 6690 240 and at the address of our headquarters in Zagreb. All our stakeholders can also submit a complaint anonymously, using the application form on our website.

When it comes to training employees on this topic, cooperation with Microsoft continued, and employees with a risk of bribery higher than low for the Microsoft partner Code of Conduct were educated. In 2023, we also conducted anti-corruption training for students of the Management Academy.

We expect suppliers and business partners to respect human rights and act in accordance with the law, especially when it comes to corruption and unfair market competition

Continued expansion and preservation of business stability

Following a business strategy that implies growth and strengthening of business activities with high added value and expansion into new markets with strong cooperation with key partners and international clients, in 2023 we added two new companies to the consolidation - the acquired company GT Tarkvara from Estonia and the established company Span LLC in Georgia.

As in previous reporting periods, the support of the Ministry of Economy and Sustainable Development enables us to be exempt from paying profit tax in the period from 2015 to 2025. This support amounts to 50% of the tax base, up to the maximum threshold established according to the Investment Promotion Act (Official Gazette 63/22), with an additional 50% in the period from 2021 to 2031, also up to the maximum threshold of the total investment. In addition, as part of the incentives approved by the Law on Investment Promotion and the Regulation on Investment Promotion, we were also granted an incentive measure for the justified costs of creating new jobs related to the investment project.

Supply chain management

In our daily business, we cooperate with about three hundred suppliers from Croatia, the European Union and the world, depending on the supplier's coverage and the location of the customer for whom a certain project is being implemented. The share of domestic suppliers in the total turnover with suppliers in 2023 was 47%, and the share of obligations for domestic suppliers in total obligations to suppliers at the end of 2023 reached 51%.

In 2023, we started developing an improved supplier evaluation system. We systematically evaluate over 60 suppliers across categories, from suppliers delivering technology platforms, through internet services and telephony, to hardware, materials and services. Driven by continuous improvements in risk assessments throughout our value chain, the intention was to set additional criteria in supplier verification as well. In addition to earlier assessments of issues of quality, fair business practices and information security as part of certified management systems, a working group composed of experts from various fields, from cyber security, through privacy and protection of personal data to sustainability, participated in the creation of a questionnaire that includes additional verification criteria such as environmental practices, management practices, working conditions and human rights, as well as personal data security. The first assessments according to the new system will be carried out in 2024, while audit procedures are also planned for key suppliers.

Like all other stakeholders with whom we create a business relationship, our partners also undertake to comply with all our regulations specified in the Code of Business Conduct. To maintain integrity, our suppliers and other partners can report any suspected illegal or unethical practices, as well as any behavior that violates our policies, procedures, the Code or the law, by sending a report to the Compliance Officer at [email protected].

Data protection

Span disposes of the personal data of employees, customers and partners, using them for different, clearly and in advance-defined purposes as part of a particular type of relationship and in accordance with the law. For example, we use the personal data of employees for salary management, insurance, tax and contribution administration and other purposes related to employment.

Policies and procedures for the protection of employee personal information include collection, use, retention, data protection, and access and correction of data. Span has a clear policy on how data will be used, who has access to data and how data is securely stored. We also ensure that all employees are familiar with the policies and procedures related to data security. We collect data actively, for example when an individual voluntarily provides information when registering on websites or when contracting projects. We use passive collection of information exclusively through tracking technology, such as cookies on websites, or if the customer or partner provides the data of their employees or contact persons that are necessary to provide the service.

Customer data privacy policies and practices provide a high level of security and privacy for customers in advertising. This protects users from unwanted advertising activities and possible violations of data privacy. Some of the ways we ensure user privacy in advertising are collecting only necessary data, providing clear information about data processing, providing opportunities for control, data protection, and monitoring and compliance checks to detect potential deficiencies in data security and processing processes.

Information is used for purposes such as advertising, sending marketing content and information related to business and activities or for purposes that are necessary for the execution of contracted services, legal obligations or legitimate interests. Information use practices that are not in accordance with the expectations of individuals may violate their privacy, so we prevent such use of information. Information is retained for a defined period, but only as long as it is necessary for the execution of contractual, legal or legitimate reasons. Unnecessary retention of information may pose a risk to the privacy of individuals, as information may be misused or compromised in the event of a data leak, so we avoid retaining information for unnecessary reasons. The final stage of the information life cycle is destruction. This includes deleting, destroying or encrypting data in accordance with the expectations of individuals and their privacy. Span does not disclose information except on a lawful basis.

In addition to earlier assessments of quality issues, fair business practices and information security, the new questionnaire for suppliers includes additional screening criteria such as environmental and management practices, working conditions and human rights, as well as personal data security

All Span Group members based in the European Union have established management systems that may be marginally different from each other depending on local legislation. Non-EU member states also follow local legislation in establishing data protection management systems. Our Privacy Policy is a publicly available document, and it may differ minimally between the countries in which the Span Group has its companies, depending on local legislation.

To systematically raise awareness of the importance of data management and data protection, we regularly conduct training for new employees and occasional team training. Also, education on personal data protection is a regular part of the Management Academy program. Data protection officers in the Span Group also regularly receive education and training in this area.

No data protection complaints were recorded in the reporting period. Any complaints can be sent to the address [email protected] or in writing to the address of Span's headquarters, or to the addresses of individual members of the Span Group.

Climate and environment

Following our ambition to reduce potential and actual negative impacts in every aspect of our business, at Span we systematically consider our impacts on the environment and climate. Although compared to some other types of industries they are not that significant, we regularly monitor, evaluate and apply measures to reduce them.

On the other hand, we also see opportunities to improve our services in this area, and therefore we are working on creating a value proposition that includes careful consideration of energy consumption, which can ultimately benefit both us and our customers when it comes to the impact on climate change. We are also aware of the impact that changes in the climate can have on our business, and as part of the certification of the business continuity management system according to the ISO 22301 standard, we also assessed the sensitivity of our buildings to physical risks.

Considering climate protection, the process of calculating the Scope 1 and 2 greenhouse gas emissions and the action plan we adopted in 2023 for Span d.d. we immediately expanded to the Group level. Our ambition is to start the most demanding process, that of establishing carbon emissions of Scope 3, so that we can set measurable, concrete and achievable goals and action plans to reduce all emissions from our business.

In 2023, we successfully checked the environmental and energy management systems according to ISO 14001 and 50001 standards and continued monitoring energy and water consumption at our locations in Zagreb. The location in Savska Street already procures energy from renewable sources, and the plan is to extend the procurement of such energy to our other locations as well. In addition, to improve energy efficiency, the existing lighting in the building in Koturaška Street was replaced by LED lighting, as well as part of the lighting during the renovation of part of the office space in Savska Street.

As before, we continued with activities of education and raising awareness of the importance of environment and climate protection among the residents of Span, recording the educational series ESGym, which is available in the internal communication channels of Span.

EU Taxonomy report

The Taxonomy Regulation (EU) 2020/852 is a classification framework to facilitate environmentally sustainable economic activities and a vital tool for achieving the strategic goals of the European Green Deal. In its 2023 report, Span Group discloses the proportions of environmentally sustainable economic activities aligned with the taxonomy related to the first two taxonomy objectives: climate change mitigation and climate change adaptation; taxonomy-eligible activities related to all six taxonomy objectives; and taxonomy-non-eligible activities in its group turnover, capital expenditure (CapEx), and operational expenditure (OpEx).

In calculating the key indicators, we used the following interpretations: taxonomy-eligible economic activities are those described in the delegated acts supplementing the Taxonomy Regulation, regardless of whether they meet any or all of the technical screening criteria established in the delegated acts. Taxonomy-aligned economic activities meet the criterion of significant contribution to one or more environmental objectives; do not cause significant harm to any of the environmental objectives; are conducted in compliance with minimum safeguards; and comply with the technical screening criteria in the delegated acts supplementing the taxonomy. A taxonomy-uneligible economic activity is any economic activity not described in the delegated acts supplementing the Taxonomy Regulation. Key performance indicators (KPIs) include turnover, capital expenditure, and operational expenditure.

Eligibility analysis

The proportion of taxonomy-eligible economic activities in our turnover is calculated as the share of turnover derived from products and services related to taxonomy-eligible economic activities (numerator) divided by total turnover (denominator) for the reporting year 2023. The numerator of the turnover KPI is defined as the revenue generated from products and services related to the taxonomy-eligible economic activity Computer programming, consultancy, and related activities.

The capital expenditure KPI is defined as the share of taxonomy-eligible CapEx (numerator) divided by total capital expenditures for the reporting year 2023. Capital expenditures include the acquisition/commissioning of new fixed assets, capitalized internal software development, and capitalized long-term leases. In this segment, we identified the internal development of software solutions, ownership of vehicles, and ownership and use of property, as taxonomy-eligible economic activities described in the sections for Computer programming, consultancy, and related activities, Transport by motorcycles, passenger cars and light commercial vehicles, and Acquisition and ownership of buildings.

The operating expenditure KPI is defined as the total taxonomy-eligible operating expenditures (numerator) divided by our total operating expenditures (denominator) in the reporting year 2023. According to the taxonomy definition, total operating expenditures consist of direct noncapitalized costs related to research and development, building renovation measures, short-term leases, maintenance and repairs, and all other direct expenses related to the day-to-day servicing of property, plant, and equipment. In our case, this includes costs for the maintenance of the Group's business premises, maintenance and car rentals related to taxonomy-eligible activities Transport by motorcycles, passenger cars and light commercial Vehicles, and Acquisition and ownership of buildings.

We are working on creating a value proposition that includes careful consideration of energy consumption, which can ultimately benefit both us and our customers when it comes to the impact on climate change

Analyzing Span's business activities in accordance with EU taxonomy requirements, we identified that our only taxonomy-eligible turnover pertaining to IT services falls under the category of Computer programming, consultancy, and related activities. The total turnover generated from taxonomy-eligible IT services in 2023 amounted to €43.69 million (30.6%), and the capital expenditures related to internal development costs associated with these services amounted to €0.40 million (7.3%).

Considering that the EU taxonomy is not limited to activities related to our core business, we recognized taxonomy-eligible activities in our capital expenditures and operating expenses under the categories of Transport by motorcycles, passenger cars and light commercial vehicles, and Acquisition and ownership of buildings. Capital expenditures related to the Transport by motorcycles, passenger cars and light commercial vehicles activity include car purchases in 2023, amounting to €0.42 million (7.6%), while the operating expenses totaled €0.8 million (57.3%), including car maintenance and rental costs. The taxonomy activity Acquisition and ownership of buildings, specifically the right-of-use assets, accounted for 9.8% of total capital expenditures (€0.54 million) and 17.7% of operating expenses (€0.25 million) for the maintenance and rental of right-of-use properties.

Alignment analysis

We subjected the identified eligible activities to a taxonomy alignment assessment, following the prescribed evaluation steps. For taxonomyeligible activities Computer programming, consultancy and related activities and Acquisition and ownership of buildings, we determined whether they significantly contribute to climate change adaptation, considering that, according to the EU taxonomy, both groups of activities can contribute to this taxonomy objective. For economic activities related to Transport by motorbikes, passenger cars and light commercial vehicles, we examined whether they significantly contribute to climate change mitigation. Next, we verified whether these activities met the technical screening criteria for doing no significant harm to other taxonomy objectives and checked their alignment. Finally, we ensured that we met the minimum safeguards in their implementation, in alignment with the OECD Guidelines for Multinational Enterprises and the UN Guiding Principles on Business and Human Rights, including the principles and rights set out in the eight core conventions defined in the ILO Declaration on Fundamental Principles and Rights at Work and the International Bill of Human Rights.

A prerequisite for determining that an economic activity contributes to the goal of climate change adaptation for recognized taxonomy-eligible IT services and real estate is conducting a process of analysis and assessment of physical climate risks. The evaluation of physical climate risks for the critical infrastructure we manage and for buildings we own and operate was carried out in 2022 as part of the ISO 22301 Business Continuity Management certification process (for which we received the certification in April 2023). However, the assessment included a limited number of physical climate risks and was not carried out using location-based climate projections and impact assessments, considering the latest scientific advancements in sensitivity and risk analysis and related methodologies in line with the latest reports from the Intergovernmental Panel on Climate Change (IPCC). Until we conduct a comprehensive physical climate risk assessment that includes climate projections based on various climate scenarios for all our locations, we cannot assert that our activities are aligned with this technical screening criterion.

In 2023, we invested in two new vehicles that meet the criteria for emissions from light vehicles and road vehicle tires. These new cars, manufactured in the European Union, comply with the recyclability criteria and will be given back to the leasing company at the end of the lease period.

Span's Code of Business Conduct outlines the values and ethical principles we rely on in our operations. At Span, we respect the fundamental human rights defined in the United Nations Universal Declaration of Human Rights and internationally recognized principles and guidelines. As an employer, Span is committed to working in accordance with the International Labour Organization's Declaration on Fundamental Principles and Rights at Work.

In 2023, we conducted a due diligence assessment of our potential and actual adverse impacts on the environment and society, including human rights, and did not encounter any cases of human rights violations. We will continue to strengthen our responsible policies and practices regarding human rights protection by examining the impacts of our activities across our entire value chain.

Taxonomy-aligned economic activities constitute 1% of our capital expenditures and 0.3% of our operational expenditures.

Turnover

(EUR)

Yes/No/EYes/No/EYes/No/EYes/No/EYes/No/EYes/No/E

Yes/No Yes/No Yes/No Yes/No Yes/No Yes/No Yes/No

A. TAXONOMY-ELIGIBLE ACTIVITIES

Turnover of environmentally sustainable activities

(Taxonomy-aligned) (A.1)	0.00	0.0%	0.0%	0.0%	/	/	/	/	0.0%
A.2 Taxonomy-Eligible but not environmentally sustainable activities (not Taxonomy-aligned activities)
8.2. Computer programming, consultancy and related activities	43,688,446.72	30.6%		E					38.9%
sustainable activities (not Taxonomy-aligned activities) Turnover of Taxonomy-eligible but not environmentally (A.2)	43,688,446.72	30.6%	0.0%	30.6%	0.0%	0.0%	0.0%	0.0%	38.9%
Total (A.1+A.2)	43,688,446.72	30.6%	0.0%	30.6%	0.0%	0.0%	0.0%	0.0%	38.9%
B. TAXONOMY-NON-ELIGIBLE ACTIVITIES
Turnover of Taxonomy-non-eligible activities	99,147,216.05	69.4%

Total turnover (A+B)

142,835,662.77

100.0%

Capital expenditure Operating expenditure

	Economic activities		6.5. Transport by motorbikes, passenger cars and light commercial vehicles	Capital expenditure of environmentally sustainable activities (Taxonomy-aligned) (A.1)	6.5. Transport by motorbikes, passenger cars and light commercial vehicles	7.7. Acquisition and ownership of buildings	8.2. Computer programming, consultancy and related activities	not environmentally sustainable activities (not Capital expenditure of Taxonomy-eligible but Taxonomy-aligned activities) (A.2)	Total (A.1+A.2)	Capital expenditure of Taxonomy-non-eligible activities (B.)	Total capital expenditure (A+B) Economic activities
											Absolute operating expenditure
	Absolute capital expenditure	(EUR)	55,024.86	55,024.86	364,996.96	541,389.32	404,629.06	1,311,015.34	1,366,040.20	4,171,927.15	5,537,967.35 Proportion of operating expenditure
	Proportion of capital expenditure	%	1.0%	1.0%	6.6%	9.8%	7.3%	23.7%	24.7%	75.3%	100.0% Climate Change Mitigation
	Climate Change Mitigation	No/E Yes/	Yes	1.0%	E	E		16.4%	17.4%		Substantial Contribution Criteria Climate Change Adaptation
Substantial Contribution Criteria	Climate Change Adaptation	No/E Yes/		0.0%			E	7.3%	7.3%		Water and marine resources
	Water and marine resources	No/E Yes/	/	/				0.0%	0.0%		Circular Economy
	Circular Economy	No/E Yes/	/	/				0.0%	0.0%		Pollution
	Pollution	No/E Yes/	/	/				0.0%	0.0%		Biodiversity and ecosystems
	Biodiversity and ecosystems	No/E Yes/	/	/				0.0%	0.0%		Climate Change Mitigation
DNSH criteria ('Does Not Significantly Harm')	Climate Change Mitigation	Yes/No	/								DNSH criteria ('Does Not Significantly Harm') Climate Change Adaptation
	Climate Change Adaptation	Yes/No	Yes								Water and marine resources
	Circular Economy Water and marine resources	Yes/No Yes/No	Yes /								Circular Economy
	Pollution	Yes/No	Yes								Pollution
	Biodiversity and ecosystems	Yes/No	/								Biodiversity and ecosystems
	Minimum Safeguards	Yes/No	Yes								Minimum Safeguards
	proportion of capital expenditure in the previous period (2022)	%	0.0%	0.0%	3.1%	15.5%	27.9%	46.5%	46.5%		Taxonomy eligible and aligned proportion of operating expenditure in the previous period (2022)
	Enabling activity Taxonomy eligible and aligned	E		0.0%							Enabling activity
	Transitional activity	T		0.0%							Transitional activity

(EUR)

Yes/No/EYes/No/EYes/No/EYes/No/EYes/No/EYes/No/E

Yes/No

A. TAXONOMY-ELIGIBLE ACTIVITIES

A.1. Environmentally sustainable activities (Taxonomy-aligned)

6.5. Transport by motorbikes, passenger cars and light commercial vehicles	3,754.62	0.3%	Yes		/	/	/	/	0.0%
environmentally sustainable activities Operating expenditure of (Taxonomy-aligned) (A.1)	3,754.62	0.3%	0.0%	0.0%	/	/	/	/	0.0%	0.0%	0.0%
A.2 Taxonomy-Eligible but not environmentally sustainable activities (not Taxonomy-aligned activities)
6.5. Transport by motorbikes, passenger cars and light commercial vehicles	794,699.50	57.0%	E						47.0%
7.7. Acquisition and ownership of buildings	246,293.00	17.7%	E						33.3%
sustainable activities (not Taxonomy Operating expenditure of Taxonomy eligible but not environmentally aligned activities) (A.2)	1,040,992.50	74.7%	75.0%	0.0%	0.0%	0.0%	0.0%	0.0%	80.3%
Total (A.1+A.2)	1,044,747.12	75.0%	75.0%	0.0%	0.0%	0.0%	0.0%	0.0%	80.3%
B. TAXONOMY-NON-ELIGIBLE ACTIVITIES
Operating expenditure of Taxonomy non-eligible activities (B.)	348,628.79	25.0%

Total operating expenditure (A+B)

1,393,375.91

100.0%

Span in numbers

Span's people
Disclosure					2023
Employees, Span Group	M	F	M	F	M	F
Employees, total	427	147	571	231	604	261
Fixed term contract, no.	15	4	14	3	3	2
Permanent contract, no.	412	143	557	228	601	259
Full-time, no.	427	146	570	230	603	261
Part-time, no.	0	1	1	1	1	0
Students, %					4.31
Employees, Span d.d.	M	F	M	F	M	F
Employees, total	353	116	439	169	459	185
Fixed term contract, no.	15	4	14	2	2	1
Permanent contract, no.	338	112	425	167	457	184
Full-time, no.	353	116	438	169	458	185
Part-time, no.	0	0	1	0	1	0
Students, %					3.59
Diversity, Span Group	M	F	M	F	M	F
< 30 years of age	135	45	212	86	210	88
30-50 years of age	274	97	339	137	367	165
> 50 years of age	18	5	21	7	27	8
Diversity, Span d.d.	M	F	M	F	M	F
< 30 years of age	112	34	167	58	162	55
30-50 years of age	226	79	258	106	279	124
> 50 years of age	15	3	14	5	18	6
			2021 6.79 6.57		2022 8.73 7.87

401-1	New hires (31/12/23), Span Group	M	F	M	F	M	F
	< 30 years of age	56	25	89	46	51	26
	30-50 years of age	33	20	54	35	29	20
	> 50 years of age	0	1	1	1	1	1
	Departures (31/12/23), Span Group	M	F	M	F	M	F
	< 30 years of age	17	5	18	11	24	6
	30-50 years of age	40	15	30	10	27	12
	> 50 years of age	3	0	3	0	2	2
	New hires (31/12/23), Span d.d.	M	F	M	F	M	F
	< 30 years of age	46	19	75	34	32	16
	30-50 years of age	29	17	45	29	21	16
	> 50 years of age	0	0	1	1	1	1
	Departures (31/12/23), Span d.d.	M	F	M	F	M	F
	< 30 years of age	14	3	11	7	15	5
	30-50 years of age	31	8	23	7	17	9
	> 50 years of age	3	0	3	0	1	2
202-1	Ratio of standard starting salary to minimum wage, Span d.d.	M	F	M	F	M	F
	Zagreb	1.96	2.18	2.21	2.21	2.07	2.29
	Osijek	2.07	n/a	2.13	n/a	1.96	n/a
	Rijeka	2.94	3.06	2.35	n/a	n/a	2.11
405-2	The ratio of salaries of women and men, Span d.d.		F/M		F/M	F/M
	Zagreb		0.91		0.89	0.89
	Osijek		0.89		0.98	0.92
	Rijeka		1.31		1.37	1.22
406-1	Cases of discrimination, Span Group		0		0	0
404-1	Education, Span d.d.
	Number of hours spent on education		56.171		84.956	75.311
	Average hours per employee		120		140	117
	Education by gender and position, Span d.d. (Statistics are managed by gender as of 2022)	M	F	M	F	M	F
	Management, no. hours	-	-			5,939 3,288 10,395	8,144
	Average management, no. hours	-	-	121	164	160	255
	Employees, no. hours	-	-			53,215 23,177 40,024	16,748
	Average employees, no. hours	-	-	136	156	102	109

404-3	Performance assessment, Span Group	M	F	M	F	M	F
	Fixed-term contract	100	100	100	100	100	100
	Permanent contract	100	100	100	100	100	100
	Full-time	100	100	100	100	100	100
	Part-time	100	100	100	100	100	100
403-9	Injuries at work, Span d.d.
	Number of injuries at work	0		1		1
	The rate of injuries at work	0		0.1		0.1
	Lost working hours	0		120		192
	Lost working days	0		15		24
401-3	Maternity and parental leave, Span d.d.	M	F	M	F	M	F
	Employees entitled to parental leave*, no.	353	116	439	169	459	185
	Employees who have exercised the right to parental leave, no.	5	6	2	10	4	7
	Employees who returned to work after completing parental leave, no.	5	2	1	3	4	6
	Return of employees who have exercised the right to parental leave**, %	100	33.3	50	30	100	100
	Employees who returned to work after completing parental leave and remained employed and 12 months after returning to work, no.	1	0	0	0	19	8
	Retention at work of employees who have exercised their right to parental leave***, %	20	0	0	0	95	88.9

Corporate Governance

GRI	Disclosure	2021	2022	2023
2-21	The ratio of the total annual compensation for the highest paid individual of the organization and the average of the annual total compensation for all employees	5.62	5.98	8.16
2-21	Ratio of percentage increase in total annual compensation for the highest paid individual of the organization against the percentage increase in the total average annual compensation for all employees	1.02	1.07	2.49
2-9	Women in the Management Board, %	20	20	20
405-1	Women in managerial positions, %	26.4	30.1	33.68
2-27	Cases of non-compliance with laws and regulations	0	0	0

Economic Impact

GRI	Disclosure (EUR)	2021	2022	2023
201-1	Revenues	103,697,293.51	116,001,526.14	144,826,213.06
	Operating expenses	13,377,633.03	19,939,653.06	18,338,250.42
	Salaries and benefits of employees	18,418,436.66	25,798,972.06	32,196,696.49
	Payments to capital providers	204,715.23	1,490,060.48	2,835,237.50
	Government-by-state payments (taxes)*	4,383,737.03	4,663,259.08	6,779,616.80
	Community investments (donations)	89,460.61	193,617.26	181,329.38

*Government payments by taxes: VAT, profit tax, income tax and surtax

Products and services

GRI	Disclosure	2021	2022	2023
416-2	Cases of non-compliance with regulations concerning the impact of products and services on health and safety	0	0	0
417-2	Cases of non-compliance with regulations and voluntary codes for declaring and labelling products and services	0	0	0
417-3	Cases of non-compliance with regulations concerning marketing communications	0	0	0

GRI	Disclosure	2021	2022	2023
302-1	Energy consumption, Koturaška, Zagreb
	Electricity (kWh)	329,772	342,586	337,710
	Thermal energy (kWh)	144,869	125,680	139,539
	Energy consumption, HOTO tower, Zagreb	2021	2022	2023
	Electricity (kWh)	80,119	99,373	136,679
	Thermal energy (kWh)	80,722	192,937	188,744
	Airconditioning (kWh)	16,343	129,730	143,515
302-3	Energy intensity, HOTO + Koturaška, Zagreb (kWh/m2)	135.20	184.67	190.51
	Fuel consumption, motor vehicles (Zagreb)	2021	2022	2023
	Petrol and diesel (l)	67,806	103,141	143,845
	Total, km	968,664	1,473,442	2,054,926
	Consumption (l/100km)	7	7	7
	Energy (kWh)	678,065	1,031,409	1,438,448
303-5	Water consumption, Koturaška, Zagreb	2021	2022	2023
	Water (m3)	924	1,199	1,291
305	Emissions of greenhouse gases*	2021	2022	2023
305-1	Scope 1 (t CO2 e)	-	312.59	454.93
305-2	Scope 2 (t CO2 e)	-	173.30	220.12
305-4	Emission intensity (t CO2 e)	-	0.80	0.81
306-3	Waste	2021	2022	2023
	Hazardous waste (total) (electronic), kg	810	400	900
	Non-hazardous waste (total) (paper, cardboard), kg	700	2,100	1,560

* Data on GHG emissions for 2022 pertain to Span d.d., while data for 2023 pertain to Span Group.

Report profile

The Sustainability Report for the year 2023 covers Span Group's operations and activities for the period from 1 January to 31 December 2023. It has been prepared in accordance with GRI standards and SASB standards for disclosure of financial material information on sustainability. The contents of the report are not subject to external verification.

All questions and suggestions related to this report can be directed to [email protected] or Span d.d., Koturaška cesta 47, Zagreb.

GRI content index

GRI standard Disclosure		Page	Comment
GRI 1 Foundation 2021
GRI 2 General Disclosures 2021
	Organization and its reporting practices
2-1	Organizational details	7
2-2	Entities included in the organization's sustainability reporting	8
2-3	Reporting period, frequency, and contact point	75
2-4	Restatements of information		There was no re-publication of information compared to 2022
2-5	External assurance	75
Activities and workers
2-6	Activities, value chain and other business relationships	7-8
2-7	Employees	7, 39-40, 69-71
2-8	Workers who are not employees	69
Governance
2-9	Governance structure and composition	53-54, 72	More details in the 2023 Annual Report
2-10	Nomination and selection of the highest governance body	53	More details in the 2023 Annual Report
2-11	Chair of the highest governance body	54	More details in the 2023 Annual Report
2-12	Role of the highest governance body in overseeing the management of impacts	55-56
2-13	Delegation of responsibility for managing impact	15, 55-56
2-14	Role of the highest governance body in sustainability reporting	56
2-15	Conflict of interest	57	More details in the 2023 Annual Report
2-16	Communication of critical concerns	53-54
2-17	Collective knowledge of the highest governance body	53-54
2-18	Evaluation of the performance of the highest governance body	53-54
2-19	Remuneration policies	53, 56	More details in the 2023 Annual Report
2-20	Process to determine remuneration	53	More details in the 2023 Annual Report
2-21	Annual total compensation ratio	72
	Strategy, policies and practices
2-22	Statement on sustainable development strategy	13, 15-17, 55-56
2-23	Policy commitments	55-56
2-24	Embedding policy commitments	55-56
2-25	Processes to remediate negative impacts	55-56
2-26	Mechanisms for seeking advice and raising concerns	55
2-27	Compliance with laws and regulations	72
2-28	Membership associations	10
Stakeholder engagement
2-29	Approach to stakeholder engagement	21-22
2-30	Collective bargaining agreements	39

8
75
	information compared to 2022


7-8
69-71


72	More details in the 2023 Annual Report
53	More details in the 2023 Annual Report

55-56
15, 55-56
56


53-54
53-54




13, 15-17, 55-56



55

GRI standard	Disclosure	Page
GRI 3: Material topics 2021
3-1	Process to determine material topics	19-22
3-2	List of material topics	23
Cybersecurity
GRI 3: Material topics 2021	3-3 Management of material topics	31
	Energy efficiency and greenhouse gas emissions solutions
GRI 3: Material topics 2021	3-3 Management of material topics	36
Quality of solutions and customer relations
GRI 3: Material topics 2021	3-3 Management of material topics	31, 36
GRI 416: Customer health and safety 2016	416-2 Incidents of non-compliance concerning the health and safety impacts of products and services	72
GRI 417: Marketing and labeling 2016	417-2 Incidents of non-compliance concerning product and service information and labeling	72
	Culture and values (diversity, inclusion, and equal opportunities)
GRI 3: Material topics 2021	3-3 Management of material topics	41
GRI 202: Market presence 2016	202-1 Ratios of standard entry level wage by gender compared to local minimum wage	70
GRI 401: Employment 2016	401-1 New employee hires and employee turnover	70
GRI 405: Diversity	405-1 Diversity of governance bodies and employees	72
and equal opportunity 2016	405-2 Ratio of basic salary and remuneration of women to men	70
GRI 406: Non discrimination 2016	406-1 Incidents of discrimination and corrective actions taken	70
Well-being, health, safety and life balance
GRI 3 Material topics 2021	3-3 Management of material topics	43
GRI 3 Material topics 2021	401-3 Parental leave	71
GRI 403: Occupational	403-1 Occupational health and safety management system	43
health and safety 2018	403-2 Hazard identification, risk assessment, and incident investigation	44
	403-3 Occupational health services	43-45
	403-4 Worker participation, consultation, and communication on occupational health and safety	43
	403-5 Worker training on occupational health and safety	43
	403-6 Promotion of worker health	44
	403-7 Prevention and mitigation of occupational health and safety impacts directly linked by business relationships	44
	403-8 Workers covered by an occupational health and safety management system	43
	403-9 Ozljede na radu	71
Opportunities for professional development (projects, educations and advancement)
GRI 3: Material topics 2021	3-3 Management of material topics	45
GRI 404: Training and	404-1 Average hours of training per year per employee	70
education 2016	404-2 Programs for upgrading employee skills and transition assistance programs	45-46
	404-3 Percentage of employees receiving regular performance and career development reviews	71

GRI standard	Disclosure	Page
	Contribution to the development of digital competencies, cybersecurity, and availability of technology in society
GRI 3: Material topics 2021	3-3 Management of material topics	49
GRI 413: Local communities 2016	413-1 Operations with local community engagement, impact assessments, and development programs
	Ethical business conduct, anti-corruption, and responsible corporate governance
GRI 3: Material topics 2021	3-3 Management of material topics	57-58
GRI 201: Economic performance 2016	201-1 Direct economic value generated and distributed
	201-4 Financial assistance received from government	58
GRI 205: Anticorruption 2016	205-1 Operations assessed for risks related to corruption
	205-2 Communication and training about anti-corruption policies and procedures
	205-3 Confirmed incidents of corruption and actions taken	57
Responsible supply chain management
GRI 3: Material topics 2021	3-3 Management of material topics	58
GRI 308: Supplier	308-1 New suppliers that were screened using environmental criteria	58
environmental assessment 2016	308-2 Negative environmental impacts in the supply chain and actions taken	58
GRI 414: Supplier	414-1 New suppliers that were screened using social criteria
social assessment 2016	414-2 Negative social impacts in the supply chain and actions taken	58
Privacy and data protection
GRI 3: Material topics 2021	3-3 Management of material topics	59
GRI 417: Marketing and labeling 2016	417-2 Incidents of non-compliance concerning product and service information and labeling
GRI 418: Customer Privacy 2016	418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data
	In-house ecology (circular economy, energy efficiency and greenhouse gas emissions)
GRI 3: Material topics 2021	3-3 Management of material topics	60
	GRI 306: Waste 2020 306-1 Waste generation and significant waste-related impacts	60
	306-2 Management of significant waste-related impacts	60
	306-3 Waste generated	73
	GRI 302: Energy 2016 302-1 Energy consumption within the organization
	302-3 Energy intensity	73
GRI 303: Water and	303-1 Interactions with water as a shared resource
effluents 2018	303-2 Management of water discharge-related impacts	60
	303-5 Water consumption	73
GRI 305: Emissions	305-1 Direct (Scope 1) GHG emissions	73
2016	305-2 Energy indirect (Scope 2) GHG emissions	73
	305-4 GHG emissions intensity	73
	305-5 Reduction of GHG emissions	60

SASB index

In the 2023 Sustainability Report, for the second year in a row, we used the Software and Information Technology (IT) Services guidelines of the Sustainability Accounting Standards Board (SASB). The following table refers to public announcements that include information consistent with SASB's metrics for the year ended December 31, 2023.

Environmental Footprint of Hardware Infrastructure
Accounting metric	Category	Unit of measure	SASB code	Disclosure
1) Total energy consumed,	Quantitative kWh, %			TC-SI-130a.1 Climate and environment
(2) percentage grid electricity,				Span in numbers
(3) percentage renewable
1) Total water withdrawn, (2) total water consumed, percentage of each in regions with High or Extremely High Baseline Water Stress	Quantitative m3, %			TC-SI-130a.2 Span draws and consumes water for the needs of sanitary facilities in its office spaces. Given this, the quantities of drawn water are not material for Span.
Discussion of the integration of environmental considerations into strategic planning for data center needs	Discussion and Analysis			TC-SI-130a.3 Span works with data center providers in the processes of migrating customers to the cloud. We cooperate with service providers that respect all world standards of energy and environmentally efficient business.

Data Privacy and Freedom of Expression
Accounting Metrics	Category	Unit of measure	SASB code	Disclosure
Description of policies and practices relating to behavioral advertising and user privacy	Discussion and Analysis			TC-SI-220a.1 Span's policies and procedures for the protection of employees' personal data include collection, use, protection, retention, access and correction of data in accordance with the GDPR. The full Privacy Policy is available on the Span website. More about data protection on page 59
Number of users whose information is used for secondary purposes	Quantitative Number			TC-SI-220a.2 Span has established policies and practices regarding the privacy of user data that provide a high level of security and privacy to users in advertising. The information is used for purposes such as advertising and sending marketing and information content related to the business and activities of Span Group. Information usage practices that are inconsistent with individuals' expectations may violate their privacy, and Span prevents such use of information. More about data protection on page 59
Total amount of monetary losses as a result of legal proceedings associated with user privacy	Quantitative Currency			TC-SI-220a.3 There were no such proceedings.
(1) Number of law enforcement requests for user information, (2) number of users whose information was requested, (3) percentage	Quantitative Number,	percentage		TC-SI-220a.4 There were no such requests.

Total amount of monetary losses as a result of legal proceedings associated with user privacy
(1) Number of law enforcement requests for user information, (2) number of users whose information was requested, (3) percentage resulting in disclosure
List of countries where core products or services are subject to government-required monitoring, blocking, content filtering, or censoring	Discussion and Analysis

TC-SI-220a.5 N/A

Data security
Accounting Metrics	Category	Unit of measure	SASB code	Disclosure
1) Number of data breaches, (2) percentage involving personally identifiable information (PII), (3) number of users affected	Quantitative Number,	percentage		TC-SI-230a.1 There were no data breaches.

Recruiting & Managing a Global, Diverse & Skilled Workforce
Accounting Metrics	Category	Unit of measure	SASB code	Disclosure
Percentage of employees who are (1) foreign nationals and (2) located offshore				Quantitative Percentage TC-SI-330a.1 Span d.d. employs 0.5% of foreign nationals in the total number of employees, and the percentage is the same for Span Group.
				Employees who stayed abroad (Croatia) for a longer period of time in 2023 are employees of the company TOV Span from Ukraine (6 employees, 0.7% of the Group's employees).
Employee engagement as a percentage				Quantitative Percentage TC-SI-330a.2 In 2023, 93.5% of employees of Span Group participated in the employee satisfaction survey.
Percentage of gender and racial/ ethnic group representation for (1) management, (2) technical staff, and (3) all other employees				Quantitative Percentage TC-SI-330a.3 Span monitors the workforce structure by gender. The data is available in Span in numbers chapter.

Intellectual Property Protection & Competitive Behavior
Accounting Metrics	Category	Unit of measure	SASB code	Disclosure
Total amount of monetary losses as a result of legal proceedings associated with anti-competitive behavior	Quantitative Currency			TC-SI-520a.1 There were no such proceedings.

regulations

Managing Systemic Risks from Technology Disruptions
Accounting Metrics	Category	Unit of measure	SASB code	Disclosure
Number of (1) performance issues and (2) service disruptions; (3) total customer downtime	Quantitative Number			TC-SI-550a.1 There were no problems with the delivery of services or interruptions in the delivery of services.
Description of business continuity risks related to disruptions of operations	Discussion and Analysis			TC-SI-550a.2 During 2023, we complied with the requirements of the international standard ISO 22301 in Span d.d. The specified standard defines the best practices related to business continuity processes. In addition, during 2023, we worked on alignment with the requirements of the ISO 31000 international standard, which defines risk management at the level of the entire company. Groups of services critical for supporting business processes are defined, as well as key risks that can affect business continuity. Time sensitive processes are covered by BIA analysis and strict SLA. During 2023, two successful location change exercises were carried out for them.

Other measures include BIA by services that support key business processes, risk processing, creation of DR scenarios for the outage of key processes and services, inclusion of procedures in the business continuity plan, and execution of exercises covering parts or whole scenarios.

Activity Metrics
Accounting Metrics	Category	Unit of measure	SASB code	Disclosure
(1) Number of licenses or subscriptions, (2) percentage cloud-based				Quantitative Number, % TC-SI-000.A The performance indicators used by Span are available in the 2023 Annual Report.
(1) Data processing capacity, (2) percentage outsourced				Quantitative Number, % TC-SI-000.B The performance indicators used by Span are available in the 2023 Annual Report.
(1) Amount of data storage, (2) percentage outsourced				Quantitative Number, % TC-SI-000.C The performance indicators used by Span are available in the 2023 Annual Report.

IMPRESSUM

Published by: Span d.d. Reporting consultants: Hauska & Partner d.o.o. Graphic design: Hand Studio d.o.o.

AI Terminal

Span d.d.

2101_rns_2024-06-26_2636da28-b981-43bf-8a9f-8107d0a15d53.pdf

CHARTING A COURSE FOR A RESILIENT FUTURE

SPAN GROUP'S THIRD SUSTAINABILITY REPORT

TABLE OF CONTENTS

Sharing and multiplying knowledge: Our strongest social contribution 49

Span's 30: Ambition for growth, focus on partnerships

The structure of the Span Group as of December 31, 2023

Mission

Management and certificates

Seven ISO certificates

All six Microsoft Solution Partner statuses

12 advanced Microsoft specializations

Employer Partner Certificate

Health-Friendly Company

Memberships and initiatives

Awards, recognitions and events in 2023

Cooperations

Cyber security

Span on the stock market

Span in the community

A WORD FROM THE PRESIDENT OF THE MANAGEMENT BOARD

Global sustainability risks are our opportunity

Sustainability Strategy 2030 for Span's 30

Environmental

Circular economy

Energy and greenhouse gas emissions

Energy efficiency of products and services

Social

CLIMATE ACTION AFFORDABLE AND CLEAN ENERGY DECENT WORK AND ECONOMIC GROWTH INDUSTRY, INNOVATION AND INFRASTRUCTURE

Organizational culture, promoting diversity and inclusion

Employee development

Contribution to community development

Governance

Cybersecurity

Ethical business conduct and suppliers

Data protection

Trust in our practices

Discussions with those who know us best

Materiality assessment for 2023

Span's material topics in 2023

Span's material topics in 2023

High impact

Significant impact

Moderate impact

Very high impact

- Cybersecurity

Contribution to UN Sustainable Development Goals

Contribution of Span's ESG Strategy to the Sustainable Development Goals

ENVIRONMENTAL

Energy efficiency of products and services

Energy and greenhouse gas emissions

GOVERNANCE

Cybersecurity and data protection

Ethical business conduct and supplier assessment

SOCIAL

Organizational culture, promoting diversity and inclusion

Development of employees

Contribution to community development

Solutions focused on security and resilience

Strengthening cybersecurity at all levels

Building the most advanced cyberinfrastructure

Expanding cybersecurity awareness

Increasing energy efficiency through cloud solutions

Successful cooperation and a high level of customer trust

Satisfaction with issue resolution

Successful projects

Opinions of key customers

Our people

New steps to understanding diversity

Span Voices: Developing an inclusive culture

Open dialogue

LifeSpan: new initiatives directed towards well-being, health and life balance

In the words of Span employees

Good habits for health

Creating life balance

Offering help when needed

Opportunity for professional development

Education – a key to success