Key Figures

secunet Group overview (according to IFRS)

Key operating figures (in million euros)	2023	2022	Change
Sales revenue	393.7	347.2	13 %
Earnings before interest and income taxes (EBIT)	43.0	47.0	-9 %
EBIT margin	10.9 %	13.5 %	-2.6 Pp
Earnings before taxes (EBT)	42.1	46.7	-10 %
Group profit for the period	29.0	31.3	-7 %
Earnings per share (in euros)	4.51	4.84	-7 %
Dividend per share (in euros, subject to resolution of the Annual General Meeting)	2.36	2.86	-17 %
Key cash flow figures (in million euros)	2023	2022	Change
Cash flow from operating activities	51.9	-4.0	>100 %
Cash flow from investing activities	-8.8	-54.5	>100 %
Cash flow from financing activities	-23.3	-39.5	+41 %

Key balance sheet figures (in million euros)	31 December 2023	31 December 2022	Change
Balance sheet total	328.6	315.4	+4 %
Equity (including non-controlling interests)	137.8	127.8	+8 %
Equity ratio	41.9 %	40.5 %	1.4 Pp
Cash and cash equivalents	41.3	21.5	+92 %
Liabilities	190.8	187.6	+2 %
Liabilities to banks	0.2	0.5	-60 %
Order book	190.2	197.6	-4 %
Permanent employees	1,043	958	+9 %

Key share figures (in million euros)	31 December 2023	31 December 2022	Change
Shares outstanding	6,469,502	6,469,502	– %
Closing price (Xetra, in euros)	146.80	196.40	-25 %
Market capitalisation (in billion euros)	0.9	1.3	-25 %

Long-term development of sales and EBIT

Public Sector

Digital sovereignty for state and society

A holistic IT security concept is essential for public authorities and armed forces. secunet's Public Sector supports the digital transformation of administrations, authorities and armed forces in Germany and abroad. Trustworthy security solutions assure resilient digital infrastructures and the utmost protection for data, applications and digital identities. Consulting, security analyses and training round out secunet's cybersecurity portfolio. This enables public organisations to leverage the latest technologies while retaining their digital sovereignty.

Business Sector

Secure digitalisation in industry and healthcare

The digital transformation is spawning new business models, accelerating communication and creating more efficient processes in existing value chains. However, increased networking and new technologies simultaneously amplify the risk of cyberattacks, malware, data misuse and espionage. secunet's Business Sector supports companies and the healthcare sector in safeguarding information and communication technologies. The core competence lies in consulting as well as in the development and production of trustworthy security solutions that integrate seamlessly into existing IT landscapes and protect them effectively.

secunet – protecting digital infrastructures

secunet is Germany's leading cybersecurity company. In an increasingly connected world, the Company's combination of products and consulting assures resilient digital infrastructures and the utmost protection for data, applications and digital identities. secunet specialises in areas with particular security requirements – such as eGovernment, eHealth as well as IIoT and cloud computing. With security solutions from secunet, companies can maintain the highest security standards in digitalisation projects and thus expedite their digital transformation.

Annual Report 2023

1. To the Shareholders

8 Spotlight
26 Foreword by the Management Board
30 Supervisory Board report
38 The secunet share
42 Corporate Governance Statement

2. Management Report

54 Principles of the Group
60 Economic report
74 Risk and opportunity report
81 Forecast
83 Risk reporting in relation to financial management
84 Risk management and internal control system
86 Description of the key features of the accounting-related internal control and risk management system
88 Takeover-related information pursuant to Section 289a, sentence 1 and Section 315a, sentence 1 HGB
89 Management and control reference to the Corporate Governance Statement pursuant to Sections 289f HGB and 315d HGB
90 Combined non-financial statement of the Company and the Group
114 Management Board report pursuant to Section 312 (3) AktG

3. Consolidated Financial Statements

116 Consolidated balance sheet
118 Consolidated income statement
119 Statement of comprehensive income
120 Cash flow statement
122 Statement of changes in equity
124 Notes to the Consolidated Financial Statements
178 Independent auditor's report
190 Responsibility statement

4. Annual Financial Statements

192 Balance sheet
193 Income statement
194 Notes
212 Independent auditor's report
224 Responsibility statement

5. Other Information

226 Report on gender equality and equal pay pursuant to Section 21 of the Transparency in Wage Structures Act (EntgTranspG)
228 Remuneration report pursuant to Section 162 AktG
260 Independent auditor's report on the audit of the remuneration report pursuant to Section 162 AktG
262 Independent practitioner's report on a limited assurance engagement of the combined non-financial statement
266 Service

5. Other Information

4. Annual Financial Statements

3. Consolidated Financial Statements

1.To the Shareholders

8 Spotlight
26 Foreword by the Management Board
30 Supervisory Board report
38 The secunet share
42 Corporate Governance Statement

SPOTLIGHT

The sovereign cloud for authorities and administration Efficiency without dependence

The digitisation of the administration will only be viable if it combines efficiency, sovereignty and security. This is especially true for cloud transformation, which is currently at the top of many German public authorities' agendas. Since the large hyperscalers' cloud offers often leave questions about transparency and data protection unanswered, there is a great need for cloud solutions "made in Germany". These are intended to combine security and digital sovereignty. secunet is currently building an ecosystem of trustworthy solutions and services that enable cloud use even in security-sensitive areas and can also be combined with solutions from hyperscalers. In this inter-

view, Norbert Müller, who is responsible for secunet Cloud Solutions, talks about the meaning and purpose of the sovereign cloud, the role of open source and the newly founded industry association ALASCA.

Mr Müller, why are public authorities striving for the cloud in the first place?

Norbert Müller: In private life and in the business world, digital processes are already part of everyday life and are predominantly based on applications that run in the cloud. Authorities and administrations have so far remained largely excluded for security reasons. But they also want the flexibility and efficiency that new cloud services bring. This will enable them to set up their IT in a more agile way and thus meet the great digitalisation pressure that is weighing on German authorities: Processes are to be accelerated, and citizens and companies also want more digital services. But the challenge remains that public authorities cannot compromise on security when it comes to cloudification. Personal and tax data are highly sensitive and must be completely protected. This applies all the more to classified information. Last but not least, there is the issue of digital sovereignty.

Why does the cloud for public authorities have to be not only secure but also sovereign? Is digital sovereignty perhaps a mere buzzword, as some observers think?

The value of digital sovereignty becomes clear when you imagine the opposite, namely digital dependency – for example, on certain providers that make it difficult to switch to another provider, or on the internationally dominant IT companies. The latter can become problematic, for example, when providers operate under US legislation with at least unclear influence on data security. For these and similar reasons, traditional cloud

Norbert Müller, Vice President Cloud Solutions, secunet

solutions, such as those offered by hyperscalers, often did not meet the requirements of authorities and security-sensitive companies. Sovereign cloud offerings, on the other hand, aim to change precisely this. Digital sovereignty therefore definitely makes a key difference for public authorities and administrations.

What are the key building blocks of a sovereign cloud?

First of all, the security level must of course be right as a basic prerequisite. Any cloud solution that comes into question for public authorities should work with highly secure encryption technology. It should be modular and include and combine different operating models – from "on premise" to "as a service". For example, data requiring special protection can be located in one's own IT infrastructure, while other applications are completely outsourced. The standardisation of resources in so-called containers and their orchestration in Kubernetes then ensure that all parts of the cloud infrastructure interlock seamlessly. For German public authorities, it is also important that the infrastructure can be certified according to IT-Grundschutz and the Cloud Criteria Catalogue C5 of the German Federal Office for Information Security (BSI) as well as being approvable for classified information. Another important point is the use of open source building blocks.

The open source idea implies joint software development in a cross-provider community. What do the cloud customers get out of that?

The main issue here is transparency and verifiability. Proprietary software that is kept secret by the provider is like a black box for cloud customers. No one but the provider can judge whether it is really secure or not. No authority in security-sensitive areas can afford that. Open source software, on the other hand, is freely accessible and can be checked by anyone at any time. For this reason, by the way, we at secunet have been involved in open source technology for a long time and contribute to its further development – also beyond the cloud.

In the cloud transformation, resources can be standardised in so-called containers. Using Kubernetes, these containers are then orchestrated across all parts of the cloud infrastructure.

What is the core of the secunet cloud portfolio and when will it be available?

We will offer customers an independent cloud offering from a single source that is also very broadly positioned so that it can serve a wide variety of customer requirements in terms of technology stack as well as operating model. It is also designed to cover all security levels from GDPR-compliant to the high German secrecy level GEHEIM (SECRET).

The portfolio will include a combination of German public and private cloud offerings in the areas of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

The basis of the secunet cloud is already available today: We introduced our security-hardened cloud platform SecuStack in 2018. In 2022, we acquired the cloud-native specialist SysEleven, which brings special expertise in the orchestration of standardised containers using Kubernetes as well as its own infrastructure with data centres in Germany. The public cloud offering based on this has already proven itself with several hundred customers. The secunet cloud portfolio will now be expanded building block by building block over the next one to two years. The building blocks are modular and interoperable, which is why we call it an ecosystem. The next milestones we are aiming for are the very first approval of a cloud stack for classified information by the BSI, up to and including GEHEIM (SECRET), as well as a test certificate according to C5.

Can third-party offers also be integrated?

Our offering is designed as a hybrid cloud ecosystem that can securely incorporate solutions from partners and combine them into resilient multi-cloud offerings. Even solutions from hyperscalers can play a role, for example in less security-sensitive areas. This creates optimal freedom of choice for customers – but at a high level of security and with great transparency.

"In a few years, many IT security products that today are still based on hardware boxes will also be available 'as a service'."

In what way does secunet's expertise in traditional IT security contribute to the cloud offering?

For more than 25 years, we have been securing digital infrastructures that require special protection, for example in ministries and security authorities. In the process, we have built up unique expertise in high-quality encryption technology, which now forms the basis for the secunet cloud.

In addition, our cloud offering incorporates established secunet solutions: for example, with our high-security solution SINA, which is the de facto standard for secure networks and workstations in German public authorities and public administration, we also enable customers to secure the access points to the cloud.

This enables us to offer an entire IT infrastructure from a single source.

Together with other European IT companies, secunet has founded ALASCA, a new association that aims to promote open source in the cloud context. What is this all about?

An innovative industry has emerged around the sovereign cloud in recent years that can offer society something crucial. Now is the time – with all the necessary competition – to exploit synergies, strengthen the open source community and thereby further advance technology development. In addition, the players in the new industry should sometimes speak with one voice so that knowledge about the sovereign cloud spreads. These are the goals of the new association. ALASCA stands for "Alliance for Sovereign Cloud Infrastructures". secunet is one of the seven founding members. The association is open to other European companies that live the guiding principle of open source in the cloud environment as well as digital sovereignty.

What will the administrative IT landscape look like in five years' time?

The cloud will then have become a self-evident, central component of public authority IT. IT managers will select very different cloud offerings according to the respective technology and security requirements and integrate them into the existing multi-cloud. The user experience will nevertheless be seamless. Furthermore, in a few years, many IT security products that today are still based on hardware boxes will also be available "as a service". The cloud transformation is complete when it permeates all areas of government, business and society.

Norbert Müller is responsible for secunet Cloud Solutions. Previously, he was decisively involved in the successful expansion of secunet's cooperation with public administration with regard to classic cyber security.

SPOTLIGHT

Security against quantum computers Cryptography 2.0

Future quantum computers pose a considerable threat to cryptographically protected data. This not only applies to everyday communication on the internet, but especially to highly sensitive data, including state secrets. New, quantum computer-resistant algorithms that have been developed in recent years promise a remedy. secunet has been dealing with this post-quantum cryptography (PQC) from an early stage. Today, several SINA components used by authorities and the German Armed Forces to handle classified information are already equipped with PQC. The German Federal Office for Information Security (BSI) has approved these

devices for the high classification level GEHEIM (SECRET). This makes Germany a pioneer in Europe when it comes to PQC.

The security of digital infrastructures relies heavily on cryptographic algorithms and protocols. Common encryption methods such as the Diffie-Hellman key exchange used in many internet protocols such as Transport Layer Security (TLS) and Internet Key Exchange (IKE) assume that certain mathematical problems are practically unsolvable due to limited computing capacities. Digital signatures based on the RSA method, which are used e. g. for authentication in web browsers, are considered secure as long as there is no efficient algorithm for factorisation.

This could be relied on for decades. But when experts discussed the first concepts for quantum computers several years ago, it quickly became clear that the days of conventional cryptography are numbered. It will probably still take some time before the new type of computer can pose a threat to conventional algorithms. So far, quantum computers exist only as room-filling experimental setups in research labs, and their performance is currently limited to solving simple computational tasks. But it is expected that in just a few years, advanced quantum computers will be clearly superior to classical computers in many areas. This includes solving mathematical problems that serve as the basis for conventional cryptography.

Computing with qubits

Quantum computers are based on a completely different technology than conventional systems. Instead of being limited to binary arithmetic with zeros and ones, their fundamental information units, the qubits, can also work with gradations in between. This is because the qubits are based on quantum mechanical states and therefore do not have to assume exactly one of the values zero or one. Rather, the two values can overlap, with varying probabilities then applying to them. If numerous qubits are connected, logical operations can be carried out, which, however, are more similar to the processes in neuronal networks than to serial computing in classical computers. Quantum computers do not proceed step by step, but take many possible solution paths at the same time and may also find several solutions. In this case, algorithms have to limit the computing operations in a sensible way so that usable results emerge.

As soon as it was foreseeable that the new type of computer would threaten conventional cryptography, the search began for alternative crypto methods that are resistant to quantum computers. For it is not only because of the rapid development of the new technology that haste is required. The challenge is also that attackers can already record and store encrypted data today in order to decrypt it later, when sufficiently powerful quantum computers are available. This is a very serious scenario, because particularly sensitive data, for example with the classification SECRET, should often remain protected not only for years, but for decades. Thus, even before its development has reached the required level of maturity, quantum computers are already a significant threat to the information security of states and international organisations.

PQC in use

To counter this threat, the US National Institute of Standards and Technology (NIST) is currently conducting a process to standardise PQC and recently selected the first algorithms to be standardised by 2024. However, since possible attacks along the lines of "record now and decrypt later" require immediate preventive measures, secunet has decided, in consultation with the BSI, to implement PQC even before standardisation by NIST.

As an IT security partner of the Federal Republic of Germany, secunet produces technology that protects highly classified data up to the classification level GEHEIM (SECRET) and is used, among others, by the German Federal Armed Forces and federal ministries with special security requirements, such as the Federal Ministry of Defence. Since 2002, a total of around 30,000 SINA encryption devices approved for GEHEIM or SECRET have been delivered in Germany and other EU and NATO countries. In Germany, SINA represents the de facto standard for encryption at this high security level. secunet has already equipped three key products in this portfolio with PQC elements: the SINA Communicator H, which offers tap-proof voice communication as well as many other modern communication features, the highly secure VPN gateway SINA L3 Box H and the SINA Workstation H Client V, which delivers a unique combination of high-performance cryptography and high computing power.

The BSI has approved these three SINA components as the first encryption products with PQC in Germany for the GEHEIM (SECRET) level. In a European comparison, Germany is thus a pioneer in crypto devices that already work with PQC. And with the SINAWorkstation H R RW14, the latest generation of hardened laptops designed for use under extreme conditions is already waiting in the wings to enter the PQC era.

Hybrid methods

In the three SINA components with PQC so far, the key exchange is implemented in a quantum-resistant manner. What does this mean? In order to guarantee the confidentiality of data during transmission against quantum computers, both the encryption algorithm and the key exchange procedure used to derive the key must be quantum resistant. Usually, the encryption algorithm is already quantum resistant if it is used with sufficiently large keys. Yet the conventional key exchange methods are potentially vulnerable to quantum computers. Since the PQC algorithms are still in the final stages of standardisation, the BSI recommends the use of so-called hybrid methods: By combining conventional cryptography and PQC, an attacker would have to break each algorithm to break the hybrid solution. The three SINA products with PQC support a hybrid quantum-resistant key exchange with the BSI-recommended algorithm FrodoKEM. In the course of the next few years, secunet will implement all critical functionalities of the entire SINA portfolio for the GEHEIM / SECRET level, but also for lower classification levels such as VS-NUR FÜR DEN DIENSTGEBRAUCH (RESTRICTED), with PQC.

In this context, hybrid modes can serve not only as a temporary migration strategy towards PQC, but as a contribution to long-term security and agility with regard to encryption methods. In general, the use of PQC marks the beginning of a new cryptographic era, characterised not only by resistance to quantum computing, but also by increased cryptographic agility. In response to the threat, cryptography is thus reinventing itself – and gaining strength.

The SINA L3 Box H (left), the SINA Workstation H

SPOTLIGHT

Biometrics and artificial intelligence Fairness, robustness and security for AI

Artificial intelligence (AI) holds great potential for applications in the field of homeland security. One example is the live analysis of facial images for security purposes, for example at airports. However, there is one major challenge: statistical distortions in the data basis can lead to biased results, which in the worst case can disadvantage or favour certain groups of people. secunet is researching solutions that counteract this dangerous and momentous effect and

thus help to ensure that AI applications work fairly and are trustworthy.

In order to guarantee the security and fairness of AI applications, the EU is currently developing the so-called EU AI Act, which will divide AI applications into different risk categories and prescribe certain tests. In Germany, the Federal Office for Information Security (BSI) established a framework for testing criteria for AI applications early on with the AIC4 catalogue.

An important component of these tests is the question of whether and to what extent a trained AI model is subject to statistical distortions – a so-called bias. A bias arises, for example, from insufficiently balanced training data or from an overrepresentation of certain combinations of characteristics, which are then learned and generalised by the AI model. Thus, in the worst case, it can happen that certain groups of people or also individuals are disadvantaged or favoured in the application of the AI model. Especially in AI applications that work with images or videos of people, a bias would have serious consequences.

The problem is a deep-seated one: image-processing AI models with architectures like CNNs (Convolutional Neural Networks) are designed to identify patterns. Even if features such as age, gender or ethnicity are not explicitly labelled in the training data, an AI model can construct an indirect representation of such or similar characteristics based on the available image information. Such a so-called indirect bias is difficult to detect and even more difficult to correct.

Initial situation: Potential bias

Fairness analysis

Generation of arti
cial identitites

Re-training of the model

Result: Fair model

An analysis requires a very large, differentiated data set. To test all combinations of characteristics for bias in the conventional way, thousands of new images must be produced, which is simply not possible in relation to the time and cost required.

secunet has intensively studied the topic of bias in images and AI models with human reference and has developed a solution that not only detects bias in the data, but for the first time can also test the AI model for bias. With this solution, it is possible to further develop a model so that bias is eliminated. For this purpose, the training data is adjusted so that all features are fairly distributed and present and, as a consequence, a possible bias is mitigated in the model. Incidentally, this not only ensures fair and discrimination-free AI models, but also increases the security and robustness of the models. With additional functions such as the adjustment of environmental and surrounding factors, the limitations of the AI model can be determined and solutions can be developed.

The analysis and solution of the bias problem takes place in three steps:

1) The training and test data are analysed for bias in relation to characteristics such as age, gender and ethnicity. This allows problems to be identified at an early stage, which would later be reflected in the AI model.
2) secunet's solution performs a test of the AI model. In the process, it generates a large number of photorealistic artificial identities that differ in age, gender and ethnicity, for example. The original identities of the test data are exchanged with the artificial identities with the intention of testing the recognition performance of the AI model. In the process, arbitrary combinations of characteristics are generated; after all, the actual human diversity is also very large. There is no specification of a certain number of ethnicities, as this would lead to a new bias. The customised identities with fluid transitions in the characteristics thus represent the entire human diversity.
3) If a bias is detected, new identities can be created for the training data and the model can be re-trained. This process is repeated until no bias is detectable.

These synthetic faces were assembled from a variety of possible features and then used as the basis for virtual images showing the faces in different situations. Such images are also used to check AI models for bias.

The process is simple and quick. Once an AI model has gone through the process, there is proof that it is fair and free from discrimination. This creates confidence in the AI application – on the part of the public, but also on the part of the operators, because the latter can now assume with confidence that their model is fair.

Furthermore, the analysis of AI models is not only about bias. Other important aspects that are also reflected in the EU AI Act as well as in the BSI's AIC4 are robustness and security of recognition performance. For example, there is a risk that an AI application will fail to recognise relevant characteristics under certain weather conditions or lighting conditions, which would result in security risks. With secunet's research and development, various environmental factors can be tested to show the limits of an application's recognition performance and identify potential risks.

The risks of AI are debated a lot in the public, including in the context of its use for homeland security. A thorough and impartial examination and optimisation of the relevant AI models is the best way to respond to this discussion and to increase the acceptance of AI applications.

SPOTLIGHT

Working securely with the smartphone at RESTRICTED level As mobile as today's world

Articles can also be found on https://secuview.secunet.com/

More than half of global internet traffic is now generated by mobile devices such as smartphones. The smartphone has become an integral part of our everyday lives. However, in a professional context, there has always been the question of security: what happens if sensitive data ends up on a mobile phone and attackers are able to access or manipulate it? Especially when classified information is involved, the question is more than justified.

The world is moving faster than ever before. The basis for this acceleration of private and business life is the mobile networking of every individual. The smartphone as a constant companion ensures that most people are constantly connected and exchanging data for most of the day. Today, 73% of online retail sales and 62% of all online banking transactions are carried out via mobile devices. It is easy to lose sight of the fact that the mobile digital world is associated with risks.

And these risks are blatant: without security measures, every tap on a smartphone, every message and every call is exposed to curious eyes. Potentially, every transaction can be intercepted, every detail spied on and exploited. Insecure smartphones expose our digital lives and pave the way for identity theft, financial fraud and breaches of privacy.

"Mobile devices are particularly vulnerable to the methods of cyber criminals or other actors who are interested in sensitive data without authorisation," says Mustafa Alaa Eddine, who is responsible for mobile products at secunet. "Companies are therefore well advised to secure their smartphone communications. For many public authorities, the challenge of mobile security also arises in a more stringent form, namely when dealing with classified information, for which special security requirements apply." In Germany, the Federal Office for Information Security (BSI) is responsible for approving software, end devices or network components for classified information.

With SINA Mobile, commercially available smartphones can now be raised to a security level that is also suitable for classified information on the VS-NfD level (the German equivalent of RESTRICTED).

SINA Mobile on a standard smartphone.

Expertise in high security

Since the turn of the millennium, secunet has been developing IT products under the name SINA (Secure Inter-Network Architecture) in co-operation with the BSI, which are approved for classified information of various levels. These range from high-security solutions for the German Federal Armed Forces, which fulfil the strict criteria for the GEHEIM (SECRET) classification level, to workstation computers approved for VS-NfD (RESTRICTED), which have been rolled out in numerous German federal ministries and ensure security there.

"Since SINA is highly successful with desktops or laptops as clients, it made sense to extend the technology to smartphones," says Eddine. "That's how the idea for SINAMobile, our new application suite for secure working with smartphones – at RESTRICTED level – was born."

This level of security is made possible by seamlessly integrating the SINA Mobile app on the smartphone into an existing SINA infrastructure with all its security features. Data transmissions as well as messages and calls are secured with the same powerful encryption that is used in conventional SINA solutions at RESTRICTED level and has been tried and tested for many years. As with SINA laptops, encrypted VPN tunnels ensure that data does not fall into the wrong hands. The smartphone can even be used privately at the same time without compromising the security of the content protected by SINA Mobile. Only the latter is then transmitted via the secure VPN, in strict isolation, while the usual, non-specifically secured connections are available for all other data.

Data does not remain on the device

Even if the smartphone is lost or stolen, users do not have to worry about any data leaks: SINA Mobile does not store any critical data on the smartphone. The data will only be retrieved from the data centre during use. After that, it is no longer available on the device.

In addition to secure working on the move, SINA Mobile offers even more application options: Users can also work fully remotely with the application suite. "This means that my laptop stays in the office while I use SINA Mobile to connect my smartphone to my working environment in the cloud when I'm working from home," explains Eddine. "Alternatively, I can also access the SINA Workstation directly if necessary. I can display the screen content on a monitor in standard format. This turns the smartphone into a fully-fledged working station – wherever I need it."

SINA Mobile for Android and iOS

SINA Mobile is already available for Android. This version is currently in the BSI approval process for VS-NfD. Approval is expected by the third quarter of 2024 at the latest. SINA Mobile will initially run on the Android smartphones of the Samsung Knox Enterprise Edition, because on these devices the necessary security anchor can either be inserted via microSD token or the embedded secure element already present in the device can be used. German public authorities are expected to be able to purchase SINA Mobile via the SINA framework agreement from autumn 2024. Development for an iOS version is already running in parallel. In future, all devices that are approved within the framework of iOS INDIGO will be supported.

"SINA Mobile will change the way we work with sensitive and RESTRICTED-level content," says Mustafa Eddine. "The smartphone now has the ability to be used in these areas without any concerns – and in the usual way. Thus, SINA Mobile is also helping to narrow the gap in user comfort that used to exist between regular and specially secured IT. Although high security requirements naturally entail some technical effort, users can now benefit from all the advantages of the digital world – and still have confidence in the security of their work content at all times."

Almost like cinema: collaboration with the SINA supported whiteboard

The SINA product portfolio will be expanded in 2024 to include a digital whiteboard that ideally complements SINA Mobile. The whiteboard is an interaction and collaboration medium for the meeting room. It makes VS-NfD-(RESTRICTED) compliant meetings, conferences, workshops and training courses fully digital. With its large touch screen, the whiteboard offers plenty of space and countless display options. Collaboration tools can be used optimally on the whiteboard, for example to create large-scale mind maps. Whether on site or working from home, employees can use the whiteboard to develop ideas and concepts together and visualise them in a variety of ways. Depending on the collaboration software used, it is also possible to edit content remotely on the whiteboard in real time.

SPOTLIGHT

Resilience and efficiency for secure IT networks Network, manage yourself

Articles can also be found on https://secuview.secunet.com/

When it comes to ITnetworks, security is good – but security and resilience are even better in the event of an emergency situation. An airline or airport that has to maintain flight operations, for example, will agree with this. However, large and complex networks with particularly high security requirements, such as those used by public authorities, previously had to be configured manually at great expense. This not only impairs efficiency, but also resilience. SINASOLID puts an end to this: In the event of a change or disruption, the network automatically

reorganises itself. Individual SINA workstations can now also automatically connect to their peers in this way, for example to maintain a connection in the event of a crisis.

Mid-February 2023: Thousands of passengers have to put up with delays and flight cancellations due to a global IT glitch at a major airline. At least the cause was quickly recognised: An excavator had cut through several fibre optic cables during construction work on a railway line not far from a major German airport.

Such failures are annoying and can sometimes have serious consequences, for example if administrative or government sites are affected. Companies also have to fear economic damage. In general, disruptions in redundant IT networks can be mitigated or avoided altogether through automatic routing, i. e. the self-organised reconfiguration of network components. However, highly secure, IPsec-protected virtual private networks (VPN) were previously excluded from this: In these networks, security relationships had to be set up in pairs between the participating gateways – manually.

This not only had disadvantages in the event of a crisis, but also in day-to-day IT operations: whenever an element was removed or added, it had to be reconfigured. As the number of IPsec gateways in the network grew, so did the administrative effort. The procedure was also prone to errors.

The ring structure of SINA SOLID.

Developed in university research

Finally, the Technical University of Ilmenau took up the problem in a research co-operation with secunet. Prof Dr Günter Schäfer, then Head of the Department of Telematics / Computer Networks and now Dean of the Faculty of Computer Science and Automation, drove the topic forward. The question was: How can a flexible configuration procedure for IPsec-secured VPN be designed in such a way that it reacts dynamically to changes in the network status while minimising manual administration work? The security properties must not be compromised and the process should be scalable to very large VPNs with several thousand security gateways.

The central idea of the Ilmenau research team led by Professor Schäfer was to arrange the gateways in a ring structure with additional cross-connections so that indirect scenarios (security gateways behind security gateways) were also supported. This was the birth of SINA SOLID.

BSI approval

SOLID stands for "Secure OverLay for IPsec Discovery". The process was developed by secunet into a ready-to-use product and for several years has been part of the secure communication solution SINA, which secunet developed in cooperation with the German Federal Office for Information Security (BSI). SINA is a portfolio of security components, from gateways to laptops, which can be used to set up secure IT infrastructures for classified data of different levels of secrecy up to and including SECRET. SINA SOLID is approved for the level VS-NfD, the German equivalent of RESTRICTED.

Automatic routing with SINA SOLID fully retains all the security features of IPsec and SINA. The process enables the network to react dynamically to changes. If, for example, the connection between two sites is interrupted, SOLID will automatically re-route – via another site, for example – without the administration having to take any manual action. If a new SINA L3 Box (a security gateway) is installed, the network will reorganise itself.

Geo-redundant clusters

SINA SOLID can also ensure that all SINA L3 Boxes in a network are on standby, even across multiple remote locations, in the event of system failure. This allows geo-redundant clusters to be set up to increase resilience.

These clusters can also be very helpful in conjunction with an innovation in SINA SOLID. In addition to the gateways, the clients – SINA Workstations as specially secured laptops at RESTRICTED level – can now also reconnect on their own. "This is particularly advantageous in the event of a crisis," says Armin Wappenschmidt, Head of Innovations and Product Management at secunet, who is responsible for the further development of SINA SOLID. "Usually, all data traffic runs via the access gateways. This is problematic in the event of a central system failure: if these gateways are not accessible despite the redundancies in place, employees can no longer connect to the intranet or at least use any central services."

Clever routing instead of a bottleneck

With SINA SOLID, on the other hand, the SINA Workstations at RESTRICTED level can now also connect to a geo-redundant cluster at another location. "As there are now many potential paths, no central bottleneck occurs," explains Wappenschmidt. "With the constant increase in data traffic, this is an important step towards greater resilience."

In addition, the RESTRICTED-level SINA Workstations can also connect to each other for the first time (so-called "peer-to-peer communication"). This also relieves the centralised access points, as telephony and video data no longer have to pass through the bottleneck. In addition, even if the connection between the locations is interrupted, the clients can still communicate with each other. This means that, if configured accordingly, phone calls can still be made and bilateral video calls and applications that work without a central server are still available.

"These are utilisation scenarios that make crisis communication much easier in the event of a central server failure," says Wappenschmidt. "But it's not just in crisis situations that a self-organising network pays off. Administrators will appreciate the fact that they don't have to take action for every new network component that is added – such activities can quickly become a Sisyphean task in large networks. SINA SOLID is another example of how highly secure networks for special purposes such as classified information can now be used and managed just as easily as insecure or commercial networks."

HEAT accelerates the pace of network encryption

SINA's architecture allows many of the sophisticated security measures to run in the background without users having to worry about them. This is also the case with the central measure of network encryption. In direct comparison with conventional, insecure network components, however, it is noticeable that network encryption requires significantly more computing power. This is in the nature of things, but can certainly slow down everyday computing processes. To counteract this effect, the Faculty of Computer Science and Automation at TU Ilmenau has developed HEAT together with secunet.

HEAT stands for "High-Speed Encryption Acceleration Track" and gives network encryption a real boost. This is achieved, among other things, by the fact that some of the processor units (CPU cores) that work in the hardware are now reserved exclusively for network encryption, while the others perform other tasks.

A good analogy might be the branch of a parcel service that wants to increase the number of parcels sent each day. Until now, the branch's 20 employees have taken care of everything equally: Parcel deliveries, but also numerous other products and services offered in the branch. The administrative workload was high because new work equipment had to be constantly fetched and the desks had to be cleared after each process – after all, the next customer could have a completely different request. However, 16 of the 20 employees now only process parcels, and there are different queues for customers who want to send parcels and those with other requests. Since the reorganisation, the branch has handled significantly more parcels per day and has even been named "Branch of the Year" for this reason.

HEAT is available with the latest software version of the SINA L3 Box in conjunction with SINA SOLID.

Foreword by the Management Board

Dear shareholders, customers, business partners and friends of the company,

the 2023 financial year was another very successful year for secunet Group: we exceeded our sales revenue targets and achieved record sales for the tenth year in a row. This performance is particularly remarkable as we achieved it during a budget crisis in the public sector – secunet Group's most important customer group – and under challenging economic conditions. This once again emphasises the strength of our business model and the robust operational and financial position of our company.

The general business risks increased noticeably in the past year. Nevertheless, our structural growth drivers such as advancing digitalisation and the growing need for IT security remain intact. Their urgency has increased further in view of the geopolitical upheavals and the rapidly growing threat of cybercrime. It is becoming increasingly clear that the digital transformation cannot succeed without trustworthy and innovative protective measures.

We want to actively utilise the resulting opportunities. For this reason, we have systematically driven forward our strategic initiatives over the past few months. These advances not only create a strong foundation for the future, but also open up promising growth prospects for the coming years. In this way, we are positioning ourselves in the best possible way to benefit sustainably from the dynamic development in the IT sector.

Financial year 2023 closed with record sales revenue

secunet Group recorded pleasing sales revenue performance in the 2023 financial year: Group sales revenue increased significantly to 393.7 million euros and exceeded our sales forecast of around 375 million euros published in the 2022 Annual Report. Compared to the already very successful previous year (347.2 million euros), we were able to achieve revenue growth of 13 percent. This not only enabled us to consolidate our strong market position as Germany's leading cybersecurity company, but also led to new record sales revenue – for the tenth time running.

Axel Deininger Torsten Henn Dr Kai Martius Thomas Pleines

As usual, the last quarter of the year once again played a decisive role: in the months from October to December, we generated sales revenue of around 155 million euros. This corresponds to almost 40 percent of annual sales revenue. Earnings before interest and taxes (EBIT) also reached an outstanding figure of just under 33 million euros in the final quarter, accounting for more than 75 percent of the annual result. In terms of both key indicators, the fourth quarter of 2023 was the most successful in the company's history to date.

Nevertheless, we must also note some unfavourable developments in 2023: at 43.0 million euros, we were able to achieve an EBIT that was slightly above our forecast of around 42 million euros, which was adjusted in October. However, we achieved neither the target of around 50 million euros published at the beginning of the financial year nor the previous year's figure of 47.0 million euros. As a result, the Group profit for the period also fell to 29.0 million euros (previous year: 31.3 million euros), meaning that earnings per share totalled 4.51 euros (previous year: 4.84 euros).

As you have come to expect from secunet, we would once again like you, dear shareholders, to share appropriately in the Company's success of the past year. We will therefore propose a dividend for the 2023 financial year of 2.36 euros (previous year: 2.86 euros) to the Annual General Meeting on 23 May 2024. With this proposal, we are continuing our long-standing dividend policy of distributing around half of the net income for the year.

Strategic highlights

secunet Group pursues a clear strategy that is based on sustainable and profitable growth in core markets, but also includes targeted investments in promising growth areas. The primary focus is on strengthening the market position, utilising future opportunities and creating value for all stakeholders.

In the 2023 financial year, we made further good progress in implementing our strategic focus areas:

Together with our subsidiary SysEleven, we are working intensively on the development of a secure cloud ecosystem that is specifically geared towards the requirements of ministries, public authorities and security organisations. This system will be tailored to sensitive information and processes and will cover all security levels up to the high classification level SECRET. In this way, we are enabling industries and institutions that were previously excluded from cloud computing due to strict security requirements to migrate to this technology and utilise cloud-native solutions. We have already laid the foundations for this ecosystem and are gradually integrating further building blocks. By the end of 2024, we plan to release the first product in Germany that ensures the legally compliant processing of classified information in a multitenant cloud solution. But we are already receiving a very positive response from customers and business partners now. This strengthens our conviction that we are on the right course.

An important step towards diversifying our business with regard to target sectors and customer groups is the expansion of our product portfolio in the healthcare market. As a leading provider with over 84,000 installed connectors, we ensure that medical practices, hospitals, pharmacies and other medical service providers are reliably connected to the telematics infrastructure – the data highway of the healthcare system. To consolidate our leading position, we launched a high-speed connector on the market in 2023. In December, we achieved another success by becoming the first manufacturer in the market to receive the required approval for a product of this type. As a powerful server-based software solution, the high-speed connector forms the basis for cloud-based and future-proof access to the telematics infrastructure. In this way, we are ensuring that the transmission and processing of sensitive health data in the context of digital health applications, such as the electronic health record (EHR) and the electronic prescription (e-prescription), remains secure in the future.

Another innovation is that our tried-and-tested IT security solution SINA, which is already in use at many public authorities, now also secures smartphones. To this end, we have developed the SINA Mobile application suite, with which sensitive data can be processed and transferred securely on standard mobile devices. The areas of application are diverse and range from secure official voice, e-mail and messenger communication to the transmission of sensitive image material, for example by police officers in the field.

In addition to developing new products, we have also improved our existing portfolio. One example of this is the increase in the performance and resilience of SINA through the integration of various innovative modules. At the same time, we are looking to the future, which is why we started working on innovative, quantum computer-resistant algorithms at an early stage. Some SINA components are already equipped with such algorithms and are approved up to the "SECRET" classification level.

Looking ahead

secunet Group is strategically, operationally and financially successful and resilient. We can therefore recognise far more opportunities than risks for our industry in the dynamically changing market environment. For this reason, we expect demand for our products and solutions to remain strong. This positive assessment is also reflected in the order book, which totalled over 190 million euros in firm orders at the start of the 2024 financial year. On this basis, we are confident about the 2024 financial year and are planning sales revenue of around 390 million euros.

Last year, we achieved important milestones at a strategic level. We successfully expanded and diversified our portfolio with substantial investments. Although we are proud of our successes to date, we see them as a stepping stone on an ongoing journey. In 2024, we will continue to deploy resources in a targeted manner in order to build consistently on the progress we have already made. As in the previous year, this deployment will have an impact on profitability. As announced in October last year, we expect EBIT of around 42 million euros for the current financial year.

Expression of thanks

Dear shareholders, thank you very much for the trust you have placed in secunet. We would also like to express our sincere thanks to our 1,161 employees – 94 more than in the previous year (1,067 employees). Together with this dedicated, ambitious and excellently trained team, we look forward to continuing the secunet story. It is a future-oriented company history of which we are proud and that makes us curious about what lies ahead.

The Management Board of secunet Security Networks AG

Axel Deininger (CEO) Thorsten Henn (COO)

Dr Kai Martius (CTO) Thomas Pleines (CFO)

Supervisory Board report

Dear Shareholders, Ladies and Gentlemen,

the world was once again faced with economic challenges and geopolitical upheaval in 2023. Yet again, however, the strength and resilience of secunet's business model has been demonstrated. It is by no means a matter of course that a company can achieve such high growth and once more present record sales in such a challenging environment. One key factor is undoubtedly secunet's stable and growing customer base, whose demand for trustworthy cyber security solutions remains high – especially in times such as these.

With the increasing importance of digitalisation, this demand will continue to rise. Against this background, secunet's continuous investments in the expansion and diversification of its product portfolio deserve special attention. These strategic advances not only create a strong foundation for the future, but also open up promising growth prospects for the coming years. We are firmly convinced that secunet will continue on its successful path. The Supervisory Board is helping to shape this successful path responsibly and very consciously as part of its remit.

In the reporting year, the Supervisory Board continuously, diligently and conscientiously performed the tasks assigned to it by law and by the Company's Articles of Association and Rules of Procedure. We continuously monitored and regularly advised the Management Board in its management of secunet Security Networks AG on the basis of the Management Board's detailed written and oral reports and, in the course of performing our duties, satisfied ourselves that the work of the Management Board was lawful, expedient and proper. Between the Supervisory Board meetings, there was also a regular exchange of information (for example, on current business transactions) between the Chairman of the Supervisory Board and the Chairman of the Management Board as well as the other members of the Management Board. The Management Board always informed us quickly and comprehensively about all events and measures of material importance to the Company, in particular about the strategy, corporate planning including financial, investment and personnel planning, the profitability and the sustainable business development of the Company and the Group.

All members of the Supervisory Board had the opportunity at all times to attend to the Management Board's suggestions and reports in detail and to make their own proposals. Insofar as the approval of the Supervisory Board was required for decisions or measures of the Management Board in accordance with laws, the Articles of Association or the Rules of Procedure, the members of the Supervisory Board issued this after intensive examination and discussion.

Supervision and examination methods

The Supervisory Board has mainly based its examination on

» the regular reports of the Management Board as provided for by law and the Management Board's rules of procedure,
» the separate reports submitted by the Management Board on occasion and
» the supplementary explanations provided by the Management Board and the auditors.

Each of the reports was submitted to all members of the Supervisory Board. Where the Management Board submitted business measures to the Supervisory Board for approval, the Supervisory Board's copy was in each case accompanied by a presentation of the main points to be considered in taking a decision.

Meetings of the Supervisory Board

In the reporting year, four regular meetings were held on 22 March (presence), on 31 May (presence), on 20 September (presence) and on 6 December 2023 (video conference). Furthermore, the Supervisory Board convened for an extraordinary meeting on 19 October 2023 (video conference). The Supervisory Board also regularly met without the Management Board.

During the past financial year, all members of the Supervisory Board attended all meetings of the Supervisory Board.

In addition, the Supervisory Board passed written circular resolutions between the meetings as required. The Management Board also kept the Supervisory Board informed about events and projects of particular importance to the Company in the periods between the meetings, by means of detailed reports in text form. The Supervisory Board discussed with the Management Board any financial information arising over the course of the year, before its publication. In all of the ordinary meetings, the Supervisory Board addressed the current business performance of secunet Security Networks AG. In all ordinary meetings, it also dealt in detail with the relevant issues concerning business and investment planning, and the development of earnings and liquidity. Furthermore, the Supervisory Board members examined in detail the Management Board's assessments regarding market events and long-term strategy focus of the Company, and discussed the main organisational and personnel-related changes in depth with the Management Board. The focal points of the 2023 financial year were the longer-term strategy focus of the Company, the transformation of the product portfolio and the development and further integration of SysEleven GmbH into secunet Group.

In all ordinary Supervisory Board meetings, the members of the Supervisory Board received reports on the business development, the risk situation, the opportunity and risk management as well as the compliance of the company.

About the individual meetings and their contents:

At the meeting on 22 March 2023, the Supervisory Board dealt in detail with the business performance in 2022 and the discussion of the financial statements and the combined Management Report for secunet Security Networks AG and the Group as at 31 December 2022 and the report of the Supervisory Board for the 2022 financial year. The Supervisory Board reviewed and finally approved the report of the Supervisory Board, the Annual and Consolidated Financial Statements and the combined Management Report of the Company and the Group. The auditors took part in the discussions on 22 March 2023 and reported on the key results of their audit. The Supervisory Board's proposed resolutions to the Annual General Meeting of secunet Security Networks AG were also adopted at the meeting on 22 March 2023. Succession planning for the position of Chief Financial Officer was also discussed at this meeting.

In the meeting on 31 May 2023, the Supervisory Board discussed with the Management Board the current business performance and the situation regarding the succession of the Chief Financial Officer. Furthermore, the Chairman announced a prospective revision of the remuneration system for the Management Board, whereby the current remuneration benchmarks will be determined.

In the meeting on 20 September 2023, the business situation and the financial position of the Company were discussed. The meeting focused on an update on secunet Group's strategy by the Management Board and the ongoing restructuring of the business. The new elections of shareholder and employee representatives at the 2024 Annual General Meeting were also discussed. The Management Board presented the planned dissolution of secustack GmbH, which the Supervisory Board approved after discussion. Furthermore, after discussion, the Management Board mandates of Mr Henn and Dr Martius were extended for a further five years until May 2029. Ms Jessica Nospers was appointed as a new member of the Management Board for three years from June 2024. Subsequently, the corresponding ad-hoc release was also approved and published. Finally, the remuneration of the Management Board was revised and the employment contracts of the Management Board members adjusted accordingly.

In the video conference on 19 October 2023, the Supervisory Board held a preliminary discussion of the Management Board's 2024 budget planning. The decision to approve the planning should be made at the next ordinary meeting.

In its meeting on 6 December 2023, the Supervisory Board addressed the current business situation It discussed the revised budget planning for 2024 with the Management Board and approved it. The Supervisory Board also approved the target values for variable Management Board remuneration for 2024. The Supervisory Board approved the establishment of a secunet representative office in Dubai, UAE.

Corporate Governance

The Supervisory Board and Management Board act in the knowledge that good corporate governance is an important basis for the success of the Company. Great importance is placed on implementation of the German Corporate Governance Code, and the application and further development of corporate governance standards within the Company are closely monitored by the Supervisory Board and Management Board.

The Supervisory Board adopted the 2023 Declaration of Conformity on 30 November 2023. Further information on the corporate governance of the Company and the Group can be found in the Corporate Governance Statement in this Annual Report. The current Declaration of Conformity is reproduced there and on the Company's website (www.secunet.com) under >> About Us >> Investors >> Corporate Governance.

In 2022, the Supervisory Board established concrete appointment targets for its own composition and approved a skills profile for the full Supervisory Board. This is described in further detail in the Corporate Governance Statement.

The Supervisory Board strives to continually improve the effectiveness and efficiency of its activities. On an annual basis, the review of the Supervisory Board's efficiency is included as a separate item on the agenda for the meetings of the Supervisory Board. In the 2023 financial year, the efficiency review or self-assessment was conducted at the meeting on 22 March 2023 on the basis of a catalogue of questions evaluated by an external service provider.

The members of the Supervisory Board are responsible for the training and further development measures required for their tasks, such as those relating to changes in the legal framework and new technologies, and are appropriately supported in this by the Company.

The members of the Management Board and the Supervisory Board notify the Supervisory Board immediately of any conflicts of interest. The members of the Management Board and Supervisory Board were not notified of any conflicts of interest in the 2023 financial year.

Committee work

Audit Committee

The Audit Committee convened for three meetings during the year under review: two in person and one in the form of a video conference. All committee members participated in the meetings. At all meetings, the Audit Committee dealt with issues relating to the effectiveness of the internal control system, the risk management system and compliance and monitored the independence, qualifications and efficiency of the auditor as well as the quality of the audit.

The meeting on 22 March 2023 focused on the auditor's report for the annual audit for the 2022 financial year and the preliminary audit of the annual financial statement documents. After discussion, the Audit Committee recommended that the Supervisory Board approve the audited annual and consolidated financial statements. The completion of the project to carry out the selection process for the 2023 auditor was also presented. The Audit Committee also consulted without the presence of the Management Board.

At the meeting on 20 September 2023, the 2023 audit, which was carried out for the first time by the auditors from BDO, was presented.

The meeting on 6 December 2023 focused on the report on the annual and financial statement audit by the appointed BDO auditors. The internal audit department also presented its annual report and annual audit planning for 2024.

Technology and Innovation Committee

The Technology and Innovation Committee convened for three meetings during the year under review: two in person and one in the form of a video conference. All committee members participated in the meetings. In all meetings, the committee members dealt with the operational development, the strategy and the new products of secunet Group.

The meeting on 22 March 2023 focused on the final report on the secunet 2.0 project and the transition to two new initiatives, a strategic growth initiative and an operational implementation initiative. Updates on secunet's platform and portfolio strategies were also discussed. A live presentation of the "SINA Mobile" product also took place during the meeting.

At the meeting on 20 September 2023, discussions focused in particular on the competitive situation in the areas of eHealth and Cloud as well as the modular principle pursued by secunet in the Industry sector with a modular, standardised technology and method platform. The focal points of the 2023 / 2024 investment planning were also discussed.

An update on post-quantum cryptography and quantum computing was discussed at the meeting held on 6 December 2023. Products from the Border Control portfolio were also presented.

Personnel changes on the Management Board

Changes to the composition of the Management Board were resolved in the financial year.

The mandates of Management Board members Torsten Henn and Dr Kai Martius, who have both been members of secunet's Management Board since June 2019, were extended for a further five years until the end of May 2029.

The mandate of Mr Thomas Pleines will expire at the end of May 2024. The Supervisory Board would like to thank Mr Pleines for his many years of successful service to the Company. Ms Jessica Nospers has been appointed as the new CFO from 1 June 2024. Ms Nospers has extensive expertise and experience in financial management and most recently worked as Chief Financial Officer for an international IT provider.

Annual Financial Statements and Consolidated Financial Statements for 2023

The auditor, BDO AG Wirtschaftsprüfungsgesellschaft, headquartered in Hamburg, Essen branch, was appointed by the Annual General Meeting on 31 May 2023, following the public selection procedure, as auditor of the Company and the Group for the 2023 financial year and for the review of the condensed financial statements and the interim management report. The Chairman of the Audit Committee was also in regular contact with the auditor outside of the Audit Committee meetings.

BDO AG Wirtschaftsprüfungsgesellschaft audited the Annual Financial Statements prepared by the Management Board in accordance with the German Commercial Code (Handelsgesetzbuch, HGB) and the Consolidated Financial Statements prepared in accordance with International Financial Reporting Standards (IFRS), as applicable in the European Union, for the 2023 financial year as well as the combined Management Report of the Group and the Company, including the accounting records, and issued an unqualified audit opinion in each case.

With regard to the existing majority shareholding of Giesecke + Devrient GmbH, Munich, the auditors examined the report on relations with affiliated companies prepared by the Management Board for the 2023 financial year in accordance with Section 312 AktG and issued the following unqualified opinion: "Based on our audit and evaluation conducted in accordance with our professional duties, we hereby confirm that: 1. the factual information contained in this report is correct, 2. the consideration provided by the Company in respect of the legal transactions mentioned in the report was not inappropriately high." The Supervisory Board also examined this report and raised no objections to the final declaration of the Management Board contained in the report or the results of the audit.

The Audit Committee and the Supervisory Board dealt with the combined non-financial statement prepared by the Management Board and the remuneration report. The auditors conducted a limited assurance engagement on the non-financial statement and a substantive audit of the remuneration report and issued an unqualified auditor's report in both cases. The documents were comprehensively reviewed by the Audit Committee and the Supervisory Board on 20 March 2024. The Supervisory Board approved the remuneration report and took note of and approved the non-financial statement.

The annual financial statements prepared by the Management Board, the consolidated financial statements, the combined management report for the 2023 financial year, the Management Board's proposal for the appropriation of the balance sheet profit and the audit reports were discussed in detail and debated intensively at the Audit Committee meeting on 20 March 2024. The auditors reported on the key audit matters and the main findings of their audit. On the basis of these findings, the Audit Committee decided to recommend that the Supervisory Board approve the submitted financial statements and support the intended profit appropriation.

At the meeting of the Supervisory Board on 20 March 2024, the annual financial statements prepared by the Management Board, the consolidated financial statements, the combined management report and the Management Board's proposal for the appropriation of the balance sheet profit as well as the audit reports were available to the Supervisory Board. The Chair of the Audit Committee gave a detailed explanation of the committee's recommendations. Furthermore, all significant issues relevant to the financial statements and the audit, including the key audit matters, were discussed in detail with the auditor and subjected to a separate review by the Supervisory Board. The Supervisory Board also reviewed the Management Board's proposal for the appropriation of profits, which provides for a regular dividend of 2.36 euros per dividend-bearing share.

After detailed discussion and intensive deliberation, the members of the Supervisory Board came to the conclusion that there were no objections to the financial statements and the audit by the auditor. In the opinion of the Supervisory Board, the combined Management Report of the Company and the Group complies with all legal requirements. It agrees with the statements in the Management Report on the further development of the company and has approved the result of the audit and the Annual Financial Statements of the Company and the Consolidated Financial Statements for the 2023 financial year; the Annual Financial Statements of secunet Security Networks AG were thus adopted on 20 March 2024. The Supervisory Board also endorsed the Management Board's proposal for the appropriation of profits.

Expression of thanks

The Supervisory Board would like to thank the members of the Management Board and all employees for their outstanding performance and good results in the 2023 financial year.

Essen, 20 March 2024

For the Supervisory Board

Dr Ralf Wintergerst

The secunet share

Stock market development

The national and international stock markets mainly performed positively in 2023. The leading German index DAX closed the year at 16,751 points. This corresponds to a decline of 20% on the year-end figure for 2022. The MDAX and TecDAX rose by 8% and 14% respectively. The SDAX, to which secunet belonged until December 2023, closed the year at 13,960 points – an increase of 17%.

secunet share

The secunet share started the year 2023 at a price of 197.60 euros. The secunet share reached its highest value for the year of 256.00 euros on 15 June 2023. The lowest value was a share price of 124.40 euros recorded on 2 November 2023. On the last trading day on 29 December 2023, the secunet share closed at a price of 146.80 euros.

The secunet share is listed in the Prime Standard of the Frankfurt Stock Exchange and traded on all German stock exchanges. The secunet share was listed on the SDAX from September 2021 to December 2023. In the ranking of all listed companies in Germany, secunet ranked 169th at the end of the year.

In 2023, an average of 3,083 secunet shares were traded daily via the Xetra electronic trading system (previous year: 4,694 shares). The average daily turnover on Xetra decreased to 0.6 million euros (previous year: 1.4 million euros) due to the decline in the share price.

Dividend and proposed dividend

secunet generally pursues a policy of continuous and appropriate dividend payments. The aim is to distribute 50% of the earnings after tax attributable to the shareholders of secunet Security Networks AG.

In accordance with the dividend policy, a dividend of 2.86 euros per dividend-bearing share was paid in 2023. The distribution totalled 18.5 million euros. secunet thus paid a dividend for the tenth consecutive year.

In view of the results achieved in the 2023 financial year, the Management Board and Supervisory Board will propose to the Annual General Meeting to be held on 23 May 2024 to distribute 15.3 million euros to the shareholders by paying a dividend of 2.36 euros per dividend-bearing share. With a payout ratio of 50% of the net income for the year, this is in line with the company's dividend policy.

Annual General Meeting

secunet Security Networks AG held its Annual General Meeting on 31 May 2023. After the company had only held virtual Annual General Meetings in the past three years, this was the first time that an event was once again held with the shareholders physically present. A total of around 85% of the share capital with voting rights was represented at the Annual General Meeting (previous year: 83%). The items on the agenda were approved by a great majority. Among other things, the proposal to appoint BDO AG Wirtschaftsprüfungsgesellschaft as the new auditor of the company and the Group was approved. The resolution on the appropriation of profit, which provided for the distribution of a dividend of 2.86 euros per share, was adopted with 99.99% of the votes.

Shareholder structure

The share capital of secunet Security Networks AG amounts to 6,500,000 euros and is subdivided into 6,500,000 no-par-value bearer shares. The number of shares outstanding remained unchanged, at 6,469,502 shares. Each share grants the holder one vote at the Annual General Meeting and, in the event of a distribution, an equivalent dividend entitlement. There are no share option programmes or convertible bonds that could dilute the shareholding.

Giesecke + Devrient GmbH, Munich, has held a direct stake in secunet AG since 2004. The shareholding amounted to 75.12% as at 31 December 2023. The free float on the same reporting date was 24.41%. It was distributed among a regionally broadly diversified shareholder structure with an increasing share of international investors, primarily from the USA, UK and Scandinavia. A further 0.47% of shares (30,498 shares) are held by secunet AG itself.

Shareholder structure
Giesecke + Devrient GmbH	75.12 %
Treasury shares	0.47 %
Free float	24.41 %

Information according to voting-right notices available as at 31 December 2023

In 2023, we received no voting-right notice. In 2023, we did not receive any notifications from members of the Management Board and Supervisory Board or their relatives subject to reporting requirements regarding acquisition transactions of financial instruments of secunet AG (so-called managers' transactions).

Communication with the capital market

secunet attaches great importance to open and reliable communication with investors and other stakeholders and maintains a timely and transparent dialogue with them. In 2023, there were numerous contacts with existing and potential investors. secunet took the opportunity to present itself in one-on-one conversations and at roadshows and investor conferences. Additionally, on the occasion of the publication of the annual, half-year and quarterly results, telephone conferences with online streaming were organised in which the Management Board reported on past and future business development and answered questions from analysts and investors. All information relevant to the capital markets is published promptly in German and English and made available on the Company's website (www.secunet.com). This includes annual and quarterly results, press releases and ad hoc releases, as well as information about the Annual General Meeting and voting-right notices. The financial calendar with all relevant publication and event dates can also be found there.

Analyst coverage

One key element of capital market communication is continuous and transparent dialogue with analysts. As at 31 December 2023, secunet AG was covered by four analysts from various banks and research companies. Of these, three analysts issued a buy recommendation as at 31 December 2023, while one analyst issued a sell recommendation.

Institute	Analyst	Recommenda tion	Target price in euros
Alster Research	Alexander Zienkowicz	Buy	197
Dr Kalliwoda Research	Dr Norbert Kalliwoda	Buy	318
Hauck Aufhäuser	Finn Kemper	Sell	100
Warburg Research	Felix Ellmann	Buy	320

Information as at 31 December 2023

Share price development from 1 January 2023 to 31 December 2023

Index, share price 1 January 2023 = 100

Key figures and trading data

	2023	2022
in euros	197.60	417.50
in euros	146.80	196.40
	256.00	465.00
in euros	(15 June 2023)	(22 Mar 2022)
	124.40	163.80
in euros	(2 Nov 2023)	(28 Sep 2022)
%	-29	-53
in billion euros	0.9	1.3
No. of shares	3,083	4,694
in euros	597,794	1,425,731

Master data and indices

ISIN / WKN	DE0007276503 / 727650
Share capital	6,500,000 euros
Number of shares in circulation	6,469,502
Class of share	Ordinary bearer shares with no par value
Start of listing	9 November 1999
Stock exchange segment	Prime Standard Frankfurt Stock Exchange
Designated sponsor	ODDO BHF Corporates & Markets AG, Frankfurt am Main
Paying agent	Commerzbank AG, Frankfurt am Main

Corporate Governance Statement

An effective and transparent organisation, as well as responsible and reliable corporate governance is very important at secunet Security Networks AG. The Company's Management Board and Supervisory Board firmly believe that good corporate governance is key to the long-term success of the Company on the market.

The term Corporate Governance describes the regulatory framework for the management and supervision of companies. In a general sense, this framework must be designed in such a way that the Management Board and Supervisory Board work to ensure that the company continues to exist and creates value sustainably. Recommendations and proposals for how this requirement can be implemented in the management and supervision of companies are summarised in the German Corporate Governance Code (Deutscher Corporate Governance Kodex, DCGK). The Code serves the purpose of increasing trust in companies listed on the German stock exchange.

The Management Board and Supervisory Board therefore regularly check the implementation of the GCGC at secunet Security Networks AG. In the 2023 financial year, the Management Board and Supervisory Board of the Company once again carefully deliberated on the recommendations and proposals of the GCGC, in the version as amended on 28 April 2022. The Declaration of Conformity set out below regarding the GCGC was agreed on the basis of these deliberations. This declaration is permanently available on the Company's website (www.secunet.com) and will be updated immediately if required.

secunet Security Networks AG issues the following Corporate Governance Statement in accordance with Sections 289f HGB and 315d HGB:

Management and supervisory structure

secunet Security Networks AG is subject to German stock corporation law and its own Articles of Association. As a German public limited company, it has a dual management and supervisory structure consisting of a Management Board and a Supervisory Board.

The Management Board and Supervisory Board work together closely and on the basis of mutual trust in their management and supervision of the Company. The Annual General Meeting is responsible for fundamental decisions in the Company.

Supervisory Board

In accordance with Article 9 (1) of the Articles of Association, the Supervisory Board comprises six members, four of whom are elected by the Annual General Meeting and two by the employees in accordance with the German One-Third Participation Act. In accordance with the recommendations of the GCGC, the shareholder representatives were elected by a single ballot. The current members of the Supervisory Board are Dr Ralf Wintergerst (Chairman of the Supervisory Board), Dr Peter Zattler (Vice Chairman of the Supervisory Board), Dr Elmar Legge, Jörg Marx (employee representative), Gesa-Maria Rustemeyer (employee representative) and Professor Dr Günter Schäfer. Further information about the members of the Supervisory Board, including their term of office, can be found on the Company's website (www.secunet.com) under >> About us >> The company.

The Supervisory Board monitors and advises the Management Board with regard to the management of the Company. At regular intervals, the Supervisory Board discusses business performance and planning, as well as the strategy and its implementation. It discusses the half-year financial reports and quarterly updates with the Management Board before their publication, and approves the Annual Financial Statements of secunet Security Networks AG and the Group, taking into consideration the audit reports prepared by the auditors, the preliminary audit conducted by the Audit Committee, and its own examination. The Audit Committee monitors the accounting process, the effectiveness of the internal control, risk management and internal audit, as well as the auditing of the financial statements.

The tasks and responsibilities of the Supervisory Board also include appointing members to the Management Board. The Supervisory Board decides on the remuneration system for members of the Management Board and sets the specific remuneration in accordance with the system. It sets the targets for the variable remuneration components and regularly reviews the appropriateness of the Management Board remuneration. Management Board decisions of fundamental importance, such as major acquisitions, disposals and financial measures, require the consent of the Supervisory Board. An extraordinary meeting of the Supervisory Board is convened as and when necessary should significant events arise. The Supervisory Board has drawn up rules of procedure for its work, which are published on the Company's website (www.secunet.com).

The Chair of the Supervisory Board is elected by the Supervisory Board from among its members. The Chair coordinates the work carried out within the Supervisory Board, chairs its meetings and represents its interests externally. The Supervisory Board strives to continually improve the effectiveness and efficiency of its activities. The efficiency review or self-assessment of the Supervisory Board is carried out at the start of each financial year. For the purposes of self-assessment, each member of the Supervisory Board answers a structured questionnaire on the individual aspects of efficiency. The results, including any possible proposals for improvement, are discussed at the first meeting of the financial year, at which the annual financial statements are adopted.

The knowledge, skills and professional experience required to fulfil the remit are taken into account when drawing up the nominations for election to the Supervisory Board. The Supervisory Board of secunet Security Networks AG has also specified concrete targets for its composition, with due consideration given to diversity and relevant expertise. At least 30 percent of Supervisory Board members should be women in future. The purpose of the skills profile is to ensure that the members of the Supervisory Board possess all the knowledge and experience considered essential in light of the activities of secunet Group. One or more Supervisory Board members should also have many years of special experience abroad, acquired as a result of working abroad or due to a foreign country of origin. The skills profile for the board as a whole also includes expertise requirements in sustainability issues. Furthermore, an age limit of 70 years is planned for members of the Supervisory Board.

Nominations by the Supervisory Board to the Annual General Meeting shall take into account the aforementioned targets for the composition of the Supervisory Board and, at the same time, endeavour to meet the requirements of the skills profile for the board as a whole. In the reporting period, the Supervisory Board did not submit any proposals to the Annual General Meeting for the election of Supervisory Board members (shareholder representatives). The composition of the Supervisory Board complied with the specifications of the skills profile both before and after the Supervisory Board elections in 2019, with the exception of the gender quota of 30 percent. The Supervisory Board members possessed and possess the professional and personal qualifications deemed necessary. They were and are all familiar with the sector in which the Company is active and had and have the essential knowledge, skills and experience for the Company.

The qualification matrix below shows the implementation status of the objectives of the Supervisory Board's skills profile.

	Interna tionality and capital market	Research & devel opment / technology	Production / marketing / sales / digi talization	Sectors / markets	Accounting	Controlling / risk man agement	Govern ance / compliance	Sustaina bility
Dr Wintergerst	X	X	X	X			X	X
Dr Zattler	X			X	X	X	X	X
Dr Legge	X			X	X	X	X	X
Prof Dr Schäfer		X	X	X				X
Rustemeyer				X	X		X	X
Marx		X	X	X				X

Furthermore, in accordance with Section C.6 of the GCGC, the Supervisory Board should include what it considers to be an appropriate number of members on the shareholder side who are independent of the Company, its Management Board and the controlling shareholder. Taking into account particularly the ownership structure and the size of the board as a whole, the Supervisory Board has come to the conclusion that one independent shareholder representative as per the above definition is appropriate and that Supervisory Board member Dr Elmar Legge meets these requirements. Dr Legge thus also complies with the recommendation in Section C.9 of the GCGC. This states that in the case of a controlling shareholder (this criterion being fulfilled here by the majority holding of Giesecke + Devrient GmbH, Munich, in secunet Security Networks AG) and a Supervisory Board size of six or fewer members, at least one shareholder representative should be independent of the controlling shareholder.

Furthermore, according to Section C.7 of the GCGC, more than half of the shareholder representatives should be independent of the Company and the Management Board. A Supervisory Board member is deemed to be independent of the Company and its Management Board if he or she has no personal or business relationship with the Company or its Management Board that could constitute a material and not merely temporary conflict of interest. In accordance with Section C.7 of the GCGC, the shareholder side shall, when assessing the independence of its Supervisory Board members from the Management Board and the Company, in particular take into account whether the Supervisory Board member or a close family member of the Supervisory Board member (i) was a member of the Management Board of the Company in the two years prior to the appointment, (ii) currently has or has had a material business relationship with the Company or a company dependent on it (for example, as a customer, supplier, lender or consultant), either directly or as a shareholder or in a responsible function of a company outside the Group, in the year leading up to the appointment, (iii) is a close family member of a Management Board member, or (iv) has been a member of the Supervisory Board for more than twelve years.

If one or more of the aforementioned indicators applies and the Supervisory Board member in question is nevertheless considered to be independent, this shall be justified in the Corporate Governance Statement pursuant to Section C.8 of the GCGC. According to the Supervisory Board's assessment, more than half of the shareholder representatives are independent of the Company and the Management Board pursuant to the recommendation under Section C.7 of the GCGC, namely Dr Ralf Wintergerst, Dr Peter Zattler and Dr Elmar Legge. In this assessment, the Supervisory Board also took into consideration the fact that Dr Zattler has been a member of the Supervisory Board since 2004 and Dr Legge since 1999. Both therefore fulfil one of the aforementioned indicators with a length of service of more than twelve years, so that – in accordance with the recommendation under Section C.8 of the GCGC – reasons are to be given in the Corporate Governance Statement as to why both Supervisory Board members are nevertheless considered independent. Dr Zattler and Dr Legge perform their duties with great diligence and consistently in line with the corporate interests of secunet Security Networks AG. With the exception of their respective length of service, Dr Zattler and Dr Legge have no other personal or business relationships with the Company or its Management Board, nor are there any other indications that could be construed as constituting a material and not merely temporary conflict of interest. In the opinion of the Supervisory Board, it would therefore be wrong to conclude a lack of independence from the Company and the Management Board based solely on the length of service.

The Supervisory Board has established an Audit Committee and a Technology and Innovation Committee. Each committee consists of two shareholder representatives and one employee representative. The chairs of the committees report regularly to the Supervisory Board on their respective activities.

As at 31 December 2023, the Audit Committee comprised the following members: Dr Elmar Legge (Chairman), Dr Peter Zattler and Ms Gesa-Maria Rustemeyer. The Chairman of the Audit Committee, Dr Legge, has special knowledge and experience in the application of accounting principles and internal control and risk management systems due to his many years of experience as a member of the Management Board of the RWTÜV Group of Companies and is also to be considered independent. Another member of the audit committee, Dr Zattler, also has expertise in the field of accounting and auditing, including sustainability reporting and auditing, due to his many years of service as CFO of Giesecke + Devrient GmbH. The Audit Committee reviews the accounting and monitors the accounting process, deals with the effectiveness of the internal control system, the risk management system, the internal audit system and compliance. On the basis of the auditors' report, the Audit Committee recommends approval of the annual and consolidated financial statements and submits proposals to the Supervisory Board concerning the appointment of the auditors. It issues the audit mandate for the annual and consolidated financial statements and for the audit review of interim financial reports to the auditors elected by the Annual General Meeting, determines the focal points of the audit together with the auditors and reviews the quality of the audit and the independence of the auditors. The Audit Committee decides on the admissibility and scope of non-audit services and issues any audit mandate required for the non-financial statement.

As at 31 December 2023, the Technology and Innovation Committee comprised the following members: Dr Ralf Wintergerst (Chairman), Prof Dr Günter Schäfer and Mr Jörg Marx. The Technology and Innovation Committee deals with business strategy, new products and key technology issues.

The Supervisory Board has not formed a Nomination Committee. In the opinion of the Supervisory Board, this is not necessary, as the Supervisory Board consists of only six members and the establishment of a separate Nomination Committee would not increase efficiency with regard to the nomination of suitable candidates for the election of Supervisory Board members.

Management Board

The Management Board consists of four members, namely the Chairman of the Management Board, Mr Axel Deininger, Mr Torsten Henn, Dr Kai Martius and Mr Thomas Pleines.

The Management Board, as the body responsible for managing the Company, conducts the Company's business under its own responsibility and in the Company's interests. Its aim is to increase the enterprise value on a sustainable basis. In particular, it determines the principles of the Company's policy and is also responsible for developing the Company's strategy, for planning and setting the Company's budget, for allocating resources, and for controlling and managing the Company's corporate and business divisions. Specific measures described in the Management Board's rules of procedure require the approval of the Supervisory Board. The Management Board is responsible for preparing the Company's quarterly updates and half-year financial reports, the Annual Financial Statements of secunet Security Networks AG, and the Consolidated Financial Statements.

The Management Board works closely with the Supervisory Board. It informs the Supervisory Board regularly, comprehensively and without delay – by means of written and verbal reports – of all issues important to the Company as a whole with regard to strategy and strategy implementation, planning, business performance, the financial and earnings situation, and entrepreneurial risks. The Supervisory Board is involved without delay in all decisions fundamental to the Company.

Targets for the appointment of women

At its meeting on 25 May 2022, the Supervisory Board established a target of 33 percent for the proportion of women on the Board, relating to the implementation period to 30 June 2027, which corresponds to the goal of electing two female members to the Supervisory Board.

At its meeting on 25 May 2022, the Supervisory Board decided on a target figure of one woman on the Management Board of the Company for the implementation period until 26 May 2027. There are currently no women on the Management Board. However, the Supervisory Board has now appointed Ms Jessica Nospers as a new member of the Management Board with effect from 1 June 2024.

In its meeting on 15 June 2022, the Management Board set the following targets for the two management levels below the Management Board for the period until 30 June 2027: for the first management level 25 percent and for the second management level 15 percent.

It remains challenging for the Company to attract more women into management positions. In the business area of IT Security, the relative proportion of women is lower than in other sectors. In view of the size of the Company, the limited number of management positions and the associated low level of fluctuation, the Management Board is of the opinion that more ambitious targets would currently not be realistic. However, the Management Board reiterates its intention to move towards a higher proportion of management positions being held by women to the greatest extent possible.

Diversity and long-term succession planning for the Management Board

At secunet Security Networks AG, diversity is understood as a broad approach that covers not only age and gender, but particularly also professional qualifications and experience as well as cultural background. A diverse composition of the Management Board serves the goal of ensuring the sustainable success of secunet Security Networks AG by taking into account diverse, complementary characteristics. Furthermore, the Supervisory Board has decided on an age limit of 67 years for members of the Management Board. In the opinion of the Supervisory Board, the current composition of the Management Board implements to the greatest extent possible the diversity concept described above; in particular, the members of the Management Board cover a broad range of knowledge and experience as well as educational backgrounds that are considered essential in view of the Company's business activities. Only the goal of electing a woman to the Management Board had not yet been achieved as at the reporting date of 31 December 2023. This target will be met by 1 June 2024. For the Supervisory Board, reference is made to the skills profile already presented.

The Supervisory Board works together with the Management Board to ensure the longterm succession planning for the Management Board. In addition to the requirements of the German Stock Corporation Act and the GCGC, the targets set by the Supervisory Board for the proportion of women on the Management Board are taken into account as well as the above diversity concept. Taking these criteria and specific qualification requirements into account, the Supervisory Board develops a requirement profile on the basis of which a selection of possible candidates is made. In a further step, structured discussions are held with these candidates, on the basis of which the Supervisory Board makes its decision, if necessary with the assistance of external advisers.

Corporate governance guidelines

The Articles of Association of secunet Security Networks AG form the basis of our Company. The Company's Articles of Association, together with the current and previous Declarations of Conformity and further corporate governance documents can be found online at www.secunet.com under >> About us >> The company.

The Management Board has introduced separate Codes of Conduct for employees, suppliers and business partners of secunet Group, which are available on the Internet at www.secunet.com under >> About us >> The company >> Corporate Governance. The Codes of Conduct summarise the business principles, ethos and values of secunet Group and are a crucial part of how secunet Group sees itself, and of the expectations that it strives to meet. The Codes of Conduct set down standards of conduct for dealing with all the economic, legal and moral challenges that we face in our day-to-day business activities, and are intended to serve as a benchmark and guide when working together within the Group, with customers, suppliers and other business partners, as well as for our conduct towards our competitors. They also govern our conduct when trading in secunet shares, their derivatives and other financial instruments. The Company has set up a compliance office for questions arising in connection with the Codes of Conduct.

With a Group-wide compliance management system, the Company bundles measures to comply with legal regulations and self-imposed standards of conduct in the areas of antitrust law, prevention of corruption and money laundering, conflicts of interest and fraud / embezzlement. The compliance management system aims to prevent, detect and sanction – systematically and permanently – violations of rules in the above-mentioned areas within the Company. The Company regularly identifies conduct-relatd compliance risks and consistently documents and manages the risks. The Company has an electronic whistleblowing system that gives employees the opportunity to provide information about legal violations in the Company in a protected environment. This option is also available to third parties.

Transparent corporate governance and corporate values

Transparency in corporate governance is very important to the Management Board and Supervisory Board of secunet Security Networks AG. Shareholders, all participants in the capital market, financial analysts, shareholder associations and the media are provided with comprehensive, regular and up-to-date information regarding the Company's position and key changes to the Company's business.

secunet Security Networks AG reports to its shareholders four times a year on business performance and on the financial and earnings situation, and makes all reports and information permanently available to shareholders on the Company's website (www.secunet.com). The dates for regular financial reporting are listed in the financial calendar. If any circumstances arise at secunet Security Networks AG that might significantly influence the stock market price of the Company, these are disclosed in ad hoc announcements in accordance with the legal requirements. The financial calendar and ad hoc announcements are available to view on the website of secunet Security Networks AG (www.secunet.com) under >> About us >> Investors >> Financial News.

Shareholders and Annual General Meeting

The shareholders of secunet Security Networks AG may exercise their rights, including voting rights, at the Annual General Meeting. Shareholders can exercise their voting rights at the Annual General Meeting themselves or choose an agent or Company proxy bound by their instructions to exercise the voting rights. The Annual General Meeting takes place in the first eight months of the financial year. The Chairman of the Supervisory Board normally chairs the Annual General Meeting. Ahead of the Annual General Meeting, shareholders receive comprehensive information about the past financial year and about the individual items on the agenda of the upcoming meeting by way of the Annual Report and invitation to the meeting. All relevant documents and information on the Annual General Meeting, together with the Annual Report, are also available on our website (www.secunet.com).

In accordance with the provisions of law, the auditors are appointed by the Annual General Meeting. Following a selection procedure conducted in accordance with Art. 16 EU Audit Regulation, BDO AG Wirtschaftsprüfungsgesellschaft, registered office in Hamburg, Essen branch, was selected by the Annual General Meeting on 31 May 2023 as auditors for secunet Security Networks AG and Group auditors for secunet Group for the 2023 financial year and as auditors for an audit review of the Consolidated Financial Statements and the Interim Management Report of secunet Security Networks AG and secunet Group as at 30 June 2023.

Shareholders are notified of important dates by means of a financial calendar published in the Annual Report, in the quarterly updates and on the Company's website (www.secunet.com).

Further detailed information about secunet Security Networks AG is available on our website (www.secunet.com).

Management Board and Supervisory Board remuneration

The applicable remuneration system for the members of the Management Board pursuant to Section 87a (1) and (2), sentence 1 of the German Stock Corporation Act (AktG), which was approved by the Annual General Meeting on 12 May 2021, as well as the resolution adopted by the Annual General Meeting on 12 May 2021 pursuant to Section 113 (3) of the German Stock Corporation Act (AktG) on the remuneration of the Supervisory Board is publicly available at www.secunet.com under >> About us >> Investors >> Corporate Governance. The remuneration report for the 2023 financial year with the auditor's report can also be found in the aforementioned section.

Disclosures on share-based incentive schemes

In the reporting year, a tranche of virtual shares (performance shares) was allocated to each Management Board member as part of the long-term variable Management Board remuneration (Performance Share Plan). The main performance categories and performance targets as well as the achievement of targets in the reporting year are presented in the remuneration report pursuant to Section 162 of the German Stock Corporation Act (AktG) for the 2023 financial year.

There are no stock option programmes or similar securities-based incentive systems for employees of the Company.

Notification of transactions under Article 19 of the European Market Abuse Regulation (managers' transactions)

Article 19 of the European Market Abuse Regulation (EU) No. 596 / 2014 requires members of corporate bodies (Supervisory Board / Management Board) and certain executives, as well as closely related parties, to disclose transactions in secunet shares or related financial instruments where the sum total of such transactions reaches or exceeds 20,000 euros within a single calendar year. Relevant disclosures are also published on the Company's website (www.secunet.com) under >> About us >> Investors >> Corporate Governance. No managers' transactions were reported in the 2023 financial year.

Accounting and auditing of the financial statements

secunet Security Networks AG prepares its Consolidated Financial Statements and Consolidated Interim Financial Statements in accordance with the International Financial Reporting Standards (IFRS) as applicable in the European Union. The Annual Financial Statements of secunet Security Networks AG are prepared in accordance with German commercial law (HGB) and the German Stock Corporation Act. The Annual and Consolidated Financial Statements are compiled by the Management Board and audited by the auditors, the Audit Committee and the Supervisory Board. Quarterly updates and the half-year financial report are discussed by the Management Board and Supervisory Board prior to their publication.

secunet Security Networks AG's Consolidated and Annual Financial Statements have been audited by BDO AG Wirtschaftsprüfungsgesellschaft, registered office in Hamburg, Essen branch, the auditors appointed by the 2023 Annual General Meeting. The audits were performed in accordance with Section 317 HGB and with due consideration for the generally accepted standards for the audit of financial statements in Germany promulgated by the Institute of Public Auditors in Germany (IDW). The undersigned auditors for the Annual Financial Statements and Consolidated Financial Statements of secunet Security Networks AG are Mr Marc Fritz and Dr Marcus Falk.

It was also contractually agreed with the auditors that they inform the Supervisory Board and Audit Committee without delay of any potential grounds for exclusion or bias and of any findings or occurrences of significance to the Supervisory Board's remit that came to light during the auditing of the financial statements.

The Condensed Consolidated Interim Financial Statements and the Interim Group Management Report as at 30 June 2023 were subjected to an audit review by BDO AG Wirtschaftsprüfungsgesellschaft.

Declaration of Conformity under Section 161 of the German Stock Corporation Act dated 30 November 2023

The management and supervisory boards of companies listed on the German stock exchange are legally obliged, in accordance with Section 161 of the German Stock Corporation Act (Aktiengesetz, AktG), to annually declare whether the official recommendations of the Government Commission on the German Corporate Governance Code applicable at the time of making the declaration have been fulfilled and will be fulfilled. The Company is furthermore required to disclose which recommendations of the Code have not been applied or will not be applied and to explain the reasons for this. This Declaration of Conformity is printed in full below, with explanations. The Declaration of Conformity can also be found on secunet Security Networks AG's website (www.secunet.com) under >> About us >> Investors >> Corporate Governance. The Declarations of Conformity issued in the last five years are permanently available on the website.

The Management Board and Supervisory Board of secunet Security Networks AG hereby submit the following Declaration of Conformity regarding the recommendations of the Government Commission on the German Corporate Governance Code in accordance with Section 161 of the German Stock Corporation Act (Aktiengesetz, AktG):

Declaration of Conformity with the GCGC 2023

Since submission of the last Declaration of Conformity in November 2022, secunet Security Networks AG has complied with the recommendations of the Government Commission on the German Corporate Governance Code, as amended in the version in force on 28 April 2022 (GCGC 2022) and published by the German Ministry of Justice in the official part of the Federal Gazette on 27 June 2022, with the following exceptions:

Committees of the Supervisory Board

Recommendation D.4: The Supervisory Board shall form a Nomination Committee, composed exclusively of shareholder representatives, which names suitable candidates to the Supervisory Board for its proposals to the General Meeting.

Explanation: The Supervisory Board of secunet Security Networks AG has no Nomination Committee. In the opinion of the Supervisory Board, this is not in fact necessary, as the Supervisory Board comprises only six members. Due to the number of Supervisory Board members and the composition of the Supervisory Board, setting up a separate Nomination Committee would not increase the efficiency of the work performed by the Supervisory Board with regard to the nomination of suitable candidates for the Supervisory Board's proposals to the Annual General Meeting for the election of Supervisory Board members. An additional Nomination Committee has therefore not been set up.

Determination of the amount of the variable remuneration components (Management Board remuneration)

Recommendation G.8: Subsequent changes to the target values or comparison parameters shall be excluded.

Explanation: The remuneration system for members of the Management Board of secunet Security Networks AG provides for the possibility of the Supervisory Board deviating temporarily from the stipulations of the remuneration system, even after the relevant performance criteria and targets have been set, if this is necessary in the interests of secunet Security Networks AG, particularly in the event of far-reaching changes to the general economic conditions. Possible deviations may include, among others, the performance criteria of the variable remuneration elements, the total maximum remuneration as well as the relation between fixed and variable remuneration components. This provision takes into account the fact that secunet Security Networks AG operates in a volatile and innovative market environment and that a change in the corporate strategy – and thus the performance criteria for Management Board members – must also, in the interests of the sustainable development of the Company, be possible within an assessment period for the variable remuneration components. Furthermore, the remuneration system is designed to provide an incentive for Management Board members even in the event of profound changes in the general economic conditions. The Supervisory Board is therefore of the opinion that, contrary to the recommendation in G.8, this flexibility is appropriate with regard to the targets and comparison parameters of Management Board remuneration.

Remuneration of committee members

Recommendation G.17: Remuneration for Supervisory Board membership shall take appropriate account of the larger time commitment […] of the Chair [...] of committees.

Explanation: The members of the Supervisory Board committees of secunet Security Networks AG receive remuneration for their work on the committees that appropriately takes into account the larger time commitment incurred in the course of their work. The chairs of the committees formed by the Supervisory Board do not receive any separate remuneration beyond this. secunet Security Networks AG does not expect the role of committee chair to involve any significant additional work, particularly as the size of the committees is manageable with three members in each case. Against this background, secunet Security Networks AG is of the opinion that it is not necessary to grant additional remuneration to the committee chairs in order to ensure appropriate remuneration for their work as chairs of the Supervisory Board committees.

secunet Security Networks AG

Munich, 30 November 2023

For the Management Board For the Supervisory Board Axel Deininger Dr Ralf Wintergerst

2.Management Report

Combined Management Report on the position of the Company and the Group for the 2023 financial year of secunet Security Networks Aktiengesellschaft, Essen

54 Principles of the Group
60 Economic report
74 Risk and opportunity report
81 Forecast
83 Risk reporting in relation to financial management
84 Risk management and internal control system
86 Description of the key features of the accounting related internal control and risk management system (Section 289 (4) and Section 315 (4) HGB)
88 Takeover-related information pursuant to Section 289a, sentence 1 and Section 315a, sentence 1 HGB
89 Management and control reference to the Corporate Governance Statement pursuant to Sections 289f HGB and 315d HGB
90 Combined non-financial statement of the Company and the Group
114 Management Board report pursuant to Section 312 (3) AktG

Principles of the Group

This Management Report combines the Management Report of secunet Security NetworksAG (hereinafter "secunet AG") and the Management Report of secunet Group (hereinafter "secunet"). This is because the risks and opportunities of the parent company as well as the expected development and the main activities in the area of research and development are inextricably linked to the Group. The Management Report of secunet AG is therefore consistent with the situation of secunet Group.

Business model

secunet is one of the leading cybersecurity companies in Germany. In an increasingly connected world, the Company's combination of products and consulting assures resilient digital infrastructures and the utmost protection for data, applications and digital identities. A central component of the portfolio are network components that have highly developed encryption technologies and are approved by the German Federal Office for Information Security (BSI) up to the highest national security level. secunet is an IT security partner to the Federal Republic of Germany and a partner of the German Alliance for Cyber Security.

secunet's business covers the entire value chain from analysis and design to development, integration, operation, maintenance and support of the solutions. Flexible, scalable and highly secure solutions are implemented through the extensive use of open source software and a large number of coordinated security mechanisms. These are generally customised for specific application scenarios in industries with particularly high information security requirements. This primarily includes the public sector, including national and international governments, ministries and authorities as well as quasi-governmental organisations. The focus is also on the German armed forces and organisations in the defence sector as well as organisations with security tasks such as the police and border guards. The company also addresses areas in which there are special IT security requirements – such as healthcare and industry.

Group organisation

Legal structure of the Group

secunet Security Networks AG is the parent company of secunet Group. The company has its registered office in Essen, Germany. It acts as the strategic and financial management of the Group and comprises the majority of the operating divisions. In addition, Group-wide central functions such as Finance, Accounting, Controlling, Internal Audit, Legal and Compliance, Human Resources, IT, Investor Relations, Sustainability and Corporate Communications are organised centrally and are the direct responsibility of the Management Board.

secunet AG holds all shares in the subsidiaries SysEleven GmbH (based in Berlin), secunet International GmbH & Co. KG (Essen), secunet International Management GmbH (Essen) and stashcat GmbH (Hanover). The Group companies also include the non-operational secunet Inc. (Texas, USA) and finally safe GmbH (Essen).

International marketing activities for the SINA product family are bundled in secunet International GmbH & Co. KG. As the general partner of secunet International GmbH & Co. KG, secunet International Management GmbH is responsible for the management of secunet International GmbH & Co. KG.

SysEleven GmbH is a German provider of cloud infrastructure, cloud services, managed services and managed Kubernetes. The company has its own open source-based cloud infrastructure with data centre locations in Germany certified to ISO 27001 (Infrastructure as a Service) and provides MetaKube, a platform for the efficient management and optimisation of computing, storage and network resources based on Kubernetes (managed Kubernetes).

stashcat GmbH offers a Business Messenger that enables messaging that is secure as well as data protection-compliant and GDPR-compliant and includes additional security-optimised collaboration and video conferencing functions.

secustack GmbH (i. L., registered office Dresden) was liquidated as at 31 December 2023. The company focused on the development and sale of the SecuStack cloud operating system, a security-hardened cloud software. From 1 January 2024, SecuStack will become part of the SINA Cloud and will be further developed by SysEleven GmbH. secunet AG held 51% of the shares in secustack GmbH, while the remaining 49% were held by CLOUD & HEAT Technologies GmbH (Dresden).

Giesecke + Devrient GmbH, headquartered in Munich, is the majority shareholder with a direct holding of 75.12%, and is the parent company of secunet AG. As a strategic holding company, the owner-managed Giesecke + Devrient GmbH manages its affiliated companies, including secunet AG. The group of companies is internationally oriented and active in the field of banknote and securities printing as well as the development and production of security paper and banknote processing systems. In addition, the group of companies develops and manufactures magnetic strip and chip cards, predominantly for the telecommunications industry, banks and the healthcare sector.

Group management

As a German stock corporation, secunet AG has a two-tier management system consisting of a Management Board and a Supervisory Board. The Management Board is responsible for managing the company and is advised and monitored by the Supervisory Board.

Changes to the composition of the Management Board were resolved in the 2023 financial year. The mandates of Management Board members MrTorsten Henn (COO) and DrKai Martius (CTO), who have both been members of Management Board of secunetAG since June 2019, were extended for a further five years until the end of May 2029. The mandate of Mr Thomas Pleines (CFO) will expire at the end of May 2024. Ms Jessica Nospers will succeed him from 1 June 2024. The contract has an initial term of three years. Ms Nospers has extensive expertise and experience in financial management and most recently worked as CFO for an international ITprovider. From 1 June 2024, the Management Board will consist of MrAxel Deininger (CEO), MrTorsten Henn (COO), Dr Kai Martius (CTO) and Ms Jessica Nospers (CFO).

For further information on the composition and allocation of responsibilities of the Management Board and Supervisory Board, please refer to the Corporate Governance Statement, which forms part of this report and is available on the company website. This also includes the Declaration of Conformity in accordance with Section 161 AktG.

Locations

At the end of 2023, secunet Group had twelve locations in Germany.

Business activities

secunet Group's operating business is divided into two divisions: Public Sector and Business Sector. In its financial reporting, secunet reports on the operational business development in addition to the overall assessment of the Group on the basis of these divisions. Within the divisions, the organisation has a process-oriented design and aims to optimise operations for the relevant markets and customers.

Public Sector

The Public Sector division serves clients in the public sector, including national and international governments, ministries and public authorities as well as quasi-governmental organisations. This customer group also includes the German armed forces and organisations in the defence sector as well as organisations with security tasks such as the police and border guards.

A central component of the product range is the IP-based cryptosystem SINA ("Secure Inter-Network Architecture"), which was developed in cooperation with the German Federal Office for Information Security (BSI). SINA serves to protect electronic information from unauthorised access and enables the protected processing, storage and transmission of classified information via the Internet. SINA fulfils maximum security standards with approvals from the BSI up to the high national classification level SECRET.

The SINA product family comprises a constantly growing number of modular components such as clients, gateways, servers and software tools. These components are used to secure a wide range of application scenarios. Special SINA components are available for military and official high-security networks, which place particularly high demands on data security and equipment resilience. These are based on a hardened hardware platform and are designed for extreme operating conditions.

The public sector also includes activities in the areas of digital identities and biometrics. The range of products and services includes solutions for personal identification and authentication of users on web portals as well as for biometric capture and verification in connection with official identity documents. This also includes automated border control systems that ensure a smooth and secure flow of passengers at airports and other border control stations.

The business activities of the subsidiaries SysEleven GmbH and stashcat GmbH are also integrated into the Public Sector division. In addition to the range of products, the division also offers a broad spectrum of consulting services, ranging from security assessments (known as penetration tests) via security consulting (for security guidelines and their implementation, for example) up to support for certification projects.

Business Sector

The Business Sector division addresses two markets in the private sector: healthcare and industry.

In the healthcare market, secunet's services are aimed at medical service providers, including doctors, hospitals and pharmacies. The focus of the range is on the provision of various connectors. These offer secure access to the telematics infrastructure (TI) and provide interfaces to applications such as the electronic health record (EHR) and the electronic prescription (ePrescription). The connectors also perform important security functions such as encrypting and signing medical documents. This ensures the secure transmission and processing of sensitive health data in the context of digital health applications.

For industry, secunet offers solutions for secure edge computing and early warning systems for the prevention and detection of cyber attacks. The focus is particularly on manufacturing companies with high security requirements. Critical infrastructures (CI) are also addressed, i. e. organisations and facilities that are important to the state and society, including those in the energy, transport, traffic, water, finance and insurance sectors.

As in the Public Sector division, the Business Sector division also includes a wide range of consulting services.

International business

In both divisions, the geographical focus of sales is primarily on Germany. secunet's sales activities abroad are focused on the countries of the European Union, EU organisations as well as defence and space organisations (including organisations such as NATO) and the Middle East.

Procurement

secunet Group does not have its own production facilities. secunet works with a large number of manufacturing partners for the value creation and manufacture of hardware products. secunet purchases both standard products from computer manufacturers, which are then refined in terms of security technology, and special products that are ordered and manufactured to secunet's specifications. For particularly security-critical components, secunet favours partners from Germany or the European Union. When procuring software components that are used as part of products, secunet focuses primarily on open source, i. e. software whose source code is freely available and may be used commercially depending on the underlying licence.

It is particularly important to secunet Group that fundamental labour, social and environmental standards are observed in the manufacture and transport of the products sold by secunet. The company also respects and supports the principles of the International Labour Organisation (ILO), the Supply Chain Act and the UN Global Compact. secunet passes on to its suppliers its principles of conduct with regard to human rights, working conditions, environmental protection and business practices that comply with the law and are based on integrity. These principles of conduct are defined in the Code of Conduct for Suppliers and Business Partners, which was updated in 2022 and is binding for all suppliers and business partners. With this Code, secunet obliges its partners to orientate themselves with our principles of conduct, to comply with them and to pass them on in their supply chain. This is an essential building block for fulfilling social, ecological and economic responsibility in the supply chain.

Management system and key performance indicators

Internal Group management system

secunet Group and secunet AG are managed in accordance with the long-term strategy and the short and medium-term targets. The Management Board bears joint responsibility for overall planning and for realising the formulated targets as part of the company's strategic development.

The Management Board primarily uses financial management and performance indicators to assess current business performance and make decisions on future strategies and investments. In the annual strategy process, an internal plan is drawn up for a medium-term period and a planning calculation for the coming year. At the same time, a forecast for the current financial year is regularly prepared on the basis of current business performance. Target achievement is monitored by the Management Board by means of a target /actual comparison and the forecasts. In addition, the progress made in achieving the strategic targets is regularly reviewed and analysed at meetings of the Management Board.

The financial management and performance indicators are also used in the financial reporting. A detailed presentation of their development can therefore be found in the section "Economic report".

The company is not managed exclusively on the basis of financial indicators, but also takes into account non-financial performance indicators as well as industry and company-specific early indicators.

There were no changes in the key performance indicators compared to the previous year.

Key financial performance indicators

The most significant financial performance indicators for corporate management and financial reporting are sales revenue and earnings before interest and taxes (EBIT). EBIT represents the net profit for the period before interest income, interest expenses or financial result, income from equity investments (in particular annual financial statements) and income taxes. It presents the operating result without the influence of effects from internationally inconsistent taxation systems and varying financing activities.

The key financial performance indicators are recorded and monitored both at Group level and in the individual segments. They form the basis for management processes and decision-making at strategic and operational level, for example for investment and acquisition decisions.

The remuneration of the members of the Management Board includes a variable component that depends on the achievement of targets for the key financial performance indicators. This is described in detail in the separate "Remuneration report in accordance with Section 162 AktG", which also forms part of this Annual Report.

Other key financial performance indicators

secunet Group also uses other key financial performance indicators to assess its economic performance, both in its corporate management and in its financial reporting. In contrast to the aforementioned, the financial performance indicators are only of secondary importance. For this reason, no forecast is provided for these key performance indicators.

2. Management Report

These key performance indicators include gross profit and operating expenses in particular. Gross profit, derived from the difference between sales revenue and cost of sales, serves as an indicator of the company's value creation. Operating expenses include expenses incurred in the course of normal business activities. A distinction is made between selling expenses, research and development costs and general administrative costs.

Key non-financial performance indicators

In addition to the financial management and performance indicators, the Group is also managed on the basis of non-financial performance indicators, although these are of secondary importance. The Supervisory Board sets various sustainability and ESG targets each year, usually up to three. In 2023, these included increasing customer satisfaction compared to the reference group through a Net Promoter Score survey, increasing employee satisfaction through the implementation of appropriate projects and reducing CO2 emissions, measured in tons per employee.

A planned value of 2 was envisaged for the Net Promoter Score in 2023, but a better value of 33 was achieved. The planned amount of CO2 emissions was 3.74 tonnes per employee, but a significantly better figure of 1.12 tonnes per employee was achieved. The forecast for employee satisfaction was 2.59 (based on an employee survey), but a better value of 2.35 was achieved.

The Supervisory Board has set the following targets for 2024: A Net Promoter Score of 2 and CO2 emissions of 3.55 tonnes per employee. To increase employee satisfaction, the decision was taken to develop concepts for implementation based on the results of the employee survey from 2023.

The remuneration of the members of the Management Board includes a variable component that depends on the achievement of targets for the non-financial performance indicators. This is described in detail in the separate "Remuneration report in accordance with Section 162 AktG", which also forms part of this Annual Report.

Sector and company-specific early indicators

According to the Management Board's assessment, the key company-specific early indicators are incoming orders and the order book. These key performance indicators are recorded on a monthly basis and serve as an indication of expected capacity utilisation and the anticipated sales revenue and earnings performance.

In order to gain an overview of market conditions, management continuously monitors and analyses statistics and forecasts on general economic trends and the dynamics of the IT and IT security markets.

Research and development

The research and development activities of secunet Group, secunet AG and SysEleven GmbH are aimed at identifying technological trends at an early stage and addressing them in a targeted manner. This is intended to provide optimum support for the achievement of strategic corporate goals. The focus is on developing new products, opening up new markets and acquiring new customers. The research and development activities are carried out both for our own purposes and also within the framework of individual customer projects.

Innovation management

Strategically, secunet bases its innovation efforts on three pillars:

» Promoting the culture of innovation by incentivising new developments as well as through regular and intensive internal technical exchange and by building an infrastructure for knowledge management;
» Cooperation and partnerships with customers, suppliers, universities and associations to achieve synergies in research and development;
» Organisational bundling of competences in product management that support developments from innovation management through to the creation of market-ready products.

Employees of secunet Group are members of numerous national and international standardisation bodies and committees. Active participation enables innovations in IT to be tested, recognised and implemented at an early stage. The Management Board believes that this not only promotes the valuable exchange of expertise, but also contributes to the continuous qualification of own workforce.

Economic report

General economic environment

With a revenue share of around 91% in the 2023 financial year, Germany is secunet Group's key sales market.

The German economy recorded a decline last year. According to calculations by the German Federal Statistical Office (Destatis), price-adjusted gross domestic product (GDP) fell by 0.3%. The previous year had seen growth of 1.8%. Experts attribute the reasons for the weakening economic performance to the crisis-ridden environment and new uncertainties caused by the Middle East conflict and the recent budget crisis in Germany.

Sector-specific framework conditions

Market for information and communication technology (ICT)

In addition to the general economic development in Germany, the overall market for information technology and telecommunications (ICT) forms an essential framework and comparative basis for the assessment of secunet Group's economic development. Market statistics are compiled by the digital association Bitkom.

Last year, expenditure on information technology and telecommunications (ICT) rose by 2.0% to 215.0 billion euros. The business climate in the digital economy developed positively, bucking the trend in the economy as a whole. A key factor in this development was the market for information technology (IT), which is particularly relevant for secunet Group and grew by 2.2% in 2023. This market comprises IT hardware, software and IT services. With growth of 9.6% to 41.5 billion euros, expenditure on software recorded the largest increase in this segment. Despite a decline of 5.4%, IT hardware continued to make up the largest share of the IT market with a volume of 52.0 billion euros, ahead of IT services, for which expenditure rose by 5.1% to 49.4 billion euros.

Market for IT security

According to Bitkom (as at October 2023), expenditure on IT security in Germany exceeded 9 billion euros for the first time in 2023, climbing by 13% to 9.2 billion euros. The market for IT security thus grew relatively faster than the overall market for information technology and telecommunications (ICT) and than the German economy as a whole. Investments in IT security software accounted for the largest share of expenditure at around 4.3 billion euros (up 18%). This was closely followed by expenditure on IT security services, which increased by 12% to 4.0 billion euros. IT security hardware continued to account for just under 0.9 billion euros.

Business risk of cyberattacks

Cyberattacks have become one of the biggest threats to the German economy. These attacks can completely paralyse a company's business activities, prevent vital operations in hospitals, shut down power stations or bring airports and railway lines to a standstill. In 2023, economic crime caused total losses of 206 billion euros, with around 150 billion euros attributable to cyberattacks. These figures are based on a survey conducted by Bitkom, for which more than 1,000 companies from various sectors were questioned. Around three quarters (72%) of all companies stated that they had been affected by analogue and digital attacks.

The public impact of these cyberattacks is also increasing awareness of security, particularly with regard to IT security, cybersecurity and data protection. Companies in the private sector are becoming increasingly sensitised. The Allianz Risk Barometer 2024 revealed that cyber incidents are perceived as the greatest business risk both globally and in Germany – ahead of risks such as business interruptions, natural disasters or changes to laws and regulations.

Increasing regulation

The topic of IT security is receiving additional support through increasing regulation. This is playing a key role in ensuring that IT security is no longer seen as a mere technical necessity, but as a fundamental business requirement. Companies and the state are motivated to invest in their security measures and thus strengthen their resilience to digital threats.

With the digital strategy and the cybersecurity strategy, the German Federal Government is strengthening the security requirements that companies and the state must meet. The introduction of a right to encryption is intended to increase the acceptance and use of encryption technologies among the population, businesses and public institutions. In addition, the principle of "security by design /default" is being introduced, which means that digital applications must take IT security aspects into account from the outset.

Other national and international initiatives underscore the increasing importance of IT security. The German IT Security Act 2.0 tightens the requirements for critical infrastructures by expanding the group of affected companies and making the catalogue of minimum requirements more comprehensive. For example, all security-relevant network and system components must now only come from trustworthy manufacturers, and companies must implement systems for the early detection and defence against cyberattacks.

At the European level, the European Union will be introducing a large-scale planned IT system for monitoring the travel movements of third-country nationals at the external borders of the Schengen area (Entry /Exit System EES). This will make the required level of security for border infrastructures stricter and significantly increase the need for trustworthy solutions for the secure capture and processing of biometric data.

Business performance in 2023

Business performance of secunet Group

In the 2023 financial year, secunet Group recorded positive development despite challenging economic conditions and a budget crisis in its most important customer group, the public sector. Group sales revenue increased significantly to 393.7 million euros and exceeded the sales forecast of around 375 million euros published in the 2022 annual report. Compared to the previous year, which was already very successful (347.2 million euros), the figure achieved represents an increase of 13%. The increase in sales is due to a significant rise in the trade goods business, particularly with the SINA family and biometric border control solutions. In contrast, the software licences and services business recorded a significant decline compared to the previous year. These developments led to a change in the product mix and a less favourable margin profile.

Furthermore, in 2023 secunet Group systematically continued the investments that were started in the previous year. The primary goal of these investments is to expand and diversify the product portfolio and tap into new markets. Significant progress was made in the implementation of the strategic focus areas. One central project was the development of a sovereign cloud ecosystem that is specifically tailored to the requirements of ministries, public authorities and companies with the highest security requirements. In addition, SINA Mobile was developed, an application suite that enables the secure processing and transfer of sensitive data on standard mobile devices. In the healthcare market, a high-speed connector was developed as a powerful server-based software solution that forms the basis for cloudbased and future-proof access to the telematics infrastructure.

As in the previous year, these extensive investments led to an increase in the cost base. Together with the changed product mix, this meant that earnings before interest and taxes (EBIT) fell much more sharply than expected at the beginning of the financial year. The Management Board originally forecast EBIT of around 50 million euros in the 2022 annual report, but revised this estimate to around 42 million euros in October. EBIT of 43.0 million euros was actually achieved. In the previous year, operating profit totalled 47.0 million euros.

As in the past, business performance during the year was characterised by particularly strong year-end business. In the months from October to December 2023, secunet Group generated sales revenue of around 155 million euros. This corresponds to almost 40% of annual sales revenue. EBIT also reached a very high level of around 33 million euros in the final quarter, accounting for more than 75% of the annual result. In terms of both key indicators, the fourth quarter of 2023 was the most successful in the company's history to date.

The Management Board assesses the business performance in 2023 as positive overall. The increase in sales revenue proves that secunet Group can continue to achieve significant growth. The company has also successfully expanded and diversified its product portfolio. Although the Management Board is not satisfied with the decline in EBIT and the failure to meet the initial earnings targets, it believes that secunet Group remains extremely profitable. The change in the product mix and the investments made are considered as having a shortterm negative impact on the margin.

The Management Board is convinced that the investments represent an essential step that is necessary for the medium and long-term growth of the company and opens up additional growth potential.

Business performance of secunet AG

secunet AG is managed on the basis of secunet Group's key performance indicators. The economic development of the company depends directly on the development of the Group as a whole. Accordingly, the forecast for secunet AG for the 2023 financial year was subject to the same risks and opportunities as those of secunet Group. Sales revenue of around 344 million euros was anticipated and an EBIT of around 48 million euros.

In the 2023 financial year, secunet AG recorded sales revenue of 372.4 million euros and EBIT of 43.4 million euros. Sales revenue thus significantly exceeded both the forecast (around 344 million euros) and the previous year's figure (329.5 million euros). As at group level, secunet AG's EBIT was both below expectations (around 48 million euros) and below the previous year's figure (51.2 million euros). Details of these developments can be found in the section "Business performance of secunet Group".

The Management Board assesses the business performance of secunet AG in the 2023 financial year as good overall.

Results of operations

Results of operations of the Group

The income statement for secunet Group in accordance with IFRS, as applicable in the EU, is presented according to the cost of sales method.

Sales revenue performance

In the 2023 financial year, secunet Group recorded sales revenue of 393.7 million euros, which corresponds to a significant increase of 13% compared to the previous year (347.2 million euros). The product business, which comprises the sale of hardware, software, maintenance and support, generated 349.7 million euros in the 2023 financial year (previous year: 297.7 million euros). While business with trade goods developed very positively, business with software licences and services fell short of expectations. The provision of services generated 44.0 million euros (previous year: 49.5 million euros).

secunet Group's business focus remained on German federal ministries, national and international government institutions and organisations in the defence sector. 88% of Group sales revenue in the 2023 financial year were attributable to this target group (previous year: 86%). The Public Sector division, which covers these activities, achieved sales revenue of 344.8 million euros in the reporting period, which corresponds to an increase of 15% compared to the previous year (300.3 million euros). Successful product business with the SINA family was a key factor in sales growth. A significant increase in the area of biometric border control solutions also contributed to this positive development.

The remaining 12% of Group sales revenue were attributable to the Business Sector division (previous year: 14%). This division serves two markets in the private sector: healthcare and industry. The Business Sector generated sales revenue of 48.9 million euros in the 2023 financial year, slightly above the previous year's level (46.9 million euros) due to a moderate increase in sales revenue in the healthcare sector.

secunet Group recorded positive growth both on the German market and in its international business in the 2023 financial year.

In Germany, sales revenue rose by 13% from 316.4 million euros in the previous year to 358.5 million euros in the current reporting period. In its international business, secunet achieved sales revenue of 35.1 million euros, compared to 30.9 million euros in the previous year, which corresponds to an increase of 14%. The share of international business in total sales revenue remained unchanged at 9%.

The increase in Group sales revenue resulted from higher sales volumes and increased prices. As secunet Group mainly operates in the eurozone, currency effects were insignificant. At 2.8 million euros, sales revenue from projects with the Giesecke + Devrient Group, i. e. with the parent company or sister companies of secunet AG, remained at an unchanged low level (previous year: 1.2 million euros).

Order book

As at 31 December 2023, secunet Group's order book amounted to 190.2 million euros, which roughly corresponds to the high level on the previous year's reporting date (197.6 million euros). The order backlog mainly comprises orders from public-sector customers as well as orders for the 2024 financial year and subsequent years.

Earnings performance

In the 2023 financial year, secunet Group generated a gross profit on sales of 87.4 million euros, which corresponds to a gross margin of 22.1%. The change on the previous year – in which a gross profit on sales of 90.2 million euros or a gross margin of 26.0% was achieved – is attributable to the development of the cost of sales (sales cost). This rose from 257.1 million euros in the previous year to 306.3 million euros in the reporting period, which led to a corresponding reduction in the gross margin.

The cost of sales is the most significant cost item in secunet Group and includes personnel expenditure as well as materials expenses for the product business. The changes in the product mix, as explained in the "Sales revenue performance" section, led to higher costs for the realisation of sales. The increase in the trade goods business in particular resulted in a higher cost of materials ratio, while growth in the consulting business required additional personnel resources. The Group-wide expansion of the workforce also contributed to the increase in personnel expenditure. In addition, higher scheduled amortisation of intangible assets and depreciation of property, plant and equipment affected the cost of sales, including scheduled amortisation of assets identified as part of the purchase price allocation for the acquired SysEleven GmbH. This effect was only partially recognised in the previous year, as SysEleven GmbH was not consolidated until 1 June 2022.

In 2023, the selling expenses of secunet Group rose to 26.1 million euros in connection with increased marketing and sales activities (previous year: 22.7 million euros). The ratio of selling expenses to sales revenue was 6.6%, sand thus remained virtually unchanged from the previous year (6.5%).

General administrative expenses totalled 10.6 million euros. The slight increase compared to the previous year (10.3 million euros) is due to higher personnel and material costs for management and administrative offices. The ratio of administrative expenses to sales revenue decreased from 3.0% in the previous year to 2.7% in the reporting period. In the previous year, this item also included one-off costs in connection with the acquisition of SysEleven GmbH.

Research and development costs, i.e. expenses in connection with operational research and development for product developments, totalled 10.3 million euros in 2023 (previous year: 9.8 million euros). This expenditure was incurred in connection with various projects, which are explained in more detail in the "Investments" section. The ratio of research and development costs to sales revenue amounted to 2.6% after 2.8% in the previous year.

In the 2023 financial year, the payout clause contractually agreed in conjunction with the acquisition of SysEleven GmbH was revalued. The revaluation resulted in an impairment of the payout clause of 2.6 million euros. This led to a corresponding one-time positive effect on earnings in the reporting period, which was recognised as other operating income.

Due to the developments described above, earnings before interest and taxes (EBIT) fell to 43.0 million euros. This corresponds to an EBIT margin of 10.9%. In the previous year, secunet Group achieved an operating profit of 47.0 million euros and a margin of 13.5%.

The Public Sector division recorded a decline in EBIT to 42.5 million euros in the 2023 financial year compared to 46.1 million euros in the previous year. At 0.5 million euros, EBIT in the Business Sector division remained almost unchanged compared to the previous year (0.9 million euros). Both divisions were impacted by an increase in the respective cost of sales and functional costs.

Interest income remained negligible in the 2023 financial year (0.0 million euros, previous year: 0.0 million euros). Interest expenses totalled 0.9 million euros after 0.5 million euros in the previous year. In addition to the interest on pension provisions, the increase in interest expenses resulted mainly from the interest for a temporary current-account credit facility as well as expenses within the scope of lease accounting in accordance with IFRS 16.

secunet Group achieved earnings before taxes (EBT) of 42.1 million euros in the 2023 financial year after 46.7 million euros in the previous year. Due to the lower EBT, tax expenses fell to 13.1 million euros (previous year: 15.4 million euros). The tax ratio in the 2023 financial year was around 31% (previous year: around 33%).

As a result, secunet Group recorded a consolidated net income of 29.0 million euros compared to 31.3 million euros in the previous year. Of this amount, 29.2 million euros (previous year: 31.3 million euros) was attributable to the shareholders of secunet AG, while non-controlling interests accounted for -0.1 million euros (previous year: 0.0 million euros, minority shareholders of secustack GmbH). Diluted and undiluted earnings per share amounted to 4.51 euros, compared to 4.84 euros in the previous year.

Results of operations of secunet AG

In the annual financial statements of secunet AG issued pursuant to commercial law, the income statement is presented using the nature of expense method.

In the 2023 financial year, secunet AG generated sales revenue of 372.4 million euros, compared to 329.5 million euros in the previous year. The increase in sales revenue is attributable to the same reasons as at Group level. Other operating income totalled 1.2 million euros compared to 4.5 million euros in the previous year. This included government project grants, reimbursements from damages, income from the release of provisions and other income. Unfinished services as well as work in progress and finished goods decreased by 1.0 million euros in 2023, compared to an increase of 0.7 million euros in the previous year.

Materials expenses totalled 209.9 million euros compared to 176.8 million euros in the previous year. The increase was mainly influenced by sales growth in the product business. At the same time, personnel expenditure increased to 80.1 million euros due to the growth in the workforce, compared to 71.8 million euros in the previous year.

At 4.3 million euros, depreciation and amortisation of intangible assets and property, plant and equipment remained unchanged in the 2023 financial year compared to the previous year (4.3 million euros). These again resulted mainly from the company's property, plant and equipment, with office equipment and IT infrastructure being the main components. Other operating expenses increased to 34.9 million euros compared to 30.6 million euros in the previous year. This increase resulted from various cost items, including rental costs for office space, advertising costs, ancillary personnel expenses and company car costs.

Income from equity investments totalled 2.7 million euros in the reporting period compared to 3.3 million euros in the previous year. This income mainly resulted from the net income for the year of secunet International GmbH & Co. KG.

At 43.4 million euros, secunet AG's earnings before interest and taxes (EBIT) in the 2023 financial year were significantly lower than in the previous year (51.2 million euros). The financial result is reported at -1.1 million euros, compared to -0.4 million euros in the previous year. This increase is due in particular to the interest expense resulting from a temporary currentaccount credit facility. Accordingly, the earnings before income taxes were 45.0 million euros (previous year: 54.1 million euros).

After deducting income taxes of 14.2 million euros (previous year: 17.1 million euros) and other taxes of 0.3 million euros (previous year: 0.1 million euros), the net income for the year was significantly lower at 30.5 million euros (previous year: 36.9 million euros).

Financial and net asset situation

Financial and net asset situation of the Group

The secunet Group balance sheet is presented in accordance with IFRS, as applicable in the EU.

Capital structure of the Group

secunet Group's balance sheet total as at the reporting date of 31 December 2023 amounted to 328.6 million euros, which represents an increase compared to the figure as at 31 December 2022 (315.4 million euros). On the liabilities side of the balance sheet, equity accounted for 137.8 million euros (31 December 2022: 127.8 million euros) and debt capital for 190.7 million euros (31 December 2022: 187.6 million euros). The equity ratio thus rose to 41.9% compared to the previous year's reporting date (40.5%). The debt ratio fell accordingly to 58.1% compared to 59.5% on the previous year's reporting date.

As at the reporting date, short-term loans and the current portion of long-term loans totalled 1.2 million euros, compared to 0.5 million euros on the previous year's reporting date. Ongoing business and necessary replacement investments were financed primarily from the operating cash flow in the reporting period.

in euros	31 Dec 2023	31 Dec 2022
Current assets
Cash and cash equivalents	41,269,674.54	21,479,549.36
Trade receivables	88,896,835.69	75,818,259.18
Intercompany financial assets	1,234,850.54	304,018.98
Contract assets	2,872,998.07	2,596,942.21
Inventories	48,033,717.04	72,298,654.03
Other current assets	4,234,838.59	6,084,621.52
Income tax receivables	6,047,856.47	1,174,591.64
Total current assets	192,590,770.94	179,756,636.92

Non-current assets
Property, plant and equipment	11,492,598.69	10,720,417.00
Right-of-use assets	17,376,742.30	18,288,681.46
Intangible assets	35,690,375.98	39,006,599.04
Goodwill	47,627,601.69	47,627,601.69
Non-current financial assets	6,438,407.00	6,549,879.00
Deferred taxes	3,241,252.60	2,547,651.27
Other non-current assets	14,180,063.10	10,922,602.38
Total non-current assets	136,047,041.36	135,663,431.84
Total assets	328,637,812.30	315,420,068.76

Balance sheet of secunet Group, assets

Assets

The assets side of the consolidated balance sheet showed current assets of 192.6 million euros as at 31 December 2023, which corresponds to an increase on the 179.8 million euros as at the previous year's reporting date.

Cash and cash equivalents increased due to the cash inflow from operating activities to 41.3 million euros compared to 21.5 million euros on the previous year's reporting date. This was offset by investments in intangible assets and property, plant and equipment as well as the dividend payment, which had the opposite effect.

Trade receivables increased from 75.8 million euros as at the previous year's reporting date to 88.9 million euros as at the current reporting date. The increase was primarily attributable to the high sales volume in the year-end business.

Also due to the high sales volume in year-end business, inventories fell to 48.0 million euros. In the previous year (31 December 2022: 72.3 million euros), secunet Group had built up more inventories to take account of the global shortages in the supply of semiconductor products.

Contract assets as at 31 December 2023 amounted to 2.9 million euros, compared to 2.6 million euros as at the same reporting date in the previous year. These values represent services that have already been rendered under service or employment contracts, but for which no unconditional claim to payment has yet arisen.

Income tax receivables totalled 6.0 million euros as at the reporting date compared to 1.2 million euros as at the previous year's reporting date. The increase is mainly due to a tax receivable resulting from the decline in EBIT.

Non-current assets totalled 136.0 million euros as at 31 December 2023 and were therefore at the same level as at the previous year's reporting date (135.7 million euros).

Goodwill totalled 47.6 million euros, unchanged from the previous year. Intangible assets recorded a moderate reduction to 35.7 million euros, compared to 39.0 million euros as at the previous year's reporting date due to scheduled amortisation. Property, plant and equipment, which mainly consists of office equipment and IT infrastructure, increased to 11.5 million euros compared to 10.7 million euros as at the previous year's reporting date.

Right-of-use assets amounting to 17.4 million euros (31 December 2022: 18.3 million euros) changed only insignificantly and resulted primarily from leases for buildings, offices and company cars. The corresponding items on the liabilities side are the lease liabilities.

Current and non-current other assets increased to 18.4 million euros (31 December 2022: 17.0 million euros). These consist mainly of other receivables from suppliers, advance payments for travel expenses, prepayments for future services and other receivables.

Debt and equity

At 112.9 million euros as at 31 December 2023, the liabilities side of the consolidated balance sheet showed higher current liabilities, i. e. liabilities with a remaining term of less than one year, than on the previous year's reporting date (103.3 million euros). Non-current liabilities, on the other hand, fell from 84.3 million euros to 77.9 million euros. As at the reporting date, short-term loans and the current portion of long-term loans totalled 1.2 million euros, compared to 0.5 million euros on the previous year's reporting date.

Balance sheet of secunet Group, liabilities

in euros	31 Dec 2023	31 Dec 2022
Current liabilities
Trade accounts payable	32,354,865.81	36,185,965.84
Intercompany payables	173,410.58	79,789.82
Lease liabilities	5,032,943.46	3,947,364.31
Short-term loans and current portion of long-term loans	1,161,643.18	312,500.00
Other provisions	18,660,695.33	17,211,643.67
Income tax liabilities	51,235.23	3,068,902.97
Other current liabilities	22,938,684.64	12,290,604.69
Contract liabilities	32,522,556.53	30,231,243.38
Total current liabilities	112,896,034.76	103,328,014.68

Non-current liabilities
Leasing commitments	12,897,754.89	14,709,981.23
Other non-current liabilities	2,977,256.29	12,638,551.04
Deferred taxes	11,006,351.21	11,999,696.98
Provisions for pensions	6,575,285.00	5,604,437.00
Other provisions	1,686,058.24	1,585,725.88
Contract liabilities	42,755,799.98	37,562,964.37
Liabilities to banks	0.00	156,250.00
Total non-current liabilities	77,898,505.61	84,257,606.50

Equity
Subscribed capital	6,500,000.00	6,500,000.00
Capital reserves	21,922,005.80	21,922,005.80
Other reserves	-701,105.06	-211,218.99
Retained earnings	110,026,191.28	99,378,962.70
Equity attributable to parent company shareholders	137,747,092.02	127,589,749.51
Non-controlling interests	96,179.91	244,698.07
Total equity	137,843,271.93	127,834,447.58
Total liabilities	328,637,812.30	315,420,068.76

Against the backdrop of reduced inventories, trade payables also decreased as at the reporting date. They stood at 32.4 million euros as at 31 December 2023 after 36.2 million euros as at the previous year's reporting date.

Lease liabilities totalled 17.9 million euros after 18.7 million euros in the previous year. They mainly resulted from leases for buildings, offices and company cars. On the assets side, these liabilities are offset by the corresponding right-of-use assets.

Contract liabilities increased to 75.3 million euros as at 31 December 2023 (31 December 2022: 67.8 million euros) and comprised customer prepayments that will be recognised as sales revenue after the reporting date. This item contains transactions where secunet generates cash inflow in advance due to multiple-year maintenance and support contracts and extended warranties or receives advance payments for later supplies or services. The increase is mainly due to the growth in the product business.

Due to the moderate decline in the general interest rate level and the corresponding adjustment of the actuarial interest rate, there was an increase in pension provisions without effect on income. As at 31 December 2023, they amounted to 6.6 million euros, after 5.6 million euros as at the previous year's reporting date.

Other provisions increased to 20.3 million euros as at the reporting date (31 December 2022: 18.8 million euros). This increase was mainly due to the creation of provisions for variable remuneration components for the workforce.

Other current liabilities increased significantly to 22.9 million euros compared to 12.3 million euros as at the previous year's reporting date. This increase was attributable, firstly, to an increase in value-added tax payable due to the high sales volume in the year-end business. Secondly, the performance-related purchase price component agreed as part of the acquisition of SysEleven GmbH is now recognised as other current liabilities, as the payment is scheduled for the 2024 financial year. Other non-current liabilities fell accordingly to 3.0 million euros, compared to 12.6 million euros as at the previous year's reporting date.

Deferred tax liabilities were 11.0 million euros, changed only insignificantly compared to the previous year' reporting date (12.0 million euros). These included in particular the deferred tax liabilities from intangible assets in the course of the acquisition of SysEleven GmbH.

secunet Group's equity increased from 127.8 million euros as at the previous year's reporting date to 137.8 million euros as at 31 December 2023. This is primarily attributable to the increase in retained earnings, which rose from 99.4 million euros to 110.0 million euros, in particular as a result of the Group profit for the period attributable to the shareholders of secunet AG less the dividend payments in 2023. In relation to the balance sheet total, this results in a slightly improved equity ratio of 41.9% after 40.5% as at the previous year's reporting date.

Cash flow and liquidity

In the 2023 financial year, secunet Group recorded a cash flow from operating activities of 51.9 million euros. This represents a significant improvement on the same period of the previous year (-4.0 million euros). This positive development was achieved by reducing working capital, partly due to the reduction in inventories. This more than compensated for the effects of the lower earnings before taxes.

Cash flow from investing activities amounted to -8.8 million euros in the reporting period and mainly comprised investments in intangible assets and property, plant and equipment. These were, in particular, expenditures for the new acquisition and replacement of hardware, software and other operating equipment. In comparison, the corresponding figure of -54.5 million euros in the previous year was strongly influenced by the acquisition of SysEleven GmbH. No acquisitions were made in the current reporting period.

The cash flow of -23.3 million euros from financing activities (previous year: -39.5 million euros) essentially reflects the dividend payment of 18.5 million euros (previous year: 34.8 million euros) and repayments of lease liabilities in the amount of 6.0 million euros (previous year: 4.7 million euros).

After the end of the 2023 financial year, there was an overall inflow of cash and cash equivalents totalling 19.8 million euros, compared to a cash outflow of 98.0 million euros in the same period of the previous year. Cash and cash equivalents amounted to 41.3 million euros as at 31 December 2023 and were therefore significantly higher than the figure as at the previous year's reporting date (21.5 million euros). In order to ensure additional financial flexibility, secunet has a credit line of 30 million euros.

Financial and net asset situation of secunet AG

The annual financial statements of secunet AG were prepared in accordance with German commercial law. The accounting measurement methods in the Annual Financial Statements of secunet AG pursuant to commercial law differ from those for secunet Group (prepared in accordance with IFRS), as applicable in the EU, primarily with regard to the presentation of receivables, inventories, provisions for pensions and deferred taxes.

A different measurement method is also used for goodwill, which according to the German Commercial Code (HGB) is amortised on a straight-line basis, while IFRS only provides for unscheduled impairments following an annual impairment test.

in euros	31 Dec 2023	31 Dec 2022
A. Fixed assets
I. Intangible fixed assets	1,154,060.00	2,014,574.00
II. Property, plant and equipment	6,879,027.69	7,581,236.00
III. Financial assets	80,499,152.04	82,107,718.80
Total fixed assets	88,532,239.73	91,703,528.80

B. Current assets
I. Inventories	50,521,853.28	75,080,274.00
II. Receivables and other assets	96,583,853.94	80,493,079.36
III. Cash in hand and balances with credit institutions	35,177,432.79	15,884,905.00
Total current assets	182,283,140.01	171,458,258.36

C. Prepaid expenses and accrued income	16,727,936.08	13,246,918.09

Total assets	287,543,315.82	276,408,705.25

Balance sheet of secunet AG, assets

secunet AG's balance sheet total increased to 287.5 million euros as at 31 December 2023 compared to 276.4 million euros as at 31 December 2022. On the assets side of the balance sheet, fixed assets as amounted to at 88.5 million euros at the reporting date and thus remained almost unchanged compared to the previous year's reporting date (91.7 million euros). Financial assets amounted to 80.5 million euros (31 December 2022: 82.1 million euros) and comprised shares in affiliated companies and equity investments. Property, plant and equipment amounted to 6.9 million euros, down on the figure as at the previous year's reporting date (7.6 million euros) due to scheduled amortisation. Also due to scheduled amortisation, intangible assets decreased to 1.2 million euros (31 December 2022: 2.0 million euros).

Current assets increased to 182.3 million euros as at 31 December 2023, which corresponds to a slight increase compared to the previous year's reporting date (171.5 million euros). This increase was mainly due to an increase in receivables and other assets to 96.6 million euros (31 December 2022: 80.5 million euros) and in cash on hand and bank balances to 35.2 million euros (31 December 2022: 15.9 million euros). On the other hand, inventories fell from 75.1 million euros to 50.5 million euros. The reasons for these developments largely correspond to those within the Group.

Prepaid expenses and accrued income included accruals of 16.7 million euros (31 December 2022: 13.2 million euros), mainly due to advance payments for product services sold as part of customer projects.

in euros	31 Dec 2023	31 Dec 2022
A. Equity
Subscribed capital	6,500,000.00	6,500,000.00
Nominal value of treasury shares	-30,498.00	-30,498.00
I. Issued capital	6,469,502.00	6,469,502.00
II. Capital reserves	21,656,305.42	21,656,305.42
III. Retained earnings
Other retained earnings	91,616,863.84	76,360,410.84
IV. Net accumulated profit	15,268,024.72	18,502,775.72
Total equity	135,010,695.98	122,988,993.98

B. Provisions	29,489,300.64	30,252,570.03
C. Liabilities	60,609,157.99	66,301,648.49
D. Deferred income and accrued expenses	62,434,161.21	56,865,492.75

Total liabilities	287,543,315.82	276,408,705.25

Balance sheet of secunet AG, liabilities

As at the reporting date of 31 December 2023, secunet AG's equity amounted to 135.0 million euros, which represents an increase compared to the previous year's value (123.0 million euros).

Provisions amounted to 29.5 million euros as at the reporting date (31 December 2022: 30.3 million euros) and mainly comprised provisions for pensions and similar obligations as well as tax provisions and other provisions.

Liabilities also decreased due to the reduction in inventories. They stood at 60.6 million euros as at 31 December 2023 after 66.3 million euros as at the previous year's reporting date.

Deferred income and accrued expenses to 62.4 million euros as at the reporting date, compared to 56.9 million euros as at the previous year's reporting date. This is attributable to the growing product business, where increased income was recognised in connection with the provision of services after the reporting date.

Proposal for the appropriation of distributable earnings

The Management Board and Supervisory Board will propose to the Annual General Meeting to be held on 23 May 2024 that an amount of 15.3 million euros be distributed to the shareholders as a dividend on the 6,469,502 shares of share capital as at 31 December 2023, corresponding to 2.36 euros per share, from the balance sheet profit of secunet AG for the 2023 financial year in the amount of 15.3 million euros.

Investments

In the 2023 financial year, research and development activities covered various projects. In addition to the further development of the existing product portfolio, resources were also made available for new developments. One major project was the development of a sovereign cloud ecosystem that is specifically tailored to the requirements of ministries, public authorities and companies with the highest security requirements. In addition, SINA Mobile was developed, an application suite that enables the secure processing and transfer of sensitive data on standard mobile devices. In the healthcare market, a high-speed connector was developed as a powerful server-based software solution that forms the basis for cloudbased and future-proof access to the telematics infrastructure.

The expenditure for research and development amounted to 10.3 million euros in the 2023 financial year (previous year: 9.8 million euros). The ratio of research and development costs to sales revenue amounted to 2.6% after 2.8% in the previous year.

Employees

As at the reporting date of 31 December 2023, secunet had 1,043 permanent employees across the Group. This represents an increase of 85 people or 9% compared to the previous year's reporting date (958 people). In addition, secunet Group employed 118 temporary staff as at the reporting date (31 December 2022: 109 temporary staff). This means that a total of 1,161 people were working for secunet Group (31 December 2022: 1,067 people). The increase in the number of employees is mainly due to new hires.

At the end of the 2023 financial year, secunet AG employed 853 permanent employees (31 December 2022: 799).

Overall statement on the earnings, financial and net assets situation

The Management Board continues to assess the economic situation of the Group and the Company as good at the time of reporting.

The increase in sales revenue shows that secunet Group can continue to achieve significant growth. The company has also successfully expanded and diversified its product portfolio. Although the Management Board is not satisfied with the decline in EBIT and the failure to meet the initial earnings targets, it believes that secunet Group remains extremely profitable. The change in the product mix and the investments made are considered as having a short-term negative impact on the margin. The Management Board is convinced that the investments represent an essential step that is necessary for the medium and long-term growth of the company and opens up additional growth potential.

The positive results and the secunet Group's cash-generative business model have led to a pleasing cash flow from operating activities. This financial strength is also reflected in a strong balance sheet, in particular in a more than solid equity ratio of over 40%.

Risk and opportunity report

Goals and methods of risk and opportunity management

Risk and opportunity management (hereinafter ROM) is carried out in the same way and in parallel for secunet Group and for secunet AG. The function presented below and the description of individual risks and opportunities thus apply to both secunet Group and secunet AG.

ROM at secunet is carried out at various levels: Accordingly, the consideration of the risk and opportunity situation is fed from various sources.

Risks and opportunities relating to the targets set in the current annual planning are dealt with in a dedicated risk committee – the ROM Committee.

Recurring operational risks and opportunities are taken into account as part of the regular operational routines and risk minimisation or opportunity maximisation measures and are reduced or eliminated (risks) or supported (opportunities) to the fullest extent possible.

Risks and opportunities that are countered by means of strategic, medium to long-term measures are taken into account by the Management Board as framework conditions for medium-term strategic corporate planning.

The early risk detection system and the risk and opportunity management system of secunet AG are being continuously developed and improved.

Risk and opportunity management for the current planning and financial year

ROM relating to the targets set in the current annual planning is carried out at secunet by a risk committee, the ROM Committee. This comprises the members of the Management Board, the commercial manager and the departmental manager responsible for risk management. The ROM Committee holds regular meetings once a quarter. Developments that could jeopardise the fulfilment of objectives, or which may even threaten the survival of the Company, are subjected to intense analysis, scrutiny and assessment by the risk committee. The aim of doing this is to ensure that information about risks, and the associated financial implications, is detected as early as possible in order to be able to implement suitable measures. The existing opportunities and associated potential for earnings are to be identified and leveraged.

As part of the preparation for meetings of the risk committee, a comprehensive risk and opportunity inventory takes place in each area of the Company. Following a bottom-up approach, the significant risks/opportunities are identified as well as assessed and aggregated according to their damage extent or earnings contribution and probability of occurrence. Significant risks and opportunities are to be recorded, for which the materiality threshold was defined as a deviation of 1% or more from the respective target figure. In principle, all risks can be included; for risks above the materiality threshold, this is mandatory. In parallel with the inventory of risks and opportunities, the plausibility of this information is checked by comparing it with the current sales and earnings projections, which are maintained by the sales management and financial controlling departments. The results of the plausibility check are also included in the risk and opportunity inventory.

The Company-specific risks and opportunities surveyed in this manner are then discussed at the risk committee meetings, implementing a top-down approach, and revalidated. A net presentation is shown when evaluating the potential damaging effects of risks, or the effects on earnings of opportunities, in other words the effects of any risk minimisation / opportunity improvement measures already taken are considered as part of the evaluation. Depending on the probability-weighted damage value of the risks /earnings value of the opportunities (risk value / opportunity value), the further treatment of the risks and opportunities is then determined according to standardized maxims for action. These range from pure documentation where the value is negligible (the probability-weighted damage value / opportunity value for secunet Group in the 2023 financial year amounting to less than around 0.3 million euros in EBIT losses; "low risk / low opportunity") and further observation and monitoring of existing measures (for a damage value / opportunity value for secunet Group in the 2023 financial year in the amount of under around 2.0 million euros; "medium risk / medium opportunity") to the need to take and monitor measures immediately (reporting threshold – for a probability-weighted damage value / opportunity value for secunet Group in the 2023 financial year exceeding around 2.0 million euros "high risk / high opportunity").

The value limits defined above are re-determined annually based on the planned annual result. Insofar as the identified risks / opportunities are quantifiable, the corresponding risk / opportunity values (relating to the reporting date) are adopted in the reporting system.

If required, proposals for countermeasures are then drawn up in the case of risks and support measures in the case of opportunities. The Management Board reviews these measures and ensures that they are implemented in a timely manner.

The operating risks and opportunities considered in this part of ROM for secunet Group and thus also for secunet AG as the parent company of the Group are primarily classified according to their origin in the functional areas of secunet as follows:

» Sales risks / sales opportunities: these are risks and opportunities in all areas connected with distribution. They relate primarily to the functions purchasing and inbound logistics, sales and outbound logistics as well as distribution and marketing.
» Product risks / opportunities: these are the risks and opportunities that can arise in connection with products and solutions from secunet. They relate primarily to risks from technical defects or potential security weaknesses in the components used. Also included in this category are risks from the divisions responsible for planning and coordinating the market-readiness of products and solutions from secunet Group.
» Project risks / opportunities: these are the risks and opportunities that can arise in connection with development and consulting projects. They mainly include the risks relating to budget planning and subsequent budget compliance. Opportunities can arise when projects are completed better than planned.
» Structural risks / opportunities: these are the risks and opportunities arising from support functions such as finance and controlling, legal and human resources, and IT. Risks from M & A activities and compliance risks are also recorded here.

At the time of preparing this report, the risk and opportunity situation with regard to operational risks is as follows:

» Sales risks primarily include risks from the postponement of major projects, for example as a result of budget cuts by major customers. These sales risks are compensated by sales opportunities that arise, for example, from large new projects or the expansion of existing major projects in the public sector. Sales risks also include risks from supply bottlenecks. These are mitigated by means of active supply chain management (for example through a build-up of inventories and continuous close coordination with the most important suppliers).
» Product risks result primarily from higher than expected time expenditures for the development and approval of new products. This indirectly influences the sales opportunities through these products.
» The project risks mainly consist of budget deviations. These are mitigated by means of coordination with the customers (adjustment of the budget, change requests in the project planning) and by including the risks in the forecast (adjustment of results).
» Structural risks for example, impending value adjustments on inventories or other unplanned expenses – are more than compensated for by opportunities in this category.

Operational risk and opportunity management

Operational risks and opportunities are risks / opportunities affecting ongoing business operations that can arise repeatedly. They are recorded, evaluated and, as far as possible, excluded or exploited through specific risk minimisation or opportunity improvement routines. These control mechanisms are applied at various points in the value creation process.

Distribution or sales risks are discussed within the framework of distribution coordination via risk committees. Risk committees must be held in the case of orders that exceed a defined value. These committees are made up of at least the representatives of the responsible (sales) department, the division / business unit expected to be entrusted with the desired order, the commercial manager, representatives of the legal department and purchasing as well as a member of the Management Board. The goal of the risk committees is to decide for the respective order or invitation to tender, on the basis of transparent criteria, whether and how a bid can be submitted or an order accepted. A standardised synoptic presentation of the risks and opportunities of the respective tender object serves this purpose.

Since a discussion of the risks, including an assessment of their acceptability, is conducted by the risk committees in each case, and the decision recognises the risks as acceptable, they are considered to be low at the time of writing this report.

There is a general project management risk when it comes to major projects. In addition, there are specific risks for long-term major projects. At secunet, such project risks are identified and evaluated in the higher-level project coordination and mitigated by means of appropriate measures. The project management risk arises after the commissioning of major projects: these projects are characterised by multiple uncertainties in their implementation due to the sheer fact of their size. The risk may consist, for example, of a failure to maintain schedules and project budgets. secunet takes these risks into account by means of a comprehensive project management system, which is used to create regular management reports for project managers, division heads and the Management Board. The risks arising from major projects are continuously monitored – in the same way as development risks – with comprehensive project planning and control mechanisms, in conjunction with a risk-oriented reporting system. In the event of deviation from the set targets, measures to reduce the risk are resolved and implemented immediately. These can consist of making additional capacity available for processing the project or discussing deviations with the customer in order to bring expectations into line with the altered framework conditions. The risks arising in the course of project management are sufficiently mitigated by the corresponding measures. Accordingly, the project risks outlined are considered low at the time of writing this report.

There were no significant project risks as at the end of 2023; accordingly, this risk class was assessed as low.

Product risks can arise in various forms. They are largely mitigated within the framework of operational management processes, with the effect that they are considered low at the time of preparing this report.

Product risks can arise in the individual phases of a product life cycle. In conjunction with the development of new products – including corresponding major projects – the following risks are discussed and evaluated regularly:

» Risk of a possible decline in demand: the product fails to prove itself on the market.
» Risk of undesirable technical developments: the product contains defects that lead to warranty claims.
» Risk of failure to complete the product in time: the development project takes considerably more time than estimated.

At the time of preparing this report, there is no market risk and no risk of undesirable technical development. Only the latter development risks are taken into consideration. These have an impact mainly as a sales risk within the framework of the risk assessment for the current financial year.

In the past, secunet primarily developed products and solutions in response to orders to cover specific security needs in the public sector. Its high-security IT solutions were tailored precisely to customers' needs; secunet products were generally not designed without a specific requirement in mind. Most of the products developed by secunet were made to order and were accordingly financed by the customer. Therefore, no development risks existed in terms of potentially waning demand. The risks associated with developing new products that subsequently prove unsuccessful on the market have therefore not been of primary significance for secunet in most product areas.

The development of secunet's own products, such as the secunet konnektor, SINA Communicator and easykiosk, has increased the volume of related internal investments. This has brought development risks more into the focus of risk evaluation. The focus here is less on the sales prospects associated with the products than on the duration of development and certification. The greatest risk for development projects may be underestimation of the time required before they are ready for acceptance. This can lead to expenditure of time and personnel, which limits the profitability of these projects. In order to keep these risks as low as possible, secunet uses extensive project planning and control mechanisms in different locations, paired with a dedicated reporting line. This part of the risk analysis and risk management is identical to the activities that apply for major projects. In the area of development projects, the risk at the time of creating this report is classified as low.

The secunet AG product portfolio is concentrated on solutions in the area of cybersecurity. In the case of the SINA product family in particular, these solutions are protected and approved at a high level in cryptographic terms. One risk that is evaluated on an ongoing basis in connection with the technical properties of these products is the effect of any possible – as yet undetected – security weaknesses. In this context, the focus is on the question of whether and to what extent the security promise made to its customers by secunet in connection with the solution as a whole is compromised as a result of security holes in individual components. This is the task of operational incident management, another component of risk management at secunet. A comprehensive process of ongoing risk identification and assessment takes place in this area for the purposes of risk minimisation. As part of this process, secunet collects and evaluates findings about potential security risks from a wide range of sources. Even if potential vulnerability of the systems merely seems possible as a result of this evaluation, customers are informed immediately and supported in closing the potential security hole. This process of monitoring and solving potential technical security risks is implemented in close collaboration with the Company's development and certification partner, the German Federal Office for Information Security (BSI). In view of the risk minimisation measures in use, the economic risk connected with technical product security is believed to be low.

Strategic risk and opportunity management

Medium and long-term risks and opportunities for secunet are taken into account in the course of strategic planning. They are summarised in the risk and opportunity categories of strategic risks (macroeconomic framework conditions, market dynamics and the development of the competitive situation as well as risks in investments and M & A activities and capital market risks) as well as risks relating to sustainability and compliance risks. These framework conditions and the consequences for the strategy are regularly discussed as part of the planning process with the Supervisory Board, which approves and follows up on this planning.

The risks considered here include the following:

Macroeconomic developments such as economic trends (possible recession), inflation and interest rate trends are included in the analysis, but are not considered material for secunet. This is due to the fact that secunet products have so far mainly been used in infrastructure projects of public authorities, which are much less susceptible to economic cycles than projects in the private sector. Inflation expectations are included in the planning. Beyond this, secunet has only taken out short-term loans and is thus relatively independent of interest rate developments.

As a special matter, the Management Board discussed the impact of the war in Ukraine during strategic planning. There are no risks from supplier or customer relationships. Indirect effects are considered to be low.

Market risks are more than offset by market opportunities. Rapid technological change, which creates a high pressure to innovate and increases competitive pressure due to the attractiveness of the market for IT security, are seen as risks. Opportunities arise from fundamental market growth as a result of growing digitalisation, complemented by the desire for digital sovereignty and cyber resilience. Trustworthy IT security products made in Germany are thus in demand. Regulatory requirements, for example from the German IT Security Act, are additionally driving demand.

The concentration of secunet's business on the German market, the target group of public sector users with relatively few large customers who are essentially served with one product family (SINA) are seen as potential risks. In addition to the fact that these aspects can equally be interpreted as a stable basis for sustainable business, secunet's strategy is to exploit growth opportunities in the private sector (Business Sector) and in international markets.

As with the operating divisions, supply risks are considered very significant in the strategy. Geopolitical developments ("America First" orders, the war in Ukraine, the war in the Gaza Strip, the changes in procurement relationships) exacerbate the fundamentally tense supply situation on the international market for semiconductors. This is reinforced especially for secunet by the fact that often only single suppliers are approved for the high-security sector. The single-source dependency makes it almost impossible to switch to alternative suppliers. Permanent risk-minimising supply chain management is thus important both operationally and strategically. Previous experience in the operating divisions has shown that secunet can deal with these challenges and gives us confidence for medium term.

On the procurement side for personnel, the shortage of skilled workers as well as demographic change create challenges for the future. As a result, secunet strives to continue to be recognised as an attractive employer.

Growth through acquisitions continues to be seen as an opportunity in strategic areas. The acquisition of SysEleven GmbH in the financial year 2022 has shown that secunet can carry out successful transactions. secunet also actively continues to identify suitable and commercially viable acquisition targets.

Overview of risks and opportunities

An overview of risks and opportunities which could impact on the further development of secunet Group shows a positive evaluation overall. The assessment revealed that the risks at the time of creating the report can be controlled overall, and the identified risks do not threaten the continued existence of the Group and the Company in terms of illiquidity or excessive debts in the reporting period of at least one year. The overall risk position has not changed significantly compared to the previous year. The opportunities identified support this assessment. In the operational management of the Group, measures are continuously being taken to prevent a worsening of the risk situation. At the same time, the utilisation of the opportunities described above is being driven forward by a number of activities. No material risks are present as at the balance sheet date.

The business development of secunet AG is subject to the same risks and opportunities as those of the Group. The presentation and evaluation of risks and opportunities thus also apply in the same way for secunet AG.

Forecast

Premises of the forecast

The forecasts for the secunet Group and secunet AG include all information known to the Management Board at the time of preparing this report that could impact business performance. The outlook is based, among other things, on the expectations described below for economic development as well as the development of the IT and IT security market.

With regard to secunet Group as well as the individual Public Sector and Business Sector divisions, unforeseeable events could influence the currently expected development of the company or individual divisions.

The developments forecast for the key financial performance indicators apply exclusively to the development of the secunet Group in the Group structure as at the reporting date of 31 December 2023 (consolidated Group). Any acquisitions in the 2024 financial year are not taken into account.

General economic environment

With a revenue share of around 91% in the 2023 financial year, Germany is secunet Group's key sales market.

The Kiel Institut für Weltwirtschaft (IfW Kiel) reports increasing downside risks in its winter forecast. The economic outlook for the coming years has clouded over due to impending budget consolidation.

The economic consequences are largely dependent on the specific austerity measures and the strength of the knock-on effects, about which there is great uncertainty. This uncertainty is also affecting the behaviour of economic players and leading to a reduced willingness to invest. The IfW Kiel forecasts economic growth of 0.9% for 2024, while an increase of 1.2% is expected for 2025. However, the experts point out that an even weaker development is possible, particularly if the savings have a greater impact on the economy or are more extensive. A recession in 2024 is considered unlikely, but cannot be ruled out.

Sector-specific framework conditions

Market for information and communication technology (ICT)

In addition to the general economic development in Germany, the overall market for information technology and telecommunications (ICT) forms an essential framework for secunet Group's economic development. Market statistics are compiled by the digital association Bitkom.

Bitkom expects spending on information technology and telecommunications (ICT) to increase by 4.4% compared to 2023 to a volume of 224.3 billion euros in 2024. The market for information technology (IT), which is particularly relevant for secunet Group, is expected to grow by 6.1% to 151.5 billion euros. This market comprises IT hardware, software and IT services. The forecast indicates that expenditure on software is likely to record the strongest growth, with an increase of 9.4% to 45.4 billion euros. Expenditure on IT hardware is expected to rise by 4.6% to 54.4 billion euros, while expenditure on IT services is expected to increase by 4.8% to 51.7 billion euros.

Market for IT security

According to current data from Bitkom (as at October 2023), expenditure on IT security in Germany is forecast to increase by around 13% to 10.3 billion euros in 2024. Expenditure is thus expected to exceed the 10 billion euro mark for the first time. This confirms the continued growth momentum of the IT security market, following growth of around 13% in the previous year.

Company-specific framework conditions

Strategy

One focus is on expanding the public customer base and on the continuous further development of key technologies, such as the SINA product family. In doing so, secunet Group always pursues the guiding principle of further intensifying the transformation of its core business models towards the cloud. In addition, secunet aims to expand the business segment with a clear focus on the healthcare industry and critical infrastructures, while at the same time expanding its international presence.

Market position

The Management Board is of the opinion that secunet's products and solutions enjoy an excellent reputation. The company is recognised as a provider of high-quality and trustworthy IT security that meet the highest demands. The IT security partnership that has existed with the Federal Republic of Germany since 2004 underscores this assessment. This puts secunet Group in an excellent position to meet the increasing demand resulting from market growth.

IT security solutions "Made in Germany" enjoy an excellent reputation around the world due to their quality and trustworthiness. The international demand for high-quality solutions such as those offered by secunet is increasing. In addition to the German market, secunet focuses on countries in the European Union, EU organisations as well as defence and space organisations (including organisations such as NATO) and countries in the Middle East. The Management Board sees secunet Group as being optimally positioned to exploit growth potential in foreign markets. The employees in international distribution have extensive experience in the Group and in dealing with international customers.

Acquisitions

secunet Group strives for sustainable and profitable organic development, which is complemented by value-enhancing acquisitions. This will enable us to close gaps in our portfolio and further strengthen our technological expertise. Thanks to a stable balance sheet, secunet Group is in a position to finance the planned future growth through acquisitions, cooperation projects and partnerships.

Forecast for secunet Group

In view of the general conditions described above, the Management Board expects demand for secunet Group's products and solutions to remain strong. This assessment is also reflected in the order book, which totalled 190.2 million euros in firm orders at the start of the 2024 financial year. The risks as described in the risk and opportunity report are considered manageable by the Management Board, with the opportunities outweighing the risks. The Management Board is therefore positive about the expected development of secunet Group: it is planning sales of around 390 million euros for the 2024 financial year (previous year: 393.7 million euros).

At the same time, the Management Board plans to continue its strategic initiatives, which remain unchanged. In 2024, resources will therefore continue to be deployed in a targeted manner in order to build on the progress already made. These planned investments will also have an impact on profitability in the current financial year. As announced in October last year, the Management Board expects EBIT of around 42 million euros for the current financial year (previous year: 43.0 million euros).

Forecast for secunet AG

secunet AG is managed on the basis of secunet Group's key performance indicators. The future economic development of the company is directly dependent on the development of the Group as a whole. The statements from the Group's forecast report accordingly apply.

For the 2024 financial year, the Management Board expects sales revenue to amount to around 363 million euros (previous year: 372.4 million euros) EBIT is estimated at around 46 million euros (previous year: 43.4 million euros).

Risk reporting in relation to financial management

The financial management of the Company and the Group has a clear focus on the regulations and requirements applicable under corporate law. This ensures that all Group companies can operate as going concerns.

secunet Group and its associated companies were in a position to fulfil their payment obligations at all times. The investment of liquid funds occurs on a strictly risk-minimising basis. The ongoing monitoring of liquid funds and the coordination with liquidity demands serve to ensure the ongoing ability to pay. This is also the main objective of financial management.

As at the reporting date of 31 December 2023, there was a temporary credit line of 30 million euros with CommerzbankAG, Frankfurt am Main. This served to proactively hedge the Group's liquidity.

Risk management and internal control system

An internal control system (hereinafter referred to as ICS) exists for secunet Security Networks AG and secunet Group, which specifically pursues the following three objectives:

» Reporting: Ensuring the accuracy and reliability of internal and external financial and non-financial reporting,
» Efficiency: Ensuring the effectiveness and efficiency of business processes
» Compliance: Supporting compliance with laws, regulations, contracts and internal policies

The ICS is divided into the following sub-areas:

» Controlling environment and objective of the ICS
» ICS process with risk assessment, controlling activities and reporting
» Information and communication
» Monitoring and improvement

The ICS comprises the principles, procedures and measures to ensure the effectiveness and efficiency of business activities, the correctness and reliability of internal and external accounting, and compliance with the legal regulations relevant to the Company. It also serves to detect risks arising from potential breaches of the law and /or endangering the Company's assets or targets. It is also an information system that supports the Management Board and all stakeholders in fulfilling their tasks.

The ICS organisation is integrated into secunet Group's corporate governance system. In addition to the ICS, which is primarily geared towards managing process risks, secunet Group maintains the other corporate governance systems of the risk management system, compliance management system and internal audit system. These systems are essentially operated in parallel with the ICS. The necessary integration is carried out by the respective system managers, among other things through the exchange of information in regular meetings as well as at the level of the responsible members of the Management Board.

All relevant (essential) processes and functions are included in the ICS. Roles and responsibilities are clearly defined within the ICS.

The ICS process is designed as a cycle:

» New creation of processes including description of processes, risks and controls
» Implementation and performance of control activities in the operational processes
» Regular effectiveness assessment and reporting
» Control self-assessment: The currently valid processes and process risks as well as the current status of the documentation in the ICS are compared. This determines whether the documented ICS corresponds to operational reality and whether the defined controls sufficiently cover the process risks. If this is not the case, the process owner must define additional controls or adapt the existing controls accordingly.
» Implement possible improvements from the effectiveness assessment and the control self-assessment in the controlling activities.

The ICS process is communicated within the Company by the ICS coordinator appointed by the Management Board. An IT solution is used for documentation of the ICS, the control confirmations and the self-assessment. Those responsible for the ICS process are trained in its use by the ICS coordinator.

Statement on the appropriateness and effectiveness of the governance systems 1

In accordance with principles 4 and 5 of the German Corporate Governance Code (GCGC 2022), appropriate and effective governance systems (internal control system, risk management system and compliance management system) are required in the Company in order to deal responsibly with the risks of business activities.

As part of its ongoing internal steering and monitoring activities, the Management Board received and discussed regular reports on the governance systems during the 2023 financial year. In addition to the fulfilment of management tasks, these regular processes contribute to the continuous optimisation of these internal processes in the sense of a continuous improvement process. The Management Board is also supported in this by the internal audit department. The Management Board is not aware of any circumstances arising from its discussions of the governance systems that would call into question the appropriateness and effectiveness of these systems.

1 The section "Statement on the appropriateness and effectiveness of the governance systems" is not part of the management report and was not subjected to a substantive audit by the auditor.

Description of the key features of the accounting-related internal control and risk management system (pursuant to Section 289 (4) and Section 315 (4) HGB)

secunet Group's internal control and risk management system includes all principles, procedures and measures for ensuring the effectiveness, efficiency and correctness of the accounting system and also assures compliance with the applicable legal provisions. Risk identification and risk mitigation for the accounting-related internal control system (ICS) is carried out in the same way as for secunet's entire ICS.

secunet Group's internal control system consists of an internal steering system and an internal monitoring system. The Management Board of secunet AG – in its function as the managing body of the Company – has assigned responsibility for the internal steering system in secunet Group to the Risk Management department in secunet AG.

Process-integrated and process-independent monitoring measures are the cornerstone of secunet Group's internal monitoring system. In addition to manual process controls – such as the dual control principle – automatic IT process controls are also a key feature of the process-integrated measures. Furthermore, process-integrated monitoring is assured by means of committees such as the risk committee (ROM Committee) and by specific functions within the Group such as the Legal department. The internal audit department of secunetAG is involved in secunet Group's internal monitoring system through process-independent auditing functions.

The risk management system presented here primarily focuses on avoiding the occurrence of damage through risks.

Use of IT systems

In secunet Group, accounting processes are mainly recorded by the ERP system provided by the manufacturer SAP.

Specific Group accounting-related risks

Specific risks related to Group accounting may result, for example, from the conclusion of unusual or complex transactions and from business transactions that are not routinely performed.

Key regulatory and controlling activities for ensuring the correctness and reliability of accounting within the Group

The controlling activities for assuring the correctness and reliability of the accounting system include tasks such as the analysis of circumstances and developments using specific analyses of key indicators. The separation of administrative, executive, billing and approval functions, and their performance by different individuals, reduce the possibility of fraudulent actions. The organisational measures also focus on recording restructuring or changes in the business activities of individual divisions in the Group accounting promptly and properly. They also ensure that in the event of changes to the IT systems for the underlying accounting in the affiliated companies, for example, the accounting processes are recorded in their entirety for the relevant periods. The internal control system also ensures the mapping of changes in the economic or legal environment of secunet Group and ensures that the Group accounting is adjusted in line with new legal provisions or amendments to such provisions.

The secunet Group accounting principles, which include compliance with International Financial Reporting Standards (IFRS), ensure that the companies included in the Consolidated Financial Statements of secunet AG follow consistent accounting and measurement policies.

The internal control system measures, which focus on the correctness and reliability of Group accounting, ensure that business transactions are recorded in good time and in accordance with the law and the Articles of Association. It is also ensured that inventories are carried out correctly and that assets and debts are reported, measured and declared appropriately in the Consolidated Financial Statements. Regulatory activities also ensure that reliable and transparent information is made available in the accounting documents.

The German subsidiaries and the parent company prepare their annual financial statements in accordance with German commercial law. As part of the consolidation process, the financial statements are reconciled by Group Accounting to commercial balance sheet II in accordance with IFRS as applicable in the EU, using uniform standards. The Consolidated Financial Statements are determined by consolidating capital, liabilities, expenses and income, as well as eliminating intra-Group results, in the aggregate balance sheet and income statement.

Restrictive details

In spite of the aforementioned internal organisation, control and monitoring structures, individual discretionary decisions, defective controls, criminal actions and other circumstances cannot be ruled out. This may lead to limited effectiveness and reliability of the internal control and risk management system used, to the extent that the Group-wide application of the system cannot absolutely guarantee security regarding the correct, complete and timely recording of facts in the Group accounting and in the annual financial statements of the individual companies.

Takeover-related information pursuant to Section 289a, sentence 1 and Section 315a, sentence 1 HGB

The Management Board of secunet AG provides the following information for the 2023 financial year in line with Section 289a, sentence 1 and Section 315a, sentence 1 HGB:

1. The share capital of secunet AG remains unchanged at 6,500,000 euros and is divided into 6,500,000 bearer shares with no par value. Each share entitles the holder to one vote at the Annual General Meeting of secunet AG.
1. A restriction on the transfer ofshares of secunet AG may apply pursuant to the Foreign Trade and Payments Act (Außenwirtschaftsgesetz, AWG), owing to the products supplied by secunet AG. Section 5 (3), sentence 1, no. 2, AWG stipulates that "Restrictions … can in particular be imposed with reference to the acquisition of domestic companies or shares in such companies by foreigners in order to guarantee the essential security interests of the Federal Republic of Germany if the domestic companies … manufacture products with IT security functions to process classified state material or components essential to the IT security function of such products, or have manufactured such products, and still dispose of the technology if the overall product was licensed with the knowledge of the Company by the Federal Office for Information Security." Apart from the restrictions under the AWG, the shareholders of secunetAG are not restricted either by German law or by the Company's Articles of Association in their decisions on the acquisition or disposal of the Company's shares.as licensed with the knowledge of the Company by the Federal Office for Information Security. In particular, the acquisition and disposal of shares does not require the approval of the Company's corporate bodies or other shareholders in order to be valid. The voting rights of shareholders are not subject to any restrictions arising either from legislation or the Articles of Association of the Company. The Management Board is not aware of any agreements between shareholders that give rise to restrictions on the transfer of the Company's shares.
1. To the knowledge of the Management Board, 24.41% of the Company shares are free floating. To the Management Board's knowledge, direct and indirect capital holdings exceeding 10% of voting rights are held by Giesecke + Devrient GmbH, Munich, which had a direct stake of 75.12% as at 31 December 2023. MC Familiengesellschaft mbH, Munich, has an indirect holding of 75.58% in secunet AG (including the treasury shares held by secunet AG) via its participation in Giesecke + Devrient GmbH. In turn, Verena von Mitschke-Collande, Germany, likewise has an indirect holding of 75.58% in secunet AG via her majority holding in MC Familiengesellschaft mbH. On 8 February 2024, secunet AG was informed that Verena von Mitschke-Collande no longer had a controlling majority of voting rights and that Celia von Mitschke-Collande, Marian von Mitschke-Collande, Sylvius von Mitschke-Collande and Gabriel von Mitschke-Collande now hold the voting rights.
1. secunet AG has not issued any shares that grant special rights.
1. Like the rest of the Company's shareholders, employees and members of the Management Board who hold some of its capital also make their own decisions on the exercise of their voting and control rights and therefore exercise their control rights directly.
1. The Management Board of secunet AG is appointed and dismissed in accordance with the applicable legal provisions, in particular Sections 84 and 85 of the German Stock Corporation

Act (Aktiengesetz, AktG). The Articles of Association do not contain any special provisions governing the appointment and dismissal either of individual members or of the entire Management Board. The Supervisory Board has sole responsibility for its / their appointment and dismissal. It appoints members of the Management Board for a maximum term of five years. Members may be reappointed or have their term of office extended, in each case for a maximum of five years. In accordance with Section 179 AktG, changes to the Articles of Association require a decision by the Annual General Meeting; changes that only affect the wording may also be conferred to the Supervisory Board. The amendment becomes effective upon entry in the Commercial Register. In accordance with Article 22 of the Articles of Association, the resolutions of the Annual General Meeting require a simple majority of the votes cast, insofar as the Articles of Association or statutory legal provisions do not specify anything to the contrary. Article 10 (5) of the Articles of Association entitles the Supervisory Board to decide on amendments to the Articles of Association that only affect the wording.

1. The Management Board is not authorised to issue new shares. The Articles of Association of secunet AG do not provide for a contingent capital increase, nor do they include any authorisation for the Management Board to increase the share capital by issuing new shares in return for capital contribution (approved capital). Furthermore, as set out in Section 71 (1), no. 8, AktG, there is no authorisation to purchase treasury stock. As at 31 December 2023, the Company held 30,498 bearer shares, which it purchased on the basis of an authorisation issued during the Annual General Meeting held on 29 May 2001. As per resolution of the Annual General Meeting on 27 May 2009, the Management Board is entitled to divest these shares on a stock exchange with the agreement of the Supervisory Board. As at 31 December 2023, the Management Board of secunet AG had not made use of this authorisation.
1. The Company has no significant agreements that are contingent upon a change of control due to a takeover bid.
9.,The Company has concluded no compensation agreements with any members of the Management Board or employees in the event of a takeover bid.

Management and control – reference to the Corporate Governance Statement pursuant to Sections 289f HGB and 315d HGB

As a German public company limited by shares, secunet AG has a dual management and control structure. The Company and the Group are managed by the Management Board, whose members are appointed by the Supervisory Board. The Supervisory Board advises the Management Board and monitors its conduct of business.

A detailed explanation of the management of secunet Group can be found in the Corporate Governance Statement pursuant to Sections 289f HGB and 315d HGB, which is made available in this Annual Report and on the Company's website (www.secunet.com) under >> About us >> Investors >> Corporate Governance.

In accordance with Section 317 (2), sentence 6 of the German Commercial Code (HGB), the information in the Corporate Governance Statement is not included in the audit of the annual and consolidated financial statements.

Combined non-financial statement of the Company and the Group

About this statement

With this combined non-financial statement of the Company and the Group, secunet is meeting its obligation to disclose non-financial information for the 2023 financial year as set forth in the "Act to strengthen non-financial reporting by companies in their management reports and group management reports (CSR Directive Implementation Act, CSR-RUG)" pursuant to Sections 315b, 315c in conjunction with 289c – 289e of the German Commercial Code (HGB) and REGULATION (EU) 2020 / 852 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 18 June 2020 on the establishment of a framework to facilitate sustainable investment, and amending Regulation (EU) 2019 / 2088. The present statement is accessible to the public together with the combined Management Report on the position of the Company and the Group on the Company's website (www.secunet.com) under >> About Us >> Investors >> Financial publications.

In accordance with Section 317 (2), sentence 4 of the HGB, the information in the combined non-financial statement of the Company and the Group is not included in the audit of the combined Management Report. Instead, the combined non-financial statement of the Company and the Group has been audited with limited assurance by BDO AG Wirtschaftsprüfungsgesellschaft in accordance with the requirements of the International Auditing Standard ISAE 3000 (Revised).

When preparing the non-financial statement, secunet adheres to the classification based on the statutory requirements pursuant to Section 289c HGB in the selection of relevant aspects and the description of concepts. We have refrained from using a framework. In order to focus on the clarity of reporting in relation to the requirements of the German Commercial Code (HGB), we have retained the following breakdown by overarching governance issues, responsible corporate governance, employee issues, social issues and environmental issues from previous years. The section on "respect for human rights", which has gained in importance at least due to the implementation of the Supply Chain Due Diligence Act, has been added. Within these matters, we have included the topics deemed to be material on the basis of the materiality analysis. A separate internal process has been set up to prepare the non-financial statement. In addition to the relevant specialist departments, the Company management is also involved in this process.

The basis for selecting the content of the material sustainability topics for the statement was a materiality analysis conducted in 2023. This analysis was performed through a dialogue with key stakeholders with regard to these matters within the Company: These are the CTO Office, Marketing, Compliance, Corporate Law, Human Resources and Quality and Environmental Management. In preparation for the upcoming reporting obligation under the CSRD, the concept of dual materiality has already been applied accordingly. For this year's report, however, the topics analysed were brought back into line with the requirements of the CSR Directive Implementation Act (CSR-RUG): Those topics were deemed to be material that have a relevant impact on the respective aspects and on the business performance, the operating result and the position of secunet AG and secunet Group. Following this methodology, environmental matters and human rights were also assessed as material to the Group this year. The following topics were deemed to be material to the non-financial statement for the 2023 financial year:

» Overarching governance issues
- Risk management
- Control systems
- Role of the Company's administrative, management and supervisory bodies
» Responsible corporate governance (compliance), combating corruption and bribery
- Corruption & bribery
- Anti-competitive behaviour, political engagement & lobbying
- Business conduct
» Respect for human rights
- Workers in the value chain
» Social matters
- Consumers / end users
» Employee matters
- Working conditions
- Equality / anti-discrimination
- Other work-related rights
» Environmental matters
- Energy
- Climate protection (emissions)
- Circular economy

secunet's goal is to generate a positive impact on the individual aspects with its business activities and with its products and services and to minimise negative consequences continuously to the greatest extent possible. The materiality analysis therefore also includes an impact and risk analysis for the issues under consideration. In preparation for the upcoming reporting obligation under the CSRD, the impacts (effects of business activities on the issues), risks and opportunities (IROs – Impacts, Risks and Opportunities) associated with the aspects of the material topics were assessed. For this year's reporting in accordance with the CSR-RUG, the risks associated with the aspects of concern were assessed in the same way as in the previous reporting year using the method for determining corporate risks. Principal risks are defined in Section 289c (3), no. 3 and 4 HGB, as risks that are associated with the business activity and business relationships of the Company and the Group and are highly likely to have a severely negative impact on the aspects of the matters. The risk assessment did not identify any significant non-financial risks.

Business model

The business model of secunet Group and secunet AG as well as their resilience are described in detail in the "Principles of the Group" section of this combined Management Report for 2023. Responsible and sustainable conduct, social acceptance and a high degree of integrity are essential preconditions for the economic success of our Company. With this in mind, secunet, as one of the leading German providers of sophisticated IT security, has set itself the goal of contributing to sustainable economic, environmental and societal development.

Overarching governance issues, control systems

secunet has recognised the strategic relevance of sustainability issues and the increasing demands of external stakeholders. For this reason, sustainability issues have been incorporated into the strategic planning process for secunet Group. In addition, the Supervisory Board of secunet AG has adopted a remuneration system for members of the Management Board that takes into account non-financial performance targets and ESG targets and has been in force since 2021. The ESG targets, their weighting and the respective target achievement are determined by the Supervisory Board for each assessment period. The remuneration system for members of the Management Board of secunet AG is described in detail in the remuneration report pursuant to Section 162 of the German Stock Corporation Act (AktG).

The Supervisory Board and Management Board also deal with issues of sustainability and sustainability reporting and seek expert advice in this regard. When decisions are made on measures and management concepts relating to sustainability, relevant non-financial topics are reported to and discussed by the Management Board of secunet AG.

secunet's control systems and risk management system, which are described in detail in this management report, also already take sustainability issues into account in various forms. The integration of sustainability issues into risk management and control systems is to be expanded further.

An ESG Committee was established in March 2023 for the internal coordination of ESG topics across all departments at secunet AG and within secunet Group; all departments with a connection to ESG topics are members of this committee. The ESG Committee presents and discusses current developments and activities as well as sustainability reporting.

Membership of the UN Global Compact

secunet joined the United Nations Global Compact in 2023. secunet AG is thus committed to supporting the ten principles of the United Nations Global Compact in the areas of human rights, labour, the environment and anti-corruption. Furthermore, secunet is committed to integrating the UN Global Compact and the principles into its corporate strategy, corporate culture and day-to-day business and to participating in cooperation projects that promote the general goals of the United Nations, in particular the Sustainable Development Goals.

Responsible corporate governance (compliance), combating corruption and bribery

Tone from the Top – Corporate Culture

Integrity is our industry's highest asset. We live diversity, tolerance and openness and treat everyone with respect. We always act in accordance with legal regulations. In order to live these values and corporate principles, secunet has implemented a Compliance Management System that applies throughout the Group. With this, secunet defines uniform standards for key compliance issues across the Group.

The Management Board has the overall responsibility for ensuring that applicable laws are observed and compliance risks are monitored and mitigated. The Compliance Officer is responsible for coordinating the Compliance Management System. She reports directly to the Chief Financial Officer on a weekly basis and to the Audit Committee and Supervisory Board of secunet AG on an annual basis. In addition to further developing the Compliance Management System, she draws up policies, advises employees, reviews contracts and codes, receives complaints and tip-offs, and coordinates the clarification of compliance cases.

In 2022, the appropriateness and effectiveness of the Compliance Management System was certified by an external audit in accordance with IDW Auditing Standard 980. For 2023, the appropriateness and effectiveness were reviewed by means of a self-assessment in a cross-check with Internal Audit. This did not result in any findings.

In order to meet our responsibility towards our stakeholders and at the same time act as a business partner with integrity and responsibility towards our stakeholders, risks are identified and assessed both inside and outside the company.

Within the framework of the Compliance Management System, compliance risks are reassessed (compliance risk assessment), particularly in the areas of corruption and antitrust law. Qualitative compliance risks were recorded for the first time in 2023. From this, preventive and / or required measures are derived, summarised as a compliance programme and implemented in the current financial year.

The compliance programme includes training and communication measures relating to individual risk areas, business partner audits, implementation and maintenance of processes and tools, policies and general advice on compliance issues.

The compliance programme was expanded in 2023 to include the following points:

» Expansion of the sales-supporting business partner process (business partner due diligence)
» Expansion of the compliance ICS
» Expansion of the whistleblower system to include the requirements of the Whistleblower Protection Act (HinSchG)
» Establishment of a complaints mechanism in accordance with the Supply Chain Due Diligence Act (LkSG)
» Preparatory measures and process development for the implementation of the Supply Chain Due Diligence Act (LkSG) in the coming financial year
» Clarification of the regulations for handling donations

Code of Conduct

One of the central elements of our Compliance Management System is the Code of Conduct for employees. A new Code of Conduct for employees was adopted at the end of 2022. Every employee of secunet Group is obliged to comply with the principles of conduct. Since August 2022, new employees have received a copy of the applicable Code of Conduct as an annex to their employment contract. The Code of Conduct is supplemented by several Group and company policies. This binding framework helps employees to make the right decisions in their day-to-day work and follow secunet values.

Training Courses

All employees are obliged to take part in digital training courses on compliance issues every two years. The second year of training began in the year under review, with SysEleven GmbH employees also being trained using the digital training tool for the first time.

Whistleblower System

secunet Group's whistleblower system enables all employees, business partners and third parties to report breaches of regulations. Information can be submitted by e-mail, via the electronic whistleblowing system, by post, in person and / or by telephone. Anonymous reports can also be submitted.

The whistleblower system serves to make secunet Group aware of potential risks and to avert damage to the Group and its stakeholders and to protect people harmed by violations.

In 2023, rules of procedure were drawn up with the aim of ensuring a fair and transparent procedure that takes into account both the principle of proportionality for the persons concerned and also the protection of the whistleblower.

Furthermore, the whistleblower system has been adapted to the requirements of the Whistleblower Protection Act (HinSchG) and the Supply Chain Due Diligence Act (LkSG).

The reporting criteria have been expanded to give complainants the opportunity to point out suspected human rights violations, report breaches of the rules and demand remedial action. This also helps with the identification and assessment of corporate risks.

In the 2023 reporting year, the Compliance Office received four reports that were considered relevant. However, following thorough investigation, no reportable offence was identified. Furthermore, no reports were recorded by the authorities responsible for secunet and forwarded to secunet.

Anticorruption

As an active participant in the UN Global Compact, we are committed to fighting and counteracting corruption and bribery in all its forms. Part of the Code of Conduct is a zero tolerance policy with regard to any form of corruption and bribery. This principle is also laid down in the separate Anticorruption Policy that applies throughout the Group. The aim is to minimise the risk of corruption as far as possible.

The Code of Conduct and the Group Anticorruption Policy expressly prohibit all forms of corruption and bribery. This prohibition also applies to our business partners who conduct business for us, together with us or on our behalf.

In addition to instructions on dealing with donations in the private sector or to / from public officials, the Anticorruption Policy sets out binding requirements for the commissioning of sales-supporting business partners.

The Anticorruption Policy also identifies reporting channels for reporting suspected violations or obtaining further advice.

Employees of secunet Group are taught how to behave with integrity and in compliance with the rules in mandatory training courses held in a two-year cycle. The corruption prevention training courses cover the topics of anticorruption and dealing with conflicts of interest. Furthermore, information on these topics is made permanently available on the intranet. The Compliance Office uses various communication channels (intranet, e-mails or an internal compliance blog) to inform the workforce about compliance-relevant requirements or innovations.

In 2023, the process for dealing with sales-supporting business partners (due diligence) was reorganised and event planning was regulated under consideration of compliance aspects.

In 2023, secunet Group did not receive any convictions or penalties for violations of anticorruption laws.

Antitrust Law

A zero-tolerance policy also applies to behaviour that restricts competition. This principle is laid down in the separate Antitrust Law Policy that applies throughout the Group.

Mandatory employee training also includes the topic of antitrust law. Here, employees are sensitised and receive advice on conduct with a view to avoiding activities that are questionable under antitrust law.

Respect for human rights

Compliance with internationally applicable human rights and labour standards is a matter of course for secunet. We respect and support the principles and obligations of the International Labour Organisation (ILO), the Supply Chain Act and the UN Global Compact. We do not tolerate any form of slavery or human trafficking. Any employment relationship entered into with secunet Group shall be on a voluntary basis and may be terminated by the contractual partner subject to a reasonable period of notice. The workforce is remunerated in accordance with the applicable German wage legislation as well as taking into account the minimum wage and legally prescribed fringe benefits.

The Code of Conduct reflects the ethical principles and defines the requirements, for example, in the areas of health and safety at work, non-discrimination as well as human rights and equal treatment. Via the whistleblower system, which is available on secunet's website for employees, suppliers, business partners and third parties, violations of human rights or labour rights or cases of discrimination can be reported personally or anonymously. Material violations would be reported to the Management Board.

There were no serious human rights violations or incidents related to our workforce during the reporting period. We pride ourselves on maintaining a working environment that ensures respect for the human rights of all our employees.

From 1 January 2024, secunet AG will fall within the scope of the LkSG. Measures have already been taken accordingly. The Compliance Officer has been appointed Human Rights Officer of secunet Group by the Management Board. The Human Rights Officer is supported by the LkSG Board, which deals with both human rights issues and ESG aspects along the supply chain. The LkSG Board consists of members from the Sustainability, Compliance and Purchasing departments and meets on a monthly basis. From 2024, the LkSG Board will be expanded to include Supply Chain Management and Environmental Management. The Human Rights Officer is responsible for monitoring risk management. In the future, appropriate measures will be taken to integrate this further into the relevant business processes. Industry-specific features will be incorporated accordingly with the publication of the Bitkom LkSG handout at the beginning of 2024. From 2024, the Human Rights Officer will inform the Management Board about the LkSG risk management system at least once a year and, if relevant, on an ad hoc basis. For the implementation of LkSG risk management, the LkSG Board undertook the initial risk analysis in the form of identification and assessment of risks both within its own area of business and at direct suppliers with the aid of various stakeholders as contributors.

By means of its Code of Conduct, secunet passes on to its business partners and suppliers its principles of conduct with regard to human rights, working conditions, environmental protection and business practices that comply with the law and are based on integrity.

This is an essential building block for fulfilling our social, ecological and economic responsibility in the supply chain.

Further detailed implementation of contractual assurances with regard to compliance and realisation of expectations along the supply chain will be expanded in the 2024 financial year.

Employee matters

The creativity, motivation and integrity of our employees are decisive factors and contribute significantly to the corporate success of secunet AG. Their commitment, flexibility and expertise are part and parcel of the strengths our Company has been shown to possess.

The staff members at secunet are permanent salaried employees working in Consulting, Development, Sales, Product Management, Administration and Services. They are joined by student trainees and interns and, in rare cases where there is a specific need, external staff (e. g. temporary workers) as stand-in personnel in administration departments. On account of the uniformity of these groups, the measures described below apply to all employees.

Department	Permanent employees	Apprentices	Students, temporary workers, etc.	Total
Group Services	214	5	33	252
Operational Services	834	0	94	928
Total	1,048	5	127	1,180

Remark: The employee figures shown in the table include all active contracts, including those on parental leave, employees who are currently not receiving a salary and managing directors of subsidiaries. This ensures a comprehensive overview of the company's entire workforce.

In addition to the permanent employees, secunet also engages freelancers in certain productive areas in order to overcome capacity bottlenecks or if highly specific expertise is required. Considering that the number of freelancers is low in relation to the permanent employees, the following statements concerning measures or key indicators apply exclusively to the permanent employees defined at the outset.

The overall responsibility for managing HR-specific topics lies with the relevant specialist department, which reports directly to the Chairman of the Management Board who is responsible for the HR department.

secunet is intent on being an appealing employer and maintaining an attractive image in the future too. To achieve this goal, secunet is pursuing a number of measures under the leadership of the HR department.

One of the means of doing so is through a continuous dialogue with the individual employees and the workforce as a whole:

In order to measure the satisfaction of the workforce (and to involve them in the design of working conditions), employee surveys were conducted in 2021 and 2023. This survey is well received by the workforce, with a participation rate of 72% in the last survey.

Concrete projects were derived from the findings of the survey in 2021. The projects for the improvement of collaboration and processes, as well as leadership were launched in 2022. They are each under the sponsorship of a member of the Management Board and are staffed by employees from all departments. The implementation of the first results and measures from these projects was carried out in 2023.

Two key findings were transformed into the "Leadership" and "Cross-divisional collaboration & processes" projects. The "Leadership" project aims to sharpen and improve the leadership image and understanding of secunet managers. By analysing operational versus strategic management, identifying potential for improvement and developing management concepts, the following results, among others, were achieved:

» Cooperative management style as the basic orientation for secunet
» Success factors for a "good" secunet manager
» Further concepts are still under development

The aim of the "Cross-divisional collaboration & processes" project is to establish a cross-divisional and cross-departmental platform in order to create a better understanding of the concerns and approaches of the other divisions and thus promote dialogue between them.

The detailed evaluation of the survey from 2023 has not yet been completed; projects are also to be initiated here as part of a continuous improvement process.

Conduct of the survey and implementation of the results are included as a non-financial component in the remuneration of the Management Board.

In the area of personnel development, secunet is focusing on strengthening the feedback culture in all directions – which is intended to allow for more in-depth, higher-quality feedback with regard to the respective activities. One essential component is the annual review meeting. The review meeting is a standardised, structured dialogue during which the employee and the supervisor assess each other in a form of performance evaluation. This enables individual advice and the possibility to find solutions for various issues with the involvement of line managers. At the same time, questions are asked about the employee's level of satisfaction with their work situation, any potential work overload and the desire for personal development. From the information provided it is possible to deduce, amongst other things, whether the employees require training. The range of education and training activities has been expanded. All employees of secunet AG took part in the annual review meetings. The participation quota is thus 100%.

In 2023, an average of about 1,244.15 euros was invested in training measures for each employee, compared to an average of around 1,197 euros in 2022 (excluding SysEleven GmbH). This includes both internal training courses on topics such as presentation and negotiation skills, as well as obtaining qualifications as a project manager, and specific external specialised training courses. Additionally, secunet provides managers with targeted training in personnel management issues.

A further channel for dialogue with the workforce is the information events organised by the CEO several times a year, known as "All Hands Meetings", where information on business development and corporate strategy is shared and employees have the opportunity to ask questions. Further information is permanently available on the company's intranet.

It is a matter of course for secunet to comply with all relevant regulations and recognised standards on employee rights. Various measures that have an impact on the occupational health and safety of the workforce are in place. These include statutory occupational health and safety provisions. The occupational health and safety officers and the HR department of secunet, supported by the occupational physician service, carry out a number of measures in order to minimise work-related physical and mental stress. It is inherent in secunet's business model that most of the workforce's tasks are carried out at the employees' desks. Our entire workforce is covered by our occupational health and safety measures.

Accident prevention is another important aspect of health promotion to which secunet attaches great importance in its organisation. In the 2023 reporting year, a total of five occupational accidents were registered in secunet Group (2022: eight) and reported to the relevant employers' liability insurance association.

secunet also enables its employees to have a free health check with the occupational physician service. In the 2023 reporting year, flu vaccination campaigns were also carried out at secunet's major locations.

secunet offers its workforce the opportunity to structure and develop their own working hours to meet their individual needs. This allows every employee, within the framework of what is operationally possible, to organise their working hours, for example, to suit their needs with regard to their family, individual life situation or an appropriate work-life balance. Employees are also largely free to determine their place of work.

In Germany, the Federal Parental Allowance and Parental Leave Act (BEEG) entitles our employees to take time off for their family after the birth of a child.

secunet also offers an Employee Assistance Service for its employees: The services include childcare, care and support for elderly relatives as well as support in acute crisis situations and all personal circumstances. The contracted service provider has the task of assisting and supporting employees in balancing their work and private lives. The services are free of charge for employees and are provided in strict confidence.

The IT sector is growing at a far greater rate than the number of qualified workers available. Competition for the recruitment of experienced employees and junior staff talent is therefore fierce.

Junior staff development and recruiting are thus key factors in developing secunet:

secunet operates sites in the vicinity of universities, providing opportunities for contact with potential employees of the future. secunet is able to secure employees for the coming years by offering students work placements during their studies, supporting them in writing their final dissertations and much more. Cooperation projects with universities are a further means of establishing networks and expanding the qualified workforce of secunet. Beyond this, secunet once again awarded a so-called Deutschlandstipendium (German Scholarship) in 2023 to promote young IT talent.

secunet successfully participated in numerous job fairs, both virtually at Job I/O and on site at the universities of Paderborn, RUB Bochum, TU Munich and TU Ilmenau. Particularly noteworthy is the participation in the Women4Tech events as part of the Job I/O virtual job fairs, with which the company emphasises its commitment to diversity and the promotion of women in technical professions. With its presence at the aforementioned universities, secunet AG has significantly increased its reach and visibility among potential applicants. Through participation in these widely varied events, secunet was able to address talented students and graduates directly.

secunet is also active in vocational training. In 2023, two apprentices in the commercial sector and three apprentices in the technical sector went through the corresponding training stages. In addition to these, there is one participant in the trainee programme aimed at young graduates.

secunet not only sees diversity in its workforce as a source of enrichment, it also sees potential for success in the plurality of its employees. It is important to secunet that diversity and equal opportunities are lived out responsibly by all employees and the management and supervisory bodies in all areas of the Group and across all hierarchical levels, genders, religious views and nationalities. There were no incidents of discrimination or harassment at secunet in the current reporting period. This underscores our commitment to a respectful and appreciative working environment for all our employees.

By treating each other with trust and respect, secunet aims to create the necessary basis for enabling each individual employee to realise his or her potential to the full. All employees, including management and supervisory bodies, must observe the secunet-wide principles of conduct and values of the Code of Conduct. Violations of these principles of conduct and values can be communicated to the appropriate bodies via internal reporting channels.

Social matters: Digital sovereignty and data protection

Through its product portfolio, secunet makes a contribution to societal issues with regard to the needs for data protection, information security and digital sovereignty. Data protection or informational self-determination is one of the fundamental rights of citizens in the European Union. Information security is an essential building block for ensuring effective data protection. Digital sovereignty refers to all efforts to achieve successful digitalisation without new structural, economic and political dependencies. Information security plays an essential role in this area as well.

secunet is one of the leading German providers of high-quality IT security. Our products and services are designed to assure information security, in particular by using cryptographic methods. Information security is, in itself, an essential precondition for digitalization based on trust.

Moreover, information security lays a foundation for effective data protection. The applicable technical requirements, as set out in the EU GDPR for example, are supplemented by consultative approaches and coupled with organisational measures. We have structured our own internal processes to ensure a high level of data security and data protection. To this end, we have integrated comprehensive measures in our business processes and implemented due diligence processes. We pursue our corresponding objectives with the assistance of the IT security officer and the secunet data protection officer. secunet AG is certified according to ISO / IEC 27001:2017 and thus meets stringent quality standards with regard to in-house information security. The continuous refinement of associated technical and organisational security measures is indicative of our commitment to providing the greatest possible data protection. We communicate requirements on data security and data protection to our suppliers via the General Terms and Conditions, which form the basis for the provision of services.

Information security and data protection are of paramount importance in all our dealings with customers. Our IT security partnership with the Federal Republic of Germany as well as the extensive number of secunet products and solutions that have been approved and certified by the Federal Office for Information Security are good indicators of this. secunet also works towards ensuring data security and data protection by providing consultative services in the fields of information security systems and data protection. The increase in revenue and the growing proliferation of secunet solutions from year to year, particularly in the public sector, are proof that the number of customers who place their trust in secunet in this regard is rising.

One example of how secunet makes a positive contribution to society is the provision of secure mobile workstations that are needed for public authorities. In order not to jeopardise their security, public authorities have often opted for the SINA Workstation S. The SINA Workstation S is part of the SINA crypto system, which secunet developed on behalf of the German Federal Office for Information Security (BSI). The solution allows existing systems to be easily migrated to the secure SINA environment. Users then continue to work without restrictions in their familiar environment, for example in MS Windows, and access the public authority network securely.

Another contribution made by secunet to society is the equipment of medical providers with the healthcare connector. With the development and certification of the secunet konnektor, secunet has applied its experience in IT security to the healthcare sector. The secunet konnektor serves as a central element for medical practices, pharmacies and hospitals, for example, to connect their computer networks to the telematics infrastructure (TI). In the future, the resilient security infrastructure of the secunet konnektor will contribute, among other things, to enabling secure and fast retrieval of personal health data (such as previous illnesses), which are immediately required especially in emergency situations.

The SINA Communicator, a multicrypto telephone with a SECRET classification level, also makes an important contribution by securing communications at government level or for particularly affected organisations, especially in times of crisis with an even greater need for confidentiality and security.

The debate concerning digital sovereignty has its origins in the discussion about the security of 5G networks. The same situation has now emerged with cloud services. The focus here is on the dependencies that have already arisen and the difficulties of still providing a secure and available infrastructure despite this degree of dependency. Technological building blocks for digital sovereignty – such as a cloud operating system, encryption, virtualisation and operational competence – are available at any rate. Harnessing and scaling them is predominantly a political decision.

Here, in particular, secunet translates the term "digital sovereignty" as freedom of choice for users who require cloud infrastructures for sensitive data (authorities, eHealth, critical infrastructures). Until now, these customers have often only been able to use large cloud operators from America or China. SINA Cloud extends the tried-and-tested SINA security architecture to include a modern cloud platform and meets the need for digital sovereignty. With this, we are developing a certifiable and transparent solution with a high level of security as a cloud operating system that allows customers to build their own cloud infrastructure with a ready-to-use on-premise solution. Certification of the trustworthy operation at secunet subsidiary SysEleven is also planned.

Our products and solutions are primarily tailored to the needs of our customers. We attach corresponding importance to customer satisfaction. This has therefore been included in the non-financial components as an element of the variable Management Board remuneration since 2021. To measure customer satisfaction, Net Promoter Score surveys have been conducted on multiple occasions.

secunet pays particular attention to anticipating technological developments. The research and development activities of secunet aim at improving and innovating processes, products and solutions. In this way secunet stays abreast of the growing need of its customers for higher security in existing infrastructures as well as for solutions dealing with threats in new technological environments.

Environmental matters: Environmental management

This year's materiality analysis has shown that environmental issues are material for secunet. There are various reasons for this assessment: Although secunet does not operate any energy-intensive production facilities, there is still an environmental impact. This includes, for example, the consumption of fossil resources for the necessary IT equipment for employees, emissions from business trips and company vehicles as well as the energy consumption for the company's own data centres and secunet sites. The use of packaging material when selling hardware and the generation of electronic waste at the end of the product life cycle must also be taken into consideration. These factors show that environmental issues are linked to secunet's business activities and can thus also be categorised as material.

With a fundamental commitment to sustainable business practices, secunet AG undertakes to protect the environment, use resources sparingly and protect the living conditions of mankind in the course of its business activities. A Code of Conduct, to which all employees are bound, and a Code of Conduct for Suppliers define the company's fundamental requirements with regard to environmentally friendly behaviour.

In 2023, secunet introduced an environmental management system in accordance with DIN EN ISO 14001. This is based on a comprehensive environmental policy: In this way, the Management Board of secunet is thus setting additional guidelines with regard to individual environmental issues such as energy efficiency, renewable energies and greenhouse gas emissions, water quality and water consumption, air quality, management of natural resources and waste avoidance, responsible handling of chemicals and compliance with relevant legal requirements.

The key environmental aspects of secunet are systematically monitored, evaluated and, where possible, tracked using suitable indicators. Targets relating to selected environmental aspects are agreed annually with the Management Board of secunet. Measures for achieving targets are systematically tracked and evaluated at the end of the annual cycle. The Management Board member responsible for environmental matters is accountable for achieving the environmental objectives.

Since 2022, secunet has been using more than 99% green electricity. This means that corresponding supply contracts have been concluded with the power utilities supplying the twelve locations. secunet Group is obliged to perform an energy audit pursuant to DIN EN 16247-1. The most recent audit was carried out in 2023. The next audit will take place in 2027 in accordance with the specified four-year cycle.

Greenhouse gas emissions are a key environmental aspect. secunet applies the international standard of the Greenhouse Gas Protocol (GHG Protocol) for its accounting. secunet aims to record, as far as possible, all greenhouse gas emissions of the Kyoto Protocol for Scope 1 and 2. At present, full recording of all categories from Scope 1 and 2 has not yet been realised. At the same time, the company is working on determining its Scope 3 emissions and steadily establishing an increasingly solid data footing for the values, some of which are still based on estimates. It is to be assumed that this will remain an ongoing challenge as part of the continuous improvement process of the environmental management system.

Since the 2021 financial year, the reduction of CO2 emissions has been set as a target within the variable remuneration of the secunet Management Board. The target for the 2023 financial year was 3.74 tonnes of CO2 per employee 1 . In fact, 1.12 tonnes of CO2 were emitted per employee. The target was thus achieved in full. Further information on the remuneration of the Management Board can be found in the remuneration report, which is part of this Annual Report.

secunet is currently evaluating ways of ensuring that the special requirements of environmental protection are also taken into account in the development, production and use of new products. The use of raw materials, the use of packaging, energy consumption, recyclability and environmentally friendly disposal are highlighted under the keywords green IT or green products.

secunet always applies pragmatic rules in its efforts to protect the environment. While compliance with the legal requirements is binding in any case, all other environmental protection activities are subject to their economic feasibility and the level of their expected benefit. secunet reserves the right to prioritise environmental protection activities. We take the utmost care when collecting data, but we can never completely rule out the possibility that individual gaps may remain in the data collection or that incorrect data may be collected. Where such circumstances are identified, they are corrected as quickly and transparently as possible.

¹ In accordance with the agreements on variable remuneration, the following emission categories from Scope 1, 2 and 3 are included in this key performance indicator: Scope 1: Mobile and stationary combustion; Scope 2: Market-based electricity emissions; Scope 3: Business trips by plane and train of secunet AG, secunet International GmbH and stashcat. Furthermore, only the number of employees of secunet AG as at the reporting date of 30 June 2023 is included in the calculation and not that of the entire Group.

EU Taxonomy

As part of its Action Plan on Financing Sustainable Growth, the European Union (EU) aims to redirect capital flows towards sustainable investment. Against this backdrop, the EU Taxonomy Regulation 2020 / 852 came into force in mid-2020, classifying which economic activities are considered environmentally sustainable in the EU.

The EU has now published guidelines on sustainable economic activities within the meaning of the Taxonomy Regulation for all six environmental objectives (climate change mitigation, climate change adaptation, sustainable use and protection of water and marine resources, transition to a circular economy, pollution prevention and control, and protection and restoration of biodiversity and ecosystems). The description of economic activities in the delegated acts determines which economic activities may, in principle, be regarded as "taxonomy-eligible economic activities". Only taxonomy-eligible economic activities may be considered environmentally sustainable upon meeting certain technical screening criteria and in compliance with minimum social protection. If an economic activity meets the screening criteria specified in the delegated acts, it is to be classified as environmentally sustainable and thus taxonomy-compliant.

Delegated Regulation 2022 / 1214 of 9 March 2022 on nuclear power and natural gas is not applicable. Therefore, the reporting forms specific to these activities are not provided.

In the reporting year 2021, only the shares of taxonomy-eligible and non-taxonomy-eligible economic activities in sales revenue, capital expenditure (CapEx) and operating expenditure (OpEx) had to be disclosed for the first two environmental objectives "Climate change mitigation" and "Climate change adaptation" in accordance with the relief granted by the EU. For the reporting year 2022, the extent to which the taxonomy-eligible economic activities meet the technical assessment criteria also had to be disclosed for these two environmental objectives in order to be able to demonstrate taxonomy compliance.

Additional disclosure requirements have been added for the 2023 reporting year. On the one hand, the two environmental objectives "Climate change mitigation" and "Climate change adaptation" have been supplemented by the "Amended Climate Delegated Act" with additional economic activities and their technical assessment criteria, which must be reviewed for the 2023 reporting year with regard to their taxonomy eligibility. Moreover, Delegated Regulation C(2023)3851 – also known as the "Environmental Delegated Act" (EnvDA) – was published on 27 June 2023. For the first time, this contains the technical assessment criteria for the economic activity of environmental goals 3 to 6, namely "Sustainable use and protection of water and marine resources", "Transition to a circular economy", "Pollution prevention and control", and "Protection and restoration of biodiversity and ecosystems". Here, too, it is planned that the new environmental objectives and their associated economic activities will be reviewed with regard to their taxonomy eligibility for the 2023 financial year.

In principle, all fully consolidated Group companies are included in this analysis with regard to their sales revenues, capital expenditure and operating expenditure. Further information on the fully consolidated Group companies can be found in the economic report.

Analysis of taxonomy eligibility

In an increasingly connected world, secunet's combination of products and consulting assures resilient digital infrastructures and the utmost protection for data, applications and digital identities. secunet specialises in areas with particular security requirements, such as eGovernment, eHealth as well as IIoT and cloud computing. With security solutions from secunet, companies can maintain security standards in digitalisation projects and thus expedite their digital transformation.

In order to identify secunet Group's taxonomy-eligible economic activities, those activities that correspond to secunet's business model were first identified on the basis of a list of potentially taxonomy-eligible activities. These were then checked for plausibility using key financial indicators. Both the items reported in the consolidated income statement and internal financial KPIs were used for this purpose.

As a result of the analysis, economic activities 6.5 "Transport by motorbikes, passenger cars and light commercial vehicles", 7.7 "Acquisition and ownership of buildings" and 8.1 "Data processing, hosting and related activities" were classified as taxonomy-eligible. Due to the publication of the EnvDA on 27 June 2023, the economic activities of the four environmental objectives 3 to 6 (sustainable use and protection of water and marine resources, transition to a circular economy, pollution prevention and control, and protection and restoration of biodiversity and ecosystems) had to be examined for their taxonomy eligibility for the first time in this financial year. This was implemented accordingly, but no economic activity relevant to secunet could be identified.

secunet's EU Taxonomy KPIs

	Taxonomy eligible proportion	Non-taxon omy-eligible proportion
Sales revenue	3 %	97 %
Capital expenditure (CapEx)	57 %	43 %
Operating expenses (OpEx)	2 %	98 %

Key figures on taxonomy-eligible economic activities

On the basis of Section 289 (1) of the German Commercial Code (HGB), secunet is obliged to apply the regulatory provisions of the Taxonomy Regulation. Pursuant to Section 315e (1) HGB, the Consolidated Financial Statements of secunet as at 31 December 2023 have been prepared in accordance with IFRS. The amounts used for calculation of the turnover, CapEx and OpEx KPIs are correspondingly based on the figures reported in the Consolidated Financial Statements. Based on an analysis of the economic activities, the proportion of taxonomy-eligible turnover / capital expenditure (CapEx) and operating expenses (OpEx) in the respective secunet Group values is stated for the 2023 financial year.

Sales revenues:

The sales revenue reported in the consolidated income statement is quantified for the reporting year 2023 in the amount of 393.7 million euros. This amount is the denominator under the EU Taxonomy Regulation. The sum of the sales revenues of the taxonomy-eligible economic activities for the financial year 2023 constitutes the numerator. The taxonomy-eligible sales revenue identified in this reporting year 2023 is attributable to the business activities of SysEleven GmbH. SysEleven GmbH operates its own cloud infrastructure and rents it out to business customers, supplemented by other cloud services, including the Kubernetes platform MetaKube, as well as consulting and IT services.

Capital expenditure (CapEx):

At secunet, the CapEx indicator shows the share of capital expenditure that is either associated with a taxonomy-eligible economic activity (CapEx a), or is associated with a plan to expand a taxonomy-compliant activity / to make a currently non-taxonomy-eligible activity eligible (CapEx b), or relates to the acquisition of products and services from a taxonomyeligible economic activity (CapEx c). There is currently no CapEx plan, according to which CapEx b does not apply. The basis of the capital expenditure comprises the additions to property, plant and equipment and intangible assets and right-of-use assets from leases (including rent adjustments) during the financial year under review, before depreciation and any revaluations for the financial year concerned and excluding changes in fair value. This also applies to corresponding additions resulting from business combinations.

The reported capital expenditure (CapEx) calculated in this way and presented in sections "3. Property, plant and equipment", "4. Intangible assets" and "5. Leases" in the notes to the consolidated financial statements totalled 14.1 million euros for the 2023 reporting year.

The sum of the additions reflecting taxonomy-eligible investments form the numerator of the CapEx KPI. Outside its core business, secunet can potentially make a contribution to climate change mitigation with its investments in the vehicle fleet (6.5. Transport by motorbikes, passenger cars and light commercial vehicles (Annex I)), in buildings (7.7. Acquisition and ownership of buildings (Annex I)) and in data processing (8.1. Data processing, hosting and related activities (Annex I)).

Operating expenses (OpEx):

At secunet, the key performance indicator OpEx indicates the proportion of operating expenses associated with taxonomy-eligible economic activities (OpEx a), non-capitalised R & D expenses (OpEx b), or with the acquisition of products from a taxonomy-eligible economic activity (OpEx c). To calculate the taxonomy-eligible OpEx share, those accounts of financial accounting that reflect the direct, non-capitalised costs for research and development (R & D) expenses, building refurbishment measures, short-term leasing, maintenance and repair expenses were used to determine the denominator.

The numerator results from an analysis of the recognised expenses that have been recorded with the above accounts and that are related to the assets with regard to their taxonomy eligibility. Of the total operating expenditure, data processing (8.1. Data processing, hosting and related activities (Annex I)) can be classified under taxonomy-eligible economic activities.

The following economic activities of secunet were classified as taxonomy-eligible for the environmental goal of climate protection:

Taxonomy-eligible activity	Description of the activity	Assignment at secunet
6.5 Transport by motorbikes, passenger cars and light commercial vehicles	Vehicle fleet	CapEx
7.7 Acquisition and ownership of buildings	Buildings	CapEx
8.1 Data processing, hosting and related activities	Cloud infrastructure and cloud services from SysEleven GmbH	Sales revenues, CapEx

Analysis of taxonomy compliance

Building on the identified taxonomy-compliant economic activities, secunet carried out an analysis of taxonomy compliance (alignment). It was assessed whether the economic activities make a significant contribution to the achievement of one or more environmental objectives and do not lead to a significant impairment of one or more environmental objectives. Finally, compliance with minimum social protection must be ensured. If the requirements are met, an economic activity can be classified as taxonomy compliant.

In connection with the analysis, documents were requested from our stakeholders and discussions were held against the background of the alignment.

Economic activity 6.5 (Transport by motorbikes, passenger cars and light commercial vehicles)

The Group incurs capital expenditure that is to be classified under the definition of CapEx c) (section 1.1.2.2. of Delegated Regulation 2021 / 2178). In order to analyse compliance, documentation was requested from various stakeholders, especially leasing providers, to assess the above criteria. No information was provided to secunet in sufficient detail for the 2023 financial year. An assessment of taxonomy compliance could therefore not be fully carried out on this basis.

Economic activity 7.7 (Acquisition and ownership of buildings)

The Group uses rented office properties and thus incurs capital expenditure that is to be classified under the definition of CapEx c) (section 1.1.2.2. of Delegated Regulation 2021 / 2178). To analyse compliance, the age of the buildings was first checked – properties that were completed before 31 December 2020 are to be classified as non-taxonomy-compliant. The properties used by secunet were either occupied before December 31, 2020 or are older than this date. This criterion therefore applies.

Economic activity 8.1 (Data processing, hosting and related activities)

SysEleven GmbH's data processing, hosting and related activities relate to CapEx a) and OpEx a) (sections 1.1.2.2. and 1.1.3.2. of Delegated Regulation 2021 / 2178). The technical assessment criteria are not met in the reporting year, as the refrigerants used in the cooling system of the data centres (for example F-gases) have a greenhouse gas potential higher than the limits prescribed by the regulations.

As a result, no economic activity currently meets the criteria, which is why it is not possible to report EU taxonomy compliance for secunet Group in the 2023 financial year.

Share of sales revenue from goods or services related to taxonomy-compliant economic activities – disclosure for the year 2023

			Criteria for a significant contribution
Economic activities (1)
	Code(s) (2)	Absolute sales revenue (3)	Sales revenue share (4)	Climate protection (5)	Adaptation to climate change (6)	Water and marine resources (7)	Environmental pollution (8)	Circular economy (9)	Biodiversity and ecosystems (10)
		Currency	(%)	(%)	(%)	(%)	(%)	(%)	(%)

Category (transitional activities) (21)

A TAXONOMY-ELIGIBLE ACTIVITY

A.1 Ecologically sustainable activity (taxonomy-compliant)
Sales revenue for environmentally sustainable activity (taxonomy-compliant (A.1))		0.00 €	— %
A.2 Taxonomy-eligible but not environmentally sustainable activities (not taxonomy-compliant)
Transport by motorbikes, passenger cars and light commercial vehicles	6,5	0.00 €	— %
Acquisition and ownership of buildings	7,7	0.00 €	— %
Data processing, hosting and related activities	8,1	13,695,448.67 €	3 %
Sales revenue for taxonomy-eligible but not environmentally sustainable activities (non-taxonomy-compliant activities (A.2))		13,695,448.67 €	3 %
Total (A.1 + A.2)		13,695,448.67 €	3 %

B NON-TAXONOMY-ELIGIBLE ACTIVITIES

Sales revenue for non-taxonomy-eligible activities (B)	379,989,457.95 €	97 %
Overall (A+B)	393,684,906.62 €	100 %

DNSH criteria ("no significant impairment")
Climate protection (11)	Adaptation to climate change (12)	Water and marine resources (13)	Environmental pollution (14)	Circular economy (15)	Biodiversity and ecosystems (16)	Minimum social standards (17)	Taxonomy compliant share of sales revenue for 2022 (18)	Taxonomy compliant share of sales revenue for 2021 (19)	Category (enabling activities) (20)	Category (transitional activities) (21)
(Y/N)	(Y/N)	(Y/N)	(Y/N)	(Y/N)	(Y/N)	(Y/N)	Percent	Percent	E	T

Share of sales revenue from goods or services

Economic activities (1)

A TAXONOMY-ELIGIBLE ACTIVITY

B NON-TAXONOMY-ELIGIBLE ACTIVITIES

Sales revenue for non-taxonomy-eligible

activities (B) 379,989,457.95 € 97 %

Overall (A+B) 393,684,906.62 € 100 %

related to taxonomy-compliant economic activities – disclosure for the year 2023

Code(s) (2)

Share of capital expenditure (CapEx) associated with taxonomy-compliant economic activities – disclosure for the year 2023

					Criteria for a significant contribution
Economic activities (1)	Code(s) (2)	Absolute sales revenue (3)	Sales revenue share (4)	Climate protection (5)	Adaptation to climate change (6)	Water and marine resources (7)	Environmental pollution (8)	Circular economy (9)	Biodiversity and ecosystems (10)
		Currency	(%)	(%)	(%)	(%)	(%)	(%)	(%)
A TAXONOMY-ELIGIBLE ACTIVITY

Category (transitional activities) (21)

A.1 Ecologically sustainable activity (taxonomy-compliant)
CapEx for environmentally sustainable activity (taxonomy-compliant (A.1))		0.00 €	— %
A.2 Taxonomy-eligible but not environmentally sustainable activities (not taxonomy-compliant)
Transport by motorbikes, passenger cars and light commercial vehicles	6.5	996,962.01 €	7 %
Acquisition and ownership of buildings	7.7	4,254,934.68 €	30 %
Data processing, hosting and related activities	8.1	2,714,749.95 €	20 %
CapEx for taxonomy-eligible but not environ mentally sustainable activities (non-taxono my-compliant activities (A.2))		7,966,646.64 €	57 %
Total (A.1 + A.2)		7,966,646.64 €	57 %

B NON-TAXONOMY-ELIGIBLE ACTIVITIES

CapEx for non-taxonomy-eligible activities (B)	6,093,024.22 €	43 %
Overall (A+B)	14,059,670.86 €	100 %

DNSH criteria ("no significant impairment")
Climate protection (11)	Adaptation to climate change (12)	Water and marine resources (13)	Environmental pollution (14)	Circular economy (15)	Biodiversity and ecosystems (16)	Minimum social standards (17)	Taxonomy compliant share of sales revenue for 2022 (18)	Taxonomy compliant share of sales revenue for 2021 (19)	Category (enabling activities) (20)	Category (transitional activities) (21)
(Y/N)	(Y/N)	(Y/N)	(Y/N)	(Y/N)	(Y/N)	(Y/N)	Percent	Percent	E	T

Share of capital expenditure (CapEx)

Economic activities (1)

A TAXONOMY-ELIGIBLE ACTIVITY

A.1 Ecologically sustainable activity

CapEx for environmentally sustainable activity

A.2 Taxonomy-eligible but not environmentally sustainable activities (not taxonomy-compliant) Transport by motorbikes, passenger cars and

B NON-TAXONOMY-ELIGIBLE ACTIVITIES

(taxonomy-compliant (A.1)) 0.00 € — %

light commercial vehicles 6.5 996,962.01 € 7 %

CapEx for non-taxonomy-eligible activities (B) 6,093,024.22 € 43 %

Overall (A+B) 14,059,670.86 € 100 %

(taxonomy-compliant)

associated with taxonomy-compliant economic activities – disclosure for the year 2023

Code(s) (2)

Acquisition and ownership of buildings 7.7 4,254,934.68 € 30 %
Data processing, hosting and related activities 8.1 2,714,749.95 € 20 %	— %	— %

CapEx for taxonomy-eligible but not environ	— %	— %
mentally sustainable activities (non-taxono 7,966,646.64 € 57 % my-compliant activities (A.2))
Total (A.1 + A.2) 7,966,646.64 € 57 %	— %	— %

Share of operating expenses (OpEx) associated with taxonomy-compliant economic activities – disclosure for the year 2023

					Criteria for a significant contribution
Economic activities (1)	Code(s) (2)	Absolute sales revenue (3)	Sales revenue share (4)	Climate protection (5)	Adaptation to climate change (6)	Water and marine resources (7)	Environmental pollution (8)	Circular economy (9)	Biodiversity and ecosystems (10)
		Currency	(%)	(%)	(%)	(%)	(%)	(%)	(%)
A TAXONOMY-ELIGIBLE ACTIVITY

Category (transitional activities) (21)

A.1 Ecologically sustainable activity (taxonomy-compliant)
OpEx for environmentally sustainable activity (taxonomy-compliant (A.1))		0.00 €	— %
A.2 Taxonomy-eligible but not environmentally sustainable activities (not taxonomy-compliant)
Transport by motorbikes, passenger cars and light commercial vehicles	6.5	0.00 €	— %
Acquisition and ownership of buildings	7.7	0.00 €	— %
Data processing, hosting and related activities	8.1	235,413.38 €	— %
OpEx for taxonomy-eligible but not environmen tally sustainable activities (non-taxonomy-com pliant activities (A.2))		235,413.38 €	— %
Total (A.1 + A.2)		235,413.38 €	— %

B NON-TAXONOMY-ELIGIBLE ACTIVITIES

OpEx for non-taxonomy-eligible activities (B)	10,991,678.25€	98 %
Overall (A+B)	11,227,091.63€	100 %

DNSH criteria ("no significant impairment")
Climate protection (11)	Adaptation to climate change (12)	Water and marine resources (13)	Environmental pollution (14)	Circular economy (15)	Biodiversity and ecosystems (16)	Minimum social standards (17)	Taxonomy compliant share of sales revenue for 2022 (18)	Taxonomy compliant share of sales revenue for 2021 (19)	Category (enabling activities) (20)	Category (transitional activities) (21)
(Y/N)	(Y/N)	(Y/N)	(Y/N)	(Y/N)	(Y/N)	(Y/N)	Percent	Percent	E	T

Share of operating expenses (OpEx)

Economic activities (1)

A TAXONOMY-ELIGIBLE ACTIVITY

A.1 Ecologically sustainable activity

OpEx for environmentally sustainable activity

A.2 Taxonomy-eligible but not environmentally sustainable activities (not taxonomy-compliant) Transport by motorbikes, passenger cars and

B NON-TAXONOMY-ELIGIBLE ACTIVITIES

(taxonomy-compliant (A.1)) 0.00 € — %

light commercial vehicles 6.5 0.00 € — %

Acquisition and ownership of buildings 7.7 0.00 € — %

OpEx for non-taxonomy-eligible activities (B) 10,991,678.25€ 98 %

Overall (A+B) 11,227,091.63€ 100 %

(taxonomy-compliant)

associated with taxonomy-compliant economic activities – disclosure for the year 2023

Code(s) (2)

Acquisition and ownership of buildings 7.7 0.00 € — % — % — %
Data processing, hosting and related activities 8.1 235,413.38 € — %
OpEx for taxonomy-eligible but not environmen — % — % tally sustainable activities (non-taxonomy-com 235,413.38 € — %

— % — % 235,413.38 € — %

Management Board reportpursuant to Section 312 (3) AktG

Pursuant to Section 312 (3) of the German Stock Corporation Act (AktG), the Management Board has issued a report on the relations with affiliated companies for the 2023 financial year. The report contains the following closing statement: "It is hereby declared that, according to the circumstances known to the Management Board in which the legal transaction was undertaken, our Company received an appropriate consideration for each of the legal transactions listed and was not disadvantaged. This assessment has been made on the basis of the circumstances known at the time of the reportable proceedings. There were no further reportable legal transactions, measures or omissions in addition to the activities reported."

Essen, 19 March 2024

Axel Deininger Torsten Henn

Dr Kai Martius Thomas Pleines

3.Consolidated Financial Statements

of secunet Security Networks Aktiengesellschaft, Essen

116	Consolidated balance sheet
118	Consolidated income statement
119	Statement of comprehensive income
120	Cash flow statement
122	Statement of changes in equity
124	Notes to the Consolidated Financial Statements
178	Independent auditor's report
190	Responsibility statement

115

Consolidated Financial Statements

of secunet Security Networks Aktiengesellschaft, Essen

Consolidated balance sheet

(according to IFRS) as at 31 December 2023

Assets

in euros	Note	31 Dec 2023	31 Dec 2022
Current assets
Cash and cash equivalents	1	41,269,674.54	21,479,549.36
Trade receivables	2, 11	88,896,835.69	75,818,259.18
Intercompany financial assets	2	1,234,850.54	304,018.98
Contract assets	2, 11	2,872,998.07	2,596,942.21
Inventories	7	48,033,717.04	72,298,654.03
Other current assets	2	4,234,838.59	6,084,621.52
Income tax receivables		6,047,856.47	1,174,591.64
Total current assets		192,590,770.94	179,756,636.92
Non-current assets
Property, plant and equipment	3	11,492,598.69	10,720,417.00
Right-of-use assets	5	17,376,742.30	18,288,681.46
Intangible assets	4	35,690,375.98	39,006,599.04
Goodwill	6	47,627,601.69	47,627,601.69
Non-current financial assets	8	6,438,407.00	6,549,879.00
Deferred taxes	9	3,241,252.60	2,547,651.27
Other non-current assets	2	14,180,063.10	10,922,602.38
Total non-current assets		136,047,041.36	135,663,431.84

Total assets 328,637,812.30 315,420,068.76