
Business Conduct

Ethics and the value system in CEZ Group

Group Values

The cornerstone of CEZ Group‘s value system is the ethical framework that governs its operational activities, including relationships with stakeholders. CEZ Group‘s management emphasizes compliance with regulations in all actions of its employees and in the supply chain with the aim of ensuring full compliance with national and international standards. Transparent and responsible relationships with stakeholders are maintained through ethical business conduct that reflects the highest ethical standards. The legal and ethical compliance program is continuously revised to incorporate industry best practices. This also reflects CEZ Group‘s commitment to building trust and integrity while working toward a sustainable energy future.

CEZ Group values are the foundation of its corporate culture and represent shared beliefs and desirable behavior expected of all employees. Embedded in key governing policies, these values are naturally integrated into corporate management.

The following principles represent the corporate values of CEZ Group:

  • Safety
  • Performance
  • Innovation
  • Expertise
  • Cooperation

Employees are encouraged to integrate these principles into their daily work to help implement the strategy and vision of CEZ Group. These values and principles are the foundation for creating a healthy work environment and forming a strong team.

Training and Communication

CEZ Group has implemented a robust education system, which contributes to the maintenance, verification, and development of competencies required for the performance of a given position. Employees of CEZ Group companies are required to complete training in the area of ethical principles and requirements of the anti-bribery management system upon joining the company and then once a year. The target is for at least 95% of employees to participate.

In 2025, 95.2% of employees across all CEZ Group companies completed the training.

The training covers a wide range of topics and provides a good understanding of our policy on proper business conduct, including anti-corruption and ethics principles and whistleblower protection (Whistleblowing Hotline training). The Board of Directors of ČEZ, a. s., undergoes training on the Code of Conduct and compliance with the rules of CEZ Group, including anti-corruption rules, at annual intervals, just like other employees.

In addition, individuals in relevant positions are regularly trained in policies and procedures to address other topics, e.g., anti-money laundering, competition rules, whistleblowing, and regulatory compliance. The Audit and Compliance Department also communicates compliance-related issues in the company magazine and on the intranet, based on an annual communication plan. The Audit and Compliance Department uses these communication channels to promote awareness, prevent unethical conduct, introduce key compliance topics, and explain their importance to the entire CEZ Group.

Beyond this regular training, there are a number of other specialized trainings focused on specific areas or groups of employees, e.g.:

  • General anti-corruption training, which is part of the Code of Conduct and compliance with the rules of CEZ Group, is assigned to 100% of employees working in positions that may be subject to an increased risk of corruption. Specifically, this concerns the Procurement department of ČEZ, a. s., and the Procurement Coordination department of ČEZ Distribuce. These departments are also assigned extended training on the issue of the anti-bribery management system according to ISO 37001.
  • Furthermore, selected employees participate in other specialized trainings, namely training on the requirements of anti-money laundering legislation and e-learning on competition compliance.
  • Furthermore, relevant persons according to the Whistleblower Protection Act undergo special training focused on applicable legal requirements and on ensuring whistleblower protection.

Relevant persons pursuant to Act No. 171/2023 Coll., on the Protection of Whistleblowers, and other persons involved in compliance within CEZ Group are additionally invited to regular meetings of the professional working group on corporate compliance, held every three months, where they are presented with current information in the field of compliance.

To ensure employee awareness and effective communication of CEZ Group‘s policies and actions, the Audit and Compliance department provides information on these topics in the company magazine PROUD and on the intranet in line with the annual communication plan.

External entities may review our ethical principles and anti-corruption policy via a specialized section on the website www.cez.cz. The Audit and Compliance department uses these communication channels to promote awareness, prevent unethical conduct, introduce key compliance topics, and explain their importance to the entire CEZ Group.

Anti-competitive Behavior

CEZ Group considers compliance with the rules of competition protection (pursuant to Act No. 143/2001 Coll., on the Protection of Competition and Articles 101–109 of the Treaty on the Functioning of the European Union) to be essential. Therefore, preventing violations of these rules is a priority on the CMS agenda. In practice, all employees must behave properly in business relations and safeguard the company‘s reputation as a fair market player. Employees must not only avoid anti-competitive behavior but also prevent it. This also refers to compliance with the unbundling rules. To act appropriately, employees learn about this topic and requirements in ethics training and through internal communication channels.

The Competition Compliance Unit of the Legal Services department of ČEZ, a. s., provides regular training for responsible employees focusing on specific risks of anti-competitive behavior of CEZ Group companies and consultancy on a continuously growing number of relevant business plans in terms of compliance with competition law. The Unit has also prepared a competition compliance e-learning module for a broad group of employees involved in relevant transactions.

In 2025, CEZ Group did not engage in any unlawful anti-competitive conduct or other violation of the rules of competition law. Procurement procedures of CEZ Group are subject to mandatory legal review focusing, among other things, on compliance with competition rules (e.g., prohibition of collusive practices in public procurement tendering – bid rigging).

Political Engagement 

CEZ Group upholds the highest standards of transparency and fully abides by its Code of Conduct. It is apolitical and party-neutral; it does not support any action or initiative with an exclusively or primarily political goal. It does not provide any donations to political parties and movements, or to organizations, foundations, associations, or other legal or natural persons that are in close relations with politically exposed persons. Any civic or political engagement of our employees must not harm CEZ Group’s reputation. Our employees must refrain from any conflicts of interest or activities that conflict with their work and activities performed for CEZ Group.

CEZ Group promotes its interests in the European Union through the Public Affairs Office in Brussels, which has two employees. It is registered in the EU Transparency Register under the number ČEZ 310282849811-01. CEZ Group follows the established lobbying rules in the standard manner in its efforts to promote interests in a democratic legal environment. All meetings are duly recorded, including relevant documents, as required by the register rules. The records can be found on the register website.

Tax Governance

We strive to be a good and trustworthy member of society. Fostering positive relationships with the community is the foundation of long-term sustainable development. Responsible and transparent tax administration is one way we fulfill our obligations to society.

Approach to Tax

CEZ Group‘s approach to tax management is embedded in internal policies and guidelines, which describe a general framework and details of responsibilities related to tax agenda. Domiciled in the Czech Republic, CEZ Group does not apply a consolidated corporate income tax because Czech tax laws disallow consolidated tax returns. From a tax perspective, CEZ Group companies are separate entities and independent taxpayers. Hence, the companies pay taxes locally according to valid legislation in each country of operation. The overview of total income tax paid forms a part of the consolidated Annual Financial Report, which is independently audited and is publicly available on our website.

The main responsibility for tax governance and strategy lies with the Chief Financial Officer (CFO), Martin Novák. The CFO subsequently delegates day-to-day operational tax responsibilities to the Tax Department. Analyses and reports from the Tax Department to the Board of Directors of ČEZ, a. s., support business investment decisions. The processes in the Tax Department are also reviewed annually by the Risk Management Department. At the end of 2025, no legal tax disputes concerning CEZ Group companies were pending.

Tax Integrity and Transfer-pricing

CEZ Group fully meets tax standards and regulations in all conduct and countries where it operates. CEZ Group‘s tax governance and risk management are subject to internal processes and aligned with a responsible, credible, and sustainable approach. CEZ Group does not adopt any tax mechanisms or business structures to alleviate its tax burden deliberately, nor does it participate, directly or indirectly, in tax avoidance schemes or use of tax havens. Taxation issues are not the primary driver of the Group‘s business decisions. Internal transfer pricing guidelines stipulate tasks, responsibilities, and procedures for transfer pricing in CEZ Group. Applying an arm‘s length principle, the Group transfer pricing fulfills the market standard, local tax legislation, and the concepts of the OECD Guidelines.

To mitigate transfer pricing risks and avoid disputes, CEZ Group employs an advance pricing agreement (APA) for the companies situated in the Czech Republic. APA represents a formal agreement with tax authorities to determine and use transfer prices with related parties for a certain period.

Cyber Security and Information Privacy

Information security is one of the major aspects of our operations. We go to great lengths to meet the highest security standards and manage the risks involved.

Data Protection Officer

CEZ Group pays special attention to the processing and protection of personal data and respecting the privacy of employees, customers, and business partners. Therefore, its internal management documentation takes into account the requirements of legal regulations related to personal data protection, specifically Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR Regulation), Act No. 110/2019 Coll., on the Processing of Personal Data, and other relevant EU or Czech legal regulations dealing with the issue of personal data processing.

Pursuant to Article 37 of the GDPR, CEZ Group has appointed a Data Protection Officer (hereinafter referred to as the DPO) who provides services to the members of the concern of CEZ Group and other selected companies. In 2025, the DPO provided its services to 37 companies in total. The Data Protection Officer (DPO) is an independent monitoring and advisory body. The DPO serves as a contact point for personal data subjects who are in contact with CEZ Group companies. The personal data subjects are mainly employees, customers, and business partners. It cooperates with supervisory authorities and is a member of major interest associations active in the field of law and personal data protection. In particular, the DPO is a member of the Association for Personal Data Protection, the Confederation of Industry of the Czech Republic, and the Czech Company Lawyers Association. Each CEZ Group company has a robust internal personal data protection system that ensures that daily, systematic processing of personal data is in accordance with the above legislation.

As part of the performance of their activities, the DPO reports cases of personal data breaches within the meaning of Article 33 of the GDPR. Furthermore, the DPO receives complaints from the supervisory authority (e.g., about unauthorized transfer of personal data or unsolicited commercial communication). The DPO ensures that corrective actions are always implemented within the specified time limit. The DPO provides training and e-learning for CEZ Group employees and specialists in the area of personal data protection and strengthens the protection of the rights and interests of data subjects.

In 2025, the DPO did not record any personal data security breaches subject to the obligation of reporting to the Czech Office for Personal Data Protection pursuant to Article 33 of the GDPR. In the same year, the DPO received 3 requests for information from the supervisory authority based on notifications from data subjects. The DPO ensured that the requested cooperation was always provided within the specified time limit. No financial penalties were incurred by CEZ Group companies in 2025 in connection with possible personal data protection breaches.

In 2025, data subjects submitted 796 requests to exercise rights, of which 70 were rejected for lack of merit, and 19 were subsequently found not to be an exercise of rights within the scope of the GDPR and were forwarded to the relevant administrators for resolution. In 2025, the DPO conducted a total of 10 monitoring activities aimed at verifying compliance of personal data processing with the GDPR.

The DPO‘s duties also include communicating with supervisory authorities and raising employee awareness of personal data processing, e.g., through training, e-learning, or newsletters. All employees undergo e-learning training every two years. In 2025, the DPO organized extended L2 training sessions for data processing and data protection specialists, attended by almost 760 employees. In autumn 2025, the DPO, in cooperation with the Categorized Information Protection Department, organized a two-day workshop for selected persons from all companies for which the DPO provides services, and during the year, a group of DPOs in the energy sector also met at three workshops. The DPO, in cooperation with the Categorized Information Protection Department, published a total of 6 editions of the newsletter in 2025. In addition, the DPO organizes a monthly meeting of the Data Protection Expert Working Group. The DPO also provides weekly press monitoring to the data processing and data protection specialists to inform them about new developments in the relevant area.

Cyber Security

The CEZ Group Protection Policy is a top-level document that sets out the commitment of the Board of Directors of ČEZ, a. s., and the statutory bodies of other affected companies in the CEZ Group, defining the vision, objectives and scope of the CEZ Group‘s protection management system in the areas of information and cyber security, protection of information, projects and interests, security of nuclear facilities and nuclear material, and ensuring business continuity and crisis management. It includes the Information and Cyber Security Policy, which was issued in 2017 and is publicly available on the website of ČEZ, a. s.

Assets within the scope of regulated services are managed in accordance with the Cybersecurity Act No. 264/2025 Coll. Compliance with this Act is annually checked by an internal audit. The computer systems used for nuclear safety management are also responsibly secured pursuant to Act No. 263/2016 Coll. (Atomic Energy Act). CEZ Group considers compliance with legislative requirements with an emphasis on risk management principles, enhanced protection of systems, and promotion of cybersecurity culture to be priorities of its cybersecurity strategy. During 2025, there were no cases of non-compliance with cybersecurity standards and regulations. 

CEZ Group’s vision in the area of information and cybersecurity (ICS) is to ensure an adequate level of ICS in accordance with applicable legislation and to ensure reliable provision of products and services to all customers and partners. The main target for 2026 remains the implementation and verification of the effectiveness of the established ICS actions across CEZ Group. These measures will enable CEZ Group to effectively manage and change the level of protection of key assets for the operation of crucial business processes using a tiered approach and in accordance with applicable legislation. The specific areas and activities for 2026 are detailed in the action plan.

CEZ Group operates the Integrated Security Operations Center (iSOC) team, which supervises the protection of CEZ Group in terms of physical safety, information security, and cybersecurity. The iSOC works to detect any potential threats or incidents and prevent their recurrence in the future. It also works closely with national security forces like the National Cyber and Information Security Agency (NÚKIB), Military Intelligence, and the Police of the Czech Republic. These efforts are producing tangible results – by reducing the risk of threats and eliminating attacks, economic losses are also prevented. In 2025, work continued to ensure the ability of CEZ Group companies to respond to computer security incidents by establishing a CSIRT team, making it easier for them to deal with major cyber threats better than ever before. The goal of CEZ Group is to become listed by the Forum of Incident Response and Security Teams.

CEZ Group nuclear power plants underwent an annual audit of their information security management system in September 2025; in 2025, this concerned a so-called surveillance audit to verify compliance with ISO/IEC 27001:2022. The subject of the audit was, among other things, verification of the settings of the information systems, compliance with legal requirements, and employee awareness. The new international certification is valid until October 2027. ČEZ, a. s., is thus one of the first companies in the world to receive this certification for its nuclear power plants. The certificate is available on the CEZ Group’s website.

At the end of 2022, the NIS2 Directive on actions to ensure a high common level of network and information systems security came into force in EU Member States. The directive significantly expands the range of obliged entities and the scope of cybersecurity obligations for existing regulated companies in EU Member States. In the Czech Republic, the directive is transposed into the new Cybersecurity Act, effective from November 1, 2025. About 36 CEZ Group companies are subject to it.

Many other companies outside the Czech Republic follow the legal requirements in the relevant EU countries in which CEZ Group companies operate. To meet these requirements, CEZ Group launched the NIS2 implementation program. The program will help all CEZ Group companies understand how to follow the new rules and make sure they are safe from cyber threats. In 2025, there was a major shift in terms of the design of a new management system and specific plans for building the necessary competencies in this area across all CEZ Group companies. The program includes a deeper review of CEZ Group‘s cyber strategy taking into account new cyber regulatory requirements and current cyber threats. The results of key phases and risks of the program are regularly presented to the members of the Board of Directors of the respective companies.

Great emphasis is placed on ensuring the security of information and technological systems. CEZ Group follows laws, international standards, and recommendations to keep its products and services reliable for customers and partners. CEZ Group views information and cybersecurity seriously by following a plan-do-check-act method (PDCA). The target is to balance the cost of protecting assets with their worth. For this purpose, an information and cybersecurity action plan has been created, which sets out ways to comprehensively address all aspects related to information security throughout the organization. By following this plan, it is possible to keep the business secure while reducing risks from potential threats or breaches.

CEZ Group employees are required to follow the Information and Cybersecurity User Manual. The Manual explains complicated cybersecurity issues and translates them into real-life situations. Every year, a Final report on the status of information and cybersecurity in CEZ Group is prepared, summarizing how CEZ Group is performing from a security perspective and what risks were identified through audits or other controls. The report includes details about compliance with industry standards and is submitted to the CEZ Group’s Security Committee for further discussion.

In 2025, the management system in the areas of information and cybersecurity was assessed as functional and meeting the organization’s requirements. Cyber threats did not change significantly year over year and their actual impacts on protected assets were within acceptable limits. Control and audit activities during 2025 did not result in any significant deviations from the defined level of cybersecurity or non-compliance with legislative requirements.

CEZ Group has established the CEZ Group Security Committee, which is an advisory body to the CEO of ČEZ, a. s. The Committee discusses, in particular, how to protect CEZ Group, what threats exist and how to deal with them, what security measures are most important and when they need to be implemented, which major projects require special attention, analyses of security incidents, and proposals for corrective measures. The Head of Security department keeps the CEO informed about information and cybersecurity in CEZ Group. The Head of Security department submits a report once a year or in case of extraordinary events. The Head of Audit and Compliance Department of ČEZ, a. s., provides an independent assessment on the state of ICS in ČEZ, a. s., and other CEZ Group companies to the Board of Directors of ČEZ, a. s., or to the statutory bodies of CEZ Group companies.

CEZ Group regularly strengthens its resilience in the online environment and carefully monitors potential security risks. In 2025, there were 2,961 incidents/events related to information or cyber security, an increase (12%) compared to the previous year caused by the application of new data loss prevention rules. Cybersecurity has also become an integral part of all CEZ Group investment projects. Application development at CEZ Group is governed by strict rules based on the principles of secure software development and operation. Regular testing of ICT/OT equipment reveals weaknesses and, in the event of deficiencies, eliminates them. Before making any changes to live systems, they are always tested in a test environment first.

The implemented Security Awareness Development Plan aims to develop a culture of safe behavior and information handling, increase employee expertise, and reduce risks associated with the human factor. The plan also includes specific training for different user groups. It is regularly updated and adapted to current threats. It is based primarily on the requirements of the Cybersecurity Act. All employees are trained every two years so as to increase their awareness and understanding of cybersecurity. In 2025, almost 17,000 employees were tested using mock phishing campaigns, and this testing is planned to be further expanded in the coming years. Professional training is prescribed for specific groups involved in ensuring information and cybersecurity requirements, e.g., IT administrators and persons in security roles.

Selected CEZ Group employees are members of the ISACA or ISACA Czech Republic Chapter (CRC). This group is a part of an international organization that helps professionals with managing, auditing, controlling, and securing information systems. The local chapter has over 300 members from different parts of business and government administration.

CEZ Group employees must observe the Information and Cyber Security User Manual. The Manual explains complicated cybersecurity issues and translates them into real-life situations. Every year, a report is prepared that summarizes how CEZ Group is performing from a security perspective and what risks have been identified through audits or other controls. The report includes details about compliance with industry standards and is submitted to CEZ Group's Security Committee for further discussion.

Security in relationships with suppliers in the area of information security and cybersecurity in CEZ Group is addressed in accordance with Act No. 264/2025 Coll., and related implementing regulations. Strict rules are set and implemented for CEZ Group companies, and compliance with these requirements is regularly monitored. Any violation is considered a serious issue and is addressed appropriately. When selecting suppliers, decisions are based, among other things, on a questionnaire designed to assess the risks arising from cooperation with the supplier. Security requirements to ensure information security and cybersecurity and related instructions for suppliers are included in the respective contract. Selected minimum disclosure requirements (specifically targets and indicators) are not disclosed as they have been assessed as non-public under the Company's internal rules.