Business Conduct

Ethics and the value system in CEZ Group

Group Values

The cornerstone of CEZ Group‘s value system is the ethical framework that governs its operational activities, including relationships with stakeholders. CEZ Group‘s management emphasizes compliance with regulations in all actions of its employees and in the supply chain with the aim of ensuring full compliance with national and international standards. Transparent and responsible relationships with stakeholders are maintained through ethical business conduct that reflects the highest ethical standards. The legal and ethical compliance program is continuously revised to incorporate industry best practices. This also reflects CEZ Group‘s commitment to building trust and integrity while working toward a sustainable energy future.

CEZ Group values are the foundation of its corporate culture and represent shared beliefs and desirable behavior expected of all employees. Embedded in key governing policies, these values are naturally integrated into corporate management.

The following principles represent the corporate values of CEZ Group:

  • Safety
  • Performance
  • Innovation
  • Expertise
  • Cooperation

Employees are encouraged to integrate these principles into their daily work to help implement the strategy and vision of CEZ Group. These values and principles are the foundation for creating a healthy work environment and forming a strong team.

Training and Communication

CEZ Group has implemented a robust education system, which contributes to the maintenance, verification, and development of competencies required for the performance of a given position. Employees of CEZ Group companies are required to complete training in the area of ethical principles and requirements of the anti-bribery management system upon joining the company and then once a year. The target is for at least 95% of employees to participate. In 2024, 98.11% of employees of ČEZ, a. s., and other key subsidiaries were trained in this way. The training covers a wide range of topics and provides a good understanding of our policy on proper business conduct, including anti-corruption and ethics principles and whistleblower protection (Whistleblowing Hotline training). The Board of Directors of ČEZ, a. s., undergoes training on the Code of Conduct and compliance with the rules of CEZ Group, including anti-corruption rules, at annual intervals, just like other employees.

In addition, individuals in relevant positions are regularly trained in policies and procedures to address other topics, e.g., anti-money laundering, competition rules, whistleblowing, and regulatory compliance. The Audit and Compliance Department also communicates compliance-related issues in the company magazine and on the intranet, based on an annual communication plan. The Audit and Compliance Department uses these communication channels to promote awareness, prevent unethical conduct, introduce key compliance topics, and explain their importance to the entire CEZ Group.

Beyond this regular training, there are a number of other specialized trainings focused on specific areas or groups of employees, e.g.:

  • General anti-corruption training, which is part of the Code of Conduct and compliance with the rules of CEZ Group, is assigned to 100% of employees working in positions that may be subject to an increased risk of corruption. Specifically, this concerns the Procurement department of ČEZ, a. s., and the Procurement Coordination department of ČEZ Distribuce. These departments are also assigned extended training on the issue of the anti-bribery management system according to ISO 37001.
  • Furthermore, selected employees participate in other specialized trainings, namely training on the requirements of anti-money laundering legislation and e-learning on competition compliance.
  • Furthermore, relevant persons according to the Whistleblower Protection Act undergo special training focused on applicable legal requirements and on ensuring whistleblower protection.

Relevant persons pursuant to Act No. 171/2023 Coll., on the Protection of Whistleblowers, and other persons involved in compliance within CEZ Group are additionally invited to regular meetings of the professional working group on corporate compliance, held every three months, where they are presented with current information in the field of compliance.

To ensure employee awareness and effective communication of CEZ Group‘s policies and actions, the Audit and Compliance department provides information on these topics in the company magazine PROUD and on the intranet in line with the annual communication plan.

External entities may review our ethical principles and anti-corruption policy via a specialized section on the website www.cez.cz. The Audit and Compliance department uses these communication channels to promote awareness, prevent unethical conduct, introduce key compliance topics, and explain their importance to the entire CEZ Group.

Anti-competitive Behavior

CEZ Group considers compliance with the rules of competition protection (pursuant to Act No. 143/2001 Coll., on the Protection of Competition and Articles 101–109 of the Treaty on the Functioning of the European Union) to be essential. Therefore, preventing violations of these rules is a priority on the CMS agenda.

In practice, all employees must behave properly in business relations and safeguard the company‘s reputation as a fair market player. Employees must not only avoid anti-competitive behavior but also prevent it. This also refers to compliance with the unbundling rules. To act appropriately, employees learn about this topic and requirements in ethics training and through internal communication channels.

The Competition Compliance Unit of the Legal Services department of ČEZ, a. s., provides regular training for responsible employees focusing on specific risks of anti-competitive behavior of CEZ Group companies and consultancy on a continuously growing number of relevant business plans in terms of compliance with competition law. The Unit has also prepared a competition compliance e-learning module for a broad group of employees involved in relevant transactions.

In 2024, no prohibited anti-competitive behavior or other violation of the rules of competition protection occurred on the part of CEZ Group. The Office for the Protection of Competition conducted an on-site investigation at the business premises of ČEZ, a. s., during which the company provided full cooperation and which does not imply that any anticompetitive behavior occurred in the case. CEZ Group contracts are subject to mandatory legal review aimed, among other things, at compliance with the rules of competition protection (e.g., prohibition of bid rigging). Any findings lead to adequate actions.

Political Engagement 

CEZ Group upholds the highest standards of transparency and fully abides by its Code of Conduct. It is apolitical and party-neutral; it does not support any action or initiative with an exclusively or primarily political goal. It does not provide any donations to political parties and movements, or to organizations, foundations, associations, or other legal or natural persons that are closely related to politically exposed persons.

Any civic or political engagement of our employees must not harm CEZ Group‘s reputation. Our employees must refrain from any conflicts of interest or activities that conflict with their work and activities performed for CEZ Group. CEZ Group promotes its interests in the European Union through the Public Affairs Office in Brussels, which has two employees. It is registered in the EU Transparency Register under the number CEZ 429600710582–32. The established rules of lobbying are followed in the standard manner in order to promote interests in a democratic legal environment. All meetings are duly recorded, including relevant documents, as required by the registry rules. The records can be found on the relevant union registry website.

Oversight of the lobbying is the responsibility of the Head of Public Affairs, who reports directly to the CEO. In the Czech Republic, the Head monitors the draft legislation on lobbying so that the company fulfills all its obligations under the law when it is adopted. The Head of Public Affairs has never worked in public administration.

CEZ Group communicates its visions and policies externally in a transparent and open manner. It applies its attitudes to legislative drafts primarily within the associations of which it is a member. These include the Confederation of Industry of the Czech Republic and the Czech Chamber of Commerce and Eurelectric and NuclearEurope in Brussels.

Tax Governance

Responsible and transparent tax governance is a way to honor our commitments to society.

Approach to Tax

CEZ Group‘s approach to tax management is embedded in internal policies and guidelines, which describe a general framework and details of responsibilities related to tax agenda. Domiciled in the Czech Republic, CEZ Group does not apply a consolidated corporate income tax because Czech tax laws disallow consolidated tax returns. From a tax perspective, CEZ Group companies are separate entities and independent taxpayers. Hence, the companies pay taxes locally according to valid legislation in each country of operation. The overview of total income tax paid forms a part of the consolidated Annual Financial Report, which is independently audited and is publicly available on our website.

The main responsibility for tax governance and strategy lies with the Chief Financial Officer (CFO), Martin Novák. The CFO subsequently delegates day-to-day operational tax responsibilities to the Tax Department. Analyses and reports from the Tax Department to the Board of Directors of ČEZ, a. s., support business investment decisions. The processes in the Tax Department are also reviewed annually by the Risk Management Department. At the end of 2024, no legal tax disputes concerning CEZ Group companies were pending.

Tax Integrity and Transfer-pricing

CEZ Group fully meets tax standards and regulations in all conduct and countries where it operates. CEZ Group‘s tax governance and risk management are subject to internal processes and aligned with a responsible, credible, and sustainable approach. CEZ Group does not adopt any tax mechanisms or business structures to alleviate its tax burden deliberately, nor does it participate, directly or indirectly, in tax avoidance schemes or use of tax havens. Taxation issues are not the primary driver of the Group‘s business decisions. Internal transfer pricing guidelines stipulate tasks, responsibilities, and procedures for transfer pricing in CEZ Group. Applying an arm‘s length principle, the Group transfer pricing fulfills the market standard, local tax legislation, and the concepts of the OECD Guidelines.

To mitigate transfer pricing risks and avoid disputes, CEZ Group employs an advance pricing agreement (APA) for the companies situated in the Czech Republic. APA represents a formal agreement with tax authorities to determine and use transfer prices with related parties for a certain period.

Tax and Other Payments

In 2024, CEZ Group‘s corporate income tax payable was CZK 50.9 billion, of which CZK 49.9 billion in the Czech Republic and CZK 1 billion abroad, of which CZK 38 million in Slovakia, CZK 133 million in Germany, CZK 69 million in the Netherlands, CZK 488 million in Poland, CZK 178 million in Hungary, CZK 6 million in Romania, CZK 16 million in Israel, CZK 59 million in Malta, and CZK 1 million in the United Kingdom. ČEZ, a. s., regularly ranks among the largest corporate income taxpayers in the Czech Republic. The Czech corporate income tax rate enacted for 2024 was 21%.

In the wake of the energy crisis in Europe in 2022, countries took special actions to reduce the impact of high commodity prices on end customers. In the Czech Republic, a windfall tax was introduced for the period of 2023 to 2025 in the amount of 60% above the regular income tax on the portion of income achieved exceeding the average income achieved by CEZ Group in 2018–2021.

For 2024, CEZ Group paid over CZK 29.9 billion to the Czech state in windfall tax. In addition, the regular corporate income tax, which is 21%, amounted to CZK 14.2 billion in 2024, including balance due on advanced tax payments for 2023. In total in 2024, CEZ Group paid more than CZK 63 billion to the Czech state in dividends, income taxes, and windfall tax. Total government budget revenues of the Czech Republic in 2024 were calculated at CZK 1,940 billion, i.e., CEZ Group companies paid more than 3% of all revenues to the state budget. Every year, CEZ Group companies rank among the best tax entities based on the amount of corporate income tax paid, as per announcement by the Financial Administration. In 2024, ČEZ, a. s., was ranked 1st, having paid corporate income tax of CZK 24,505 million. Severočeské doly was in the 20th place, having paid corporate income tax of CZK 954 million. The data pertains to the financial year 2023.

Apart from the corporate income tax, ČEZ, a. s., also declared CZK 2.620 billion in health and social insurance (11.55% increase year over year) as a mandatory contribution of the company to health and social systems organized by the Czech government. In addition, ČEZ, a. s., collected CZK 1.192 billion in employment taxes (16.31% increase year over year). ČEZ, a. s., collects employment taxes from employees on behalf of the Czech government.

Selected CEZ Group companies provide a wide range of extra welfare benefits, including nontaxable contributions to employee pension savings and life insurance. In 2024, ČEZ, a. s., contributed CZK 101.9 million to employee pension savings and life insurance (2.7% increase year over year).

Cyber Security and Information Privacy

Information security is one of the major aspects of our operations. We go to great lengths to meet the highest security standards and manage the risks involved.

Data Protection Officer

CEZ Group pays special attention to the processing and protection of personal data and respecting the privacy of employees, customers, and business partners. Therefore, its internal management documentation takes into account the requirements of legal regulations related to personal data protection, specifically Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR Regulation), Act No. 110/2019 Coll., on the Processing of Personal Data, and other relevant EU or Czech legal regulations dealing with the issue of personal data processing.

Pursuant to Article 37 of the GDPR, CEZ Group has appointed a Data Protection Officer (hereinafter referred to as the DPO) who provides services to the members of the concern of CEZ Group and other selected companies. In 2024, the DPO provided its services to 26 companies in total.

The Data Protection Officer (DPO) is an independent monitoring and advisory body, serving as a contact point for personal data subjects who have interacted with CEZ Group companies. The personal data subjects are mainly employees, customers, and business partners. The DPO cooperates with supervisory authorities and is a member of major interest associations active in the field of law and personal data protection. Specifically, the DPO is a member of the Association for Personal Data Protection, the Confederation of Industry of the Czech Republic, and the Czech Company Lawyers Association. Each CEZ Group company has a robust internal personal data protection system that ensures that daily systematic processing of personal data is in accordance with the above legislation.

As part of the performance of their activities, the DPO reports cases of personal data breaches within the meaning of Article 33 of the GDPR. At the same time, they may receive complaints from the supervisory authority (e.g., regarding unauthorized transfer of personal data or unsolicited commercial communications). The DPO ensures that corrective actions are always implemented within the specified time limit. The DPO provides training and e-learning for CEZ Group employees and personal data protection specialists and strengthens the protection of the rights and interests of data subjects.

As part of their activities, the DPO reported one personal data breach within the meaning of Article 33 of the GDPR in 2024. It concerned an error that occurred when changing the settings of the IT system; in consequence, the personal data of a total of 2,421 customers was included in the energy supply bills that were sent to other customers. The DPO ensured that corrective actions were implemented. The supervisory authority did not initiate an inspection in this case. In the same year, the DPO did not receive any grievances from the supervisory authority, only one request for cooperation and two requests for additional information. The DPO ensured that the requested cooperation was always provided within the specified time limit. No financial penalties were incurred by CEZ Group companies in 2024 in connection with possible personal data protection breaches.

In 2024, data subjects submitted 1,116 requests to exercise rights, of which 167 were rejected for lack of merit, and 25 were subsequently found not to be an exercise of rights within the scope of the GDPR and were forwarded to the relevant administrators for resolution. In 2024, the DPO conducted a total of 11 monitoring activities aimed at verifying the compliance of personal data processing with the GDPR.

The DPO‘s duties also include communicating with supervisory authorities and raising employee awareness of personal data processing, e.g., through training, e-learning, or newsletters. All employees undergo e-learning training every two years. In 2024, the DPO organized a total of 14 extended L2 training sessions for data processing and data protection specialists, attended by 697 employees. In the spring of 2024, the DPO organized a two-day workshop for DPOs of cooperating companies, including from outside the energy sector, and in the fall, the DPO, in cooperation with the Classified Information Protection Section, organized a two-day workshop for designated persons of all 26 companies served by the DPO. The DPO, in cooperation with the Categorized Information Protection Section, published a total of 6 issues of their newsletter in 2024. In addition, the DPO organizes a monthly meeting of the Data Protection Expert Working Group. The DPO also provides weekly press monitoring to the data processing and data protection specialists to inform them about new developments in the relevant area.

Cyber Security

The CEZ Group Protection Policy is a top-level document that sets out the commitment of the Board of Directors of ČEZ, a. s., and the statutory bodies of other affected companies in the CEZ Group, defining the vision, objectives and scope of the CEZ Group‘s protection management system in the areas of information and cyber security, protection of information, projects and interests, security of nuclear facilities and nuclear material, and ensuring business continuity and crisis management. It includes the Information and Cyber Security Policy, which was issued in 2017 and is publicly available on the website of ČEZ, a. s.

Critical information infrastructure and information systems are managed in line with the Cybersecurity Act No. 181/2014 Coll. Compliance with the Act is verified annually by an internal audit. Computer systems used for nuclear security management are responsibly secured pursuant to Act No. 263/2016 Coll., the Atomic Energy Act. CEZ Group considers compliance with legislative requirements with an emphasis on risk management principles, enhanced protection of systems, and promotion of cybersecurity culture to be priorities of its cybersecurity strategy. During 2024, there were no cases of noncompliance with cybersecurity standards and regulations.

A team called Integrated Security Operations Center (hereinafter referred to as iSOC) operates as part of CEZ Group, looking after CEZ Group‘s physical safety, information security, and cybersecurity. The task of the iSOC is to detect potential threats or incidents and prevent their recurrence in the future. There is also close cooperation with national security authorities like the National Cyber and Information Security Agency, Military Intelligence, and the Police of the Czech Republic. These efforts are paying off – by reducing the risk of threats and eliminating attacks, economic losses are prevented. In 2024, work continued to ensure the ability of CEZ Group companies to respond to cyber security incidents by establishing a CSIRT team, making it easier for them to deal with major cyber threats better than ever before. The goal of CEZ Group is to become listed in the Forum of Incident Response and Security Teams.

CEZ Group nuclear power plants underwent an annual audit called the Information Security Management System Audit in September 2024; in 2024 it was a so-called recertification audit to verify compliance with the ISO/IEC 27001:2022 standard. Among other things, the audit was aimed at verification of information system settings, compliance with legal requirements, and employee awareness. The new international certification is valid until October 2027. This makes ČEZ, a. s., one of the first companies in the world whose nuclear power plants received this certification. The certificate is published on the website of CEZ Group.

At the end of 2022, the EU NIS2 Directive on measures to ensure a high common level of cybersecurity came into force in EU Member States. This directive significantly expanded the range of obliged entities and the scope of cybersecurity obligations for existing regulated companies. The directive will be transposed in the Czech Republic into a new Cybersecurity Act, and approximately 47 CEZ Group companies will be subject to it. Many other companies outside the Czech Republic will be subject to the requirements of the laws of the EU countries where CEZ Group companies operate. To meet these requirements, an NIS2 implementation program was launched at CEZ Group. The program will help all our companies understand how to follow the new rules and make sure they are safe from cyber threats. In 2024, there was a significant shift in the design of the new management system and of specific plans for building the necessary competencies in this area in all CEZ Group companies. The program includes a deeper review of CEZ Group‘s cybersecurity strategy taking into account new cyber regulatory requirements and current cyber threats. The results of key phases and risks of the program are regularly presented to the Members of the Board of Directors.

Great emphasis is placed on ensuring the security of information and technological systems. CEZ Group follows laws, international standards, and recommendations to keep its products and services reliable for customers and partners. In the area of information and cybersecurity, CEZ Group follows the PDCA method (plan-do-check-act). Its goal is to balance the cost of protecting assets with their worth. For this purpose, an Information and Cyber Security Action Plan has been created, which sets out ways to comprehensively address all aspects related to information security throughout the organization. By following this plan, it is possible to keep the business secure while reducing risks from potential threats or security breaches.

CEZ Group employees must observe the Information and Cyber Security User Manual. The Manual explains complicated cybersecurity issues and translates them into real-life situations. Every year, a report is prepared that summarizes how CEZ Group is performing from a security perspective and what risks have been identified through audits or other controls. The report includes details about compliance with industry standards and is submitted to CEZ Group‘s Security Committee for further discussion.

In 2024, the management system in the areas of information and cybersecurity was assessed as functional and meeting the organization‘s requirements. Cyber threats did not change significantly year over year, and their actual impacts on protected assets were within acceptable limits. Control and audit activities during 2024 did not result in any significant deviations from the defined level of cybersecurity or non-compliance with legislative requirements.

The main target for 2025 remains the implementation and verification of the effectiveness of the established information and cybersecurity measures across CEZ Group, thanks to which CEZ Group will be able to effectively manage and change the level of protection of key assets for the functioning of key business processes, using a tiered approach and in accordance with applicable legislation. The areas and activities for 2025 are detailed in the action plan. CEZ Group has established the CEZ Group Security Committee, which is an advisory body to the CEO of ČEZ, a. s. The Committee discusses, in particular, how to protect CEZ Group, what the existing threats are and how to deal with them, what security measures are most important and when they need to be implemented, which major projects require special attention, along with analyses of security incidents, and proposals for corrective measures.

The Head of Security department keeps the CEO informed about information and cybersecurity in CEZ Group. The Head of Security department submits a report once a year or in case of extraordinary events. The Head of Audit and Compliance of ČEZ, a. s., provides an independent assessment of information and cyber security in ČEZ, a. s., and other companies in CEZ Group, and reports to the Board of Directors and the statutory bodies of CEZ Group companies.

CEZ Group regularly strengthens its resilience in the online environment and carefully monitors potential security risks. In 2024, there were 2,938 incidents related to information or cyber security – a significant increase (11%) compared to the previous year caused by the application of new data loss prevention rules. Cybersecurity has also become an integral part of all CEZ Group investment projects.

Application development at CEZ Group is governed by strict rules based on the principles of secure software development and operation. Regular testing of ICT/OT equipment reveals weaknesses and, in the event of deficiencies, eliminates them. Changes to live systems are always tested in a test environment first.

The implemented Security Awareness Program aims to develop a culture of safe behavior and information handling, increase employee expertise, and reduce risks associated with the human factor. The plan also includes specific training for different user groups, and is regularly updated and adapted to current threats. It is based primarily on the requirements of the Cybersecurity Act. All employees are trained every two years in order to increase their awareness and understanding of cybersecurity. In 2024, 16,000 employees were tested using mock phishing campaigns, and the testing is planned to be further expanded in the coming years. Professional training is prescribed for specific groups involved in ensuring information and cyber security requirements, such as administrators and persons in security roles.

Selected CEZ Group employees are members of ISACA or ISACA Czech Republic Chapter (CRC). This group is a part of an international organization that helps with managing, auditing, controlling, and securing information systems. The local chapter has over 300 members from different parts of business and government administration.

Security in relationships with suppliers in the area of information and cybersecurity in CEZ Group is addressed in accordance with Act No. 181/2014 Coll., Section 3(c), (d), (f), and (g) and Decree on Cybersecurity, Section 8 – Obligations in Supplier Management. Strict rules are set and implemented in this area in CEZ Group companies, and compliance with these requirements is regularly monitored. Their violation is considered a serious issue, resulting in appropriate actions. When selecting suppliers, the decisions are based, among other things, on a risk assessment questionnaire. Security requirements to ensure information security and cybersecurity and related instructions for suppliers are included in the respective contract. Selected minimum disclosure requirements (specifically targets and indicators) are not disclosed as they have been assessed as non-public under the Company‘s internal rules.