Business Conduct

SDG8, SDG16

Code of Conduct and Ethics in CEZ Group

GRI 2-23, 2-24, 2-27, 3-3, 205-1, 205-2, 409-1

CEZ Group Code of Conduct

CEZ Group management promotes ethical values in all business activities and conduct. Management clearly states its objective in two primary documents: the Code of Conduct Policy (Code of Conduct) and the Compliance Management System Policy.

The Code of Conduct sets forth ethical rules for employees and members of CEZ Group’s statutory bodies. The Compliance Management System Policy sets out the responsibilities, conditions, and tools for ensuring compliance with legal obligations and ethical standards in CEZ Group. Details of practical measures (e.g., training, prevention of conflicts of interest, whistleblowing, investigations) are part of the subsequent internal guidelines.

The Board of Directors of ČEZ, a. s., accepts full responsibility for compliance with the adopted ethical standards. This responsibility includes, among other things, the creation of appropriate conditions, adequate resources, effective governance structures, and control mechanisms.

First published in 2015, the Code of Conduct exists in two publicly available versions. The basic version, the Decalogue, summarizes the most important principles regarding stakeholder relations. The unabridged version, the Alphabet, supplements the Decalogue with rules for observing the Code of Conduct. Both documents undergo regular reviews to reflect legislative demands and best practices.

The Code of Conduct is binding for all employees. New employees must review the Code upon hiring. Since 2022, subsequent training has taken place annually (previously once every two years), with a target of at least 95% of staff participating. In 2023, 98.17% of employees of CEZ Group companies, whose training is provided by the Human Resources Development Department of ČEZ, a. s., received training on the Code of Conduct.

Discrimination and Human Rights

GRI 3-3, 406-1, 408-1, 409-1

Direct or indirect discrimination and harassment have no place in our corporate culture. The non–discrimination principles are set out in the Code of Conduct and the Ethical Conduct Policy. Practical anti–discrimination measures, procedures, and guidelines are in place to ensure compliance with these principles. The principles aim to create a culture of cooperation based on diversity, mutual respect, and protection of vulnerable groups. If employees suspect or know of illegal or unethical conduct in violation of the CEZ Group Code of Conduct, they can report it through the Whistleblowing Hotline without fear of any sanctions.

We strongly advocate diversity, equal opportunities, and a respectful working environment. This stance is confirmed in the Diversity and Inclusion Policy adopted by the Board of Directors of ČEZ, a. s., in 2021. We create desirable conditions for employees to develop their full potential and career growth. When it comes to new hires, education, expertise, qualifications, and skills are the deciding factors for hiring a candidate.

We respect human rights and clearly declare our stance in the Code of Conduct. As a UN Global Compact participant, we duly subscribe to its principles related to the rejection of forced or compulsory labor and the prohibition of child labor.

As an employer, we strive to maintain social peace. We recognize the importance of the right to freedom of association and collective bargaining, occupational health and safety, and fair and satisfactory working conditions. Therefore, we monitor employee satisfaction and meet their needs. At the same time, where possible, we only work with suppliers who also subscribe to these principles.

Training and Communication

GRI 205-2

Training and communication are two key elements of our CMS, designed to ensure that all our employees are aware of and comply with the principles and rules set out by our internal policies. Training on ethics (Code of Conduct) and anti–bribery rules is mandatory for all employees during on–boarding and at least once a year. The 45–minute training session on preventing corruption and conflicts of interest reflects the complexity of this topic.

In addition, individuals in relevant positions are regularly trained in policies and procedures to address other topics, e.g., anti–money laundering, competition rules, whistleblowing, and regulatory compliance. The Audit and Compliance Department also communicates compliance–related issues in the company magazine and on the intranet, based on an annual communication plan. The Department uses these communication channels to promote awareness, prevent unethical conduct, introduce key compliance topics, and explain their importance to the entire CEZ Group.

Anti-competitive Behavior

GRI 206-1

Competition creates a healthy economic environment and promotes sustainable growth. As the largest energy group in Czechia, we treat compliance with the rules of competition protection (pursuant to the Act on the Protection of Competition No. 143/2001 Coll. and Articles 101–109 of the Treaty on the Functioning of the European Union) as central to our business conduct. Therefore, preventing violations of these rules is a priority on the CMS agenda.

In practice, all employees must behave properly in business relations and safeguard the company’s reputation as a fair market player. Employees must not only avoid anti–competitive behavior but also prevent it. This also refers to compliance with the unbundling rules. To act appropriately, employees learn about this topic and requirements in ethics training and through internal communication channels.

The Competition Compliance Unit of the Legal Services Department of ČEZ, a. s., provides regular training for responsible employees focusing on specific risks of anti–competitive behavior of CEZ Group companies, as well as consultancy on a continuously growing number of relevant business plans in terms of compliance with competition law. The Unit has also prepared a competition compliance e–learning module for a broad group of employees involved in relevant transactions, which was implemented in 2023 and completed by more than 2,000 CEZ Group employees.

In 2023, no illicit anti–competitive behavior or other violation of the rules of competition protection occurred on the part of CEZ Group. One competition law litigation is currently pending between a CEZ Group company (Severočeské doly) and the Office for the Protection of Competition.

CEZ Group contracts are subject to mandatory legal review aimed, among other things, at compliance with the rules of competition protection (e.g., prohibition of bid rigging). Any findings lead to adequate measures.

Audits and Precautionary Approach

GRI 2-23, 3-3

Regular and systematic internal audits and compliance checks are performed to verify compliance with all the above–specified rules. They assure the governing bodies that the management and control systems are operational and that significant risks are covered. Internal audits are performed by the Internal Audit Department of ČEZ, a. s., whose independence and efficiency come under the scrutiny of the Audit Committee of ČEZ, a. s.

The Internal Audit Department of ČEZ, a. s., regularly undergoes a comprehensive external quality assessment to evaluate compliance with international internal auditing standards and the Code of Ethics for internal auditors issued by the Institute of Internal Auditors. The assessment repeatedly confirms full compliance of our internal audit activities with the standards and the Code of Ethics and the high efficiency of the Internal Audit Department of ČEZ, a. s.

The Internal Audit Department of ČEZ, a. s., systematically checks all key processes, segments, and risks of CEZ Group. The Board of Directors and the Audit Committee regularly receive a summary of the audit results and corrective actions taken.

In 2023, 35 audit investigations were performed: 10 in ČEZ, a. s., and 25 in its subsidiaries (including 4 audits of foreign holdings).

In addition to internal audits, we apply a precautionary approach. We do not pursue activities with uncertain or potentially hazardous effects. We take a precautionary approach at four levels:

  • verification of selected information provided by the new employee/applicant (pre-employment screening)
  • business entity screening before the potential acquisition of a company (due diligence)
  • vetting suppliers before entering a contractual relationship
  • compliance audit of selected suppliers during the business relationship.

Tax Governance

GRI 3-3, 207-1, 207-2, 207-3, 207-4

We strive to be a responsible and trustworthy corporate citizen. Cultivating good community relationships is the basis for long–term sustainable development. Responsible and transparent tax governance is a way to honor our commitments to society.

Approach to Tax

CEZ Group is a multinational corporation comprised of over 200 entities operating in many countries, primarily in Central Europe. Despite the differences in tax laws of individual countries, CEZ Group’s tax principles and management closely follow the underlying rules of the Code of Conduct: ethics, integrity, responsibility, and transparency.

The CEZ Group’s approach to tax management is embedded in internal policies and guidelines, which describe a general framework and details of responsibilities related to tax agenda.

Domiciled in Czechia, CEZ Group does not apply a consolidated corporate income tax because Czech tax laws disallow consolidated tax returns. From a tax perspective, CEZ Group companies are separate entities and independent taxpayers. Hence, the companies pay taxes locally according to valid legislation in each country of operation. The overview of total income tax paid forms a part of the consolidated Annual Financial Report, which is independently audited and is publicly available on our website.

The main responsibility for tax governance and strategy lies with the Chief Financial Officer (CFO), who is also a member of the Board of Directors and the Head of the Finance Division. The CFO delegates daily operational authority for tax matters to the Tax Department. The Tax Department's domain covers, in particular, tax administration, tax advisory and opinions, preparation of tax returns, and tax assessment of contracts. The Tax Department's analyses and reports to the Board of Directors support business investment decisions.

The Supervisory Board and the Audit Committee check whether the Board of Directors exercised its powers in compliance with legislation, principles, and good practices. In 2022, the tax area was reviewed by the CEZ Group internal audit which expressed no reservations in its final statement. The processes in the Tax Department are also reviewed annually by the Risk Management Department.

The Tax Department’s agenda also includes communication with tax authorities. Typically, Czech companies come under the Tax Authority according to their place of operation. Due to its size, ČEZ, a. s., comes under the Specialized Tax Authority, which handles tax matters of large companies.

Tax Integrity, Transfer-pricing, and Grievance Mechanism

CEZ Group fully meets tax standards and regulations in all conduct and countries where it operates. CEZ Group’s tax governance and risk management are subject to internal processes and aligned with a responsible, credible, and sustainable approach. CEZ Group does not adopt any tax mechanisms or business structures to alleviate its tax burden deliberately, nor does it participate, directly or indirectly, in tax avoidance schemes or use of tax havens. Taxation issues are not the primary driver of the Group’s business decisions.

Internal transfer pricing guidelines stipulate tasks, responsibilities, and procedures for transfer pricing in CEZ Group. Applying an arm’s length principle, the Group transfer pricing fulfills the market standard, local tax legislation, and the concepts of the OECD Guidelines.

To mitigate transfer pricing risks and avoid disputes, CEZ Group employs an advance pricing agreement (APA) for the companies situated in Czechia. APA represents a formal agreement with tax authorities to determine and use transfer prices with related parties for a certain period.

The Whistleblowing Hotline serves as a tool for raising concerns or suspicions about illicit tax conduct. The Hotline offers various means to submit a concern (via Intranet/Internet, email, or phone) and ensures whistleblowers’ anonymity to protect them from retaliation. The Audit and Compliance Department investigates all reports independently and takes remedial measures.

Facts and Figures

In 2023, the CEZ Group’s current corporate income tax amounted to CZK 45.8 billion, of which CZK 45.4 billion was in Czechia and CZK 0.4 billion abroad. The amount abroad comprised CZK 29 million in Slovakia, CZK 80 million in Germany, CZK 20 million in the Netherlands, CZK 164 million in Poland, CZK 54 million in Hungary, CZK 9 million in Romania, CZK 15 million in Israel, CZK 39 million in Malta, and CZK 1 million in the United Kingdom.

ČEZ, a. s., regularly ranks among the largest corporate income taxpayers in Czechia. The Czech corporate income tax rate enacted for 2023 was 19%.

In the wake of the energy crisis in Europe in 2022, nation states took special measures to reduce the impact of high commodity prices on end customers. In Czechia, windfall taxes were introduced: a levy on surplus revenues from generation from December 2022 to the end of 2023 and a levy on unexpected profits, which amounts to additional 60% above the normal income tax on the portion of profits gained in excess of the average profits earned by CEZ Group in 2018–2021.

For 2023, CEZ Group paid over CZK 43.8 billion to the Czech state due to the windfall taxes and levies. In addition, the regular corporate income tax, which is 19%, amounted to CZK 24.8 billion in 2023, including balance due on advanced tax payments for 2022.

In total, CEZ Group paid more than CZK 120 billion to the Czech state in dividends, income taxes, and levies on revenues from generation. Total government budget revenues of Czechia in 2023 were calculated at CZK 1,914 billion, i.e., CEZ Group companies paid more than 6% of all revenues to the state budget.

Every year, CEZ Group companies rank among the best tax entities based on the amount of corporate income tax paid, as per announcement by the Financial Administration. In 2023, ČEZ, a. s., was ranked 3rd, having paid corporate income tax of CZK 2,732 million. ČEZ Distribuce was in the 14th place, having paid corporate income tax of CZK 1,371 million.

Apart from the corporate income tax, ČEZ, a. s., also declared CZK 2.348 billion in health and social insurance (5.86% increase year–on–year) as a mandatory contribution of the company to health and social systems organized by the Czech government. In addition, ČEZ, a. s., collected CZK 1.025 million in employment taxes (36.14% increase year–on–year). ČEZ, a. s., collects employment taxes from employees on behalf of the Czech government.

CEZ Group provides a wide range of extra welfare benefits, including nontaxable contributions to employee pension savings and life insurance. In 2023, ČEZ, a. s., contributed CZK 99.2 million to employee pension savings and life insurance (4.3% increase year–on–year).

At the end of 2023, no legal tax disputes concerning CEZ Group were pending.

Cyber Security and Information Privacy

GRI 3-3, 418-1

Information security is one of the major aspects of our operations. We go to great lengths to meet the highest security standards and manage the risks involved.

Data Protection Officer

In CEZ Group, we pay special attention to processing and protecting personal data and respecting the privacy of our employees, customers, and business partners. Therefore, we duly reflect the provisions of the relevant personal data protection legislation in our internal directives, namely:

  • Regulation (EU) 2016/679 of the European Parliament and the Council (GDPR)
  • Personal Data Processing Act No. 110/2019 Coll.

We constantly monitor and adjust processes and measures to adapt to the current legislative developments and interpretative trends, mainly those of the courts, supervisory authorities, and the European Data Protection Board. Specifically, this means that we consistently ensure that the processing of personal data is always lawful, fair, and as transparent as possible towards the data subjects concerned. We only collect, store, and process personal data for a strictly necessary period of time, in limited quantities, in accordance with a clearly defined purpose, and on the basis of a predefined legal title. The data subjects are always duly informed of the processing method, of their rights, and of the principles and measures for the protection of personal data before and at any time during the processing of personal data.

Given CEZ Group’s strategic goal to digitize 100% of key customer processes by 2025, we see compliance with strict data protection standards as an imperative. Pursuant to Article 37 of the GDPR, CEZ Group has appointed a Data Protection Officer (DPO) who provides services to the members of the concern of CEZ Group and other selected companies. In 2023, the DPO provided its services for 26 companies in total.

The Data Protection Officer is an independent monitoring and advisory body. The DPO serves as a contact point for personal data subjects who are in contact with CEZ Group companies. The personal data subjects are mainly employees, customers, and business partners. Data subjects send requests to the DPO to exercise their rights electronically, by mail, or via data mailbox.

In 2023, data subjects submitted 819 requests to exercise rights, of which 159 were rejected for lack of merit, and 25 were subsequently found not to be an exercise of rights within the scope of the GDPR and were forwarded to the relevant administrators for resolution.

Other tasks of the DPO and his office are, in particular:

  • to protect the rights and interests of data subjects
  • to monitor compliance of personal data processing with the GDPR
  • to cooperate with specialized departments of the concern members in dealing with security incidents and personal data breaches

The DPO’s duties also include communicating with supervisory authorities and raising employee awareness of personal data processing, e.g., through training, e–learning, or newsletters. All employees undergo e–learning training every two years. In addition, the DPO organizes a monthly meeting of the Data Protection Expert Working Group. The DPO also provides weekly press monitoring to the data processing and data protection specialists to inform them about new developments in the relevant area.

In 2021, the DPO reported to the supervisory authority one case of a completed serial external attack on our call centers to gain access to customers’ online accounts, which was investigated by law enforcement agencies during 2022 and closed in February 2023, with a total of 7 persons being charged with the offence of unauthorized access to a computer system and information carrier under section 230(2) of the Criminal Code, with a penalty of up to three years.

In performing his activities, the DPO reported a total of 12 personal data breaches in 2023 within the scope of Article 33 of the GDPR, 8 of which involved a single breach affecting 8 CEZ Group companies. In the same year, the DPO received a total of 2 complaints from the supervisory authority. One complaint related to the unauthorized transfer of personal data to a third party. The second complaint was related to an unsolicited commercial communication. The DPO ensured that corrective actions were always implemented within the specified deadline. In none of these cases did the supervisory authority initiate an inspection. No financial penalties were incurred by CEZ Group companies in 2023 in connection with possible personal data protection breaches.

Cyber Security

SASB IF-EU-550a.1

CEZ Group takes the security of its information assets very seriously. We are a leader in important infrastructure, and it is crucial that we protect ourselves from any potential dangers. Therefore, in 2017 the Board of Directors approved an Information and Cyber Security Policy, setting goals to achieve the objective. The policy is publicly available on the website of ČEZ, a. s. The Chief Security Officer is responsible for compliance with the policy.

We manage critical information infrastructure and information systems of essential services in line with the Cyber Security Act No. 181/2014 Coll. We check compliance with the Act annually by an internal audit. We also responsibly secure the computer systems used for nuclear safety management pursuant to the Atomic Act No. 263/2016 Coll. We consider compliance with legislative requirements, with an emphasis on risk management principles, enhanced protection of systems, and promotion of cyber security culture, to be priorities of our cyber security strategy. During 2023, we did not experience any incidents of non–compliance with cyber security standards or regulations.

In 2023, important developments in cyber security included: (1) We continued to increase the capacity and competence of our Integrated Security Operations Center. (2) International inspectors reviewed our nuclear power plants, including the cybersecurity process. (3) In the field of cybersecurity, a 24/7 on–call process was initiated at both our nuclear power plants. (4) As part of the improvement of information and cyber security processes, as in the previous year, an exercise on the topic of bringing in mobile devices was carried out in cooperation with supervisory authorities, suppliers, and central departments. (5) We worked intensively on changes related to the new European legislation NIS2 and the upcoming new law on cyber security.

The team of the Integrated Security Operations Center (iSOC) looks after CEZ Group physical safety, information security, and cyber security. The iSOC works hard to detect any potential threats or incidents and prevent them. We also work closely with national security forces like the National Cyber and Information Security Agency, Military Intelligence, and the Czech Police.

In September 2023, our nuclear power plants went through an annual check–up called an audit of the information security management system. As per the EN ISO/IEC 27001:2017 standard, the audit assessed the setup of our computer systems, compliance with laws and regulations, and information security awareness among employees. The audit valued highly that nuclear facilities only allow contractors to maintain and configure security control systems using exclusively the nuclear operator’s computers.

We passed the audit successfully and retained our international certification which is valid until October 2024. This makes us one of the first nuclear power plants in the world to get this certification. You can see our certificate on the company website.

At the end of 2022, the EU Directive NIS2 on measures to ensure a high common level of network and information systems security came into force.

Requirements of the new Cyber Security Act should expand the number of obliged entities within CEZ Group: about 47 CEZ Group companies in Czechia and many others abroad will comply with the requirements of the transposition laws of the relevant countries within the EU in which CEZ Group companies operate. To meet these requirements, we launched a program for NIS2 implementation in CEZ Group. This program will help all our companies understand how to follow the new rules and make sure they are safe from cyber threats.

Every year, we prepare a report summarizing the security of our company and any risks identified by audits or other checks. The report includes details about compliance with industry standards and is submitted to the CEZ Group Protection Committee for further discussion.

CEZ Group has set up the CEZ Group Protection Committee that advises the CEO of ČEZ, a. s. This committee discusses the following topics in particular: (1) how to protect CEZ Group; (2) what threats there are and how to deal with them; (3) which security measures are most important and when they should be done; (4) which big projects need special attention; (5) important documents (plans, reports, etc.); (6) why it is important to follow security rules; (7) whether everything works well based on regular checks; and (8) analyses of security incidents and proposals for corrective measures.

We try to strengthen our online protection and pay attention to potential security risks. In 2023, we had 2,938 incidents related to information or cyber security – a significant increase (11%) compared to the previous year caused by the application of new Data Loss Prevention rules. We also ensure that cyber security is an integral part of our investment projects. It is essential for our employees to understand safe internet use, and training sessions are provided every two years. Our goal is to train employees to spot suspicious and malicious emails and use phones and websites without any risk.