Regulatory Compliance Program

Regulatory Compliance Program

Regulatory Compliance Program

• 1. Introduction

  Critical Software is fully aware of its responsibility regarding the prevention of corruption and related offenses.

  Accordingly, Critical Software has sought to operate in accordance with principles of transparency and integrity, which remain a top priority for its shareholders, Board of Directors, and employees.

  Corruption risk management is regarded as a cross-functional responsibility shared by all Critical Software employees.

  Since 2021, the Critical Group Code of Conduct has been in force, clearly defining the ethical values and principles that guide the Critical community.

  The year 2023 marked the implementation of the new Regulatory Compliance Program, specifically the Corruption Risk Prevention and Related Offenses Plan (hereinafter referred to as the “PPR”), aimed at ensuring greater transparency in the monitoring and management of such risks.

  The 2025 Annual PPR Assessment Report primarily aims to present the results and conclusions of the risk assessment conducted across the various Critical Software clusters, as well as the preventive and response measures adopted regarding identified risks.

  The coordination of the preparation and drafting of the PPR Execution Report was carried out by the Legal Department. This document was approved by the Board of Directors.

• 2. Implementation of the Risk Management and Related Offenses Prevention Plan (PPR)

  Throughout 2025, Critical Software continued the implementation of its Corruption Risk Prevention and Related Offenses Program (PPR), strengthening integrity mechanisms and corporate governance best practices.

  • 2.1. Code of Conduct

    The Code of Conduct was updated on July 29, 2024, with the introduction of the Sustainable Value Chain section, ensuring that all relevant stakeholders are aware of our sustainability practices and expected standards of conduct. This revision reinforces the organization’s commitment to integrating sustainability into its ethical culture and relationships with external partners.

    In 2025, mandatory e-learning training on the Code of Conduct and Anti-Corruption policies was made available company-wide. The training recorded 1,380 completions out of a total workforce of 1,448 employees as of December 31, 2025, corresponding to a participation rate of 95.3%.

    This initiative aimed to strengthen employees’ understanding and awareness of the ethical principles and anti-corruption standards governing Critical Software’s operations, thereby contributing to an organizational culture grounded in integrity and regulatory compliance.

  • 2.2. Internal Whistleblowing Channel

    During the 2025 calendar year, no reports related to corruption or related offenses were submitted through the Internal Whistleblowing Channel or to the Critical Ombudsperson.

    This result reflects the organization’s broad commitment to the ethical values and integrity standards promoted by the Code of Conduct and the PPR.

    Critical Software continues to maintain the Whistleblowing Channel available and accessible to all employees, ensuring confidentiality and whistleblower protection in accordance with applicable legislation.

  • 2.3. Integrity Training and Communication

    In 2025, special emphasis was placed on the availability of mandatory company-wide e-learning training on the Code of Conduct and Anti-Corruption policies, which achieved 1,380 completions among 1,448 employees (95.3% participation rate), reinforcing the culture of integrity and corruption prevention.

    In addition, throughout 2025, Critical Software further strengthened its commitment to integrity by promoting several awareness sessions and workshops in strategic areas related to organizational culture. Topics covered included Diversity, Equity & Inclusion (DEI), Mental Health, Emotional Intelligence, Sustainability, and Workplace Moral and Sexual Harassment.

    These initiatives aimed to provide employees with opportunities to understand different perspectives, strengthen individual and collective well-being, and adopt practices aligned with the company’s values of responsibility and sustainability.

    A total of 2,787.59 training hours were delivered, with 1,275 participations recorded, particularly highlighting the strong engagement in DEI and Emotional Intelligence sessions.

    Simultaneously, the company maintained its active participation in business ethics reflection networks, reinforcing its commitment as a sponsoring member of the Católica Porto Business School Ethics Forum.

  • 2.4. Risk Matrix

    As 2025 represented the third year of implementation of the PPR, a full review of the Risk Matrix was carried out to ensure its alignment with emerging risks and best practices in preventive risk management.

    Following the completion of this review, it was concluded that no changes to the Risk Matrix were necessary, as the organization’s core operations had not undergone any modifications since the previous review, and no incidents were recorded during the period under analysis.

• 3. Identified Situations of High or Very High Risk of Corruption or Related Offenses

  During the period covered by this assessment, no incidents were recorded. Therefore, the preventive measures currently in place are considered adequate.

• 4. Preventive and Corrective Measures Implemented

  During the period covered by this assessment, no incidents were recorded. Consequently, no corrective measures were implemented.

• 5. Conclusions

  As of the present date, no records of corruption incidents or related offenses exist. Therefore, the preventive measures currently implemented under the PPR are considered adequate and sufficient.

  Without prejudice to the above, the individual responsible for the implementation, monitoring, and review of the PPR shall promote any measures deemed necessary should situations of high or very high risk of corruption or related offenses be identified in the future, thereby strengthening preventive controls.

  In compliance with the General Regime for the Prevention of Corruption, this Execution Report shall be published on Critical Software’s internal page as well as on its website.