Entity-specific disclosure: Cybersecurity

As laid out in our Strategy 2030, our goal is to accelerate growth without compromising profitability or sustainability, including through automation and digital customer solutions. This is supported by reliable and resilient implementation, strict compliance with all applicable regulations and robust cybersecurity actions. We use, create and store a significant amount of data in the course of our business activities, including personal data, and must ensure that the confidentiality, integrity and availability of data is protected. We moreover require our suppliers to implement and maintain appropriate and effective safeguards and controls to ensure the security of our systems and information, including personal data, as specified in our Information Security Code of Practice for Partners.

Cybersecurity is of particular importance for the success of our business. We therefore subject ourselves to continuous independent assessment by BitSight, an external rating agency. The result of that assessment (“rating”) is steering- and remuneration-relevant for Board of Management members and upper management.

Material impacts and risks identified (ESRS 2 SBM-3)

As part of the materiality assessment, we identified potential positive impacts relating to cybersecurity as well as actual risks.

MATERIAL RISKS, OPPORTUNITIES AND IMPACTS IDENTIFIED

| ESRS aspect | Topic | Impact on the business model¹ | Type | Impact on the value chain |
|---|---|---|---|---|
| Entity-specific: cybersecurity | IT and information security | Cybersecurity incidents can disrupt global supply chains, leading to negative financial impacts and business losses. | Risk | Yes |
| Entity-specific: cybersecurity | IT and information security | Safeguards to avoid fraud arising from phishing can improve employee awareness of cybersecurity and preventive actions. This helps to maintain and improve security and customer trust. | Positive impact (potential) | Yes |
| Entity-specific: cybersecurity | IT and information security | Cybersecurity can have spillover effects impacting the global stability of the commodity trade and postal market. | Positive impact (potential) | Yes |
| Entity-specific: data protection | Personal data protection | Infringements of data protection laws can lead to significant fines, negative financial impacts and reputational damage. | Risk | Yes |

¹ The ESRS call for the following distinction: actual impacts occurred at least once during the fiscal year, whereas potential impacts did not.

Policies related to cybersecurity

Our cybersecurity management activities protect the information of the Group, our business partners and our employees as well as company IT systems from unauthorized access or manipulation and data misuse. Personal data is used ethically and responsibly, and the fundamental rights and freedoms of individuals are respected. Artificial intelligence (AI) opens up a wide range of possibilities, but it also brings growing risks for the Group as cybercriminals make increasing use of it. In addition, how to use generative AI in a compliant manner is a general compliance topic. In this regard we take continuous action to minimize risk, such as holding regular training courses for our employees, monitoring all of our networks and IT systems globally via our Cyber Defense Center, and running regular information security incident simulations.

The Group Chief Information Security Officer (Group CISO) reports directly to the CEO. The IT Board determines the cybersecurity strategy and defines and manages Group-wide actions for cybersecurity, the protection of systems and data, and digitalization processes.

The organization of the Group CISO protects the Group from cyber threats and supports cybersecurity activities. The focus is on both strategic and tactical aspects of security of relevance to the entire Group. Those actions include Group-wide frameworks covering cybersecurity, incident and risk management processes, awareness training and other training programs as well as solutions intended to ensure and improve the security and resilience of our operating processes. Our cybersecurity management activities protect the information of the Group, of our business partners and our employees as well as IT systems from unauthorized access or manipulation and data misuse. Cybersecurity management also ensures uninterrupted availability and operational reliability. Our internal guidelines and processes are based on ISO 27002 and our data centers are certified in accordance with ISO 27001.

We limit access to our systems and data such that employees can only access the data they need to perform their duties. All systems and data are backed up on a regular basis, and critical data is replicated across data centers. In addition, we fix potential security vulnerabilities and protect system functionality by updating our software on a regular basis.

A variety of communication actions and training sessions help our employees become more aware of possible cybersecurity risks. All employees and managers with a corporate email address are regularly sensitized via phishing simulations. We also draw management’s attention to current risks by means of IT crisis simulations. Participation in “Information Security Awareness” training is mandatory for all employees with a corporate email address. Employees who have already completed the training must update their certification every two years.

Handling personal data

Data protection is a fundamental component of our product and service quality. At the same time, efficient data protection management helps us to avoid the risk of statutory penalties and loss of reputation. Our Group Data Privacy Policy and our data protection management system set the standard for Group-internal global transfers of data and for handling personal data in line with data protection laws. Many countries around the world have already set out the requirements for processing personal information in data protection legislation. We hold mandatory online training for those of our employees with a computer workstation to familiarize them with how to conduct themselves in a manner compliant with data protection laws. The global review processes of the Group’s data protection function and those in place within the individual corporate divisions are aimed at ensuring adherence to data protection laws all over the world. In fiscal year 2025, the Group Data Protection Policy was revised and published in January 2026. The corresponding training formats were adjusted accordingly.

Targets related to managing material impacts, risks and opportunities

We also subject ourselves to an independent assessment by an external rating agency (BitSight); the resulting performance indicator (rating) is steering- and remuneration-relevant.

The rating is based on a technical analysis of vulnerabilities, performed daily by an automated service, and alerts the rated company to potential security risks. Unlike self-assessments, an external cybersecurity rating offers greater transparency and, thanks to standardization, enables comparison with other companies. We compare our performance with DAX 40 companies as well as with key accounts and logistics companies that are not included in the DAX 40. The target value is determined by our aspiration to be within the upper quartile of our peer group. The result accounts for 10% of the annual bonus calculated for the Board of Management.

At the end of 2025, BitSight’s cybersecurity rating was 780 out of a possible 820 points (2024: 750 points). The rating agency adjusted its rating scale during fiscal year 2025. This resulted in a 10-point change; our target value was updated accordingly. The goal for 2026 is for the cybersecurity rating to remain in the upper quartile of the peer group and amount to at least 720 points. Should BitSight change its rating scale again, we will adjust this figure in line with the change.
