To address the material risk related to data privacy, our Data Privacy Code of Conduct and Data Privacy Policy are created to ensure that all GN employees have the knowledge to mitigate risks and to ensure that GN complies with relevant data protection regulations as the General Data Protection Regulation (GDPR). Our Data Privacy Code of Conduct guides how all employees process and protect the consumer and end-user data that GN handles. The Data Privacy Policy also describes processes for collecting, processing, and protecting consumer and end-user data and applies to all employees in GN.

A key ongoing initiative to ensure compliance with our Data Privacy Policy and GDPR regulation is a GDPR risk assessment. As part of this, questionnaires are sent to business process owners via our compliance application. The aim with the initiative is to assess data privacy risks across all business processes including alignment with the EU AI Act, where AI systems and models are used in connection with personal data.

Another ongoing initiative to contribute to compliance with our Data Privacy Policy and work procedures is 'zero trust technologies'. It assumes that individuals, devices, and services that are attempting to access company resources, even if inside the network, cannot automatically be trusted. The initiative has resulted in significantly reducing any intruders’ ability to breach GN systems and data.

As this positive impact is inherent to the core activity in our Hearing division, it is not covered in a policy as such. The core action towards maximizing our positive impact is growing our Hearing business, which is reflected in our expected organic growth of 5-8% annually until 2028. Beyond that, we seek to further increase our impact by introducing new product categories, such as over-the-counter hearing aids, as well as efforts to increase broader awareness of the benefits of hearing health provided by our products. For more information on this, see LISTEN TO THIS™ on page 11.

Besides compliance with international and local regulations, GN has not set targets related to data privacy. GN’s ambition is to ensure that all employees have the proper knowledge of data privacy and that GN protects all personal data. GN complies with privacy regulations such as GDPR, Health Insurance Portability and Accountability Act USA (HIPAA), Personal Information Protection Law (China) (PIPL), and The Personal Information Protection and Electronic Documents Act (Canada)(PIPEDA). GN continuously reviews internal procedures and follows regulations to protect consumer and end-user data and ensure the effectiveness of policies and actions implemented. In connection with CSRD implementation, the process is formalized from 2024.

GN develops, manufactures, and markets hearing aids, which are classified as medical devices. Ensuring product safety to manage the material risk related to this is fundamental to our business and we adhere to strict regulatory frameworks and safety standards to effectively manage product safety risks.

GN safety policies ensure that our hearing products meet and exceed safety and quality standards, safeguarding user health and well-being. The policies apply to all hearing aids and associated accessories designed and manufactured by the company, covering all aspects from development to post-market monitoring. The policies do not cover third-party accessories or components not designed or manufactured by GN, nor does it apply to non-medical electronics.

Our safety policies outline measures to identify, assess, and mitigate product safety risks throughout the product life cycle. The policies include details on adherence to medical device standards, quality control protocols, and post-market surveillance activities. Furthermore, policies cover risk management approaches focusing on design safety, usability, and compliance with regulations.

At GN, we utilize robust internal processes to monitor key aspects of product safety, regulatory compliance, and risk management. Our overarching ambition is to maintain compliance with regulatory requirements, while proactively mitigating risks associated with product safety.

Several product safety related initiatives were implemented in GN during 2024:

• GN is exposed to regular audits and inspections to assess compliance with internal and external safety requirements. In 2024, we had a total of 17 external audits, including 8 external audits by our Notified Body.

• GN performs and documents training and have continuous education programs for staff to stay informed of product safety best practices and regulatory changes. During 2024, we conducted training on the updated standard operating procedures in the Quality Management System. Specifically, GN’s hearing employees received training in Quality Methods and Cyber Security.

We have set a target on deviation response time, which we measure as the time taken to initiate corrective actions if we have three consecutive months of underperformance against our response time KPI. The ongoing target and baseline value was 20 days which was formally defined in 2024. The average response time was 16 days in 2024, which was within the target value.

To set this target, we utilized a combination of quantitative analysis (e.g., incident data trends, KPI metrics) and qualitative assessment (e.g., internal audits, stakeholder feedback). Cross-functional teams including Quality, Regulatory Affairs, Risk Management, and Product Development are involved in defining, monitoring, and refining our KPIs. Feedback from regulatory bodies and industry partners informs our approach, particularly for adjusting compliance timelines and addressing emerging risks.

Regular management review meetings ensure that the target and KPIs are continually aligned with regulatory requirements and industry best practices. Vigilance processes are aligned with national and international regulatory requirements, where specific deadlines dictate the timeline for reporting incidents. We employ a trigger-based monitoring approach for CAPA (Corrective and Preventive Actions), where certain thresholds (e.g., exceeding specific KPI limits) automatically initiate a root cause analysis.

Finally, we seek to help people with hearing loss without direct access to hearing health due to their circumstances through a variety of product donation efforts globally. In relation to our positive impact of improving hearing health, we set a target in 2021 to help 10 million people with hearing loss by 2025. We have already reached that milestone, as by the end of 2024, we estimate that we are helping 11.2 million people with hearing loss live healthier and happier lives.

GN uses data for various purposes, which leads to benefits for GN and its customers. GN is committed to act ethically responsible with data and comply with ethical principles. By actively considering data ethics, GN intends to ensure human dignity, equality, fairness, responsible use of data, transparency, and awareness by minimizing risk of algorithm bias and discrimination, lack of transparency, lack of control, and lack of responsibility and accountability. GN is implementing appropriate organizational and technical security measures to ensure that any use of data happens in a safe and secure manner. GN will periodically review the contents of GN data ethics taking into consideration input from employees and partners, development in trends, technology, legislation, and ethical data values.

At GN, we utilize robust internal processes to monitor key aspects of product safety, regulatory compliance, and risk management. Our overarching ambition is to maintain compliance with regulatory requirements, while proactively mitigating risks associated with product safety.

Several product safety related initiatives were implemented in GN during 2024:

• GN is exposed to regular audits and inspections to assess compliance with internal and external safety requirements. In 2024, we had a total of 17 external audits, including 8 external audits by our Notified Body.

• GN performs and documents training and have continuous education programs for staff to stay informed of product safety best practices and regulatory changes. During 2024, we conducted training on the updated standard operating procedures in the Quality Management System. Specifically, GN’s hearing employees received training in Quality Methods and Cyber Security.