IROs: G1-NI2 Time horizon: short-, medium- and long-term

IROs: G1-NI2 Time horizon: short-, medium- and long-term

HOCHTIEF procures considerable volumes of materials such as concrete, steel, and timber as well as services such as those of craft trades—corresponding to 74 % of Group work done—and places strong emphasis on responsibility and fair play in procurement processes.

HOCHTIEF has implemented a comprehensive, multi-level risk management process in procurement. This is designed to identify social and environmental sustainability risks and/or violations at an early stage and to mitigate these through suitable prevention and remedial measures—such as targeted training—in dialogue with the respective business partner.

The outcomes of the individual risk management steps are included in our supplier and subcontractor selection process.

HOCHTIEF aims to work primarily with local suppliers and subcontractors based in the vicinity of our project sites. In this way, we seek to ensure short transportation distances and strengthen local economies.

During implementation of its policies/actions, HOCHTIEF takes into account the requirements of ISO 27001 and thus of a structured information security management system (ISMS).

Following on from the annual reporting of our Scope 1 and 2 as well as selected Scope 3 emissions (3.1 Purchased products and services, 3.5 Waste generated in operations, and 3.6 Business travel) and publication of the first TCFD paper, we devised and rolled out the HOCHTIEF Sustainability Plan 2025 Group-wide in 2022. In this plan, alongside targets for all ESG dimensions, we notably formulated our climate targets and consolidated our Group-wide commitment to climate neutrality (net zero) by 2045. The reduction targets are science-based, align with the 1.5 degree target under the Paris Climate Agreement and the requirements of the Science Based Targets initiative (SBTi), and have been formally adopted by the HOCHTIEF Executive Board. Our climate change mitigation strategy and the associated transition plan are based on these commitments and the additional milestones set in 2023 for 2030.

Cybersecurity is part of our IT strategy and is embedded in our IT Directive by way of the Information Security Policy. The policy approach is likewise publicly documented in our information security guidelines. These frameworks have been approved by the Executive Board of HOCHTIEF Aktiengesellschaft. They are mandatory throughout the Group and their implementation is binding for all HOCHTIEF companies. During implementation of its policies/actions, HOCHTIEF takes into account the requirements of ISO 27001 and thus of a structured information security management system (ISMS). The policies and actions are continuously fine-tuned in consultation with the relevant stakeholders (such as our own workforce, business partners, and clients). To this end, positions, committees (such as the IT Steering Committee), and processes (such as for exception requests and concept approval requests) have been established to ensure that all requirements (relating, for example, to operations, investment spending, or information security) are addressed in a structured manner, taking the material impacts into account.

We focus on prevention to counteract risks. The first line of defense at HOCHTIEF is security by design. This means the use of technical measures where the implementation process ensures a safe working environment on the basis of system design or configuration. Where recourse is made to organizational measures, these are subject to structured, documented procedures backed up with checks and balances. The measures are flanked by technical analysis systems.

Employee training on cybersecurity is also geared to common and current threats.

Lessons learned from emerging developments are continuously incorporated into security objectives and/or the Information Security Policy.

Initiatives implemented throughout the Group in the reporting year to protect against cybersecurity risks include the following:

• Structured requirements management processes including the management of information security risks (check list, involvement of specified departments, risk assessment, etc.)
• Internal phishing campaign to identify specific action such as a need for employee training
• Automated and manual penetration tests to detect security vulnerability in Internet-facing systems
• Mandatory training for all employees on general information security topics, plus ad-hoc information in the form of newsletters and intranet articles on current threats
• Continuous automated detection of vulnerabilities in Internet-facing systems, with reporting to support structured response processes
• Patch management on the basis of structured technical and organizational processes
• Attack detection and tracking solutions in operation
• Attack surface minimization by using technical measures for global blocking of entry points
• Use of technical means to minimize access to recognized and permitted systems or identities (for example, conditional access or MFA)
• Assessment of cybersecurity risks extended to include business-critical suppliers and business partners
• Structured reporting of business-critical security incidents