Actions/Prevention and detection of corruption and bribery (G1-3)
In order to sustainably anchor our understanding of compliance both within DB Group and in our cooperation with our stakeholders, we use various tools preventively and work to continuously enhance them. In 2025, this included the following measures:
- Compliance risk analyses: These are a key component of DB Group risk management and are conducted in the business units, service entities and Group management functions. A systematic Group-wide inventory of compliance risks is conducted in accordance with the governance requirements set by Group management. The binding framework concept sets out minimum requirements for planning, implementation, reporting and follow-ups.
Within a three-year cycle, all Group companies with operational activities must be audited for risks of corruption. At the level of the business units, service entities and Group management functions, reports on the relevant compliance risks are required to be published annually in a predefined format.
Compliance risk analyses conducted in 2025 showed that the business units, service entities and Group management functions are affected by corruption risks in different ways. Some Group companies, in particular from DB E.C.O. Group and DB Cargo, are active in markets outside Germany that are highly susceptible to corruption. For Group companies with activities in the area of the rail infrastructure, the high procurement volumes give rise to risks that corruption or fraud will be committed by suppliers or subcontractors at the expense of DB Group.
In 2025, the Management Board was informed about compliance risks in the annual compliance report. It separately set out the risk exposure of business units, service entities and Group management functions and highlighted existing risk-reducing factors and countermeasures.
- Compliance awareness and training: In order to be able to advise on compliance issues, executives and employees of the compliance organization must be informed about current developments. The Compliance Academy, a digital learning area, is available as a central knowledge transfer tool for regular training. The completion of centrally defined courses is mandatory.
Executives have a particular role to play in shaping our corporate culture. Various programs have been implemented to train them in compliant conduct and hence protect DB Group and themselves from compliance risks. The mandatory training program for top management was expanded in 2025 to include a new module on conflicts of interest. This supplements the established compliance coaching provided by DB Group’s Compliance, Internal Audit and Legal functions.
The Group-wide framework concept for compliance awareness follows a risk- and needs-oriented approach. Target groups with different levels of awareness are identified on the basis of a defined list of criteria and the respective training cycle is determined. The content of the training modules includes both standard knowledge on compliance requirements and specific knowledge derived from the respective business models for the business units, service entities and Group management functions. The content is communicated to executives and employees with a high and medium need for awareness by means of in-person events or e-learning. Over a period of two to two and a half years, we aim to achieve almost complete training coverage for executives and managers with high and medium risk. Executives and employees with a low need for awareness are made aware of compliance issues as part of their employment contracts and via Group-wide media and campaigns. Further information can be found under Metrics.
- Applicant checks: As part of the personnel selection procedure, pre-employment applicant checks were carried out for security-relevant functions of senior executives in 2025. For example, this applies to functional areas with budget responsibility of € 500 thousand or more, functions relevant to IT or operational safety and functions relevant to DB Group’s reputation. The checks cover areas such as corruption/white-collar crime and security-related offenses.
- Compliance organizational structure: In 2025, preparations were made to consolidate the previously decentralized compliance organization within the central compliance organization. The centralization planned for 2026 is intended to increase the efficiency of compliance work in DB Group, ensure the uniform interpretation and application of compliance standards and meet the constantly increasing regulatory requirements. Among other things, this is intended to enable the requirements of the Whistleblower Protection Act (Hinweisgeberschutzgesetz; HinSchG) and the extended external reporting obligations to be implemented even more effectively and in a coordinated manner across the Group.
- Digitalization: In 2025, compliance activities continued to be analyzed in terms of their digitalization potential. A new training format was used in cooperation with the University of Duisburg/Essen, in which an avatar conveys training content on a compliance topic. This was well received by the target group and additional formats are currently being developed. Furthermore, the areas in which the use of large language models can usefully support compliance management were examined, with the aim of further improving automation and information transfer. In addition, the Governance, Risk and Compliance (GRC) tool procured in the previous year has been used since 2025 to prepare the annual compliance reports and to track measures.
- Further development of compliance guidelines: In 2025, comprehensive preparatory measures were taken with regard to the amended framework guideline on sponsorship, which is expected to come into force in the first half of 2026. The aim of the revision is to anchor the procedure introduced at the beginning of 2024 for checking the compliance and integrity of all potential contractual partners in the Group-wide regulations. The check is carried out at an early stage by the responsible compliance unit. It is based on a compliance self-declaration to be completed by the contractual partner and includes, among other things, a sanctions list check.
An amendment to the framework guideline on donations, including the application forms for donations, was also prepared. The amendment is expected to take effect in June 2026. It was triggered by the Group-wide introduction of compliance and integrity checks, including in connection with donations. The exclusion criteria set out in the framework guidelines are decisive.
- Business partner compliance checks: The Group-wide compliance checks of business partners were further advanced in 2025. Building on the existing concept, more than 22,000 existing and new suppliers were screened for corruption and other relevant compliance risks as part of an interim procedure. Where anomalies were identified, further measures were initiated, including obtaining statements from affected business partners. The transition to a standard process is scheduled for completion in 2027. It depends on the progress of a corporate IT project.
In addition, measures were taken in 2025 to further standardize invoice-related documents and to automate billing checks in the area of security and construction-related services with the involvement of the compliance organization. The aim is to counteract potential misstatements at an early stage and to take the necessary legal steps to protect the Group’s assets even more effectively.
- Processing reports of corruption cases: There is a Group-wide whistleblower system for obtaining information about potential violations of laws or internal regulations.
Various organizational units of DB Group are involved in processing a report. While the central compliance organization is responsible for performing whistleblower management in connection with suspected cases of corruption, the Internal Investigations department, which is part of Group Security, is responsible for clarifying the facts.
The Compliance Committee, which is chaired by the CCO of DB Group, was set up to ensure the transparent and consistent handling of reported cases of corruption, among other things. Regular members are the heads of the Compliance, Intra-Group Auditors, Group Security, Legal, and Employment Conditions, Social Policy departments. The Compliance Committee makes recommendations for business units, service entities and Group management functions based on the reports discussed in this committee. If serious misconduct involving executives from top management is identified, the Disciplinary Committee, which includes the Chief Executive Officer, the Management Board member for Human Resources and Legal Affairs and the heads of the Compliance, Intra-Group Auditors and Legal departments, meets and addresses the necessary sanctions. The activities of the two committees brought about improvements in processes and awareness in 2025 and, in individual cases, consequences under contract and labor law.
Action plans 2026
The aforementioned actions will continue as described. In 2026, the focus will be on the centralization of the compliance organization and the further systematic examination of the areas in which digitalization and AI can be expanded.