3.2 Risk management & internal controls

Risk management is an essential part of our business strategy. The primary objective is to identify and mitigate risks that have a potentially major impact on our ability to achieve our strategic and financial goals and, consequently, on the overall value of our business.

The Board of Directors has the overall responsibility for achieving our strategy and objectives and establishing adequate internal risk management and internal control systems. The implementation of our strategy, which is aimed at achieving market leadership in our key markets, is consistent with effective risk management, in which risks are identified in a timely manner and mitigating measures are taken where necessary.

We firmly believe that a sense of ownership leads to optimum risk management. Nedap’s culture balances personal responsibility and autonomy with risk awareness and provides a solid foundation for managing risks in both day-to-day operations and strategic decision-making. This culture is reinforced by our code of conduct. The Board of Directors, NLT, senior management, and the Supervisory Board all play an important role in safeguarding this culture and ensuring that long-term impacts are considered in decision-making. 

To support this approach, Nedap applies a three-lines model that fits the nature of the company and supports effective risk management across all risk categories.

  • First line
    The first line consists of employees. They are responsible for identifying, managing, and escalating risks as part of their day-to-day activities. By identifying and addressing risks within their areas of responsibility, employees act as the first line of defense and contribute directly to maintaining an effective risk and control environment.

  • Second line
    The second line consists of corporate expert functions and designated members of business unit leadership teams that provide guidance, support, and oversight to the first line. These functions include, among others, finance, IT, HR, legal, and compliance. Within the compliance domain, compliance theme owners and the compliance officer fulfill second-line roles by setting frameworks, monitoring developments, and supporting the organization in managing compliance risks.

  • Third line
    The third line is formed by the internal auditor, who provides independent assurance on compliance and the design and effectiveness of Nedap’s risk management and internal control systems. The internal auditor reports findings to the Board of Directors and the Supervisory Board.

In our open, informal culture, finding the right balance between rules and entrepreneurship requires continuous dialogue, particularly in light of increasing regulatory pressure. While the primary responsibility for managing risks lies within the business units, the alignment of supporting processes and expertise within the corporate teams enables the business units to remain focused on their core activities. In this way, risk management is embedded throughout the organization and integrated into strategic planning and daily operations. 

Sustainability continues to play a prominent role in our value creation model, presenting both risks and opportunities for Nedap. The increasing importance of sustainability, combined with the evolving laws and regulations introduced in recent years, has driven us to embed sustainability into our strategic planning and risk management processes.

Risk appetite

Nedap strives to strike the right balance between acceptable entrepreneurial risk and sustainable long-term value creation while remaining in control. Our risk appetite ranges from medium to high in terms of strategic risks, like solution development and commercial initiatives, and operational risks. When it comes to compliance with legislation and regulations, our risk appetite is low, with respect for both the letter and the spirit of the law. The table below shows Nedap’s risk appetite by risk category:

Category            Risk appetite
Strategic risks     Variable, majority medium to high
Compliance risks    Low
Reporting risks     Low
Operational risks   Variable, majority medium to high

Risk management and control systems

Nedap Risk Management Framework

Nedap has a solid system in place for responsible risk management. Our entrepreneurial culture leads to widespread interaction within and between teams, business units, and the Board of Directors, resulting in strong informal checks and balances. These are supplemented by formal procedures and controls where compulsory or deemed useful. These procedures and controls are based on the Nedap Risk Management Framework, which was adopted by the Board of Directors and the Supervisory Board. This framework identifies the connections between enterprise risk and the internal control system, contextualizing the Committee of Sponsoring Organizations (COSO) principles and linking them to business processes and procedures.

The Nedap Risk Management Framework is organized around our business processes. Risks that, due to their size, nature, and impact, could result in substantial losses, serious consequences for a business unit, or damage to the company as a whole, are reported to the Board of Directors. The Board of Directors then decides on follow-up actions in these situations.

As part of the strategic process, strategic risks and opportunities are included in the multi-year plan and discussed with the Board of Directors and the Supervisory Board. In addition, we organize annual risk sessions with business units and corporate teams to raise awareness, share knowledge, and identify Nedap-wide trends and developments to consider during the strategic process. Relevant risks for each business unit are identified and discussed. Specific sessions are held to raise awareness around fraud and integrity, including measures for detecting and preventing fraud. These risk sessions operate as an extra control mechanism, reinforcing the risk management principles of the business units and the Nedap Risk Management Framework. They also enable management to identify and share best practices within and across business units. We pay specific attention to identifying and prioritizing sustainability risks and opportunities in relation to the ESRS.

Risks that, due to their size, nature, and impact, could potentially have major consequences for Nedap, are included in the risk table at the end of this section. These risks have been classified into the following categories: strategic, operational, compliance, and reporting. The risk table includes a description of the associated impact and probability trend, as well as the key measures to mitigate the risk. Specific financial risks are addressed separately in the financial statements.

Strategic and financial management system

Nedap has an adequate and effective strategic and financial management system. Key components include the strategic calendar, which consists of the multi-year plan and the budget, and the financial reporting system, which tracks both the progress and actual outcomes of the company’s operating activities. The financial management system is designed to:

  • Set and align the right priorities and targets at the board and business unit level.

  • Test actual progress and performance against objectives.

  • Enable management to retain control over responsibilities delegated to others.

  • Manage cash and cash-equivalent flows within the organization.

  • Identify and restrict risks.

  • Detect and prevent fraud.

The Board of Directors and business unit leaders also hold consultations on significant market-related matters, major investments, the progress of research and development projects, and staff allocations that go beyond the budget. Their final decisions are made in the interest of Nedap as a whole.

The Group Controlling department in Groenlo plays a leading role in finance and risk management. The department’s role is to verify the data used in financial reporting and ensure the proper execution of administration and data processing tasks. It also ensures the correct, complete, and timely delivery of these reports, while overseeing other departments responsible for delivering data with a focus on detecting and preventing fraud. The Group Controlling department holds operational responsibility for financing, cash management, currency management, and taxes, and is responsible for risk management processes globally. Due to these responsibilities, the department is required to have regular and timely consultations with the Board of Directors and to work closely with employees in the Netherlands and abroad.

Operational risks

Operational risks are primarily managed within the business units as part of day-to-day operations. These risks relate, among other things, to people, processes, systems, supply chain activities, and the continuity and reliability of operations. Business units are responsible for identifying, assessing, and managing operational risks within the boundaries of Nedap’s risk appetite, supported by corporate expert functions and aligned processes. Where appropriate, operational risks that could have a significant impact on Nedap or require coordination across business units are discussed with the NLT.

Nedap Compliance Framework

The Nedap Compliance Framework describes the objectives, responsibilities, and scope of Nedap’s compliance management. The framework includes compliance-related communications, compliance monitoring and enforcement, and their integration within the organization. Subjects covered by the framework include supplier liability, information security, AI, privacy, insider trading, anti-bribery and corruption, competition, products and entities subject to sanctions under legislation and regulations, customs, HRM, health and safety, and product compliance, such as certifications.

Periodic meetings between the compliance theme owners and the compliance officer are held in the presence of the internal auditor to discuss relevant developments and progress. Significant or unusual compliance matters are escalated to the Board of Directors. Group privacy officers and group information security officers meet regularly to discuss developments, risks, and priorities within their respective domains.

The Board of Directors is responsible for the overall effectiveness of the Nedap Compliance Framework. The Audit & Risk Committee of the Supervisory Board oversees the functioning of the framework. The Supervisory Board is informed of material compliance matters.

The Nedap Compliance Framework is reviewed annually and updated as necessary.

Tax Control Framework

Nedap is exposed to tax risks that could potentially result in double taxation, penalties, and interest payments. These risks include, but are not limited to, transfer pricing risks on cross-border intercompany transactions and tax risks related to potential changes in tax laws that could result in higher tax expenses and payments.

Nedap’s tax policy corresponds with its global governance model. Our Dutch operations consist mainly of strategy design, product development, marketing, sales, supply chain management, legal affairs, compliance, and controlling. Activities at subsidiaries consist almost exclusively of local sales (support). A large part of the Group’s economic value is therefore generated in the Netherlands. Nedap neither engages in aggressive tax planning nor uses “tax havens” as defined by the Organization for Economic Cooperation and Development (OECD).

The Group Controlling department oversees and implements the global tax policy, formulates and implements the transfer pricing policy, and actively monitors compliance. Transactions between related entities are subject to the arm’s length principle and the relevant OECD Transfer Pricing Guidelines for Multinational Enterprises and Tax Administrations. Through its transfer pricing policy, Nedap aims for all its companies to post profits that are in line with the scale and risks of the activities in their respective countries. Such profits are subject to all applicable local taxes. All Nedap subsidiaries issue periodic reports on their tax position, including taxes charged and paid. In line with the OECD guidelines, a new benchmark study is conducted at least every two years. Most of the countries where Nedap operates have endorsed the OECD guidelines. However, these are not binding, and local tax authorities still have to sign off on a company’s transfer pricing system. Although Nedap complies with the OECD guidelines, local tax authorities may withhold their approval. Nedap does not foresee significant financial, compliance, or reputation risks as a result.

Nedap has implemented a Tax Control Framework that is regularly monitored and updated. It documents and formalizes material tax risks, tax control, and the monitoring of taxes. Tax risks and mitigation strategies are discussed in regular meetings across the organization. The Tax Control Framework serves as the foundation for the horizontal supervision agreement with the Dutch tax authorities, which was reconfirmed in 2023 and will remain in effect through 2026.

Nedap has one ruling with Dutch tax authorities concerning an agreement to apply the Innovation Box tax regime. The current agreement remains in effect through 2026. When Nedap deems it helpful to gain prior certainty on the application of tax laws and regulations, the company tries to secure a ruling with the tax authorities.

A specific measure was taken to control tax risks and other risks. The directors under the articles of association of most subsidiaries are controllers who spend a considerable part of their time working with the Group Controlling department in Groenlo. They are responsible for local compliance, including tax legislation and regulations. The managers of our subsidiaries are evaluated based on the operating results of their respective business entities. Taxes are not a factor in such evaluations.

Assessment of effectiveness

The Board of Directors regularly assesses the design and operating effectiveness of Nedap’s risk management and internal control systems. This assessment is based on management information and reporting, discussions within the Board of Directors and the NLT, the outcomes of annual risk sessions, insights from the business and second-line corporate expert functions, reports from the internal auditor and the external auditor, and discussions with the Audit & Risk Committee of the Supervisory Board. Where relevant, incidents, near misses, and developments in laws and regulations are taken into account.

Risk table

The following risk table provides a summary of the main risks identified, the associated impact and likelihood trend, the developments in 2025 that relate to these risks, and the main measures taken to mitigate them.

Other than what is stated in the Directors’ Report (the full annual report without chapter 5 Financial statements), there have, to the best of the Board of Directors’ knowledge, been no exceptional events that are exempt from being taken into consideration in the financial statements.

Columns: Risk type / Risk description / Developments in 2025 / Mitigation

Risk type: Strategic
Risk: Speed of technological developments
Risk description: Decreased relevance of Nedap’s core technologies leading to a worsened competitive position.
Risk appetite: HIGH
Impact trend
Likelihood trend

Developments in 2025:
The rise of generative AI is a development that can impact the markets that Nedap operates in and the solutions that we offer to our customers. Generative AI can lead to competitive disruption if competitors move faster in embedding AI into their product offering and create superior products or services. In addition, generative AI and automation may lead to changes in job roles and responsibilities, potentially resulting in job displacement, job losses, or a shift in required skill sets. Nedap recognizes the dual nature of generative AI as both an opportunity and a risk, and actively explores its potential to both safeguard and enhance our market positions and solutions. Besides AI, Nedap continues to monitor the trends in current and upcoming technologies. Dedicated exploration teams in each key market also assess and invest in potential new solutions.

Mitigation:
• We are a Digital Twin Technology company with extensive expertise and a diverse technological stack that goes beyond RFID.
• Nedap has a strong track record in developing successful high-tech solutions and strong customer and partner relationships.
• Every year, new developers are hired with up-to-date knowledge of current and upcoming technologies. Nedap events are organized to share technological knowledge and the latest developments.
• Nedap explores potential new technologies that can threaten existing market positions.
• We have set up a core AI team with several expertise groups focused on both the risks and the opportunities of AI.
• Nedap has implemented an AI policy that promotes rapid and value-driven adoption of AI, while ensuring a responsible and risk-aware approach to its use.

Risk type: Strategic
Risk: Unsuccessful solution and product development
Risk description: Excessive strain on resources over a prolonged period without an instant prospect of returns, resulting in dependence on a limited number of growth factors and a limited long-term growth perspective.
Risk appetite: HIGH
Impact trend
Likelihood trend

Developments in 2025:
We progressed in strengthening our portfolio through the implementation of a key markets strategy and the establishment of clear strategies for these positions, also taking into account our plans for realizing our sustainability ambitions. Progress on these strategies is tracked using a strategic calendar, and they are integral to the Create-Scale-Core methodology. We carefully monitor investments in explorations, ensuring they align with our key market strategy. This alignment allows us to make more informed decisions about scaling up or down as necessary.

Mitigation:
• Research and development draws on the experience and knowledge of various business units, built up over many years.
• Periodic solution portfolio reviews, a clear process, and key performance indicators for solutions in their various phases.
• The strategy to focus on four key markets creates leverage to extend our footprint in these markets through innovations and new solutions.
• Close monitoring of the development and potential of solutions and products in the exploration and create phases, with the ability to scale up or down quickly if required.
• Increased focus on market intelligence in key markets.

Risk type: Strategic
Risk: Attracting, developing and retaining talent
Risk description: Shortage of talented employees leading to a delay in the implementation of the strategy.
Risk appetite: LOW
Impact trend
Likelihood trend

Developments in 2025:
We consistently invest in our workforce, recognizing our people as our enduring competitive edge. We enhanced our internal recruitment team to attract the right talent. This effort was bolstered by significant progress in cultivating our employer brand. To retain our skilled employees, Nedap offers a variety of training programs focused on both personal and professional growth. We organized events across different business units, covering topics such as business development, AI and technology. Additionally, we improved transparency regarding career opportunities within Nedap and developed programs to improve leadership across teams.

Mitigation:
• The company offers a culture of entrepreneurship and competitive employment terms, including an employee depositary receipt scheme.
• Nedap provides an ecosystem in which talent can thrive by providing an easily accessible learning platform, focused academies and events, such as Tech Academy, TechKnow and bespoke development programs. Additionally, Nedap invests in maintaining a valuable network through employer branding, university career days and business networking.
• The in-house recruitment team takes a dedicated approach to serving each business unit’s needs.
• We develop leadership talent through a leadership program and an organizational structure that fosters leadership talent development.
• Our Diversity, Equity and Inclusion policy aims to ensure equal opportunities and treatment for all.
• There is a continuous focus on health and safety through training sessions, policies and resources.

Risk type: Strategic
Risk: Cybersecurity and IT
Risk description: A successful cyberattack could inflict great financial and legal damage on our company, as well as damage to our reputation (customer confidence).
Risk appetite: LOW
Impact trend
Likelihood trend

Developments in 2025:
Nedap continues to place strong emphasis on reducing the risk of cyberattacks. The overall threat landscape has intensified, particularly due to the growing use of AI in orchestrating such attacks. To strengthen our defenses, a specialized tool has been deployed across the organization to enhance endpoint security.
The implementation of the NIS2 directive is ongoing, building on the substantial groundwork laid in previous years. An incident response procedure has been established, and cyber crisis exercises have been conducted to test and improve preparedness for potential incidents. In addition, Nedap’s IT unit has been expanded, along with roles dedicated to information security.
To further reinforce its cybersecurity capabilities, Nedap has partnered with an external specialist to enhance its Security Operations Center (SOC) and Security Information and Event Management (SIEM) functions. This collaboration enables robust 24/7 monitoring, rapid detection, and effective response to potential threats.
As Nedap’s operations increasingly depend on secure supply chains, including EMS partners and various third-party (open-source) software tools and services, careful supply chain management remains essential to ensure both security and compliance with relevant regulations and standards.

Mitigation:
• Audits and further roll-out of certifications (including SOC 2, ISAE 3402, ISO 9001, ISO 14001 and ISO 27001/NEN 7510).
• Increasing awareness in the organization through knowledge sharing and e-learning modules, including proactive communication about software risks and the importance of keeping systems up to date, supported by active 24/7 monitoring.
• Implementation of an incident response procedure with standard operating procedures that are regularly tested and maintained, combined with our culture of empowered and engaged employees, enabling quick responsiveness in case of an incident.
• Implementation of endpoint security protection.
• A quality IT organization with up-to-date knowledge.
• Awareness in the recruitment process for new employees, including a mandatory certificate of conduct for integrity-sensitive roles.
• To mitigate the risk of data breaches in Nedap solutions, internal and external penetration tests are performed. Threat modeling and secure software development knowledge is shared across business units.
• Assessment and mitigation of supply-chain risks, including libraries and frameworks used in software applications.

Risk type: Strategic
Risk: Geopolitical conflicts in relevant areas
Risk description: Global conflicts and increasing political tension could lead to supply chain disruptions, trade restrictions, and rising import tariffs, all of which may impact business continuity and cost levels.
Risk appetite: MEDIUM
Impact trend
Likelihood trend

Developments in 2025:
Growing protectionism and trade barriers between major economies are putting increasing pressure on competitiveness and margins, and are directly affecting the resilience of our supply chain. In particular, rising tensions between the US, China and the EU could impact our competitive position towards customers. From a supply perspective, the circumstances in Asia and Eastern Europe remain a point of attention. Nedap continues to depend on Taiwan for semiconductors, while many of our EMS providers have historically been located in Eastern Europe. In close collaboration with our strategic suppliers, efforts have been made to identify and qualify alternative sources in other regions to reduce concentration risk and enhance supply continuity.

Mitigation:
• Further execution of a geographically spread, dual-sourcing strategy.
• Sanction control systems and compliance monitoring.
• Scenario management to think through the implications of risks materializing.
• Growth of SaaS cloud (recurring) revenue mitigates dependency on one-off hardware revenue.
• Nedap is often not the importer of record for products delivered to customers.
• Our competitive position, combined with long-term customer relationships and contracts, enables us to implement price adjustments.
• Our balanced portfolio of key markets and solutions reduces exposure to any one sales region.

Risk type: Strategic
Risk: Inability to achieve sustainability goals
Risk description: More material impact of the environment on our business and greater Nedap impact on the environment.
Risk appetite: MEDIUM
Impact trend
Likelihood trend

Developments in 2025:
The assessment of double materiality helps clarify our exposure from both a risk and an opportunity perspective. We have made progress in establishing ambitions across all domains, translating them into clear, tangible and measurable objectives. This foundation enables us to actively pursue the realization of our goals. Our ongoing work to comply with the European Sustainability Reporting Standards (ESRS) further supports us in this process.

Mitigation:
• We have set clear carbon footprint reduction targets and have the right plans to achieve them, linked to the remuneration of the Board of Directors.
• We committed to SBTi targets in 2024 and had them validated in 2025.
• Implementation of the sustainability strategy to mobilize the organization and raise awareness around sustainability.
• Improving non-financial reporting structures that provide all relevant data needed to make the right decisions.
• Sustainability is integrated in all key market strategies, guided by our strategic calendar.
• We maintain a long-term perspective in the development of products and solutions for customers.

Risk type: Operational
Risk: Supply chain dependence and imbalance
Risk description: Insufficient or late product availability resulting in delayed or even aborted delivery of products to our customers.
Risk appetite: MEDIUM
Impact trend
Likelihood trend

Developments in 2025:
In recent years, component shortages have left several business units with excess inventory relative to short-term demand, while distributors faced challenges in servicing end customers. In addition, recent geopolitical tensions and trade restrictions have renewed attention on the vulnerability of global supply chains. At Nedap, we are proactively managing relationships with key suppliers to mitigate risks and ensure the delivery of quality products at the right price and time. We continue to work closely with our customers and suppliers to achieve optimal stock levels, while further strengthening the flexibility and resilience of our supply chain. In response to the current global tensions, we have set up a dedicated company-wide team to monitor supply chain developments and the availability of critical components, and to ensure timely responses to emerging risks.

Mitigation:
• Nedap takes great care in selecting its production and logistics partners and sets the highest standards.
• Measures taken to improve the robustness of the supply chain include maintenance of buffer inventories, production partner audits, multiple suppliers for critical products and improved testing and measuring systems.
• Second sources were set up for many components and strategic relationships with suppliers were expanded.
• An effective forecasting process for all business units across Nedap ensures early warning and time to act.
• We ensure design flexibility to allow the use of alternative components in case of shortages.
• The continuous growth of recurring revenue reduces our dependency on hardware deliveries.
• We have set up a dedicated team that focuses on the availability of critical components.

Risk type: Compliance
Risk: Legislation and regulations
Risk description: Fines, sanctions and/or damage to reputation, and potential constraints on organizational agility and speed of decision-making due to increasing regulatory complexity.
Risk appetite: LOW
Impact trend
Likelihood trend

Developments in 2025:
We continue to experience increasing compliance pressure and regulatory complexity in a broad range of areas. We are enhancing company-wide communication around compliance, ensuring that employees better understand the “why” behind our policies and “how” to apply them. Targeted training programs are developed for emerging topics, such as the responsible use of AI. The Nedap-wide compliance committee will continue to monitor developments, with a focus on improving the effectiveness of soft controls and integrating compliance into day-to-day decision-making.

Mitigation:
• The Nedap Compliance Framework is monitored by the Nedap-wide compliance committee of theme owners, which meets periodically to discuss, among other topics, regulatory developments and required actions, with the aim of ensuring a consistent and proportionate approach to compliance.
• The framework is evaluated annually to ensure it remains effective and to identify areas for improvement.
• Tailored training and communication initiatives on key topics, including AI.
• Ongoing collaboration between the Legal & Compliance team and the key markets to integrate compliance into strategic and operational planning.
• Nedap’s culture and powerful soft controls support compliance and responsible, balanced decision-making.
• New legislation is monitored constantly to ensure that new designs meet relevant requirements.

Risk type: Compliance
Risk: Fraud and corruption
Risk description: Fines, sanctions and/or damage to reputation.
Risk appetite: LOW
Impact trend
Likelihood trend

Developments in 2025:
Fraud and corruption remain high on the agenda. As part of the risk management process, fraud is discussed, and no cases were identified. As anti-bribery and corruption is an identified compliance theme, it is also regularly discussed in the compliance committee.

Mitigation:
• Zero tolerance for fraud and corruption.
• Strong informal system of checks and balances.
• Several formal rules and policies, including a whistleblower policy and a code of conduct.
• Nedap has implemented a risk management framework and process to identify, discuss, and report fraud risks on a regular basis.
• Nedap has implemented an annual fraud awareness and detection program.
• Centralized management from Groenlo.
• Monitoring control: controllers from Groenlo are appointed to management positions at international sites.
• Various e-learning programs are provided to employees and senior management.
• The company has an anti-bribery and corruption policy.

Risk type: Reporting
Risk: Information provision
Risk description: Inaccurate or incomplete information provided to shareholders and other stakeholders.
Risk appetite: LOW
Impact trend
Likelihood trend

Developments in 2025:
Nedap is experiencing continuous regulatory pressure when it comes to reporting. Examples are the EU Taxonomy, the CSRD and ESEF.

Mitigation:
• Reporting based on the International Financial Reporting Standards (IFRS) as adopted by the European Commission, which are compulsory standards for listed companies in the Netherlands, and the auditing of figures by an independent external auditor.
• The Group Controlling department in Groenlo plays a leading role in terms of financial management. This department has set up a reporting system designed to ensure the uniform and correct handling of all financial and business matters, with the added focus of preventing possible fraud.
• Implementation of the best practices and principles of the Dutch Corporate Governance Code in our governance model.
• A dedicated team, supported by external professional advisers.