4.3  Social Information

As an employer, a business partner, and a provider of network infrastructures and internet services, United Internet has a significant social responsibility towards its customers, employees, and suppliers. This ranges from protecting sensitive data through fair, secure, and inclusive working conditions down to respect for human rights across the entire value chain.

The Company’s business success is based to a large extent on its employees’ commitment and qualifications, which ensure United Internet is fit for the future. Social security, stability, and satisfaction are becoming increasingly important given the large number of economic and societal changes. In line with this, the focus in fiscal year 2025 was on strengthening diversity, inclusion, and equal opportunities; promoting internal development paths; and enhancing employer attractiveness (see the “United Internet’s Workers” section).

United Internet also takes its social responsibility across the value chain seriously and demonstrates its commitment to fair and respectful working conditions through its actions and due diligence processes. Partnership-based business relationships are an important foundation for resilient supply chains (see the “Workers in the Value Chain” section).

United Internet’s digital services influence how people use and pass on information. The content provided by GMX and WEB.DE help the Company to ensure the dissemination of factual information and the formation of well-founded opinions. At the same time, United Internet is responsible for data privacy, cybersecurity, the ethical use of AI, and the reliable operation of technical systems – key elements of end-user trust. The relevant guidelines and actions are described in the “Consumers and End-users” section.

Introduction to Social Topics

Stakeholder Groups

United Internet has a responsibility to a number of core stakeholder groups under its definition of social sustainability. The Company aims to ensure fair, secure, and trustworthy working and business relationships across its direct value chain. Its activities focus on the following stakeholder groups:

• Own employees : These include everyone directly employed by United Internet. The focus here is on fair working conditions, equal opportunities, workplace health and safety, and opportunities for personal and professional development.
• Nonemployees : These comprise external workers who work for United Internet under contracts of service or contracts for work, and agency workers. The goal is to ensure that this group of people has socially responsible, secure, and respectful working conditions.

• Business partners and workers in the direct value chain : These comprise suppliers, service providers, and other partners across the value chain. United Internet believes in transparent, responsible, long-term business relationships and in compliance with standards for integrity, compliance, and sustainability. These are described in the Supplier Code of Conduct in the “Workers in the Value Chain” section.
• Customers : The undertaking provides customers with secure, reliable products and services that comply with data privacy requirements, and encourages the responsible use of digital technologies.

Whistleblowing Management System

United Internet has established a whistleblowing management system (“whistleblowing management” for short) that is based on the guidance contained in ISO 37002 and that enables internal and external whistleblowers to report breaches of human rights and environmental legislation and other relevant misconduct both in their own areas of business and across the value chain. Whistleblowing management incorporates the provisions of the EU Whistleblowing Directive, the relevant national implementing legislation, and the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz – LkSG). It applies to all the stakeholder groups mentioned.

The system performs two key functions. Firstly, it serves as an early warning system, enabling e.g., human rights risks to be identified at an early stage, while secondly it provides access to appropriate remedies.

Core elements of whistleblowing management are confidential reporting channels for receiving reports, clear processes for assessing and handling reports, protection for whistleblowers, ensuring confidentiality among staff processing reports, and measures to review the effectiveness of whistleblowing management. These aspects are discussed below. The question of how to deal with reports is also described in more detail in the “Governance Information – Policies and Guidelines” section.

United Internet has established confidential reporting channels which can be used to voice concerns. These include electronic reporting channels and supplementary in-person contacts for staff:

• Integrity Line electronic whistleblower system: The whistleblower system enables internal and external stakeholders to submit reports anonymously. It is accessible 24 x 7 in a number of languages both internally via the intranet and externally via the Company’s websites. Whistleblowers need only make a single click to switch to the publicly available whistleblower system from the footer of the Company’s websites. With this “one click solution,” United Internet makes it easy to access and use the whistleblower system. Whistleblowers need a case number and their case password to access their own, secure mailbox. All communication between whistleblowers and the Whistleblowing Office takes place via this secure, personal mailbox. The special button for reporting “misconduct in the supply chain” continues to give workers in the value chain the ability to address their interests and views as needed.
• Confidential contacts for own staff: In-person discussion with affected staff is a core component of the complaints management process. This inclusive integration process enables the Company to develop remedial actions reflecting the needs and expectations of those affected. United Internet attempts to resolve conflicts through mediation and negotiation, so as to arrive at sustainable and mutually acceptable solutions. Compliance managers and United Internet’s Vertrauenspersonen (“persons of trust”) offer employees a way of expressing their issues or concerns in person and in confidence outside of their direct working environment. United Internet’s Vertrauenspersonen offer particular support in the case of professional and personal challenges.

The “ Group Policy on Protecting Whistleblowers and Using ‘Integrity Line,’ the Electronic Whistleblowing System” (known for short as the “Whistleblower Protection Policy”) contains clear rules for ensuring whistleblower protection and applies to all whistleblowers across the entire value chain without geographical restriction. It describes the reporting channels for submitting confidential reports of compliance violations and complaints relating to human rights and environmental breaches. For example, all recipients of whistleblower reports (compliance managers and Vertrauenspersonen) sign special nondisclosure agreements to ensure whistleblower protection. The policy is available to all staff via the internal intranet.

Additionally, United Internet provides its own employees with extensive information about whistleblower protection and management. This includes the relevant guidelines, which are available from a dedicated guidelines portal on the intranet, a compliance wiki, and blog articles.

Moreover, the publicly available “Guidance for Reporting Misconduct at United Internet” describes the type of complaints or reports the grievance procedures can be used for, the complaints channels that can be used to submit complaints or reports, the steps in the grievance procedure, and how United Internet ensures effective protection against discrimination resulting from a complaint. The guidance is publicly available via the Integrity Line website and applies to all whistleblowers across the entire value chain, including employees in the Company’s own operations, without geographical restriction.

The effectiveness of the whistleblowing management system is assessed both at regular intervals and ad hoc. When reviewing its effectiveness, United Internet applies the effectiveness criteria set out in the UN Guiding Principles on Business and Human Rights. The insights gained are included in adaptations to the due diligence process.

Protecting Human Rights and Policy Statement

United Internet is committed to observing the United Nations’ Universal Declaration on Human Rights, and bases its activities on the UN Guiding Principles on Business and Human Rights.

• The overarching principles for respecting human rights and environmental due diligence obligations (“due diligence obligations” for short) are embedded in United Internet’s operational processes and described in the published Policy Statement. This applies to United Internet’s employees and nonemployees alike, as well as to business partners and workers in the direct value chain.

The Company has set up a two-tier system to effectively implement human rights risk management: The due diligence obligations are implemented at an operational level in the relevant business processes such as HR, procurement, and sustainability. Human rights coordinators there ensure smooth implementation of the due diligence obligations. United Internet’s Human Rights Officer is responsible for monitoring implementation.

Adequate implementation of the due diligence obligations is based on comprehensive risk analysis, in which United Internet examines the human rights and environmental risks from its own operations. The results of this risk assessment serve as the basis for identifying adequate preventive measures and remedial actions. These include, for example, targeted training measures, an effective grievance mechanism with confidential reporting channels, or actions focusing on specific business partners.

United Internet’s Workers

Material Impacts, Risks, and Opportunities

United Internet's activities can materially impact both its own employees and nonemployees deployed in its operations. Nonemployees include both self-employed people and workers supplied by third-party undertakings. United Internet identified the following impacts and risks for United Internet workers in its double materiality assessment. Unless otherwise stated, they apply to both groups of people.

Policies and guidelines, actions, and targets relating to the impact and risk of “Data privacy breaches affecting employee data” are reported in the “Consumers and End-users” chapter.

Inclusion of Own Employees

United Internet considers it extremely important to learn more about its own employees’ views. It uses a structured, comprehensive approach to systematically capture employee opinions and needs and include them in Company decisions such as setting social sustainability objectives. For example, employee viewpoints are continuously incorporated using workshops, feedback rounds, and employee surveys. In addition, employees are actively included when developing and tracking measures for improvement. This is done using segment-specific formats that are tailored to the individual areas’ requirements and specific features. These approaches include sounding boards, work in focus groups, and the “my ideas” process. They ensure that practical targets are set and that measures have an effect.

United Internet tailors information that is relevant to the Company to its target groups, preparing content for all employees. The intranet serves as the core information channel and is supplemented by e-mails and chat tools such as Microsoft Teams for rapid, direct communication. In-person communications channels such as meetings and town hall events facilitate direct exchanges and Company-wide updates. Opportunities for feedback in the form of digital surveys and Q&A sessions enhance this dialog. In addition, dialog formats such as focus groups and workshops are used to actively integrate employees in decision-making processes, to promote their identification with the Company, and to support sustainable corporate development.

United Internet commissioned a gender equity audit from a third-party diversity consulting firm in fiscal year 2025 so as to specifically illuminate on the views of women in the Company. Further details are to be found in the “Actions relating to the `Lack of Equal Opportunities and Inclusion’ Impact – Gender Equity and Female Empowerment” section.

Policies and Guidelines

This section presents policies and guidelines that serve to manage risks and avoid negative impacts, while simultaneously promoting positive impacts. The policies and guidelines apply to the Company’s own employees and, unless expressly excluded, to nonemployees within its own operations.

Compliance with the Code of Conduct, the Diversity Mission Statement, and the Policy on Gender-sensitive, Nondiscriminatory External Communication is supported and monitored using defined HR processes and by employees. A variety of reporting channels are available in the case of potential breaches; these are described in more detail in the “Introduction to Social Topics” section.

Code of Conduct for Employees

United Internet’s day-to-day work is based on defined Corporate Values, which are incorporated in its Code of Conduct and Leadership Principles.

The Code of Conduct serves as a bridge between the Corporate Values and the internal policies and guidelines. It shows how United Internet acts in accordance with its values, the law, and the policies and guidelines, gives clear examples illustrating the main principles, and recommends concrete actions. This information is made available permanently on the intranet and in some cases also on the Company’s website, so as to ensure transparency and easy access by all stakeholders. The contents of the Code of Conduct are broken down into greater detail and elaborated on in the operating segments.

Compliance with the Code of Conduct is facilitated using prevent measures such as e-learning courses, is ensured using detective measures such as confidential reporting channels, and is monitored using reactive measures. At present there is no policy or guideline governing training on compliance and the Code of Conduct throughout the Group, although this training is held at regular intervals.

The Code of Conduct was updated in fiscal year 2025 to reflect legislative updates and organizational changes, as well as undergoing editorial revision. For example, the topics of “respectful, appropriate interactions,” “fair working conditions,” “gender-sensitive and nondiscriminatory language,” “political communication and representation of employee interests,” “dealings with the environment, resources, and energy,” and “supply chain responsibility” were added.

Diversity Mission Statement

United Internet is aware that an inclusive corporate culture promotes social justice and the wellbeing of all employees. Equally, a lack of equal opportunities and inclusion can negatively impact corporate culture, collaboration, and performance, employees’ mental health, and society itself. Measures such as awareness-raising among employees promote equal opportunities, participation, and fair career opportunities for all, regardless for example of their gender, age, origin, or individual needs.

Since fiscal year 2020, a Group-wide project team headed by a central Diversity unit has coordinated and enhanced the diversity measures taken to abolish discrimination and harassment, and to promote equal opportunities, diversity, and inclusion.

A diversity strategy process was launched in fiscal year 2023. This resulted in a Diversity Mission Statement and three strategic focus goals for the Group’s ongoing diversity work (“diversity mindset,” “gender equity and female empowerment,” and “inclusion”). The process included the results of surveys conducted by the HR department; Management Board and Supervisory Board interviews; and surveys of the four internal Diversity Employee Resource Groups at the time (queer.united, Cross-generational Cooperation, the Part-time Network, and the International Community). The inclusion of a variety of different stakeholder groups helped boost inclusion of the views and interests of affected stakeholders.

The Mission Statement covers all the dimensions of diversity that are protected by the German General Act on Equal Treatment (AGG):

Policy on Gender-sensitive, Nondiscriminatory External Communication

United Internet attaches great importance to diversity. The Company aims to reflect this in its day-to-day communications with external stakeholders as well, and to use nondiscriminatory and gender-sensitive language. This is why the Policy on Gender-sensitive, Nondiscriminatory External Communication was introduced. It applies for example to websites, magazines, newsletters, press releases, marketing campaigns, and job adverts.

Compensation Policy

The Company’s Compensation Policy sets out binding principles for the fair, consistent, and transparent remuneration of its own employees. It defines core elements such as transparent decision logic, uniform assessment and classification criteria, due regard for responsibility, and principles for ensuring equal opportunities and nondiscrimination.

Implementation of and compliance with the policy is ensured using clearly defined HR processes and regular reviews. Executives and HR managers are obliged to follow the rules when taking HR decisions and to document the reasons for the latter. Updates to the Compensation Policy take the interests of all HR departments and corporate management (the Management Board) into account. The goal is a remuneration system that combines both strategic corporate needs and fairness, transparency, and market requirements.

Actions

United Internet has implemented processes to identify and address potential and actual negative impacts on workers. Comprehensive risk analyses are performed to systematically assess potential dangers in the areas of occupational health and safety, mental health, discrimination, and equal opportunities. In addition, sector and market analyses allow external trends such as regulatory changes or economic developments that could negatively impact the workforce to be anticipated. Moreover, metrics such as employee turnover rates and accident statistics are continuously analyzed so as to react to negative trends in good time.

These processes enable United Internet to take appropriate, necessary steps to ensure employees’ wellbeing and safety.

The effectiveness of the actions is reviewed continuously as part of existing processes and, in the case of employees, are managed and monitored using a wide range of metrics. These are described in greater detail in the “Targets” and “Metrics” sections .

Since no action plan for the Company’s own workforce was being implemented in fiscal year 2025, no current financial or other resources were made available for it.

Actions Relating to the “Social Security Through Fair Working Conditions” Impact

The Company is implementing a number of structural measures to strengthen social security and ensure fair working conditions; these focus on transparency, equal opportunities, and plannable employment relationships.

United Internet already uses regular remuneration benchmarks and equal pay analyses to ensure that fair remuneration is guaranteed in both internal and external employment relationships. In addition, United Internet regularly analyzes compliance with the statutory minimum pay requirements so as to ensure that all remuneration is not only market-driven but also complies with the law.

This analytical base will be expanded in the coming fiscal year with the implementation of the EU Pay Transparency Directive ((EU) 2023/970) and will be supplemented by expanded duties of information, reporting, and disclosure.

Furthermore, the successive introduction of salary bands at segment level by the end of fiscal year 2026 is planned with the aim of promoting transparent and nondiscriminatory remuneration structures.

Another focus is on introducing digital processes for appraising employees’ performance and potential so as to ensure fair, uniform, and documented bases for assessment. Digital tools and structured criteria reduce subjective bias, make assessments more transparent, and align career decisions more closely with development goals. This action also supports the goal of strengthening internal career paths and systematically establishing succession processes.

Additionally, the Company is aiming to reduce the number of temporary contracts of employment so as to increase employment security and promote long-term employee retention. The action supports the goal of creating stable, reliable employment relationships. Its scope covers all departments and areas of the Company in which temporary employment models have been used to date; the reduction is being implemented successively and is aligned with strategic HR requirements.

United Internet sees the actions listed here not just as a compliance issue but also as an opportunity to strengthen workforce trust and reinforce its positioning as a fair, values-based employer in the competition for talent.

Overall, these actions help to create fair, secure working conditions, reduce social risks, and enhance the Company’s attractiveness for the long term. They offer a structured foundation from which to achieve the social sustainability goals and are reviewed continuously as part of HR and compliance monitoring.

Actions Relating to the “Shortage of Specialist Staff and Employee Turnover due to Unattractive Working Conditions” Risk

The Company is implementing a number of interlocking measures to strengthen social sustainability and reduce HR risks. For example, by developing its organization and culture, United Internet is promoting both a modern management culture and a strong learning culture. Data-driven people analytics are used in this context to manage employee turnover, satisfaction, and development.

Employee and Executive Development

Actions to facilitate internal career paths and to establish systematic talent and succession management aim to boost internal opportunities for development and change, and to ensure that key positions can be filled in the long term. Another measure being taken in this context is executive development, and especially training in future skills and the introduction of standardized processes for strategic succession planning. The latter create reliable bases for making decisions and enhance leadership quality. Individual development plans tailored to positions that staff are aiming for going forward allow them to grow their skills and careers. A wide range of internal programs are used for this: The “MyWayTo” program supports up-and-coming executives in developing their careers in a variety of roles. The “Navigate” program helps talented employees develop an entrepreneurial mindset and essential soft skills at an early stage. The “Women Explore” program specifically helps women to become more visible in the Company, to network, and to deliberately enhance their individual strengths and their career and network strategies. The “Discovery & Development Camp” enables experienced senior-level employees to grow in their existing roles, to contribute their knowledge to the Company, and to increase their visibility within it. These strategic development programs underscore United Internet’s commitment to promoting skills development and enabling individual career paths. The associated actions support the goal of increasingly appointing own employees to management and other key positions, and to promote employability.

Digital Learning Platforms

The “UI-Campus” learning management platform is an important component of further training at the Company. It documents participation in training programs, qualifications that have been successfully obtained, and participation rates. In addition, all United Internet employees have access to LinkedIn Learning. LinkedIn Learning assists with obtaining professional qualifications and with acquiring and expanding digitalization skills. In addition, it aims to build and implement a structured knowledge management system so as to promote knowledge transfer throughout the organization. The ongoing rollout started at the beginning of 2025. Progress is monitored using defined milestones for the implementation process.

Feedback Culture

In addition, a pronounced feedback culture raises awareness of the need for lifelong learning and provides a motivation to develop further. Within the Company, employees have the opportunity to use a regular, structured, system-based process for their performance reviews and also to obtain additional feedback themselves. As a result, feedback becomes a natural part of everyday work and can be used for continuous personal development.

Learning Days

United Internet’s Company-wide Learning Days conference, which was held virtually for the fourth time, supports knowledge sharing by employees for employees.

Initial Training and Education and Activities to Attract Young Talent

Initial vocational and professional training has a high priority for United Internet. The Company trains future staff and gives young people a successful start to their careers. United Internet also works together with Baden-Württemberg Cooperative State University (DHBW) to offer twin-track degrees at Karlsruhe and Mannheim universities. The Company also deliberately and very successfully trains people with experience as refugees, particularly from Syria, Afghanistan, and most recently mainly Ukraine and Russia. Roughly one-quarter of the young people who successfully complete initial training and education or a twin-track degree at United Internet have experience as refugees. United Internet has held a “Best Place to Learn” accolade since June 2020. Recertification is performed every three years, with the last certification taking place in fiscal year 2023. United Internet also works together with schools so as to involve young talent early on. School students can use short internships to get to know the Company and the world of work in general. United Internet cooperates and holds events with schools, as well as offering careers advice and career discovery opportunities in the form of tours of its data center and logistics center, among other things. United Internet’s apprentices also offer extremely popular one-week programming courses for children and young people aged 13 and over during vacations.

Flexible Working Time Models such as Cover Days and Sabbaticals

The Company offers flexible working time models so as to promote a healthy work-life balance, individual responsibility, and employee satisfaction. This includes honor-based timekeeping and a cover day rule, which enables employees to work remotely up to two days per week so as to align individuals’ working needs and company requirements. In addition, the opportunity to take a sabbatical was introduced in fiscal year 2025. This offering assists employees looking to take time out for personal development or to recuperate, and contributes to long-term staff employability and retention.

At the same time as these actions, the Company is taking targeted employer branding measures to enhance its attractiveness as an employer, especially in the form of campaigns focusing on sustainability, diversity, and development opportunities.

Actions Relating to the ”Lack of Equal Opportunities and Inclusion” Impact

The Company-wide commitment to equal opportunities is underpinned by a central “Health & Diversity” unit, which works together with diversity officers in the HR units in all segments as the “United in Diversity” project team, which develops core measure and implements them throughout the Group. In addition, managers are required to actively live these principles in their areas of responsibility. Specialized workshops and training courses for managers raise awareness for diversity, inclusion, and a nondiscriminatory corporate culture.

• Diversity Mindset: Charta der Vielfalt

United Internet signed up to the Charta der Vielfalt (Diversity Charter) in 2021, committing itself to a respectful, nonjudgmental working environment. The Charta der Vielfalt is an employer initiative whose patron is the German Federal Government’s Integration Commissioner. It requires companies to promote all dimensions of diversity such as age, gender, a history of migration, religion or belief, disability, or sexual orientation and identity. By signing up to the charter, United Internet has taken a clear stand in favor of inclusion and equal opportunities in the Company.

• Diversity Mindset: “Diversity & Inclusion” E-learning Course

At the end of fiscal year 2024, United Internet developed a customized e-learning course on the topic of diversity and inclusion in line with its first strategic focus goal, and rolled it out to all segments with the exception of Business Applications. The e-learning course has been available to employees in the Business Access segment since January 2025. It comprises five “learning nuggets” on the topics of “Living diversity – a responsibility for us all,” “Becoming aware of unconscious perception biases,” “Understanding the AGG – fighting discrimination together,” “Organizing inclusion – promoting (dis-)ability awareness,” and “Sensitive language.” The course lasts approximately 60 minutes and is mandatory for all employees and executives. It was supplemented in fiscal year 2025 by suitable add-on modules for HR staff.

• Diversity Mindset: Diversity Days and Diversity Talks

In fiscal year 2025, United Internet held its fifth “Diversity Days” event, a virtual in-house conference with 26 sessions on the topic of diversity. Among other things, the program featured keynote speeches, interactive workshops, reports by staff on their own experiences and lessons learned, and panel discussions. The feedback from the 750 or so employees who took part was extremely positive and it is planned to continue the format in fiscal year 2026.

As in previous years, the Diversity Days were supplemented once a quarter in fiscal year 2025 by open, virtual Diversity Talks by external diversity experts. Topics covered included male allyship and neurodivergency and AI.

• Diversity Mindset: Internal Information Platform

The importance of diversity is already mentioned in the onboarding events for new employees and managers. Reference is also made to this topic on the internal information platform. Here employees and managers can find statements by the Management Board on the topic, practical tips for ensuring a nondiscriminatory daily working environment, and an overview of all internal diversity offerings. The platform also offers the enterprise-wide guidelines for ensuring nondiscriminatory, gender-sensitive visual imagery and language, plus extensive information about the AGG and the topic of sexual harassment. In fiscal year 2025, a diversity blog was launched on the intranet that regularly provides information on diversity topics, e.g., on commemorative occasions and memorial days such as International Women’s Day or the Visually Impaired People Day.

Gender Equity and Female Empowerment

In fiscal year 2025, United Internet conducted a gender equity audit in cooperation with an external consultancy. Questionnaires and focus groups were used to identify and verify hypotheses as to what currently prevents women from pursuing a management career at the Company. Existing measures were then evaluated in line with this, and potential actions for the coming fiscal years derived. The report on the findings provides United Internet with valuable pointers for suitable actions it can take in the coming fiscal years to achieve its goal of having more women in management positions. At the same time, United Internet continued implementing its proven female empowerment measures in the fiscal year. These include the “Women explore ” talent and networking program that is described in more detail in the “Actions Relating to the `Shortage of Specialist Staff and Employee Turnover due to Unattractive Working Conditions’ Risk” section, or its participation in careers fairs for women such as the “Women in Technology” event in Munich organized by e-fellows.net.

In January 2025, United Internet became a member of the “Klischeefrei” (“No Clichés!”) initiative, which advocates career and study choices that are free of gender stereotypes. In taking this step, the Company has underscored its commitment to gender equity by actively contributing to overcoming traditional role models and promoting equal opportunities for all genders. In addition, United Internet again took part in Germany’s Girls’Day and Boys’Day. This nationwide action enables school students to learn about professions that frequently do not correspond to classic role models.

• Inclusion: Development of an Action Plan
• United Internet commissioned myAbility, a social enterprise, to perform a comprehensive stocktaking exercise as the basis for an action plan for inclusion action plan. The work was performed in accordance with the international standards set out by the International Labour Organization’s Global Business and Disability Network. It included a number of different stakeholders, and particularly employees with disabilities. The results of the analysis serve as the basis for the draft inclusion action plan.

In addition, United Internet performed a status quo analysis of building accessibility. The goal was to assess the current status and identify concrete action areas and any necessary retrofitting for the action plan.

Actions Relating to the “Health Risks in the Workplace” Impact

Ensuring health and safety in the workplace is part of the Company’s duty of care towards employees. United Internet’s goal is to minimize accidents, sickness, and health risks as far as possible and to promote employees’ health. The focus is on two areas here: occupational health management (OHM), and occupational health and safety including data center safety.

All relevant issues relating to these two focus areas are discussed at the regular meetings of the Health and Safety Committee, both in relation to individual locations and at an overarching level.

The OHM measures are being implemented at all German locations and comprise the following:

• occupational medicine and first aid: Company medical service and check-ups, training of Company first aid staff
• exercise and ergonomics: Sport and health classes, events, videos and workplace assessment, mobile massages, and an ergonomics campaign
• stress prevention and crisis counseling: Relaxation and mindfulness training, coaching, and confidential contact points, including the Company’s mental health first aiders (MHFAs) and a stress prevention campaign

These offerings are based on a holistic health strategy that was developed as part of a comprehensive needs assessment. The Health & Care needs survey was not performed in the Business Access Segment.

The effectiveness of the OHM measures is reviewed at regular intervals. United Internet uses a variety of instruments including feedback surveys for this along with evaluating metrics such as usage and participation rates, so as to be able to make modifications as needed and to continuously improve its offerings. The flanking Health Sounding Board is a key way of discussing new ideas and policies directly with employees and obtaining valuable feedback on current projects.

Internal and External Contact Points Contact points such as the internal Occupational Health Management team, the United Internet Vertrauenspersonen or the external experts from the Employee Assistance Program (EAP) also provide employees and managers at German locations with in-person advice.

In the case of the EAP, United Internet works together with an external provider. Service provider contacts are available by phone around the clock to provide confidential free advice on childcare and care for relatives, plus life coaching to cope with personal challenges. The flexible working time models described in the “Actions Relating to the `Shortage of Specialist Staff and Employee Turnover due to Unattractive Working Conditions’ Risk” section are also classified as an action to avoid employee overwork. Other measures are hazard assessments, occupational medicine support, and the Health Week and Health Day with their wide range of courses and advisory offerings.

Occupational Health and Safety, Including Data Center Safety

Annual safety inspections in line with health and safety agency/statutory rules and regulations are performed at the Company’s German locations together with experts from external service providers (in the Business Access Segment, small locations with fewer than 20 staff are inspected every three years). In addition, reports are evaluated, measures implemented, and Health and Safety Committee meetings held at these locations.

Occupational Safety and First Aid Training

Health and safety activities are continuously enhanced on the basis of the statutory/health and safety agency rules and regulations. Only authorized employees have permanent access to the data centers. These employees are obliged to attend (digital) training courses that cover topics such as what to do in an emergency and first aid.

Courses and training are also organized for those employees who are responsible for powering up and booting servers in the abovementioned data centers. The Company works together with the Verwaltungs-Berufsgenossenschaft (VBG – the German occupational health and safety agency) to train safety officers for each operations team, who then attend regular training courses. In addition, United Internet is assisted by external occupational safety and fire protection specialists. An internal communications platform is used to provide employees with emergency manuals, work instructions, and the rules and regulations to be followed.

Contact Points for Mental First Aid

In fiscal year 2024, for the first time, United Internet trained 33 employees as “mental health first aiders” (or “psychological first aiders” in the Consumer Applications segment). These provide colleagues experiencing psychological stress with anonymous, confidential support, offer initial measures, and help organize professional help. A further 42 mental first aiders were trained in fiscal year 2025. Starting this fiscal year, quarterly meetings are held to refresh attendees’ knowledge and share experiences with colleagues.

Rules for “Mindful Company Parties”

The Company’s intranet provides Group-wide information on courteous and respectful behavior at Company parties, how this can be ensured, and the measures that can be taken if incidents occur. In addition, contact points (Vertrauenspersonen, the “Integrity Line”) exist for cases of sexual harassment, along with corresponding info pages on the intranet .

Targets

The targets in relation to United Internet’s workers were derived on the basis of defined base years and using quantitative and qualitative data such as human resources statistics. They are based on realistic estimates of resources, feasibility, and time horizons and are modified as needed as soon as conditions, regulatory requirements, or internal priorities change. Assumptions made relate to market forecasts, demographic trends, and the expected effectiveness of action programs, among other things.

Targets Relating to the “Social Security Through Fair Working Conditions” Impact

United Internet has set itself concrete targets for improving equal opportunities, social security, and the transparency of remuneration and HR processes, so as to further strengthen social security and fairness.

• It aims to ensure that all employees throughout the Group are protected by public programs or Company benefits against loss of earnings due to sickness, unemployment, employment injury, acquired disability, parental leave, and retirement. This target was reached in fiscal year 2025, which also serves as the base year when determining this metric, with the exception of protection against loss of earnings for employees on parental leave in the U.S.A.
• The goal is to permanently maintain the percentage of permanent employment contracts at a minimum of 85 % so as to promote long-term employment security and employee retention. The proportion in fiscal year 2025, which is also the base year, was 92%.

Targets Relating to the “Shortage of Specialist Staff and Employee Turnover due to Unattractive Working Conditions” Risk

• The rate of voluntary terminations in the permanent workforce should be kept permanently at an acceptable level. The desired target corridor for employee turnover should be between 5 % and 10%. The turnover rate during fiscal year 2025, which also serves as the base year, was 5.8 % .
• For fiscal years 2026 and 2027, United Internet is aiming to increase the retention rate of vocational trainees who are successfully completed their training to a target corridor of 60% to 70%. In fiscal year 2024, the base year, the retention rate was 48%.

Targets Relating to the “Lack of Equal Opportunities and Inclusion” Impact

United Internet pursues concrete targets for promoting diversity, equal opportunities, and employee inclusion. These targets contribute to the implementation of the Charta der Vielfalt, the Code of Conduct, and the Diversity Mission Statement, and are linked to the overall HR strategy.

• Diversity mindset: United Internet intends to define a Group-wide target implementation rate for the "Diversity & Inclusion” training in the coming fiscal year. This training course was developed and rolled out in fiscal years 2024 and 2025 in all segments with the exception of the Business Applications Segment.
• Gender Equity & Female Empowerment : The aim is to increase the proportion of women in management positions from 21.2% (2024) to approximately 25% by the end of fiscal year 2030. This target of approximately 25 % relates to active employees in the four management levels immediately below the administrative and supervisory bodies, including the Group Management Board.
• Inclusion: For 2026, United Internet is planning to start the implementation of an action plan to promote inclusion. Topical working groups will define measurable criteria for assessing actions and progress. This will be used as the foundations on which to establish structured reporting for the first time that will also incorporate feedback from employee surveys and other reporting channels.

Targets Relating to the “Health Risks in the Workplace” Impact

The OHM measures serve to protect employees’ physical and mental health in the workplace. Management is action-based and is not linked to aggregated or quantitative overall targets. Progress and the effectiveness of the actions implemented is monitored using a variety of metrics; see the “Metrics” section for further details.

Metrics

The underlying data pool for the number of employees was modified in fiscal year 2025. The modifications serve to holistically take into account employees who could be affected by the material social impacts and risks. The figures reported for fiscal year 2024 were amended retroactively in this year’s sustainability statement to reflect the new definition of the “own workforce”, and hence to enhance comparability.

• Change relating to inactive employees : Inactive employees were not disclosed in the previous year. When preparing the sustainability statement, the reporting logic used was modified to report all active and inactive employees.
• Change relating to management bodies : In the past fiscal year, members of the management boards and managing directors at Group level and at the subsidiaries were also classified as workers. This year’s sustainability statement does not include members of the management boards and managing directors who are not employees as defined by section 611a of the German Civil Code (Bürgerliches Gesetzbuch – BGB).

Consequently, unless otherwise stated the following definition of the own workforce applies to the metrics disclosed for 2024 and 2025 in the following tables: The own workforce comprises all persons who as of the December 31, 2025, reporting date had a valid contract of employment or apprenticeship contract with the Company, regardless of the nature of their employment, their working hours, or any temporary absence. Interns, working students, and trainees are included in addition to the permanent workforce. Equally, inactive employees (e.g., employees who are on parental or other leave, who are in the passive phase of early retirement, or who are on long-term sick leave) are included provided that a contractual employment relationship exists. Managing Board members, managing directors, and former employees (e.g., company pensioners) are not part of the own workforce. The definition of the own workforce is based on the national law and practice for the country in which United Internet is headquartered (Germany). In particular, section 611a of the BGB (employment contract) and the relevant provisions of labor and employment law (including the German Social Code (Sozialgesetzbuch – SGB), the German Maternity Protection Act (Mutterschutzgesetz – MuSchG), the Federal Parental Allowance and Parental Leave Act, (Bundeselterngeld- und Elternzeitgesetz – BEEG), the German Vocational Training Act (Berufsbildungsgesetz – BBiG), and the German Partial Retirement Act (Altersteilzeitgesetz – AltTZG) apply. This interpretation applies throughout the Group to all categories of employees, regardless of where they are deployed.

Characteristics of the Own Workforce

The following tables provide an overview of the material characteristics of United Internet’s workforce.

In contrast to the definition of the own workforce introduced above, the number of employees reported in the consolidated financial statements includes all active employees, including management board members and managing directors, adjusted for the number of employees from discontinued operations. The total number of employees given in the consolidated financial statements is 10,547.

^(*) Gender as specified by the emloyees themselves.

^(*) Gender as specified by the emloyees themselves.

Metrics Relating to the “Social Security Through Fair Working Conditions” Impact

The following metrics are used to manage the “Social security through fair working conditions” impact.

• Percentage of permanent employment contracts : This is calculated as the ratio of the total number of employees with permanent employment contracts to employees with permanent and temporary employment contracts, and amounted to 92% in fiscal year 2025. United Internet mainly uses temporary employment contracts to fill positions that are temporarily vacant, e.g., parental leave cover positions.
• Social protection : This metric provides information about whether employees are protected by public programs or Company benefits against loss of earnings due to sickness, unemployment, employment injury, acquired disability, parental leave, and retirement. Social protection applied Group-wide to all employees in fiscal year 2025 with the exception of protection against loss of earnings for employees on parental leave in the U.S.A.

• Gender pay gap: This corresponds to the difference in the average gross hourly earnings for female and male employees, expressed as a percentage of the average gross hourly earnings for male employees. It amounted to 20.5 % in fiscal year 2025. Average gross hourly earnings were calculated by evaluating all fixed salary components and other remuneration that employees had received in cash or in kind as of the December 31, 2025, reporting date, and annualizing the remuneration components so as to calculate the total annual target remuneration. Salary adjustments made during the year were not taken into account. In addition, short- and long-term variable salary components were included: commission payments linked to a fixed target value are recognized on the basis of an assumed target achievement level of 100%, while commission payments that are not linked to a target value are determined on the basis of the actual amounts received. The long-term variable remuneration comprises a virtual stock-option-based participation program (stock appreciation rights (SARs)) and is reported as awarded and due in the fiscal year in which the SARs are exercised. Amounts in foreign currency are translated into euros using the average exchange rates for fiscal year 2025. Finally, the gross hourly pay is calculated from the total annual remuneration on the basis of the standard working hours specified.

• Annual total remuneration : The remuneration ratio of the highest-paid individual to the median annual total remuneration for all employees (excluding the highest-paid individual) was 108:1 in fiscal year 2025. The calculation was based on the method for determining the total annual remuneration used in the “Gender pay gap,” with the figure being adjusted in addition for purchasing power differences between the countries. This was done by establishing the ratio of per capita GDP in the countries concerned in current prices to German per capita GDP and dividing the annual target salary by this factor. The method used to determine the remuneration paid to the highest-paid individual is given in the remuneration report for the Business Applications Segment.
• Adequate wage: All United Internet staff receive an adequate wage that corresponds to the standards applicable in the individual country concerned. The relevant national or regional minimum wages were used as the benchmarks. Austria is an exception to this rule: since it does not have a statutory minimum wage, the collective agreement for IT workers was used as the benchmark. Compliance with the benchmark was checked by evaluating the base salaries and then calculating the hourly rates from them on the basis of the standard working hours specified. Inactive members of staff, interns, Bachelor’s degree students, and vocational trainees are not included in the measurement.

Metrics Relating to the “Shortage of Specialist Staff and Employee Turnover due to Unattractive Working Conditions” Risk

The “Shortage of specialist staff and employee turnover due to unat tractive working conditions” risk is monitored using the following metrics:

• Employee turnover (total): The ratio for fiscal year 2025 was 14 % , based on 1,530 leaving events in the fiscal year (2024: 1,677 Austritte, 15%). The turnover rate was calculated as the total number of all leaving events in the fiscal year divided by the average monthly number of employees in the fiscal year. Leaving events taken into account include employee resignations and dismissals, severance agreements, retirement, expiring contracts, deaths, and departures of casual workers, student workers, interns, and thesis students.
• Rate of voluntary terminations in the permanent workforce (entity-specific metric) : This metric is determined in addition to the employee turnover. It relates to voluntary terminations by active employees in the permanent workforce, i.e., excluding casual workers and including management board members and managing directors. The ratio in fiscal year 2025 was 5.8%.
• Percentage of vocational trainees who are taken on permanently (entity-specific metric) : This metric is defined as the ratio of the number of vocational trainees who are taken on permanently to the number of vocational trainees who successfully completed their training in the relevant fiscal year. Persons who start a permanent position, a twin-track degree course, or a position as a working student are classified as having been taken on permanently. The percentage in fiscal year 2025 was 48% (2024: 48%).

Metrics Relating to the “Lack of Equal Opportunities and Inclusion” Impact

In keeping with its commitment to transparency and equal opportunities, United Internet has defined specific metrics to ensure that information on recruitment, training, and promotions is continuously updated and monitored. This gives it a clear overview of employees’ opportunities for development and promotion. Data on gender, age, and qualifications is collected during the recruitment process so as to ensure diversity and fairness during hiring. The recruitment and promotion processes are specifically designed to use qualifications, skills, and professional experience as core components of human resources decisions.

The following metrics are used to manage the “Lack of equal opportunities and inclusion” impact:

The top management level used for gender distribution is defined in the following table as two levels below the administrative and supervisory bodies, i.e., not including the Group’s Management Board and Supervisory Board but including the relevant bodies at the subsidiaries.

^(*) Gender as specified by the employees themselves.

In addition, the following metrics serve to monitor target achievement in relation to the impact:

• Proportion of women in management positions (entity-specific metric) : This metric relates to the active employees in the four top management levels below the administrative and supervisory bodies and includes the Group Management Board. The figure for this in fiscal year 2025 was 20.1% (2024: 21.2%), which was below the previous year's figure. The development is subject to annual fluctuations, partly due to personnel changes in a limited circle of executives . This metric is primarily used to assess equal opportunities at the Company .
• Completion rate for the “Diversity & Inclusion” training course (entity-specific metric) : The completion rate for the “Diversity & Inclusion” training course for all employees who were required to be registered for it since the course was rolled out in fiscal year 2024 was 89% until the end of the fiscal year 2025. This calculation is based on the ratio of employees demonstrated to have successfully completed the course to the total number of employees who were required to be registered for it. All active employees were registered for the course, including casual workers, with the exception of staff in the Business Applications Segment. In addition, with the exception of the Business Access Segment employees on parental leave and on long-term sick leave were registered. This means that a total of 6,512 people were registered for the training course . The metric serves to monitor progress in implementing the training requirement and to assess how well diversity and inclusion are embedded in the Company.

Metrics Relating to the “Health Risks in the Workplace” Impact

United Internet takes the “Health risks in the workplace” impact extremely seriously and aims to reduce stress-related absences and accidents in the workplace. It will continue to precisely analyze the causes for absences and accidents going forward. The effectiveness of its health and safety management can be seen from the accident and absence statistics.

The following metrics serve to monitor and manage the impact:

• Coverage by the health and safety management system : Coverage amounted to 81 % (2024: 82%) in fiscal year 2025. This corresponds to the employees at all of United Internet’s German locations.
• Fatalities, injuries, and ill-health : No employee fatalities due to work-related injuries and ill-health were recorded in fiscal year 2025 (2024: 0). No fatal work-related accidents or other fatalities were determined among other workers at the Company's locations in fiscal year 2025.
• Work-related accidents: A total of 37 recordable work-related accidents were reported in fiscal year 2025, corresponding to a ratio of 2.2% (2024: 34 accidents, ratio: 2.0%). This ratio represents the number of such accidents per one million hours worked, which corresponds to 500 full time people in the workforce over a one-year time frame. It was arrived at by estimating the hours worked on the basis of the standard hours of work, taking into account entitlements to periods of paid leave of absence from work for vacations, sick leave, and public holidays.

Human Rights Incidents and Complaints

In fiscal year 2025, 38 reports of potential compliance violations were sent to the Compliance organization via the channels already mentioned, and were checked by it (2024: 32 reports). Of these, 12 related to discrimination (including harassment) (2024: five), while six others related to other social factors or matters within the Company’s own workforce (2024: eight). Actual violations were found to exist in two of the 12 potential incidents of discrimination (2024: two), leading to remedial actions being defined and taken. No reports of human rights incidents were submitted. (2024: 0)

The incidents and complaints described above, including those relating to complaints about incidents of discrimination and harassment, did not result in any fines, penalties, or compensation payments. Consequently, the annual financial statements also do not report any such amounts for fiscal year 2025. (2024: 0)

The Management Board and the Supervisory Board’s Audit and Risk Committee are informed on a quarterly basis of reports of possible compliance violations. These clear reporting channels help actively promote a culture of trust, while insights from processing the reports are included in changes to the due diligence processes.

Workers in the Value Chain

Material Impacts, Risks, and Opportunities

United Internet does business in Europe and North America; in other words, it is also active outside its home market of Germany. Responsibility in the value chain is a material topic for the Company, especially as regards the protection of the environment and human rights. Human rights comprise not only fundamental rights such as the rights to life, freedom, and equality, but also a wide range of aspects from the world of work, such as the prohibition on discrimination and (“modern”) slavery, and the right to rest.

Both United Internet’s own staff and the workers in its value chain – who are outside the direct sphere of influence of its business activities – can be exposed to hazards or grievances. This applies in particular to the failure to provide fair working conditions and to human rights issues. United Internet identified the following positive and negative material impacts on workers in the value chain in its double materiality assessment.

Additional Information on the “Failure to Provide Fair Working Conditions and Human Rights Issues in the Upstream Value Chain” Impact

IT hardware that United Internet distributes or uses to provide internet and telecommunications services contains a number of different raw materials. The materials needed include oil (for plastics production), rare earths, lithium, silicon, and copper. These raw materials mainly come from China, Australia, the U.S.A., Chile, and the Democratic Republic of the Congo. Extraction of these raw materials can be marked by exploitative working conditions and human rights issues. The value chain for minerals can involve particular risks. In addition to the danger of child labor in cobalt mines and hazardous working conditions for mine workers, employees at supplier operations, self-employed people, and workers at third-party undertakings can be exposed to risks. A lack of occupational safety measures can seriously impair workers’ health or in the worst case result in their death. What is more, workers in the value chain can be exposed to abuse, violence, and forced labor without enjoying adequate protection or legal certainty.

The IT hardware that United Internet needs is primarily manufactured abroad, e.g., in China, Vietnam, India, Taiwan, and Japan. Migrant workers, women, and contingent labor are particularly at risk in IT hardware factories. For example, they may suffer from low wages, long working times, a lack of occupational health and safety measures, discrimination, and insecure contracts, often without any or only a small chance of enforcing their rights. Workers can also be exposed to sexual harassment. All these circumstances can potentially have a substantial impact on the physical and psychological health of those affected, and represent a disrespect for human rights.

All other information describing the material impacts and risks is reported in the “General Disclosures” chapter.

Policies and Guidelines

The following section lists the policies and guidelines that the Company has introduced to prevent, mitigate, or remedy negative impacts in the upstream value chain.

Supplier Code of Conduct

United Internet expects suppliers and service providers to comply with the same principles as the Company does itself. These expectations are described in concrete terms in its Supplier Code of Conduct and form part of United Internet’s careful selection process for business partners. The code is intended to help guarantee corresponding working conditions in the value chain. At the same time, the goal is to avoid human rights issues in the upstream and downstream value chain and associated potential negative impacts resulting from United Internet’s business activities.

United Internet has explicitly committed itself to the prohibition of human trafficking, forced labor, and child labor. This commitment is enshrined in the Supplier Code of Conduct and must be observed by suppliers and business partners.

Guideline for the Implementation of Supply Chain Due Diligence in the UI Group

The Guideline for the Implementation of Supply Chain Due Diligence in the UI Group describes the structural implementation of supply chain due diligence obligations at United Internet and defines roles and responsibilities in the Group-wide Supply Chain Due Diligence organization.

Actions

The following section describes actions implemented by United Internet to manage material impacts and risks in the upstream value chain and to achieve the targets set out in the associated policies and guidelines.

Actions Relating to the “Failure to Provide Fair Working Conditions and Human Rights Issues in the Upstream Value Chain” Impact

The actions relating to fair working conditions and avoiding human rights issues in the upstream value chain are designed to be risk-based and cover all workers at direct suppliers with which contractual relationships exist.

At the level of the indirect suppliers, ad hoc risk analyses are performed if substantiated knowledge exists, i.e., where there are actual indications of a possible violation of a human rights or environmental obligation at indirect suppliers. This can originate, for example, with a report to the whistleblowing system or media reports.

The actions take place at three levels of activity.

Level One: Preventive Measures

The Supplier Code of Conduct, contractual clauses, and IT solutions for implementing the two-stage risk analysis form the organizational and technical foundations for supply chain measures. They are supplemented by dedicated preventive measures and remedial actions, which are performed either ad hoc or on a risk-driven basis.

Firstly, an abstract gross risk analysis is performed to determine the sector- and country-specific risks to which direct suppliers are exposed . Direct suppliers undergo an abstract risk analysis once a year to prevent potential negative impacts in relation to working conditions and human rights issues in the value chain. Direct suppliers are analyzed using environmental, social, and ethical criteria so as to identify potential abstract risks at an early stage.

United Internet builds on the results of the gross risk analysis when developing preventive measures. Identified gross risk suppliers assigned to the “Priority A” risk category (“priority gross risk suppliers”) are invited to participate in a concrete ESG assessment and undergo a concrete risk evaluation every year. This serves to determine the individual risks for each gross risk supplier and ultimately to derive risk-based, targeted preventive measures . Vendor management software is used for the analysis. If this does not contain any usable information, the supplier is reviewed together with the departments. The “Priority A” risk category comprises direct suppliers who, based on a six-tier risk scale:

• have a gross risk of “medium-high,” “high,” or “very high” and a sales volume for the YTD as of September 30 > € 100,000, or
• have a gross risk of “high” or “very high” and a sales volume for the YTD as of September 30 > € 10,000.
• In fiscal year 2025, the abstract risk analysis was performed on a total of 7,080 suppliers to identify sector- and country-specific risks. Of these, 116 were classified as priority creditors. These underwent a net risk analysis, the results of which were still outstanding at the time this sustainability statement was prepared.

In addition, human rights expectations have been incorporated into the selection process for direct suppliers. Since March 1, 2025, all new suppliers with a potential order volume in excess of € 500,000 have undergone an abstract risk analysis, while those with a potential order volume in excess of € 1.5 million have undergone a concrete risk analysis. Based on the individual supplier’s concrete risk exposure, United Internet then takes any appropriate measures for improvement (generally training).

Level Two: Determination of Issues

At the level of the indirect suppliers, ad hoc risk analyses are performed if substantiated knowledge exists, i.e., where there are actual indications of a possible violation of a human rights or environmental obligation at indirect suppliers. This can originate, for example, with a report to the whistleblowing system or media reports. Please see the “Introduction to Social Topics” section for further information on the whistleblowing system.

In fiscal year 2025, no severe human rights issues or incidents in the upstream and downstream value chain were reported via United Internet’s whistleblowing system.

Automated regular screenings and live news tracking are performed for suppliers with an EcoVadis rating. This allows United Internet to identify topics and developments that could affect workers in the value chain.

In due diligence outsourcing, connected outsourcing partners undergo a dedicated audit to identify potential risks in relation to the call center agents that they employ, and to derive and implement risk-specific actions.

Level Three: Taking of any Remedial Actions Required

If breaches are determined or concrete risks are discovered, appropriate, suitable remedial actions are taken. The strategies adopted to prevent and mitigate negative impacts depend on the relationship between United Internet and the entity causing the risk, the severity of the issue involved, and the ability to influence the suppliers concerned.

Monitoring Mechanisms

The effectiveness of the actions is tracked using both technical and organizational approaches.

The position of the Human Rights Officer was established to monitor supply chain risk management. Key tasks performed by United Internet’s Human Rights Officer are monitoring performance of the annual risk analysis and initiating the measures to be derived from it, initiating ad hoc risk analyses and if necessary initiating any necessary measures, drawing up and if necessary updating the Policy Statement, and reporting to senior executive management.

A central human rights coordinator coordinates implementation of the due diligence obligations in the local purchasing units. Local human rights coordinators in the local purchasing units ensure the due diligence obligations are implemented in the relevant procurement processes.

Actions Relating to the “Employment and Inclusion of Persons with Disabilities in the Value Chain” Impact

United Internet actively promotes diversity and inclusion, not just as an employer in relation to its own employees but also in its value chain. It does this by specifically working together with inclusive business partners, especially when it comes to refurbishing IT hardware. For example, the Company has long-term partnerships with recycling specialists AfB gGmbH and GDW. These two companies make valuable contributions to employment opportunities for people with physical or mental disabilities, strengthening their independence, their feeling of self-worth, and their social integration. This contributes not only to a more diverse and integrative working environment but also to more equal opportunities and social justice in society as a whole.

Targets

Targets Relating to the “Failure to Provide Fair Working Conditions and Human Rights Issues in the Upstream Value Chain” Impact

The effectiveness of guidelines, policies, and actions relating to working conditions and human rights in the value chain is regularly tracked, although at present no specific targets for measurement have been defined. United Internet primarily uses the results of the regular abstract risk analyses of direct suppliers and the concrete ESG assessments for priority gross risk suppliers for this. In addition, insights from the established whistleblowing system are included in the assessment of effectiveness. The degree of ambition defined consists of using preventive measures to ensure compliance with the rules, and to identify potential breaches at an early stage, clarify them completely, stop them, and sanction them systematically.

Targets Relating to the “Employment and Inclusion of Persons with Disabilities in the Value Chain” Impact

No specific targets existed for the “Employment and inclusion of persons with disabilities in the value chain” impact during fiscal year 2025. This is due to the fact that guidelines on this still have to be developed. The effectiveness of the partnership with AfB is quantified annually in a certificate issued by AfB. Thus in fiscal year 2025, the old devices supplied by United Internet alone financed nine jobs for persons with disabilities. However, this metric is not suitable for determining a target level, since it is directly linked to the volume of old devices supplied.

The medium-term goal is to continue embedding social and environmental sustainability issues in procurement activities. The aim is to safeguard and enhance the positive impact in relation to the employment and inclusion of persons with disabilities in the value chain by expanding the relevant guidelines and policies and using defined criteria to assess existing and new partner organizations. The definition of concrete targets will be examined once the preliminary conceptual work has been done and suitable processes and metrics have been established.

Consumers and End-users

Preliminary remark: The official category for this chapter is “Consumers and End-Users.” The terms “consumers,” “customers,” “end customers,” and “customer base” are used as synonyms in this chapter.

Involvement of End Customers

Consumer satisfaction with United Internet’s products and services is a critical element of the Company’s success. Continuous improvement and the incorporation of feedback are needed to accommodate customers’ constantly growing demands on telecommunications and internet companies. This is why United Internet uses regular customer surveys plus additional market research tools to identify areas of potential optimization for products, processes, and the customer service organization. United Internet’s double materiality assessment included the consumer perspective by involving relevant departments such as Customer Experience. The insights gained were backed up by the results of surveys and market research.

Material Impacts, Risks, and Opportunities

The following material impacts and risks were identified during the double materiality assessment:

The following material IROs were identified in connection with business customers, but also affect the end user group, which is why they are also reported in this chapter. United Internet’s guidelines, policies and actions for the “Digital security and consumer protection” and “Inadequate protection of customer and end user personal data” IROs, which are described in the following chapter, also help combat the potential effects of the “Impacts of cybersecurity incidents on the value chain” and “Loss of data availability, confidentiality, and integrity lead to data losses and data misuse” IROs. The guidelines, policies, and actions relating to the “Critical infrastructure outages” impact are listed separately.

Policies and Guidelines

The following table summarizes the policies and guidelines affecting consumers and end users.

Information Security Top Level Policy United Internet Group

The Information Security Top Level Policy United Internet Group sets out minimum information security requirements, which are based on ISO standard 27001:2022, for the entire Group. The policy was being revised at the time of reporting so as to define a security governance framework (SGF) within it. The SGF sets out the core reporting obligations and opportunities for review, and the goal is to put it into operation by the end of the third quarter of 2026.

Security Policy – Information Classification

The Security Policy – Information Classification defines core information classes and levels of confidentiality for the Group so as to ensure a uniform approach. The specific requirements for the individual segments are then fleshed out further in local guidelines.

Security Policy – Information Security Incident Handling Guidelines

This policy defines uniform requirements for the classification, evaluation, analysis, and follow-up of information security incidents such as breaches of the protective goals (confidentiality, integrity, and availability). It specifies target reaction times depending on the severity of the security incident concerned, plus key points for cooperation with the segments.

Group Policy on Device Use

The Group Policy on Device Use covers the recycling topics set out in the section entitled “Resource Use and Circular Economy,” plus data privacy-related information. Company and privately owned devices accessing the Company’s network must be used securely and in line with the rules. This means protecting them against unauthorized access and complying with data privacy and information security guidelines. The policy covers the entire device life cycle from procurement through delivery to return. This also means that damage to or the loss of devices must be reported immediately. In addition, business data on Company-owned and privately owned devices must be handled in such a way as to minimize the risk of data leakages to unauthorized third parties.

Data Protection Guideline

The internal Data Protection Guideline aims to ensure a uniform high level of data privacy and the responsible handling of personal data within its scope by ensuring an effective data privacy organization and focusing on overarching data privacy goals. Key overarching data privacy goals include compliance with the EU’s General Data Protection Regulation (GDPR) and other relevant data privacy laws to the extent that these are applicable.

Deletion Concept Policy

The internal Deletion Concept Policy sets out the responsibilities for complying with data privacy law obligations on deleting personal data that apply within its scope. In addition, it describes the concrete framework and requirements for defining and implementing deletion policies.

Guideline on the Use of Artificial Intelligence at the United Internet Group

The guideline sets out general principles for United Internet’s use of AI technologies in an ethical and legally compliant manner. It aims to create a Group-wide framework (with the exception of those companies for which no right of direction exists) for dealing with AI technologies. In particular, it aims to work towards the implementation of the requirements set out in Regulation (EU) 2024/1689 (the Artificial Intelligence Act, or AI Act for short) in all Group segments. Among other things, it includes ensuring an approval procedure for AI systems, introducing an AI inventory that provides an overview of approved AI systems and models, and establishing training offerings to ensure adequate AI skills.

It is binding on Corporate and on the Consumer Applications Segment, and has the status of a recommendation for the other segments. All segments with the exception of Corporate already have their own written procedures that comply with the AI Guideline.

Editing Guidelines

The Editorial Team has developed a number of policies and guidelines to combat the spread of fake news and the associated hazards for readers . The rules governing how editorial staff work are made transparent for the public, updated regularly, and published. In addition, the Editorial Team has committed to observing the German Press Council’s Press Code. Specific guidelines for the use of artificial intelligence in the Editorial Team were introduced to supplement the segment’s AI Guideline.

United Internet Media: General Guidelines (Advertising Guidelines)

The Consumer Applications Segment ensures that the advertising environments on the GMX and WEB.DE portals are serious and trustworthy, in particular by implementing youth protection measures such as not targeting minors. Advertising for alcohol, tobacco, and erotica is highly restricted. Guidelines forbid advertising against equality or diversity. Advertising defaming social groups; that contains unconstitutional, subversive, sexist, or racist material; or that glorifies violence or war is also prohibited.

RL 6326 Emergency Management and LL 3700 Business Continuity Management

The Business Access Segment’s “RL 6326 Emergency Management” and “RL 3700 Business Continuity Management” serve to inform employees of the rules that have been established for use in emergency situations. The goal is at least to limit, or better still prevent, damage that could potentially arise in an emergency such as a network failure. The Business Access Segment’s Emergency Management team ensures that key business processes at customers are not interrupted even in critical situations, or that they are only interrupted temporarily.

Actions

Actions Relating to the “Inadequate Digital Security and Lack of Consumer Protection” Impact

Expanding Internet Security

As a data processing company, United Internet has a significant social responsibility for protecting sensitive data and hence safeguarding customers from detrimental effects. Information security is the precondition for customers being prepared to entrust United Internet with information in the form of digital data such as photos, documents, and e-mails.

United Internet’s goal is to protect this information from unauthorized access and misuse. The individual segments’ security strategies aim to achieve the protective goals of data confidentiality, availability, and integrity throughout the Group. Security management in the segments is based on focused technical and organizational measures. These are derived from the security guideline requirements, which in turn are based on a variety of criteria. Sources include international standards, and especially ISO 27001, but also legislation such as the German Telecommunications Act (Telekommunikationsgesetz – TKG), the European NIS 2 Directive, or the German BSI Act (BSI-Gesetz – BSIG).

The measures taken to protect the product landscape against unauthorized access and misuse are constantly upgraded. United Internet’s information security management system (ISMS) is based on internationally recognized standards such as ISO 27001 and on the BSI IT-Grundschutz compendium and C5 catalog from Germany’s Federal Office for Information Security (BSI).

Building on these standards, United Internet analyzes whether an appropriate, risk-based, effective approach to dealing with information security challenges exists – from security management down to implementing the security requirements in the operating security units. In addition, planning and achieving information security objectives is a key part of implementing and maintaining the ISMS.

Management Using the Information Security Management System

All of the segments have an ISMS. In line with the individual segments’ business strategies, the ISMS in the Consumer Access, Consumer Applications, and Business Applications segments is managed by United Internet’s Group Information Security Officer (GISO) and the Segment Information Security Officers (SISOs). In the case of the Business Access segment, this task is performed by the Head of Information Security Management. A guidelines management policy is also in place. The SISOs are responsible for information security risk management. In addition, they develop security instructions and employee training courses, and are responsible for communication with public authorities, e.g., in the case of reportable security incidents.

Technical Security & Abuse Management is responsible for providing advice on security architectures and applications, systems, and network security. It trains employees in how to ensure secure development and operations, performs security tests, and deals with potential security incidents together with other departments. The department also develops and operates systems that are used in abuse management processes. These processes ensure that support is provided to customers during security incidents for which they themselves are responsible, helping them to use United Internet’s products securely again.

The SISOs perform segment-specific Telecommunications Security Officer roles, e.g., as required by the TKG. They report regularly to the Chief Technology Officers for their segments. Reporting covers the information security risk portfolio, any relevant security incidents that have occurred, the specific measures taken, the results of security audits, and key security trends. Internal security architecture experts support the GISO and the SISOs in designing and implementing comprehensive, cross-segment security improvements. Senior executive management at the Business Access Segment is ultimately responsible for information security there. It entrusts the Head of Information Security Management and his department, plus the organizations supporting them, with operating and continuously improving the ISMS. In this way, United Internet establishes structured, targeted security management.

In the Business Access segment, United Internet has organized information security activities in line with the Three Lines of Defense (TLoD) model. Information Security Management represents the second line of defense under this model. Among other things, the department develops and resolves policies, guidelines, and work instructions that serve as the basis for operational security measures, requirements, and activities. These are then implemented by the staff responsible in the various departments, which represent the first line of defense. A Security Operations Center works 24 x 7 to identify, target, and remedy security attacks. The Head of Information Security is also the Business Access Segment’s Telecommunications Security Officer under the TKG and reports regularly to senior executive management.

Information Protection Measures

The BSI has detected an ongoing high threat level in cyberspace. In addition to its telecommunications technology, United Internet uses information technology to provide business process-related services whose availability and proper functioning could be endangered by threats emanating from the internet or from internal sources. In addition to availability risk, there is a risk that cyberattacks could, for example, lead to customer data being read, deleted, or misused.

Potential threats from the internet represent one of the largest risk clusters facing United Internet, measured in terms of their impact. Vulnerabilities could have far-reaching consequences for customers. United Internet has taken the technical and organizational security measures described below, among others, to contain such risks. No sanctions in the form of fines were imposed on United Internet in fiscal year 2025 for security violations or other security-related incidents.

Technical Measures

• Introduction of two-factor authentication (including for externals) : IT systems protection starts when users log on. Since various attack vectors such as phishing can quickly lead to the theft of user names and passwords today, two-factor authentication is vital for making unauthorized use as difficult as possible. United Internet forces users, including external ones, to use a second factor at a technical level (rolling one-time passwords, authenticator apps using challenge-response procedures), thus adequately protecting access to the Company’s network. The measures for establishing two-factor authentication have been implemented in full.
• Stricter password rules and modified target data for password rotation : The IT security world is in a constant state of flux, and previous approaches to regular password changes (the classic “password2023-passwort2024” pattern) now present a risk. Security is achieved through complexity (a minimum of 12 characters comprising a mix of upper and lower case, numerals and special characters) and a second factor, not just through frequent rotations. The use of two-factor authentication provides adequate user security and enables password expiration dates to be deactivated. The approach is based on the NIST (National Institute of Standards and Technology) (SP 800-63B) and BSI standards. The measures to enhance the password rules will have been fully implemented by the end of the first quarter of 2026.
• Revised technical-organizational measures (TOMs): The TOMs were revised in order to ensure customer data privacy during processing. The revision also included a review in line with best-practice standards (ISO 27001 and the BSI’s IT-Grundschutz standards). The structure of the appendix to the definition of the TOMs was expanded to include more details, making the depictions of the associated checks more efficient. This ensures that contract data processing can be performed appropriately and securely. The action to revise the TOMs was completed as of the third quarter of 2025 and the new version is already in use.
• Use of Microsoft Defender : The solutions in Microsoft’s Defender Suite are already in use and will be rolled out in full in order to provide complete protection for end-user devices in particular. Pilot projects are currently ongoing to implement device tracking and remote lockdown/remote wipe functions for compromised devices. This modern workplace (part of the “New Work” initiative) will replace all employee devices in the near future. Implementation is scheduled to have been completed by the end of the fourth quarter of 2026.
• Secure software development: The best protection against vulnerabilities is to prevent them arising in the first place. All segments use various maturity levels of the Secure Software Development Life Cycle (SSDLC), which incorporates security into the software development process at a methodological level right from the start. Integral aspects of product development include threat analyses, dual control source code reviews, automated checks, developer documentation, and application tests, among other things. As the use of agile development methods and new technical platforms spreads, the SSDLC is being continuously expanded to include software dependency analyses up to and including secure (software) containerization.
• Global distributed DDoS shield : Distributed denial of service attacks (DDoSs) are concerted internet attacks originating from multiple sources that are designed to limit service availability. The Group works together with partners to protect United Internet against these attacks using an internally developed global DDoS shield, which is optimized continually and which is deployed in the Consumer Access, Consumer Applications, and Business Applications segments. An internal team of experts is entrusted with continuously improving the DDoS mitigation platforms and with maintaining a constant high level of security. The Business Access segment uses a third-party DDoS product.
• Systematic use of encryption – Transport Layer Security (TLS): TLS is used throughout United Internet for encrypted customer data transfer. In addition, United Internet makes TLS functionality available to customers so as to protect their data traffic, e.g., when entering passwords or payment information. United Internet bases the strength of its encryption on recognized international authorities such as the U.S. NIST or Germany’s BSI.
• Georedundancy : United Internet operates data centers in multiple, geographically discrete locations in Europe and the U.S.A. This allows the Company to store and back up information at a variety of different locations and to minimize the risk of business interruptions and data losses caused by external factors.

• Certification of Company data centers: United Internet ensures that it can offer customers the highest possible security standards by having its own data centers certified. These include the data centers belonging to the Business Applications Segment, the data centers and technical spaces in the Business Access Segment that fall within the scope of certification, and some system operations at Customer Support, all of which are certified in accordance with ISO 27001 and the BSI’s IT-Grundschutz. Other security certifications are obtained for areas above and beyond the data centers; these include the IT-Grundschutz or BSI C5 certifications for cloud security that are recognized in Germany, plus international standards such as PCI DSS for electronic payments systems. In addition, Business Continuity Management (BCM) for business customers is being constantly enhanced.

Organizational Measures

• Information security training for staff: Above and beyond United Internet’s technology, humans are an important and ever-present aspect of its security chain. Basic and refresher e-learning courses are used to provide employees with information on security issues. This mandatory e-learning course must be repeated every two years. Classroom training is also offered for knowledge-building.
• Information security rules: United Internet provides employees with a comprehensive rulebook that serves as a guide for all areas of information security. The mandatory Information Security Top Level Policy United Internet Group serves as the formal basis for this within the Group. This rulebook is continually enhanced and updated at segment level so as to reflect up-to-the-minute technological challenges. It is disseminated using a variety of different communications channels, depending on the target groups concerned. In addition to the training courses that have already been mentioned, tips and tricks and explanations of the rules for key employee roles are available on the intranet. The regular onboarding event, security training, and the intranet also provide information on contact points to which staff must report potential security incidents, or suspicions of such events, without undue delay. This reporting obligation includes events in which applicable rules are being breached or that could otherwise pose a danger to United Internet.
• Security audits : Product, process, and system audits are performed in order to ensure the effectiveness of the ISMSs in the segments. They are supplemented by checks performed by the departments themselves and by additional audits. These audits, which are often commissioned externally, are supported by the decentralized security organization. One tool that is increasingly being used in this context is the maturity models. Maturity models offer an efficient way of planning effort-intensive, in-depth audits more effectively. They allow audits to be directed during planning towards those places in which they will help enhance maturity levels most effectively. In particular, the technical departments that are responsible for customer data use a security maturity model developed by Information Security. These departments benefit from a clear analysis of how they are developing. The model also provides a way of ensuring independent, focused, and comparable progress.
• Continuous monitoring : The various IT systems are monitored continuously in order to discover any data vulnerabilities as quickly as possible. In addition to local monitoring, the Security Incident and Event Management System (SIEM), which has been customized internally and migrated to a more modern platform, supports incident capture and can trigger appropriate responses. The time taken to distinguish between security-related incidents (e.g., attacks) and incidents that are not security-related (e.g., power circuit interruptions) is measured to facilitate continuous improvement. The response times from the point at which the notification of a problem is received to its resolution are also logged. In addition, United Internet has defined internal targets for certain protective goals, such as data availability.

Security Incident Handling

All business segments have defined standardized processes for handling security incidents in compliance with standards such as ISO 27001. Once a significant incident is detected, a trained incident manager takes responsibility for its resolution. Where necessary, he or she also consults the Security Team or external consultants.

When integrating acquired companies, United Internet reviews the existing technical and organizational information security measures both before the combination and at key points in the subsequent integration process (this procedure does not apply to the Business Access Segment). A maturity analysis based on international standards is used for this. The maturity level established in this way is supplemented by a risk assessment complete with recommended measures. A range of integration measures are then resolved and implemented, depending on the results and the business strategy. The segments’ security organizations assess the maturity level and the measures to be taken and determine whether it makes sense to integrate the acquired company with United Internet’s ISMS. The goal is to establish and maintain an appropriate, Group-wide security standard.

High Security Standards for E-mail Accounts

E-mail providers deployed improved methods and data science in fiscal year 2025, continually enhancing their spam scanners and succeeding in further increasing the proportion of identified and filtered spam mails. As a result, the proportion of incoming e-mails flagged by customers as spam declined by a further 2 % year-over-year. This increased both the relevance of the e-mails received and the security with which they could be handled.

Phishing is one of the greatest threats facing United Internet’s consumers. The Hall of Fame established jointly by Germany’s Federal Office for Information Security (BSI), Bitkom e. V., and eco e. V. honors companies that have made e-mail communication measurably safer: GMX, WEB.DE, and IONOS have been awarded gold status. In addition, the BSI offers an e-mail security check for consumers that tests the sophisticated technical security features offered by e-mail providers. GMX and WEB.DE meet all BSI criteria.

Awareness-raising campaigns for customers are also run to provide information about, and sensitize them to, cyberthreats. For example, two actions – “Keep your account data up to date” and “Check how strong your password is” – were rolled out in this area. These successfully reached several million users and led to changes in their behavior.

Actions Relating to the “Inadequate Protection of Customers’ and End Users’ Personal Data” Risk

United Internet ensures that personal data is protected, and checks whether personal data processing is admissible, on the basis of the European GDPR and the national regulations in the countries in which it operates. This is not merely a compliance requirement but is also in United Internet’s own interests. The reason is that the lawful, secure, and responsible handling of personal data is always in the public eye, especially when it comes to internet use. In particular, United Internet’s customers trust it with the data for their more than 29 million fee-based customer contracts and roughly 39 million ad-financed free accounts worldwide. As a result, guaranteeing strict security and systematically protecting customer data are part of the Company’s DNA. Data privacy and information security at United Internet are always aligned with the current requirements for, and strict standards applicable to, data privacy in Europe and Germany.

United Internet’s data privacy measures aim to ensure compliance with data privacy requirements throughout the Group, and to embed this in its systems, processes, and products. In practice, this means tracking developments at the legislative level, in case law, and in supervisory practice, plus monitoring technological risks and threat scenarios, and continuously adapting the data privacy management system on this basis. The segments have created their own individual data privacy organizations, policies and guidelines, and processes for this. They have established their own data privacy units and appointed data protection officers. The data protection officers regularly report to the top management of the Group company concerned. Other data protection roles have been established where needed to implement the data privacy goals, bearing in mind the individual segment involved, its size, and the risks involved. United Internet uses the following tools to ensure compliance with data privacy requirements in the Group:

• Embedding data privacy expertise in the product development process : The data privacy departments and data privacy coordinators serve as internal consultants for data privacy questions that arise, for example, during product design or development (“privacy by design” or “privacy by default”) or in relation to contractual agreements.
• Prevention through mandatory data privacy training : United Internet wants all employees to help ensure that personal data is processed lawfully and, in particular, that sensitive information does not fall into the wrong hands. This is achieved using employee training courses that are held regularly, but at least every two years. In addition, regular measures are taken to further raise employee awareness in the data privacy area.
• Contact with supervisory authorities : United Internet’s data privacy departments are in regular contact with the competent data protection supervisory authorities, in particular so as to handle customer concerns that have been passed on by the authorities. Set reporting and review processes have been defined for data privacy incidents. Where an obligation to report them exists, they are reported to the supervisory authorities. A total of 29 reports were submitted to the competent data protection supervisory authorities in fiscal year 2025.
• Effective detection through complaints procedures: Customer questions and complaints about data privacy are handled by trained staff in special data privacy teams, who work in close cooperation with the specialist data privacy units in the segments concerned. In addition, employees can contact the data privacy units or their data protection officers in confidence at any time to discuss data privacy issues arising in the course of their day-to-day work.
• Checks used to monitor effectiveness: United Internet’s data privacy units regularly perform function-specific data privacy assessments and checks. In addition, independent audit organizations can be commissioned as needed to perform external, objective data privacy audits in order to identify internal potential for improvement. The data privacy units are also entitled to check service providers and subcontractors in the course of their controls.
• Greater data privacy through continuous enhancement of technical and organizational safeguards: Customers entrust United Internet with their personal data. The segment security standards that have been implemented are constantly enhanced and improved to ensure that this data can be protected.
• Implementation of data subjects’ rights : United Internet’s clearly defined workflows for timely and transparent request processing enable data subjects to effectively exercise their data privacy rights and especially their rights of access, rectification, and erasure. Requests are processed promptly, and in all cases within one month of being received. The legislation stipulates that this period can be extended by a further two months under certain circumstances.
• Deletion of personal data : In keeping with the storage limitation principle, United Internet only processes personal data for as long as this is needed for the defined purpose. After this, it is deleted in line with data privacy requirements.

Actions Relating to the “Use of AI in Processes and Services” Impact

Group-wide AI Working Group

The AI Community, which is currently being set up, is intended to serve as a Group-wide platform for information sharing, networking, and cooperation in relation to artificial intelligence. It aims to identify use cases, share knowledge, and support the introduction of AI solutions at the Company. Above and beyond this, the Community will generate momentum for evaluating and providing AI tools and enable employees to use AI in a responsible manner. The initiative promotes transparency, synergies, and interdisciplinary cooperation with the goal of deploying AI sustainably and efficiently.

Training to Ensure Responsible, Secure AI Usage

Internal e-learning programs on AI fundamentals were developed at Corporate and in all segments in fiscal year 2025. The objective of the training courses is to promote appropriate AI skills within the organization. Key items taught to employees were knowledge of how AI technologies work, its secure and successful integration in day-to-day work, the relevant legal framework (and especially data privacy, information security, and copyright) and ethical questions and their impact on customers, employees, and society. In addition, the risks and limitations associated with using AI technologies were illustrated.

Introduction of Own AI Compliance Teams and AI Officers

Corporate established its own AI compliance team (Legal AI Management) in fiscal year 2025 to ensure that artificial intelligence is used responsibly and in line with the rules. This cross-departmental team consists of experts from Corporate Legal and Corporate Privacy. It addresses practical questions relating to AI compliance and in particular checks whether relevant compliance matters are observed when new software solutions are introduced. The AI compliance check performed as part of the software approval process ensures that the requirements of the European AI Act are identified and complied with at an early stage. In addition, checking that AI-specific compliance risks have been identified and mitigated serves to ensure that new technologies are introduced responsibly and in line with the rules.

Actions Relating to the “Dangers for Fact-based Opinion-forming” Impact

The World Economic Forum’s "Global Risks Report 2026” identified “misinformation” and “disinformation” as the second greatest global risks in the coming two years. The substantial reach of the GMX and WEB.DE brands’ editorial offerings in the Consumer Applications Segment means that these are considered to have considerable influence in shaping opinions. The Medienvielfaltsmonitor 2024, which is published by Germany’s state media authorities (Landesmedienanstalten), puts GMX in third place and WEB.DE in second place on the online opinion market, with 3.0% and 3.5% respectively.

This being the case, the following actions are being taken in relation to the “Dangers for fact-based opinion-forming” impact:

Transparency

• Specific reader questions are taken up and answered in longer articles in the “How the Editorial Team Works” column.
• The Editorial Team provides the public with transparent information as to which external news sources, such as news agencies, are used and the names of the columnists with whom they work.
• GMX and WEB.DE’s news offering is recertified every two years under the Journalism Trust Initiative launched by Reporters Without Borders and CWA 17493:2019. This takes the form of an independent audit by Deloitte. The next recertification is scheduled for the beginning of 2026.

Balanced News

• Editorial news items are personalized. The Editorial Team takes care to prevent filter bubbles by not just providing readers with content from their preferred sections but rather supplying a varied and dynamic selection of topics.
• GMX and WEB.DE’s news offering continuously uses the fact checker supplied by Correctiv, the independent nonprofit research center, so as to report about widespread fake news and actual facts.
• GMX and WEB.DE regularly publish articles about the climate so as to reach readers with information about the climate crisis and climate change mitigation from a basis of fact. This climate-related offering will continue to report regularly, and at least weekly, in 2026.

User Feedback

The Editorial Team regularly publishes calls to readers in its daily news reporting, encouraging them to get involved and contribute their opinions, viewpoints, and personal stories. The resulting articles, which are identified as such, are published on GMX and WEB.DE’s news channels. “Editorial Team feedback” or “feedback” buttons can be found directly below each article, allowing readers to submit queries and comments and to flag potential errors to the Editorial Team easily and directly. A dedicated Community Management team fields hundreds of user comments every day so as to be able to respond to their feedback immediately. In addition, regular reader action days are used to identify potential improvements in reporting.

Sustainability Pact for the Media

The GMX and WEB.DE brands with their high-circulation news offerings are members of the Bavarian Regulatory Authority for New Media’s “Nachhaltigkeitspakt Medien” (Sustainability Pact for the Media) initiative. This aims to actively help develop a sustainable media industry and to develop a common understanding of sustainability within the sector. All members of the Sustainability Pact for the Media must answer and publish an extensive list of questions. The initiative’s current 2025 report answers questions about their organizational structure, climate and environmental goals, diversity, and journalistic offering.

Actions Relating to the “Breaches of Youth Protection Requirements in the Digital Environment” Impact

United Internet supports youth protection and educating children and young people on how to conduct themselves on the internet. The internet is a key part of children and young people’s everyday lives and is used for communication, researching lessons, and entertainment alike. However, in many cases they are not media-literate or experienced enough to deal with unfamiliar life issues or inappropriate content that they come across online. This means that they have difficulty in assessing risks and therefore cannot adequately protect themselves. Developmentally appropriate measures and education on possible dangers and risks are therefore needed. This is the only way in which United Internet can ensure adequate protection for children and young people, and hence enable them to navigate the internet safely and in an age-appropriate manner.

United Internet ensures that both its own products and services and its partner offerings comply with the legal requirements for youth protection. This applies to all segments with potentially negative impacts on youth protection. Internal reviews for compliance with statutory youth protection requirements are performed during product development and product launches, and any necessary modifications are made. This enables United Internet to ensure that children and young people are not confronted with inappropriate content. The segments for whose products and services youth protection is a major issue have appointed youth protection officers as contacts in this area, who advise the various departments and functions internally. They also act as the central contacts for external stakeholders, liaise regularly with other youth protection officers, and represent United Internet in its dealings with associations and supervisory authorities. In addition, youth protection e-mail mailboxes have been set up for the Consumer Access, Consumer Applications, and Business Applications segments; the details are given in the legal notices and youth protection sections of the sites concerned. Third parties can use these mailboxes to contact the youth protection officers if they have any questions or complaints. Above and beyond this contact information, the segments’ youth protection sections provide information, tips and tricks designed to educate children, young people, and their parents, and to improve their media literacy. The material provided includes links to youth protection programs and information about counseling services and contacts for specific topics and problems associated with internet usage.

Actions Relating to the “Facilitating Digital Participation” Impact

Expansion of the Digital Infrastructure Using Open RAN Technology

As a telecommunications company, the Consumer Access Segment provides a large proportion of society with access to a digitalized world and hence makes an important contribution to the digital transformation process. This is why the Company’s 1&1 brand, as a new mobile network operator, has focused from the beginning on state-of-the-art technology by building Europe's first fully virtualized mobile network based on Open RAN technology.

Mobile services have been offered in the Company’s own 5G mobile network since December 2023. All network functions are managed by software in its private cloud. More than 500 decentralized edge data centers will be commissioned to facilitate this in the period up to 2030. Only fiber-optic connections and gigabit antennas are used throughout. This has created a particularly future-proof network, benefiting consumers.

1&1’s 5G network also substantially expanded its own antenna locations last year. As of the end of 2025, the 1&1 O-RAN already reached 27% of German households. This means that 1&1 has exceeded the requirement set by the Bundesnetzagentur, Germany’s Federal Network Agency, which was to reach one-quarter of households by December 31, 2025. To ensure a nationwide service for mobile customers while 1&1’s innovative O-RAN is being built, customers automatically use antennas operated by 1&1’s national roaming partner, Vodafone, in those areas in which 1&1 does not yet have its own antenna locations. At the same time, the main goal is and remains to expand 1&1’s mobile network as fast as possible and to make its innovative Open RAN technology available in more and more areas.

Digitalization by the Business Access Segment

The Business Access Segment’s network infrastructure enables systematic ongoing expansion of the data and infrastructure business for self-employed people; small, medium-sized and large enterprises; public institutions; local authorities and communal enterprises; and schools and protects it using customized IT security solutions. By connecting these entities to a fast digital infrastructure, United Internet allows them to digitalize administrative and service processes, for example. The Business Access Segment documents the number of finally completed projects for schools and libraries so as to illustrate the progress made with rolling out fiber-optic connections. A total of 135 schools and 12 libraries were connected to the fiber-optic network in fiscal year 2025.

Participation in EU Projects

The Business Applications Segment is participating in a number of initiatives designed to promote Europe’s digital infrastructure. Key among them is its participation in the GAIA‑X and IDSA framework initiatives, which facilitate federated, secure, interoperable data spaces and reduce dependency on non‑EU providers. The segment is also involved in platforms such as NexusForum, the EU Cloud Alliance, and the Open Source Business Alliance so as to promote open standards and transparent rules. These activities are strengthening Europe’s digital resilience and facilitating the secure, sustainable, and self-determined use of the digital transformation.

Teaching Digital Skills

The Consumer Applications Segment’s GMX and WEB.DE brands offer e-mail mailboxes with associated cloud storage. The free-mail offerings do not cost users anything and hence allow socially disadvantaged groups to participate in digital daily life. Information channels such as the blogs on United Internet’s portals offer easily understandable tips about e-mail, the digital world, and security, teaching key skills needed to use these new media . Parents and legal guardians are made aware of issues relating to digital participation by children and young people, and of how to ensure they have a healthy relationship with digital media, in a blog and a quarterly newsletter, with topics including e.g., “cybersecurity for kids.” A variety of blog articles are used to address sociopolitical hazards in the digital environment resulting from hate speech, fake news, or fake images. In addition, critical internet trends such as sharenting and kidfluencers are discussed, and attention is drawn to dangers such as those from phishing. On average, each brand publishes roughly 30 articles per year on these topics.

Free Basic Digital Access

GMX’s free eSIM cellphone plan expands the basic digital services on offer: consumers have a single, free point of access to e-mail, cloud storage, news, and mobile communications. This creates the basis for digital participation for all, and especially for people with low incomes.

Freely Accessible News Sources

GMX and WEB.DE offer users not only e-mail and cloud services but also unrestricted access to content from their own, independent Editorial Team. The editorial news offering is not limited to the German market but is also to be found on the localized national portals in e.g., Austria and Switzerland. Users of other country portals in the U.S.A., the United Kingdom, France, and Spain are offered an automated news feed in the language of the country concerned. A total of 8% and 12% of German internet users source news from GMX and WEB.DE respectively every week. What is more, 5% (GMX) and 6% (WEB.DE) of users access the two freemail portals to obtain information at least three times a week. These figures are documented in the Reuters Institute’s Digital News Report 2025.

Actions Relating to the “Failure of Own Mobile Network” Risk

Given its total of four core data centers, the network has the necessary georedundancy to ensure reliable stability for the 1&1 mobile network.

In addition, specific technical and organizational measures (and especially the redundancy review), expanded redundancy tests, and capacity checks for the individual core data centers, are performed so as to be able to make sufficient capacity available in the remaining data centers for all end customers if one data center should suffer an outage.

Stability of the Mobile Network

As is the case with conventional mobile networks, ensuring the security of Open RAN networks requires in-depth risk analysis and continuous monitoring of all security-related facilities and systems. Rakuten, the general contractor, has performed detailed risk analyses on behalf of the Consumer Access Segment and operates an ISO 27001-certified security management system. Both 1&1 Mobilfunk and its partner Rakuten are working continuously to improve and optimize the existing security systems and on security operations. Security teams provide support for new services offered to mobile customers from an early stage onwards, in the form of “security by design.” The segment is a member of the international O-RAN Alliance, whose expert bodies perform in-depth analyses of security in Open RAN networks and continuously enhance it.

The products in the Consumer Access Segment and the business processes needed for them are based on a complex technical infrastructure and a large number of software systems (for cell towers, data centers, customer management databases, statistical systems, etc.). Due to the complexity involved, modifications – be they minor maintenance or major technical changes – may lead to malfunctions or outages. Should this affect the systems used to provide services, for example, the Consumer Access Segment might temporarily be unable to provide customers with a warranted service.

The segment combats these risks by making specific architectural modifications, using quality assurance measures, and through the georedundant (physically separate) design of core functionality. In addition, a variety of software- and hardware-based safeguards are used to protect the infrastructure and ensure availability. Tasks are distributed so that risky actions or transactions are not performed by a single employee acting alone but rather in keeping with the principle of dual control. Moreover, manual and technical access restrictions ensure that employees can only perform tasks in their own areas of responsibility. Data is regularly backed up and stored in georedundant data centers, offering an additional security measure against data loss.

The Consumer Access and Business Access segments are working together to build and run the fully virtualized 5G mobile network based on the new Open RAN technology. The results of this cooperation can be seen in the connections to the 5G locations (front-, mid-, and backhaul links), the operation of the backbone network, and the expansion of dedicated data centers for network operations.

Actions Relating to the “Critical Infrastructure Outages” Impact

A number of organizational and technical measures are taken to strengthen network resilience, based on the LL 3700 Business Continuity Management and RL 6326 Emergency Management guidelines.

Organizational Measures

The Company’s structures and workflows reflect its operation of one of Germany’s largest and most powerful fiber-optic networks. Specialized functions and departments such as Network Expansion Planning and the Team Network Management Center ensure the fiber-optic network’s high performance. The Team Network Management Center is responsible for 24 x 7 monitoring, operations, and fault clearance at the fiber-optic network for all customers throughout Germany. The Company’s procedures are also based on specific standards, while business process design is based on the Business Process Framework (eTOM).

In addition, the Business Access Segment has developed detailed emergency planning and crisis management strategies to enable it to react swiftly and effectively in the case of unexpected events. This planning includes defined responsibilities and clear communications channels so as to enable normal operations to be rapidly resumed.

Technical Measures

• Alignment with international network operation standards: The Business Access Segment implements the requirements set out in international standards in its business processes so as to be able to offer customers stable and secure telecommunications products. This is audited every year by external certification companies and certified as complying with ISO/IEC 27001, ISO/IEC 20000, and ISO 9001. These certifications provide proof that the segment operates in accordance with recognized international quality, IT service management, and information security standards. The objective of complying with the standards is to promote reliable, secure, cost-efficient service delivery and to provide efficient network planning and operation services. In addition to these ISO certifications, the Business Access Segment is a recognized secure service provider for the automotive industry, meeting the TISAX procedure’s strict information security requirements.
• Redundancy: The network infrastructure is designed so as to have a number of different redundant systems. For example, data traffic can be switched to a different line at short notice so as to ensure a largely uninterrupted connection. This minimizes potential disruptions to the service if specific infrastructure becomes unavailable at short notice.
• Uninterruptible power supply: The segment equips the relevant operating infrastructure with standby power systems and uninterruptible power supply technology so as to increase the resilience of the telecommunications networks. This ensures that the technology continues to function.

Monitoring/Maintenance

The Business Access Segment regularly conducts maintenance and continuously monitors the network infrastructure. State-of-the-art monitoring tools enable potential discrepancies and problems to be identified and remedied at an early stage before they lead to outages. Incoming messages are recorded and error messages, warnings, and status messages are evaluated. These can then be used as the basis for deciding on the measures to be taken.

A number of effective actions were taken in fiscal year 2025 to ensure network stability and availability, and to prevent outages:

• Business continuity management system (BCMS): Business continuity management and the LL3700 BCM guideline, the methodology for which is based on ISO Standard 22301, provide for conducting risk analyses, training, regular tests, and emergency training exercises so as to improve and test smooth operations in emergencies.
• Risk analysis for “basement locations”: To increase the reliability of network operations, the failure risk for technical locations sited in basements due to potential water damage (e.g., as a result of flooding) was investigated and assessed as part of a comprehensive risk analysis. This analysis was then used to identify recommended actions (such as moving or upgrading the technical locations), some of which have already been implemented.

Targets

The material topics in the “Consumers and End-users” chapter are managed using the actions mentioned in this chapter and not using concrete, quantifiable targets. The reasons for this can be seen from the following examples:

• Dangers for fact-based opinion-forming: A large number of actions designed to ensure fact-based journalism and promote transparency are used to protect readers from fake news and promote fact-based opinion-forming. Since it is difficult to measure this result, the Consumer Applications Segment has not yet defined a quantifiable, overarching target. The segment will check in the coming fiscal years whether such a target makes sense.
• Negative ethical impacts from the use of AI in processes and services : United Internet aims as far as possible to prevent any negative impacts that could arise from the use of AI in processes and services. This makes it essential to raise awareness among United Internet’s employees of the dangers of AI, such as AI bias. At present it is not possible to clearly quantify a measurable overarching target, e.g., for whether AI was deployed in an ethically correct manner. Consequently, United Internet is focusing on effective actions relating to this topic, such as conducting AI training, and will check in the coming fiscal years whether meaningful metrics can be defined to measure and schedule target formulation.
• Failure of own mobile network: Since network stability cannot be adequately reflected using a single measurable target, United Internet manages this risk using a clearly defined list of measures and continuous technical and organizational improvements. Chief among these are regular redundancy reviews, expanded redundancy tests, and capacity reviews for the individual core data centers so as to ensure that services to all end customers can be maintained as far as possible even if there were to be an outage at one location. These actions aim to contain the impact of a data center outage and to maximize service availability.