Legal compliance and prevention of corruption

Particular emphasis is placed on the protection of customer interests, which is ensured by the Group-wide applicable Code of Conduct “This is how we think, this is how we act” together with internal monitoring, quality assurance, and complaint management systems.

Compliance at Energie AG is based on a mutual understanding of values, which is expressed in the Code of Conduct and published for all stakeholders, managers and employees. The Code of Conduct assures the compliance of the Group's actions with the relevant laws and regulations. It forms the foundation for all business activities and decisions within Energie AG Group as well as for a morally, ethically and legally flawless conduct of all employees of the Group. The Code of Conduct is mandatory for all employees and contains essential rules concerning respectful conduct and open communication. All managers and employees throughout the Group have been and will continue to be informed about the in-house Code of Conduct.

The “Code of Conduct for Contractors” deals with safeguarding human dignity, responsible communications and data processing, environmental conduct and sustainability, as well as integrity and also sets out the consequences of violations of these principles and rules. This Code of Conduct also provides an important link to suppliers and enables Energie AG to pass on its high standards to business partners.

Internal and external audits serve the purpose of highlighting potential improvements and necessary actions that support the continuous development of the management systems. Audits are very important for Energie AG in this context as well as in light of the changing general conditions.

Compliance Management System

To establish compliance effectively throughout the company, a compliance management system was established, appropriate guidelines were developed and numerous training sessions and awareness-raising measures were implemented. The content, responsibilities, distributions of skills, and required documentation and reporting have all been decided. Information on compliance is provided to employees via e-learning and classroom-based training. Employees can decide for themselves when to access e-learning modules, allowing them to fit the sessions into their everyday work routines as they wish.

Whistleblowing system

Employees may use Energie AG's web-based whistleblowing system to report, including anonymously, suspected compliance breaches to the Compliance Officer. Employees and external persons have additional reporting channels available to report their observations, including a compliance email address and telephone number. Reports about suspicious activities (including from external persons) that are received elsewhere within the Group must be forwarded to the Compliance Officer without delay. All whistleblowers are assured strict confidentiality with regard to their identity and the contents of reported circumstances; reports are processed according to data protection regulations. During the 2022/2023 fiscal year, no reports were submitted via Energie AG’s internal whistleblower system “Tell Me!”. Moreover, no compliance cases were reported via external reporting channels.

As part of the Energie AG Group's due diligence measures, the experts in the various areas of legal specialism monitor the relevant national and European legislative frameworks. The Compliance Organisation is involved in issues relevant to the Group as a whole.

The Legal Department acts as one of a number of information channels, notifying the relevant departments and entities of new legal developments. The Group provides legal certainty and ensures compliance with the applicable requirements by attending seminars, specialist conferences, participating in various committees, keeping up to date with the latest legal developments and legislative plans, and scheduling visits to individual locations.

Internal control system

For further information about Energie AG’s internal control system, see the Group Management Report, Internal control system.


Energie AG’s entities and employees are subject to provisions regarding public officials (Amtsträger) within corruption law. Training sessions are held continuously to ensure the Group-wide implementation of the comprehensive compliance standards in force at the Energie AG Group to prevent corruption. The “Anti-Corruption” learning module offered in Austria has so far been completed by 81.0% of the employees in the country (previous year: 80.0%).

As in previous years, there were no confirmed cases of corruption leading to dismissals or the issuing of warning notices within the Energie AG Group in the 2022/2023 fiscal year. Nor were any violations were confirmed in connection with corruption at business partner companies.

Antitrust compliance

Energie AG unconditionally declares its commitment to fair competition with its competitors, business partners and other market participants. With its comments on the necessary market behaviour, the antitrust law manual is primarily aimed at the sales-oriented divisions and is also available to all employees in the Energie AG Group via the Intranet. Since the 2018/2019 fiscal year, a Group-wide learning module has been available on the subject of antitrust/competition law to ensure that new staff and employees active in sales and distribution demonstrably have access to clearly presented and structured information on the subject. The primary target groups for graduating this module are all sales and sales-related units as well as procurement staff.

The investigations throughout Austria into the area of collection and transport in the waste management industry initiated by the Federal Competition Authority (BWB) in 2021 are still in progress. Umwelt Service GmbH is actively involved in the investigation and has submitted a report. The response of the BWB is still outstanding. There were no other incidents related to antitrust law.

Data protection

Energie AG maintains a data protection management system to ensure Group-wide implementation and compliance with the provisions of the General Data Protection Regulation (EU 2016/679; GDPR) and the new Austrian Data Protection Act (Datenschutzgesetz; DSG 2018) that has been in effect since 2018.

Energie AG’s Data Protection Policy explains the data protection management system’s essential operational framework. Energie AG is aware of the trust that its customers place in the Company. As a result, security, integrity and trust is a top priority when handling personal data in day-to-day operations.

The data protection processes the Group has implemented log and process valid complaints regarding breaches of customer data protection, resulting in corrective action if necessary. As was the case in the previous year, no reportable data protection violations pursuant to GDPR Article 33 were identified in the past fiscal year.

An awareness campaign started in the autumn of 2019 has focused on raising employees' awareness for the prudent handling of personal data and potential risks (cyber crime etc.). The campaign aims at increasing the awareness for information security among employees. To this end, an information security topic was presented each month using a range of materials such as posters, flyers and e-learning units. The main focus was on phishing as well as email and internet security, with a practical component (“Friendly Phishing”) added to the awareness campaign.

Promoting a compliance-conscious culture

Management are responsible for promoting a compliance-conscious culture among staff. Energie AG ensures that its employees know the compliance standards and the values from the Code of Conduct “This is how we think, this is how we act” and put them into practice. Within the annual definition of targets, the Management Board has the opportunity to agree on measurable and adjustable compliance goals that form part of the management performance with the Company's managers and executives. The managerial staff further confirm their adherence to the relevant and compulsory compliance requirements of Energie AG in these individual target agreements.

The conduct of Netz OÖ GmbH’s management and employees in relation to lobbying activities is based on its own Code of Conduct in accordance with § 7 of the Austrian Lobbying Act (LobbyG). Netz OÖ GmbH has created an equal treatment programme and appointed an Equal Treatment Officer in line with its legal obligations as an electricity and gas distribution grid operator.

Compliance forum

The Compliance forum was set up to ensure that compliance questions are handled in a comprehensible manner. Regular meetings help to ensure the necessary exchange of information and consistent treatment of compliance-related matters throughout the Group. All areas of the Group have the opportunity to submit compliance queries and receive compliance advice.

Compliance controls

The compliance management system regulates systematic access to compliance and defines content, responsibilities and the division of authorities as well as documentation and reporting obligations. At the heart of the Group's compliance with laws and regulations is the Code of Conduct entitled “This is how we think, this is how we act”. In establishing its compliance management system, Energie AG ensures the principles laid down in this Code of Conduct are acted upon. Implementation requires regular compliance controls, which were implemented at Group level for the first time in fiscal year 2022/2023 and reported to the Audit Committee meeting held on 27 June 2023. Compliance controls deal with management, business and service processes and are based on defined compliance risks at the level of these processes.

Information security management

In order to be able to reliably guarantee continuous service to customers and other stakeholders in line with their needs, Energie AG has maintained a comprehensive, Group-wide information security management system for a number of years. Especially in the age of digitalisation and cyber-attacks, detecting and countering risks and attacks of this nature is of great importance. A risk-based assessment is made on the basis of a group-wide analysis of the impact on the process landscape (business impact analysis). It is carried out using the newly established governance risk compliance (GRC) system and forms the starting point for the subsequent risk assessment, in which Energie AG periodically and systematically analyses and evaluates threats to its information security, decides its stance on any risks and takes effective steps to control and reduce these risks.

The cyber risk and fidelity insurance taken out in fiscal year 2018/2019 has been updated and forms part of the information security management risk assessment 2022/2023. Key areas of activity have an information security management system (ISMS) and are certified under ISO 27001:2013 and reviewed regularly. A supervisory audit pursuant to ISO 27001:2013 was carried out in the 2022/2023 fiscal year in the department for Group IT Services of the Business Services GmbH. The requirements stemming from the Austrian Network and Information System Security Act (Netz- und Informationssystemsicherheitsgesetz; NISG), which aim to ensure a high degree of security for networks and information systems, were gradually implemented in the relevant areas in a timely manner. The Group-wide awareness campaign “Schlaufuchs” regularly informs users about the risks and dangers related to information security and offers yearly (electronic) training programmes. As part of a Group assessment and governance project, the requirements of the successor regulations to the NISG (NIS 2) are analysed and processed by the responsible units in a structured manner. In this, Energie AG benefits from the high degree of maturity of the various Group companies.

In addition, Energie AG has taken a large number of steps to establish and maintain an adequate level of security. However, even the most strenuous effort cannot guarantee absolute security when it comes to modern technology in the area of information and communication technology, meaning that there is always a certain residual risk. As a result, Energie AG has an emergency and crisis management system in place, enabling it to safely restore orderly operation and customer supply as quickly as possible in the event of a failure.