ÖBB Annual Report 2025

Group Management Report 76 Österreichische Bundesbahnen-Holding Aktiengesellschaft Consolidated Financial Statements | Group Management Report 33 Important key figures at a glance 2025 2024 Asset innovations Current research projects (number) 68 84 Project volume ÖBB share in EUR million* ) 87.5 43.0 Project volume (ÖBB incl. partners) in EUR million* ) 669.1 555.8 Project partners from research (number) 30 25 Project partners from industry (number) 86 80 Project partners SMEs (number) 61 81 Service innovations Ideas submitted via internal platforms (number) 1,060 1,434 * ) Total term of current projects. D. Report on Key Features of the Internal Control and Risk Management System with Regard to the Financial Reporting Process The members of the Boards of Management and managing directors of the Group companies are aware of, and embrace, their responsibility to establish an appropriate internal control system (ICS). A Group-wide minimum standard, which is implemented by the sub-groups, has been formulated for the ICS. ESRS 2.GOV-1.22.c; ESRS 2.GOV-5.36.a As part of a continuous improvement process, projects are carried out at regular intervals with external support to further develop the ICS. The identified and target-oriented further development steps are then implemented. ESRS 2.GOV-1.22.c; ESRS 2.GOV-5.36.a The ICS is based on the international COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework. It comprises the following elements: Identification, analysis, measurement, management, effectiveness monitoring, documentation and communication of ICS-relevant processes, risks, and controls, as well as the monitoring of these activities. ESRS 2.GOV-1.22.c; ESRS 2.GOV-5.36.a D.1. Control environment The ICS is a key component of company-wide risk management. By systematically managing process-related risks, it helps to achieve the company’s objectives. The target categories of the ICS are compliance in financial reporting, promotion of operational efficiency, and compliance with legal and internal requirements. The identification and measurement of process-related risks that jeopardize these objectives and the implementation of risk-mitigating control activities ensure that the ICS objectives are achieved. D.2. Risk assessment and control activities Key risks are identified and recorded periodically on the basis of the process documentation. Suitable monitoring activities are determined in order to reduce the risk to an appropriate level. Regular self-assessment and documented results make sure the control activities are effective. ESRS 2.GOV-5.36.a A set of generic key risks broken down by category has been formulated for risk identification. If a key risk is found to exist, the respective Group company is obliged to define and implement an adequate control measure for the underlying detailed risk. ESRS 2.GOV-5.36.a In addition to the ICS, the ÖBB Group has established the staff units “Group Audit” and “Compliance.” Among other things, Group Audit verifies the existence of an effective ICS and checks certain ICS elements on the basis of an approved annual audit schedule. In addition to the review of circumstances without instructions and on an ad hoc basis, a key aspect of compliance is the implementation of preventive measures. ESRS 2.GOV-5.36.a D.3. Information and communication Each sub-group demonstrates an appropriate, effective ICS based on the Group-wide minimum requirements. Establishment and maintenance are therefore the responsibility of the company itself. The Group-wide minimum standard for implementing the ICS is regularly evaluated and adjusted if necessary. ESRS 2.GOV-5.36.a The Group’s organizational units are obliged to maintain software-supported, standardized documentation. This covers the risk areas identified within the process, including the designated mitigating key controls and the associated test steps. Reports to management and the audit committees of the respective Group companies are also based on this non-editable, annotated, and verifiable data. ESRS 2.GOV-5.36.a | MR33