International Compliance Program

FS Italiane Group (hereinafter also referred to as FS Group) boasts a consolidated status at international level guaranteed by the direct commitment of its Foreign Subsidiaries, which operate in different and complementary sectors/markets.

In recent years, many Countries in which FS Group operates have established a liability regime for legal persons in relation to unlawful conduct committed by representatives, employees or third parties acting in their interest. Most of these regulations encourage companies to adopt corporate governance structures and risk prevention systems, sometimes providing for an exemption or mitigation of applicable sanctions where appropriate preventive measures have been taken.

In this context, FS Group confirms its commitment to preventing and combating unlawful activities in its business.

This document serves as a pillar for strengthening the Internal Control and Risk Management System at Group level, in compliance with the main and most recent best practices and regulations on compliance programmes², in order to harmonise the principles applied, and provide a shared, consistent and comprehensive approach against unlawful or circumventing behaviour.

_{Disclaimer. The principles and rules of conduct defined in this document also constitute control safeguards for anti-corruption purposes and for the prevention of crime risks pursuant to Italian Legislative Decree 231/2001, implementing the provisions of the Organisation, Management and Control Model adopted by the Company pursuant to Italian Legislative Decree 231/2001 (Model 231), FS Italiane Group Code of Ethics, Anti-Corruption Policy and the Anti-Corruption Management Model¹, the Data Protection Framework and FS Italiane Group Classification and Confidentiality Protection Framework. Heads of the structures involved should constantly monitor this document to ensure its correct application and constant adaptation. Violations or attempted circumventions must be promptly reported in accordance with the Whistleblowing Management Procedure and Model 231.}

The International Compliance Program is an opportunity to strengthen the Internal Control and Risk Management System, and is designed to promote behaviour based on the principles of loyalty, fairness, honesty, integrity and compliance with laws, regulations, standards and best practices.

The International Compliance Program aims to prevent the compliance risk, i.e. the risk of incurring in violations of national or international (legislative or regulatory) or self-regulatory rules (e.g. statutes, codes of conduct, self-regulatory codes) which, in addition to the reputational damages, may result in sanctions imposed by national, foreign or supranational judicial or administrative authorities, including restrictive and disqualifying measures (e.g. suspension or cessation of activity, prohibition to contract with the Public Administration, inclusion in black lists, disqualification, etc.) capable of jeopardising business continuity as well as generating significant economic and financial losses.

In this context, the International Compliance Program identifies General Control Standards, Areas of Compliance, Areas at Risk and Specific Standards of Conduct in order to provide the Recipients with a standard set of rules aimed at preventing the Company’s liability.

All Foreign Companies are solely responsible for preventing the risk of crimes within their organisation. All Foreign Companies are obliged, to the extent deemed necessary and appropriate, to introduce any control measures, as well as to supplement, adopt or develop the principles and indications set out in this document.

In addition, all Foreign Companies are in any case required to identify further Areas of Compliance, Areas at Risk and Specific Standards of Conduct attributable to their own operating context and local regulations of reference, and to adopt, where necessary, further prevention and control tools to address the specific risks identified, also in implementation of the Group’s regulations.

The provisions contained in the International Compliance Program are supplemented by those contained in:

• the Group Code of Ethics;
• the Group Anti-Corruption Policy and Corporate Anti-Corruption Management Models;
• the Group Sanction Policy;
• the Group Antitrust Compliance Programme;
• the Group Data Protection Framework;
• the Group Tax Strategy;
• the Rules for the internal management and external communication of inside information and for the handling of confidential information.

• Ferrovie dello Stato Italiane SpA
• FS International SpA and FS Logistix SpA
• Foreign Companies belonging to FS Italiane Group³

This document is a direction and coordination measure. In compliance with their prerogatives of autonomy and independence, FS International SpA, FS Logistix and the Foreign Subsidiaries⁴ adopt this document and ensure the correct and constant application of what has been defined, the maximum dissemination thereof internally and the relative implementation control, in compliance with the confidentiality obligations and the prerogatives of autonomy and independence of each Company.

• Direct applicability

• Preparation and updating of the International Compliance Program.
• Promotion, together with competent corporate structures, of information and communication campaigns aimed at ensuring knowledge of the Program, with the support of FS International SpA Human Resources.
• Provision of periodical information to Top Management and control bodies, concerning adoption of the Program, with the help of FS International SpA Human Resources.

• Monitors the state of adoption of the Program by the Foreign Companies, interacting with competent corporate structures.
• Supports FS SpA Compliance in providing periodical information to Top Management and control bodies regarding adoption of the Program.
• Supports FS SpA Compliance and competent structures in promoting campaigns to ensure awareness of the Program.

• Assesses the adequacy of the Program in relation to the business environment and local regulations.
• Identifies further Areas of Compliance, Areas at Risk and/or Specific Standards of Conduct; assesses adoption/update of further tools to address specific risks, also implementing Group regulations.
• Supports competent corporate structures in defining and/or updating internal regulatory documents in relation to the Areas of Compliance.
• Promotes, with competent structures, specific training, information and communication campaigns aimed at ensuring awareness of the Program.
• Ensures reporting on the status of adoption of the Program within periodic information flows to Top Management and Control Bodies, per the Group Compliance Model.

a) Corruption crimes

b) Other crimes against Public Administrations

c) Accounting fraud

d) Tax crimes

e) Organised crime

f) Financing of terrorism and so-called money laundering crimes

g) Market abuse

h) Crimes against individuals

i) Health and safety crimes

j) Environmental crimes

k) Computer crimes

l) Copyright crimes

m) Smuggling

n) Crimes against cultural heritage

The list above, as well as the Areas at Risk and related Specific Standards of Conduct identified in the attached document, are the starting point for Foreign Companies to carry out a local assessment (Risk Assessment) and evaluate necessary organisational documents (Gap Analysis).

The Foreign Companies’ Compliance structures (or Focal Point Compliance) are responsible for monitoring the adequacy of and compliance with the Program, including:

• Assessing the adequacy of the Program relative to context and local regulations.
• Identifying additional Areas of Compliance, Areas at Risk and/or Specific Standards of Conduct and assessing adoption/update of organisational documents to address specific risks.
• Supporting competent corporate structures in defining/updating documents in relation to the Areas of Compliance.

FS International SpA Human Resources monitors the state of adoption by Foreign Companies.

As part of the periodic information flows envisaged by the Group Compliance Model, the Foreign Company Compliance structure (or Focal Point Compliance) provides information to Top Management and Control Bodies regarding the state of adoption of the International Compliance Program. FS SpA Compliance, with the help of FS International SpA Human Resources, provides periodical information to FS’s Top Management and control bodies on the adoption of the Program within the Group.

FS SpA and all Foreign Companies promote awareness of the content of the Program. Foreign Companies plan and manage training activities on the contents of the Program and any additional tools envisaged to address specific risks, and monitor participation of all personnel concerned.

In line with best practices, training must be real-life-scenario-based, measured on practical cases of possible violations and the conduct to be adopted to ensure compliance, including instructions for identifying and managing red flags. Participation in training is mandatory. The Program must be made available via internal (Intranet) and external (website) channels. Principles and content are brought to the knowledge of Third Parties by means of contractual clauses that bind the counterparty to comply with the provisions directly applicable to it.

Violation of the Program by Group Company personnel may result in disciplinary sanctions according to measures defined by each Company. Violation by Third Parties of the principles or provisions of the Program may result, based on specific assessments by the concerned Group Company, in the non-establishment or termination of contractual relations.

Signed by Mario Antonio Scino

Area at Risk: areas/activities in which the risk of commission of the offences identified in the Areas of Compliance may be more specifically considered.

Areas of Compliance: categories of offences whose prevention in the FS Group should be prioritised in order to manage its business with honesty and integrity.

Foreign Subsidiary or Foreign Company: foreign companies controlled by FS SpA pursuant to Article 2359(1)(1,2) of the Italian Civil Code.

FS Italiane Group or FS Group or Group: FS and its subsidiaries, within the meaning of Article 2359 of the Italian Civil Code.

FS SpA or the Holding Company: Ferrovie dello Stato Italiane SpA.

General Control Standards: general control standards that must be adopted by each Foreign Subsidiary in order to allow for the sound, proper and coherent management of business.

Recipients: members of the Corporate Bodies and of the Supervisory Board, employees and any kind of collaborators of FS Group Foreign Companies and Third Parties.

Specific Standards of Conduct: minimum standards of conduct to be followed by all Foreign Subsidiaries in relation to each Area at Risk.

Third Parties: all those who have contractual relationships with FS Group’s Foreign Companies (e.g. suppliers, business partners, consultants and commercial promoters, auditors, etc.), whether on a temporary or permanent basis.

• Segregation of duties and responsibilities: ensure segregation between execution, control and authorisation, including IT user profiling aligned to delegated/proxy powers.
• Roles and responsibilities: formalise internal regulations describing tasks, responsibilities and operating methods.
• Delegated and proxy powers system: define a system that assigns autonomy, representation and spending limits consistent with organisational position and level.
• Traceability and storage: ensure traceability and verifiability of activities and controls with adequate documentary/IT support and compliant storage.
• Impartiality and absence of conflicts of interest: act professionally and impartially, avoiding and promptly reporting any potential conflicts.
• Correct management of relations with Third Parties: verify reliability/reputation/suitability; require contractual adherence to Program principles; verify services rendered and appropriateness of disbursements.

Corruption crimes

For the definition of Corruption Crimes, identification of Areas at Risk and Specific Standards of Conduct, please refer to FS Group Anti-Corruption Policy.

Other crimes against Public Administrations

These crimes mainly concern fraud against public bodies (e.g. improper public financing/subsidies/tenders) via false or deceptive representations and misuse of funds.

Areas at Risk: (a) participation in and (b) performance of public procurement and concessions; (c) applications for public funds/subsidies/guarantees; (d) management of such funding; (e) managing relations with public authorities (e.g. HSE, personnel, taxes).

Specific Standards of Conduct: maintain relations by formally delegated/authorised structures; refrain from inaccurate/false information; do not misuse public funds; avoid reticent/deceptive behaviour that may mislead public parties.

Accounting fraud

Intentional manipulation of financial statements to misrepresent the economic and financial position (e.g. overstating revenues/assets, omitting expenses, understating liabilities).

Areas at Risk: (a) drafting documents for shareholders/public; (b) accounting records; (c) monetary and financial flows; (d) relations with external auditors.

Specific Standards of Conduct: do not represent/transmit false or incomplete data; do not omit or alter relevant data; do not obstruct control/audit activities; ensure every operation is promptly and correctly recorded and supported by adequate documentation for truthful, complete and transparent accounts.

Tax crimes

Examples include issuing documents for non-existent transactions, false returns, intentional reductions using fictitious documents, and obstructing Tax Authority Officers.

Areas at Risk: corporate taxation; accounting records and tax documentation; invoicing; data for financial statements; tax returns; settlement and payment of taxes.

Specific Standards of Conduct: comply with applicable tax provisions; adopt utmost caution; ensure correct determination/reporting of tax burden; maintain complete/transparent books; monitor deadlines/changes; provide regular training.

Organised crime

Stable associations or organised groups committing multiple crimes for profit.

Areas at Risk: HR selection/management; selection of economic operators; relations with Third Parties; extraordinary corporate/financial transactions and liquidity use; investments and joint ventures/partnerships.

Specific Standards of Conduct: refrain from relations/donations where Third Parties are suspected of organised crime; comply with transparent selection processes; use traceable banking channels; authorise and record operations; monitor financial flows; perform counterparty checks including presence on reference/black lists.

Financing of terrorism and money laundering

Terrorist financing involves provision/collection of funds to support terrorist acts/organisations. Money laundering includes conversion/transfer, concealment/disguise, and acquisition/possession/use of property known to be illicit.

Areas at Risk: relationships with operators/partners in high-risk/non-cooperative jurisdictions; management of monetary/financial flows.

Specific Standards of Conduct: use banking system and require traceable payments; use payment instruments appropriately; maintain updated counterparty data; refrain from business with known/suspected criminal persons; authorise, verify and record operations (including extraordinary); ensure correct accounting; constantly monitor cash flows; define and implement controls and governance for company cards; perform thorough counterparty checks and list screenings.

Market abuse

Behaviours include insider dealing, unlawful disclosure of inside information, dissemination of false information, and sham transactions to affect prices.

Areas at Risk: (a) public disclosures/relations with investors/analysts/media; (b) management of inside information; (c) drafting public accounting documents/prospectuses; (d) transactions in portfolio instruments.

Specific Standards of Conduct: refrain from disclosing inside information (unless legally required), recommending/inducing trades on inside information, disseminating false/misleading data, or executing transactions that generate false signals.

Crimes against individuals

Includes exploitation in recruitment/employment and violations of respect for people and human rights.

Areas at Risk: (a) HR selection/recruitment/management (working hours, pay, H&S, conditions); (b) activities involving Third-Party labour, especially where rights are insufficiently protected.

Specific Standards of Conduct: verify legal compliance in recruitment and employment; require operators/subcontractors to comply with international/local labour laws; verify counterparties’ reputation/reliability; protect dignity and provide safe workplaces; ensure respect for human rights and differences.

Health and safety crimes

Failure to comply with applicable laws and workplace standards to prevent accidents/illnesses.

Areas at Risk: compliance with applicable health and safety regulations.

Specific Standards of Conduct: adopt and effectively implement an OHS management system; prioritise legal compliance; eliminate or minimise risks; perform risk assessments; inform contractors of on-site risks; monitor/analyse incidents; train employees; verify application/effectiveness of procedures; allocate resources for compliance and continuous improvement.

Environmental crimes

Unlawful acts that damage the environment (e.g. waste management, emissions, harmful substances).

Areas at Risk: compliance with environmental laws (design/construction/operation/maintenance); selection of Third Parties for environmentally impactful activities.

Specific Standards of Conduct: assess risks and develop prevention programmes; establish procedures per law; promote awareness and lawful operations; adopt means to prevent damage to the ecosystem.

Computer crimes

Crimes targeting or facilitated by IT systems (e.g. unauthorised intrusion, malware, data interception, system interruption, fraud).

Areas at Risk: use of IT tools; protection of devices; definition of physical/logical security (incl. classification, admin profiles); network security and crypto/defence.

Specific Standards of Conduct: ensure lawful access/processing; monitor activities per local law; raise awareness/training; enforce IT security management, physical security, separation of duties in change management; implement disaster recovery; respect IP rights; implement authentication; protect against spam/malware; filter irrelevant/prohibited sites; revoke access upon role change/termination; deploy advanced monitoring and logs; run periodic audits and security tests/simulations.

Copyright crimes

Unauthorised use of copyrighted/intellectual property-protected works.

Areas at Risk: software installation/use/reproduction; use of texts/images/music/videos; IP management (trademarks, patents, designs).

Specific Standards of Conduct: prevent unlawful use or public dissemination; avoid circumvention of rights; prohibit illegal downloads without contracts; include compliance clauses in contracts with external contractors.

Smuggling

Illegal import/export to evade customs provisions/duties.

Areas at Risk: customs compliance management; payment of duties and document delivery; selection of suppliers and contract management; warehouse management.

Specific Standards of Conduct: ensure strict regulatory compliance; define operational procedures for customs operations and monitoring.

Crimes against cultural heritage

Crimes concerning cultural heritage as a collective legal asset (e.g. theft/misappropriation, illegal circulation, forgery, concealment of illicit origin, destruction/deterioration/defacement/unlawful use).

Areas at Risk: management of cultural heritage, movable and immovable.

Specific Standards of Conduct: comply with protection regulations and set appropriate controls; fulfil regulatory obligations including acquisition/circulation; monitor acquisition phases and verify provenance with necessary certifications/authorisations.

_{^{1 Where adopted by the Company. The model was published in its first edition under the name “Anti-Bribery & Corruption Management System” (Group Directive No. 247 P/AD of 23/02/2018 and corresponding company documents). In accordance with its unique characteristics, Anas SpA and QMU SpA have adopted their own voluntary Organisation and Management Model on anti-corruption and transparency.}}

_{^{2 Examples include: Italian Legislative Decree 231/2001; Borsa Italiana Corporate Governance Code; US Federal Sentencing Guidelines; US FCPA; UK Bribery Act; OECD Guidance; US DOJ FCPA Resource Guide; DOJ Evaluation of Corporate Compliance Programs; UNODC Practical Guide; FATF Recommendations; EU AML/CTF Regulations.}}

_{^{3 “Foreign Companies belonging to FS Italiane Group” stands for the foreign companies controlled by FS SpA pursuant to Article 2359(1)(1,2) of the Italian Civil Code.}}

_{^{4 The Foreign Companies adopt the regulated principles in compliance with the legal system applicable to that Company’s registered office.}}