4. Governance impacts
This section covers the effects, risks, opportunities, governance, strategies, actions, and results of Deloitte's identified material governance impacts (refer to page 122 for a summary of our material impacts). The ultimate responsibility for the topics in this section of the report rests with our Chief Quality & Risk Officer.
4.1 Quality of services
We are committed to maintaining the highest standards of quality in our audit and advisory service delivery and through our people. Our focus on quality is not merely a policy but a core value that drives our operations and interactions with clients and other stakeholders. This commitment is reflected in our strategic initiative 'Steward Quality and Trust' which is underpinned by our strong roots in the industries and our position as undisputed leader in the market.
Key results
Material impacts, risks and opportunities
In our Double Materiality Assessment as published on pages 117-123, we have identified the following material IROs for Quality:
- Positive impact / Risk: Quality as an enabler of making an impact through our services;
- Positive impact on the policy and regulatory landscape, through thought leadership, informed responses to consultations and transparent dialogue with regulators and lawmakers;
- Risk: Failure to deliver high quality services can lead to major economic damage and fines, and ultimately, to a loss of social trust in our firm;
- Opportunity: High quality services enable the generation of more business and becoming the preferred supplier of professional services to our clients.
Our related activities contribute to the following SDGs:

Governance
Our ambition is to be the undisputed leader in professional services. The governance on quality is therefore integral to our system of quality control which incorporates the international quality management standard ISQM1.
The importance of quality is anchored in the role of the Chief Quality and Risk Officer (CQRO), who is a member of our Executive Board. The Quality, Integrity and Risk Committee, as a subcommittee of our Supervisory Board, plays a critical role in overseeing the quality and risk activities initiated by the Executive Board.
The primary responsibility for safeguarding the quality of our service delivery lies with our Engagement Partners, who oversee their teams and the professionals directly involved in the service delivery to clients. The second line of responsibility is established through the CQRO in conjunction with the Risk and Reputation Leader (RRL) and the Business Risk Leaders, who ensure that appropriate risk management frameworks are in place.
Additionally, our Internal Audit Function conducts third-line controls to provide independent assurance that our quality standards are being upheld. This multi-tiered governance structure promotes a culture of accountability and continuous improvement throughout the organisation.
Our governance is supported by robust policies and procedures to ensure high quality service delivery and compliance with all applicable legislation. This is all reflected in our common Engagement Approach, which showcases the various checks and balances we have in place in our engagement life cycle. This approach ensures that every engagement is subject to rigorous scrutiny, with multiple layers of review and oversight to mitigate risks and uphold our quality standards.
Policies
To safeguard the quality of our services, Deloitte maintains policies in, among others, the following areas:
- Independence;
- Engagement acceptance and risk classification;
- Engagement continuance and risk assessment;
- Consultations;
- Quality assurance;
- Portfolio risk review;
- Member firm practice reviews.
These policies are implemented on the level of Deloitte Netherlands and are tailored to the specific needs of our businesses. Jointly, they address the material IROs included on page 170.
Engagement Approach
Activities 2024/2025
In 2024/2025, we maintained our broad range of quality initiatives and further enhanced our system of quality control, for example through the completion of our common storefront modernisation, increased NSE integration and enhanced risk reporting.
Common Storefront
We completed the implementation of our new common storefront enabling us to better serve our clients through further alignment of our business model and capabilities.
NSE Integration
Increased integration of selected service offerings at NSE level enhances the consistency in service delivery and enables us to further align risk mitigating strategies and risk appetite. Delivery Excellence through NSE service offerings is adjusting the focus to meet changing needs of the business, and has resulted in a number of our key processes having NSE-wide participation: Solution Review Board (SRB), Deal Review Board (DRB) and Quality & Assurance (QA).
Risk & Reputation Executive and enhanced risk reporting
This year, the Reputation & Risk Executive was established. This Executive is chaired by our CQRO and includes representatives from Legal, Public Policy, Ethics and RRL. One of the first initiatives from this Executive was a redesign of the monthly reporting to capture trends and themes that can affect our current risk exposure (horizon scanning). All the Businesses and relevant Enabling Functions (e.g. Independence, Talent, Transformation Office) have a responsibility to inform this report, ensuring a robust and holistic view on emerging topics and developments that are relevant to our organisation. This enables us to actively implement risk mitigating measures where needed.
Through these initiatives, we reaffirm our unwavering commitment to quality, which is essential for sustaining trust and delivering exceptional value to our clients and stakeholders.
Results
Progress on our ongoing focus on quality is measured based on a set of strategic performance indicators, e.g. Regulatory reviews score, Client satisfaction, and the Net promoter score (NPS).
Table 21: Satisfactory regulatory reviews as a percentage of all regulatory reviews issued and communicated in the reporting year
| | 2024/2025 | 2023/2024 | 2022/2023 |
|---|---|---|---|
| Satisfactory | 100% | 97% | 100% |
Table 22: Client satisfaction score
| | 2024/2025 | 2023/2024 | 2022/2023 |
|---|---|---|---|
| Client satisfaction | 84 | 87 | 85 |
The client satisfaction score is based on post-engagement questionnaires that are sent out at the discretion of the engagement manager or partner in 24% of engagements (also see Basis of reporting).
As from 2024/2025, we report client satisfaction on a scale from 1-100 rather than from 1-10. As a consequence, we have multiplied the data for 2022/2023 and 2023/2024 by a factor of 10.
Table 23: Net promoter score as measured by Client Service Assessments
| | 2024/2025 | 2023/2024 | 2022/2023 |
|---|---|---|---|
| Net Promoter Score | 54 | 39 | 75 |
Responsible Business Committee
Deloitte has robust procedures for client and engagement acceptance. Our acceptance procedures include background checks and risk identification and mitigation. These procedures are designed to prevent Deloitte working for clients or accepting engagements that potentially can jeopardise our shared values and principles, compliance with laws and regulations, reputation or purpose.
In addition to these procedures, in recent years, the Responsible Business Committee (RBC) in Deloitte NL provides an extra layer of cross-business dialogue in cases where client and/or engagement acceptance matters potentially have a significant public interest or purpose factor. Anyone within Deloitte can escalate a specific scenario to the RBC and the RBC seeks to provide guidance and support to NL teams in applying and executing our Shared Values and Global Principles. It provides assurance that the opportunities we accept serve our purpose and that the right level of public interest consideration is given to the client and engagement acceptance, thus upholding the trust of our people, clients, regulators and the general public.
As Deloitte NL, we are an integrated part of a global (DTTL) and a regional (NSE) partnership. This means that we are sometimes in a position where we lead engagements and have engagement teams working at clients in different geographies, including geographies that are culturally different from ours, and sometimes also with a different perspective on public interest and responsible business practices. As such, from time to time the RBC is called on to provide input to associated client and engagement acceptance matters. It is important to understand and accept cultural differences but also to feel a sufficient level of comfort when using our expertise for clients who are located in such geographies. By having a dialogue on dilemmas, involving subject matter experts when necessary, the RBC acts as an important independent safeguard in our acceptance process. In addition, we maintain a right for individual employees to refuse to work on engagements that contradict their personal values and beliefs.
4.2 Ethics and integrity
Building and maintaining a culture of ethics and integrity is a top priority at Deloitte. Our ethics programme aims to foster trust, both in our professions and among our professionals. We are committed to strengthening our reputation and relationships with stakeholders while actively minimizing ethical risks. Each day, we work alongside our professionals to support them in making sound professional choices.
Key results
Material impacts, risks and opportunities
In our Double Materiality Assessment as published on pages 117-123, we have identified the following material IROs for Ethics and integrity:
- Positive impact on employees of an effective whistleblowing policy, encouraging the reporting of unethical practices which could otherwise harm our reputation and relationships;
- Positive impact on employees of an ethical corporate culture, through increased motivation, innovation, talent attraction and job satisfaction;
- Positive impact on society by role modelling ethical corporate culture / good governance, demonstrating that this can enhance corporate reputation, relationships and value;
- Positive impact of Deloitte audit and assurance services that verify or advise on compliance and anti-corruption approach of institutions and companies;
- Positive impact on society of role modelling strong anti-corruption policies, demonstrating that this can enhance corporate reputation, relationships and value;
- Positive impact / risk / opportunity: Level of trust in the integrity of our profession and among our professionals;
- Positive impact / opportunity: Strengthening our reputation and relationships with stakeholders through integrity;
- Risk: Damage to our reputation as a result of unethical behaviour by our professionals;
- Opportunity: Help our people make the best professional choices;
- Opportunity: To attract and retain the best talent by role modelling an ethical corporate culture.
Our related activities contribute to the following SDGs:

Governance
The ethics team brings a diverse palette of specialisations and educational backgrounds to the table, in order to accommodate the changing demography of reporters and implicated persons. The team members address and resolve ethical reports, consult on complex issues, and serve as a moral compass for anyone who feels ethically conflicted. The Ethics Leader and team members continuously work on increasing understanding and awareness of ethics and related topics with the leadership (partners/directors), providing structural ethics onboarding programmes and supporting ethical dialogue.
Besides the Ethics Leader, the ethics team consists of a Deputy Ethics Officer and three ethics team members. In addition, an independent investigator is available upon request to support the Ethics Leader and ethics team. The ethics team actively engages in North South Europe (NSE) ethics programmes and initiatives to ensure the consistent implementation of an ethics strategy throughout NSE. On a quarterly basis, the NL Ethics Leader reports on ethics issues, trends and the progress of the ethics programme to the Executive Board and Supervisory Board. The Ethics Leader and team regularly have a place at the table with other parties, like the Health Case Managers and the Heads of HR Advisory, to share perspectives.
The five confidential counsellors (three internal and two external) operate on behalf of the individual reporting the matter and are trained to offer a listening ear, discuss potential next steps, and navigate the complexities of sensitive situations with confidentiality as required by law.
Ten ethics ambassadors (partners and directors) in our businesses help to broaden the scope of the ethics programme, acting as a linking pin between the business and the ethics team, and promoting our core values at a business level. The ethics team works closely together with the ethics ambassadors to develop knowledge and capabilities, exchange experiences and insights and build awareness.
All resources mentioned above can be used for reporting purposes, as well as for our digital and optionally anonymous Speak Up portal: a 24/7 reporting system, run by an independent party.
Policies
To promote ethical behaviour and ensure compliance with prevailing anti-corruption regulations, Deloitte maintains the following policies:
- NSE Code of Conduct (to address IROs 1, 2, 3, 6, 7, 8, 9, 10 as included on pages 173-174);
- NSE Anti-discrimination and anti-harassment policy (to address IROs 2, 6, 7, 8, 9, 10);
- NSE Non-retaliation policy (to address IROs 1, 2, 3, 6, 7, 10);
- Alcohol & drugs policy (to address IROs 2, 6, 8, 9, 10);
- Social media policy (to address IROs 2, 6, 8, 9, 10);
- Deloitte Netherlands complaints procedure (to address IROs 3, 7, 10);
- NSE Anti-bribery and corruption policy (to address IROs 2, 5, 6, 7, 8, 9, 10).
Our NSE Code of Conduct reflects our DTTL Shared Values and Global Principles of Business Conduct, which are essential to our reputation and continued success. These principles are woven into the fabric of our operations, and are top of mind in the way we serve clients, manage our businesses, collaborate as teams, and impact society at large. The Code of Conduct references all pertinent ethics policies, for example our Anti-discrimination and anti-harassment policy, which underscores our commitment to providing a respectful and inclusive working environment. We aim to create a space that is free from harassment, sexual harassment, and discrimination, ensuring that each person is treated with courtesy, dignity, and respect, and that there are equal opportunities for all to succeed.
Additionally, the Non-retaliation policy is designed to protect individuals who report concerns or violations related to ethical conduct, laws or company policies. This policy reinforces the commitment to fostering an open and transparent workplace where employees can voice concerns without fear of reprisal. This policy is of paramount importance, and we are committed to ensuring that all colleagues are familiar with it. To achieve this, we share real-life ethics stories that illustrate how the policy is applied in practice, making it more relatable and understandable for everyone.
The Familial and personal relationships policy is brought to the attention of all to make people aware of the consequences of having a familial or personal relationship within the company. It mandates the disclosure of personal relationships with other individuals associated with Deloitte to prevent conflicts of interest that could affect confidentiality, morale, or our culture of inclusiveness.
Lastly, references are also made to the Anti-bribery & corruption policy, underscoring our firm stance against all forms of corruption. It explicitly states that it is unacceptable for any Deloitte personnel to engage in acts of bribery, including soliciting, accepting, offering, promising, or paying bribes.
Deloitte Shared Values
Activities in 2024/2025
Ethics survey
Outcomes of the 2024/2025 ethics survey and the ethics case trends invite us to: a) have a pro-active focus by addressing root causes, taking preventive measures, and providing information and support; b) maintain the general awareness of ethics and focus on visibility of and trust in our ethics team and process; c) continue our efforts to promote ethical dialogue and provide guidance to uphold ethical standards.
Key findings of our recent 2024/2025 ethics survey, conducted in June 2024, are:
- A still high, but slightly downward trending, percentage of 96% in the belief that Deloitte is an ethical place to work;
- There is more knowledge on where to report possible unethical conduct, compared to previous years. The awareness of our ethics programmes, reporting channels, and policies has increased significantly, especially among people with a tenure of 0-3 years;
- The belief that people exhibiting ethical leadership are recognized for it has slightly increased. Also, more people are aware that it is their responsibility to report unethical behaviour;
- The trust that an independent investigation will take place and appropriate action will be taken slightly decreased;
- We see that the number of people indicating to have observed/experienced unethical conduct is slowly rising, which is in line with our upward trend in number of ethics reports. This trend is supported by a strong and stable belief that individuals can report unethical conduct without fear of retaliation, emphasising our commitment to creating a safe and supportive environment for raising concerns.
However, it is important to acknowledge that some respondents indicated they have experienced retaliation after reporting. This feedback highlights the need for us to continue refining our efforts and reinforces our dedication to fostering an ethical workplace, ensuring that everyone feels empowered to speak up.
In light of the key findings from our most recent ethics survey, it is clear that we need to continue to address the slight downward trend in the perception that Deloitte is an ethical place to work, as well as the decreased trust in our process of independent investigations. Additionally, the experiences shared by some respondents who reported retaliation after speaking up, underscore the critical need for us to concentrate our efforts on these areas.
As mentioned above, the upward trend in the number of ethics reports continues. This indicates higher visibility and accessibility of our ethical support channels, encouraging individuals to speak up in the face of unwanted behaviours. We have invested considerable effort in training, including e-learning and in-classroom sessions tailored for various groups, and have enhanced our communications to encourage our people to speak up.
However, we must also recognise the increased pressures on the organisation due to current economic challenges, as well as the complex political landscapes and polarisation that may affect our reporting statistics. As we move forward, it is essential that we remain vigilant and responsive to these challenges while continuing to strengthen our ethical culture.
The findings provide us with a valuable opportunity to enhance our efforts and reinforce our commitment to fostering an ethical workplace. We are dedicated to continuous improvement and will persist in our focus on supporting our colleagues, ensuring that everyone feels empowered to contribute to a culture of integrity.
To further this commitment, ethics is also a crucial component of the monthly reporting process, which is overseen by the newly established Reputation & Risk Executive. Chaired by our Chief Quality and Risk Officer (CQRO), this Executive includes representatives from Legal, Public Policy, and Risk and Reputation Leadership (RRL), as well as our Ethics Leader. One of its initial initiatives is to redesign the reporting framework to better capture trends and themes that may influence our risk exposure. By incorporating the Ethics perspective into this reporting framework, we strive to uphold our ethical standards.
Ethics Risk Assessment
In January 2025, the annual ethics Risk Assessment for the Netherlands was conducted as an integral part of the NSE Risk Assessment. This process involved collaborative discussions with our Business Risk Leaders, the Ethics Leader, some young professionals, and the Risk and Reputation Leader. Both the December 2023 and January 2025 Ethics Risk Assessments identified an overall 'medium risk' profile for the Netherlands and involved collaborative discussions with key stakeholders. Specifically, six risk scenarios were categorised as 'medium' risk and four scenarios as 'low' risk.
Among the medium risks identified, we recognise the importance of encouraging open reporting of ethical concerns, as some individuals may hesitate to raise issues. Additionally, we must be mindful of the potential pressures that employees might feel to compromise ethical standards in pursuit of business objectives. It is essential that we actively promote our Shared Values and foster an inclusive culture to support our efforts in attracting and retaining a diverse workforce.
In our hybrid working environment, we need to ensure that our professionals, particularly new joiners and contractors, are fully engaged with Deloitte's Culture and Shared Values. We also acknowledge the role of leadership in setting the right example; consistent modelling of ethical behaviour is crucial for reinforcing our commitment to the Global Code. Lastly, as we integrate AI into our processes, we must remain vigilant to ensure that its use aligns with relevant guidelines, helping us to navigate potential ethical and compliance considerations effectively.
Our Ethics Learning activities
This year, we successfully hosted the ongoing Leading with Integrity workshop for 47 Partners. This workshop focused on reinforcing the fundamental role that ethical leadership plays in our organisation, encouraging participants to embody our shared values in their decision-making processes. Additionally, our Ethical Leadership Masterclass attracted 140 Directors, providing them with critical insights into ethical leadership practices. These sessions emphasised the importance of setting the right tone from the top and fostering an environment where ethical considerations are at the forefront of business decisions.
To ensure that our new joiners are imbued with our commitment to ethics from day one, we conducted 24 Ethics & Integrity onboarding sessions across our five business units in 2024/2025. These sessions serve as an essential introduction to the ethical framework that underpins our operations and culture.
Our innovative Dilemma Season 1 e-learning series confronts participants with real-life scenarios that prompt critical thinking and ethical decision-making, ensuring that our colleagues are well-prepared to uphold our Deloitte shared values. The e-learning was also hosted face-to-face in our offices, including Amsterdam and Rotterdam.
As we move forward, we remain committed to enhancing our learning initiatives and maintaining our status as a leader in ethical business practices. Through ongoing education and open discussion, we will continue to strengthen our ethical foundation and support our professionals in navigating the complexities of today's business environment.
Results
Table 24: Incidents: number of reported occurrences
| | 2024/2025 | 2023/2024 | 2022/2023 |
|---|---|---|---|
| Professional conduct | 16 | 14 | 13 |
| Fair treatment or inequality | 97 | 105 | 85 |
| Discrimination | 12 | 5 | N/A |
| Harassment and sexual harassment | 26 | 24 | 29 |
| Corruption | 0 | 0 | 0 |
| Other or inquiry | 45 | 33 | 8 |
In 2024/2025, the ethics team received and processed a total of 196 reports, an increase from the 181 reports received in 2023/2024. It is important to understand that these 196 unique reports include instances where multiple reports have been submitted regarding the same issue. Specifically, there were ten cases that were reported more than once, resulting in an additional 24 reports being added to the total count. This increasing complexity of cases contributes to the occurrence of multiple reports on the same issues. To clarify, if we exclude these duplicate reports from the 196 total, we can identify that there were effectively 172 unique cases reported. Factors contributing to the duplicates include reports being submitted through various ethics resources, multiple individuals reporting the same situation, and Confidential Counsellors supporting several individuals related to a single report.
The upward trend is influenced by several factors: heightened media focus on integrity issues encourages reporting, increased economic pressures have heightened challenges among leaders and professionals, and our Confidential Counsellors, to whom over 40% of the cases are reported, play a crucial role in providing a trusted channel for concerns. While the rise in case numbers may initially seem concerning, it ultimately reflects our commitment to transparency and integrity within our organisation. We remain dedicated to strengthening our reporting mechanisms, ensuring that every voice is heard and respected.
By the end of 2024/2025, 168 out of 196 investigations had been finalised. Of these cases, 26% were concluded as (partially) substantiated, resulting in appropriate measures being implemented. Notably, in half of the finalised cases, only advisory measures were provided. The majority of these reports were managed by our Confidential Counsellors. Other cases were not ethics-related and were either referred to relevant departments, such as Talent or our Businesses, or could not be investigated due to insufficient information.
In 2024/2025, no incidents of corruption were reported through our internal reporting systems. In parallel, no legal cases were brought forward implicating Deloitte in any (alleged) incident of corruption.
Our efforts are aimed at reducing unethical behaviour as much as we reasonably can. In this respect, we encourage our people to report any unethical behaviour that they observe or experience, as we would rather see overreporting than underreporting. For this reason, we do not believe that Ethics & integrity is suitable for defining quantitative targets.
Anti-corruption has always been part of Deloitte’s ethical principles. We are against corruption in all its forms, and we are committed to staying compliant with all relevant laws and regulations, both in spirit and intent. This aligns with Deloitte’s values, purpose and public interest commitment.
At Deloitte, we recognise the profound impact of corruption on global commerce, economic stability and trust in financial systems. Upholding the principles of honesty, transparency and accountability, we stand unwavering in our commitment to anti-corruption in all its forms.
Our fully implemented and comprehensive Anti-Corruption Framework consists of seven different elements that mitigate the risk of corruption within Deloitte and support our employees and partners with guidelines to report corruption if needed. These elements include:
- Governance;
- Policies, procedures and guidelines;
- Training & communication;
- Risk assessment, testing & monitoring;
- Third party due diligence;
- Consultation and incident response; and
- Investigations, for which we have the ethics reporting channels in place.
It is evident that we ensure rigorous compliance with both local and international regulations, including the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. We have also woven anti-corruption measures into the very fabric of our operations, from client onboarding to ongoing project execution.
The anti-corruption programme strategy and objectives are determined by our Anti-Corruption Committee and the progress of our operational plan is regularly discussed within this committee. Together with our Reputation & Risk Leader, the Committee is responsible for actively overseeing the anti-corruption programme.
Every two years, a mandatory Financial Crime e-learning is launched to remind our partners and employees of expectations related to anti-corruption and financial crime compliance, how to identify potential corruption and financial crime risks, and how to address these risks. Additionally, all new joiners who start during the year receive an invitation to the mandatory Financial Crime e-learning course at the time they commence their employment. At the end of 2024/2025, the completion rate of this Financial Crime e-learning training was more than 98.7%. Compliance by Supervisory Board, Executive Board and Executive Committee members with the training requirement amounted to 100%.
Going forward, we will continue to maintain and align within the three crime pillars to enhance full compliance with all regulatory and other requirements.
Therefore, in the past year our organisation has continued to strengthen its commitment to combating financial crime, focusing on anti-corruption, trade controls, and anti-money laundering initiatives. This commitment is vital for safeguarding our integrity, protecting our stakeholders, and ensuring compliance with regulatory requirements.
4.3 Data security and privacy
Key results
Material impacts, risks and opportunities
In our Double Materiality Assessment as published on pages 117-123, we have identified the following material IROs for Data security and privacy:
- Risk: Data breaches can harm our clients and our reputation as a trusted business partner, leading to significant monetary fines and loss of revenues;
- Risk of legal, reputational, and financial consequences due to non-compliance with data protection legislation and/or inadequate protection of client information;
- Risk of legal, reputational, and financial consequences due to non-compliance with data protection legislation and/or inadequate protection of employees' personal information;
- Opportunity: Helping clients to identify and manage their data, infrastructure and cyber risks;
- Positive impact on society, building societal trust by providing value chain employees the same effective policies on privacy provided to core employees;
- Positive impact: Level of trust from our clients that their data is secure with us.
Our related activities contribute to the following SDGs:

Governance
Our Risk & Reputation Leadership Office (RRL) is committed to maintaining the quality of governing policies and procedures, with the credo “Protecting the Brand” in any possible way. The RRL Office has several areas of expertise and focuses mainly on risk management and compliance. Every area of expertise is responsible for maintaining, coordinating and communicating its policies, such as Engagement Opportunity Screening, Ethics, General Data Protection Regulation (GDPR), ISO standards, the cybersecurity compliance framework SOC2, and the EU Artificial Intelligence Act compliance.
These policies, frameworks & principles are applicable to all Deloitte colleagues and the services that we offer to our clients.
The RRL Confidentiality, Privacy & Security Office is charged with compliance with the principles and regulations regarding Data and Privacy. This office operates under the responsibility of our Reputation & Risk Leader.
Policies
To achieve a high level of data security and compliance with prevailing privacy legislation, Deloitte maintains the following policies:
- Deloitte Talent privacy policy (addresses IROs 3 and 5 as included on page 178);
- Deloitte Privacy statement for business relations (addresses IROs 2, 5 and 6);
- NL - Integrated security policy and generic implementing rules (addresses IROs 1-3);
- Acceptable use policy, Compliance and auditing policy, Security policy, Data classification & handling policy, Data privacy policy, Logical access security policy, Systems management policy, Personnel security policy, Physical security policy, Incident and crisis management policy, Business continuity management policy, Travel risk management policy (address IROs 1-3).
In order to safeguard and address Deloitte’s privacy compliance, strategy and governance, several policies are in place and maintained, such as our privacy policy, which is maintained by Deloitte’s Internal Privacy Office that operates on behalf of our RRL Office.
The Privacy Office is, among other responsibilities, tasked with examining privacy aspects of processes and systems through our internal Data Privacy Impact Assessment (DPIA). In addition, Deloitte has appointed Privacy and Cyber Champions both within our business and in our Support Organisation. These champions are trained to be the first line of defence in the organisation concerning privacy and confidentiality aspects that arise within the business. By making use of Privacy and Cyber Champions, Deloitte creates privacy and security awareness within the organisation. Having the Privacy and Cyber Champions as the first line, the Privacy Office as the second line, the Data Protection Officer as the third line of defence, and a robust internal audit Member Firm Standard programme in place, enables Deloitte to operate in a privacy and GDPR compliant manner.
New Global tools and vendors go through an extensive Data Risk Assessment Service (DRAS) to provide NSE privacy and confidentiality subject matter experts (SMEs) all the information needed for their approval or rejection. Local software tools and vendors are assessed through the Global Technology Operating Model (GTOM) process, meaning all relevant SMEs will review the application in one meeting from a privacy, security and IT perspective. This way Deloitte only cooperates with vendors that ensure the same level of data protection and confidentiality as Deloitte.
New assets that Deloitte develops for clients are subject to the Certify to Sell process which also includes privacy, confidentiality and security assessments. Moreover, to ensure employees operate in a privacy and confidentiality minded manner, privacy and security awareness is at the top of Deloitte’s training agenda. This is reflected in the “Secure the Future” privacy & security training that all employees must complete.
Deloitte Group Support Center is ISO/IEC 27001:2022 (Information security) certified. Conformity with this standard means that we have put an information security management system (ISMS) in place to manage risks related to the security of data owned or handled by Deloitte, and that this system respects all the best practices and principles enshrined in this International Standard.
Deloitte follows a well-defined data breach procedure in order to adequately address any data breach.
Deloitte Netherlands is also ISO/IEC 22301 certified (Security & resilience). This is the international standard for Business Continuity Management (BCM). This framework helps us to prevent, prepare for, react to and recover from disruptive incidents.
Activities in 2024/2025
As an emerging technology trend, the world has noticed the potential of GenAI such as OpenAI's ChatGPT. This global development will have an impact on our way of working and service delivery. Throughout the reporting year, the RRL Confidentiality, Privacy & Security Office contributed to Deloitte’s trustworthy AI framework as our AI initiatives require adherence to the EU AI Act. The principles described in the EU AI Act are woven into our Trustworthy AI framework.
With a continuous development and improvement mindset, the RRL Confidentiality, Privacy & Security Office maintains the privacy policy and the Record of Processing Activities (RoPA), and increases the robustness of the Privacy Champions framework and data protection.
We are maintaining the ISO/IEC 27001:2022 and ISO/IEC 22301 controls and are currently preparing for the upcoming NIS2 (incident reporting) and DORA (digital operational resilience) directives.
We continue to investigate other emerging technologies like Quantum Encryption to determine how these technologies will impact our data security and are looking into the maturity of post-quantum encryption algorithms.
Results
Despite our efforts, in 2024/2025, 65 incidents were internally reported, of which 34 concerned personal data incidents. We received one complaint from one data subject regarding a privacy breach at a vendor who is engaged by Deloitte. We notified five personal data breaches to the supervisory authority in conformity with the legal requirements of the ‘Wet meldplicht datalekken’ (Law on mandatory reporting of data leaks).
Although our efforts are aimed at reducing the number of data and privacy incidents to the absolute minimum, we do not believe this topic to be suitable for defining quantitative targets. We continually evaluate and adapt our approach on the basis of our ISO certification, compliance assessments and outcome of our investigations into incidents.