Atea Group and Each of Its Subsidiaries to to Take a Brief Online Self-Test Concerning the Compliance Website - Atea.Com/Trust

CODE OF CONDUCT FOR MORE INFORMATION – GO TO ATEA.COM/TRUST

Version 1.8 - published Oct 2019 ATEA CODE OF CONDUCT 2

LETTER FROM THE CEO: THE FOUNDATION OF OUR BUSINESS IS TRUST

Atea is a leading provider of information technology, with a clear relationships with our customers and technology partners. They vision and mission for success. Our company was founded in 1968, conduct themselves with the highest standards of integrity and at the start of the information technology revolution. Today we have respect for others. expanded to over 7,000 employees across 87 cities in the Nordic and Baltic regions, and continue to break new growth records The nature of our business means that Atea is a highly visible every year. company and is held accountable for the actions and decisions of every employee. For this reason, our continued success is dependent Our vision for Atea is to be “The Place to Be” – a center of gravity on all employees following a strong code of ethical and professional for IT professionals where customers, employees and partners conduct. Steinar Sønsteby collaborate on the most important IT challenges in our region. CEO In short – the foundation of Atea’s business is trust. Our mission is to “Build the Future with IT”. We believe that information technology, combined with knowledge and creativity, can Trust at Atea covers a wide area of behavior. Trust means that we transform productivity and living standards across society. It is with are open and honest in how we communicate, but maintain privacy this purpose that we set out to build a company to be the market and confidentiality when the situation requires. Trust means that we leader in IT infrastructure across the Nordic and Baltic regions. comply with the policies of our organization and with relevant laws. Trust means that we treat one another with respect, so that every Atea designs, implements and operates IT infrastructure solutions one can contribute to the best of their abilities. Trust means that for the largest and most vital organizations in our regions. Most of we seek to make a positive impact on society and the environment our sales are to national and local government agencies, including when taking decisions or acting on behalf of Atea. Trust means that highly sensitive customers such as the military and police. We also we ask questions, express concerns and seek advice when we face provide mission-critical IT solutions to the biggest corporations in a difficult situation and are unsure how to respond. our regions. At Atea, trust is also a two-way street. As an Atea employee, you can Our success in winning these customers is based on the competence rely on the fact that your trust will be returned in kind, and that the and professionalism of our entire organization. Atea employees company will listen to any concerns you may have about workplace take responsibility for their work commitments and build trusting issues. You can feel secure that there will be no retaliation if you ATEA CODE OF CONDUCT 3

report your concerns in good faith. If you are facing a challenging Finally, if you have a concern which you wish to report anonymously, situation at work involving conduct, business ethics or compliance, you can submit a report to the Whistleblower Hotline. A link to the we want to know and help. We promise to listen and respond as Whistleblower hotline can also be found on the Atea compliance necessary to uphold our Code of Conduct. website: atea.com/trust. Concerns reported to the Whistleblower hotline are sent to an independent law firm, who will summarize and The Code of Conduct provides standards for business practices report your concern to the appropriate level of the Atea organization. at Atea to help guide conduct and decision making for all Atea employees. The Code of Conduct is not exhaustive, and there will For over 50 years, Atea has built its business by earning the be many situations where you wish to discuss or report a workplace trust of its customers and partners, and creating an environment issue. If you are facing a difficult situation at work, you should first where talented professionals can collaborate, learn and grow. With speak with your direct manager or HR manager in the region in everyone’s support for this Code of Conduct, we will continue to which you work. They are the ones who are closest to your issue and successfully build our business on this foundation for the next 50 are most able to quickly respond with direct assistance and support. years.

If you do not feel comfortable raising an issue with your local Thank you for your contribution to Atea, and for making our company managers or if you seek additional guidance, the Atea compliance “The Place to Be”. organization is also available to hear and address any concerns or questions you may have. The Atea compliance website - atea.com/trust - provides all contact information if you wish to escalate an issue to your national and group compliance officers. The website also provides additional reference information directly relevant to the Code of Conduct.

ATEA CODE OF CONDUCT 4

Code of Conduct

1. Introduction 5 2. Personal conduct 6 3. Anti-corruption 8 4. Internal control 10

Supplemental Documents: a. Crisis Management Plan 12 b. Authority Matrix 15 ATEA CODE OF CONDUCT 5

1. INTRODUCTION

The Code of Conduct is the foundation of how we work at Atea. It provides a summary of the values, ethical guidelines and basic rules which govern our conduct and decision making. It sets the principles with which Atea employees act toward each other and toward outside stakeholders.

1.1. Employee Responsibilities In order to ensure that all employees understand the employee can escalate their concern to ethics in a confidential manner to an independent It is the personal responsibility of every employee the Code of Conduct, employees are required the compliance organization through Atea’s third party with legal skills outside of their local of the Atea group and each of its subsidiaries to to take a brief online self-test concerning the compliance website - atea.com/trust. The Atea organization and management structure. review, sign and follow the Code of Conduct. This main provisions of the Code. Upon successful compliance website provides contact information responsibility to abide by the Code of Conduct completion of the self-test, the employee may for the compliance organization, including the Reports submitted to the to the Whistleblower also pertains to all who act on behalf of the electronically sign the Code of Conduct. This Compliance Officer of each national organization Hotline are handled discretely and confidentially company, including contracted consultants. electronic signature will be returned to the HR and the Group Compliance Officer. by a law firm Atea has entered into agreement function of each national organization for record- with, with total anonymity for the reporter. The Any violation of the Code of Conduct will not be keeping. It is the responsibility of line managers to The role of the Compliance Officers is to counsel law firm no other business with Atea, aside from tolerated, and may lead to internal disciplinary ensure that their employees review, successfully employees on matters related to the Code of the whistleblower function. The law firm will measures, notice, dismissal, or – in the event of complete the self-test, and then sign the Code Conduct, relevant laws, and business ethics, and follow up on whistleblower reports discretely and illegal behavior – criminal prosecution. Failure by of Conduct. to govern that the organization remains compliant confidentially with relevant persons in the Atea an employee to report a violation of the Code of with the Code of Conduct. The Group Compliance organization. Conduct is itself a breach of the Code. 1.2. Raising issues or concerns Officer can also be reached by email at the If an Atea employee seeks additional guidance following address: [email protected]. Atea will not tolerate retaliation against anyone The Code of Conduct is not meant to be regarding a challenging business, legal or ethical who in good faith reports a concern about exhaustive, and there may be situations where situation, or is concerned about a potential If the employee is concerned about a potential conduct within Atea. A good faith report is one this code does not provide explicit guidance. For violation of the Code of Conduct, law, or business violation of Code of Conduct or law and wishes that an employee believes to be true and not with example, employees of Atea must always comply ethics by another Atea employee, the employee to communicate this anonymously, the employee the aim of harming others. An employee does with applicable laws and regulations, even if these should first discuss the situation with their direct can submit a report to the Whistleblower Hotline. not have to know all the facts before reporting a laws are not expressly stated in the Code of manager. A link to the whistleblower hotline can be found on concern, as long as the employee reports their Conduct. In situations where the Code or law does the Atea compliance website. The function of the concern in good faith. not provide clear guidance, the employee should If the manager does not provide a satisfactory whistleblower hotline is to provide employees with exercise good judgement consistent with the response, or if the employee is not comfortable the opportunity to raise concerns about potential business ethics promoted by the Code. in discussing the topic with their direct manager, violations of the Code of Conduct, law or business ATEA CODE OF CONDUCT 6

2. PERSONAL CONDUCT

The personal conduct of every Atea employee Our success as a company is dependent on open disability, sexual orientation, marital status, age of employment or contractual relationship with shapes the work culture and defines our reputation and honest communication, and a dedication or political conviction. Atea for as long as the information is considered as a company. A common commitment to ethical from all team members to do the right thing. We to be of a sensitive nature or in any other way behavior, inclusiveness and sustainability is commit ourselves to upholding the trust placed Atea personnel are committed to fair and confidential. essential for us to pursue our vision of being in us by others. We reject unethical or illegal busi- respectful treatment of all employees or other “The Place to Be”. ness practices. business associates with whom they interact. 2.4. Privacy Employees will base personnel-related decisions At Atea, we believe that all individuals have a right to By consistently demonstrating high standards All employees must comply with laws and solely on relevant qualifications such as perso- privacy, and we are committed to handling personal of ethics and integrity, we build trusting relation- regulations when acting on behalf of Atea. nal suitability, education, experience, results and data with due care. Personal data is defined as any ships – across Atea, and with our customers, Violations of laws and regulations will not be other professional criteria. information which can be referenced to a specific technology partners and investors. By conducting tolerated. and identifiable person. our business in a socially responsible manner, 2.3. Confidentiality we play a positive role in society at large. By 2.2. Diversity All Atea employees have a responsibility to safe Atea is subject to strict legal requirements when embracing diversity within our workforce, we At Atea, we appreciate that all people are uni- guard sensitive information relating to Atea, as handling personal data, as defined by the General ensure that the entire organization can contribute que and are to be respected for their individual well as its customers, partners and stakeholders. Data Protection Regulation (GDPR) of the to its full potential. talents. For this reason, we strive to attract a The duty of confidentiality is critical to building European Union. All Atea employees must diverse workforce and to create an inclusive work trust and strong relations with outside parties and understand the company’s requirements under 2.1. Integrity environment which allows everyone to contribute. across Atea. The principle of “need to know” shall the GDPR when handling personal data. These Our mission at Atea is to “Build the Future By embracing diversity, we open Atea to new ways always apply when handling sensitive information. requirements are summarized in the document with IT”. Atea employees are expected to of thinking, new skills and new opportunities. “Atea Global Information Security: Risk demonstrate the highest standards of integrity Atea employees shall exercise caution when Management Policies for Employees” which and professionalism when fulfilling their job Any form of harassment, discrimination or other discussing and handling information, to avoid can be found on the Atea compliance website: responsibilities. We are committed to listening behavior that may be perceived as threatening or this information being received by unauthorized atea.com/trust. to the needs of our clients and stakeholders, and degrading will not be tolerated. This includes – persons. If sensitive information is to be shared to delivering products and services to the best but is not limited to – discrimination on the basis with third parties, a written confidentiality When handling personal data, Atea must have of our competence. of gender, religion, national or ethnic origin, agreement should be in place. The duty of a process to notify the individual whose data cultural background, social affiliation, functional confidentiality also applies after the termination will be processed. Atea must have documented ATEA CODE OF CONDUCT 7

measures to protect personal data from breach. Due to the importance of data protection and Atea’s environmental initiatives are an integral The company must inform the data protection IT security issues at Atea, all employees are part of its operations. Atea employees actively authorities in the event of a serious data breach, required to have read the document “Atea Global promote sustainable IT solutions to customers and is subject to heavy potential penalties if it has Information Security: Risk Management Policies to minimize the negative impact of IT operations not managed personal data responsibly. for Employees” as part of their Code of Conduct on the environment. One such solution is Atea’s training. GoITLoop recycling program, which efficiently When Atea processes personal data on behalf collects its customers’ used IT hardware and of its clients – for example, when Atea provides 2.5. Sustainability processes this equipment for recycling and reuse. data center services to a client – Atea must have At Atea, financial and corporate sustainability a valid data processing agreement with the client. goals are not at odds with each other in growing All Atea employees have a role in supporting Atea’s Atea must also have a valid data processing a successful company. They are complementary. sustainability objectives, and are encouraged agreement with companies that process personal Together, they allow us to run a profitable to report opportunities to improve environmen- data on behalf of Atea – for example, when business while making a positive contribution to tal performance to the Compliance Officers. Atea uses cloud-based applications to process society. By promoting IT recycling and other “Green IT” personal data which are operated outside of Atea. programs externally, we offer our customers Atea is a member of the UN Global Compact solutions to meet their environmental targets. Based on the requirements of GDPR, it is critical (UNGC) and observes the Global Compact’s At the same time, we strive to reduce unnecessary that all processes involving personal data are 10 principles within Human Rights, Labor, waste and emissions internally at Atea. documented, and all internal applications and Environment, and Anti-corruption. Atea establishes contracts which involve personal data are sustainability objectives according to these identified. This information must be available to principles and reports its progress to the UNGC the Chief Information Security Officer of each each year. country. The Chief Information Security Officer of each country and of the Group can be found on the Atea Compliance website. ATEA CODE OF CONDUCT 8

3. ANTI-CORRUPTION

Atea believes in fair competition, and is firmly 3.1. Gifts and business courtesies should be especially cautious when dealing with When organizing or participating in events and opposed to all forms of corruption. Employees Atea employees must always exercise caution the public sector. Regardless of their value, gifts conferences, Atea employees must evaluate the should never offer or provide improper benefits when offering or accepting gifts and business and business courtesies must never be offered value of business courtesies which are offered to business contacts, government agencies or courtesies, including invitations to meals or or accepted if it could be perceived that the gift during the event. If these business courtesies other third parties in order to influence a business events. Gifts and business courtesies should only or business courtesy is offered in exchange for exceed the maximum level allowed under guide- decision or facilitate a legal/regulatory process. be offered or accepted when they are of modest influencing a business decision. lines for Atea or for the customer, the excess Nor should employees solicit improper benefits value and with limited frequency, and are in amount must be invoiced as a participant fee to as the basis for transactions with Atea. accordance with local practice and national If an Atea employee is offered or has accepted the recipient. guidelines within the Atea organization. gifts and business courtesies in excess of normal Corruption and bribery may consist of either tokens of appreciation, he should immediately Specific rules on events and conferences for each direct payments or indirect benefits, if the There are some differences in national guide- notify his immediate supervisor, who can decide country can be found on the intranet sites of each intention for granting the benefit is in exchange lines across the Atea geographies. For this with the local Compliance Officer whether the country. for influence over a business decision or legal/ reason, all Atea employees must read, under- employee’s integrity and independence may be regulatory process. Examples of indirect benefits stand, and follow the national guidelines in the perceived as being influenced. 3.3. Conflicts of interest may include sponsorships of favored organiza- countries in which they work. Atea employees will not seek to attain personal tions, donations to political groups, and excessive 3.2. Events and conferences benefits for themselves (or closely related spending on hospitality, travel and entertainment. When offering anything of value, including a All events involving customers or business persons) that may be perceived as a conflict This applies irrespective of whether the benefit meal or other courtesy, Atea employees should partners must have a clear business agenda. with the interests of Atea. Situations which may is offered from Atea or through an intermediary. understand whether the offer would violate any Business courtesies such as meals and result in a potential conflict of interest should be rules for professional conduct by the recipient. entertainment provided during the conference avoided. To ensure impartiality, Atea employees Atea employees must also avoid conflicts of If this is the case, the recipient’s rules apply and must be limited, and not overshadow the should not participate in decisions in which there interest between their work in Atea and their the offer should not be made. Atea employees business content. may be a conflict of interest. interactions with outside organizations. ATEA CODE OF CONDUCT 9

Conflicts of interest are not always obvious. If an investment in a company that competes with Atea All Atea employees must comply with competition employee becomes aware of a potential conflict or does business with Atea. (Investments of less and antitrust laws. This means that Atea employees of interest, or has questions about a conflict of than 5 % of the share capital in a listed company are prohibited from: interest, he should notify his superior immediately. are exempt from this requirement.) • being involved in any agreements, arrange- 3.4. Private interests in 3.5. Compliance with antitrust laws ments or practices that have as their object or other businesses and regulation effect to prevent, restrict or distort competition; Atea employees must avoid having personal Competition or antitrust laws are designed to • discussing pricing or other competitive interests – direct or indirect – in other businesses protect free and effective market competition. information with competitors, fixing prices or organizations if these may be perceived as Atea is committed to competing in a fair and with competitors or entering into any other negative to the employee’s relationship with Atea. ethical way, in compliance with the laws and arrangements with competitors that might regulations in the markets in which we operate. restrict free competition. An employee must inform and receive consent from his direct superior before undertaking Competition law prohibits companies from Employees involved in a private or public tender external duties or positions which may impact collaborating with competitors against the interest process must always comply with applicable tender the employee’s work at Atea (including Board of potential customers. This includes a range of regulations, and provide correct, transparent and positions with another company). prohibited activities including price fixing, sharing non-discriminatory data. of price information with competitors, restricting An employee must inform and receive consent the supply of goods or services, submitting false from his direct superior before undertaking an bids or tenders and dividing markets or territories. ATEA CODE OF CONDUCT 10

4. INTERNAL CONTROL

The market for IT infrastructure is evolving rap- 4.1. Authorization of transactions and stored electronically in the contract database. report on these transactions in its financial and idly, and Atea needs to continuously adapt and be All national organizations have a written Information regarding access to the contract legal statements. If any Atea employee becomes flexible in order to meet the needs of its customers. document that outlines which persons or levels database in each country can be found on the aware of transactions which have not been reported To succeed in this dynamic environment, Atea in the organization have the authority to intranet sites of each country. accurately, they should report this information believes in a decentralized approach to decision approve various types of transactions relating to immediately to their manager and if necessary, to making which empowers employees to solve personnel staffing, contracts, and cash Certain types of contracts will create additional the Compliance Officer. problems for customers on a local level. disbursements. compliance obligations. Contracts involving the processing of personal data require a supplemental 4.4. “Price sensitive information” Atea’s internal control routines enable the Group Transactions above a specific size must be data processing agreement, see Code of Conduct and Insider trading to execute strategy and operate in a coordinated approved by Group management, or by the 2.4. Other contracts may have restrictions which As a publicly traded company, Atea ASA is subject nature while providing employees the flexibility to Board of Directors. These maximum amounts are relevant for other stakeholders. to strict laws concerning the handling of sensitive make customer decisions on a local level. Internal allowed for approval at each level of the information which may have an impact on the controls ensure that Atea’s business processes organization are stated in the Authority Matrix It is the responsibility of the individual who signs share price of Atea ASA. are efficient and run within an acceptable level for the Atea Group. The Authority Matrix is or executes the agreement to ensure that any of risk, that Atea’s assets are safeguarded and provided as a supplemental document to the Code compliance obligations are met or are otherwise Sensitive information which is not generally known utilized, that financial information is correct and of Conduct and is available on the local intranet. notified to key stakeholders. in the market and may have an impact on the timely, and that laws, regulations and guidelines share price of Atea ASA is called “price-sensitive are followed. 4.2. Contract management 4.3. Reporting and disclosure information”. Employees holding price-sensitive Any contract or agreement which an Atea Atea’s financial and legal reporting shall comply information are subject to special legal require- Internal controls are the responsibility of employee enters on behalf of the company must with all applicable laws and regulations, and be ments on confidentiality, documentation, and management, but every employee must con- be registered and stored in electronic format in full, fair, accurate, timely and understandable. This restrictions on trading in the shares of Atea. tribute to ensure that these control routines are the contract database of the applicable country requires that all transactions are correctly reported Violation of these legal requirements is subject effective. Most control routines are of a highly or business unit. This includes all contracts with in accordance with local law and good accounting to prosecution under the Norwegian Securities operational nature, but the Code of Conduct customers, suppliers and business partners. practice. Trading Act. provides guidelines on major control routines within authorization and reporting of transactions, It is the responsibility of the individual who signs All Atea employees share a responsibility for Price-sensitive information may include infor- contract management, communications and or executes the agreement on behalf of Atea to registering transactions in a correct and properly mation on large new contracts which have been insider trading. ensure that the contract is correctly registered documented nature, so that Atea can accurately awarded to Atea, but which are not generally ATEA CODE OF CONDUCT 11

known to the public. The Group has set a policy Employees who are holding “price-sensitive • Abstain from trading in the financial instruments 4.5. Public communications that all new contracts with expected sales over information” must: of Atea ASA: Employees holding price- In order to ensure that public reporting on Atea NOK 350 million per year (approximately 1 % of sensitive information must abstain from trading is correct, consistent and reliable, only a limited Group revenue) are automatically considered • Register as an Atea “insider”: this involves in the financial instruments of Atea ASA, number of people are authorized to speak with price-sensitive information if the outcome of the contacting the Group CFO and providing including purchasing or selling Atea shares / news media. All queries from the media must be contract has not already been announced to the information on (1) what price-sensitive informa- bonds, and exercising Atea stock options. This referred to the country manager or local press public. The Group may decide to publish information tion the employee is holding, (2) when and how trading prevention does not prevent the normal contact. on new contracts below this size through a stock he received the price-sensitive information. exercise of option or future contracts which exchange notice as information to investors were previously entered into upon expiry of In principle, only the Group CEO, Group CFO and without the contract being considered price- Based on this information, Atea will such contracts. country managers are authorized to communicate sensitive information. register the case in the Computershare Insider with the media. Only the Group CEO and Group Management System “CIMS”. Once the case An Atea insider remains subject to the above CFO can comment on financial issues. However, Price-sensitive information may also include is registered, the insider has to confirm in the requirements until the price-sensitive information other people may be authorized to communicate information on Atea’s local financial performance system that they will comply with the insider is publicly available, or is otherwise no longer with media in specific cases. This must always be or operations, which has not been reported to rules described in this Code of Conduct. Atea considered to have an impact on the share price clarified with the country manager in advance. the public, but can significantly impact the overall ASA will maintain this information for at least of Atea ASA. All employees who have been financial performance of the Group. Furthermore, five years after the date in which the case registered as an Atea insider should receive a All price-sensitive information (defined in 4.4. price-sensitive information may include other is created or updated, and will provide this confirmation that they are no longer considered above) must first be disclosed to the Oslo Stock events or transactions which could impact Atea’s information to the Norwegian Financial an insider in Atea before assuming that they are Exchange in a stock exchange announcement financial performance and share price, such as Authority (Finanstilsynet) upon request. no longer subject to the above requirements. before it can be communicated externally or the acquisition of another company. internally to those who are not company insiders. • Keep price-sensitive information confidential: It is the duty of all employees to investigate All announcements to the Oslo Stock Exchange Determining whether sensitive information is Price-sensitive information cannot be whether they are holding price-sensitive are the responsibility of the Group CEO and Group price-sensitive information is not always clear. communicated to anyone who is not an Atea information before trading in the financial CFO. Employees which are holding sensitive information insider without the express consent of the instruments of Atea ASA. Employees which (for example, regarding a large contract) and Group CEO or Group CFO. If an Atea employee are uncertain whether they are holding price- In the event of an emergency or serious incident are uncertain whether this is “price-sensitive becomes aware that another person has sensitive information should contact the CFO of at Atea, the Group has a crisis management plan information” should contact the CFO of their local received price-sensitive information without their local organization. which includes policies on communication. The organization with the details of this information being registered as an insider, this must be crisis management plan is provided as a so that the specific situation may be evaluated. reported to the Group CFO immediately. supplemental document to the Code of Conduct. CODE OF CONDUCT: SUPPLEMENT A 12

CRISIS MANAGEMENT PLAN

1. Introduction Other crises (e.g., business, legal issues) 2. Organisation of responsibility The CEO must approve all information and Atea’s Code of Conduct provides guidelines for • Breach of laws and ethics (e.g., corruption, There are three levels of emergency response at media relations strategy in a crisis. The CEO is the conduct in the ordinary course of business. In the bribery, embezzlement) Atea. These are: spokesperson for Atea on a Group level, or on a event of an emergency or serious incident at Atea, • Serious disruption in operations country level if justified by the situation. additional governance routines are necessary for (e.g., data center) 1. Group level - Crisis management: Overall Atea management and employees to respond to • Strikes responsibility for all crisis management at Atea The CEO will appoint an assistant crisis mana- an unpredictable situation. 2. Country management level - Emergency ger to act as a supporting resource for the crisis A crisis may involve consequences such as loss response: Handling the crisis itself manager, and lead the crisis management on a The Emergency response plan provides the of life, health, value, reputation and/or stoppage 3. Local office level – Operational response: Group level when the CEO is not present. foundation for Atea’s emergency response and of day-to-day operations. Liaison/accident site function crisis management work. In case of emergency, 2.2 Country level - Emergency response the plan provides clear routines and procedures When an incident is so critical and serious that Critical incidents that are more physical in nature management which enable the organization to react in an ordinary management routines at Atea are must be managed locally. Other crises involving The Country manager holds tactical responsibility effective and coordinated manner. incapable of properly handling the situation, the business or reputational issues must initially be for dealing with crises at Atea in their respective emergency response organisation comes into handled at the country management level, with regions. When addressing a crisis, the Country 1.1 “Crisis” definition force. the support of regional offices. manager reports directly to the CEO or assistant A crisis is a serious, unwanted incident which falls crisis manager in the group management team. outside of the scope of regular operations. 1.2 Emergency response plan 2.1 Group level - Crisis management Atea’s Emergency response plan is available to all The CEO holds strategic responsibility for dealing All serious incidents must be reported to the Examples of scenarios which may lead to a “crisis” employees on the Atea intranet for each country with crises at Atea. Upon receiving notification of Country manager. Upon receiving notification of a include but are not limited to: in which Atea operates. a crisis, the CEO is responsible for mobilising the crisis, the Country manager must notify the CEO group-level strategic crisis management team. immediately. Based on the actual or potential Physical crises The Group Compliance committee is responsible scope of the incident, the Country manager works • Physical harm or threats to employees, for ensuring that the Emergency response plan is The CEO works in partnership with the country in partnership with the CEO to decide on which customers, partners or external consultants current and that necessary expertise regarding manager to determine which parts of the functions and resources are to be mobilised within • Fire or other accidents causing damage to the Emergency response plan exists across the organization should be mobilized in responding the emergency response management. Atea’s facilities country organizations. to the crisis. • Burglary or cybercrime CODE OF CONDUCT: SUPPLEMENT A 13

The Country manager should appoint the following • HR: If the crisis includes the company’s 3. Communications responsibility Emergency response management team within own employees and their relatives, HR is The Country manager will act as media spokes each country: responsible for the tactical handling of person in the event of a crisis. All country managers communication with employees, in partner- are required to complete training sessions in • Assistant emergency response manager: ship with the communications officer. media and communications. All public commu- The Assistant emergency response manager nications regarding the crisis must be approved acts as an additional resource for the Country • Other support functions: The Country by the CEO in coordination with the Country manager. The assistant emergency response Manager will add other support functions manager. manager must take minutes of meetings to (IT, administration/legal) to the Emergency address the crisis and will distribute these response team on an as-needed basis. If justified by the situation, the CEO may make a minutes as necessary until the crisis is resolved. statement in the media on behalf of the Group or 2.3 Local level - Operational management the local country. Strategic assessments should • Communications officer:The Communi Within each Atea office, the local manager holds be carried out if the CEO is to be the spokes cations officer must develop an information operational responsibility for dealing with crises at person. Three possibilities: strategy to deal with the crisis, in Atea. When addressing a crisis, the local manager coordination with the Country Manager and reports directly to the Country manager. The local • The CEO remains in the background during Emergency response management team. The manager may also appoint other support resources the initial phase of the crisis, until the case information strategy must be reviewed and on an as-needed basis. is clearer approved by the Group CEO. • The CEO comments on the seriousness of the matter initially and then takes a step back The Communications officer is responsible • The CEO is exposed as the primary source for ensuring the distribution of information, from the outset in coordination with HR and the central switchboard. CODE OF CONDUCT: SUPPLEMENT A 14

The emergency response system at Atea is illustrated as follows:

GROUP LEVEL – CRISIS MANAGEMENT Overall strategic responsibility for crisis management

CEO

Group Vice President Country manager Assistant crisis manager Emergency

Notification/collaboration/cooperation

COUNTRY LEVEL – EMERGENCY RESPONSE MANAGEMENT Tactical responsibility for dealing with crisis in each country SUPPORT FUNCTIONS (Included as a resource in tactical management) Country manager

Asst. emergency Communication HR Administration IT Legal response manager

Notification/collaboration/cooperation

LOCAL OFFICE LEVEL – OPERATIONAL RESPONSE Liason / accident site function

Local office manager, with additional support functions as needed CODE OF CONDUCT: SUPPLEMENT B 15

AUTHORITY MATRIX - ATEA GROUP

Limits represent maximum levels to be approved by each position, according to Group policy. Countries may set lower limits, as they choose. Amounts above specified levels are subject to Board approval. For customer frame agreements, the authorization limits stated below are the estimated value per year, unless otherwise specified.

Authorization limits (currency in thousand krone 1)) Local Group Group Local Local exec team Head of Employee/ Transactions Comment CEO CFO CEO CFO member department Sales staff

Customer Customer agreements: Agreements 2) Products 300,000 N/A 75,000 50,000 10,000 8,000 1,000 IT as a Service (Data Center outsourcing) Total Contract Value of sales agreement. Capex subject to separate approval (below). 300,000 N/A 75,000 50,000 10,000 8,000 - IT as a Service (Client outsourcing) Total Contract Value of sales agreement. Sublease loans subject to separate approval (below). 300,000 N/A 75,000 50,000 10,000 8,000 - Fixed Price consulting projects Total Contract Value of sales agreement. 300,000 N/A 75,000 50,000 10,000 8,000 - Time and Material consulting projects Total Contract Value of sales agreement. 300,000 N/A 75,000 50,000 10,000 8,000 1,000 Extended payment terms (e.g., >15/30 days) Approval from Local CEO or CFO + exec team member - - x x x - - Other deviation from standard terms Approval from Local CEO or CFO. May delegate specific authority (e.g., AOS) to other staff. - - x x - - - COGS Purchases directly associated with revenue Tied to revenue approval above, plus specific controls on low margin deals (locally defined) ------Opex/ Purchases within approved budgets 40,000 - 15,000 1,000 250 100 - purchases Purchases outside of approved budgets Requires Local CEO approval to spend in excess of budgets. 40,000 - 15,000 1,000 250 100 - (associated with ordinary Special purchases: operations) External consultants Same as other purchases + "managers manager" 40,000 - 15,000 1,000 250 100 - Marketing/Representation Same as other purchases + repr. > 1000 kr/pers to be apporoved by "managers manager" 40,000 - 5,000 1,000 250 100 - Major travel expenses (incl. conferences, training) Same as other purchases 40,000 - 5,000 1,000 250 100 - Inventory (buffer stock for warehouse) Special routine incl. head of procurement 40,000 - 15,000 1,000 250 100 - Personnel Staffing approvals (new positions) Local CEO on new positions, if temporary local HR (one of the local exec team members) - - x - - - - Salary & benefit changes Local exec team member (region director) if within approved FC - - - - x - - Promotions (mgmt employees) Local exec team member (region director) if within approved FC - - - - x - - Promotions (non-mgmt employees) Local exec team member (region director) if within approved FC - - - - x - - Capital Fixed assets (IT equipment, office furniture) If budgeted, then according to limits as follows. Otherwise, local CFO must also approve. 40,000 - 10,000 1,000 250 100 - Expenditure Systems and development projects If budgeted, then according to limits as follows. Otherwise, local CFO must also approve 40,000 - 10,000 1,000 250 100 - (investments) Customer specific investments If budgeted, then according to limits as follows. Otherwise, local CFO must also approve. 40,000 - 10,000 1,000 250 100 - M&A Acquisition/sale of enterprise Requires group CEO or Board. Divesture of dormant company can be approved by local CEO. 50,000 - x - - - - Disbursements Authority to disburse cash Dual approval required (basic control). - - - 30,000 - - - Credit note issuance 100,000 - 20,000 1,000 250 100 - Facility lease Lease of premises Must be approved by Group CEO, according to Board policy x ------Finance Loans/financing ATEA ASA CFO approval + execution by subsidiary Board. - x - - - - - Guarantees - x - - - - - Sale of assets Sale of assets (per sale) 15,000 - 5,000 1,000 - - - Sale of assets (per year) 50,000 - 10,000 1,000 - - -

1) All amounts can be converted to EUR by dividing by 10 Holding Norway Sweden Denmark Atea ASA Atea AS Atea AB Atea A/S Atea ASA Brynsalleen 2 Kronborgsgränd 1 Lautrupvang 6 Brynsalleen 2 Box 6472 Etterstad Box 18 DK-2750 Ballerup Box 6472 Etterstad NO-0605 Oslo SE-164 93 Kista +45 70 25 25 50 NO-0605 Oslo +47 22 09 50 00 +46 (0)8 477 47 00 O rg . n o 25 5114 8 4 +47 22 09 50 00 Org.no 976 239 997 Org.no 556448-0282 [email protected] Org.no 920 237 126 [email protected] [email protected] atea.dk [email protected] atea.no atea.se atea.com

Finland Lithuania Group Logistics Group Shared Services Atea Oy Atea Baltic UAB Atea Logistics AB Atea Global Services SIA Jaakonkatu 2 J. Rutkausko st. 6 Smedjegatan 12 Mukusalas Street 15 PL 39 LT-05132 Vilnius Box 159 LV-1004 Riga FI-01621 Vantaa +370 5 239 7899 SE-351 04 Växjö +371 67359600 + 358 (0)10 613 611 Org.no 300125003 +46 (0)470 77 16 00 Org.no 50203101431 Org.no 091 9156-0 [email protected] Org.no 556354-4690 [email protected] [email protected] atea.lt [email protected] ateaglobal.com atea.fi