Pursuant to Legislative Decree No. 231/2001, the Anti Bribery&Corruption Management System, the FS Group's Code of Ethics, laws or regulations, Rete Ferroviaria Italiana S.p.A. has adopted a process for receiving, analysing and processing reports (including anonymous reports) on Rete Ferroviaria Italiana S.p.A. (hereinafter the “Company”) submitted by Third Parties or by FS Group's employees, to help prevent any unlawful acts, irregularities or conduct in breach of the Organisational, Management and Control Model.

The process complies with the regulatory changes introduced by Legislative Decree No. 24 of 10 March 2023 implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of whistleblowers who report violations of European Union law and on provisions concerning the protection of whistleblowers who report violations of national laws (so-called “Whistleblowing Decree”).

The process for managing reports is an integral part of the RFI S.p.A. Organisation, Management and Control Model pursuant to Legislative Decree No. 231/2001.

RFI S.p.A. has a dedicated platform available to web users, which is the preferred channel for sending reports.

Who can make a report?

The following people can make a report:

• employees, self-employed workers, contractors, volunteers and trainees, including non-paid persons, who work for the companies;

• workers or collaborators working for entities that supply goods or services or perform work for third parties; freelance professionals and consultants working for the Companies; shareholders and company employees with administrative, management, control, supervisory or representative duties.

These individuals report information on violations they have become aware of as part of their working environment.

Reports can also be made:

a) even if the employment relationship has not yet begun, if the information on violations was acquired during the recruitment process or in other pre-contractual stages;

b) during the probationary period;

c) after the termination of the employment relationship if the information on violations was acquired in the course of that relationship.

RFI S.p.A. prefers that the identity of the whistleblower, whose confidentiality is guaranteed in compliance with the legislation in force, be made clear in the reports, to facilitate verification of the facts reported and to inform the whistleblower on the results of the investigations conducted. However, anonymous reports are also accepted.

What to report?

Information on violations with regard to facts (of any nature whatsoever, including mere omissions), attributable to FS Italiane Group Employees or Third Parties, which may represent:

1. violations of the corporate 231 Model and the procedures implementing it and/or of the Company’s Anti-Corruption Policy and Anti Bribery&Corruption management system (hereinafter the “ABC system”) and/or the Code of Ethics and/or the Company’s internal regulations and/or in any case likely to result in detriment or damage, even if only in terms of image or reputation, to the FS Italiane Group;

2. administrative, accounting, civil or criminal offences;

3. unlawful conduct pursuant to Legislative Decree No. 231 of 8 June 2001;

4. offences covered by European Union legislation and the national provisions implementing it;

5. acts or omissions detrimental to the financial interests of the European Union;

6. acts or omissions affecting the internal market (e.g. competition and state aid violations);

7. acts or misconduct that undermine the object or purpose of the European Union acts.

Reports must relate to facts about which the whistleblower has knowledge, where the whistleblower has reasonable ground to consider that the information reported is true at the time of the report.

Reports must be made promptly in relation to the knowledge of the facts so as to make it practically possible to verify them.

Complaints, claims or requests related to a personal interest of the whistleblower that relate exclusively to his/her individual employment relationship, or concerning his/her relationship with hierarchically superior figures, are not considered whistleblowing reports.

▶ Internal reporting channels

Reports can be sent through: i) the IT platform that can be accessed from the corporate website and the corporate intranet; ii) e-mail to the dedicated e-mail addresses; iii) ordinary mail to the corporate bodies responsible for handling the report; iv) verbally, by means of a statement issued by the whistleblower at a designated hearing. A dedicated telephone line/voice messaging system is currently being implemented.

The IT platform is the preferred means for sending and handling reports, as it is best suited to ensure that the Whistleblower's identity is kept confidential and that adequate information security measures are ensured.

The platform can be used to:

• send a report;

• modify or update a sent report;

• consult the status of a sent report;

• receive feedback on any follow-up to the report.

The platform allows to:

1. separate the whistleblower's identification data from the content of the report, providing for the adoption of codes replacing the identification data, so that the report can be processed anonymously;

2. keep the content of the report confidential throughout the entire report management phase, allowing access only to authorised persons;

3. adopt secure protocols for transporting data over the network as well as the use of encryption means for the content of the report and any attached documentation;

4. interact with the whistleblower, guaranteeing his or her anonymity.

▶ External Reports and Public Disclosure

Legislative Decree No. 24/2023 provides for the possibility of making external reports to the National Anti-Corruption Authority (ANAC) and public disclosures of violations in the cases expressly provided for by the regulation. External reporting to the ANAC is permitted only in the following cases:

• if the internal reporting channel is not active or if it does not comply with legal requirements;

• if the internal reporting channel is not active or if it does not comply with legal requirements;

• in cases where the Whistleblower has reasonable grounds to believe that, if he/she were to make an internal report, it would not be effectively followed up or that it might lead to a risk of retaliation;

• if the whistleblower has reasonable grounds to believe that the violation may constitute a clear or imminent danger to the public interest.

In compliance with the legal provisions, RFI S.p.A. guarantees that the whistleblower’s identity is kept confidential from the time when the report is received, and prohibits (and sanctions to the extent permitted by its powers and faculties) any direct or indirect retaliation or discrimination and misconduct towards the whistleblower as a result of the report, including omissions, even attempted or threatened, or actions targeting third parties associated with the whistleblower, such as relatives, colleagues, legal entities owned by or for which the whistleblowers work, that work for or with the FS Italiane Group.

To ensure that retaliation is not practised against the whistleblower, even after the report has been made, the whistleblower's work situation is monitored for a period of two years from the date of the report.

Individuals in any capacity involved in the management of reports are required, to the extent provided for by law, to maintain confidentiality on the existence and content of the report received and on the activity carried out in this regard, and guarantee the confidentiality of the whistleblower's identity in accordance with the provisions of the applicable legislation.

The whistleblower is given acknowledgement of receipt of the report within 7 days from the date of receipt. The whistleblower is also informed of the outcome of the investigation into the matter.

The Company protects the rights of Involved Persons, primarily by ensuring, so as to guarantee appropriate confidentiality, that any disclosure relating to their identity strictly follows the “need to know” criterion (the principle whereby a person is authorised to access certain information only if necessary - and to the extent necessary - for the performance of the activities falling within his or her remit according to the tasks assigned to him or her by the company).

The Involved Person is informed of the existence and content of the report and receives a copy of it, excluding reference to the Whistleblower's identity, which may not in any case be disclosed to the Involved Person, except in the cases expressly provided for by law.

The Involved Person is entitled to be informed of the results of the investigation. After due consideration, the information to the Involved Person may be delayed or not provided in whole or in part if it becomes necessary to withhold proceedings by public authorities, or it is reasonable to assume that the confidentiality of the Whistleblower's identity, which is protected by law, may be at risk by providing the information.

Reports are addressed to the Company's Ethics Committee and/or the Supervisory Board. The Supervisory Board handles reports of violations or attempted violations of the Company's Model 231 and/or its implementing procedures or violations of the Code of Ethics that have or may have relevance pursuant to Legislative Decree No. 231/2001. The company's Internal Audit Department is in charge of investigations, aimed at ascertaining whether or not the reported facts are well-founded.

As part of the reporting process, personal data is processed in compliance with the relevant regulations (EU Regulation 679/2016 and Legislative Decree 196/2003, as amended by Legislative Decree 101/2018). Information on the processing of personal data can be found below.