Organisational culture, integrity and compliance

Corporate culture

NS aspires to be an organisation characterised by an open and safe corporate culture where professional integrity is a matter of course. We attach great importance to results-oriented working practices that are consistent with the norms and values to which we have committed ourselves. To this end, we approach the risks and issues surrounding integrity and compliance in a controlled and balanced manner.

The conduct of NS’s employees and the choices they make in their work are crucial to the integrity of the company. We promote a culture of openness and accountability and our awareness-raising activities in this area are ongoing. We also launched the 'NS for each other' campaign in December 2024, which aims to combat inappropriate behaviour.

Our Code of Conduct forms the basis for the professional conduct of all NS employees, helping them to make the right decisions and deliberate choices in a variety of sometimes difficult situations. The Code of Conduct has been approved by the Executive Board and is available to employees on the intranet. Employees complete online training on the NS Code of Conduct at least once every three years.

The Code of Conduct also forms the basis for handling integrity reports and investigations. The Code is consistent with the relevant OECD guidelines and with the Dutch Corporate Governance Code. This means that there are also safeguards within NS for the protection of human rights. Based on the Code, we have formulated policies on specific themes such as conflicts of interests, competition, information protection, the fight against corruption and fraud. Furthermore, we operate a national programme to improve workplace behaviours and combat harassment and racism, among other things. The NS Code of Conduct serves as the guiding document for this programme. In addition, NS has a planning and control system in place that helps to ensure integrity and compliance risks and issues within the organisation remain visible and manageable.

Governance and integrity

The operational departments within NS are responsible for ensuring ethical business practices. Our Integrity department supports efforts to encourage desired behaviour, regulatory compliance and observance of the NS Code of Conduct. Issues are submitted to confidential advisers within NS, if and to the extent permitted by confidentiality rules. To escalate integrity issues, the Integrity department also has a direct line of communication with the Chief Executive Officer of NS and with the Supervisory Board.
NS has an Integrity Committee, whose members include the Directors of HR, Legal, Security and Risk. This committee assesses new integrity policies and provides advice on integrity issues.

Advice and information for employees

On the Integrity Portal on the intranet, employees can find information about integrity and NS’s policy in this regard. In addition, employees are welcome to submit concrete issues and dilemmas to the Integrity department. They can ask questions by email or by telephone. The department advises employees about possible solutions and actions. In 2024, the department answered 291 questions (2023: 218).

Integrity Desk and NS Integrity Issues Reporting Scheme

In autumn 2023, NS revamped its reporting scheme to comply with the Whistleblowers Protection Act. This new NS scheme is called the Integrity Issues Reporting Scheme.

The Integrity Issues Reporting Scheme (including whistleblower reporting) ensures that:

• NS employees can report any irregularities or suspected irregularities;

• NS handles reports with due care and confidentiality;

• employees are not adversely affected by having made a report.

Employees have several options for reporting integrity issues or abuses (anonymously or otherwise): via the Integrity Desk, via a special app, by email, by telephone or in a one-on-one conversation. An integrity violation report may result in a recommendation to the person who reported the issue, and to the managers involved, on any subsequent steps or measures. It may also be decided to ask NS Security to conduct an independent fact-finding investigation, with NS taking measures based on the outcomes. A total of 99 integrity violation reports were received in 2024 (2023: 99). Of all finalised reports in 2024, 17% were wholly or partially upheld.
Employees may seek support from one of NS’s confidential advisers if they want to report an integrity violation (or for other reasons). This option was used 187 times in 2024 (2023: 151). External stakeholders can report issues to NS via a special desk. This option was used five times in 2024. Critical issues with potential company-wide impact are reported to the Executive Board quarterly by numbers and categories. There is also a line of escalation to the CEO.

Compliance 

NS is committed to conducting its business with integrity and transparency. As a state-owned company, we must also set a good example. That is why we make sure we are 'compliant', in other words that we carefully observe laws and regulations. NS is bound by a complex set of laws and regulations. For example, we must comply with external requirements imposed by national and European authorities. These range from the Railways Act and the main rail network concession to laws and regulations in many sub-areas. Examples include safety, customers, competition, working conditions, tendering procedures, IT, spatial planning and sustainability. In addition, we apply numerous internal rules and requirements such as the Collective Labour Agreement, Code of Conduct, terms and conditions of purchase and the train driver's manual.

Governance 

Primary responsibility for compliant working practices rests with the NS business units themselves. In this context, they are able to draw on the knowledge and advice of teams and departments that have extensive knowledge of compliancy: NS Legal, NS Integrity and QHSE. The Risk & Compliance department supervises compliance at NS and reports on its findings to the Executive Board and the Supervisory Board. 

Vision, implementation and monitoring 

NS has a company-wide vision for compliance, which lists the main challenges and priorities for compliant working. Based on this vision, fraud management was expanded in 2024 and two programmes were launched to prepare NS for new legislation in the areas of sustainability (CSRD) and cyber security (NIS 2). Discussing sustainability (CSRD) within the Supervisory Board and RAC increases members' knowledge and skills.
We also use compliance standards and performance indicators in implementation, including for competition, tendering procedures, privacy and safety. We also provide training courses within the organisation to keep employees’ knowledge of legislation and regulations up to date. 
To maintain an overview and enable us to take corrective measures, the Risk & Compliance department draws up NS-wide compliance reports. These reports set out the main risks and challenges for NS, plus an overview of relevant KPIs. 

Privacy 

For NS, the need to handle our passengers’ and employees’ personal data carefully is self-evident. To remain compliant with privacy legislation, NS has set up a privacy structure and governance arrangement. We also constantly seek to train our employees in and raise their awareness of the importance of privacy. We do this through channels such as e-learning modules, training courses and newsletters. Last year we once again appointed ‘privacy champions’: employees who, in addition to their regular work, answer questions and serve as the eyes and ears of the Privacy Office within their business units. In late 2024, there were 101 active privacy champions within NS (2023: 96). Together with the Data Protection Officer and Privacy Officers, these privacy champions make up the privacy function within NS.

Privacy by design 

Effective and careful data processing starts with privacy by design. This means that we recognise the need to protect the privacy of data subjects right from the initial design phase of a product or service. We also carry out assessments in which we check the impact of data protection. This allows us to identify risks to data subjects and take measures to manage those risks at an early stage.