Risk management

Business strategy and control

Our business strategy defines where we are headed as an organisation. Up to 2035, NS will focus on three main strategic goals:

providing a reliable service
offering an affordable product
and social engagement.

The risk strategy then determines how much risk and uncertainty we accept during this process (our risk appetite). It provides a framework for strategic choices and investment decisions. It also enables us to consciously deal with risks and uncertainties that may have a negative impact on the realisation of our strategic objectives.

Risk appetite

NS works with a risk appetite per risk theme. Every year, the Executive Board reviews and, if necessary, adjusts this risk appetite. The risk appetite remained largely the same for 2025 as 2024, except for reputation, where it was increased to neutral. The definitions we use here are:

We accept minimal risks in any decision, investment or business operation.
We accept limited risks when the potential benefit of a decision, investment or business operation is in reasonable proportion to the possible adverse consequences.
We accept increased risks in a decision, investment or business operation when the potential contribution to achieving strategic objectives, growth or value creation is also high.

Theme	Risk appetite
Safety	We accept minimal risks
Compliance	We accept minimal risks
Operations	We accept minimal risks
Finances	We accept minimal risks
Reputation	We accept limited risks
CSR	We accept increased risks

Risk management system

The main objectives of risk management are to ensure business continuity, support decision-making, comply with legal requirements, ensure our financial stability and protect our reputation.

NS has set up a risk management system for this purpose, based on the COSO/ERM framework that helps organisations manage risk to achieve their objectives. It provides a structured approach to identifying, assessing and controlling risk, whereby strategy, performance and risk are managed in an integrated manner. The system focuses on creating value and helps monitor efficiency, regulatory compliance, reliable reporting and the achievement of strategic objectives.

NS uses the three lines model:

The first line (line management) is directly responsible for controlling risks within its processes.
The second line, such as Risk & Compliance, supports and monitors this control.
The third line, NS Audit, carries out independent audits to make sure that the risk management system is working properly.

Risks and uncertainties are subject to both qualitative and quantitative analysis. In the business plan, strategic asset plans and rolling stock projects, quantitative models were set up and used to analyse the impact of risks and uncertainties. This gives NS a better idea of the reliability of plans, policy choices and risk provisions in projects, thus supporting the decision-making process.

NS also has a procedure for learning from incidents in order to continuously improve risk management.

The Executive Board reports on and renders account for the risk management and internal control system to the Supervisory Board after discussing it in the Risk and Audit Committee.

Recording and reporting

Significant risks were recorded in risk registers and estimated using a uniform NS risk matrix. The risk appetite has been translated into specific values in this risk matrix. NS reports the main risks for NS Reizigers, NS Stations and NS Group in quarterly reports. These are discussed by the Executive Board as part of the planning and control cycle.

In addition, safety risks, measures and actions to be implemented are recorded in the Safety Report and discussed on a quarterly basis during the safety consultation.

A Risk Report is also drawn up on a quarterly basis, which is discussed by the Executive Board and Supervisory Board. The report sets out the main risks and developments, as well as risk appetite themes and tolerances. Where values fall outside tolerances, consideration is given to what additional measures can be taken (at acceptable costs).

Risk reporting

NS faces strategic, external and internal risks. Key strategic/external risks:

For NS, losing parts of the main rail network as a result of the Trade and Industry Appeals Tribunal ruling on northern lines (slow trains) and order for reference on the award of the main rail network is a strategic risk. We continue to proactively take part in the deliberation process on what is best for the accessibility of the Netherlands and why NS has an important role to play.
Economic slowdown or recession resulting in a sharp drop in passenger kilometres. The concession includes a risk-sharing arrangement to accommodate significant dips in passenger kilometres.

In addition to these strategic/external risks, NS faces risks that directly affect its operations.

The risks specified are those that applied at the end of the reporting year. Global geopolitical developments and the associated uncertainty may have an impact on NS’s risk profile in the coming years.

The individual top risks have been scored (probability x impact) using the NS Risk Matrix and are explained in greater detail below. The more to the right the risk is positioned (from A to F), the more likely it is to materialise. The higher its position in the matrix (from 1 to 7), the greater its impact on NS’s objectives should the risk materialise. The colours show how each risk relates to NS’s risk appetite and at which level within NS any residual risk should be accepted if no further mitigating measures can be taken.

Key Top risks and scores:

1. Infrastructure E7
2. Costs E6
3. Rolling stock C6
4. Cyber C6
5. Revenue E5
6. Absences due to mental health issues C5
7. IT D4
8. Public safety D4
9. Staff C4

Key changes in the risk profile compared with 2024

The risk profile within the themes of operations, finance and safety remains high. The measures implemented in 2025 within the themes of reputation and CSR ensure a stable risk profile. In the coming year, the risk profile for the theme of compliance will increase due to new laws and regulations such as the Corporate Sustainability Reporting Directive (CSRD), the Cyber Security Act (Cbw) and Critical Entities Resilience Act (Wwke).

Operations: the biggest risk to operating the train service remains the infrastructure risk. This leads to inconvenience for train passengers and postponement of product steps. This is expected to increase in the coming years. NS is heavily reliant on ProRail in this respect. The risk of staff shortages has decreased, but the risk of rolling stock shortages remains high. We have also identified an increasing vulnerability of IT, which can lead to serious disruptions in core processes.
Finance: an inability to attract enough new passengers due to long-term working from home, more expensive train tickets and declining purchasing power remains a significant risk. Savings measures reduced costs, but on the other hand the cost of salaries, rolling stock, materials, components and financing increased in 2025. Although inflation has fallen, it is still above the desired 2% so this may still have an impact on cost levels in the coming years.
Safety: growing rudeness, aggression and polarisation in society affects passenger and staff safety and is increasingly shifting to train stations and causing unrest there. The number of incidents involving aggression rose slightly, but the number of injuries fell. Cyber-attacks were already high on the agenda, but geopolitical developments are further increasing this risk.

Explanation of top risks

Group risk	Development in 2025	Control measures
1. Infrastructure The risk of the inadequate quality or availability of infrastructure. 2025: E7 (dark red) 2024: E7 (dark red)	Infrastructure quality and availability were under huge pressure in 2025. Problems like temporary speed limits (TSL), track stability and safe usability increased. The number and duration of service interruptions increased as well, leading to full schedules and little scope for setbacks. Projects often experienced delays due to mounting ambitions, shortage of contractors, budget deficits and the implementation of ERTMS. Without a fundamental review of priorities, pressure on infrastructure will continue to increase.	Discussions with ProRail and the Ministry of Infrastructure and Water Management: align maintenance plans and ambitions to reduce pressure on infrastructure. Address specific problems like track stability, temporary speed limits and demonstrable safe usability, focusing on repair and maintenance. Work with ProRail to develop solutions for capacity and time pressure: focus on the shortage of contractors, unscheduled service interruptions and issues with ERTMS and Performance-Based Maintenance Contracts.
2. Costs The risk of cost increases or failure to achieve savings. 2025: E6 (red) 2024: D6 (red)	In 2025, the financial results of NS were under pressure due to rising costs for salaries, rolling stock, materials, parts and financing. Savings initiatives have been introduced since 2020, plus additional savings targets as part of the new main rail network concession. Choices have been made within the result areas, both in the business plan and via portfolio resets. Despite this, it is uncertain whether the savings envisaged will be achieved on time. IT costs and expense management in particular will require extra attention in this respect.	Saving initiatives since 2020. Additional savings targets, partly arising from agreements for the new main rail network concession and to manage IT costs and other expenses. Choose which projects to implement. Energy costs will be covered (in part) 3 years in advance.
3. Rolling stock The risk of rolling-stock shortages: existing rolling stock, inflow of new rolling stock and shortage of maintenance capacity. 2025: C6 (red) 2024: C6 (red)	The availability of rolling stock was largely in order in 2025; there were enough trains to operate the timetable, even with a reduced number of units. However, robustness remained vulnerable, especially at peak times in autumn and for the longer term. The ICNG delivery schedule was adjusted in collaboration with Alstom and additional measures have been taken. However, risks remained, both in the delivery and maintenance of ICNG trains and new rolling stock to be supplied later on. Maintenance and repair capacity of new trains is to be expanded with additional high-level work facilities. However, there is a chance that this additional capacity may not be ready in time.	Measures to reduce risk and strengthen the robustness of rolling stock (maintenance and repair). TRAXX operations will be phased out in 2025. By the end of 2025, ICNG will be fully deployed on the High-Speed Line (HSL). Intensive management and monitoring of Alstom; improved production and retrofit processes. ICNG Belgium: successful deployment in Eurocity Direct (formerly IC Brussels). Maintenance and track capacity: expansion of ICNG/DDNG maintenance and repair capacity is on schedule.
4. Cyber The risk of process failure due to a cyber-security incident. 2025: C6 (red) 2024: C6 (red)	NS once again took significant steps in 2025 to increase the robustness of its digital resilience and to manage risks. At the same time, the threat level increased due to geopolitical tensions and we saw an increase in cyber attacks. Added to this is the fact that NS's attack surface is increasing due to ever-greater digitalisation. We are also seeing increasing compliance pressure due to cyber legislation imposed by Europe and from our corporate customers. Cybersecurity requires, and is therefore receiving, continued attention.	Systematic implementation of laws and regulations, including NIS2, CER and AI ACT. Continuation of compliance requirements such as ISO27001 and SOC2 type2. Further shaping of the cybersecurity organisation according to the three lines model. Implementation of a Cyber Security Framework with improved internal controls. Planning and prioritising of security improvements based on risks. Including strict cybersecurity requirements in the tender and retender of IT and associated assurance. Monitoring cyber risks in the supply chain (our suppliers). Expansion and enhancement of central cybersecurity facilities within the nationwide NS network. Raising awareness of cyber safe working among employees and suppliers. Increasing preparedness and anticipating triggering events based on up-to-date Cyber Threat Intel.
5. Revenue The risk of not being able to attract enough customers. 2025: E5 (red) 2024: E6 (red)	The risk of slower passenger growth as people work from home on a long-term basis, train tickets become more expensive, and purchasing power decreases. Our continued financial health requires a balance between fare increases and cost management. In 2025, NS still received a contribution from the government that dampened the price increase to 6.18%. It will no longer receive this contribution in future. In addition, revenue from the student travel product was lower in 2025 due to the reassessment of this product. Whereas this lower revenue was still offset in 2024, it was not offset in 2025.	The business platform NS GO is ISO 9001 and ISO 27001 certified. Introduction of NS Price Time Deals to keep train travel affordable by offering extra discounts to customers who buy train tickets at least a day in advance for off-peak times. Growth strategy has been set out up to 2035. Digital strategy has been recalibrated.
6. Absences due to mental health issues The risk of psychosocial complaints due to work stress. 2025: C5 (yellow) 2024: C5 (yellow)	The sickness absence rate rose across the board, with absences due to mental health issues also rising from 2.38% in 2024 to 2.95% in 2025. In the November 2025 staff satisfaction survey check, 62% of colleagues scored working at NS as 8 or above.	Conducting the company-wide Risk Inventory and Evaluation (RI&E) for Psychosocial Workload (PSA) for train and office-based staff, NS Control Centre staff, and Safety & Service (S&S) staff. Vitality plans per business unit are being implemented in cooperation with employee representation bodies and the occupational health service. Vitality has been introduced as part of the Management Learning Programme. Greater focus on managers’ knowledge of psychosocial complaints. Preventive and curative support for work-related stress is available to all NS employees. Improvements have been implemented in the support and aftercare process. Resilience training for Safety & Service staff, senior conductors, train managers and service staff.
7. IT Risk of failure of critical IT infrastructure 2025: D4 (yellow)	NS’s operations rely heavily on IT systems, including some key suppliers from outside Europe. Failure of these systems due to errors, failing processes, technical problems or cyber attacks on NS or at suppliers can have a major impact. A large proportion of the company’s IT has been outsourced. These IT services will be put out to tender again in the period 2025 to 2027. Fragmenting into multiple lots, new contracting parties and their coordination increase the risk of disruptions.	The mission-critical systems are provided by a Dutch company. NS's IT demand-supply organisation is being strengthened with additional capacity. Creation of a new OSI model, which controls communication between the various IT systems. Several innovative infrastructure initiatives are also being carried out to create a more robust technical environment.
8. Public safety The risk of aggression increasing in society. 2025: D4 (yellow) 2024: D4 (yellow)	Passenger experience of public safety improved in 2025, but employees’ perception of safety fell. The number of incidents involving aggression increased by 3.4% compared to 2024. The resulting injury rate fell slightly by 3%. Within injuries, we saw a clear shift from train staff to Safety & Service staff. Professionalisation of S&S and de-escalation training for driving and Retail staff seem to be having an effect. Addressing behaviour and ticket checks remain the biggest trigger for violence. This is a broader social problem for which government measures and support are crucial.	Intensive approach in focus areas. Increased checks and enforcement. Deployment at large-scale events; 100% ticket checks where non-ticket holders are denied access to trains. Stricter agreements with the security supplier; trial with prevention officers in Utrecht and Rotterdam; increased camera surveillance. Safety & Service (S&S) training has been strengthened, with a focus on professionalism and operational scenarios. Pilot in which Safety & Service employees are allowed to carry a baton from 2025 onwards.
9. Staff The risk of staff shortages in crucial locations. 2025: C4 (yellow) 2024: D6 (red)	NS already saw a positive effect of the measures taken in recent years on the staff shortage in 2025. Recruitment initiatives in recent years have ensured that we have enough driving personnel to run the timetable as planned in the coming years. However, staffing challenges persist, mainly due to long-term labour market shortages, retirement and reduced deployability of employees. The shortage of technicians is expected to last until at least 2027. A great deal of effort will be necessary to avoid shortages in Safety & Service. Additional measures have been taken to increase the inflow of new staff and reduce their outflow. Long-term and region-specific solutions are currently being explored to further counter staff shortages.	Additional efforts to recruit and retain staff for key roles, including an in-house training programme. Specific measures in the area of maintenance and service through the ‘Master Plan for Mechanics’. Reducing demand for labour, for example by using cameras for rolling stock inspections. Planning adjustments to increase the deliverability of the timetable.

We started the section with the relationship between business strategy and risk management. The main risks are shown below in relation to the main strategic goals.

Risk Management Statement

The Executive Board believes that the report provides sufficient insight into any deficiencies in the operation of the internal risk management and control systems and that sufficient insight has been provided into the operational, compliance and reporting risks facing NS. We provide further details below.

Financial reporting

The Executive Board considers that the internal control system with regard to financial reporting during the reporting year offers a reasonable degree of certainty that the financial reporting does not contain any material inaccuracies. The Executive Board states that, as far as it is aware:

the financial statements give a true and fair view of the assets, liabilities, financial position and profits of NS and the companies included in the consolidation as a whole;
the annual report gives a true and fair view of the situation on the balance-sheet date and the course of business during the financial year;
given the current state of affairs, the preparation of the financial reports on a going concern basis is justified;
the annual report specifies the material risks and uncertainties that are relevant to expectations about the company’s continuity for a period of twelve months after the compilation of the report.

Sustainability reporting

The Executive Board considers that the internal control system surrounding the generation of sustainability information provides limited assurance that the sustainability reporting does not contain any material inaccuracies.

Operational and compliance processes

The departments within NS work according to the risk management policy, which means that the main risks of processes, IT systems and programmes that are known within the organisation are also known to management. A quarterly report is drawn up and these risks are discussed with the risk managers at regular intervals.

NS has a Safety Management System and a Quality Management System that includes various certifications (VBS, ECM, ISO 55001, ISO 9001). To also be demonstrably in control for key operational and compliance processes, NS is setting up an internal control framework. This internal control framework is at various stages of elaboration. The framework is already in place for a number of processes, and the focus lies on testing, monitoring and assessing the effectiveness of controls. The sub-frameworks for other processes and compliance frameworks are to be further developed and implemented over the next two to three years. The Executive Board monitors progress and assesses the effectiveness of the measures taken at least once per year. The Executive Board is not aware that the internal risk management and control systems did not provide sufficient assurance in 2025 that the operational and compliance risks mentioned above were effectively controlled, where 'sufficient assurance' means assurance appropriate to our risk appetite, the complexity of our business, inherent limitations to these systems and other information about these systems in this report.

The Executive Board discussed the design and functioning of the internal risk management and control systems with the Supervisory Board, including the internal audit function.

Note that the above does not mean that those systems and procedures provide absolute assurance as regards the achievement of operational and strategic objectives, nor that they will necessarily be sufficient to prevent any and all risks, inaccuracies, errors and cases of fraud and failure to comply with laws and regulations. Neither can they provide assurance that we will be able to reach our objectives.

Given the above, the Executive Board is of the opinion that this statement satisfies the requirements of best practice provision 1.2 and 1.4 of the Dutch Corporate Governance Code.