Economic and Governance Dimension

The Group is committed to prioritizing the quality and safety of its products and services, recognizing these as key success factors for the business. Through continuous efforts in new products development and innovation, the Group aims to minimize environmental impacts across its value chain and contribute to sustainable production and consumption.

Quality and Safety of Products and Services ^(3-3)

The Group prioritizes the quality and safety of its products and services, recognizing them as critical factors in customer decision-making. The Group also acknowledges the importance of environmental management and operational stability. To this end, the Group strives to enhance the delivery of high-quality and safe products and services, fostering customer confidence and trust, maintaining the existing customer base, and expanding into new market segments. The Group actively seeks feedback from all groups of relevant stakeholders, both internal and external, to continuously improve, adjust, and develop the products and services, ensuring sustainable business growth and long-term success.

The Group operates in alignment with action plans, setting performance targets tailored to the specific nature of business unit. Post-implementation assessments are conducted to evaluate the effectiveness of these action plans, ensuring continuous improvement in product and service quality and safety.

Communication via Product

The Company has implemented a policy requiring subsidiaries engaged in consumer goods production to enhance communication methods and product information. This aims to provide accurate, up-to-date, and comprehensive consumer knowledge about the products. Various communication channels are utilized, including product labeling, printed materials, online media, and direct customer hotlines, ensuring consumers receive precise and timely information.

The Group recognizes the importance of customer relationship management for retaining customers, acquiring new ones and prioritizing systematic complaint management to improve and develop the operations, ensuring to effectively meet customer needs.

Customer Relationship and Complaint Management^(3-3)

The Group is committed to meeting customer needs to enhance satisfaction and positive customer experiences. Recognizing that customer satisfaction and strong relationships are fundamental to long-term business sustainability, the Group aims to develop high-quality, standardized products and services across all business units to meet customer expectations. Appropriate, accurate, and responsible marketing practices are in place so customers receive reliable information for decision-making. Furthermore, the Group provides various channels for customers to provide feedback, suggestions, and satisfaction evaluations to continuously improve the quality of the operations, products, and services, ensuring that customers receive products and services that meet their needs to the greatest extent possible. This approach helps retain the existing customer base and encourages its expansion through word of mouth, driving the Group's continued growth.

Code of Business Conduct: Guidelines for Dealing with Customers

To comprehensively and precisely meet customer needs, the Group has incorporated guidelines for interacting with customers as part of its Code of Business Conduct. This is communicated to all employees and relevant parties, and regular knowledge assessments are conducted. The Group's Code of Business Conduct was initially implemented in December 2009 and was last reviewed and revised in 2025.

Value Chain Management ^(3-3)

Value chain management is a key driver of efficient business operations. The Group believes that a sustainable value chain management strategy strengthens business stability by fostering strong supplier relationships. This enhances credibility and mitigates risks within the value chain, including social, environmental, governance, and economic risks. Additionally, it ensures the procurement of high-quality raw materials, upholding the standards of the Group’s products and services and effectively meeting stakeholder expectations. This enables the Group to deliver superior customer experiences, fostering customer interest and demand while driving sustainable growth with a commitment to Environment, Social, and Governance and Economic (ESG) principles throughout the value chain.

The Group is committed to responsible business operations that prioritize accountability to communities, society and the environment across the entire value chain. It emphasizes ethical business conduct, compliance with laws and regulations and the prevention of negative impacts on all groups of stakeholders. Moreover, the Group is dedicated to raising supplier awareness regarding responsible business practices. The Group promotes collaboration with suppliers to jointly contribute to community, social and environmental development. This commitment is reinforced through the Supplier Code of Conduct, which is regularly updated to align with evolving circumstances.

Supplier Code of Conduct

The Company has established guidelines for supplier management by implementing Supplier Code of Conduct, which outlines the principles and best practices for fair procurement. This includes procurement regulations that the Group adheres to when conducting business with suppliers in a sustainable manner, as well as supplier selection criteria aligned with the Company’s strategic direction.

TTA’s Supplier Code of Conduct considers environmental and social factors alongside governance and economic aspects. TTA requires suppliers to acknowledge and sign the Supplier Code of Conduct and conduct an annual self-assessment to ensure compliance with its principles. Additionally, TTA may conduct inspections of suppliers' production processes and service delivery as deemed appropriate. Internal audits are also conducted for subsidiaries to ensure that suppliers adhere to the established criteria and regulations set by the Company.

Access more details on Supplier Code of Conduct: https://www.thoresen.com/storage/download/corporate-documents/20220520-tta-supplier-coc-en.pdf

Supplier Code of Conduct Guidelines

1. Procurement with consideration for cost efficiency and effectiveness in terms of quality, price and service for the best benefit of the Company.
2. Procurement with a focus on business ethics, ensuring fair treatment of suppliers, providing accurate, complete, and transparent information, and treat suppliers equally, including considering opinions and suggestions.
3. Procurement that is transparent, fair, and traceable and adheres rigorously to relevant regulations and laws, while implementing risk management and good internal controls.
4. Sustainable procurement and supplier management by considering Environment impact, water and energy resource management, waste management, energy consumption, climate change, pollution prevention and mitigation, and biodiversity conservation, social responsibility and Governance and Economic factors (ESG), as well as monitoring suppliers to ensure compliance with the Supplier Code of Conduct as part of a sustainable value chain management approach.

Green Procurement Management Process

1. Procurement officers must use resources efficiently to achieve maximum benefits and environmental friendliness.
2. Consider products and services with no environmental impact.
3. Support the use of products made from recyclable resources and do not cause environmental pollution, such as products with ecolabels certified.
4. Consider suppliers and service providers with environmental standards certifications.
5. Establish fair and equitable procurement procedures and methods.

Selection of the Company’s Suppliers

When it is necessary to procure goods and services, procurement officers will select suppliers from the Approved Supplier List according to the procedures and guidelines described below:

1. Provide accurate, clear, and fair procurement requirements to all qualified suppliers to ensure equal opportunities for suppliers to offer the goods and services.
2. The initial selection of new suppliers is based on key criteria, prioritizing the quality of goods and/or services, reasonable pricing, and other necessary requirements. New suppliers must complete a self-assessment covering product and service quality, business operations, social responsibility, and environmental responsibility to support the next stage of procurement approval.
3. The procurement officers evaluate the supplier's self-assessment alongside product and/or service quality, pricing, and other necessary requirements.
   • A score above 70 percent is considered a pass and the results will be presented to the approving authority.
   • A score below 70 percent is considered as underqualified and requires further review. The procurement officers will notify the supplier and collaborate on preventive measures to address potential sustainability concerns with a follow-up evaluation in the next round.
4. Approved suppliers are categorized as Critical Tier 1 Supplier or Critical Non-Tier 1 Supplier based on the criteria for supplier segmentation.
5. After joining the Approved Supplier List, the existing suppliers must undergo a Yearly Performance Evaluation using the Company's supplier assessment along with the supplier’s self-assessment covering product and service quality, business operations, social responsibility, and environmental responsibility to monitor the performance. Throughout the year, the Company may raise concerns or report issues related to product performance, or Environment, Social, Governance and Economic aspects. The Company will investigate, determine corrective actions, provide recommendations, and develop the supplier’s capabilities together with related parties from all departments and suppliers before reassessing the situation.

Criteria for Supplier Segmentation

The Company establishes supplier segmentation criteria to enable systematic procurement analysis and strategy development, as well as effective supplier risk assessment. Suppliers are categorized based on the following criteria:

1. Critical Tier 1 Supplier

Suppliers with high contract value, high expenditure, limited alternative products and essential components or equipment critical to the production process, posing a very high risk or high risk to the Company's operational capability. This supplier group is required to undergo the Yearly Performance Evaluation through the Company's supplier assessment, combined with the supplier’s self-assessment and/or an onsite audit. The evaluation process covers product and service quality, business operations, social responsibility, and environmental responsibility.

2. Critical Non-Tier 1 Supplier

Suppliers with moderate service usage or lower contract value, posing a medium or low risk to the Company’s operational capability. These suppliers undergo the Yearly Performance Evaluation through the Company's supplier assessment, combined with the supplier’s self-assessment and assessments from relevant department(s). The evaluation process covers product and service quality, business operations, social responsibility, and environmental responsibility.

Supplier Risk Assessment

The key factor in enhancing value chain management efficiency is the risk assessment. The Company has implemented a supplier risk management system, which includes value chain risk assessment, company-conducted supplier assessment, and supplier’s self-assessment. These processes help identify key suppliers within the value chain and to check the qualifications of those who will be registered as suppliers of the Company. The key risk areas are as follows:

1. Economic risks issues such as raw material price fluctuation risks, etc.
2. Environmental risks such as greenhouse gas emissions, noise pollution, water usage and wastewater discharge, energy consumption and waste, raw materials, or equipment containing hazardous substances management, etc.
3. Governance risks such as corruption, tax evasion, fair competition, and intellectual property, etc.
4. Social risks such as human resources management, human rights, occupational health and safety and legal compliance, etc.

Average Supplier Payment Period in 2025

• Supplier Credit-Term according to internal practice is within 30 days.
• The actual supplier average credit-term in 2025 was 30 days.

Thoresen Thai Agencies: TTA

With the Company’s commitment to establishing a foundation of sustainability across the value chain, the Supplier Code of Conduct has been developed. This serves as a guideline for the Company’s suppliers to follow, mitigating risks related to the environment and society. Additionally, supplier assessment guidelines have been established. Suppliers of the Company are also required to sign an acknowledgment of the Supplier Code of Conduct to ensure strict adherence. Furthermore, the Company actively manages supplier relationships to foster continuous and sustainable business operations.

Sort Before Dispose Project

In 2025, the Company contributed to the sustainable business development of its suppliers by organizing training under the " Sort Before Dispose" project, alongside the communication of the Supplier Code of Conduct and the Environmental Policy for State Service Co., Ltd., a cleaning service provider responsible for maintaining the Company's headquarters clean. This initiative aimed to promote waste segregation in alignment with the Company's commitment to environmental responsibility across all areas. It also raised awareness among cleaning staff, ensuring they understood waste types and adopted proper waste segregation practices similar to the Company's employees. This training serves as a foundation for creating a sustainable environment together in the future. The knowledge gained will enable cleaning staff to correctly separate waste at the source and apply these practices at other locations where they work.

For the results, the cleaning staff participated in the training representing 100 percent of the cleaning workforce; 4 participants in first session and 5 participants in second session (1 additional hired cleaning staff during the year). Pre-and post-training assessments showed a 100 precent pass rate. In 2025, correct waste segregation increased and a rise in waste being repurposed such as an increase of electronic waste, paper and plastic bottles being sent to recycling.

Additionally, in 2025, the Company communicated the Supplier Code of Conduct alongside TTA’s Environmental Policy to 6 suppliers via e-mail, representing 13.95 percent of all suppliers. Furthermore, the "Sort Before Dispose" project included training sessions that also covered the Environmental Policy.

Technological resources are business assets that require efficient management, including preventive measures and the definition of data usage security levels. This management is crucial for maintaining the privacy of stakeholders' personal data and data used in the Group's business operations.

Cybersecurity and Data Privacy ^(3-3)

Rapid technological change and development, coupled with the increasing sophistication of cyber threats, present risks related to data privacy and cybersecurity. These risks include computer viruses, hacking, ransomware, unauthorized use or disclosure of user data, and the loss or leakage of sensitive of the Group data and stakeholders' personal data. Therefore, cybersecurity and the safeguarding of personal data are critical corporate risk factors of utmost importance to the Group. This prioritization aims to reduce potential risk levels and prevent negative impacts on the Group, both monetary and non-monetary, such as fines from legal actions, damages from ransomware or extortion, reputational damage, and loss of revenue or profit, or customer base due to diminished trust in the Group's reputation and image, etc. The Group is committed to investing in technology, enhancing work process efficiency, increasing cybersecurity awareness among personnel, and continuously promoting the appropriate use of digital technology.

Thoresen Thai Agencies: TTA

Information and Cyber Security Management Policy

The Company recognizes the inherent risks associated with information technology and, therefore, prioritizes the care and protection of its information technology resources. The Information and Cyber Security Management Policy serves as the operational framework that all users must adhere to, the Company also complies with the relevant laws such as the Computer Crime Act B.E. 2550 (2007) and as amended, including Personal Data Protection laws. The Company collects personal data only when necessary for its operational purposes, depending on the individual's relationship or activity with the Company, and the type of product or service used. Individuals are notified of these practices before or at the time of personal data collection. Explicit consent is obtained from individuals before or at the time of collecting their personal data.

In 2025, the Company reviewed Information and Cyber Security Management Policy and considered its appropriateness in line with the current operations. After review, this current Policy still remains suitable and effective for continued application; hence no further significant revision. Nevertheless, the Company developed and supplemented related guidelines and supporting documents to ensure greater clarity, consistency, and standardization in operational practices across the organization.

Key elements of this policy encompass regulations for controlling and preventing information access, access rights management to information resources, security measures of data both document and electronic formats, including data backup and recovery based on appropriate practices to support the Company’s business continuity.

Key elements of this policy encompass regulations for controlling and preventing information access, access rights management to information resources, security measures of data both document and electronic formats, including data backup and recovery based on appropriate practices to support the Company’s business continuity.

Privacy Policy

The Company maintains a Privacy Policy that adheres to the Personal Data Protection Act B.E. 2562 (2019), as well as other pertinent laws and regulations enforced in Thailand, to govern its data privacy operations. The core principles of this policy are to collect and store personal data lawfully, ethically, and only to the extent necessary for the Company's operational purposes. Data collection is limited in purpose, scope, and method. The data is categorized as follows:

Channels of Receiving Complaints

TTA provides channels for inquiries or requests for further information regarding personal data protection, collection, use, disclosure, and the exercise of data subject rights. These channels are also available for lodging complaints. Contact can be made through the following means:

Role and Responsibilities of the Board of Directors regarding Information Technology

The Company designates the Board of Directors as responsible for overseeing information technology governance, innovation, and information technology risk management, in accordance with relevant standards and laws. The Board considers policies and procedures related to the management and mitigation of cyber and information technology risks, integrating these into enterprise-wide risk management. This integration spans from risk or business opportunity identification, assessment, and prioritization to the determination of management measures, monitoring and reporting, and the annual review of the Information and Cybersecurity Management Policy to ensure compliance with corporate governance principles. The Information Technology Department serves as the primary unit responsible for overseeing and managing the organization's cybersecurity. This includes actively monitoring and responding to threats and maintaining information technology systems to be secure and up to date.

In 2025, the Company continued to implement cybersecurity and data privacy initiatives and programs on an ongoing basis, with a strong focus on mitigating risks arising from human factors, enhancing employee awareness, and further strengthening a systematic governance framework. During the year, the Company reviewed its Information and Cybersecurity Management Policy and determined that the Policy remains appropriate and effective for continued application. As a result, no changes were made to the core Policy. Nevertheless, the Company developed and supplemented related guidelines and supporting documents to ensure greater clarity, consistency, and standardization in operational practices across the organization.

In terms of human capital development, the Company continuously promoted employee knowledge and understanding of personal data protection and cybersecurity through ongoing training programs and internal communications. In 2025, the Company further introduced the Security Awareness Proficiency Assessment (SAPA) to evaluate employees’ levels of knowledge and security-related behaviors. A summary report of the assessment results was prepared and provided to department heads to support effective supervision and targeted development of their teams. This approach also enabled clearer identification of each team’s strengths and areas for improvement in cybersecurity awareness.

In addition, the Company continued to conduct Phishing E-mail Attack Simulation exercises and increased the frequency of such testing to twice per year to assess employees’ readiness in identifying and responding to fraudulent e-mails. Employees who did not pass the simulations were required to undertake supplementary training, aimed at mitigating cybersecurity risks and reinforcing practical awareness in real-world operating environments.

For 2026, the Company plans to further enhance its cybersecurity management framework by increasing the variety and sophistication of Phishing E-mail Attack Simulation. The Company will also develop an online information security training platform to enable continuous and accessible learning for employees. In addition, the Company plans to transmit security event logs to a Security Operations Center (SOC) to support 24 hours monitoring, detection, and alerting of security incidents. This initiative is intended to strengthen the Company’s capabilities in timely and effective threat detection and incident response.

Communication on Personal Data Protection and Cybersecurity

The Company communicates information regarding personal data protection and cybersecurity to employees through pop-up notifications and the Company's internal portal system, ensuring employees can access this information at their convenience.

Phishing E-mail Attack Simulation

Qualitative Target : Employees are aware of and correctly prevent Phishing E-mail

Quantitative Target : Percentage of fallen victim from Phishing E-mail Attack Simulation between 3-7

In 2023, the Company launched a Phishing E-mail Attack Simulation project to train employees to effectively handle and respond to phishing e-mail threats. This initiative is a key measure to mitigate the risk of phishing attacks. Furthermore, the project aims to build accurate knowledge and understanding of phishing tactics and to enhance employee vigilance in identifying suspicious emails.

In 2025, the Company enhanced the rigor of its Phishing E-mail Attack Simulation by increasing the testing frequency to twice per year, with the objective of strengthening employee resilience against increasingly sophisticated cyber threats. The test results demonstrated a significant improvement in employees’ ability to identify and respond to Phishing E-mail attack. In the first simulation, the failure rate (fell victim) stood at 16.30 percent. Following continuous awareness campaigns and targeted communications, the failure rate in the second simulation decreased to 5.00 percent (Out of 120 participating employees, only 6 were fell victims).

Based on the above performance results, the Company successfully achieved both its qualitative and quantitative goals. Employees demonstrated a clearly improved ability to accurately identify and avoid phishing e-mails. Phishing E-mail Attack Simulation failure rate in the second test was reduced to 5.00 percent, which falls within the Company’s predefined target range of 3–7 percent. This outcome provides tangible evidence of the effectiveness of the Company’s cybersecurity awareness measures. The Company will continue to conduct Phishing E-mail Attack Simulation and enhance employee capabilities on an ongoing basis to maintain a strong level of preparedness against increasingly complex cyber threats in the future.

In addition, the Company emphasized the cultivation of a strong security culture by promoting self-directed learning among employees. This included the implementation of in-depth knowledge assessments through the Security Awareness Proficiency Assessment (SAPA) and PDPA knowledge tests for operational-level employees. In 2025, the participation rate for these initiatives was 68.03 percent of the targeted employee group. Looking ahead, the Company plans to elevate these measures by integrating them into key performance indicators (KPIs) in the following year, to ensure that all employees are comprehensively and consistently assessed and developed in cybersecurity competencies.

Remark: ^1/ Participants who failed in second test are currently undergoing a follow-up process, with remedial training scheduled to be completed within the first quarter of 2026.

Thoresen Thai Agencies: TTA

TTA has established Creativity Promotion and Innovation Management Policy to serving as a framework for innovation initiatives across the Group. This policy focuses on fostering creativity within the organization, which will drive the development and improvement of products, services, and work processes, ensuring efficient alignment with the operational guidelines of each company.