ESRS S4 – Consumers and End-Users
Material Impacts, Risks and Opportunities
S4. Consumers and End-Users
Sub-topic and sub-sub-topic | Description | Negative / Positive / Risk / Opportunity | Stage of the value chain affected | Time horizon |
---|---|---|---|---|
Personal safety of consumers or end-users: Health and safety | Potential reputational risk if any deviations in product safety that cause hazardous incidents were to be detected. | Actual financial risk | Own operations, Downstream | All |
Personal safety of consumers or end-users: Health and safety | Negative impacts on customer satisfaction, customer and stakeholder perceptions and, consequently, direct financial effects if perceived quality does not correspond to customer requirements. | Actual financial risk | Own operations, Downstream | All |
Personal safety of consumers or end-users: Health and safety | Improving the health and safety of customers with Bittium’s technology products that promote healthcare. | Actual opportunity | Own operations, Downstream | All |
Information-related impacts on consumers and/or end-users: Privacy | A significant reputational risk if information security deficiencies were to be detected in the company’s operations or products. Such deficiencies may also lead to legal consequences or the termination of customer relationships. | Actual financial risk | Own operations, Downstream | All |
Information-related impacts on consumers and/or end-users: Privacy | The increase in information security threats and the tightening security climate increase the demand for secure products and lead to a situation where taking information security and data protection into consideration in product development is a key opportunity for Bittium in all of its businesses. | Actual opportunity | Own operations, Downstream | All |
Information-related impacts on consumers and/or end-users: Availability of high-quality information | Unclear or incomplete product information or labeling may affect customers’ understanding of the use of products and indirectly affect their safety, as well as reduce customer satisfaction. | Actual negative impact | Own operations, Downstream | All |
Use of Transitional Provisions According to ESRS 1 Appendix C
Bittium has decided to apply the transitional provision according to ESRS 1 Appendix C with regard to information under the S4 standard. In this reporting according to minimum disclosure requirements, Bittium will describe the sub-topics that have been assessed as material and provide a brief description of how the company’s impacts related to these matters are taken into account in the company’s business model and strategy. The reporting according to minimum disclosure requirements also includes a brief description of time-bound targets and Bittium’s policies, actions and metrics related to the matters in question.
Material Sustainability Matters Related to Consumers and End-Users
In the double materiality assessment process carried out in spring 2024, S4 Consumers and end-users was identified as a material sustainability matter at the level of the following sub-topics: Personal safety of consumers and end-users and Information-related impacts on consumers and/or end-users. A more detailed description of the process to identify and assess material impacts, risks and opportunities is provided in section ESRS 2 IRO-1.
Sub-topic | Sub-sub-topic | Impact, risk or opportunity |
---|---|---|
Personal safety of consumers or end-users | Health and safety | Negative impacts on customer satisfaction, customer and stakeholder perceptions and, consequently, direct financial effects if perceived quality does not correspond to customer requirements. (Own operations, downstream, risk) |
Personal safety of consumers or end-users | Health and safety | Potential reputational risk if any deviations in product safety that cause hazardous incidents were to be detected. (Own operations, downstream, risk) |
Personal safety of consumers or end-users | Health and safety | Improving the health and safety of customers with Bittium’s technology products that promote healthcare. (Own operations, downstream, opportunity) |
Information-related impacts on consumers and/or end-users | Privacy | A significant reputational risk if information security deficiencies were to be detected in the company’s operations or products. Such deficiencies may also lead to legal consequences or the termination of customer relationships. (Own operations, downstream, risk) |
Information-related impacts on consumers and/or end-users | Privacy | The increase in information security threats and the tightening security climate increase the demand for secure products and lead to a situation where taking information security and data protection into consideration in product development is a key opportunity for Bittium in all of its businesses. (Own operations, downstream, opportunity) |
Information-related impacts on consumers and/or end-users | Availability of high-quality information | Unclear or incomplete product information or labeling may affect customers’ understanding of the use of products and indirectly affect their safety, as well as reduce customer satisfaction. (Own operations, downstream, negative impact) |
Bittium has a broad customer base of consumers and end-users who use the defense industry products, communication and connectivity solutions and biosignal measurement and monitoring solutions developed by the company. Risks related to the health and safety of consumers and end-users are linked to Bittium’s business through product quality and safety. At the same time, improving consumer and end-user health and safety with the help of Bittium’s products that promote information security, communication solutions and healthcare creates a business opportunity for the company. Bittium complies with product liability regulations in its operations, including requirements that are specific to the target markets of the products. The relationship of the impacts, risks and opportunities to the business model and strategy is described for individual impacts, risks and opportunities in section ESRS 2 SBM-3.
With regard to the Medical and Defense & Security business segments, the strategy emphasizes the continuous improvement of product competitiveness and productivity, the development of quality and the efficiency of operations, as well as the utilization of development cooperation between companies. High-quality product information is also an integral part of quality. The absence or lack of clarity of product information would have a negative impact on the customers’ understanding of the use of the product and an indirect impact on customer safety. The absence of high-quality product information would reduce customer satisfaction.
The significant change in patient care that is under way in healthcare technology is highlighted in Bittium’s strategy. The development of early-stage diagnostics and the increasing use of early discharge practices increase the efficiency of healthcare processes and improve the care experience. Bittium can promote the personal health and safety of consumers and end-users by enabling accurate monitoring and measurement in home conditions through remote monitoring solutions.
The development of the information security of Bittium’s own products and new technology has an impact on the privacy of customers and end-users through information security and data protection, contributing to the prevention of threats to data and national security. In product development service projects, information security and confidentiality are important considerations right from the start of the design stage. The company is known for its information security expertise, secure products for the defense and security industry, and medical devices. For this reason, Bittium would incur a significant reputational risk if information security deficiencies were to be detected in the company’s operations or products. The increase in information security threats and the tightening security climate increase the demand for secure devices, which means that the secure products offered by Bittium create business opportunities and a competitive advantage relative to other operators in the industry.
Targets Related to the Material Sustainability Matters
Bittium’s target is to maintain a high level of customer satisfaction. To achieve this target, Bittium continuously develops its processes and systems. Bittium is committed to comprehensive quality assurance to ensure that the company’s products and related product information meet customer expectations and the requirements of the applicable regulations and standards. Confidential customer relationships and safety are part of Bittium’s sustainability strategy, which has been updated for the period 2025–2028 and which aims to take into account the company’s customers and health and safety.
Customer satisfaction and project satisfaction are measured and monitored by means of customer satisfaction surveys and the project satisfaction NPS (Net Promoter Score). The achievement of targets and the agreed-upon development measures are monitored in quarterly personnel briefings for the company’s entire personnel. The Board of Directors monitors the achievement of outcomes and targets annually. The NPS target for 2024 was set at 40, which is a very high customer satisfaction score. This target was achieved in both customer satisfaction and project satisfaction measurements. At Bittium, the most senior level in the organization that is responsible for the implementation of policies and processes related to customer satisfaction and customer cooperation is the company’s CEO and the members of the Management Group.
Bittium did not have any time-bound targets for 2024 with regard to promoting the quality of services and products. Bittium began surveying the life-cycle data of the company’s products for the digital product passport in 2024. This will increase transparency in the supply chain and contribute to the availability of high-quality product information. Progress towards this target was made with regard to one key product in the Defense & Security and Medical business segments. This work will continue in 2025 with the target of expanding the number of products for which life-cycle data is collected. Product information has also been improved by developing the management of material databases.
Bittium’s target is to have secure products and to strengthen its role in the identification of information security threats and the utilization of data. Bittium does not have time-bound targets related to information security threats. Bittium has defined four themes for the process of monitoring non-time-bound targets related to information security threats: 1) compliance with information security certificates and the information security of operations, 2) situational awareness of information security and the capacity to detect deviations, 3) business continuity management, and 4) information security of the company’s own products and new technologies. Progress towards these targets is monitored in the annual management review.
Maintaining the personnel’s information security and data protection competence and increasing special expertise has been highlighted as one of Bittium’s key targets. Bittium aims to strengthen its role in the recognition of information security threats and in the utilization of information together with its stakeholders, and the company also aims to participate in the information security development projects and key forums of the EU and other parties. Information security training for the personnel is part of mandatory recurring training. Bittium began updating the information security training in 2024 and will start the monitoring of the new training in 2025. With regard to the policy concerning risk management, Bittium set a target of fulfilling the requirements of the international ISO 27001 information security certificate in 2024. This target was accomplished, and the achievement of the target was verified by means of an external audit.
Policies Related to the Material Sustainability Matters
The policies that guide Bittium’s operations in relation to consumers and end-users include the company’s Code of Conduct, sustainability policy, the Group’s quality policy and the Medical business segment’s own quality policy, which takes into account the specific needs of the sector in question. The Code of Conduct and the sustainability policy define Bittium’s general principles for sustainable business conduct, such as respecting human rights, ensuring information security and data quality, as well as ensuring information security in the work environment and workplace atmosphere, environmental responsibility and the management of supplier relationships.
The target of Bittium’s quality policy is to achieve customer satisfaction through the good quality of products and services. Bittium aims to ensure the successful implementation of its policies by means of certified management systems and the requirements established by them. According to the quality policy of the Medical business segment, Bittium complies with the Medical Devices Regulation (MDR (EU) 2017/745), which governs the design, development and production of medical devices as well as their life cycle management.
Bittium’s key policies related to information security and data protection are the company’s information security policy and its sub-policies. The policies define the company’s approach to maintaining confidential customer relationships, manufacturing safe and secure products, and collecting, storing and using confidential or proprietary information. Bittium has drawn up business continuity plans to ensure that the company is able to continue its operations even during and after serious disruptions. The purpose of Bittium’s Disaster Recovery Plan is to minimize the impacts of potential disasters and limit the duration of recovery in order to maintain business continuity.
Actions Related to the Material Sustainability Matters
Ensuring Product Safety
Bittium sees to the health and safety of consumers and end-users by ensuring the safety of Bittium’s products and, in product development, by systematically assessing the risks related to each product and its life-cycle, the safety of the materials and components used in the product and the information security aspects of the product. In Europe, Bittium’s products are required to have CE marking and a related declaration of conformity. Actions related to consumers and end-users are assessed, reviewed or audited on a regular basis in accordance with internal practices as part of the internal requirements of Bittium’s product development processes. Bittium trains its personnel on product liability.
All of Bittium’s medical devices are designed with user safety (patient safety) in mind, and they comply with the requirements of either the EU Medical Device Regulation (MDR), which entered into force on May 26, 2021, or its predecessor, the Medical Device Directive (MDD), which is in force until 2028. In 2024, Bittium made progress as planned in obtaining product approvals for its products in accordance with the MDR. In 2024, Bittium focused on increasing its regulatory competence related to medical devices and began to systematically review and update product information as part of continuous quality management measures.
In order to ensure the information security of its product information, Bittium uses layered security methods that cover all areas of the infrastructure, from networks to terminal devices. Bittium monitors the availability and quality of product information through customer correspondence, an annual customer satisfaction survey and relevant quality and safety requirements.
Audits, Compliance Monitoring and Management Review
In relation to compliance in quality management, the company conducts a regular management review. Feedback obtained from the management review is used in the development of Bittium’s operations and processes. The focus of the management review conducted in 2024 was on updated business processes and policies. The management review also covers internal or customer-related operations, products and services and their quality.
Bittium conducts extensive external and internal audits to ensure the quality of its products and processes. Annual internal audits are carried out at Bittium on the ISO 9001 and ISO 13485 standards. Bittium is also audited or assessed by customers and by means of annual external audits of management systems. Bittium’s external management system audits include Group-level ISO 9001, ISO 14001, ISO 50001, ISO 27001, ISO 13485 and AQAP 2110 audits carried out by KIWA (Inspecta), and ISO 13485, MDR 2017/745, MDSAP and MDR-M 75 audits carried out by Eurofins. The external auditing activities carried out in 2024 identified not only numerous positive quality-related factors but also areas for development. In addition, a few deviations were detected in relation to the Medical business segment’s processes. These deviations are currently being addressed.
Training and Development Projects
In the development of customer service and customer cooperation skills, examples of the current themes include topics related to information security, quality management systems, programming languages, working in a cloud environment, and embedded systems. A Sales Excellence training program was introduced in 2024 for people working in sales. In 2024, the company continued to use an online learning platform where employees can participate in high-quality mini webinars focused on information security and data protection. Bittium’s target is to promote continuous on-the-job learning among its personnel with regard to the identification of information security threats and the utilization of information.
Strengthening Information Security and Data Protection
Bittium has a comprehensive range of data protection and information security measures and methods in place to protect the business secrets and professional secrets of Bittium and its customers, as well as the privacy of customers. Examples of these measures and methods include firewall and endpoint security software, the encryption of data communications, multi-factor authentication and access management, regular information security updates, vulnerability scanning, an SIEM system and SOC services. Bittium has access to the company’s own VPN encryption product, which has quantum security capabilities, and a NATO-approved secure phone that the company can use to leverage material opportunities related to information security and data protection.
In 2024, Bittium took the following actions to manage negative and positive impacts related to information security and data protection:
- Transitioning to the updated version of the ISO 27001:22 standard.
- Complementing information security training by participating in the national TAISTO exercise.
- Publication of the Post-Quantum Cryptography (PQC) ML-KEM algorithm standardized by the U.S. National Institute of Standards and Technology (NIST) for the Bittium SafeMove® Mobile VPN software used for the encryption of communications.
- Updating information security risk management by combining it with the management of other business risks.
- Starting the technology upgrade of network infrastructure.
- Decision on joining the Hyöky service and its deployment. The Hyöky service is the Finnish National Cyber Security Centre’s attack surface survey service. Joining the service promotes the achievement of the goals of the policy that relates to risk management.
Metrics Related to the Material Sustainability Matters
Bittium measures customer satisfaction by means of two different types of surveys: For customer satisfaction, the assessed areas are the smoothness of cooperation, Bittium’s ability to understand the customer, and satisfaction with the quality of products and services. For project satisfaction, the key areas are the success of project management, the functioning and quality of technical solutions, and the outcome of the project. Both surveys provide information on deviations and product and service quality, which are measured by the number of severe defects in each business area. No severe quality defects were observed in 2024.
Bittium uses NPS (Net Promoter Score) to measure customer satisfaction. For 2024, the target NPS measured in both customer and project satisfaction surveys was set at 40, which is higher than the average NPS among technology companies. In 2024, the customer satisfaction survey NPS was 48 and the project satisfaction NPS was 73, which meant that the targets set for the year were exceeded.
Bittium’s metrics related to consumer and end-user health and safety are based on monthly internal quality management reporting to the Quality Board. The realization of patient safety among Bittium’s customers and end-users is measured by means of the quality and safety requirements of the ISO 13485 standard. Compliance with regard to the quality of product information is measured by means of various audits and other requirements. Feedback concerning the improvement of product information has also been obtained from the customer satisfaction survey and, in 2024, the company started updating product information to improve quality.
The privacy of consumers and end-users in terms of information security and data protection is measured by means of the ISO/IEC 27001:2013 information security certificate. A valid certificate demonstrates that the organization has adopted known best practices for securing its business operations and the information it processes and for managing information security risks. The validity of the certificate must be maintained on a continuous basis. The certificate also requires continuous and regular monitoring, measurement and analysis of data on information security, such as the number and nature of information security incidents, the effectiveness of risk management measures and the effectiveness of controls related to information security and data protection. No actual adverse information security incidents were identified in 2024.