Telenor : SASB report 2023

SASB Report

2023

Topic

CODE

METRIC

Telenor's response

Environmental		TC-TL-130a.1		1)	Total energy consumed
Footprint of
Operations				2)	Percentage grid electricity
				3)	Percentage renewable

6 904 800 GJ. Equal to 1 918 GWh of energy.

80%. A total of 1 527 GWh has been sourced throughthe grid.

36%.

Telenor Group has sourced 655 GWh of renewable electricity through national electricity grids. Renewable grid electricity has been purchased in our Nordic operations via Guarantee of Origin Certificatesand in Pakistan and Bangladesh via IRECs. A remaining 24 GWh of renewable electricity has beengenerated mostly via solar off-grid sites.

Data Privacy	TC-TL-220a.1	Description of policies and
		practices relating to
		behavioural advertising and
		customer privacy

Telenor Group Privacy governance is part of our commitment to Responsible Business. A description can be found on our corporate website at https://www.telenor.com/sustainability/responsible-business/privacy-governance/

Telenor is a diverse group of companies, operating in different markets across Europe and Asia. Each Telenor company is its own data controller and disclose their privacy practices on the respective company's website as part of their privacy statement.

TC-TL-220a.2 Number of customers whose information is used for secondary purposes

Telenor Group companies may only use customer data for defined and lawful purposes in accordance with current legislation and our internal Group Privacy Policy. Any further use of customer data for secondary purposes may happen in anonymised form, only. A description of our privacy governance structure and the role of our Group Privacy Policy can be found on our corporate website at Privacy governance in Telenor - Telenor Group.

TC-TL-220a.3 Total amount of monetary losses as a result of legal proceedings associated with customer privacy

We have not registered any losses as a result of legal proceedings associated with customer privacy.

TC-TL-220a.4	1)	Number of law
		enforcement requests for
		customer information
	2)	Number of customers
		whose information was
		requested
	3)	Percentage resulting in
		disclosure

Telenor Annual Authority Requests Disclosure report is available here: Telenor Annual Authority Request Disclosure Report 2023

2

Data Security		TC-TL-230a.1		1)	Number of data breaches
				2)	Percentage involving
					personally identifiable
					information (PII),
				3)	Number of customers
					affected

Telenor Group do not report this indicator as detailsaround data breaches are confidential. Global companies, such as Telenor Group, are at constant risk of cyber-attacks.While we are constantly increasing our efforts to actively protect our networks, products and customer data, advanced threat actors are increasingly aiming to steal information, modify customer data or make our services unavailable. Specific details associated withsecurity incidents are subject to national laws and regulation and confidential, as to not compromise the integrity of ongoing and future investigations. For more information on Telenor's commitment to cybersecurity, refer toTelenor's Cyber Security page.

TC-TL-230a.2Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards

The Telenor Group approach to managing security risk encompasses the utilization of various security standards, notably ISO/IEC 27001. We engage in continuous monitoring the threat landscape through predicative analysis to adaptively establish proactivesecurity measures. These measures include preventative controls, stringent access management,comprehensive vulnerability management, and detective controls. Our monitoring is executed through Security Operation Centers, ensuring vigilantoversight. Additionally, we have reactive controls in place designed for prompt response to challenges through our well-defined incident management procedures. Our strategy extends to recovery processes, guided by robust disaster recovery and crisis management frameworks. Consequently, this comprehensive approach significantly mitigates theimpact of security incidents. Read more on how we work with cyber security on Telenor.comand our public position oncyber security. We also refer to ourAnnual Reportfor further description in the chapters:'Cyber security' and 'Risk management'.

3

Product End-of-TC-TL-440a.1	1) Materials recovered
Life
through take back
Management
programmes

2) Percentage recovered materials reused

3) Percentage recovered materials recycled

4) Percentage recovered materials landfilled

466 185 devices.

Telenor Group reports the number of devices returned through take back programmes in the Nordic business units. These consist of mobile devices such as smartphones and fixed CPE devices such as TV boxes and broadband routers. A total of 107 519 mobile devices were returned through take- back programmes of which 93% were reused and 7% were recycled. A total of 358 666 fixed devices were returned through take-back programmes of which 70% were re-used and 30% were recycled.

75% of returned devices (93% of returned mobile devices and 70% of returned fixed devices).

25% of returned devices (7% of returned mobile devices and 30% of returned fixed devices).

0%

4

Competitive			TC-TL-520a.1		Total amount of monetary		We are not aware of any monetary losses related to
Behaviour and					losses as a result of legal		legal proceedings associated with anti-competitive
Open Internet					proceedings associated with		behavior in 2023.
					anti-competitive behaviour
					regulations
			TC-TL-520a.2		Average sustained download		Mobile network 4G: 19 Mbps Group average DL
					speed of 1) owned and		throughput per user (Mbps).
					commercially-associated
					content and 2) non-associated		Mobile network 5G: Nordic only: 150 Mbps Nordic
					content		average DL throughput per user (Mbps).
							Telenor does not differentiate between owned,
							commercial and non-associated content. The source
							of the average download speed is based on
							measurement directly from the radio end/equipment
							and is the average download speed per user for the
							whole reporting period. The reported 4G download
							speed is the average of the business units in both
							Nordic and Asia, while the 5G download speed is
							average of the Nordic business units.
			TC-TL-520a.3		Description of risks and		Legislation on net neutrality, paid peering, zero
					opportunities associated with		rating and related practices vary according to the
					net neutrality, paid peering,		markets where we operate. Telenor Group complies
					zero rating and related		with the applicable legislations in each and every one
					practices		of them. The company's approach to IP-
							Interconnection (Peering, IP-Transit and CDN)
							reflects limited materiality and is focused on

optimization in terms of costs and quality. The rulingof the European Court of Justice in September 2021 and the subsequent guidelines from The Body of European Regulators for Electronic Communications(BEREC) in June 2022 eliminated the possibility for Telenor Group's European business units to provide zero rated tariffs. The implementation of this ruling has been completed in all Telenor Group's European business units. The company considers opportunitiesto be limited within these topics.

5

Managing	TC-TL-550a.1	1)	System average	Telenor Group is not reporting this indicator as there
Systemic Risks		is no Group wide definition of how to measure this.
		interruption frequency
from			Our approach to managing systemic risks includes
Technology		2)	Customer average	both preventive and corrective actions to avoid
Disruptions		major service interruptions and to limit impact to our
		interruption duration
			customers.
				The Telenor Risk management policy ensures that
				risks in Telenor are identified, assessed, and treated
				in a way that supports Telenor in achieving our
				ambitions and goals. The Telenor policy framework
				ensures that Telenor Group is compliant to
				regulations including security and privacy, enabled
				through technology design and solutions.
	TC-TL-550a.2	Discussion of systems to	The main business continuity risks associated with
		provide unimpeded service	technology are technical failures, cyber-attacks, or
		during service interruptions	weather events. The main measures applied to
				mitigate Business continuity risks from the three
				main areas include:

• Regular assessment and measurement on service operations according to international standard (e.g. ITIL, TMForum)

• Implementing security capabilities to prevent and reduce the effect of a range of threats to protect the confidentiality, integrity of customer data and internal business information and the availability of services.

• Yearly benchmarking process level against international best practices and capabilities for monitoring and detection. To support incident management and response is measured and developed through Security Operations Center - Capability Maturity Model (SOC-CMM) across Telenor business units to mitigate threats.

• Focus on continuous improvement process to increase automation, operating quality and to better support business and improve customer experience.

In the event of major incidents crisis management plan (CMP) & processes is followed. The CMP is updated on a yearly basis. We also refer to our Annual Reportfor supplementary information in the 'Risk management' chapter.

6

Activity Metrics	TC-TL-000.A	Number of wireless	136 million.
		subscribers
	TC-TL-000.B	Number of wireline	0.2 million. Nordic only.
		subscribers
	TC-TL-000.C	Number of broadband	2.2 million. Nordic only.
		subscribers
	TC-TL-000.D	Network traffic (Petabyte)	10 804 PB. Mobile network only.

The SASB report and figures have been in scope for limited assurance. The independent auditor's assurance report is published here.

Reporting Boundaries

The scope of the SASB report follows the Group reporting structure for year-end 2023.

7