Business Conduct
ESRS G1 – Business Conduct
Material impacts, risks and opportunities and their interaction with strategy and business model (SBM-3)
Business conduct and corporate integrity underpinned our operations during the reporting year. We operated in accordance with applicable laws, regulations and internal standards, maintaining a corporate culture based on ethical behavior, accountability and transparency.
As a biotechnology company operating in a highly regulated environment, compliance, effective internal controls, and responsible supply chain management were integral to the execution of our business model. Established governance structures and control mechanisms remained in place throughout the reporting period.
The table below summarizes the five material impacts, risks and opportunities (IROs) identified for our business and our governance structures in accordance with ESRS 2 (SBM-3 and IRO-1), reflecting the outcome of our FY25 double materiality assessment.
| Material Topic | Description | IRO Type | Value Chain |
|---|---|---|---|
| Corporate Culture and business conduct | Inappropriate corporate culture and business conduct could affect the long-term reputation and success of our organization and have an impact on e.g., the attraction and retention of talent or the interaction with customers, regulators, partners and suppliers. | Risk | Entire |
| Protection of whistleblower | Failure to appropriately hear, investigate or protect whistleblower reports could result in financial penalties and reputational damage, particularly in light of expanded operations in the United States. | Risk | Entire |
| Management of relationships with suppliers | Our success relies on supply chain partnerships, underpinned by our ability to build a trusted supply chain and maintain sound relations to mitigate potential supply chain risks. | Risk | Entire |
| | By maintaining effective supplier relationship management, we help safeguard the continuity of operations and support ethical practices across our value chain. | Actual | Entire |
| | If suppliers are unable to provide the therapy needed for patients or do not meet required ethical standards, this could affect patient access to treatment and contribute to non‑compliant practices in the value chain. | Potential negative | Entire |
All material IROs identified under ESRS G1 fall within the short‑term time horizon (i.e., <3 years).
The material G1 IROs were linked to the execution of our business model through their relevance to corporate conduct, whistleblower mechanisms, and the management of supplier relationships. Risks relating to corporate culture and whistleblower protection were associated with our ability to identify and address potential misconduct in a timely manner. Non-compliance with applicable whistleblower protection legislation, including EU requirements, could have resulted in financial penalties and reputational damage. Supplier-related IROs were connected to our reliance on specialized external partners for key operational activities. Effective management of supplier relationships supported continuity of operations and adherence to required ethical standards within the value chain. If suppliers were unable to meet contractual or ethical requirements, this could have affected operational continuity and contributed to non-compliant practices within the value chain.
Governance oversight of business conduct matters is described in ESRS 2 (GOV-1), and the process for identifying material impacts, risks and opportunities is set out in ESRS 2 (IRO-1).
Business conduct policies and corporate culture (G1-1)
To address the material G1 impacts and risks described above, we maintained policies and procedures governing corporate conduct, whistleblower protection and supplier-related business practices during the reporting year. These policies define expected standards of behavior, establish reporting and investigation mechanisms, and support compliance with applicable legal and regulatory requirements.
We maintained a suite of policies and processes to manage business conduct and corporate culture. These policies were supported by internal processes designed to promote awareness and consistent application across the organization. New members of the Audit Committee received onboarding on the Code of Conduct and Speak-Up Policy. Compliance with the Code of Conduct formed a mandatory element of onboarding new employees and external staff (including, but not limited to, consultants). In 2025, 97% of new employees and external staff completed the related training; this percentage is measured against all new employees and external staff.
Detailed information regarding our Code of Conduct, compliance standards and related procedures is provided below.
Code of Conduct
Our Code of Conduct sets out the overarching business conduct expectations for all employees and external staff (including, but not limited to, consultants) working on our behalf. Responsibility for the Code of Conduct and compliance oversight rests with the General Counsel, who is a member of the Executive Committee. The Board of Directors approves the Code of Conduct.
During the reporting year, the Code of Conduct was reviewed to ensure it remained up to date and aligned with current operations. Minor updates were made where appropriate, including administrative updates. No substantive changes were introduced.
Further information about our Code of Conduct is provided in the Corporate Governance chapter of this report.
The principles of the Code of Conduct are focused on:
Patients as our foremost consideration in decision making
Acting in an ethical, honest and transparent manner
Being responsible corporate citizens
Speaking up to address issues that may arise
Not tolerating harassment or discriminatory behavior
Complying with the UN Global Compact
Holding ourselves accountable
Policies and compliance standards
In addition to the Code of Conduct, we have established a rigorous compliance program that is built on guidelines and standards through group-wide policies, standards and procedures. This program includes:
A Speak-Up Policy which provides mechanisms for employees and third parties to raise concerns in relation to business conduct in line with the EU Whistleblowing Directive (see detailed description below).
An Anti-Bribery & Anti-Corruption Policy which prohibits all forms of bribery in the course of Galapagos business.
Guidance on Identifying and Declaring Personal Interests, which provides guidance on how to prevent certain situations where a personal interest is involved and establishes rules for identifying, disclosing and handling potential risks that may occur in certain (specific) situations with personal interests.
A procurement policy outlining how we purchase goods and services based on their type, budget, risk, and importance to operations.
Through the Audit Committee Complaints Procedure Policy, complaints can be made regarding (1) accounting, internal accounting controls or auditing matters, including the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters, or (2) potential violations of any applicable law, including the relevant federal securities laws and including any rules and regulations thereunder, or the U.S. Foreign Corrupt Practices Act. While we have not yet defined specific functions that may be most exposed to corruption or bribery risks, all employees are required to complete Code of Conduct training as part of their onboarding.
Whistleblower Policies
We maintain a Speak-Up Policy designed to support the reporting of concerns and protect individuals from retaliation.
The general investigation principles of the Speak-Up policy are:
Confidentiality
Objectivity
Timeliness
Consistency
Integrity
Documentation
Transparency
While it is possible for individuals to raise concerns anonymously (where permissible), our Speak-Up Policy includes a non-retaliation principle and describes how escalation and reporting should take place.
We prevent and protect against retaliation by:
Always acting proactively (e.g., through analytics tracking and monitoring of pay rises, bonus, relocation, promotions, etc.);
Remaining in contact (after consent) with the reporter to discuss the outcome;
Fully investigating all allegations of retaliation;
Taking the appropriate disciplinary actions; and
Openly communicating about cases of retaliation, where possible.
These measures help to build trust in the system and to encourage others to come forward. In addition, regular mandatory training is provided to new and current employees.
The Speak-Up Policy sets out steps to investigate business conduct incidents promptly and objectively. Incidents are recorded and tracked using an independent reporting platform. We have a clear process for reporting concerns and take all reports seriously. For substantiated or partially substantiated compliance concerns, corrective and preventative action is taken in collaboration with relevant functions. We also oversee activities in our supply chain and aim to resolve any issues responsibly.
Management of relationships with suppliers (G1-2)
During the reporting year, new vendors were subject to a Third Party Risk Assessment (TPRA) process, and we maintained a Supplier Code of Conduct setting out expected standards of behavior.
As set out in our procurement policy, our standard payment terms for regular suppliers are 45 days. For healthcare suppliers, our payment term is 30 days. For governmental bodies, personnel insurances and patients, payment is immediate (0 days). To prevent late payments, we use an ERP (Enterprise Resource Planning) system which integrates invoice processing. Some deviations and exceptions from this policy exist, but best efforts are made to uphold these terms.
Third Party Risk Assessment (TPRA)
The TPRA applies to all new vendors and is initiated in the early stages of the vendor selection process. While contract negotiations may begin once the TPRA process has started, contract execution does not proceed until the TPRA assessment has been completed.
The TPRA process includes assessment of areas such as quality, IT security, compliance and ethics, data privacy and sustainability. As part of the process, vendors complete a preliminary questionnaire (PLQ), which includes questions relating to social and environmental matters. These may include, for example:
Whether the vendor is a signatory to the UN Global Compact
Existence of a Code of Conduct or Business Ethics policy
Whether the vendor has defined a carbon footprint or carbon reduction targets
Whether the vendor is certified against recognized environmental, health and safety standards (e.g., ISO 14001, ISO 45001 or similar)
The TPRA framework remained in place during the reporting year.
Code of Conduct
In addition to the TPRA process, we maintained a Code of Conduct setting out the expectations with which we expect our suppliers to comply. The Supplier Code of Conduct reflects the specific needs of the industry we operate in, taking into account various stakeholders such as patients and healthcare professionals. Suppliers and other stakeholders are aware of the Code of Conduct, and it may be included in legal agreements when necessary.
Payment practices (G1-6)
We use an ERP (Enterprise Resource Planning) system with an integrated invoice processing system. In 2025, we paid invoices on average within 30 days after the start date of the contractual or statutory term, with 77.33% of our payments aligned with the standard payment terms as described above. On December 31, 2025, we had no legal proceedings outstanding for late payments.