NN (NNBR) Risk Analysis

Quality is important to us and our customers, and our products and solutions are held to high quality and performance standards. In the event our products and solutions fail to meet these standards, our reputation could be harmed, which could damage our competitive advantage, causing us to lose customers and resulting in lower revenues. The majority of our products are components of our customers' products that are used in critical industrial applications. A failure of our components could lead to a product recall. If a recall were to happen as a result of our components failing, we could bear a substantial part of the cost of correction. In addition to the cost of fixing the parts affected by the component, a recall could result in the loss of a portion of or all of the customer's business and damage our reputation. A successful product recall claim requiring that we bear a substantial part of the cost of correction, or the loss of a key customer could have a material adverse effect on our business, prospects, financial condition, results of operations, or cash flows.

We obtain a portion of our raw materials from overseas suppliers, actively participate in overseas manufacturing operations, and sell to a large number of international customers. During the year ended December 31, 2025, sales to customers located outside of the U.S. accounted for 46% of our consolidated net sales. Risks related to international operations that have adversely impacted and may continue to adversely impact our business, results of operations and reputation as well as our customers and suppliers include: - changes in tariff regulations and the imposition of trade restrictions or prohibitions, import tariffs or other duties or taxes, which may make our products more costly to export or import - changes in monetary and fiscal policies, laws and regulations, and other activities of governments, agencies and similar organizations;- fluctuations in interest rates and currency exchange rates, including the relative strength or weakness of the U.S. dollar against foreign currencies that are important to our business;- recessions or marked declines specific to a particular country or region;- difficulties establishing and maintaining relationships with local original equipment manufacturers, distributors and dealers;- difficulty in staffing and managing geographically diverse operations;- differing labor regulations;- compliance with respect to anti-bribery, competition, export and import, trade sanctions, data privacy, environmental, human rights and other laws;- political uncertainty, instability, civil unrest, government controls over certain sectors and human rights and forced labor concerns in countries, including but not limited to, China, in which our suppliers, manufacturing operations, and customers are located; and - changes in the geopolitical environment, wars, conflicts, or trade barriers or blockades in the European Union and Asia, which may adversely affect business activity and economic conditions globally and could continue to contribute to instability in global financial and foreign exchange markets, as well as disrupt the free movement of goods, services, and people between countries. These and other risks may also increase the relative price of our products compared to those manufactured in other countries, thereby reducing the demand for our products in the markets in which we operate, which could have a material adverse effect on our business, prospects, financial condition, results of operations, or cash flows. In addition, we could be adversely affected by violations of the Foreign Corrupt Practices Act (the "FCPA") and similar worldwide anti-bribery laws, as well as export controls, which may include International Traffic in Arms Regulation and Export Administration Regulations, and economic sanction laws (collectively, "Trade Laws"). The FCPA and similar anti-bribery laws in other jurisdictions generally prohibit companies and their intermediaries from offering, providing, or authorizing the provision of anything of value directly or indirectly to government officials and other persons for the purpose of obtaining or retaining business. Further, certain Trade Laws may require us to obtain export licenses or authorizations prior to exporting our products and technology, or may even restrict our ability to export our products and services to, or otherwise transact or deal with, certain countries, territories, and persons. We cannot assure you that our internal controls and procedures will prevent violations of Trade Laws committed by our employees or agents. If we are found to be liable for violations of Trade Laws, we could suffer from criminal or civil penalties or other sanctions, including loss of export privileges or authorization needed to conduct aspects of our international business, which could have a material adverse effect on our business, prospects, financial condition, results of operations, or cash flows. We currently source certain raw materials from international suppliers. Import tariffs, taxes, customs duties and/or other trade regulations imposed by the U.S. government on foreign countries, or by foreign countries on the U.S., could significantly increase the prices we pay for raw materials. Changes in U.S. administrative policy have led, and may continue to lead, to significant increases in tariffs for imported goods among other possible changes, which has and may continue to result in foreign governments proposing or implementing their own retaliatory tariffs on goods imported from the U.S. Additionally, our customers' businesses may be negatively impacted by import tariffs, taxes, customs duties and/or other trade regulations imposed by the U.S. government on foreign countries or by foreign countries on the U.S., which could, in turn, reduce our customers' demand for the components that we manufacture for them. Any reduction in customer demand for our components as a result of such tariffs, taxes, customs duties and/or other trade regulations, could have a material adverse effect on our business, prospects, financial condition, results of operations, cash flows or liquidity. We cannot predict whether, and to what extent, there may be changes to international trade agreements or whether quotas, duties, tariffs, exchange controls or other restrictions on our products will be changed or imposed. See "-Changes in U.S. administrative policy, including the imposition of or increases in tariffs, changes to existing trade agreements and any resulting changes in international trade relations, may have an adverse effect on our business." In addition, an open conflict or war across any region could affect our ability to obtain raw materials. The military conflicts (including the ongoing war between Russia and Ukraine and conflict in the Middle East), and related sanctions, export controls or other actions that may be initiated by nations could adversely affect our business and our supply chain or our business partners or customers in other countries. If we are unable to source our products from the countries where we wish to purchase them, either because of the occurrence or threat of wars or other conflicts, regulatory changes or for any other reason, or if the cost of doing so increases, it could have a material adverse effect on our business, financial condition, liquidity and results of operations. Disruptions in the supply of raw materials and components could temporarily impair our ability to manufacture our products for our customers or require us to pay higher prices to obtain these raw materials or components from other sources, which could have a material adverse effect on our business, liquidity and results of operations.

We purchase large quantities of steel, aluminum, alloy and other metal commodities, for the manufacture of our products. We also purchase significant quantities of copper and precious metals, including gold and silver used in the manufacture of certain of our products. Historically, prices for commodities and precious metals have fluctuated, however prices for certain metals, including, but not limited to, silver, have recently shown increased volatility. Significant price increases for these commodities and precious metals have, and could continue to have, an adverse effect on our liquidity and operating profits if we cannot timely mitigate the price increases by successfully sourcing lower cost commodities or precious metals or by passing the increased costs on to customers. Shortages or other disruptions in the supply of these commodities or precious metals could also delay sales or increase costs.

We and the third parties with whom we work are, and may increasingly become, subject to various laws, rules, regulations, treaties, decisions and industry standards, as well as contractual obligations, relating to data privacy and security in the jurisdictions in which we operate. In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, privacy laws, consumer protection laws, and similar laws (e.g., wiretapping laws). Rights provided by such laws may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. For example, the California Consumer Privacy Act of 2018 ("CCPA") applies to personal data of California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides fines and allows private litigants affected by certain data breaches to recover significant statutory damages. The exercise of these rights may impact our business and ability to provide our products and services. Outside the United States, an increasing number of laws, regulations, and industry standards may govern data privacy and security. For example, we may be subject to data protection and privacy laws in the European Union, Brazil, Mexico, and China, including the European Union's General Data Protection Regulation ("EU GDPR"), Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or "LGPD") (Law No. 13,709/2018), Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), and China's Personal Information Protection Law ("PIPL"), each of which imposes strict requirements on the processing of personal data. For example, under GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to the greater of 20 million Euros under the EU GDPR or 4% of annual global revenue; or private litigation brought by classes of data subjects. In addition, we may be unable to transfer personal data from Europe and other jurisdictions to the United States or other countries due to data localization requirements or limitations on cross-border data flows. Europe and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. Although there are currently various mechanisms that may be used to transfer personal data from Europe to the United States in compliance with law, these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures. In addition to data privacy and security laws, we are contractually subject to industry standards adopted by industry groups and may become subject to such obligations in the future. We are also bound by other contractual obligations related to data privacy and security, and our efforts to comply with such obligations may not be successful. We publish privacy policies and other statements concerning data privacy, and security. Regulators in the United States are increasingly scrutinizing these statements, and if these policies, materials or statements are found to be deficient, lacking in transparency, deceptive, unfair, misleading, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators or other adverse consequences. We or third parties with whom we work may at times fail (or be perceived to have failed) in efforts to comply with data privacy and security obligations, and we could face significant consequences, including but not limited to: government enforcement actions, litigation and mass arbitration demands, additional reporting requirements and/or oversight, bans or restrictions on processing personal data, or orders to destroy or not use personal data. Any of these events could result in significant adverse consequences, including fines and penalties, the inability to transfer data and work with partners, vendors and other third parties, and injunctions against our processing or transferring of personal data necessary to operate our business, which could have a material adverse effect on our reputation, business, or financial condition.

Certain of the acquisition agreements from past acquisitions require the former owners to indemnify us against certain liabilities related to the operation of each of their companies before we acquired it. In most of these agreements, however, the liability of the former owners is limited in amount and duration and certain former owners may not be able to meet their indemnification responsibilities. These indemnification provisions may not fully protect us, and as a result we may face unexpected liabilities that adversely affect our profitability and financial position.

We are subject to taxes in a variety of U.S. and foreign jurisdictions, including Mexico. Significant judgment is required to determine our consolidated income tax provision and related liabilities. Our effective tax rate could be affected by various factors, such as changes in the mix of earnings in jurisdictions with varying statutory tax rates, changes in the recognition and/or release of valuation allowances, changes in the amount of unrecognized tax benefits, our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements, and changes to tax rates or tax laws, regulations, or accounting principles (or interpretations thereof). The taxing authorities of the jurisdictions in which we operate may disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations. We currently have a $12.9 million tax refund receivable, which is being processed for refund at the Internal Revenue Service based on provisions in the Coronavirus Aid, Relief, and Economic Security Act. Significant delays in receiving our tax refund could adversely impact us. The U.S. and foreign tax laws and regulations, as well as the administrative interpretations of those laws and regulations, are constantly under review and may be changed at any time, possibly with retroactive effect. For instance, the recently enacted legislation commonly referred to as the One Big Beautiful Bill Act (along with prior U.S. federal tax reform legislation) has resulted in significant changes to the taxation of business entities, including, among other changes, imposition of minimum taxes and excise taxes, changes to the taxation of income derived from international operations, changes in the deduction and amortization of research and development expenditures, and limitations on the deductibility of business interest. Future guidance from the Internal Revenue Service and other tax authorities with respect to these and other legislation may affect us, and certain aspects of such legislation could be repealed or modified in future legislation or sunset in future years. No assurance can be given as to whether, when, or in what form changes to the applicable tax laws applicable to us may be enacted. Changes in tax laws or interpretations of existing tax laws could materially affect our business, cash flow, results of operations, and financial condition.

During 2025, sales to various U.S. and foreign divisions of our ten largest customers accounted for approximately 49% of our consolidated net sales. The loss of all or a substantial portion of sales to these customers would cause us to lose a substantial portion of our revenue and would lower our operating profit margin and cash flows from operations.

Our ability to attract and retain customers, suppliers, investors, and employees is impacted by our reputation. Harm to our reputation can arise from various sources, including employee misconduct, security breaches, unethical behavior, litigation, or regulatory outcomes. The consequences of damage to our reputation include, among other things, increasing the number of litigation claims and the size of damages asserted or subjecting us to enforcement actions, fines, and penalties, all of which would cause us to incur significant defense related costs and expenses.

Approximately 46% of our revenues are denominated in foreign currencies, which may result in additional risk of fluctuating currency values and exchange rates and controls on currency exchange. Changes in the value of foreign currencies could increase our U.S. dollar costs for, or reduce our U.S. dollar revenues from, our foreign operations. Any increased costs or reduced revenues as a result of foreign currency fluctuations could affect our profits. In 2025, the U.S. dollar weakened against foreign currencies which unfavorably affected our revenue by $0.6 million. In contrast, a weakening of the U.S. dollar may beneficially affect our business, prospects, financial condition, results of operations, or cash flows.

Pandemics, epidemics or disease outbreaks in the U.S. or globally have disrupted, and may in the future disrupt, our business, which could materially affect our results of financial condition, results of operations and cash flows. Any such events may adversely impact our global supply chain and global manufacturing operations and cause us to again suspend our operations in countries and states where we operate. In particular, we have experienced, and could continue to experience, among other things: (1) global supply disruptions, especially in China; (2) labor disruptions; (3) an inability to manufacture; (4) an inability to sell and distribute our products to our customers; (5) a decline in customer demand during and following the pandemic, whether as a result of our inability to satisfy customer demand in a timely manner due to raw material shortages, supply chain disruptions, inflationary cost pressures, or work stoppages experienced by one or more of our customers; and (6) an impaired ability to access credit and the capital markets, especially in light of the fluctuating interest rates. Any new pandemic or other public health crises, or future public health crises, could have a material impact on our business, financial condition, results of operations and cash flows going forward and may also have the effect of heightening other risks and uncertainties disclosed below.

In connection with the award of new business, we obligate ourselves to deliver new products and services that are subject to our customers' timing, performance and quality standards. Additionally, we must effectively coordinate the activities of numerous suppliers in order for the program launches of our products to be successful. Given the complexity of new program launches, we may experience difficulties managing product quality, timeliness and associated costs. In addition, new program launches require a significant ramp up of costs; however, our sales related to these new programs generally are dependent upon the timing and success of our customers' introduction of new products. Our inability to effectively manage the timing, quality and costs of these new program launches could adversely affect our financial condition, operating results and cash flows.

We rely upon patents, copyrights, trademarks, and trade secret laws to establish and maintain its proprietary rights for various trade names. There can be no assurance that any of our patents, trademarks or other intellectual property rights will not be challenged, invalidated, or circumvented, or that any rights granted thereunder will provide competitive advantages to us. In addition, there can be no assurance that patents will be issued from pending patent applications filed by us or that claims allowed on any future patents will be sufficiently broad to protect us from infringement. Further, the laws of some foreign countries may not permit the protection of our proprietary rights to the same extent as do the laws of the U.S.

We rely on proprietary and third-party information technology systems to process, transmit and store information and to manage or support our business processes. We store and maintain confidential financial and business information regarding us and persons with whom we do business on our information technology systems. We also collect and hold personal data of our employees in connection with their employment. In addition, we engage third-party service providers that may collect and hold personal data of our employees in connection with providing business services to us, including, but not limited to, web hosting, accounting, payroll and benefit services. The protection of the information technology systems on which we rely is critically important to us. We take steps, and generally require third-party service providers to take steps, to protect the security of the information maintained in our and our service providers' information technology systems, including the use of systems, software, tools, and monitoring to provide security for processing, transmitting, and storing of the information. Despite our security measures and business continuity plans, we face risks associated with security breaches or disruptions to the information technology systems on which we rely, which could result from, among other incidents social-engineering attacks (including through deep fakes, which may be increasingly more difficult to identify as fake, and phishing attacks), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks, credential stuffing attacks, credential harvesting, malicious code (such as computer viruses and worms), ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, personnel misconduct or error, attacks enhanced or facilitated by AI, and other similar threats. Such threats are prevalent and continue to rise, are increasingly difficult to detect, and come from a variety of sources, including traditional computer "hackers," threat actors, "hacktivists," organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors. In particular, severe ransomware attacks are becoming increasingly prevalent – particularly for companies like ours that are engaged manufacturing – and can lead to significant interruptions in our operations, loss of sensitive data and income, reputational harm, and diversion of funds. Extortion payments may alleviate the negative impact of a ransomware attack, but we may be unwilling or unable to make such payments due to, for example, applicable laws or regulations prohibiting such payments. Future or past business transactions (such as acquisitions or integrations) could expose us to additional cybersecurity risks and vulnerabilities, as our systems could be negatively affected by vulnerabilities present in acquired or integrated entities' systems and technologies. Furthermore, we may discover security issues that were not found during due diligence of such acquired or integrated entities, and it may be difficult to integrate companies into our information technology environment and security program. Our third-party service providers could also be the source of a cybersecurity attack on, or breach of, our information technology systems. Techniques used in cybersecurity attacks to obtain unauthorized access, disable or sabotage information technology systems change frequently, as data breaches and other cybersecurity events have become increasingly commonplace, including as a result of the intensification of state-sponsored cybersecurity attacks during periods of geopolitical conflict. The security measures put in place by us and our service providers cannot provide absolute security and there can be no assurance that we or our service providers will not suffer a data security incident in the future, that unauthorized parties will not gain access to sensitive information stored on our or our service providers' systems, that such access will not, whether temporarily or permanently, impact, interfere with, or interrupt our operations, or that any such incident will be discovered in a timely manner. Further, we may be required to expend significant additional resources to continue to enhance information security measures and internal processes and procedures or to investigate and remediate any information security vulnerabilities. Certain data privacy and security obligations have required us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive information. Applicable data privacy and security obligations may require us, or we may voluntarily choose, to notify relevant stakeholders, including affected individuals, customers, regulators, and investors, of security incidents, or to take other actions, such as providing credit monitoring and identity theft protection services. Such disclosures and related actions can be costly, and the disclosure or the failure to comply with such applicable requirements could lead to adverse consequences. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims. In addition to experiencing a security incident, third parties may gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveals competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position. A data security incident could compromise our or our service providers' information technology systems, and the information stored by us or our service providers, including personally identifiable information of employees, could be accessed, misused, publicly disclosed, corrupted, lost, or stolen. Any data breach or a security failure of our or our service providers' information technology systems could interrupt our operations, result in downtime, divert our planned efforts and resources from other projects, damage our reputation and brand, damage our competitive position or subject us to liability claims or regulatory penalties under applicable law. Various events described above have occurred in the past and may occur in the future. Although impacts of past events have been immaterial, the impacts of such events in the future may materially and adversely affect our business, financial condition, or results of operations.