Stevanato Group (STVN) Risk Analysis

Our customer base includes leading pharmaceutical, biologic, diagnostic and medical device companies worldwide. Many factors, including public policy spending priorities, available resources and product and economic cycles, have a significant effect on the capital spending policies of these entities. For instance, any change in the international healthcare systems, including the Patient Protection and Affordable Care Act (the "PPACA") in the U.S., resulting in a reduced ability of pharmaceutical companies and healthcare providers to receive reimbursements by government authorities, private insurers and other third-party payers for the costs of our products, could result in reduced demand for our products. More recently, the Inflation Reduction Act (the "IRA") was signed into law. Among other things, the IRA requires manufacturers of certain drugs to engage in price negotiations with Medicare (beginning in 2026) with prices that can be negotiated subject to a cap; imposed rebates under Medicare Part B and Medicare Part D to penalize price increases that outpace inflation (first due in 2023); and replaces the Part D coverage gap discount program with a new discounting program (beginning in 2025), all factors which could impact our business by affecting our ability to achieve value-based price, maintaining an acceptable return on our investments in R&D of our products, creating a potential financial impact to the Company to the extent our products are used in connection with drugs that are impacted by the IRA pricing provisions under the IRA and impacting our ability to research and develop new products. Fluctuations in the research and development budgets of our customers could have a significant effect on the demand for our products. Our customers determine their research and development budgets based on several factors, including the need to develop new products, continued availability of governmental funding and other incentives, competition and the general availability of resources. Any reduction in research and development budgets or a shift of any funding source currently allocated to our business sector to different areas of research, could adversely affect our business, financial condition and results of operations.

In addition to registered intellectual property rights, we rely on trade secrets and confidential know-how to protect our technology, especially because we believe that patent protection alone would not be sufficient to protect our business. However, trade secrets and confidential know-how are difficult to protect, and we have limited control over the protection of trade secrets and confidential know-how used by our licensors, collaborators and suppliers. To protect this type of information against disclosure or appropriation by competitors, our usual practice is to require our directors, employees, consultants, contractors and advisors to enter into confidentiality agreements and, if applicable, material transfer agreements, consulting agreements or other similar agreements with us prior to beginning research or disclosing proprietary information. Moreover, we put in place appropriate procedures to identify confidential information and restrict access to documentation. However, current or former employees, consultants, contractors and advisers may unintentionally or willfully disclose our confidential information to competitors, we have entered into, and may in the future enter into additional, collaborations with our competitors, and confidentiality agreements may not provide an adequate remedy in the event of unauthorized disclosure of confidential information. In addition, the need to share trade secrets and other confidential information increases the risk that such trade secrets become known to our competitors, are inadvertently incorporated into the technology of others, or are disclosed or used in violation of these agreements. It may then be possible for unauthorized third parties to copy aspects of, or otherwise obtain and use, our proprietary information without authorization. However, enforcing a claim that a third party obtained illegally and is using trade secrets and/or confidential know-how is expensive, time consuming and the outcome is unpredictable, and the enforceability of confidentiality agreements may vary from jurisdiction to jurisdiction. Moreover, if any of our trade secrets and confidential know-how were to be lawfully obtained or independently developed by a competitor or other third party, we would have no right to prevent them from using that technology or information to compete with us. In some cases, we have entered into joint development agreements with our competitors that necessitate the sharing of certain trade secrets with these competitors. Given that our competitive position is based, in part, on our know-how and trade secrets, a competitor's knowledge of our trade secrets or other unauthorized use or disclosure could impair our competitive position and may have an adverse effect on our business and results of operations.

We depend on standardized procedures and multiple information systems for our operations, customer service and quality and safety procedures. Furthermore, we rely on information technology systems to process, transmit, store and protect electronic information, including confidential customer, supplier, employee or other business information. Through our online platform, we collect and store confidential information that website users provide to us when submitting queries or job applications or information that third party vendors relay to us. We use commercially available third-party technology solutions, software and software systems with some proprietary configurations. We also store data using third-party cloud services. Our information systems may be subject to damage or interruption from power outages, computer and telecommunications failures, computer viruses, security breaches, vandalism, catastrophic events, natural disasters, terrorist attacks, hackers and other security issues as well as human error, all of which are made more vulnerable by the rapid evolution of technology and increasing adoption of new technologies such as artificial intelligence. If our information systems are damaged, fail to work properly or otherwise become unavailable, we may incur substantial costs to repair or replace them, and we may experience a loss of critical information, customer disruption and interruptions or delays in our ability to perform essential functions and implement new and innovative services. If the cloud service providers we use were to experience unplanned downtime, delays or other issues delivering data to our information technology systems, it could adversely impact business operations. The compromising of our information systems or those with which we interact could harm our reputation and expose us to regulatory actions and claims from customers and other persons, any of which could adversely affect our business, financial condition and results of operations. In addition, we may not have the necessary resources to enhance existing information systems or implement new systems where necessary to handle our increasing volume and/or our changing needs, and we may experience unanticipated delays, complications and expenses in implementing and integrating our systems. Any interruptions in operations would adversely affect our ability to properly allocate resources and timely deliver our products, which could result in customer dissatisfaction. We currently rely on certain legacy systems that are no longer supported by their respective manufacturers, with only a small number of current employees able to maintain these systems. Any failure of these systems could have a business impact. The failure to successfully implement and maintain information systems could have an adverse effect on our ability to obtain new business, retain existing business and maintain or increase our sales and profit margins, any of which could adversely affect our business, financial condition and results of operations.

As a result of our prior status as an emerging growth company, our previous registered public accounting firm was not obligated or required to perform an audit of our internal control over financial reporting during any period in accordance with the provisions of the Sarbanes-Oxley Act. It is possible that, had our previous registered public accounting firm performed an audit of our internal control over financial reporting in accordance with the provisions of the Sarbanes-Oxley Act, significant deficiencies and/or material weaknesses would have been identified. The continued presence of material weaknesses and/or significant deficiencies in any future financial reporting periods could result in financial statement errors that, in turn, could lead to errors in our financial reports, delays in our financial reporting, and that could require us to restate our operating results, investors may lose confidence in the accuracy and completeness of our financial reports and the market price of our ordinary shares could be materially and adversely affected. We might also not identify one or more material weaknesses and/or significant deficiencies in our internal controls in connection with evaluating our compliance with Section 404(a) of the Sarbanes-Oxley Act. Furthermore, Section 404(b) of the Sarbanes Oxley Act ("Section 404(b)") requires our independent registered public accounting firm to issue an annual report that addresses the effectiveness of our internal control over financial reporting. When we still had our emerging growth company status, we had opted to rely on the exemptions provided in the JOBS Act, and consequently were not required to comply with SEC rules that implement Section 404(b). Now that we are no longer an emerging growth company, our independent registered public accounting firm is required to attest to the effectiveness of our internal control over financial reporting. In order to achieve and maintain compliance with the requirements of Section 404(a), we need to expend significant resources and provide significant management oversight. Implementing any appropriate changes to our internal controls may require specific compliance training of our directors and employees, entail substantial costs in order to modify our existing accounting systems, take a significant period of time to complete and divert management's attention from other business concerns. These changes may not, however, be effective in maintaining the adequacy of our internal controls. As disclosed in more detail under Item 15, "Controls and Procedures" below, we identified material weaknesses as of December 31, 2025 in our internal control over financial reporting. Our management has taken actions to remediate the previously identified material weaknesses as of December 31, 2024 by implementing our remediation plans throughout the fiscal year ending December 31, 2025; however, for certain of the items, remediation has not been fully completed to-date resulting in an extension of our remediation plans through the fiscal year ending December 31, 2026. There can be no assurance that all such remediation efforts will be successful, that our internal control over financial reporting will be effective as a result of these efforts or that any such future deficiencies identified may not be material weaknesses that would be required to be reported in future periods. In addition, we cannot assure you that our independent registered public accounting firm will be able to attest that such internal controls are effective. If either we are unable to conclude that we have effective internal control over financial reporting or, at the appropriate time, our independent registered public accounting firm issues an adverse opinion on the effectiveness of our internal control over financial reporting as required by Section 404(b), investors may lose confidence in our operating results, the price of our ordinary shares could decline, and we may be subject to litigation or regulatory enforcement actions. In addition, if we are unable to meet the requirements of Section 404, we may not be able to remain listed on the NYSE.

Our business involves risk of product liability claims related to providing incorrect product information at the time of purchase, claims for defective containment solutions which may impair drug efficacy and other claims in the ordinary course of business. Furthermore, there may be product liability risks that are unknown or which become known in the future. We may also face claims raised by our present employees for injury deriving from the lifting and handling of loads and the use of heavy machinery, as well as claims raised by our present and past employees for injury and illness from hazardous substances used or present at certain of our facilities. Substantial, complex or extended litigation on any claim could cause us to incur significant costs and distract our management. For example, lawsuits by governmental authorities, employees, shareholders, suppliers, collaborators, distributors, customers, competitors or others could be very costly and substantially disrupt our business. Our exposure to such claims may increase as we seek to increase the geographic scope of our sourcing and sales activities and to the extent that we expand our manufacturing operations. We maintain insurance policies but we cannot assure you that our insurance coverage will be available in all pending or any future cases brought against us. Furthermore, our ability to recover under any insurance is subject to the terms and conditions of such insurance, as well as the financial viability of our, and such third parties', insurers, as well as legal enforcement under the local laws governing these arrangements. Insurance coverage in general or coverage for certain types of liabilities, such as product liability in developing markets, may not be readily available for purchase or cost-effective for us to purchase. Furthermore, many of our insurance policies are subject to deductibles and retentions. Accordingly, we could be subject to uninsured and unindemnified future liabilities requiring us to provide additional reserves to address such liabilities. An unfavorable result in a case for which adequate insurance or indemnification is not available could adversely affect our business, financial condition and results of operations. Occasionally, we are also involved in disputes, litigation and regulatory matters incidental to and in the ordinary course of our business, including employment matters, commercial disputes, government compliance matters, environmental matters, and other matters arising out of the normal conduct of our business. Where merited, we will vigorously defend ourselves in such matters. There can be no assurance that the impact of any pending or future claims will not be material to our business, financial condition or results of operations.

We operate in many different jurisdictions throughout the world, through our group companies. Over recent years, tax laws and practice applicable in various countries have become increasingly complex and sophisticated, particularly with respect to cross-border transactions. Italy has historically implemented a number of domestic provisions - including those implementing EU anti-abuse Directives and OECD principles - aimed at facing tax basis erosion schemes and allocation of income between associated enterprises adopted by multinational groups. Italian Tax authorities are increasingly scrutinizing multinational groups based on these provisions by also enforcing exchange of information instruments in force with foreign tax authorities. The combination of the above factors may lead to an increased likelihood of tax audits with respect, among other things, to: (i) tax residence, (ii) permanent establishment, (iii) transfer pricing, (iv) Controlled Foreign Company legislation, (v) taxation of dividends and capital gains derived upon interests held in companies located in low-tax Jurisdictions, (vi) withholding tax application on cross-border payments, and (vii) anti-hybrid mismatches. In any such case, depending on the specific circumstances, tax audits and/or tax litigations with the Italian tax authorities could result in tax liabilities and fines and penalties of significant amounts, which could be in excess of the amounts. We provide for in our financial statements for tax liabilities.

EU Member States, the United Kingdom and many other non-US jurisdictions have adopted statutes and/or regulations concerning privacy and data protection and requiring notification of personal data security breaches if certain thresholds are met. For example, the EU adopted the General Data Protection Regulation ("GDPR"), which became effective in 2018, and the UK transposed the GDPR into national law ("UK GDPR") following the exit of the United Kingdom from the European Union, which became effective in 2021 (collectively, Applicable Data Protection Laws). The Applicable Data Protection Laws impose strict requirements on controllers and processors of personal data in the European Economic Area, or EEA and the United Kingdom, including, for example, higher standards for obtaining consent from individuals to process their personal data, more robust disclosures to individuals and a strengthened individual data rights regime and shortened timelines for data breach notifications. Failure to comply with the GDPR or UK GDPR may result in monetary penalties of up to €20.0 million or 4% of an undertaking's total worldwide annual turnover of the previous financial year, whichever is higher. Given the EU GDPR and UK GDPR are separate regimes, fines could arise under each in respect of a single incident, to the extent it affects EEA and UK personal data. In addition to fines, a breach of the GDPR or UK GDPR may result in regulatory investigations, reputational damage, orders to cease/change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) or civil claims (including class actions). The UK GDPR is in a currently substantially unvaried form from the GDPR, however, it is likely to be subject to divergence from the GDPR over time. We may therefore be subject in the future to separate and additional data protection obligations to those to which we are already subject. This may result in additional costs and may necessitate changes to our business practices, which in turn may compromise our growth strategy and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations. In recent years, the United States and European lawmakers and regulators have expressed concern over electronic marketing and the use of third-party cookies, web beacons and similar technology for online behavioral advertising. In the European Union, marketing is defined broadly to include any promotional material and the rules specifically on e-marketing are currently set out in the ePrivacy Directive which will be replaced by a new ePrivacy Regulation. In the EEA and in the UK under national laws derived from the e-Privacy Directive, informed consent is required for the placement of a cookie or similar technologies on a user's device and for e-marketing. The GDPR and UK GDPR also impose conditions on obtaining valid consent for cookies, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. Recent European court decisions and regulators' recent guidance are driving increased attention to cookies and tracking technologies and the online behavioral advertising ecosystem. This could lead to substantial costs, require significant systems changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, increase costs and subject us to additional liabilities. In addition, regulation of cookies and similar technologies, and any decline of cookies or similar online tracking technologies as a means to identify and potentially target users, may lead to broader restrictions and impairments on our marketing and personalization activities and may negatively impact our efforts to understand users. Finally, the current national laws that implement the e-Privacy Directive are highly likely to be replaced across the EU (but not the UK) with a EU regulation known as the e-Privacy Regulation which, though still in development, will if adopted, impose new obligations on the use of personal data in the context of electronic communications, particularly in relation to online tracking technologies, and significantly increase regulators' ability to impose fines for non-compliance. This again introduces the possibility we will be subject to, and required to comply with, a separate and additional legal regime with respect to data privacy, which may result in additional costs and may necessitate changes to our business practices, which in turn may compromise our growth strategy and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations. On August 20, 2021, the Standing Committee of the National People's Congress of the People's Republic of China promulgated the so-called Personal Information Protection Law (the "PIPL"), which entered into force on November 1, 2021. The PIPL, regarded as China's version of the GDPR, aims at protecting the personal information rights and interests ensuring the orderly and free flow of personal information in accordance with the law, and promotes the reasonable use of personal information. The PIPL regulates how business operators may collect, use, process, share, and transfer personal information in China and supplements the existing data protection regime previously established by the Cybersecurity Law ("CSL") and other fragmented national guidelines. Under the PIPL, personal information handlers must adopt necessary measures to safeguard the security of personal information. The PIPL further mandates that, in case of violations, the business operators can receive orders of rectification, suspension, termination of provision of services, or confiscation of illegal income. There are also numerous U.S. federal and state laws and regulations related to the privacy and security of personal information. For example, the California Consumer Privacy Act of 2018, which came into effect in 2020, requires disclosures of our privacy practices to California consumers and affords such consumers certain rights, such as the right to opt out of the sale of their personal data. The California Privacy Rights Act of 2020 amended the California Consumer Privacy Act of 2018 which came into effect on January 1, 2023, imposes additional data protection obligations on companies doing business in California and grants California consumers additional rights, potentially resulting in further complexity for our compliance efforts. Additionally, the Gramm-Leach-Bliley Act of 1999 (along with its implementing regulations) (the "GLBA") restricts certain collection, processing, storage, use and disclosure by covered companies of certain personal information, requires notice to individuals of privacy practices and provides individuals with certain rights to prevent the use and disclosure of certain non-public or otherwise legally protected information. The GLBA also imposes requirements regarding the safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. State laws are changing rapidly (with at least ten such states (in addition to California) enacting comprehensive privacy laws scheduled to take effect starting in 2023, and privacy bills proposed in a number of other states in varying stages of the legislative process), and there is discussion in Congress of a new comprehensive federal data protection law to which we would become subject if it were enacted, which may lead to additional complexity for our compliance efforts and new restrictions regarding how we use data, and which may expose us to potential legal risks. More recently, privacy and data protection regulators have been paying special attention to emerging issues linked to new technologies, such as the use of artificial intelligence, biometrics, and surveillance technologies, which pose unique challenges to existing privacy and data protection paradigms. The evolving regulatory landscape may require additional investment of resources in our compliance programs, impact our strategies and the availability of information useful for our business, and could otherwise result in increased compliance costs or changes in our business practices and policies. The cross-border data transfer landscape globally (including in the EEA, United Kingdom and United States) is continually evolving, and other countries outside of Europe have enacted or are considering enacting cross-border data transfer restrictions and laws requiring data localization, which may affect our ability to process or transfer personal data from Europe or elsewhere. The EU's adequacy decision with respect to the UK, which allows the continued flow of personal data from the EU to the UK following Brexit, will be regularly reviewed and may be revoked if the UK diverges from its current adequate data protection laws. The UK has developed its own international data transfer agreement, which was implemented in March 2022. GDPR and UK GDPR, as well as other statutes and/or regulations concerning privacy and data protection, increase compliance obligations, affect collection, processing, retention and transfer of personal data and the reporting of personal data security breaches, and provide for increased penalties for non-compliance. On July 11, 2023, the European Commission entered into force its adequacy decision for the EU-US Data Privacy Framework (a new framework for transferring personal information from the EEA to the United States), having determined that such framework ensures that the protection of personal information transferred from the EEA to the US will be comparable to the protection offered in the EU. The UK has also approved a UK extension to the EU-US Data Privacy Framework, which were laid before Parliament in September 2023 and come into force on October 12, 2023. However, this decision will likely face legal challenges and ultimately may be invalidated by the Court of Justice of the European Union ("CJEU"). We are also reliant on certain manual processes for collecting and processing data, and any failures in these processes or failure to handle the data collected in accordance with relevant regulations could lead to enforcement actions. Complying with all applicable laws, regulations, standards and obligations relating to data privacy, security and transfers may cause us to incur substantial operational costs or require us to modify our data processing practices and processes. Government enforcement actions can be costly and interrupt the regular operation of our business, and data breaches or violations of data privacy laws can result in significant fines, reputational damage and civil lawsuits, any of which may adversely affect our business, financial condition and results of operations. We may not be able to respond quickly or effectively to regulatory, legislative and other developments, and these changes may in turn impair our ability to commercialize our products or increase our cost of doing business. In addition, if our practices are not consistent or viewed as not consistent with legal and regulatory requirements, including changes in laws, regulations and standards or new interpretations or applications of existing laws, regulations and standards, we may become subject to audits, inquiries, whistleblower complaints, adverse media coverage, investigations, loss of export privileges, severe criminal or civil sanctions or reputational damage. Any of the foregoing could have an adverse effect on our competitive position, business, financial condition, results of operations and prospects.

Certain of our manufacturing processes involve heating glass to extremely high temperatures, forming plastic and operating heavy machinery and equipment, which entail a number of risks and hazards, including industrial accidents, leaks and ruptures, explosions, fires, mechanical failures and environmental hazards, such as spills, storage tank leaks, discharges or releases of toxic or hazardous substances and gases, including into the environment. Any of these events, which are generally more likely to occur as our machines approach time for refurbishment, could lead to requirements for environmental remediation and civil, criminal and administrative sanctions and liabilities. These hazards may cause unplanned business interruptions (also as a consequence of remediation actions), unscheduled downtime, transportation interruptions, personal injury and loss of life, severe damage to or the destruction of property and equipment, environmental contamination and other environmental damage, civil, criminal and administrative sanctions and liabilities and third-party claims, any of which may have a material adverse effect on our business, financial condition, results of operations and cash flows. In addition, under applicable local laws, including Italian law, our directors and officers may be subject to criminal liability, in connection with injuries occurred to our employees, as a result of workplace health and safety violations by reason of their position as employers (posizione di garanzia). Convictions of our directors and officers could negatively impact our reputation. Moreover, due to the long industrial history of our manufacturing facilities and the subsequent lack of detailed information regarding historical waste and chemical storage and disposal, the risk of soil, water or groundwater contamination and related civil, administrative and criminal liabilities cannot be eliminated.

Our success largely depends on the skills, experience and continued efforts of our management, including our Chief Executive Officer and our senior leadership, as well as of our research and development and highly skilled employees. The replacement of certain members of our global leadership team would likely involve the expenditure of significant time and financial resources, and the loss of any such individual may significantly delay or prevent the achievement of our business objectives. Likewise, the members of our research and development team and our highly skilled employees, whom our customers and competitors often seek to engage, may be difficult to replace in light of their sophisticated skills and experience and a shortage of such employees or wage inflation could disrupt our operations. As we continue to grow, our success also depends on our ability to attract, motivate and retain highly qualified individuals who will also fit within our culture. Competition for senior management and other personnel in our industry is intense, and the pool of suitable candidates is limited. If qualified personnel become scarce or difficult to attract or retain in our industry for compensation-related or other reasons, we could experience higher labor, recruiting or training costs. Further, new hires may require significant training and time before they achieve full productivity and may not become as productive as we expect. The failure to attract, retain and properly motivate members of our senior management team and other employees, to find suitable replacements for them in the event of death, illness or their desire to pursue other professional opportunities, or to maintain our corporate culture as we continue to grow, could have a negative effect on our operating results.

Changes in political conditions in the United States and China and changes in the state of China-U.S. relations are difficult to predict. The trade policy of the U.S. Trump administration could trigger retaliatory actions by China which could, in turn, adversely affect our business. For instance, the U.S. Trump administration has called for substantial changes to trade agreements and imposed significant increases on tariffs on goods imported into the United States, particularly from China. Other countries have responded similarly, with tariffs on goods entering their respective countries. We currently have facilities and sell products in China and have invested, and expect to continue investing, in the country, and if the Chinese government makes any changes to its laws or policy concerning foreign ownership of companies or assets located within China, or imposes any significant increases on tariffs on goods imported into or out of China, it could have a significant impact on our business and financial results. If import and export controls on pharmaceutical products are increased, our supply chain and flow of our products would be disrupted. Any future legislative proposals in the U.S. which pose disruption risks to our operations in China could significantly impact our ability to work and operate in the region, including by impacting our ability to source raw materials in adequate quantities to meet our needs, impairing our ability to operate our business on a day-to-day basis and impeding, delaying, limiting or preventing the research, development or commercialization of our current and future products. In addition, for any activities conducted in China, we are exposed to political unrest or unstable economic conditions in China, including the future appreciation of the Chinese local currency and increased labor costs amidst declining availability of skilled labor.