Stevanato Group (STVN) Risk Factors

We sell our products in industries that are characterized by significant technological changes, frequent new product and technology introductions and enhancements and evolving regulatory requirements and industry standards. As a result, our customers' needs continue to evolve and our products may be superseded by new technologies (for instance, if certain drugs are no longer administered through injection) or their demand may decline. For instance, as our sales and profitability are largely dependent on the sale of products delivered by injection, if our customers reconfigure their drug product or develop new drug products requiring less frequent dosing, our sales and profitability may suffer. Likewise, if we do not appropriately innovate and invest in new products and technologies, and be open to broadening the scope of our offerings, our product offerings may become less desirable in the markets we serve, and, although changing providers is a lengthy process for our customers, they could move to new technologies offered by our competitors, especially if such competitors are able to react more directly and effectively to a customer's specific demand. Though we believe customers in our markets display a significant amount of loyalty to a particular product, we also believe that because of the initial time investment required by many of our customers to reach a purchasing decision for a new product, it may be difficult to regain a customer once that customer purchases a product from a competitor. Moreover, there is a risk that significant amounts of time and resources that we invest in research, development and identification of new products may not result in the expected positive results for our business. If we invest our resources into a new product or product enhancements that fail to meet our high-quality standards and market expectations or do not perform as intended, this could adversely affect our business. Our current customers may decide not to purchase these new products or product enhancements and / or purchase a product from a competitor or cease doing business with us altogether. It can take significant time to identify an unmet customer need and develop a product to meet that need, and to the extent we fail to obtain desired levels of market acceptance, our business, financial condition or results of operations could be adversely affected. Our estimates of our addressable market include several key assumptions based on our industry knowledge, industry publications, third-party research and other surveys, which may be based on a small sample size and may fail to accurately reflect market opportunities. While we believe that our internal assumptions are reasonable, no independent source has verified such assumptions. Industry publications, research, surveys, studies and forecasts generally state that the information they contain has been obtained from sources believed to be reliable. If any of our assumptions or estimates, or these publications, research, surveys or studies prove to be inaccurate, then the actual market for our products may be smaller than we expect, and as a result, our product revenue may be limited and our business, financial condition or results of operations could be adversely affected.

Although we currently own trademark registrations and have trademark applications pending, it may be possible that some trademarks may be the subject of a governmental or third-party objection, which could prevent the registration or maintenance of the same. We cannot assure you that any currently pending trademark applications or any trademark applications we may file in the future will be approved. If we are unsuccessful in obtaining trademark protection for our primary brands, we may be required to change our brand names; additionally, if competitors try to adopt trade names or trademarks similar to ours, this might impede our ability to build brand identity and possibly lead to market confusion, adversely affecting our business in the long-term. In addition, there could be potential trade name or trademark infringement claims brought by owners of other registered trademarks or trademarks that incorporate variations of our unregistered trademarks or trade names. Our efforts to enforce or protect our proprietary rights related to trademarks, trade secrets, domain names, copyrights or other intellectual property may be ineffective and could result in substantial costs and diversion of resources and could adversely impact our financial condition or results of operations.

Our operations in China are governed by Chinese laws and regulations. The Chinese legal system is based in part on government policies and internal rules, some of which are not published in a timely manner or at all and may have retroactive effect. As a result, we may be in violation of some of these policies and rules, without being aware of such violation. Such unpredictability towards our contractual, property and procedural rights could adversely affect our business and impede our ability to continue our operations in China. Furthermore, if China adopts more stringent standards with respect to environmental protection or corporate social responsibilities, we may incur increased compliance costs or become subject to additional restrictions in our operations. Intellectual property rights and confidentiality protections in China may also not be as effective as in the United States or other countries. The Chinese government continues to exercise significant oversight and control over virtually every sector of the Chinese economy through regulation and state ownership. The ability of our Chinese subsidiaries to operate may be impaired by changes in its laws and regulations, including those relating to taxation, land use rights, foreign investment limitations, and other matters.

Certain of the acquisition agreements by which we have acquired companies or businesses require the former owners to indemnify us against certain liabilities related to the operation of the company or business before we acquired it. In most of these agreements, however, the liability of the former owners is limited, and certain former owners may be unable to meet their indemnification responsibilities. While we are protected by representation and warranties and related indemnification in relation to such acquisitions, these may not be enough to cover our exposure if a significant liability arose in connection with any acquisition agreement. We cannot assure you that these indemnification provisions will protect us fully or at all, and as a result we may face unexpected liabilities that adversely affect our business, financial condition and results of operations.

A non-U.S. corporation such as the Company will be classified as a PFIC for U.S. federal income tax purposes for any taxable year if either: (i) 75% or more of its gross income for such year consists of certain types of "passive income" or (ii) 50% or more of the value of its assets (determined on the basis of a quarterly average) during such year is attributable to assets that produce or are held for the production of passive income. Whether we are treated as a PFIC is a factual determination that is made on an annual basis after the close of each taxable year. This determination will depend on, among other things, the composition of our income and assets, as well as the value of our assets (which generally will be determined by reference to the public price of our shares, which may fluctuate significantly), from time to time. Based on the current and anticipated composition of our income, assets and operations and the price of our shares, we do not believe we were a PFIC for U.S. federal income tax purposes for our most recent taxable year and do not expect to be a PFIC for the current taxable year or in foreseeable future years. Nevertheless, there can be no assurance that we will not be a PFIC for any taxable year. If we are treated as a PFIC for any taxable year during which a U.S. Holder (as defined below) holds our shares, such U.S. Holder could be subject to adverse U.S. federal income tax consequences. See "Income Tax Considerations-U.S. Federal Income Tax Considerations – Passive Foreign Investment Company."

EU Member States, the United Kingdom and many other non-US jurisdictions have adopted statutes and/or regulations concerning privacy and data protection and requiring notification of personal data security breaches if certain thresholds are met. For example, the EU adopted the General Data Protection Regulation ("GDPR"), which became effective in 2018, and the UK transposed the GDPR into national law ("UK GDPR") following the exit of the United Kingdom from the European Union, which became effective in 2021 (collectively, Applicable Data Protection Laws). The Applicable Data Protection Laws impose strict requirements on controllers and processors of personal data in the European Economic Area, or EEA and the United Kingdom, including, for example, higher standards for obtaining consent from individuals to process their personal data, more robust disclosures to individuals and a strengthened individual data rights regime and shortened timelines for data breach notifications. Failure to comply with the GDPR or UK GDPR may result in monetary penalties of up to €20.0 million or 4% of an undertaking's total worldwide annual turnover of the previous financial year, whichever is higher. Given the EU GDPR and UK GDPR are separate regimes, fines could arise under each in respect of a single incident, to the extent it affects EEA and UK personal data. In addition to fines, a breach of the GDPR or UK GDPR may result in regulatory investigations, reputational damage, orders to cease/change our data processing activities, enforcement notices, assessment notices (for a compulsory audit) or civil claims (including class actions). The UK GDPR is in a currently substantially unvaried form from the GDPR, however, it is likely to be subject to divergence from the GDPR over time as demonstrated by the Data Protection and Digital Information (No. 2) Bill which is under the United Kingdom Parliament's consideration and expected to come into force in 2024. We may therefore be subject in the future to separate and additional data protection obligations to those that we are already subject to. This may result in additional costs and may necessitate changes to our business practices, which in turn may compromise our growth strategy and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations. In recent years, the United States and European lawmakers and regulators have expressed concern over electronic marketing and the use of third-party cookies, web beacons and similar technology for online behavioral advertising. In the European Union, marketing is defined broadly to include any promotional material and the rules specifically on e-marketing are currently set out in the ePrivacy Directive which will be replaced by a new ePrivacy Regulation. In the EEA and in the UK under national laws derived from the e-Privacy Directive, informed consent is required for the placement of a cookie or similar technologies on a user's device and for e-marketing. The GDPR and UK GDPR also impose conditions on obtaining valid consent for cookies, such as a prohibition on pre-checked consents and a requirement to ensure separate consents are sought for each type of cookie or similar technology. Recent European court decisions and regulators' recent guidance are driving increased attention to cookies and tracking technologies and the online behavioral advertising ecosystem. This could lead to substantial costs, require significant systems changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, increase costs and subject us to additional liabilities. In addition, regulation of cookies and similar technologies, and any decline of cookies or similar online tracking technologies as a means to identify and potentially target users, may lead to broader restrictions and impairments on our marketing and personalization activities and may negatively impact our efforts to understand users. Finally, the current national laws that implement the e-Privacy Directive are highly likely to be replaced across the EU (but not the UK) with a EU regulation known as the e-Privacy Regulation which, though still in development, will if adopted, impose new obligations on the use of personal data in the context of electronic communications, particularly in relation to online tracking technologies, and significantly increase regulators' ability to impose fines for non-compliance. This again introduces the possibility we will be subject to, and required to comply with, a separate and additional legal regime with respect to data privacy, which may result in additional costs and may necessitate changes to our business practices, which in turn may compromise our growth strategy and otherwise adversely affect our business, reputation, legal exposures, financial condition and results of operations. On August 20, 2021, the Standing Committee of the National People's Congress of the People's Republic of China promulgated the so-called Personal Information Protection Law (the "PIPL"), which entered into force on November 1, 2021. The PIPL, regarded as China's version of the GDPR, aims at protecting the personal information rights and interests ensuring the orderly and free flow of personal information in accordance with the law, and promotes the reasonable use of personal information. The PIPL regulates how business operators may collect, use, process, share,and transfer personal information in China and supplements the existing data protection regime previously established by the Cybersecurity Law ("CSL") and other fragmented national guidelines. Under the PIPL, personal information handlers must adopt necessary measures to safeguard the security of personal information. The PIPL further mandates that, in case of violations, the business operators can receive orders of rectification, suspension, termination of provision of services, or confiscation of illegal income. There are also numerous U.S. federal and state laws and regulations related to the privacy and security of personal information. For example, the California Consumer Privacy Act of 2018, which came into effect in 2020, requires disclosures of our privacy practices to California consumers and affords such consumers certain rights, such as the right to opt out of the sale of their personal data. The California Privacy Rights Act of 2020 amended the California Consumer Privacy Act of 2018 which came into effect on January 1, 2023, imposes additional data protection obligations on companies doing business in California and grants California consumers additional rights, potentially resulting in further complexity for our compliance efforts. Additionally, the Gramm-Leach-Bliley Act of 1999 (along with its implementing regulations) (the "GLBA") restricts certain collection, processing, storage, use and disclosure by covered companies of certain personal information, requires notice to individuals of privacy practices and provides individuals with certain rights to prevent the use and disclosure of certain non-public or otherwise legally protected information. The GLBA also imposes requirements regarding the safeguarding and proper destruction of personal information through the issuance of data security standards or guidelines. State laws are changing rapidly (with at least ten such states (in addition to California) enacting comprehensive privacy laws scheduled to take effect starting in 2023, and privacy bills proposed in a number of other states in varying stages of the legislative process), and there is discussion in Congress of a new comprehensive federal data protection law to which we would become subject if it were enacted, which may lead to additional complexity for our compliance efforts and new restrictions regarding how we use data, and which may expose us to potential legal risks. The evolving regulatory landscape may require additional investment of resources in our compliance programs, impact our strategies and the availability of information useful for our business, and could otherwise result in increased compliance costs or changes in our business practices and policies. The cross-border data transfer landscape globally (including in the EEA, United Kingdom and United States) is continually evolving, and other countries outside of Europe have enacted or are considering enacting cross-border data transfer restrictions and laws requiring data localization, which may affect our ability to process or transfer personal data from Europe or elsewhere. The EU's adequacy decision with respect to the UK, which allows the continued flow of personal data from the EU to the UK following Brexit, will be regularly reviewed and may be revoked if the UK diverges from its current adequate data protection laws. The UK has developed its own international data transfer agreement, which was implemented in March 2022. GDPR and UK GDPR, as well as other statutes and/or regulations concerning privacy and data protection, increase compliance obligations, affect collection, processing, retention and transfer of personal data and the reporting of personal data security breaches, and provide for increased penalties for non-compliance. On July 11, 2023, the European Commission entered into force its adequacy decision for the EU-US Data Privacy Framework (a new framework for transferring personal information from the EEA to the United States), having determined that such framework ensures that the protection of personal information transferred from the EEA to the US will be comparable to the protection offered in the EU. The UK has also approved a UK extension to the EU-US Data Privacy Framework, which were laid before Parliament in September 2023 and come into force on October 12, 2023. However, this decision will likely face legal challenges and ultimately may be invalidated by the Court of Justice of the European Union ("CJEU"). We are also reliant on certain manual processes for collecting and processing data, and any failures in these processes or failure to handle the data collected in accordance with relevant regulations could lead to enforcement actions. Complying with all applicable laws, regulations, standards and obligations relating to data privacy, security and transfers may cause us to incur substantial operational costs or require us to modify our data processing practices and processes. Government enforcement actions can be costly and interrupt the regular operation of our business, and data breaches or violations of data privacy laws can result in significant fines, reputational damage and civil lawsuits, any of which may adversely affect our business, financial condition and results of operations. We may not be able to respond quickly or effectively to regulatory, legislative and other developments, and these changes may in turn impair our ability to commercialize our products or increase our cost of doing business. In addition, if our practices are not consistent or viewed as not consistent with legal and regulatory requirements, including changes in laws, regulations and standards or new interpretations or applications of existing laws, regulations and standards, we may become subject to audits, inquiries, whistleblower complaints, adverse media coverage, investigations, loss of export privileges, severe criminal or civil sanctions or reputational damage. Any of the foregoing could have an adverse effect on our competitive position, business, financial condition, results of operations and prospects.

Most of our products are highly exacting and complex due to their use for containment and injection of biologic drugs and vaccines. Providing high-quality products that deliver specificity, sensitivity and consistency, together with extensive product validation data is a fundamental driver of customer loyalty and our reputation with life sciences researchers. Our operating results depend on our ability to execute and, when necessary, improve our global quality control systems, including our ability to effectively train and maintain our employees with respect to quality control. A failure of our global quality control systems could result in problems with facility operations or preparation or provision of defective or non-compliant products which could ultimately cause harm to the final user. In each case, such problems could arise for a variety of reasons, including equipment malfunction, failure to follow specific protocols and procedures, problems with critical materials and components, failure by one or more of our suppliers to meet our quality requirements, or environmental factors and damage to, or loss of, manufacturing operations. Such problems could affect production of a particular batch or series of batches of products, requiring the destruction of such products or a halt of facility production altogether. Although we currently hold an insurance policy that covers liabilities for defective products and product recalls in amounts we believe to be adequate for our business, our coverage may not be adequate to insure against all product liability claims that may arise which may be particularly high in case failure of our products to meet the appropriate quality standards which may cause product recalls or damages to our customers or ultimate users. As a result of this, product defect claims or product recalls may have a material adverse effect on our business, financial condition, results of operations and cash flows. Our success depends on our customers' confidence that we can provide reliable, consistently high-quality products, which also requires us to provide validated data to support our customers' use of our products. We believe that customers are likely to be sensitive to our products failing to meet the specifications shown on our data sheets. Our reputation and the public perception of our products and technologies may be impaired if our products fail to perform as expected or fail to meet applicable quality criteria, specifications or performance standards. If our products experience, or are perceived to experience, a material defect or error, this could result in loss or delay of sales, damaged reputation, diversion of development resources and increased insurance or warranty costs, any of which could harm our business. These risks may be amplified by our new product lines as we implement appropriate quality control criteria. We are reliant, to an extent, on customer feedback on the quality of our products, and it may take additional time for new products to meet the desired quality standards. Any defects or errors could also result in our inability to timely deliver products to our customers, which could cause disruptions to our customers' ability to obtain results, narrowing the scope of the use of our products and ultimately hindering our or their success in relevant markets. Even after any underlying concerns or problems are resolved, any lingering concerns regarding our technology, product defects or performance standards could continue to result in lost sales, delayed market acceptance and damaged reputation, among other things. If problems in preparation or manufacture of a product, failure to meet required quality standards for that product or other product defects are not discovered before such product is released to our customers, we may be subject to adverse legal or regulatory actions, including halting of manufacturing and distribution, restrictions on our operations, civil sanctions (including monetary sanctions), and criminal actions. In addition, such problems or failures subject us to other litigation claims, including claims from our customers for reimbursement of the cost of lost or damaged materials. Our customers also require specific information regarding our products and their uses, and any inaccuracies in this information could lead to products being sold for the wrong uses and may result in our having to refund or replace the products in question. Any of the above problems may adversely affect our reputation, business, financial condition and results of operations.

We cannot provide assurance that our internal controls and compliance systems will always protect us from acts committed by employees, agents or business partners of ours (including third-party suppliers, distributors or of businesses we acquire or partner with) that would violate U.S. and/or other national laws, including the laws governing payments to government officials, bribery, fraud, kickbacks and false claims, pricing, sales and marketing practices, conflicts of interest, competition, export and import compliance, money laundering and data privacy. In particular, the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and similar anti-bribery laws in other jurisdictions generally prohibit companies and their intermediaries from making improper payments for the purpose of obtaining or retaining business. Any improper actions by our employees, suppliers and distributors or allegations of such acts could damage our reputation and subject us to civil or criminal investigations in Italy, under Italian Legislative Decree No. 231 of June 8, 2001 (the "Decree 231") pursuant to which a legal entity can be held liable to pay fines in connection with certain criminal offenses committed, inter alia, by its directors, officers or employees, the United States and in other jurisdictions, and any related shareholder lawsuits could lead to substantial civil and criminal, monetary and nonmonetary penalties and could cause us to incur significant legal and investigatory fees. In particular, pursuant to Decree 231, a defense can be established by an entity involved in a Decree 231 investigation, if such entity can prove, among others, that it adopted and properly implemented an organization, management and control model aimed at effectively preventing the commission of the criminal acts involved prior to such unlawful conduct having taken place. We approved and adopted the current (fourth) version of our organization, management and control model provided by Decree 231 ("Model 231") by means of a resolution of the board of directors dated November 4, 2022, and appointed the current supervisory body (the "Supervisory Body") that supervises the functioning of and compliance with Model 231, and monitors and assesses the implementation status of preventive measures, with regular yearly reports to the board of directors. The adoption of organization and management models does not by itself exclude applicability of the penalties provided by Decree 231. In fact, upon commission of an offense resulting in administrative liability of the Company pursuant to Decree 231, the court will evaluate the models and their actual implementation. Failure to comply with Decree 231 could result in the imposition of administrative sanctions such as monetary sanctions and other types of sanctions, if applicable (e.g., interdictory sanctions, including prohibitions such as participation in public tenders or the termination of a public contract already awarded, confiscation of the price or profits deriving from the crime and publication of the judgment) and loss of confidence of our customer base, which could have a material adverse effect on the business, financial condition, results of operations and prospects of the Group. In addition, a government may seek to hold us liable as a successor for violations committed by companies in which we invest or that we acquire. We also rely on our suppliers to adhere to our supplier standards of conduct, and material violations of such standards of conduct could occur that could have a material effect on our business, reputation, financial condition and results of operations.

On October 7, 2023, Hamas militants infiltrated Israel's southern border from the Gaza Strip and conducted a series of attacks. As a result of such attacks, Israel's security cabinet declared war against Hamas, and Israel launched an aerial bombardment to the Gaza Strip and then also began ground operations in the Gaza Strip, which remain ongoing. It is possible that other regional organizations will join the hostilities as well, resulting in a widening of the conflict, which could negatively impact the global economy. Furthermore, following Hamas' attack on Israel and Israel's security cabinet declaration of war against Hamas, the Houthi movement, which controls parts of Yemen, launched a number of attacks on marine vessels traversing the Red Sea. The Red Sea is a vital maritime route for international trade. These disruptions may impact our ability to receive materials and products from suppliers, to distribute our products in a cost-effective and timely manner and to meet customer demand, all of which could have an adverse effect on our financial condition and results of operations. There can be no assurance that further unforeseen events impacting the supply chain will not have a material adverse effect on us in the future. Additionally, the impacts that supply chain disruptions have on our third-party manufacturers and suppliers are not within our control. It is not currently possible to predict how long it will take for these supply chain disruptions to cease or ease. Prolonged supply chain disruption could increase raw material and product costs, impact our ability to meet customer demand and result in lost sales, all of which could have a material adverse effect on our business, financial condition and results of operations. We are monitoring the developing military conflict in Israel and Gaza, but cannot predict whether this situation, which is unfolding in real-time, may escalate and result in material implications for our business. None of our operations are located in Israel or Gaza and currently we do not have any significant customers or suppliers in the region.