NCC Group plc annual report and accounts for the year ended…

Unlocking our potential

Annual report and accounts for the year ended 30 September 2025

NCC Group is a people-powered, tech‑enabled global Cyber Security and software escrow business.

We harness our collective insight, intelligence and innovation to power end-to-end cyber services that protect our clients from cyber threat.

A global delivery engine as a differentiated and scalable service for clients around the world

A single technology stack and the opportunity to leverage our scalable full‑circle cyber services

A network of partners and strategic alliances to optimise solutions for clients

In this report

Strategic report
• Highlights for the year ended 30 September 2025
• At a glance
• Chair’s statement
• CEO’s review
• Our business model
• Market outlook
• Our strategy
• Stakeholder engagement
• Sustainability
• Risk management
• Viability statement
• Financial review

Governance
• Chair’s introduction to governance
• Governance framework
• Board of Directors
• Board composition and division of responsibilities
• Shareholder engagement
• Audit Committee report
• Nomination Committee report
• Cyber Security Committee report
• Remuneration Committee report
• Directors’ report
• Directors’ responsibilities statement

Audited consolidated financial statements
• Independent auditors’ report
• Consolidated income statement
• Consolidated statement of comprehensive income
• Consolidated balance sheet
• Consolidated cash flow statement
• Consolidated statement of changes in equity
• Company balance sheet
• Company statement of changes in equity
• Notes to the Financial Statements

Additional information
• Appendix 1
• Glossary of terms – other terms
• Other information
• Financial calendar

View our latest results: nccgroupplc.com

Highlights for the year ended 30 September 2025

IFRS measures 1

Revenue (£m): £305.4m (25: 305.4; 24: 429.5; 23: 335.1)

Profit/(loss) before taxation (£m): £20.6m (25: 20.6; 24: (27.5); 23: (4.3))

Basic EPS (p): 5.6p (25: 5.6; 24: (10.4); 23: (1.5))

Alternative Performance Measures

Net cash/(debt) excluding lease liabilities 3 (£m): £13.1m (25: 13.1; 24: (45.3); 23: (49.6))

Adjusted operating profit 3 (£m): £23.7m (25: 23.7; 24: 22.3; 23: 16.6)

Adjusted EPS 3 (p): 4.7p (25: 4.7; 24: 3.4; 23: 2.8)

Highlights

• Group revenue on a constant currency basis 3 (excluding non-core disposals 2 ) has declined by 2.6% to £293.9m with Escode experiencing growth of 2.2% to £66.5m, offset by a Cyber Security decline of 4.0% to £227.4m.

• Revenue performance in H2 2025 on a constant currency basis 1 (excluding non-core disposals 2 ) for both Escode and Cyber Security improved from the position in H1 2025, with Escode H2 2025 growth of 2.5% vs H2 2024 compared to H1 2025 growth of 1.8% vs H1 2024, and Cyber Security H2 2025 decline of 1.6% vs H2 2024 compared to H1 2025 6.3% decline vs H1 2024. Escode has now delivered 12 consecutive quarters of year-on-year revenue growth and Cyber Security has returned to growth in Q4 FY25 providing momentum into FY26.

• Gross margins (excluding non-core disposals 2 ) year on year have improved to 44.5% from 43.9% as the Group maintained operational discipline, with Escode gross margin improving by 2.6% pts at 71.4% and Cyber Security declining slightly by 0.4% pts to 36.6%.

• The Group reported Adjusted EBITDA 3 (excluding non-core disposals 2 ) of £40.6m, down from £42.1m in the 12 months to 30 September 2024, in line with Board’s expectations (down from £51.6m for the 16 month period ending 30 September 2024 (including non-core disposals 2 )).

• Profit before taxation grew to £20.6m from a loss of £17.8m in the year ended 30 September 2024, as a result of a reduction in non-core disposals 2 trading (£4.7m), underlying reduction in Adjusted EBITDA trading performance (£1.5m), a one-off profit (£11.4m in H1 2025) from the sale of our Fox Crypto business for a total consideration of £65.6m completed in March 2025, a reduction in other Individually Significant Items (£29.5m), excluding the £11.4m profit on disposal of Fox Crypto, reduction in depreciation and amortisation (£2.2m) and finance costs (£1.3m).

• The disposal of Fox Crypto in March 2025 was part of the strategic plan to simplify our business and focus on creating a pure play cyber service proposition for clients. It has also helped us transform our Balance Sheet to eliminate Group borrowings, with net cash of £13.1m at 30 September 2025 compared to net debt of £45.3m on 30 September 2024. In conjunction with our successful refinancing in April 2025 to a new four year, £120m multi-currency revolving credit facility (RCF) and an uncommitted £50m accordion option, this supports strategic options for a recently announced share buy-back programme and value enhancing M&A opportunities.

• As announced on 28 April 2025, the Group confirmed that it was investigating several options for its Escode business, including a potential sale (‘Escode review’). If a transaction were to be successfully concluded it would enable the Group to consider a significant return of capital to shareholders over and above the recently announced share buy-back programme. The Board will provide updates as and when appropriate.

• Further to the announcement on 16 July 2025, the Board confirms the process to review all options for the Group’s Cyber Security business also continues and is independent from both the process and outcome of the Escode review. Our focus remains on operational excellence and continuing our transformation journey as we ensure the operating model is aligned to support our clients and the underlying Cyber Security strategy.

• The Board is proposing an unchanged final dividend of 3.15p per ordinary share, marking 20 consecutive years of dividend payments for shareholders.

• The Board anticipates that revenue (including recent non-core disposals 2 ) for the year ended 30 September 2026 is expected to grow marginally, with Escode and Cyber Security experiencing low single-digit growth as pipeline continues to build. FY26 Group Adjusted EBITDA 1 (after the adjustment for non-core disposals 2 ) is expected to be in line with Board expectations – growing faster than revenue and the Board remains confident in delivering the Group’s medium-term financial goals as it continues to improve operational discipline and transform our cyber security engine.

1 The statutory results for the audited year (and the audited prior period of 16 Months to 30 September 2024) present the Group’s Escode business as discontinued operations. Therefore, the tables below show the Group’s continuing operations results, with Escode added back to ensure full comparability of the Group’s performance.

2 Non-core disposals refer to the disposals of Fox-IT Crypto and Fox DetACT. The disposal of Fox-IT Crypto and Fox DetACT completed on 28 March 2025 and 30 April 2024 respectively.

3 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 1

At a glance

We are NCC Group plc

What we do

Founded in 1999, we are a global leader in cyber security and business resilience. Our colleagues are relied upon by the world’s leading companies and governments to help them manage risk, strengthen resilience and build lasting trust. Against a backdrop of continued, fast-paced technological change and increasing interconnectedness, we help companies to manage risk and face into the future with confidence. NCC Group has two main divisions: a people-powered, tech-enabled Cyber Security company (nccgroup.com), and a market-leading IP and software escrow business, Escode (escode.com). Working together with our clients, we create a more secure digital future.

Escode

We give organisations the legal right and practical means to access, rebuild, and maintain business-critical software and intellectual property when a supplier is no longer able to support it. Our independent escrow and verification services support organisations in four key ways:

• Resilience for organisations when software suppliers falter, code shows weaknesses or disruption strikes
• Confidence that continuity and compliance are built into both on-premise and cloud solutions
• Secure storage and long-term access to essential software and data
• Technical assurance that the materials held in escrow can be successfully rebuilt and function as intended when it matters most

For more information visit our Escode website: escode.com

Cyber Security

Protecting today. Shaping tomorrow. Creating a more secure digital future. NCC Group is a leading global Cyber Security and resilience company, trusted for over 25 years by leading businesses and governments. With roots in offensive security and defence, and a heritage built on research and threat intelligence, we uncover thousands of risks each year, bringing deep insight into vulnerabilities, attack patterns and adversary behaviours. With significant market presence in the UK, Europe, North America and Asia Pacific we deliver full-spectrum cyber resilience to governments and businesses to protect what matters most – the cars we drive, the energy in our homes, and the phones in our pockets, and critical infrastructures worldwide. We build resilience and deliver impactful, forward‑thinking solutions that help create a safer digital future.

For more information visit our Cyber Security website: nccgroup.com

Leaders in regulatory and complex testing

Managed Security including MXDR

Digital Forensics and Incident Response

Consultancy and Implementation

Escrow agreements for both cloud and on-premise

Testing and verification services

Where we operate

We operate as one global business, with in-country delivery tailored to local needs and cultures, as well as a global delivery team to respond quickly to our clients’ challenges.

Our offices

We have a significant market presence in the UK, Europe and North America, and a growing footprint in Asia Pacific, with offices in Australia, Singapore and the Philippines.

Group revenues

UK and Asia Pacific £163.8m (2024 1 : £209.8m)

North America £89.6m (2024 1 : £136.2m)

Europe £52.0m (2024 1 : £83.5m)

Cyber Security revenue £238.9m (2024 1 : £342.1m)

• Technical Assurance Services (TAS): £88.4m (2024 1 : £141.4m)
• Consulting and Implementation (C&I): £48.5m (2024 1 : £55.2m)
• Managed Services (MS): £76.4m (2024 1 : £91.8m)
• Digital Forensics and Incident Response (DFIR): £13.1m (2024 1 : £20.6m)
• Other services: £12.5m (2024 1 : £33.1m)

Escode revenue £66.5m (2024 1 : £87.4m)

• Escrow contracts: £43.0m (2024 1 : £57.2m)
• Verification services: £23.5m (2024 1 : £30.2m)

1 2024 represents the 16 month period ended 30 September 2024 (audited).

Chair’s statement

Unlocking our potential

When I reflect on the past year at NCC Group, I am reminded that progress is rarely linear. It is shaped by the challenges we face, the decisions we make, and – most importantly – the people who come together to move us forward. This year has been a testament to the resilience, adaptability and shared purpose that defines our Group. And I want to begin by expressing my heartfelt thanks to every colleague, client and shareholder, as well as our partners, who continue to be a part of our journey.

As a result of this decision, we announced in July 2025 that we had started to explore options for our Cyber business should the Escode sale proceed. This was about looking ahead and anticipating what our people, our clients and shareholders will need in years to come, and we believe it is right that we keep all options open.

Deepening relationships and building trust

In May we hosted a unique experience for shareholders, analysts and partners, demonstrating our ongoing commitment to transparency and engagement. Guests were invited to step into our world and experience first-hand decisions that management teams must make in response to cyber threats. It was a powerful reminder of the trust our clients place in us, and of course the expertise and dedication that runs through every part of our business. These moments of connection, where we open our doors and share our story, are vital. They build understanding, foster trust and remind us all of the critical role NCC Group plays in keeping our digital world safer and more secure. I’m proud that we’ve continued to strengthen our relationships with clients, focusing on strategic partnerships that go beyond transactions, which you’ll see from Mike’s review on pages 6 and 7. Our teams work tirelessly to understand the evolving needs of our clients, offering not just technical solutions but genuine partnership and support. In a world where digital risks are ever-present, our role as a trusted advisor has never been more important.

Our people: the heart of NCC Group

If there is one thing that stands out year after year, it is the extraordinary commitment and talent of our people. The pace of change has been relentless, and yet our colleagues have responded with professionalism and creativity, focused on our clients’ needs. Whether adapting to new ways of working, supporting clients through complex challenges, or driving innovation from within, our teams have shown what is possible when we pull together. Our investment in people is matched by our commitment to sustainability and responsible business. As we nurture talent and foster a positive culture, we also strive to make a meaningful impact on the environment and society. Our Manila operations have gone from strength to strength, bringing new perspectives and capabilities to our global front and back-office teams. I am proud of the progress we have made, but even more excited about what lies ahead.

Chris Stone Non-Executive Chair

Navigating change with purpose

We continue to make bold decisions as we navigate the changing landscape all businesses are operating in. I’m proud of the way the management team and the wider Group embrace these as opportunities to continue to grow and strengthen the overall business. In March 2025, we completed the sale of the Fox-IT Crypto business for a gross consideration of £65.6m, a milestone that not only reflects our commitment to simplifying the Group’s proposition, deriving great value to our shareholders and reducing net debt, but also our willingness to evolve in a rapidly shifting digital landscape. And this commitment continued as we announced in April 2025 that we were exploring a range of strategic options for our Escode business, including a potential sale (Escode review). The decision is one that was not taken lightly by the Board. The Board will provide updates as and when it is practicable and appropriate to do so. If a sale of Escode were to be successfully concluded, the Group would become a focused, people-powered, tech-enabled global Cyber Security business. It would also enable the Board to consider a significant return of capital to shareholders over and above the recently announced initial share buy-back programme.

We have also continued to review and strengthen our governance practices, learning from best practice and adapting to the evolving needs of our business. This includes ongoing engagement with our shareholders, listening to their views and incorporating their feedback into our decision making.

Looking to the future

With strong foundations in place – strategic clarity, stakeholder trust, empowered people and robust governance – we are well positioned to embrace the future with confidence. We are continuing to build strategic client relationships, scan the market for smart acquisition opportunities and focus on operational efficiencies that will make us stronger and more agile. Our partnerships are deepening, our Manila office is flourishing and our global teams are united by a shared sense of purpose. I am confident that we have the right people, the right strategy and the right values to succeed. Together, we are building a stronger, more resilient NCC Group – one that is ready to seize the opportunities of tomorrow.

Share buy-back programme

Reflecting the Board’s continued confidence in the future prospects of the Group and the strength of the Balance Sheet, regardless of the outcome of the Escode review, we announced in October 2025 our intention to commence an initial share buy-back programme. This will be carried out utilising our current shareholder authority and in accordance with our capital allocation policy, and relevant legal and regulatory obligations. It was also noted that the initial share buy-back programme would not launch before 11 December 2025.

Dividends

During the year, total dividends of £19.0m were paid (2024: £14.5m), an increase due to the change in our year end and the additional dividend we gave for the four month period to 30 September 2024. The Board is proposing an unchanged final dividend of 3.15p per ordinary share for the year ended 30 September 2025, as it remains mindful of the continued need to invest in the Group’s strategy, marking 20 consecutive years of dividend payments for shareholders. The final dividend will be paid on 10 April 2026, subject to approval at the AGM on 3 March 2026, to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026. Our existing dividend policy will remain unchanged by any share buy-back programme noted above.

Closing thoughts

In closing, I want to thank everyone who has been part of our journey this year. To our colleagues: your dedication, creativity and resilience inspire me every day. To our clients: thank you for your trust and partnership. And to our shareholders: thank you for your continued support and belief in our vision. We do not take any of these relationships for granted. As we move forward, we will continue to listen, learn and adapt – always with the goal of creating lasting value for all our stakeholders.

VIEWPOINT

Identity at the core: Strengthening cyber resilience with end-to-end access governance and expertise

Poorly maintained access control processes are among the leading causes of cyber breaches and regulatory non-compliance. Up to 80% of security incidents involve compromised credentials and insufficient safeguards, giving attackers the keys to infiltrate networks, steal sensitive data, and disrupt operations. The cost? Millions in lost revenue, reputational damage, regulatory penalties, and recovery downtime. AI and autonomous agents amplify identity risks by increasing access across systems, making an already complex task even more challenging. We help our clients manage every aspect of Identity and Access Management (IDAM), ensuring human and non-human accounts are governed, monitored, secured, and maintained across the entire lifecycle. With NCC Group’s expertise and strategic partnerships, you gain resilience, confidence, and continuity so you can focus on what matters most: running your business securely.

Commitment to sustainability and responsible business

This year, we took significant steps forward on our climate action agenda, responding to changing requirements and also client requests. We published our Carbon Reduction Plan, developed in partnership with Positive Planet, which sets out our path to net zero and commits us to ambitious, science-based targets. We are on track to achieve SBTi verification by March 2026 and will update our plan to reflect our progress. Our partnership with Positive Planet led to the creation of a bespoke Carbon Literacy Training programme, and I am delighted that my fellow Board member Lynn Fordham was among the first to achieve certification. We are now working towards verification of our science-based targets, a further demonstration of our commitment to collaborating with other businesses to reduce our impact on the environment and will update the Carbon Reduction Plan in early 2026. This holistic approach to sustainability is reflected in our governance practices. The Board remains focused on upholding the highest standards and ensuring that our values are embedded in every decision we make, and you can read more about our progress on this from page 58.

Governance and Board Leadership

The Board has played an active and engaged role, providing challenge, support and guidance as we continue to navigate this critical time for the Group. We are committed to upholding the highest standards of governance, ensuring that our decisions are grounded in integrity, transparency and a long-term perspective. Our focus has been on supporting the management team, overseeing strategic reviews and ensuring that the interests of all stakeholders are represented.

Chris Stone Non-Executive Chair 11 December 2025

CEO’s review

Strategic progress positions the Group for return to profitable growth

As we reflect on FY25, I want to begin by recognising the continued commitment and expertise of our colleagues across the globe. The work they do for clients is extraordinary and they have continued to demonstrate their resilience and adaptability navigating change and at times an uncertain economic environment. Our purpose – to create a safer digital future – remains at the heart of everything we do, and our progress this year is a testament to the strength of our people and the trust our clients place in us.

enabled us to scale, win more opportunities and serve clients more efficiently. We will continue to invest in our people, technology and strategic partnerships – underpinned by our leading intelligence, innovation and insight, we remain at the forefront of an evolving cyber threat landscape.

Market environment and client needs

As a B2B service provider, demand for many of our services reflects the macro-economic cycle and the confidence of our clients to invest. During the year this cycle and the geopolitical environment remained complex, particularly in the first half. We saw this reflected in cautious client behaviour, which naturally lengthens sales cycles. Despite these headwinds, demand for cyber resilience and regulatory assurance continues to grow, particularly in highly regulated sectors such as financial services, healthcare and businesses running critical infrastructure. Our clients are increasingly seeking expert-led, end-to-end solutions that address the full spectrum of cyber risk – from Identity and Access Management to Operational Technology security and Managed Detection and Response. Our differentiated capabilities, global delivery and strategic alliances with leading technology partners position us strongly to meet these needs.

Financial performance

As expected, we saw Group revenue for FY25 decline by 2.6% on a constant currency basis (excluding non-core disposals), with Escode delivering growth on a constant currency basis of 2.2% and Cyber Security declining on a constant currency basis by 4.0% when compared to the previous 12 months. Importantly, as I reflect on all of this, half-to-half performance was markedly stronger with revenue performance improving in the second half, a reflection of the positive impact of our strategic focus and operational discipline together with the strong order book we indicated in our December 2024 results. Gross margins (excluding non-core disposals) overall strengthened to 44.5% with Escode margin reaching 71.4% and Cyber Security broadly flat at 36.6%. Adjusted EBITDA (excluding non-core disposals) was in line with Board expectations and amounted to £40.6m when compared to the previous 12 months. Our Balance Sheet remains robust, with net cash of approximately £13m at year end, a marked improvement from the net debt of £79.6m as at 31 May 2023 and now providing a strong foundation for future investment and capital returns.

Sales and commercial execution

We continued to strengthen our business in FY25 with management action focused on strategic change to build the necessary technical capability in cyber and to strengthen our commercial organisation in both the Escode and Cyber Security businesses.

Mike Maddison Chief Executive Officer

Strategic progress and transformation

FY25 has been a year of disciplined execution against the strategy we originally established back in 2023 to transform and reshape the Group. We have made significant progress to simplify the Group and built our two distinct businesses – Cyber Security, with Managed Services at the centre, and Escode, our software escrow service. We have improved profitability, materially reduced and eliminated net debt, and repositioned the Group’s portfolio around core, scalable activities. More timely and granular financial and operational information has strengthened decision making, however there is more work to do. A major event this year was the successful sale of our Fox-IT Crypto business in March 2025 that strengthened our Balance Sheet, providing us with the financial flexibility to invest in growth, while removing the management distraction of a non-core business. In April 2025, the Group confirmed that it was investigating several options for its Escode business, including a potential sale. The Board will provide updates as and when it is practicable and appropriate to do so. If a sale of Escode were to be successfully concluded, the Group would become a focused, people-powered, tech-enabled global Cyber Security business. It would also enable the Board to consider a significant return of capital to shareholders over and above the recently announced initial share buy-back programme. Our investments in new capabilities such as Operational Technology and Digital Identity have allowed us to win further strategic projects during the year. Our global operating model, including our expanding office in Manila with exceptional cyber and operational talent, has

The worldwide shortage in qualified cyber security professionals is both widening and becoming more acute. This structural gap is most evident in highly specialised skills, including advanced testing, Operational Technology, and Identity and Access Management disciplines. This is expected to drive outsourcing to third party Cyber Security services. Clients need around-the-clock expert coverage without inflating their cost base as a cost of employment and our global delivery hubs meet this need. Additionally, the strong reputation that we have among cyber professionals positions us to attract the best talent using our academy/training ability to further expand and strengthen this talent base.

The combination of hybrid working and using personal devices at work has shifted the security perimeter from the edge of the Enterprise network to the individual user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2, the EU’s updated cyber security directive and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations.

Lastly, the attack surface is expanding and becoming more complex, with cloud migrations accelerating, SaaS solution proliferation and AI adoption continuing, as well as early discussions ongoing regarding the potential implications of quantum computing. Each new platform expands the potential for malicious attacks and reinforces the need for security to be embedded earlier into development pipelines. Demand is therefore rising for secure-by-design assessments, supply chain software assurance and Managed Extended Detection and Response (MXDR) coverage that spans traditional IT, cloud and OT environments. The breadth of clients we serve across industries, geographies and IT and OT environments has allowed us to build unique IP to help clients secure this expanding attack surface.

Outlook

Looking ahead, we remain confident in our strategy and the medium-term growth prospects for both businesses. While we expect the current challenging economic conditions to endure in the near term, our pipeline is building, and we anticipate a return to Cyber Security revenue growth in FY26 as our continued transformation delivers further benefits to both our competitive positioning and stakeholders. On 28 April 2025, the Board confirmed that it was investigating a number of options for its Escode business including a potential sale (Escode review). We currently remain in that process and we will provide a further update in due course. Further to a subsequent announcement on 16 July 2025, the Board confirms that the Group remains in the early stages of a review of all strategic options for its Cyber business should the Escode business be sold, this includes a range of potential outcomes including potential offers for the entire issued and to be issued share capital of the Company, and that no decision has been made regarding which options will be pursued. Our focus remains on operational excellence, innovation and supporting existing and new clients as they navigate an increasingly complex digital threat landscape. In closing, I would like to thank our colleagues, clients and partners for their continued trust and support. Together, we are building a stronger, more resilient NCC Group, well positioned for sustainable growth and long-term success.

In Escode, we:

• Reorganised our sales structure by industry verticals to deliver deeper sector expertise and create greater value for customers in finance, critical infrastructure, and commercial markets
• Established a dedicated new customer acquisition team focused on ideal customer profiles within our priority growth sectors in the UK and US
• Expanded our software verification offering to include fully independent builds of cloud-hosted solutions, ensuring greater reliability and trust
• Broadened our regional presence with an extended market focus into the Middle East

In Cyber Security, we:

• Invested in strategic sales capability
• Enhanced client propositions with embedded technology
• Put foundations in place for global account management to deepen relationships and unlock revenue opportunities
• Have improved Management Information with our global sales operation
• Have fully implemented global scheduling, timesheets and pricing tools
• Have fully separated Fox DetACT and Fox Crypto

These actions are already delivering results, an improved sales pipeline visibility, deeper client engagement and a positive shift in revenue mix towards higher value, recurring contracts. We remain focused on further evolving our sales model to ensure stronger linkage between sales execution and service delivery, and to drive deeper penetration in our priority sectors globally: financial services, insurance, healthcare, industrials, and the public sector.

Operational highlights

• Transformation: Continued progress in repositioning the Cyber Security business towards higher value, recurring revenue streams, supported by a single technology stack and scalable global delivery
• Strategic partnerships: Recognition from key partners, including Splunk and Microsoft, underscores our reputation as a trusted advisor and innovator
• Talent: Our ability to attract and develop top cyber talent remains a competitive advantage, supported by our academy and training programmes
• Escode: The business continues to deliver consistent growth and profitability, with discussions regarding its future strategic direction ongoing
• Public Research: Our leading technical expertise including Cryptography, Hardware and AI/ML Security was engaged by leading companies including Meta, WhatsApp and Google, to review and publish public reports into their emerging technology

Market trends and regulatory landscape

The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. Regulatory momentum has intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act, which came into force in December 2024 and the UK’s AI Cyber Security Code of Practice will embed secure-by-design requirements up through the software supply chain, while NIS2, DORA and sector-specific requirements in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by similar requirements in the US, Australia and APAC, signalling a global consensus for higher standards. Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group’s recognised contribution to the UK government’s AI and CRA initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services.

Mike Maddison Chief Executive Officer 11 December 2025

NCC Group plc — Annual report and accounts for the year ended 30 September 2025 7

Our business model

Transforming for global growth For decades, we’ve developed thousands of cyber experts and explored emerging technologies. Now, as a global, client-focused business, we continue to evolve, delivering groundbreaking projects for leading companies and governments. Our collective expertise sits at the forefront of cyber resilience, shaping a more secure digital future.

Read more on market outlook on pages 10 and 11

Inputs

Two distinct businesses

Cyber Security As a leading global Cyber Security services company we are trusted to protect what matters most – the cars we drive, the energy in our homes, and the phones in our pockets, and critical infrastructures worldwide. With roots in deep offensive security and defence and a heritage built on research and threat intelligence, we deliver full-spectrum cyber resilience to governments and businesses. From tracking threat actors and uncovering vulnerabilities to responding to ransomware, we don’t just defend, we are actively building a more secure digital future. Through our end-to-end cyber capabilities, we empower organisations to counter threats, manage disruption and navigate regulations with confidence.

Sustainable growth strategy In a fast-moving and complex environment, our strategy puts clients’ needs first, with a roadmap of investments designed to develop future capabilities and a global delivery model to provide clients with the best solution.

People-powered, tech-enabled We are a diverse global community of talented and creative individuals, working together and united by the same goal – to create a more secure digital future.

Culture of innovation With our roots stretching back to the 1990s we have a track record of being at the cutting edge of innovation. NCC Group was created in 1999 when the National Computing Centre sold its commercial divisions to its existing management; from there we continued to grow through acquisitions. And while history is important, so is the future, with innovation, insights and intelligence the drivers of differentiation and woven into the DNA of who we are.

For more information visit our Cyber Security website: nccgroup.com

Escode We provide specialist escrow and verification solutions for business-critical IP, technology and software applications. Our services help companies and government organisations manage supplier risk, sustain business continuity and give confidence that essential third party software can be accessed and redeployed when required. Our cloud services bring clarity to application management, making the transition to the cloud straightforward and controlled.

Stronger partner relationships We are active members of the global cyber community, working in collaboration and in partnership with key industry players. Many successful global partnerships have delivered integrated, seamless solutions to clients.

Market-leading reputation We’re recognised by leading analysts for excelling in our understanding of CISO needs, building strong partnerships with clients and being called to solve complex problems.

For more information visit our Escode website: escode.com

Read more on our strategy on pages 12 and 13


Value creation

Colleagues Our people are leading the industry with innovative solutions protecting clients and society from growing cyber threats. As a people-powered, tech-enabled organisation, our talent strategy builds future-ready skills, strengthens leadership and fosters an inclusive culture of high performance, aligned with our business goals. We’re committed to helping every colleague thrive – through inclusive practices, targeted development and a focus on colleague experience – driving commercial success through empowered, engaged teams.

Read more on our sustainability strategy: nccgroupplc.com/sustainability

Clients Our cyber security and software escrow solutions enable clients to confidently innovate and embrace new technologies, and build responsible, sustainable and resilient organisations that thrive and succeed.

[Diagram labels: Insight, Intelligence, Innovation]

Our network We’re the collaborators, the co‑ordinators, the conveners, and you will find us bringing together our global community to drive our industry forward and create a more secure digital future. We invest 1,100 days of research each year and engage proactively to ensure our insights and vision deliver the best societal outcomes, bringing partners together in support of our clients as well as policymakers and regulators to help shape future cyber policy.

Shareholders We have a dedicated Investor Relations programme providing shareholders and financial analysts with regular updates on our performance. Engagement activities include results presentations, roadshows with the CEO and CFO, Capital Markets events, site visits, RNS and email updates.

[Diagram labels: Establish legal right; Scenario test; Release; Knowledge transfer; Deposit; Secure storage; Manage]

Read more on stakeholder engagement on pages 14 and 15


Market outlook

Intensifying regulatory momentum versus a worldwide shortage of qualified talent

Global market trends, threats and opportunities

The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. We remain confident our transformation strategy will deliver growth underpinned by the range of services, geographic coverage, and breadth and depth of offering. Cautious client behaviour and the lengthening sales and onboarding cycles reported in December 2024 have impacted our first half results. This is also against a backdrop of macro-economic uncertainty, IT and security budgets being under scrutiny and competitive pricing.

We continue to see cyber resilience elevated as a core business risk agenda item to the C-suite as opposed to a purely IT consideration. Cyber continues to be elevated as a core business risk for boards, as opposed to just an IT consideration. This pivot is most evident in highly regulated verticals – financial services, healthcare, government and critical infrastructure – where regulatory scrutiny and heightened director liability are driving materially larger, multi-year security programmes. Within Operational Technology (OT) in particular, full risk reviews and resilience roadmaps are being commissioned as the potential business interruption cost of an OT outage becomes clearer. Our global delivery model ensures that these international operators can obtain expert support around the clock, irrespective of time zone or geography. Strategically, our global delivery engine is a differentiated and scalable service that enables us to be competitive.

Ransomware remains widespread and we have seen a marked uplift in AI-enabled phishing and double extortion campaigns, including the more recent high-profile retail sector cases in the UK. This evolving threat landscape is leading organisations to favour Managed (Extended) Detection and Response (MDR/MXDR) solutions that provide continuous monitoring across endpoint, cloud, identity and OT telemetry. In addition, businesses are requesting OT-specific MDR to counter the increase in attacks against industrial control environments.

Regulatory momentum intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act and UK’s software and AI security Codes of Practice will drive secure-by-design requirements up the supply chain, while NIS2, DORA and sector‑specific mandates in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by comparable moves in the US and APAC, signalling a global consensus for higher standards.

Read our leading Global Cyber Policy Radar: tinyurl.com/522my5vc

Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group’s recognised contribution to the UK government’s cyber resilience initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services.

The UK Government’s Industrial Strategy calls out NCC Group as a company exporting world-leading cyber solutions: tinyurl.com/yefadasr

The worldwide shortfall in qualified cyber security professionals continues to become more acute. This structural gap is most evident in highly specialised skills, including advanced testing, OT and Identity and Access Management disciplines. This is expected to drive outsourcing to third party Cyber Security services. Clients are relying on our global delivery hubs to ensure around-the-clock expert coverage without inflating their cost base as a cost of employment. Additionally, the strong reputation that we have among cyber professionals positions us to attract talent more easily than our competitors, with our academy/training ability allowing us to further expand and strengthen this talent base.

Hybrid working and personal device policies have shifted the security perimeter from the edge of the Enterprise network to the user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2 and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations.

NCC Group named ‘Strong Performer’ in the 2025 Forrester assessment of European MDR providers: tinyurl.com/5n8rc9uc


OT/IT Cyber Safety Webinar series Between December 2024 and February 2025, NCC Group’s OT/IT Cyber Safety Webinar series explored the critical intersection of IT and OT cyber security convergence and the safety considerations in industrial environments, addressing the unique challenges and opportunities that arise when legacy operational technologies meet modern digital systems amid rising cyber threats.

Watch our YouTube video series here: tinyurl.com/4c6s96tm

The NCC Group Cyber Security regulations maturity curve

[Figure: timeline from 2017 to 2025. Key: legislative intervention.
Curve labels: Political recognition of market failure in Cyber Security; Period of heightened legislative and regulatory activity to “make up for lost ground”; Commencement of enforcement actions; Continued increase of volume of cyber rules and regulations, e.g. ransomware payment bans, mandating Cyber Essentials, etc.; Inflection point: the future trajectory is yet to be set in stone; Regulatory settlement or equilibrium as cyber rules reach saturation, and increased mandated baseline forms part of “cyber toolbox” in 21st century; Reduction in regulatory requirements in the name of growth, competitiveness and innovation.
Incidents and threat actors marked: WannaCry; NotPetya; Synnovis; Scattered Spider.
Legislation marked: EU NIS; EU GDPR; EU Cybersecurity Act; Singapore Cybersecurity Act; Australia Security of Critical Infrastructure Act; US sector regulations; UK Telecoms Security Act; UK Product Security and Telecoms Infrastructure Act; Australia Cybersecurity Act; EU NIS2; EU Cyber Resilience Act; UK Cyber Security and Resilience Bill.]

© 2025 NCC Group. All rights reserved. Please see www.nccgroup.com for further details. No reproduction is permitted in whole or part without written permission of NCC Group. This content is for general purposes only and should not be used as a substitute for consultation with professional advisers.

NCC Group’s 1000+ respondent survey reveals the critical issues driving supply chain security in 2025

• 68% of organisations expect the severity and scale of supply chain attacks to escalate further

Lastly, the attack surface is expanding, with cloud migrations accelerating, SaaS proliferation and AI adoption continuing, and early discussions ongoing regarding the implications of quantum computing. Each new platform expands the potential for malicious attacks and reinforces the need for security to be embedded earlier into development pipelines. Demand is therefore rising for secure-by-design assessments, supply chain software assurance and MXDR coverage that spans traditional IT, cloud and OT environments. The breadth of clients we serve across industries, geographies and IT and OT environments has allowed us to build unique IP to help clients secure this expanding attack surface.


• 45% experienced a cyber security breach in the prior 12 months
• 59% were concerned about visibility over their supply chain

Read more: www.nccgroup.com/the-state-of-supply-chain-security


Our strategy

A range of services and geographies and breadth of offering

Strategic priority

Progress in FY25

• Appointed a CCO to align the global go-to-market strategy with overall business objectives
• Hired new Market Leads to drive and implement regional strategies
• Redefined the global markets organisational structure to support growth and enhance sales performance
• Streamlined internal processes to sharpen focus on clients and execution of the go-to-market strategy
• Strengthened our Managed Services business by expanding client adoption of our MXDR platform and adding enhanced detection and response capabilities
• Built momentum in Digital Identity and Operational Technology practices, winning new client mandates
• Continued to leverage technology partnerships to extend our propositions and global reach
• Drove margin improvement within Technical Assurance, particularly in North America, through delivery model optimisation
• Rolled out global scheduling tool (Kantata) across all key regions, improving resource visibility and planning
• Manila office scaled significantly, now an established hub for delivery and enabling functions
• Introduced new ways of working within global delivery to improve efficiency and management information (MI) for decision making
• Launched a distinct brand refresh for NCC Group Cyber Security business while establishing and embedding Escode
• Celebrated 25 years of cutting-edge research and delivered market-leading thought leadership such as our monthly Threat Intelligence series and global Cyber Policy Radar
• Recognised by leading industry analysts such as Forrester, Gartner and IDC citing our ability to solve complex security challenges with trusted CISO partnerships

Our clients Deeper client engagement on the most pressing Cyber Security and software escrow needs

Our proposition Offering a broader service portfolio addressing the full Cyber Security lifecycle

Global delivery Transitioning from an international to a fully global business

Brands Creating distinct and relevant brands for our Cyber Security and Escode businesses

FY25 financial framework goals

Sustainable revenue growth
• Deliver underlying growth in Cyber Security
• Increase Managed Services revenue as a proportion of total Cyber Security
• Maintain momentum in Escode

Improved gross margin
• Maintain utilisation %
• Smart pricing and margin investment decision making
• Globalise technical resource footprint
