NCC Group plc annual report and accounts for the year ended…

Market outlook

Intensifying regulatory momentum versus a worldwide shortage of qualified talent

Global market trends, threats and opportunities

The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. We remain confident our transformation strategy will deliver growth, underpinned by our range of services, geographic coverage, and the breadth and depth of our offering. Cautious client behaviour and the lengthening sales and onboarding cycles reported in December 2024 have impacted our first half results. This is also against a backdrop of macro-economic uncertainty, scrutiny of IT and security budgets, and competitive pricing.

We continue to see cyber resilience elevated to a core business risk agenda item for boards and the C-suite, as opposed to a purely IT consideration. This pivot is most evident in highly regulated verticals – financial services, healthcare, government and critical infrastructure – where regulatory scrutiny and heightened director liability are driving materially larger, multi-year security programmes. Within Operational Technology (OT) in particular, full risk reviews and resilience roadmaps are being commissioned as the potential business interruption cost of an OT outage becomes clearer. Our global delivery model ensures that these international operators can obtain expert support around the clock, irrespective of time zone or geography. Strategically, our global delivery engine is a differentiated and scalable service that enables us to be competitive.

Ransomware remains widespread and we have seen a marked uplift in AI-enabled phishing and double extortion campaigns, including the more recent high-profile retail sector cases in the UK. This evolving threat landscape is leading organisations to favour Managed (Extended) Detection and Response (MDR/MXDR) solutions that provide continuous monitoring across endpoint, cloud, identity and OT telemetry. In addition, businesses are requesting OT-specific MDR to counter the increase in attacks against industrial control environments.

Regulatory momentum intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act and the UK’s software and AI security Codes of Practice will drive secure-by-design requirements up the supply chain, while NIS2, DORA and sector-specific mandates in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by comparable moves in the US and APAC, signalling a global consensus for higher standards.

Read our leading Global Cyber Policy Radar: tinyurl.com/522my5vc

Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group’s recognised contribution to the UK government’s cyber resilience initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services.

The UK Government’s Industrial Strategy calls out NCC Group as a company exporting world-leading cyber solutions: tinyurl.com/yefadasr

The worldwide shortfall in qualified cyber security professionals continues to become more acute. This structural gap is most evident in highly specialised skills, including advanced testing, OT, and Identity and Access Management disciplines. This is expected to drive outsourcing to third-party cyber security services. Clients are relying on our global delivery hubs to ensure around-the-clock expert coverage without inflating their own employment cost base. Additionally, the strong reputation that we have among cyber professionals positions us to attract talent more easily than our competitors, with our academy and training capability allowing us to further expand and strengthen this talent base.

Hybrid working and personal device policies have shifted the security perimeter from the edge of the enterprise network to the user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2 and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations.

NCC Group named ‘Strong Performer’ in the 2025 Forrester assessment of European MDR providers: tinyurl.com/5n8rc9uc

NCC Group plc — Annual report and accounts for the year ended 30 September 2025
