The worldwide shortage in qualified cyber security professionals is both widening and coming more acute. This structural gap is most evident in highly specialised skills, including advanced testing, Operational Technology, and Identity and Access Management disciplines. This is expected to drive outsourcing to third party Cyber Security services. Clients need around-the-clock expert coverage without inflating their cost base as a cost of employment and our global delivery hubs meet this need. Additionally, the strong reputation that we have among cyber professionals positions us to attract the best talent using our academy/ training ability to further expand and strengthen this talent base. The combination of hybrid working and using personal devices at work has shifted the security perimeter from the edge of the Enterprise network to the individual user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2, the EU’s updated cyber security directive and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations. Lastly, the attack surface is expanding and becoming more complex, with cloud migrations accelerating, SaaS solution proliferation and AI adoption continuing, as well as early discussions ongoing regarding the potential implications of quantum computing. Each new platform expands the potential for malicious attacks and reinforces the need for security to be embedded earlier into development pipelines. Demand is therefore rising for secure-by-design assessments, supply chain software assurance and Managed Extended Detection and Response (MXDR) coverage that spans traditional IT, cloud and OT environments. The breadth of clients we serve across industries, geographies and IT and OT environments has allowed us to build unique IP to help clients secure this expanding attack surface. Outlook Looking ahead, we remain confident in our strategy and the medium- term growth prospects for both businesses. While we expect the current challenging economic conditions to endure in the near term, our pipeline is building, and we anticipate a return to Cyber Security revenue growth in FY26 as our continued transformation delivers further benefits to both our competitive positioning and stakeholders. On 28 April 2025, the Board confirmed that it was investigating a number of options for its Escode business including a potential sale (Escode review). We currently remain in that process and we will provide a further update in due course. Further to a subsequent announcement on 16 July 2025, the Board confirms that the Group remains in the early stages of a review of all strategic options for its Cyber business should the Escode business be sold, this includes a range of potential outcomes including potential offers for the entire issued and to be issued share capital of the Company, and that no decision has been made regarding which options will be pursued. Our focus remains on operational excellence, innovation and supporting existing and new clients as they navigate an increasingly complex digital threat landscape. In closing, I would like to thank our colleagues, clients and partners for their continued trust and support. Together, we are building a stronger, more resilient NCC Group, well positioned for sustainable growth and long-term success.
In Escode, we: • Reorganised our sales structure by industry verticals to deliver deeper sector expertise and create greater value for customers in finance, critical infrastructure, and commercial markets • Established a dedicated new customer acquisition team focused on ideal customer profiles within our priority growth sectors in the UK and US • Expanded our software verification offering to include fully independent builds of cloud-hosted solutions, ensuring greater reliability and trust • Broadened our regional presence with an extended market focus into the Middle East In Cyber Security, we: • Invested in strategic sales capability • Enhanced client propositions with embedded technology • Put foundations in place for global account management to deepen relationships and unlock revenue opportunities • Have improved Management Informationwith our global sales operation • Have fully implemented global scheduling, timesheets and pricing tools • Have fully separated Fox DetACT and Fox Crypto These actions are already delivering results, an improved sales pipeline visibility, deeper client engagement and a positive shift in revenue mix towards higher value, recurring contracts. We remain focused on further evolving our sales model to ensure stronger linkage between sales execution and service delivery, and to drive deeper penetration in our priority sectors globally: financial services, insurance, healthcare, industrials, and the public sector. Operational highlights • Transformation: Continued progress in repositioning the Cyber Security business towards higher value, recurring revenue streams, supported by a single technology stack and scalable global delivery • Strategic partnerships: Recognition from key partners, including Splunk and Microsoft, underscores our reputation as a trusted advisor and innovator • Talent: Our ability to attract and develop top cyber talent remains a competitive advantage, supported by our academy and training programmes • Escode: The business continues to deliver consistent growth and profitability, with discussions regarding its future strategic direction ongoing • Public Research: Our leading technical expertise including Cryptography, Hardware and AI/ML Security was engaged by leading companies including Meta, Whatsapp and Google, to review and publish public reports into their emerging technology Market trends and regulatory landscape The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. Regulatory momentum has intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act, which came into force in December 2024 and the UK’s AI Cyber Security Code of Practice will embed secure-by-design requirements up through the software supply chain, while NIS2, DORA and sector-specific requirements in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by similar requirements in the US, Australia and APAC, signalling a global consensus for higher standards. Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group’s recognised contribution to the UK government’s AI and CRA initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services.
Mike Maddison Chief Executive Officer 11 December 2025
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 7
Made with FlippingBook Online newsletter maker