Annual Report (ESEF) • Jan 9, 2025
Preview not available for this file type.
Download Source File213800DJCGZRB65239342023-06-012024-09-30iso4217:GBPxbrli:sharesiso4217:GBP213800DJCGZRB65239342022-06-012023-05-31213800DJCGZRB65239342024-09-30213800DJCGZRB65239342023-05-31213800DJCGZRB65239342022-05-31213800DJCGZRB65239342023-09-30213800DJCGZRB65239342022-05-31ifrs-full:IssuedCapitalMember213800DJCGZRB65239342022-05-31ifrs-full:SharePremiumMember213800DJCGZRB65239342022-05-31ifrs-full:MergerReserveMember213800DJCGZRB65239342022-05-31ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342022-05-31ifrs-full:RetainedEarningsMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:IssuedCapitalMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:SharePremiumMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:MergerReserveMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342022-06-012023-05-31ifrs-full:RetainedEarningsMember213800DJCGZRB65239342023-05-31ifrs-full:IssuedCapitalMember213800DJCGZRB65239342023-05-31ifrs-full:SharePremiumMember213800DJCGZRB65239342023-05-31ifrs-full:MergerReserveMember213800DJCGZRB65239342023-05-31ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342023-05-31ifrs-full:RetainedEarningsMember213800DJCGZRB65239342023-06-012024-09-30ifrs-full:IssuedCapitalMember213800DJCGZRB65239342023-06-012024-09-30ifrs-full:SharePremiumMember213800DJCGZRB65239342023-06-012024-09-30ifrs-full:MergerReserveMember213800DJCGZRB65239342023-06-012024-09-30ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342023-06-012024-09-30ifrs-full:RetainedEarningsMember213800DJCGZRB65239342024-09-30ifrs-full:IssuedCapitalMember213800DJCGZRB65239342024-09-30ifrs-full:SharePremiumMember213800DJCGZRB65239342024-09-30ifrs-full:MergerReserveMember213800DJCGZRB65239342024-09-30ifrs-full:ReserveOfExchangeDifferencesOnTranslationMember213800DJCGZRB65239342024-09-30ifrs-full:RetainedEarningsMember NCC Group plc Annual report and accounts for the period ended 30 September 2024 Annual report and accounts for the period ended 30 September 2024 Focusing on client needs We have made great progress over the past 18 months, transforming the business by focusing on client needs while building the Group’s resilience. Our more focused Cyber Security business returned to growth in the second half to May 2024, with improved sources of recurring revenue with Managed Services performing well, and our Escode business building a track record of growth. We are pleased to see this strategic progress coming through in improved gross margin and Adjusted EBITDA – a key priority for the Group. We continue to focus on our client-centric strategy and notwithstanding macroeconomic factors outside of our control, weexpect to grow in the current financial year and remain confident in delivering our medium-term financial goals. An ever-increasing threat landscape, rapidly evolving technology such as AI, digital adoption and a rise in regulation across the world creates multiple growth drivers for both our Escode and Cyber businesses, and we continue to enhance our capabilities and improve our routes to market to ensure we are the go-to choice for organisations and governments as they build and enhance their cyber resilience.” Mike Maddison Chief Executive Officer In this report NCC Group is a people-powered, tech-enabled global Cyber Security and software escrow business. We harness our collective insight, intelligence and innovation to power end-to-end cyber services that protect our clients from cyber threat. Strategic report 1 Highlights for the period ended 30 September 2024 2 At a glance 4 Chair’s statement 6 CEO’s review 8 Our business model 10 Market outlook 12 Our strategy at a glance 14 Stakeholder engagement 16 Sustainability 29 Risk management 39 Viability statement 40 Financial review Governance 52 Chair’s introduction to governance 55 Governance framework 56 Board of Directors 58 Board composition and division of responsibilities 66 Shareholder engagement 67 Audit Committee report 74 Nomination Committee report 77 Cyber Security Committee report 79 Remuneration Committee report 101 Directors’ report 105 Directors’ responsibilities statement Financial statements 106 Independent auditors’ report 112 Consolidated income statement 112 Consolidated statement of comprehensive income 113 Consolidated balance sheet 114 Consolidated cash flow statement 115 Consolidated statement of changes in equity 116 Company balance sheet 117 Company statement of changes in equity 118 Notes to the Financial Statements Additional information 174 Glossary of terms – other terms 176 Other information IBC Financial calendar Intelligence Insight Innovation It’s in our DNA It’s what makes us different. A part of who we are that underpins everything we do. View our latest results: nccgroupplc.com Highlights for the period ended 30 September 2024 1 Revenue at constant currency, Adjusted EBITDA, Net (debt)/cash excluding lease liabilities, Adjusted operating profit and Adjusted EPS are APMs and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. Further information is also contained within the Financial Review on pages 40 to 51. 2 After reconsidering FRC best practice guidance around the disclosure of adjusting items and APMs, the Group has reduced the number of adjusted measures and items. The Group now only has one adjusted item ‘Individual Significant Items’. Previous adjusted items of amortisation of acquisition intangibles and share-based payments are no longer disclosed as an adjusted item. Accordingly, comparative numbers have been restated. For further detail, please refer to the Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 3 (Loss)/profitbeforetaxationisafteranimpairmentof£31.9minrelationtotheNorthAmericaCybersecuritybusinessduetoitshistoricalperformance. Headlines Revenue (£m) £429.5m Net (debt)/cash excluding lease liabilities 1 (£m) £(45.3)m Adjusted operating profit (restated) 2 (£m) £22.3m Adjusted EPS (restated) 2 (p) 3.4p Basic EPS (p) (10.4)p 270.5 22 22 22 22 22 22 20.5 2.5 9.6 2.3 263.7 21 21 21 21 21 21 (27.5) (10.4) 20 20 20 20 20 20 24 24 24 24 24 24 429.5 (49.6) (52.4) 16.6 2.8 (1.5) 23 23 23 23 23 23 314.8 335.1 83.3 30.0 35.6 7.0 7.7 14.8 31.0 7.4 3.6 (Loss)/profit before taxation 3 (£m) £(27.5 )m IFRS measures Alternative Performance Measures • Strategic execution is transforming the business, with improved grossmarginsandAdjustedEBITDA 1,2 margins • Groupgrossmarginimproved+2.0%ptsto41.4%in12months to31May2024and+6.5%ptsto42.2%infour-monthperiodto 30 September 2024 • CyberSecuritygrossmarginimproved+2.4%ptsto34.2% inthe12monthsto31May2024and9.5%ptsto35.5%in the four-month period to 30 September 2024 compared to the 4-month period to 30 September 2023 driven by continued efficiencies • Escodegrossmargindeclined1.6%ptsto69.8%inthe 12monthsto31May2024and3.1%ptsto68.4%inthe four-month period to 30 September 2024 due to investment in the sales team for future growth • GroupAdjustedEBITDA 1,2 marginimproved+1.3%ptsto13.0% inthe12monthsto31May2024and+7.1%ptsto9.0%inthe four-month period to 30 September 2024 • Unaudited proforma 12 months trading to 30 September 2024 (including non-core disposals) shows similar improvements in CyberSecuritygrossmarginsandGroupAdjustedEBITDA 1,2 • Cyber Security gross margin in H2 September 2024 improved+9.2%ptsto37.5% • GroupAdjustedEBITDA 1,2 marginimproved+5.5%ptsto 15.1%(£49.7m) • CyberSecurityreturnedtoconstantcurrency 1 revenue growth of+6.0%inthe6monthsended31May2024(actualrates +4.7%)againstthecomparablepriorperiod(sixmonthsto 31May2023).CyberSecurityrevenueatconstantcurrency 1 declinedforthe12monthsended31May2024by2.2%(actual rates(4.5%)).Thefour-monthperiodto30September2024 experiencedrevenuegrowthof+7.6%atconstantcurrency 1 (actualrates+6.0%) • Escode has now delivered sustained revenue growth through seven quarters and the four-month period to September 2024 • The Group has a strong pipeline of opportunities, and management is pleased with the foundations put in place through strategic actions taken in the period. In line with the wider market, the Group has recently seen a lengthening of sales cycles, in particular across the Cyber business, compared to H2 to May 2024 and also the four-month period to September 2024. In spite of this, management expects to deliver profitable growth across both businesses in the current financial year to 30 September 2025, with flat to low single digit revenue growth and modest Group Adjusted EBITDA gains (after adjustment for the non-core disposals and share-based payments) and remains confident in delivering the Group’s medium-term financial goals (4.2) (4.3) (45.3) 22.3 3.4 NCC Group plc—Annualreportandaccountsfortheperiodended30September2024 1 Strategic report At a glance We protect the development, supply and use of business critical IP, technology and software applications ensuring: • Buyers are safeguarded from supplier failure, software vulnerabilities and unforeseen technology disruption • Clients have confidence in the business continuity and risk mitigation of on-premise and/or cloud software solutions • Security of long-term availability of business critical software data and applications • Verification of the software held in escrow can be replicated from the original source should it ever be needed NCC Group is made up of two distinct businesses – Cyber Security and our software escrow business, Escode – both working with the world’s leading companies and governments, operating across multiple sectors, geographies and technologies. We demystify cyber and ensure clients: • Understand the cyber threats and vulnerabilities across their technology environments, supply chains, processes and products • Maintain their licence to do business, having achieved their governance, compliance and accreditation objectives in a changing regulatory environment • Materially improve their resilience against ever- increasing cyber threats by implementing remediation plans and solutions • Reduce risk and achieve greater resilience for less investment • Can improve their cyber defence operations and increase their confidence in detecting and responding to cyber events What we do Cyber Security Escode The trend of technological change within increasingly complex, connected ecosystems means cyber threats continue to evolve and grow at pace, as does the risk of disruption posed by failure in the supply chain. We bring decades of experience and expertise to help our clients be proactive in resilience and counteract threats, manage disruption as usual and comply and prepare for the ever-expanding regulations relevant to their business. We are driven by a collective purpose – working together to help create a more secure digital future. For more information visit our Cyber Security website: nccgroup.com For more information visit our Escode website: escode.com NCC Group plc —Annualreportandaccountsfortheperiodended30September20242 Group revenues UK and Asia Pacific £209.8m (2023: £144.2m) North America £136.2m (2023: £133.8m) Europe £83.5m (2023: £57.1m) We operate as one global business, with in-country delivery tailored to local needs and cultures, as well as a global delivery team to respond quickly to our clients’ challenges. We have a significant market presence in the UK, Europe and North America, and a growing footprint in Asia Pacific, with offices in Australia and Singapore, and our new office in Manila, the Philippines. Our offices Key: Where we operate Cyber Security revenue £342.1m (2023: £270.8m) • TechnicalAssuranceServices(TAS):£141.4m(2023:£142.9m) • ConsultingandImplementation(C&I):£55.2m(2023:£44.7m) • ManagedServices(MS):£91.8m(2023:£50.1m) • DigitalForensicsandIncidentResponse(DFIR):£20.6m(2023:£13.5m) • Other services: £33.1m(2023:£19.6m) Escode revenue £87.4m (2023: £64.3m) • Escrow contracts: £57.2m(2023:£42.8m) • Verification services: £30.2m(2023:£21.5m) NCC Group plc—Annualreportandaccountsfortheperiodended30September2024 3 Strategic report Chair’s statement Delivering value Introduction As Chair of NCC Group it is with pride that I report a solid period of transformational performance both strategically and in operational efficiency. The Board has focused on supporting the NCC Group management team to rebuild confidence and deliver sustainable shareholder value. Improvements in gross margin (41.6%) are driven by increased utilisation through rigorous resource allocation and planning, and overall a more commercial approach to the business. While moving from an international group of businesses to a global business takes time, it is pleasing to see over the past 18 months, making progress to deliver even greater returns and create an end-to-end value adding Cyber Security service for clients. Strategic progress The decision to create two distinct businesses and dispose of non-core assets has helped make NCC Group a simpler business to understand, but also improved how we report our results. During the period we launched the newly branded software escrow business as Escode, focusing on positioning this as a standalone business within the Group – highlighting the pioneering history of the service by NCC Group. This was brought to life at NCC Group’s first ever Capital Markets event in April at the London Stock Exchange in London. The Escode management team shone a light for the first time on what it does, how it does it and why the future is bright. With seven quarters of growth and growth in our four month stub period, and with further planned growth, it’s clear this business is definitely back on track. This event paved the way for a similar deeper dive into the Managed Services business, a strategic growth opportunity for the Group’s cyber offering. The hybrid event, hosted at the London Stock Exchange, enabled over 60 investors and analysts to interact with the management team and understand the drivers of growth as well as the proposition for clients. Of course, a highlight for the Group was the successful and formal launch of our newest operations based in Manila, the Philippines. The flawless execution of the plan, the calibre of talent and the support of our clients and local partners have given this the very best of starts. We’re seeing real growth at this early stage and it’s quickly been embraced as part of the wider Group. We saw the disposal of the Fox Crypto business for a total consideration of c.£66m to CR Group Nordic AB, which is now expected in FY25 due to standard regulatory approvals and the Fox DetACT business to DataExpert BV for a total gross consideration of c. £8m, which completed on 30 April 2024. These disposals enable the Fox business to focus on its core Cyber Security services in Europe as part of the broader global delivery operating model. Further details on our strategy and business model are provided on pages 12 and 13 and pages 8 and 9 respectively Talent and culture Last year was tough for everyone and, on behalf the Board, I want to give my thanks to colleagues across the Group for their passion and dedication and the significant role they’ve played in driving our business forward. Client feedback and the contracts that our teams are securing continue to demonstrate the value of NCC Group’s technical expertise in both software resilience and Cyber Security. Internally we’ve seen engagement scores increase steadily and the investments we are able to make now will continue our drive to become the employer of choice. Further details on our people are provided on page 18 Commitment to ESG Sustainability is important to our clients, who trust us to help secure their digital assets; it’s important to our colleagues, who are critical to the value we bring to our clients; and it’s important to our shareholders, who entrust their investments to NCC Group. That is why we embed sustainability into how we work – from our business strategy to our people policies to our governance. This period has seen an increased focus on both environmental and social value. We’re preparing to map the Group’s transition to net zero and contributing to the broader community social value opportunities in addition to investing in the Group’s people proposition. 4 NCC Group plc —Annualreportandaccountsfortheperiodended30September2024 Board and governance matters It is the role of the Board to uphold the principles of the UK Corporate Governance Code and how we do this is laid out on pages52to66.IamresponsiblefortheleadershipofourBoard and am pleased with the contribution we make, providing the right level of challenge to the Executive Directors and broader management team, and counsel where required. Chris Batterham, one of our Independent Non-Executive Directors, stepped down from the Board on 30 November 2023, after eight and a half years’ service. On behalf of the Board, I would like to thank Chris for his commitment and work over this time. The Board made a number of key decisions this period in line with corporate reporting best practice and the re-focusing of the Group. After considering Financial Reporting Council best practice guidance around the disclosure of adjusting items and APMs, the Group reduced the number of adjusted measures and items. The Group now only has one adjusted item, Individually Significant Items. Previous adjusted items of amortisation of acquisition intangibles and share-based payments are no longer disclosed as adjusted items. See Appendix 2 to the financial statements To drive greater efficiency in our corporate reporting and audit process, the Board changed the year end of the Group from 31 May to 30 September. As a result, the Group announced H2 2024 results and the 12 months’ trading to 31 May 2024 on1August2024.Inaddition,the16months’tradingto 30 September was announced on 10 December 2024. To support our continuing work to build good analyst relations, a pro forma was issued to analysts to aid their modelling. Earlier this year, alongside the Chair of the Group’s Remuneration Committee and Non-Executive Director, Jennifer Duvalier, we engaged eight of our top investors in proposals for our 2025 Remuneration Policy. The previous Policy was approved at the 2021 AGM with a three year life. Since that time, we have seen significant change among our executive team, including the appointment of Mike Maddison and Guy Ellis as CEO and CFO respectively, who are leading the forward drive of the Group. In this context, the Remuneration Committee felt it was important to test whether our Policy on executive reward was fit for purpose in the medium to longterm.Youcanreadmoreaboutthisonpages79to100. Further details on our Board composition are provided on pages 58 to 65 Dividend Totaldividendsof£14.5mwerepaidintheperiod(2023:£14.5m). The Board is proposing a final dividend of 1.5p per ordinary share. This is equivalent to the interim dividend previously paid albeit for the final four month period ending 30 September 2024. The final dividend of 1.5p per ordinary share, which, together with the interim dividends of 3.15p and 1.5p per ordinary share paid on 4 October 2024 and 15 March 2024 respectively, makes atotaldividendof6.15pfortheperiodended30September2024. The final dividend will be paid on 4 April 2025, subject to approval attheAGMon28January2025,toshareholdersontheregisterat the close of business on 21 February 2025. The ex-dividend date is 20 February 2025. Summary Overall the Board is pleased with continuing progress and the investments being made to build a sustainable future for this business. The resilience of the management team and colleagues is admirable and working together we are fully focused on continuing to build shareholder value. The strategy continues to serve us well, we are the world leader in software escrow and we are well on our way to becoming the leading independent Cyber Security provider globally. We do not rest on our laurels; we continue to step forward, seeking opportunities to realise efficiencies to improve the client proposition and experience, and work towards being the leading employer in our industry. Finally, I would like to personally thank all of our clients who have trusted us with such important work on their behalf, and also thank all of our colleagues who have chosen to build their careers with NCC Group. We do not take any of these relationships for granted, and we are grateful for their continuing trust. Chris Stone Non-Executive Chair 10 December 2024 NCC Group plc—Annualreportandaccountsfortheperiodended30September2024 5 Strategic report CEO’s review Focusing on client needs whilebuilding the Group’sresilience Market economics Reflecting on our overall growth in the past financial period we continue to focus on our client-centric strategy and notwithstanding macroeconomic factors outside of our control, we remain confident in delivering our medium-term financial goals. As a proof point of the early part of our transformation activities, our efforts to move from a group of disparate international businesses delivering locally to clients into a global operating model have driven efficiencies and importantly sustainable gross margin improvement. The successful implementation of our office in Manila and our ability to attract and onboard fantastic talent there, has enabled us to expand our global capability and offer more options to our clients, and as a result, we are winning work we wouldn’t have been able to bid on previously. All of this is critical to create a more resilient business particularly given the lengthening of sales cycles we are currently experiencing, in line with the wider market. Other market factors impacting revenue growth include: • Clients are looking for higher levels of assurance during their procurement processes, which have greater scrutiny and oversight from within organisations. Equally, certain clients still require volume assurance activities, testing infrastructure and applications at the appropriate price points. • As we move the balance of our business to higher value, longer term contracts such as those in Managed Services, there is typically a longer buying cycle than a standalone service such as testing, which is more transactional in nature. • While spending has not stopped, we are seeing security leaders compete for budget with other spending priorities in their organisations and cyber security is not immune from the cost pressures experienced by other departments. Equally when business projects are suspended the security component is impacted so the economic cycle remains important in terms of demand drivers. In the UK, for example, with a general election and then the narrative relating to the new government’s budget, we have seen a relative cooling in buying activity, and a resulting pause in spend . In North America, Technology sector spending has not returned to the levels seen during or immediately after the Covid-19 pandemic, however while we are making progress into other verticals which are at a lower spending scale than the tech sector. I’d like to start my review of the past 18 months with a tribute to NCC Group’s colleagues around the world. The depth of technical expertise in this business continues to be truly inspiring and I know it’s valued by our clients too. As we continue to go through, significant change, against a backdrop of an ever evolving macro political and economic environment, and the focus and determination to succeed of all our colleagues is really at the heart of our progress. I’m pleased our strategy to transform the business to make it simpler and more agile is beginning to pay off. We are laser focused on our clients, helping to create a more secure digital future through the work we do across our cyber and software escrow businesses. Our clients trust NCC Group with their critical digital assets, and it’s something we will never be complacent about. As a result of greater commerciality within the organisation and our increasingly global ways of operating, we achieved the goals we set out in the financial framework at the start of the period, delivering greater value at improved price points for our clients. We delivered £10m of annualised savings, improved our net debt position by divesting non-core assets in our Dutch cyber business (with completion expected early in the new calendar year) and finished the 16-month financial year with a strong balance sheet – paving the way for future inorganic growth investment when the right opportunity presents itself. 6 NCC Group plc —Annualreportandaccountsfortheperiodended30September2024 Market dynamics In the past five years we have seen people continually look to technology to detect and respond to cyber threats, with an increasingly competitive market of providers for managed services. In talking to clients, it’s becoming increasingly apparent that tech or AI-only fatigue is setting in, and what they want is a proven solution and access to experts – this we believe is an opportunity for NCC Group as we go forward into 2025. As revealed in our Digital Dawn report, governments around the world are shifting responsibility for Cyber Security away from end users onto the providers of the technology, infrastructure and services that we all rely on. In particular, the US National Cybersecurity Strategy has given rise to the commitment from 183companies,includingtechgiantsMicrosoft,AWSandCisco, to build stronger security into their software from the start of development (secure-by-design). In the UK, the government has announced a new Code of Practice for software vendors and an AI Cyber Security Code of Practice (in consultation), developed in conjunction with industry experts like NCC Group, that will help to ensure secure-by-design principles are embedded in software and AI from the outset. Lookingahead,theEU’sCyberResilienceAct(CRA)ispoised for adoption. The CRA will be more ambitious than the recent UK Product Security and Telecommunications Infrastructure Regime(PSTI),introducingCyberSecurityrequirementsfora substantial portion of hardware and software sold within the EU. This includes risk assessments, vulnerability handling processes and incident reporting. Countries in the EU are also implementing the Network and InformationSecurityDirective(NIS2)intonationallaws,which will require more critical infrastructure sectors to comply with strengthened cyber security and incident reporting requirements. In addition, the US and Australia are taking similar approaches, underscoring the international commitment to safeguarding consumers from modern cyber risks. What is key from all these developments is that whether you are manufacturing or producing technology, including emerging technologies such as AI, or owning and operating an increasing spectrum of critical infrastructure, governments have strengthened the cyber security requirements companies need to adhere to, making it crucial to review and update security programmes to future-proof investments. Securing the digital future through our clients In terms of how this plays out against our cyber proposition, while Technical Assurance demand changes with less demand for volume assurance, this is being replaced by requirements for specialist skills such as Regulatory Testing or AI assurance as well as growth in our other capabilities that we’ve strategically invested in to create a full cycle offering for clients. The stand-out is Managed Services, which we detailed at our Capital Markets eventinJune2024,withIdentityandAccessManagement(IDAM) and Operational Technology demand increasing. IDAM underpins digital transformation and early signals are positive – with the rail sector being a particularly strong sector for these services. We continue to work with TikTok as their independent third-party security provider of ongoing managed security services for TikTok’s security gateways, performing real-time monitoring to identify and respond to anomalous activity and helping to ensure the continuous integrity of its security controls operations. This again demonstrates how the Group can provide end-to-end capabilities across the whole of the cyber lifecycle. We’ve also expanded our routes to market through our partner and alliance ecosystem, including SAFE Security, Cycognito and Microsoft, as well as securing a global partnership with global enterprise software company Splunk. This led to us being awarded the 2024 Splunk Global Services Market Partner of the Year award as well as the EMEA 2024 Regional Services Partner of the Year award for exceptional performance and commitment to the Splunk partnership. Our software escrow business, which we rebranded to Escode earlier this period, is less impacted by the market economics affecting cyber. Contract sizes have always been much smaller, although we have focused on addressing the lack of historical pricing management, and while there is improvement in revenue as a result of this, the growth is also driven through increased verification services. As outlined at the Escode Capital Markets event in April 2024, our Escode investment case is clear and as a leading global player in software escrow, the business is well positioned for growth. The growth levers include adding further value to our customer proposition, expanding into additional verticals (for examplecriticalinfrastructure)andgeographies(Australia), increasing awareness and education, working with regulators to influence regulation globally and continuing to build out our product offering. Business performance Ourstatutoryresultscomparea16-monthperiodtoa12-month period following our change in year end and further details of this performance can be found within the Financial Review. If I turn to our recent trajectory and our unaudited four-month and 12-month periods to 30 September 2024, these show encouraging results and demonstrate Escode revenue momentum and a return to Cyber Security revenue growth. We have improved our Cyber gross margins while experiencing a reduction in Escode gross margins due to investment in the sales team for future growth. All of this has translated to improved Group Adjusted EBITDA margins, with the 12 months to 30 September 2024 obtaining midteengroupmargin(+15.1%)inlinewithourmedium-term ambitionssetout18monthsago. Further details on our business performance are provided on pages 40 to 51 Moving into the next phase of our transformation We are clear on what we need to do in each of our divisions as we continue to simplify our business enabling us to deliver profitable growth and sustainable gross margin improvement. Outlook The Group has a strong pipeline of opportunities, and management is pleased with the foundations put in place through strategic actions taken in the period. In line with the wider market, the Group has recently seen a lengthening of sales cycles, in particular across the Cyber business, compared to H2 to May 2024 and also the four-month period to September 2024. In spite of this, management expects to deliver profitable growth across both businesses in the current financial year to 30 September 2025, with flat to low single digit revenue growth and modest Group Adjusted EBITDA gains (after adjustment for the non-core disposals and share-based payments) and remains confident in delivering the Group’s medium-term financial goals. Mike Maddison Chief Executive Officer 10 December 2024 NCC Group plc—Annualreportandaccountsfortheperiodended30September2024 7 Strategic report Our business model We draw on our expertise, capabilities and global footprint to develop solutions tailored to sectors most at risk to meet current and future cyber and software resilience challenges. We reset our strategy in February 2023 and continue to transform and evolve, focused on and driven by our clients’ needs. Read more on market outlook on pages 10 and 11 Sustainable growth strategy In a fast-moving and complex environment, our strategy puts clients’ needs first, with a roadmap of investments designed to develop future capabilities and a global delivery model to provide clients with the best solution. People powered, tech enabled We are a diverse global community of talented and creative individuals, working together and united by the same goal – to make the digital world safer and more secure. Culture of innovation Withourrootsstretchingbacktothe1990s we have a track record of being at the cutting edge of innovation. NCC Group was created in1999whentheNationalComputingCentre sold its commercial divisions to its existing management; from there we continued to grow through acquisitions. And while history is important, so is the future, with innovation, insights and intelligence the core elements of our DNA. Stronger partner relationships We are active members of the global cyber community, working in collaboration and in partnership with key industry players. Many successful global partnerships have delivered integrated, seamless solutions to clients. Market-leading reputation We understand our clients’ challenges and the risks to their businesses. We continually enhance our global delivery model to bring our insights, intelligence and innovation together to help clients understand and improve their cyber resilience posture. Read more on our strategy on pages 12 and 13 Transforming for global growth Inputs We are a global Cyber Security company trusted by the world’s leading companies and governments to help create a more secure digital future. We provide clients with a clear understanding of cyber threats and vulnerabilities. We help them maintain their licence to operate, by achieving governance, compliance and accreditation objectives. By implementing remediation plans and solutions, we enhance their resilience against cyber threats. We offer the option to outsource cyber defence operations, as well as complementing existing resources, to reduce risk, achieve greater resilience and give confidence in detecting and responding to cyber threats. For more information visit our Cyber Security website: nccgroup.com Cyber Security Two distinct businesses ALL TYPES OF PENETRATION TESTING INCLUDE RESPONSES TO RANSOMWARE CONSULTANCY SERVICES ACROSS ALL INDUSTRIAL VERTICALS INSIGHT INNOVATIONINTELLIGENCE COVER ALL VARIATIONS OF OUTSOURCED SECURITY OPERATIONS SERVICES M A N A G E D S E R V I C E S D I G I T A L F O R E N S I C S A N D I N C I D E N T R E S P O N S E I M P L E M E N T A T I O N C O N S U L T I N G A N D T E C H N I C A L A S S U R A N C E CYBER SECURITY 8 NCC Group plc —Annualreportandaccountsfortheperiodended30September2024 Colleagues Our colleagues are at the forefront of our industry, developing and delivering solutions that protect clients and society from the growing threat of cyber-crime. We are people led and technology enabled, and our people strategy is focused on creating a culture where everyone can be successful, from our inclusive culture to our personal and professional development programmes and our focus on enhancing the colleague experience. Read more on our sustainability strategy: nccgroupplc.com/sustainability Clients Our Cyber Security and software escrow solutions enable clients to confidently innovate and embrace new technologies, and build responsible, sustainable and resilient organisations that thrive and succeed. Our network We engage proactively to ensure our insights and vision deliver the best societal outcomes in support of our purpose to create a more secure digital future for all. We work within a cyber ecosystem, bringing partners together in support of our clients as well as with policymakers and regulators to help shape future cyber policy. Shareholders We have a dedicated Investor Relations programme providing shareholders and financial analysts with regular updates on our performance. Engagement activities include results presentations, roadshows with the CEO and CFO, Capital Markets events, site visits and RNS and email updates. Read more on stakeholder engagement on pages 14 and 15 Value creation Specialist solutions that protect business critical IP, technology and software applications. Our proposition safeguards buyers from various risks, provides robust business continuity, secures long-term availability of essential business software, and offers assurance and guidance for application management. And with our Escrow-as-a-Service proposition, we facilitate a secure transition to the cloud, enabling clients to adopt cutting-edge technology with confidence. For more information visit our Escode website: escode.com Escode Two distinct businesses INSIGHT INNOVATIONINTELLIGENCE ESTABLISH LEGAL RIGHT AND ENABLE SOURCE CODE TO BE ACCESSED IN EVENT OF AN APPROVED RELEASE KNOWLEDGE TRANSFER TO ENSURE ALL INFORMATION RELATED TO THE ORIGINAL BUILD IS SHARED – FROM TOOLING TO PRODUCTION ENVIRONMENT BUILD AND DEPLOY AGAINST A RANGE OF SCENARIOS TO TEST THAT THE SOFTWARE CODE HELD IN ESCROW CAN BE REPLICATED IN THE EVENT OF AN APPROVED RELEASE S O F T W A R E E S C R O W V E R I F I C A T I O N S E R V I C E S ESCODE Strategic report 9NCC Group plc —Annualreportandaccountsfortheperiodended30September2024 Operating in a dynamic market Our new normal of near-constant digital disruption and ever-escalating cyber threats has become the defining marker of organisations’ operating environment in the 21st century. It is also the driving force for governments globally taking a firm stance when it comes to more interventionist cyber rules and regulations. Indeed, as we found when we commissioned transatlantic pollstersJ.L.Partnerstoaggregateandanalysedataonpublic views regarding online safety, Cyber Security and governments’ role in governing technology: • Citizens around the world are intensely concerned about cyber threats • Citizens globally agree that their governments have a role to play in making them feel secure in today’s digitally interconnected world, and delivering the expected levels of cyber resilience in the critical services and infrastructure they rely on Market outlook NCC Group’s Digital Dawn report summarised the findings of interviews with policymakers around the world, and provided recommendations for governments on how to meet their citizens’ desire for safety and security. We found that while lawmakers still struggle to keep pace with the speed of technological evolution, they are up for the challenge to provide the trust and confidence that need to underpin prosperous economies and cohesive societies in the digital age. View our Digital Dawn report: nccgroup.com/uk/newsroom/ncc-group- urges-governments-to-get-on-the-front-foot-in-new-cyber-security- policy-report As governments are responding to their people’s demands, we are looking ahead to an era of government action in cyberspace. This will continue to shape the markets we, our clients and our partners operate in and, more broadly, the world we, and our colleagues, friends and families live in. While individual regulatory requirements will, of course, matter to organisations in securing their licence to operate, we believe that this era of government action goes beyond specific Acts of Parliament, executive orders, regulations or directives. We believe that it is important to make sense of the complexity of multiple, and sometimes overlapping, regulations to identify common themes and overarching trends that set the rules of the road for years and decades to come. As we demonstrate in our bi-annual Global Cyber Policy Radar, we believe that regulatory insights and political horizon scanning should inform sustainable cyber investments and future-proof strategic Cyber Security programmes and decisions. View our Global Cyber Policy Radar: nccgroup.com/uk/global-cyber- policy-radar NCC Group plc —Annualreportandaccountsfortheperiodended30September202410 We are fortunate that our unique DNA of insight, intelligence and innovation, our valued contributions to cyber policy debate, and our position at the heart of the global cyber ecosystem allow us to look to the big developments on the horizon: 1. Tightening cyber rules, continued cyber rulemaking and a growing patchwork of rule makers beyond governments Cyber rules for critical infrastructure, and its critical suppliers, continue to be tightened and expanded. Whether it’s the European NIS2 Directive, the UK’s forthcoming Cyber Security and Resilience Bill, the US CIRCIA, Australia’s SOCI Act or Singapore’s updated Cybersecurity Act, laws are being updated to: • Strengthen security requirements, include additional obligations for owners and operators of critical infrastructure, and step up enforcement action • Bring into scope new sectors of the economy • Introduce enhanced incident reporting mandates, with a view to improving authorities’ real-time understanding of threats and resilience Following the multiple elections around the world in 2024, cyber rulemaking is set to continue, too, with a particular focus on future safety, security and privacy rules for emerging technologies like artificial intelligence. While governments are increasingly seeking to harmonise cyber rules across sectors and across borders, remaining fragmentation and barriers to implementation do mean that regulated organisations will have to continue to navigate complex regulatory regimes for some time to come. This landscape is further complicated by the increased number of bodies with the authority to set cyber rules. It is no longer just lawmakers and regulators, but government procurement departments, political leaders and the courts that are using their soft power to encourage and incentivise better Cyber Security behaviours. Whether it’s voluntary codes of practice, public pledge documents, or Supreme Court rulings and legal challenges, organisations will have to look across the landscape to get the full picture of the rules of the road. 2. Changing responsibilities for Cyber Security There is emerging global consensus about the future shape of the “whole of society” approach to Cyber Security. Most governments agree that responsibility should be placed on those most capable of taking action to prevent bad outcomes, not on end users. The US National Cybersecurity Strategy marked a step change in the rhetoric from the federal government, signalling that “the most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem”. Similar statements have been made by governments around the world, with many using regulatory levers to embed secure-by-design and secure-by-default practices into the services and products citizens and organisations rely on to participate in a digital society. This also includes the introduction of new voluntary and mandatory measures, such as the EU’s Cyber Resilience Act, that is set to enhance hardware and software security standards, covering connected devices, ICT products and generative AI systems. 3. Increasing executive accountability for cyber risk Governments are taking action to ensure that company boards and senior leadership are ultimately held accountable for their organisation’s digital resilience. The EU’s flagship cyber laws – NIS2andDORA–bothplacespecificobligationsonorganisations’ senior leadership to oversee risk management programmes. Leadershipcanbeheldpersonallyliable,withconsequences for non-compliance including temporary suspension from senior management roles. Meanwhile, the US Security Exchange Commission’s(SEC)requirementsforpubliccompaniesto disclose their board’s Cyber Security expertise and oversight of cyber risks are now in full effect. With responsibility for cyber risk firmly placed on senior leaders, it is critical that organisations’ C-suites and boards have the information they need to make, justify and defend decisions about their organisation’s cyber strategy. 4. Safeguarding future cyber capabilities at home and abroad NCC Group’s Digital Dawn report concluded that “much needed cross-border collaboration amongst allied nations to tackle cyber threats is ramping up”. At the same time, governments are taking steps to balance sovereignty, security and economic considerations when considering their own nations’ Cyber Security capabilities. Recognising that they, in isolation, cannot tackle the world’s cyber threats, we have seen an uptick in governments seeking partnerships and taking joint action with private sector partners. With trust fundamental to the global whole of society approach to cyber, and the cyber industry an increasingly critical pillar of a digital future, efforts are being made to certify and accredit cyber firms to give governments measurable assurance that they can be trusted. Undertakings such as the EU’s Cyber Reserve of cyber incident responders may mean that organisations will have to demonstrate to government that they can be trusted – but could also benefit from governments creating a pool of trusted providers for them to choose from. Governments are also cracking down on the use of offensive cyber tools. This includes initiatives like the global Pall Mall Process, which aims to tackle the irresponsible use of commercial cyber intrusion capabilities. Policymakers have emphasised their intent to safeguard the legitimate use of these kind of capabilities, but poorly crafted rules may affect CISOs’ ability to access these tools, impeding their ability to implement their security programmes effectively. It’s therefore critical that industry engages in the making of these rules from the outset. The era of government action in cyberspace is obvious to see. This will have significant implications for our markets and societies, and their underpinning cyber resilience. Driven by our purpose to create a more secure digital future, NCC Group engages with governments around the world, enabling us to understand, navigate and shape the emerging rules of the road. NCC Group plc—Annualreportandaccountsfortheperiodended30September2024 11 Strategic report Progress towards ourstrategic priorities Our strategy at a glance Strategic priority Progress in FY24 Future outlook Link to risks: Read more on our risks on pages 29 to 38 Our clients Deeper client engagement on the most pressing Cyber Security and software escrow needs • LaunchedmarketstructureinNorthAmericacybertoenablesharper focus on key sectors • Activated a price uplift on Escode contracts (new business and renewals) and verifications • Began to scale Escode in North America and Australia • Continue to reduce concentration in US Tech through a focus on Financial Services and Insurance, Industrials, Healthcare and the Public Sector globally • Continue to grow Escode in North America and Australia, as well as Critical Infrastructure • Embed a new approach to sales in Escode that enables greater alignment in sales and operations A Strategy B Cyber and information security D People and partners E Market and competition F Brand and reputation G Quality and delivery H Legal, regulatory compliance and governance Our capabilities Offering broader service portfolio addressing the full Cyber Security lifecycle • In Managed Services we launched our unified cyber platform to elevate our MXDR proposition and offer a differentiated service that’s tech-flexible, and can scale and grow with clients and their technology or business changes • Established two new Consulting and Implementation practices in Digital Identity and Operational Technology • Established a range of cyber partnerships and alliances with specific propositions • Continue to drive growth in MS • Further develop the growth of two new Consulting and Implementation practices: Digital Identity and Operational Technology • LeverageourglobalmodeltoimproveprofitabilitywithinourTechnical AssuranceServicesbusiness(inparticularNA) A Strategy B Cyber and information security C Innovation and product development D People and partners E Market and competition F Brand and reputation G Quality and delivery H Legal, regulatory compliance and governance Global delivery Transitioning from an international to a fully global business • Implementedandlaunchedglobalschedulingtool–KantataintheUK, North America and the Philippines • Our new Manila office continues to grow in line with expectations with colleagues operational in delivery and enabling functions • Embed new ways of working to drive efficiencies and better management information(MI) A Strategy B Cyber and information security D People and partners G Quality and delivery Brands Creating distinct and relevant brands for our Cyber Security and Escode businesses • Launchedadistinctnewbrandforoursoftwareescrowbusiness –Escode • Developed our industry analyst programme driving improvements in coverage for both the Cyber Security and Escode businesses • Focused and targeted activity at key industry events for both businesses • Grow thought leadership, research activity and industry engagement in cyber • Continue to increase the profile and impact of analyst endorsements A Strategy C Innovation and product development E Market and competition F Brand and reputation G Quality and delivery FY24 financial framework measures Sustainable revenue growth Improved gross margin Efficient cost base Balance sheet resilience • Returned Cyber Security to growth in H2 • Accelerated growth of recurring revenue in Managed Services • Maintained momentum of quarterly growth in Escode • Improved utilisation % • Globalised technical resource footprint • Delivered c.£5m of efficiencies in Cyber Security in FY24 (annualised c.£10m from FY25) • Annualised Escode efficiencies delivered in FY23 • Strong cash conversion • Reduced debt • Maintained dividend NCC Group plc —Annualreportandaccountsfortheperiodended30September202412 Strategic priority Progress in FY24 Future outlook Link to risks: Read more on our risks on pages 29 to 38 Our clients Deeper client engagement on the most pressing Cyber Security and software escrow needs • LaunchedmarketstructureinNorthAmericacybertoenablesharper focus on key sectors • Activated a price uplift on Escode contracts (new business and renewals) and verifications • Began to scale Escode in North America and Australia • Continue to reduce concentration in US Tech through a focus on Financial Services and Insurance, Industrials, Healthcare and the Public Sector globally • Continue to grow Escode in North America and Australia, as well as Critical Infrastructure • Embed a new approach to sales in Escode that enables greater alignment in sales and operations A Strategy B Cyber and information security D People and partners E Market and competition F Brand and reputation G Quality and delivery H Legal, regulatory compliance and governance Our capabilities Offering broader service portfolio addressing the full Cyber Security lifecycle • In Managed Services we launched our unified cyber platform to elevate our MXDR proposition and offer a differentiated service that’s tech-flexible, and can scale and grow with clients and their technology or business changes • Established two new Consulting and Implementation practices in Digital Identity and Operational Technology • Established a range of cyber partnerships and alliances with specific propositions • Continue to drive growth in MS • Further develop the growth of two new Consulting and Implementation practices: Digital Identity and Operational Technology • LeverageourglobalmodeltoimproveprofitabilitywithinourTechnical AssuranceServicesbusiness(inparticularNA) A Strategy B Cyber and information security C Innovation and product development D People and partners E Market and competition F Brand and reputation G Quality and delivery H Legal, regulatory compliance and governance Global delivery Transitioning from an international to a fully global business • Implementedandlaunchedglobalschedulingtool–KantataintheUK, North America and the Philippines • Our new Manila office continues to grow in line with expectations with colleagues operational in delivery and enabling functions • Embed new ways of working to drive efficiencies and better management information(MI) A Strategy B Cyber and information security D People and partners G Quality and delivery Brands Creating distinct and relevant brands for our Cyber Security and Escode businesses • Launchedadistinctnewbrandforoursoftwareescrowbusiness –Escode • Developed our industry analyst programme driving improvements in coverage for both the Cyber Security and Escode businesses • Focused and targeted activity at key industry events for both businesses • Grow thought leadership, research activity and industry engagement in cyber • Continue to increase the profile and impact of analyst endorsements A Strategy C Innovation and product development E Market and competition F Brand and reputation G Quality and delivery FY24 financial framework measures Sustainable revenue growth Improved gross margin Efficient cost base Balance sheet resilience • Returned Cyber Security to growth in H2 • Accelerated growth of recurring revenue in Managed Services • Maintained momentum of quarterly growth in Escode • Improved utilisation % • Globalised technical resource footprint • Delivered c.£5m of efficiencies in Cyber Security in FY24 (annualised c.£10m from FY25) • Annualised Escode efficiencies delivered in FY23 • Strong cash conversion • Reduced debt • Maintained dividend NCC Group plc—Annualreportandaccountsfortheperiodended30September2024 13 Strategic report Stakeholder engagement Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Colleagues The opportunity • Know they are contributing to our success • Feel confident they have the skills to do their job or are supported to learn on the job • Know what is expected of them through a structured and fair performance management process • Have the opportunity to grow their career through our learning and development offering • Spend quality time with their line manager and feel listened to How we listen and engage • Regular virtual and in-person meetings at different levels in the organisation with line managers and Executives • Internal news and collaboration channels to connect colleagues to what is happening and also enable them to easily share approved content • Electedcolleagueforumsandaworkscouncil(Europe) where appropriate • Quarterly engagement pulse and Non-Executive Director ledengagementsessionswithcolleagues(seepage62) Highlights in 2023/24 • New communication platform launched to provide a tailored electronic communication experience for colleagues, simplifying and making it easy for colleagues to engage • Harmonised moments that matter policies across our global operations, enhancing support for colleagues in areas such as paternity and maternity leave, adoption leave, child loss, and celebrating life events such as marriage • Launchofourfirstinclusionsurvey,tounderstandwhat matters to colleagues most, alongside our bi-annual Glint engagement survey to inform our people strategy We are a people-powered, tech-enabled business and our colleagues around the world each play an important role in helping to make the digital world safer and more secure. Clients The opportunity • Using our research and intelligence expertise to understand the threat and how that affects our customers’ operations in their sector • Using our insights to develop “right-fit” solutions, which improve and enhance our customers’ current and future cyber resilience • The ability to work collaboratively with our clients, and their partners and broader supply chains • Horizon scanning regulations and legislation, and contributing to government consultations based on understanding future market needs How we listen and engage • Active account management • Client satisfaction surveys and complaints procedure in place • Industry collaboration with investment in sector-based approach to understand and mitigate risks of current and future technologies Highlights in 2023/24 • New Escode brand launch including a new website and a renewed sales structure, making it easy for clients to do business with us • LaunchofthenewunifiedcyberplatformforourManaged Services proposition, enabling us to create an elevated MXDR proposition to market that enables us to offer a differentiated service that’s tech-flexible, and can scale and grows with clients, improving service delivery to existing clients as a result • Global delivery model enabling us to offer clients a more competitive pricing model and faster service delivery Rooted in our sector knowledge, we develop solutions tailored to the unique needs of our clients. Bringing our in-depth understanding of the threat and regulatory landscape, we assist our clients in addressing their complex Cyber Security challenges. Investing in stakeholder engagement We believe we have a responsibility to listen to our stakeholders, considering all their needs, and using insights and learnings to improve how we make important decisions. Our Code of Ethics guides us, informing us and helping us to build enduring and trusted relationships. Listeninginsightsareusedtoinformdecisionmakingateveryleveloftheorganisation. NCC Group plc —Annualreportandaccountsfortheperiodended30September202414 Shareholders Network The opportunity • Financial performance • Dividend • Responsible long-term sustainable strategy • Sound corporate governance and stewardship How we listen and engage • Strategic and financial updates issued via RNS Reach and RNS respectively • Regular meetings with Investor Relations, management and Board members • Investor roadshows after the full and half-year results • Open-door policy with investors • AGM Highlights in 2023/24 • HostedCapitalMarketsevents–Escodebusinessand ManagedServices,liveandonlinefromtheLondonStock Exchange with replay via our website too • Changed our reporting of cyber to align with the cyber operations, improving transparency on how our business is performing • LaunchedourFY24financialframeworktodemonstrate performance of the strategy • Onboardedanewjointbroker–Investec–inApril2024,to support the growth strategy and NCC Group’s transformation The opportunity • Building on our technology heritage and our role as trusted advisors to governments and regulators we provide independent, technical expertise to improve cyber resilience policies • By understanding and shaping new and emerging regulations and policy proposals we can develop the right solutions to prepare for our clients’ future needs and requirements How we listen and engage • Building alliances with global think tanks and foundations, trade associations and campaign groups to pool resources, amplify our messages and maximise impact • Strategic relationships with national technical authorities, and support for government initiatives across all our regions through direct engagement • Representation on senior government advisory panels Highlights in 2023/24 • Published Digital Dawn, interviewing policymakers around the world and providing recommendations for governments on how to take cyber resilience to the next level to meet their citizens’ desire for safety and security in the global 2024 election year • Ensured lawmakers heard from our experts in considering Cyber Security rules for artificial intelligence and critical infrastructure, with our Chief Scientist and Chief Technology Officer both providing expert testimony to parliamentary hearings • Signed the global Pall Mall Declaration to tackle the proliferation of commercial cyber intrusion capabilities while protecting their legitimate use – in line with our mission to improve legal protections for security researchers We are committed to engaging with our shareholders, creating an opportunity to understand our business, the market, how we are responding and the opportunity to secure growth. Our expertise plays a pivotal role in shaping evidence-based policy decisions. By adopting a proactive engagement approach, we harness our insights to contribute meaningfully towards a more secure digital society and differentiate ourselves in the market. Suppliers The opportunity • Long-termtrustedpartnershipsfacilitatingsustainable overhead cost reduction and cost of sale margin improvement • Fit for purpose contracts and payment terms, ensuring a safe and responsible supply chain with suppliers delivering to acceptable service levels and protecting NCC Group from any long-term commercial inflation How we listen and engage • Regular meetings are held with key suppliers to help them understand our strategy and future forecasting of service • Due diligence completed at the beginning of our relationship with suppliers and structured onboarding process Highlights in 2023/24 • Secured and mobilised new office in the Philippines • Development of our real estate strategy to provide fit for purpose, quality and productive environments • Development and launch of a new global supplier onboarding and due diligence process to gain better visibility and control of third party risks • Launchofanewtravelsuppliertoimprovecolleagueexperience and safety, reduce costs and enhance Scope 3 reporting We engage with many different suppliers across our global business and value the role our supply chain plays in supporting responsible business operations. Our procurement operations have been endorsed in line with industry best practice and we proactively work with a consolidated supply chain network to drive innovation, deliver commercial value, mitigate risk and improve operational benefit. NCC Group plc—Annualreportandaccountsfortheperiodended30September2024 15 Strategic report A resilient future Sustainability We strive for a resilient future through sustainable business practices, and take responsibility for identifying and managing the impact we have on people and the planet. 2024 highlights • Launched our new and harmonised global family friendly policies, offering enhanced leave programmes from day one of a colleague’s experience within NCC Group • Reduced our office footprint by 40% and extended Scope 3 emissions to include spend-based purchased goods and services and employee commuting • Global re-certification against ISO 9001:2015 and ISO 27001:2013 standards, and successful transition to the new ISO 27001:2022 Information Security Standard ahead of October 2025 deadline Why sustainability matters Sustainability is about doing the right thing in the right way, and this is reflected in our Code of Ethics and embedded into our everyday ways of working. It’s important to our clients, who trust us to help secure their digital assets; it’s important to our colleagues, who are critical to the value we bring to our clients; and it’s important to our shareholders, who entrust their investments to NCC Group, relying on us to deliver returns to their shareholders. It also matters to our political stakeholders who turn to us for trusted and independent advice and insights that improve cyber rules and regulations around the world. We live in a rapidly evolving digital world, where the concept of sustainability extends to how we operate in totality. Not only are we supporting our clients to meet their governance requirements through our Cyber Security and escrow solutions, we are also helping to advance technologies that are at the forefront of fighting climate change, as well as other UN Sustainable Development Goals. This means systems, networks and infrastructures need to be resilient, secure and long lasting. Cyber security and sustainability are inherently intertwined, which means cyber threats pose a significant risk not only to individual businesses but to our very way of life too. The decisions we make today have far-reaching implications for the future. Securing our future As our lives become more digitally interconnected, the risk landscape broadens. From smart homes to smart cities, from online banking to telehealth services, from power grids to water supplies – they all rely on complex digital infrastructures. If these systems are compromised, the repercussions can be devastating. Hence, securing these infrastructures is an essential part of ensuring a sustainable future. Our ability to protect against cyber threats, through the work we do for our clients, plays a pivotal role in guaranteeing that our world remains functional, reliable and consistent for generations to come. Indeed, we believe strongly that we can’t build a resilient economy without resilient cyberspace, and we can’t have a resilient cyberspace without 21st century laws and an infrastructure to tackle cyber threats, which is why we share our expertise with policymakers to improve cyber rules and regulations meaningfully. Our sustainability framework While the primary focus of our industry has always been about security, we recognise our operations have a broader environmental and societal impact. Our sustainability framework has two core tenets focused on people and the planet, underpinned by being a responsible employer and supply chain partner. This framework is the foundation to start making tangible progress in addressing material topics for our stakeholders. We believe that this is a journey, not a race. Therefore we resist declarations of being carbon neutral or net zero, and rather we place sustainability at the heart of our strategy – not just securing the digital world, but securing the future for ourselves and for generations to come. We invite our stakeholders to join us, working together to build a future that is not only secure but also sustainable. Optimise talent Responsible business priorities Strong governance and ethical standards Leading cyber resilience and data protection standards Stakeholder collaboration Responsible employer and supply chain partner Enhance colleague experience Build an inclusive culture Develop sustainable solutions Decarbonise energy use Support the net zero transition P e o p l e l e d , t e c h n o l o g y e n a b l e d A c t i o n o n c l i m a t e People led, technology enabled We can only lead with our purpose through our greatest asset, the exceptional people we employ. They are at the forefront of our industry, developing solutions that protect our clients and society from the growing threat of cyber crime. Action on climate Taking urgent action to combat climate change and its impacts supports our purpose. Decarbonising our business and embedding climate considerations into our commercial offering are crucial elements in our support for the net zero transition. Responsible business Our desire to improve the world we live in is encapsulated in our purpose. Embedding responsible business into our everyday activities is central to achieving this aim. Our sustainability strategy 16 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 View our sustainability report: nccgroupplc.com Non-financial and sustainability information statement The following table provides readers with an index of where to further find relevant non‑financial information within this Annual Report and Accounts, in line with the Financial Reporting Directive requirements contained in sections 414CA and 414CB of the Companies Act. Where relevant, additional information is signposted to further support the requirements. The Group considers that it complies with the disclosure requirements under section 414CB(2A) of the Companies Act 2006 and has included climate-related financial disclosures that are partially consistent with the TCFD recommendations. Reporting topic Policies and standards which govern our approach Annual Report and Accounts section reference Page Website resources Climate-related disclosures • Environmental policy • Sustainability Report • TCFD Report • Risk Management • Stakeholder Engagement 21 29 14 • Sustainability Strategy Report • Planet Mark certification • Streamlined Energy Carbon Report Colleagues • Whistleblowing policy • Code of Ethics • Disciplinary and grievance policy • Sustainability Report • Stakeholder engagement • Remuneration Committee Report • Culture 14 79 18 • Sustainability Strategy Report Social and community matters • Modern slavery statement • Code of Ethics • Supply chain Code of Conduct • Giving back policy • Matched funding policy • Sustainability Report • Stakeholder Engagement 66 • Sustainability Strategy Report Respect for human rights • Modern slavery statement • Data privacy policy • Global equal opportunities and diversity policy • Sustainability Report • Stakeholder Engagement • Culture 66 76 • Sustainability Strategy Report Anti-bribery and corruption • Anti-bribery and corruption policy • Gifts and entertainment policy • Sustainability Report • Audit Committee Report 68 • Sustainability Strategy Report For information on our business model please see pages 8 and 9 For full details of the Group’s principal risks see pages 29 to 38 17 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Sustainability continued Our people At NCC Group we embrace difference and are connected by our purpose to make the digital world safer and more secure. Across our global operations we form a phenomenal network, working together, collaborating and innovating to support our clients. We are guided by our Code of Ethics and our values, which define our behaviours – treating everyone and everything with respect. This is the foundation of our culture and we strive to create an environment where everyone is welcome, feels safe and can be successful. Our progress in 2024 • Launched our new and harmonised global family friendly policies, offering enhanced leave programmes from day one of a colleague’s experience with NCC Group • Undertook our first inclusion survey in collaboration with colleague resource groups with a 49% response rate, helping to shape our future agenda • Trained managers on the importance of colleague wellbeing, and removing any potential stigma associated with mental illness A global team We have 2,203 (as at 30 September 2024) colleagues across the world supporting our clients, made of three core groups – technical experts, sales, and professional services such as Finance, Legal and HR, for example. Circa 94% of colleagues are permanent and the remainder are individuals on short-term contracts to provide support on projects. People powered, technology enabled We aim to create an environment where all colleagues feel psychologically, emotionally and physically safe to be authentic, representative of the diversity of the world they live in, to share their personal experiences and to have equal opportunity to achieve. This brings to life our values – working together, being brilliantly creative, embracing difference and taking responsibility – all of which are essential elements in driving forward our technological advancements and maintaining a competitive edge in the market. Our approach to inclusion and diversity We recognise and take responsibility for the role we can play in improving diversity across the whole of the technology sector. Inclusion and diversity principles are embedded into our hiring and talent management process, partnering with external organisations to ensure we are accessible to a more diverse candidate base. Unconscious bias training is part of our standard training offer and our core colleague resource groups (gender, LGBTQIA+, neurodiversity, accessibility, race and ethnicity) play an important role providing input to ways of working, engaging and educating colleagues and creating a voice for underrepresented communities across our global business. This period we undertook our first inclusion survey in collaboration with the colleague resource groups, to get input from colleagues on what matters – helping to shape our future agenda. We had a 49% response rate and the colleague resource groups will work with HR to prioritise and take forward actions. As of 30 September 2024, the Board of Directors comprised four males and three females. The wider Group employed 588 females, 1,569 males, and 61 individuals whose gender was not disclosed. For the purposes of this disclosure, the Group defines its senior management as the Executive Committee, which consisted of three males and four females as of 30 September 2024. These figures for the Executive Committee include colleagues who also serve as statutory directors of subsidiary companies, where relevant. Talent development We have a track record of being at the cutting edge of innovation, and this along with insight and intelligence are core elements of our DNA. This gives us our position in the market that is hard to match and achieved through our investment in the critical skills to deliver for our clients. We promote a culture of learning at NCC Group. Depending on the role, this will typically be a combination of on the job learning through line management support and skills-based mentoring, self-learning and formal training. Colleagues have personal development plans, which enable them to gain certifications related to their current role, support their career advancement and enhance their personal development skills, too. In the UK, we seek to take advantage of the Modern Apprenticeship Levy offering colleagues the opportunity to further develop their skills. The percentage of colleagues in this past financial year studying/have studied who are eligible for levy funding is 2.7%. To ensure levy funds are not lost, we have partnered with the Co-Op Levy Share to donate our excess apprenticeship levy funds. Read more about this in our Sustainability Report. We are due to launch our new Learning Experience Platform in January 2025. This will provide an enhanced learning experience for colleagues as well as support our management development programme through formal personal development plans. It will also enable us to measure and report on the training investment we make across our global teams. 18 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Leadership development Sponsored by the CEO, we launched our new leadership development programme, with 65 senior leaders across the global business having undertaken the two day workshop, with additional coaching support sessions. The aim is to create a common language for leadership at NCC Group, and this builds on our existing Managing Essentials courses for managers. Enhancing the colleague experience through health and wellbeing Our globally HR-led programme ensures colleagues have access to support at all points in their career. To help us further develop our people proposition, we have designed three pillars to focus activities aligned with colleague feedback and global best practice: Over the next financial year we will start to transition our activities to sit under each of these pillars but some early work has seen us launch new policies, and harmonise benefits that support our colleagues at key life stages. Our ambition is to be a leading family friendly employer and offer enhanced leave programmes from day one of a colleague’s experience with NCC Group. This suite of ‘moments that matter’ policies include marriage/civil ceremonies, pregnancy loss, fertility treatment, maternity and paternity leave, menopause, moving home, pet care and cancer-related milestones and treatment. We are focused on preventive health and early diagnostics and a sample of activities this past period includes: • Training to understand what burnout is and how to avoid it, specifically aimed at individuals working in high-pressured environments like Cyber Security • Male mental health – understanding specific challenges to asking for help and taking steps to look after your own health and wellbeing • Launching our MenoPause & Connect Community supported by a new Global Menopause Policy, line manager training and support tools for colleagues Managers in the UK and APAC region joined training with our Employee Assistance Programme (EAP) provider on mental health, with the aim of stressing the importance of colleague wellbeing, and removing stigma associated with mental illness. This period we’ve provided disaster support to colleagues and their families globally – supporting colleagues in Manila, the US and Spain following extreme weather-related events. Support is tailored to the needs of colleagues helping them to get back on their feet, but also our approach to flexibility in working ensures they focus on their personal safety and wellbeing as a priority and know they are supported by their colleagues. To find out more about our people proposition, please see pages 18 and 19 of our Sustainability Strategy Engagement Over 500 colleagues were nominated in our annual NCC Diamonds programme – a peer to peer recognition scheme, which promotes our core values. Winners are selected at a regional and a global level and awarded an experience of their choice. We have a number of mechanisms to measure colleague engagement (see page 14), which includes our engagement survey using the Glint platform. On average 1,456 colleagues responded to the three surveys run, with an improved engagement score of 13 points from 2023. Actions from the survey are driven locally, with recommendations at a global level led by the Executive Committee, and fed into relevant decision-making processes. In addition to the survey, Senior Non-Executive Director Julie Chakraverty hosts monthly colleague sessions to ensure the Board is listening to the voice of colleagues and decision making takes into account their interests. In the FY24 period, over 80 colleagues met with Julie, who reported feedback to the Board each month. Speaking up We have created a global speak up framework, which outlines channels and resources available to colleagues for raising concerns or sharing feedback – both positive and negative. It also provides guidance on who to engage with on different types of feedback, and to ensure confidentiality where appropriate. This ensures colleagues are encouraged to speak up, safe from fear of reprisals, and with the reassurance that any concerns will be listened to and acted on appropriately. To find out more about our support of colleagues please see our sustainability strategy on page 16 Health Family Flexibility 19 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Sustainability continued Action on climate We have a responsibility to reduce our carbon emissions as a business by understanding all applicable Scope 1, Scope 2 and Scope 3 emissions, and taking credible steps towards reducing them in line with the international Paris Agreement’s objective to achieve net zero emissions before 2050. Our progress in 2024 • Reduced our office footprint by 40% • Appointment of new travel provider to improve reporting on emissions, seek lower carbon options, and improve health, safety and wellbeing of colleagues • Extended Scope 3 emissions reporting to include purchased goods and services, and employee commuting In addition to our support of the net zero transition (read more on our sustainability strategy at nccgroupplc.com/sustainability), our action on climate has three pillars, starting with our own operations and extending to the support we give to clients operating in the energy transition sector and the contribution we make to their endeavours: • Supporting the net zero transition • Decarbonising energy use • Developing sustainable solutions The biggest impact occurs in our business travel, both for client and non-client related travel, and our leased office spaces and is the focus for our reporting. Decarbonising energy use Our total annual Scope 1 and 2 emissions associated with our business operations were 1,686.8 tCO 2 e for our full year 2024, a 41% increase compared to the full year 2023. See page 26 for further detail. We continue to review our leased office space requirements, considering client and colleague needs. Considerations are given to collaboration, health and safety, personal wellbeing and the impact emissions have on the environment. This includes taking into consideration commuting for colleagues and the accessibility of public transport networks. In FY24 we closed ten offices. While some will still require rent to be paid due to lease requirements, they are now closed from an emissions reporting perspective. Our square footage of leased buildings in operation is now c.50,000 square feet, a 40% reduction of active office space. The benefits of GHG emission reductions will flow through in the next reporting period, although this is not guaranteed as new office spaces might be required depending on business needs. We review office usage monthly as part of the executive team operations review, which, alongside colleague feedback and engagement, and consideration of client needs, informs the real estate strategy. On travel, to improve the reporting of both client and non-client related travel, we have appointed a new supplier. This provides us with global tracking and improves how we respond to any social or climate-related issues that colleagues may face. We introduced a new travel policy during FY24, which improved management oversight of non-client related travel. The focus was on improving the health, safety and wellbeing of colleagues, while continuing to consider our impact on the local communities in which we are located and our broader commitment to reducing GHG emissions. Domestic flights within the UK and European countries are by exception only, with rail travel the preferred option. As a result, any train journey more than three hours in duration in total is travelled by first class to ensure the health, safety and wellbeing of colleagues. * Due to the change in year end, our emissions reporting has been calculated for the period 1 October 2023 to 30 October 2024, with the comparator of FY23 set for the same period. As our data collection improves, we acknowledge like-for-like comparisons on prior year is not reflective of the work being done to reduce the impact of our operations on climate change. 20 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 In alignment with the UK Listing Rules – which mandates climate-related disclosure for all UK listed companies – we have produced a comprehensive TCFD Report. Our report covers the four pillars recommended by TCFD: governance, strategy, risk management and metrics/targets, and the 11 disclosures recommended by TCFD except as noted below. To ensure consistency across our report, we adhered to section C of the TCFD Annex, titled “Guidance for All Sectors”. As a result the following are documented as partially consistent, with further detail available within this report: • Strategy B and C – these disclosures have not been fully met because our priority this period has been to manage a change in year end financial reporting and we did not have the bandwidth to do financial implications of climate scenarios in our financial planning. Our aim is to begin, this in FY25 as part of developing our net zero journey and set credible science-based targets. • Metrics and targets B – for FY24 we are reporting full Scope 3 emissions for our business, incorporating for the first time employee commuting and purchased goods and services. There are caveats on this as some of our business travel is a challenge to report against due to limitations of the expense system we had in place. We have invested in a new system to improve not only reporting but also the health, safety and wellbeing of our colleagues. With this improved data collection, we aim to be consistent in our FY25 report. Our assessment indicates a low risk of exposure to physical and transitional climate changes, thanks to our business model. However, we acknowledge the high importance of mitigating greenhouse gas emissions, which emerged as a priority from stakeholder feedback as part of our ‘ongoing assessment’ of double materiality in accordance with ESRS. In FY24 Planet Mark, a leading sustainability certification organisation, calculated and verified our GHG emissions. We have appointed a new partner – Positive Planet – for FY25 as we prepare to map our net zero journey and set credible science-based targets. We recognise the considerable opportunities presented by the growing climate-focused market. Our collaborations with clients in industries such as electric vehicles, renewable energy, operational technology and other climate-friendly technologies underscore our readiness to seize these opportunities for sustainable growth. Task Force on Climate-related Financial Disclosures (TCFD) TCFD reporting helps organisations like ours disclose climate‑related financial risks and opportunities in a structured way. Governance TCFD recommended disclosure Consistency NCC Group disclosure Focus area for FY25 Governance A. Describe the Board’s oversight of climate- related risks and opportunities Consistent • The Board’s Head of the Audit Committee is the lead Non-Executive Director responsible for sustainability. Monthly updates are provided via the CFO report to the Board as well as directly from regular (at least twice per period) discussions with the Director of Investor Relations and Sustainability with the full Board, including an update on progress against the Group’s goals and targets where appropriate • The Board takes overall accountability for the management of climate-related risks and opportunities and considers them as part of its overall risk review processes • Meet at least quarterly with the nominated NED responsible for sustainability to reflect, discuss and ensure actions are being taken • Continue to develop NCC Group’s net zero journey and broader sustainability strategy with oversight and input from the Board B. Describe the management’s role in assessing and managing climate-related risks and opportunities Consistent • The Director of Investor Relations and Sustainability reports to the Chief Financial Officer, providing advice and updates to the Executive Committee on climate- related issues as and when relevant • An Executive Risk Management (ERM) Committee, established in 2021, which meets quarterly addresses climate risk as part of that process where appropriate • Assess the volume of client requests for different reporting platforms and ensure the cost of participation is incorporated into the cost of sale • Develop a carbon literacy education programme for colleagues relevant to their role, to help drive our commitment to net zero before 2050 • Continue to embed climate action into key business decisions • Understand the steps we need to take to progress the commitment to net zero, and set an annual review of targets aligned with internal and external factors 21 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Sustainability continued TCFD continued Governance continued Lynn Fordham, the lead Non-Executive Director for Sustainability, was appointed by the NCC Group Board Chair. In addition to her position as the Head of the Audit Committee, Lynn’s role is to oversee the Company’s sustainability strategy, ensure its integration with the overall business strategy and provide regular sustainability updates to the Board. While there is no specific Board committee for environmental issues, an Executive Risk Management (ERM) Committee chaired by the Director of Global Governance addresses these issues. The ERM meets bi-monthly and is attended by our CEO and CFO. It discusses, among other risks, sustainability and environmental challenges where relevant, which are then reported to the Board. The results from our ongoing double-materiality assessment continues to inform our sustainability framework and guide our priority areas for the next two years. We have undertaken a gap analysis on this against CSRD reporting requirements too, which impact our European business operations, and to ensure we can bid competitively for work we will begin reporting voluntarily against the current known standards in FY25. As NCC Group’s business strategy evolves, the sustainability framework will be integrated into our strategic planning. An engagement programme is being developed to ensure that our internal stakeholders, including the Board, are informed and engaged on not just climate change but all priority sustainability topics. This programme will feature training sessions, workshops and continued awareness-building initiatives. It will be developed as part of our journey to net zero commitments. The Board is committed to communicating its dedication to addressing climate change. This is demonstrated through our annual Sustainability Report and reinforced through other appropriate internal and external communication channels throughout the financial year. Strategy TCFD recommended disclosure Consistency NCC Group disclosure Focus area for FY25 Strategy A. Describe the climate- related risks and opportunities the organisation has identified over the short, medium and long term Consistent • See tables on pages 23 and 24 describing risks and opportunities, which were selected based on the location of our existing business and known climate change risks affecting the broader region we operate in • Monitor actions arising from the risk register B. Describe the impact of climate-related risks and opportunities on the organisation’s business strategy and financial planning Partially consistent • Climate-related taxes, or fines for non- compliance, could impact the business if we fail to take action • Our ability to raise capital to invest in growth may be restricted if we fail to make progress on climate-related action, if this is a requirement of any future sustainable lending requirements • Assess financial implications of climate scenarios in our financial planning C. Describe the resilience of the organisation’s strategy, taking into consideration different climate-related scenarios, including a 2°C or lower scenario Partially consistent • We have conducted an initial quantitative analysis against two scenarios of 1.5°C and 4°C • Develop the initial scenario analysis and integrate, aligned to NCC Group’s strategy development, into future financial and strategic planning activities as our net zero journey matures Our focus is not limited to risk mitigation but extends to exploring opportunities where we can make a positive impact. This includes improving the energy efficiency of our operations, collaborating with our landlords and requesting renewable energy sources, and identifying ways our technology solutions can contribute to our clients’ sustainability efforts. As we continue our climate change journey, we are committed to regularly reporting our progress against these objectives, showing transparency in our endeavours, and constantly seeking ways to better our efforts. 22 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Climate-related risks Our comprehensive risk management framework (summarised in the Risk Management section of the Annual Report on pages 29 to 38) is instrumental in identifying and assessing climate-related risks. We categorise these risks into: • Short term (less than one year) – based on short-term regulatory or policy changes impacting climate-related risks and opportunities as well as existing forecasting processes considered by management which are reviewed and evaluated on an annual basis • Medium term (one to five years) – based on regulatory changes that may affect climate-related risks and opportunities • Long term (more than five years) – based on the likely timeline of international agreements and commitments, technological trends and changes to policy or carbon pricing and their impact on our operations, client services and supply chain For instance, short-term risks might include immediate regulatory changes or extreme weather events, while long-term risks could be major shifts in our industry driven by the transition to a low carbon economy. Each identified risk is paired with corresponding mitigation measures, such as implementing energy-efficient technologies or diversifying our supply chain, aimed to reduce our vulnerability. It’s critical that we remain flexible in our approach but focused on taking responsibility for the emissions we generate and seek to reduce what we can control. While these risks apply to the Group as a whole, we do recognise that certain locations face unique challenges. For example, our operations in coastal areas are more susceptible to rising sea levels and increased frequency of extreme weather events. For a more detailed understanding of the climate-related risks and opportunities we face, please refer to the table below. It provides a snapshot of the specific challenges we’re addressing and the strategic responses we have undertaken. Risk Risk impact Short/medium/ long term Regions impacted Mitigating activities Physical risks Extreme weather (acute) Causing business disruption and loss of service delivery if colleagues or clients are impacted adversely, which would in turn potentially impact revenue. Short to medium term All but particularly Europe (Delft and Amsterdam) • Business interruption cover • Business Continuity Plans • Remote working in place • Dutch flood defences in place Sea level rises (chronic) Increased likelihood of flooding in Delft and Amsterdam offices causing increased insurance premiums to mitigate against business interruption and material loss. Long term Europe – Delft and Amsterdam offices Transition risks Increase in taxes and levies for greenhouse gas emissions Increased costs to implement control and monitor/measurement processes as well as actual cost of taxes and levies. Medium term Depends on local legislation • Planet Mark helps us understand our data, which enables us to take direct action to reduce our GHG emissions Move to net zero Increased costs required to lower emissions. Long term Global • Remote delivery of client services where possible • Company car scheme only for electric and hybrid vehicles (UK) • Annual calculation of Scope 1 and 2 emissions and an active reduction plan in place aligned to new Planet Mark guidance • Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction Margin risk Impact on results due to extra costs incurred to lower emissions. Medium term Global • Accounting policies regularly reviewed • Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction 23 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Sustainability continued Continuous improvement to reduce NCC Group’s impact on the environment Resource efficiency: By embracing more efficient modes of transport, promoting recycling, encouraging hybrid working models and operating within efficient buildings, we can lessen our environmental footprint, improve colleague satisfaction and reduce operational costs. For instance, removing unnecessary travel not only reduces our carbon emissions but also empowers colleagues with more control over their work-life balance, contributing to improved morale and productivity (anticipated medium to long-term benefits). Energy source: Our transition to lower emission energy sources, underpinned by the introduction of an electric/hybrid car scheme for all UK colleagues, demonstrates our commitment to sustainable practices. By giving colleagues access to green car options, we are mitigating our exposure to future fossil fuel price fluctuations and regulations. It also addresses our colleagues’ material concerns, fostering a culture of environmental responsibility and enhancing overall job satisfaction (medium to long-term impact). Market: As industries evolve in response to climate change, we’re strategically positioned to leverage these transformations. For example, by partnering with companies transitioning to alternative energy sources or working on projects involving smart meters, electric vehicles, IoT technology for waste reduction and cloud data centres, we anticipate strengthening our market position and enhancing our reputation as a sustainable and innovative enterprise (short to medium-term outlook). Resilience: Our sustainable business model increases our resilience to climate-related risks, demonstrating our commitment to being a responsible and ethical supply chain partner. This commitment to sustainability not only aligns us with an increasingly eco-aware market but also empowers us to lead in the space, fostering a culture of innovation and responsible business practices (short to long-term perspective). Scenario analysis To understand the risks and opportunities our business faces considering climate change, we have conducted a quantitative scenario analysis using two distinct scenarios: a “<2°C” scenario (“Scenario 1”), where global warming is limited to less than 2°C with net zero achieved by 2050, and a “4°C” scenario (“Scenario 2”), where the goal of net zero by 2050 is not reached. A summary of the scenarios selected is provided below. These scenarios are chosen to reflect the diverse spectrum of possibilities that could unfold due to different levels of global effort to curb climate change. In the context of these scenarios, “transition risks” refer to the challenges associated with the shift towards a lower carbon economy, while “physical risks” denote the potential damage caused by climate change itself. In terms of the risks selected, these were based on physical locations and the nature of our business in key locations of North America, the UK, Europe and Asia Pacific. We are in the process of flowing this into our financial planning and will continue to do so as we mature our climate action planning and reporting. Under Scenario 1, we anticipate higher transition risks due to rapid shifts in regulatory and market conditions, but the physical risks would be significantly reduced due to the effective global action on climate change. Conversely, Scenario 2 predicts lower transition risks but considerably higher physical risks due to the lack of substantial progress towards climate goals. We’ve further broken down these risks by timeline, classifying them as short term (less than one year), medium term (one to five years) and long term (more than five years). The table on page 25 offers a comprehensive overview of NCC Group’s potential exposure to both transition and physical risks under each scenario. While our current analysis is qualitative, we are working towards quantifying these risks and opportunities as we progress towards our net zero targets and continually improve our data collection across Scope 1, 2 and 3 emissions. At this point, we don’t foresee a significant impact on our Financial Statement disclosures based on our materiality assessment results (see page 26 of the Annual Report) and known near to mid-term regulatory developments. However, we will continuously monitor both transition and physical risks, adjusting our mitigation strategy as necessary. Risk Risk impact Short/medium/ long term Regions impacted Mitigating activities Transition risks continued Reputation risk Increased stakeholder concern and changing client behaviours. Medium term Global • Ongoing dialogue with investors • Benchmarking and independent reviews undertaken through a double-materiality assessment • ESG information publicly available Supply chain risk Substitution of existing products and services with lower emission options. Medium to long term Global • Building in climate change reporting and activity into supplier onboarding • Business Continuity Plans • Continuing to review our estate provision and taking steps to move out of leases where there is no client or business benefit to being there • Implementation of new estates policy, which incorporates environment considerations alongside health, safety and security of colleagues TCFD continued Climate-related risks continued 24 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Risk type Risk Risk impact Scenario Short-term risk (<1 year 2024) Medium-term risk (1–5 years 2025 to 2030) Long-term risk (>5 years >2030) Physical risk Rising sea levels Risk to NCC Group offices located in high risk areas, as well as colleagues’ homes and clients’ business premises resulting in business disruption 1 Low Low High 2 Low High High Transition risk Increase in taxes and levies Disruption and increased costs to ensure compliance with new legislation 1 Low Medium High 2 Low Low Low Margin risk Impact on results due to extra costs incurred to lower emissions 1 Low Medium High 2 Low Low Low Reputation risk Increased stakeholder concern and changing client behaviours 1 Low Medium High 2 Low High High Supply chain risk Substitution of existing products and services with lower emission options 1 Low Medium High 2 Low Low High Financial planning We recognise the potential implications of climate-related risks and opportunities on our financial planning. We anticipate shifts in our future business model and strategy in response to evolving market conditions due to climate change. We foresee potential changes in client preferences towards more sustainable products and services, along with possible disruptions in our supply chain due to extreme weather events. These factors are thoroughly considered in our business strategy development. Our business strategy has been designed to be resilient to future economic and climate-related scenarios. And by running regular scenarios we can test that resilience and ensure it’s considered in future business strategy development, enabling us to adapt accordingly, without disrupting or negatively impacting current operations. The scenarios are based on industry insights, which were used in the expert input into our materiality assessment. We will look to assess the potential financial implications of various climate scenarios and factor these into our revenue forecasts, expenditure plans and asset valuations from FY25 onwards. This will include a detailed analysis of potential climate-related liabilities and their impact on our financial stability. Our future aspiration is to incorporate climate considerations to influence future investment decisions by the Group, always reducing our carbon footprint, and gradually divesting areas that carry high climate-related risks. For now though, we are actively working to improve our operational efficiency and addressing things we can directly influence to reduce our impact on the environment and realise cost savings. For example, our new travel policy, launched during FY24, encourages the use of rail travel, by offering first class travel for all journeys over three hours. This improves health and wellbeing for colleagues and reduces driving related risks for long journeys. Domestic flights in Europe and the UK are by exception only where it makes sense from a welfare and commercial perspective. The known benefit of this is hard to determine because we don’t yet have the travel tool that enables us to do that analysis – but the processes and policy are in place and in the next reporting period we will have that benchmark data. Further analysis will then need to be done to assess this increased financial cost versus the reduced emissions and incorporate that into the financial planning process, for example. In summary, our organisation is committed to integrating climate considerations into our financial planning process. We will continue to refine our approach as we gain more data and insights into the evolving climate scenarios. 25 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Sustainability continued TCFD continued Risk management TCFD recommended disclosure Consistency NCC Group disclosure Focus area for FY25 Risk management A. Describe the organisation’s processes for identifying and assessing climate- related risks Consistent • Climate-related risks are managed through our Enterprise Risk Management framework • Monitor actions arising from the risk register B. Describe the organisation’s processes for managing climate-related risks Partially consistent • Climate-related risks are documented, mitigating actions are considered, a risk rating is assigned and associated actions are documented and followed up • Monitor actions arising from the risk register C. Describe how processes for identifying, assessing and managing climate-related risks are integrated into the organisation’s overall risk management Partially consistent • Climate-related risks are managed through our Enterprise Risk Management framework • Monitor actions arising from the risk register As part of our robust materiality assessment, we conducted in-depth, topic-based and industry research to identify our most material sustainability issues. Through a detailed materiality matrix, we also identified opportunities to enhance our sustainability performance by focusing on reducing GHG emissions, monitoring product design and lifecycle management, and mitigating biodiversity loss. Our approach is to address these opportunities through targeted initiatives in cleantech, increasing sustainability awareness and capability, and climate adaptation. Addressing these issues will involve closer collaboration with our supply chain, particularly our global landlords and our top suppliers. A key initiative in this regard is our Data Centre Management Strategy, aimed at reducing our energy consumption. Climate-related risks are managed through our NCC Group Enterprise Risk Management (ERM) framework. This framework, which is detailed in the Risk Management section of the Annual Report on page 30, uses a sophisticated risk model to assess and score each risk based on likelihood and impact. Risks are re-evaluated consistently to ensure we’re responsive to evolving circumstances. Our risk management approach combines “top-down strategic” and “bottom-up operational” perspectives, fostering collaboration and promoting efficient risk identification. With respect to climate-related risks, we have outlined our strategies and targets for GHG emissions reduction and biodiversity preservation. These climate-related risks are integrated into our Principal Risks section (pages 29 to 38). The Executive Risk Management Committee plays an active role in the ongoing review of these risks, and their mitigations, controls and associated actions. This Committee meets on a regular basis and follows a stringent process for identifying, assessing, responding to and escalating serious concerns related to these risks. We firmly believe that this integrated and transparent approach will ensure effective risk management aligned with the principles of TCFD, while driving our strategic objectives for sustainability. How we manage risks Obtain assurance Implement internal control Adapt ERM Perform scenario analysis Integrate into reporting Use existing tools Solicit investor feedback Assess financial impacts Collaborate across the business Secure leadership buy-in Establish Committee oversight A u d i t C o m m i t t e e R i s k C o m m i t t e e 26 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Metrics and targets The metrics and targets have changed as a result of new best practice advised by our partner, Planet Mark. Reduction initiatives and measurement are for Scope 1 and 2 only, not Scope 3. Setting metrics and targets is very challenging when reporting scope is continuing to change. Previously reduction initiatives were across all three scopes, however our current partner, Planet Mark has changed that guidance to be Scope 1 and 2 only. This on top of a year end change, the addition of full Scope 3 reporting relevant to our business operations and significant changes in our footprint as we continue to grow the business has made any previous reduction targets impossible to measure. We made a decision to appoint a new partner – Positive Planet and taking the opportunity to reset a baseline now we have full Scope 1, 2 and 3 reporting in place. Working with Positive Planet, we have begun mapping our net zero journey, and will set credible science-based targets, from which to measure our performance against in future. NCC Group’s sustainability strategy 2024 is complementary to this TCFD Report. TCFD recommended disclosure Consistency NCC Group disclosure Focus area for FY25 Metrics and targets A. Disclose the metrics used by the organisation to assess climate-related risks and opportunities in line with its strategy and risk management process Partially consistent • Reporting of Scope 1, Scope 2 and Scope 3 greenhouse gas emissions for FY24 compared to prior years • Scope 1 and 2 emissions increased by 41%, against the new reporting period and acknowledges improvements in data quality • Map our net zero journey and set credible science-based targets B. Disclose Scope 1, Scope 2 and, if appropriate, Scope 3 greenhouse gas emissions and the related risks Partially consistent • Publication of Scope 1 and 2 GHG emissions for FY24 vs FY23 adjusted for the new reporting period • Full Scope 3 emissions relevant to our business operations • Using insights from new travel tool, continue to improve disclosures of business related travel C. Describe the targets used by the organisation to manage climate- related risks and opportunities and performance against target Consistent • 5% year-on-year overall reduction of Scope 1 and Scope 2 GHG emissions • Map our net zero journey and set credible science-based targets 27 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Sustainability continued Streamlined Energy and Carbon Reporting (SECR). The period under review in the current period is from 1 October 2023 to 30 September 2024. Total GHG tCO 2 e Source 2023 2024 tCO 2 e change from previous year % change from previous year Scope 1 Gas 124.7 344.4 219.7 176% Company vehicles Diesel 3.0 0.8 (2.2) (73%) Petrol 12.3 11.3 (1.0) (8%) Hybrid — — — — Fleet fuel – petrol 43.0 — (43.0) (100%) 58.3 12.1 (46.2) (79%) Total Scope 1 183.0 356.5 173.5 95% Scope 2 Electricity 979.0 1,280.5 301.5 31% Heat and steam 19.8 40.9 21.1 107% Company vehicles – electric 13.7 8.9 (4.8) (35%) Total Scope 2 1,012.5 1,330.3 317.8 31% Total Scope 1 and 2 1,195.6 1,686.8 491.2 41% Scope 3 Data centre electricity — 71.7 71.7 — Business travel 134.7 1,257.5 852.7 633% Commuting — 225.4 225.4 — Transmission and distribution losses 52.9 82.3 29.4 56% Heat and steam transmission and distribution losses — 2.8 2.8 — Fleet transmission and distribution losses 0.3 0.8 0.5 163% Purchased goods and services — 5,713.7 5,713.7 — Total Scope 3 187.9 7,354. 2 7,166.3 3,814% Total Scope 1, 2 and 3 1,383.4 9,041.0 7,657.6 554% Underlying energy use The table below shows the proportion of energy use that occurs in the UK and non-UK countries alongside the total carbon emissions, including the global emissions for purchased goods and services. In FY24, 29% of the Group’s energy consumption and 20% of carbon emissions arose from the UK. Purchased goods and services are reported for the first time in FY24 and account for 61% of the Group’s carbon emissions. FY24 energy use FY24 carbon emissions Area kWh % of global energy use Total emissions (tCO 2 e) % of global emissions UK 1,834,242.1 29% 1,672.5 18% Non-UK 4,492,678.7 71% 1,654.8 18% Global purchased goods and services — — 5,713.7 63% Total 6,326,920.9 100% 9,041.0 100% Intensity metric Total per £m turnover – location based Amount Turnover (£m) Total emissions (tCO 2 e) Intensity per turnover (tCO 2 e) 1 June 2022 – 31 May 2023 5,126,288.0 335.0 1,383.4 4.1 1 October 2023 – 30 September 2024 6,326,920.9 329.2 9,041.0 27.5 Comparison 23.4% (1.7%) 553.5% 565.0% 28 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Risk management Risk is an inherent part of doing business, and risk management is a fundamental aspect of good corporate governance. A successful risk management process balances risk and reward and is underpinned by sound judgement regarding the impact and likelihood of risks. The Board holds overall responsibility for ensuring that NCC Group has an effective risk management framework that aligns with our business objectives. The Board has established an Enterprise Risk Management Policy, which has established protocols, including: • Roles and responsibilities for the risk management framework • A risk scoring framework • A definition of risk appetite The integrated approach to risk management diagram on page 30 summarises the Group’s overall approach to risk management. NCC Group’s approach to risk management NCC Group adopts both a “top-down” and “bottom-up” approach to risk, to manage risk exposure across the Group to enable the effective pursuit of strategic objectives. The approach is summarised in the diagram on page 30. The approach is one of collaboration, which supports our comprehensive approach to risk identification, from the “top down” and “bottom up”. The Group believes that this is the most efficient and effective way to identify its business risks. Top down The Board, Audit Committee and Cyber Security Committee review risks on an ongoing basis and are supported by the Executive Committee and subject matter specialists (including Escode, Cyber Security, information security, data protection and health and safety). The Board considers the Group’s strategic objectives and any barriers to their achievement. Bottom up The Board and senior leadership team engage with colleagues at every level of the Group in recognition of the importance of their expertise, contribution and views. Risk management model The Board has overall responsibility for ensuring that NCC Group adopts an effective risk management model, which is aligned to our objectives and promotes good risk management practice. We have therefore adopted the model described in this section and summarised in the diagram above. The Board, Audit Committee, Cyber Security Committee and executive team review risks on an ongoing basis throughout the period. The appropriateness and relevance of the risks are monitored by the Global Governance team to ensure they continue to be updated, meet the needs of the Group and remain Risk management model Assess adequacy and effectiveness of existing controls Identify risks Identify inherent risks and likelihood of impact Monitor delivery of action plans/ risk universe Assign Director- level sponsorship Evaluate mitigated risks and likelihood of impact Develop action plans (treat, transfer, tolerate, terminate) I d e n t i f y M o n i t o r A s s e s s A d d r e s s C o r p o r a t e g o v e r n a n c e C o r p o r a t e g o v e r n a n c e in line with good risk management practice. In addition, there is a robust process in place for monitoring and reporting the implementation of agreed actions. We are satisfied that the Risk Management Policy, framework and model currently in place are sufficient to manage risk across the Group. The key areas of identifying, assessing, addressing and monitoring risks are explained in more detail below: Identify Risks exist within all areas of our business, and it is important for us to identify and understand the degree to which their impact and likelihood of occurrence will affect the delivery of our key objectives. This is achieved through day-to-day working practices and incorporates risks in both the internal and external environment. Examples of identification include horizon scanning for emerging risks such as increasing energy costs, takeover risks, legislative and market changes and geopolitical risks. 29 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 30 Managing risk from the top down Managing risk from the bottom up Top down Strategic risk management Bottom up Operational risk management • Establishing guidance on the Group’s approach to risk management and establishing the parameters for risk appetite and associated decision making • Identification, review and management of identified Group strategic risks and associated actions • Ongoing consideration of: – IT and cyber-centric risk – Environmental risk Board Audit Committee Cyber Security Committee • Periodically assessing the effectiveness of the embedded Group risk management process • Challenging the content of the strategic risk register to support a comprehensive and balanced assessment of risk • Reporting on the principal risks and uncertainties of the Group • Implementing and embedding the Group’s Risk Management Policy and approach • Directing the delivery of the Group’s identified actions associated with managing/mitigating risk • Identification of key risk indicators, monitoring and taking timely action where appropriate Executive Board Leadership team • Responsible for reviewing the operational risks across the business units and Group • Challenging the appropriateness and adequacy of proposed action plans to mitigate risk • Giving due consideration to the aggregation of risk across the Group • Provisioning suitable cross-functional/ business unit resource to effectively manage risk where appropriate • Instrumental in developing the risk management framework adopted by the Board • Conduit between the Board and the business units – providing training and support where appropriate • Developing and executing a risk-based Internal Audit Plan to assess the management of risks Global Governance function • Ongoing monitoring and reporting to the Board in relation to the progress being made by the business units in implementing agreed action plans to mitigate strategic risk • Close cross-functional relationships with the Global Technical Services (GTS) security operations team to facilitate the identification, management, monitoring and reporting of data security risks • Execution of the delivery of the Group’s identified actions associated with managing risk • Timely reporting on the implementation and progress of agreed action plans • Provision of key risk indicator updates Business units • Identification and reporting of strategic risk to the Board • Provision of reports and data relating to significant emerging risks to the Group (internal and external) • Implementation of risk management approach which promotes the ongoing identification, evaluation, prioritisation, mitigation and monitoring of operational risk Effective pursuit of strategic objectives Risk management continued Risk management model continued Identify continued All identified risks are initially assessed for their “inherent” risk (risk with no controls in place), using a scoring mechanism that accounts for the likelihood of an event occurring and the impact that it may have on the Group. The scoring mechanism adopted takes account of high impact, low likelihood events and these risks are managed in a timely manner. In addition to ongoing risk identification, an annual exercise is undertaken to review the Group’s strategic risk universe by the Board. This exercise is reliant on the “top-down”, “bottom-up” approach discussed earlier. 30 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Assess Post-identification of the Group’s inherent risk exposure, a comprehensive assessment of the effectiveness of current mitigating controls is undertaken. This exercise takes account of the design of the current control environment and the application of these controls prior to assessing the Group’s current exposure to risk – the mitigated risk score. The Board uses a number of sources of information to support the scoring of risk and these include, but are not limited to: • Management updates • Action tracking and reporting • Control environment policies and procedures • Independent audit activity • Project monitoring reports Address Having identified and assessed the risks faced by the Group, the risks are scored according to likelihood of occurring and impact to the business should they occur. An assessment of whether additional actions are required to reduce our risk exposure is undertaken, with actions falling into one of four categories: • Treat – develop an action plan (applying responsibility, deadlines and prioritisation) that may include the implementation of additional controls, or increase the requirement for additional assurance over the adequacy and effectiveness of the existing controls • Transfer – use a third party specialist to undertake the activity, thus mitigating the risk • Tolerate – determine the risk is within appetite • Terminate – exit the activity The output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders or has been used in the development of the Group’s transformation programme. Monitor Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual. Examples of ongoing monitoring of business risks include, but are not limited to: • Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks • Review of the annual Internal Audit Plan to validate that it incorporates key areas of business risk • A review of internal audit reports issued during the period, including a summary of progress against previously raised management actions at each Audit Committee meeting • Annual review of the strategic risk register by the Enterprise Risk Management Steering Group and Board to ensure that it includes risks arising in the period Internal control While risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation. NCC Group has established a robust internal control framework, which is made up of a number of components: Control environment The control environment has primarily been established taking account of the Group’s values (working together, being brilliantly creative, embracing difference and taking responsibility), and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, while also maintaining integrity and transparency. Risk assessments Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements and are vital in our transformational programmes. Policies and procedures Established policies communicate expected behaviours and are supported by procedures and guidelines that define required processes and controls. This, in turn, helps the business to adopt efficient and effective control environments. Information and communications Access to accurate and timely data is essential for supporting our colleagues in making informed decisions and effectively managing and controlling their areas of responsibility. Activity monitoring The minimum financial controls framework was established in FY20. Further enhancement of the framework is being designed and implemented to align with the UK Corporate Governance Reform and upcoming Directors’ attestation of internal controls. In preparation for new legislative requirements relating to failure to prevent fraud, key anti-fraud controls have been identified and this is supported by red flag reporting and ongoing trend analysis to enhance the existing control environment to ensure compliance with the Economic Crime and Transparency Act (2023). Financial accounting and reporting follow generally accepted accounting practices. Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies. The approval procedures are captured within a revised global Delegation of Authority (DoA) matrix which is disseminated across the Group. Compliance with all legislation, current and new, is closely monitored. Risk and control reporting structure NCC Group has embedded the “three lines of defence” to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control. Three lines of defence: • First line – Group policies and procedures • Second line – information security, data protection, health and safety, and legal • Third line – risk and assurance, incorporating internal audit, standards and support, assessing compliance with standards and external audit, both financial and operational, providing independent challenge and assessment 31 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Risk management continued A. Strategy 1. Inability to execute the Group’s strategy VR Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name Ineffective execution of the Group’s strategy Risk owner Mike Maddison, CEO Risk impact Ineffective execution of a strategy could have a material negative impact on the Group’s financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group’s established position in the marketplace. Risk impact and movement Key controls and mitigating factors New strategy launched in February 2023 and in process of being implemented with full Board support. New leadership team in place, including new Head of Strategy. Strategy accelerated (delivery centre in Manila successfully launched in September 2023) and simplifying the business via the disposal of non-core offerings such as our DetACT and European Crypto business. 2. Poor adoption of change management mechanisms Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name Poor and/or ineffective change management mechanisms Risk owner Mike Maddison, CEO Risk impact Implementation of projects that then cost more to deliver, take longer to deliver and result in fewer benefits being realised (or all three). Poor delivery of change could ultimately impair business performance. As the Group adapts and executes its strategy, there are a number of complex projects and initiatives that not only need to be delivered but also require understanding and support from all colleagues. Risk impact and movement Key controls and mitigating factors The Group has a Head of Strategy who will manage the implementation alongside key stakeholders. This includes regular reviews of strategic projects. Experienced executive leadership team in place to drive the new strategy. Development of business cases underpinned by robust financial and legal due diligence which clearly articulate project objectives including delivery metrics which are monitored. 3. Over-reliance on market sector, product/service or client VR Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name N/A Risk owner Mike Maddison, CEO Risk impact Loss of key customers or over-reliance on market sector can result in a reduction in revenue and consequential impact on profitability and cash generation. Risk impact and movement Key controls and mitigating factors The new strategy looks to help mitigate this risk and ensure we don’t have any future overexposure to a market sector or client. Viability risk considers this as part of the scenarios modelled. Increased globalisation underpinned by global sales and delivery strategies to reduce concentration on specific clients, markets and regions. Market and competitive intelligence reporting. Risk movement: Increased Decreased Unchanged Viability risk: VR New risk: NR Risk impact: High Medium Low Extraordinary risk during the period Principal risks and uncertainties During the period, the Board has completed a robust assessment of the Company’s emerging and principal risks. This has included the Board reassessing and rescoring the principal risks, with changes to the risks noted below. The Group continues to operate in a particularly dynamic and evolving marketplace. The current risk register has been developed to reflect these factors and includes risks that could threaten the Group’s business model, future performance, solvency, or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, along with their potential impact and the mitigating processes and controls, are set out below. The strategic risks are based on the four pillars of our strategy: our clients, our capabilities, global delivery and differentiated brands. 32 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Risk movement: Increased Decreased Unchanged Viability risk: VR New risk: NR Risk impact: High Medium Low A. Strategy continued 4. Technology changes render services obsolete/technology disruption impacts pace of change Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name N/A – new risk Risk owner Siân John, CTO Risk impact Failure to stay updated with technological changes can erode competitive advantage, leading to a decline in market share and revenue. Risk impact and movement NR Key controls and mitigating factors Market intelligence and competitive intelligence reporting. Strategic partnerships with technology partners, regulatory bodies and industry experts to ensure alignment with emerging trends and technology changes. 5. Unable to meet the service and resource needs of our clients VR Link to strategy: Our capabilities Global delivery Previous risk name N/A – moved from Market and Competition theme Risk owner Kevin Brown, COO Risk impact Loss of clients will result in a loss of revenue and reputational damage. Risk impact and movement Key controls and mitigating factors New strategy includes capabilities as a key pillar and the business has been restructured to mitigate this risk. Launch of delivery centre in Manila in September 2023 to reduce our cost base to further meet the needs of our clients. B. Cyber and information security 6. Cyber attack VR Link to strategy: Our capabilities Global delivery Differentiated brands Previous risk name N/A Risk owner Rebecca Fox, CIO Risk impact Data breach leading to fines from regulators and reputational damage. Lack of availability in systems. Inability to operate services resulting in loss of customer trust, resulting in loss of revenue and negative impact on share price. Impact on national security due to our work with government clients. Risk impact and movement Key controls and mitigating factors The Board operates a Cyber Security Committee chaired by a NED. All colleagues globally are required to undertake annual and ongoing security training to alert them to potential methods of security breach and to their responsibilities in safeguarding information and reporting potential issues. Security testing is regularly carried out on the Group’s infrastructure and there are extensive response plans, which are tested. Comprehensive plans are in place and being delivered associated with discharging our data protection obligations. Deployed an Information Security Management System (ISO 27001). All key locations are certified. 33 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Risk management continued B. Cyber and information security continued 7. Significant business systems failure VR Link to strategy: Our capabilities Global delivery Differentiated brands Previous risk name N/A Risk owner Rebecca Fox, CIO Risk impact Inability to transact, operate and deliver services resulting in loss of customer trust, resulting in loss of revenue and negative impact on share price. Risk impact and movement Key controls and mitigating factors Deployed an Information Security Management System (ISO 27001). All key locations are certified. IT strategy of continued cloud migration which has greater resilience and availability. Business Continuity Plans, including Crisis Management, in place and tested regularly. Change management process in place within IT which assists a reduction in incidents caused by human error. Backups in place and single points of failure identified and mitigated in the event of prolonged loss of systems. Regular vulnerability assessments (perimeter scanning) and penetration testing undertaken. Introduction of global systems. 8. Loss of client/colleague data Link to strategy: Our capabilities Differentiated brands Previous risk name N/A Risk owner Guy Ellis, CFO Risk impact Data breach leading to fines from regulators and reputational damage. Risk impact and movement Key controls and mitigating factors Deployed an Information Security Management System (ISO 27001). All key locations are certified. Regular compliance training, including data protection, provided to all colleagues at least annually. Information classification and handling and data privacy policies in place. 9. Insufficient quality, integrity and availability of management information VR Link to strategy: Our clients Our capabilities Global delivery Previous risk name N/A Risk owner Guy Ellis, CFO Risk impact Suboptimal business decision making and performance as key financial performance data is not available or trusted. Risk impact and movement Key controls and mitigating factors We are ISO 9001 accredited across key locations. Standardised business process control standards are in place and subject to regular review by the global standards and support team. Increased focus on implementing global systems to support global strategy. C. Innovation and product development 10. Intellectual property theft or exposure Link to strategy: Differentiated brands Previous risk name N/A Risk owner Siân John, CTO Risk impact Reputational damage from losing client data and industrial espionage, resulting in loss of revenue and loss of competitive advantage from threat of malicious actors. Risk impact and movement Key controls and mitigating factors Security and technical controls in place through our Information Security Management System (ISO 27001). Principal risks and uncertainties continued Risk movement: Increased Decreased Unchanged Viability risk: VR New risk: NR Risk impact: High Medium Low 34 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 C. Innovation and product development continued 11. Ineffectual product/service management Link to strategy: Global delivery Previous risk name N/A Risk owner Siân John, CTO Risk impact Loss of revenue from uncompetitive solutions and failure to compete effectively. Failure to align to the business strategy resulting in lack of client trust leading to a loss of clients. Failure to maintain competitive advantage. Ineffectual marketing strategy. Risk impact and movement Key controls and mitigating factors Suitably qualified and experienced product managers. Quality review process. Customer feedback and escalation process. Marketing strategy in place focused on product development. 12. Lack of Innovation Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name N/A – new risk Risk owner Siân John, CTO Risk impact Loss of competitive advantage resulting in declining market share. Failure to deliver the Group strategy. Increased cost base eroding margins. Risk impact and movement NR Key controls and mitigating factors Research and development budgets and culture which proactively embraces new trends and technologies. Cross-functional collaboration via working groups to promote innovation. Customer engagement and feedback to enhance the portfolio of product and services. D. People 13. Insufficient workforce resilience Link to strategy: Our capabilities Previous risk name N/A Risk owner Michelle Porteus, CPO Risk impact Inability to deliver to clients resulting in loss of revenue. Loss of colleague morale and risk of “burnout”. Risk impact and movement Key controls and mitigating factors Workforce resourcing managed by Chief People Officer. Full review of workforce requirements undertaken as part of strategic review. 14. Inability to retain/recruit colleagues to meet the resource needs of the business VR Link to strategy: Our capabilities Previous risk name Attracting and retaining appropriate colleague capacity and capability Risk owner Michelle Porteus, CPO Risk impact Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group’s strategy. Inability to attract and retain sufficient high calibre colleagues could become a barrier to the continued success and growth of NCC Group. Risk impact and movement Key controls and mitigating factors Colleagues are offered an industry aligned salary and benefits package, which can include participation in share schemes, a salary sacrifice car scheme and retail discount offerings. Improved communications with our colleagues managed by the new Chief Marketing Officer. New global delivery and operations centre opened in Manila in September 2023. Risk movement: Increased Decreased Unchanged Viability risk: VR New risk: NR Risk impact: High Medium Low 35 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Risk management continued Principal risks and uncertainties continued E. Market and competition 15. Failure to capture on partnership ecosystem Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name Reliance on relationships with third parties Risk owner Mike Maddison, CEO Risk impact Loss of margin. Reputational damage if third parties don’t deliver. Risk impact and movement Key controls and mitigating factors Contracts in place with third parties. Ongoing review of service and delivery from third parties. 16. Geopolitical risk Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name International trade Risk owner Kevin Brown, COO Risk impact Failure to comply with changing global regulations may cause disruption to our business. Risk impact and movement Key controls and mitigating factors The new strategy is focused on globalisation and thus the resource structure is being designed to promote global delivery. 17. Lack of market strength versus competitors Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name N/A – new risk Risk owner Kevin Brown, COO Risk impact Declining market share. Less influence in shaping industry trends and changes. Brand perception issues. Reduction in workforce morale and increased challenges in relation to talent acquisition and retention. Risk impact and movement NR Key controls and mitigating factors Market intelligence and competitive intelligence reporting. Launch of Kantata globally in FY24 to enable global scheduling and assessment of profitability. F. Brand and reputation 18. Lack of visibility in the marketplace Link to strategy: Our clients Our capabilities Global delivery Differentiated brands Previous risk name N/A – moved from Market and Competition theme Risk owner Mike Maddison, CEO Risk impact Loss of clients will result in a loss of revenue. Risk impact and movement Key controls and mitigating factors Escode rebranded in FY24 and plans for cyber in line with the Group strategy. Continue to publish expert advice and content publicly. Risk movement: Increased Decreased Unchanged Viability risk: VR New risk: NR Risk impact: High Medium Low 36 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 F. Brand and reputation continued 19. Adverse publicity in news and social media Link to strategy: Differentiated brands Previous risk name N/A Risk owner Angela Brown, CMO Risk impact Reputational damage leading to loss of existing and potential clients resulting in loss of revenue. Risk impact and movement Key controls and mitigating factors Policies and procedures in place which follow good practice and ethics. Research quality review process managed by a panel of experts. 20. Undertaking work with disreputable clients or in sanctioned/undesirable jurisdictions Link to strategy: Our clients Global delivery Previous risk name N/A Risk owner Angela Brown, CMO Risk impact Reputational damage. Potential fines. Risk impact and movement Key controls and mitigating factors Country risk assessment process in place for new business. Higher risk countries have a risk assessment completed and approved appropriately. G. Quality and delivery 21. Service delivery does not achieve established quality standards VR Link to strategy: Our clients Our capabilities Previous risk name N/A Risk owner Kevin Brown, COO Risk impact Clients don’t renew, have their SLA breached or cancel mid-service leading to loss of revenue. Negligence in delivery leading to legal action or loss of revenue and reputational damage. Risk impact and movement Key controls and mitigating factors Quality assurance processes in place. Standard methodologies and procedures followed. Customer feedback and complaints process. Ongoing internal training programmes. 22. Loss of internationally recognised quality and security standards VR Link to strategy: Our capabilities Global delivery Differentiated brands Previous risk name N/A Risk owner Kevin Brown, COO Risk impact Failure to retain a core standard, e.g. 9001, 27001 or PCI, with a consequential loss of key customer accounts or ability to operate. Risk impact and movement Key controls and mitigating factors We operate a comprehensive programme to ensure the retention of our core standards. Policies and procedures in place and audited against the design and application. External assessors conduct audits at least annually confirming the retention of our quality and security standards. We have extended our ISO standards to more locations during FY24. Risk movement: Increased Decreased Unchanged Viability risk: VR New risk: NR Risk impact: High Medium Low 37 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Principal risks and uncertainties continued Risk management continued H. Legal, regulatory compliance and governance 23. Criminal and civil corporate legal action resulting in fines and incarceration VR Link to strategy: Our clients Global delivery Differentiated brands Previous risk name Criminal and civil legal action resulting in fines and incarceration Risk owner Guy Ellis, CFO Risk impact Reputational damage from legal action being taken and financial impact of the fines and the impact it may have on key customer accounts. Risk impact and movement Key controls and mitigating factors Legal team reviews customer contracts. Annual compliance training undertaken including ethics, economic crime, health and safety, information security and data protection. 24. Inability to identify and adopt emerging regulations in a timely manner Link to strategy: Our clients Global delivery Differentiated brands Previous risk name N/A Risk owner Guy Ellis, CFO Risk impact Non-compliance with regulations resulting in fines from regulators and reputational damage leading to loss of key customer accounts and shareholder investment. Risk impact and movement Key controls and mitigating factors TCFD reporting in third period and working on CSRD for our Fox-IT business. Horizon scanning for new regulations. In addition to identifying the Group strategic risks, we continuously review and monitor emerging risks through horizon scanning; publications; assessing regulatory changes and how they may impact the Group; and ensuring adequate oversight over significant projects. Emerging risks Risk area Risk Risk description Mitigating controls People and partners Pandemic Already experienced with Covid-19 (remains on the risk register). Colleagues can deliver client services remotely. Market and competition Blackouts Potential energy supply shortages as a result of supply issues created by the Russian invasion of Ukraine. Emergency backup generators in place and tested. Property rationalisation exercise advanced during the period. Increasing energy costs Energy costs have increased significantly since the Russian invasion of Ukraine. Factored into budget. Financial Inflation and interest rate fluctuations leading to wider economic uncertainty. Less spending in public sector by UK government could lead to reductions in funding. New strategy implemented and Kantata implementation has provided improved visibility of profitability. Quality and delivery Project management/ project commercial Significant number of large scale projects which need to be adequately managed. New Head of Strategy responsible for project management. Development of business cases which clearly articulate project objectives including delivery metrics which are monitored. Risk movement: Increased Decreased Unchanged Viability risk: VR New risk: NR Risk impact: High Medium Low 38 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Viability statement In line with Provision 31 of the 2018 UK Corporate Governance Code, this Viability Statement outlines the Directors’ assessment of the Group’s ability to continue in operation and meet its liabilities as they fall due over the designated assessment period, drawing attention to any qualifications or assumptions, as necessary. This evaluation considers our current financial position, outlook, and principal risks and uncertainties, as well as the critical judgements and estimates underpinning the Financial Statements. The Directors’ assessment is grounded in the Group’s business model and strategic plan, which are reviewed and approved annually by the Board with a focus on a sustainable growth strategy derived from two distinct businesses, increasing shareholder value, and enhancing our service offering. For further details, please see the Strategic Report on pages 8 and 9. The Group’s strategic priorities, detailed on pages 12 and 13 of the Strategic Report, provide a foundation for this outlook. Additionally, the effective management of principal risks and uncertainties, as outlined on pages 29 to 38, underscores those factors that could theoretically pose a threat to the Group’s operational or financial resilience, particularly those carrying the viability risk (VR) designation. The assessment period The Directors have assessed the viability of the Group over a three year period ending in September 2027. This timeframe aligns with the Group’s strategic planning horizon and reflects a practical planning period, considering the pace of industry change and evolving customer demands. Assessment of viability The viability of the Group has been assessed based on its current financial position, available bank facilities, and the Board-approved FY25 budget and three year strategic plan. The Group’s base case budget for FY25 incorporates recent growth trends across geographical regions and operating segments, as well as relevant growth opportunities driven by existing offerings. This assessment also accounts for current macro-economic conditions where applicable. Additionally, the Directors have modelled the impact of severe, yet plausible scenarios associated with the Group’s principal risks, which could have the most significant potential impact on viability over the three year period, as outlined in the table below. These sensitivities have been assessed against the Group’s projected cash flow position, available bank facilities, and compliance with financial covenants throughout the viability period. The Directors note that the Group’s revolving credit facility (RCF), which currently provides liquidity headroom, is due to expire in December 2026. The viability model assumes that the RCF will be refinanced within the assessment period, and this assumption has been incorporated into the severe yet plausible downside scenarios. Under these scenarios, the Group has assessed and concluded that sufficient headroom exists to support its operations and meet its liabilities as they fall due. Further details on the Group’s financing arrangements and expiry dates can be found in Note 1 of the Financial Statements. The applied sensitivities demonstrate sufficient levels of headroom, indicating that no mitigating actions are necessary under the severe but plausible scenarios modelled by management. Nevertheless, should additional headroom be needed, available measures within the Directors’ control include reducing planned capital expenditure, adjusting headcount, freezing pay and recruitment, and suspending dividend payments to shareholders. Conclusions Based on the severe but plausible scenarios modelled, including the assumption that the Group’s revolving credit facility (RCF) will be successfully refinanced within the three year assessment period, the Directors have a reasonable expectation that the Company will be able to continue in operation and meet its liabilities as they fall due over the three year period of assessment. The Directors have considered this assumption as part of their viability assessment and believe it to be reasonable based on the Group’s financial position. Viability risk Risk as applied to viability assessment Specifics of scenario modelled Potential impact Inability to execute the Group’s strategy Ineffective execution of a strategy could have a material negative impact on the Group’s financial performance and value. It would potentially weaken the Group compared to its competitors and risk the Group’s established position in the marketplace. In order to consider the impact of the risks identified, management has modelled the following scenario: A reduction in the future performance regarding Cyber Security trading performance, specifically within the North American Technical Assurance Services (TAS). This scenario models an annualised reduction of £5.3m in revenue and £2.5m in profitability over the three year viability period. The impact of these sensitivities has been assessed against the Group’s projected cash flow, available bank facilities and compliance with financial covenants over the three year viability period. The scenarios applied indicate sufficient headroom throughout this period, confirming that no mitigating actions are necessary. Inability to retain/recruit colleagues to meet the resource needs of the business Loss of key colleagues or significant colleague turnover could result in a lack of necessary expertise or continuity to execute the Group’s strategy. Inability to attract and retain sufficient high calibre colleagues could become a barrier to the continued success and growth of NCC Group. Insufficient quality, integrity and availability of management information Suboptimal business decision making, and performance as key financial performance data is not available or trusted. These suboptimal decisions could prevent the Group from achieving its strategic goals. Over-reliance on market sector, product/service or client Loss of key customers or over-reliance on market sector can result in a reduction in revenue and consequential impact on profitability and cash generation. In order to consider the impact of the risks identified, management has modelled the following scenario: A loss in key customers resulting in an annualised reduction of £24.8m in revenue and £14.2m in profitability over the three year viability period. The impact of this sensitivity has been assessed against the Group’s projected cash flow, available bank facilities and compliance with financial covenants over the three year viability period. The scenarios applied indicate sufficient headroom throughout this period, confirming that no mitigating actions are necessary. Unable to meet the service and resource needs of our clients Loss of clients will result in a loss of revenue and reputational damage. Cyber attack Data breach leading to fines from regulators and reputational damage. Lack of availability in systems. Inability to operate services resulting in loss of customer trust, resulting in loss of revenue and negative impact on share price. Impact on national security due to our work with government clients. Each of the above could result in a loss of customers and revenue. Significant business systems failure Inability to transact, operate and deliver services resulting in loss of customer trust, resulting in loss of revenue and negative impact on share price. Service delivery does not achieve established quality standards Clients don’t renew, have their SLA breached or cancel mid-service leading to loss of revenue. Negligence in delivery leading to legal action or loss of revenue and reputational damage, resulting in a loss in customers. Loss of internationally recognised quality and security standards The risk of the Group failing to retain a core standard, e.g. 9001, 27001 or PCI, with a consequential loss of key customer accounts or ability to operate. Criminal and civil corporate legal action resulting in fines and incarceration Reputational damage from legal action being taken and financial impact of the fines and the impact it may have on key customer accounts. 39 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Financial review Delivering on our financialframework Highlights – financial framework Reviewing our financial framework for the 16-month period to 30 September 2024 set out at the start of the period, it is encouraging to see that we continue to deliver. The key points to note are as follows: Sustainable revenue growth • Returning Cyber Security to growth in second half of the unaudited period ended 31 May 2024 and in the unaudited four-month period ending 30 September 2024 – second half of the 12 months ended 31 May 2024 revenue was ahead of the comparative period on constant currency 1 by 6.0% (at actual rates 4.7%). Momentum continued during the four‑month stub period, giving rise to constant currency growth of 7.6% (at actual rates 6.0%). • Accelerating growth in our recurring Managed Services – revenue momentum continued during the 12-month period ended 31 May 2024 and the four-month stub period, giving rise to constant current 1 growth in the four‑month stub period of 45.0% (at actual rates 43.3%). • Maintaining momentum of growth in Escode – sustained growth through the past seven quarters and four‑month period leading to +2.9% constant currency growth (+0.5% actual rates). Improved gross margin • Improved utilisation – Technical Assurance Services (TAS) and, Consulting and Implementation (C&I) average utilisation for all locations improved to c.66% for the four-month period ending 30 September 2024 contributing to Cyber Security gross margin improvement of 9.5% in the four-month stub period following low performance in H2 of the year ended 31 May 2023 of c.58%. Utilisation for the 12-month period to 31 May 2024 amounted to c.68%. • Globalised technical resource footprint – from a global delivery perspective the Group continues to invest in its Manila office. Efficient cost base • Delivering efficiencies – Cyber Security gross margin improved from 31.8% for the year ended 31 May 2023 to 34.5% for the 16-month period ended 30 September 2024. Overheads have also been effectively managed after considering inflationary pressures. • Annualising Escode efficiencies delivered in FY23 – our work carried out in FY23 enabled us to invest in our sales and support team to lay the foundations for further revenue growth, with the benefits beginning to come to fruition. Balance sheet resilience • Strong cash conversion 1 – strong historic cash conversion, with the 12 months to 30 September 2024 amounting to 96.6%. • Reducing net debt 1 – net debt effectively managed to £45.3m, reduction of £4.3m. Following the non-core disposal announcement on 1 August 2024 of our European Crypto business for initial net proceeds of c.€74m (c.£66m), net debt will be cleared early in the new calendar year following standard regulatory approvals, this will facilitate organic and inorganic growth in the Group’s Cyber Security business. • Maintaining dividend – 12 month dividend maintained at 3.15p and final dividend for the four-month period proposed of 1.5p which is in line with the historic six-month interim period dividends previously paid. 1 Revenue at constant currency is an unaudited Alternative Performance Measures (APM) and not an IFRS measures. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. NCC Group plc — Annual report and accounts for the period ended 30 September 202440 Overview of financial performance Change in year end The following table summarises the Group’s overall audited performance the Group for the 16-month period ended 30 September 2024 following our unaudited results for the 12 months to 31 May 2024 announced on the 1 August 2024. Following the change in financial year end, contained within Appendix 1 to the consolidated financial statements are unaudited 12-month pro forma results for the period ending 30 September 2024 compared to the previous unaudited 12-month period ending 30 September 2023 to aid comparability of the new year end performance and importantly the current trajectory of the Group. 16-month period ended 30 September 2024 Year ended 31 May 2023 Cyber Security £m Escode £m Central and head office £m Group £m Cyber Security £m Escode £m Central and head office £m Group £m Revenue 342.1 87.4 — 429.5 270.8 64.3 — 335.1 Cost of sales (224.1) (26.7) — (250.8) (184.7) (18.4) — (203.1) Gross profit 118.0 60.7 — 178.7 86.1 45.9 — 132.0 Gross margin % 34.5% 69.5% — 41.6% 31.8% 71.4% — 39.4% Administrative expenses (97.3) (24.1) (3.4) (124.8) (70.7) (14.7) (5.2) (90.6) Share-based payments (0.1) (0.2) (2.0) (2.3) (1.6) (0.1) (0.5) (2.2) Adjusted EBITDA 1,2 20.6 36.4 (5.4) 51.6 13.8 31.1 (5.7) 39.2 Depreciation and amortisation (10.9) (0.6) (5.3) (16.8) (8.5) (0.6) (3.5) (12.6) Amortisation of acquired intangibles (1.4) (7.1) (4.0) (12.5) (1.2) (5.8) (3.0) (10.0) Adjusted operating profit 1,2 8.3 28.7 (14.7) 22.3 4.1 24.7 (12.2) 16.6 Individually Significant Items (41.4) (0.1) — (41.5) (12.3) (2.4) — (14.7) Operating (loss)/profit (33.1) 28.6 (14.7) (19.2) (8.2) 22.3 (12.2) 1.9 Operating margin % (9.7%) 32.7% n/a (4.5%) (3.0%) 34.7% n/a 0.6% Finance costs (8.3) (6.2) Loss before taxation (27.5) (4.3) Taxation (5.0) (0.3) Loss after taxation (32.5) (4.6) EPS Basic EPS (10.4p) (1.5p) Adjusted basic EPS 1,2 3.4p 2.8p 1 Adjusted EBITDA, Adjusted Operating profit and Adjusted basic EPS are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 2 After reconsidering FRC best practice guidance around the disclosure of adjusting items and APM’s, the Group has reduced the number of adjusted measures and items. The Group now only has one adjusted item ‘Individual Significant Items’. Previous adjusted items of Amortisation of acquisition intangibles and share based payments are no longer disclosed as an adjusted item. Accordingly, comparative numbers have been restated. For further detail, please refer to the Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 41 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Overview of financial performance continued 16-month period ended 30 September 2024 (audited) On the basis we are comparing a 16-month period to a 12-month period. Revenue increased by 31.3% on a constant currency basis (Actual rates 28.2%), with Cyber Security Revenue increasing 29.3% on a constant currency basis (Actual rates: 26.3%) and Escode growing by 39.8% on a constant currency basis (Actual rates: 35.9%). Encouragingly, when you directly compare our gross margins, we have improved since the second half of the year ended 31 May 2023 with gross margin percentage increasing to 41.6% (2023: 39.4%). The 2.2% pts gross margin (%) increase is due to improved utilisation and operational efficiencies within Cyber Security, alongside a change in the service mix whereby managed services are becoming a greater proportion of overall revenue at a higher margin. This is offset by a decline in Escode gross margin due to continued investment in the sales team for future growth. Administrative expenses increased from £90.6m to £124.8m following the management of inflationary pressures with a decrease in non-client travel and training offset by strategic investments (including investment in our Manila office) and foreign exchange. A loss before taxation of £27.5m for the period was recognised after incurring £41.5m of Individual Significant Items (including the North America Cyber Security impairment, fundamental re-organisation costs and the profit on disposal of non-core operations), this gave rise to a basic and diluted EPS of (10.4p) (2023: basic and diluted (1.5p)). Adjusted basic EPS 1 amounted to 3.4p (2023 restated 2 : 2.8p). Net debt excluding lease liabilities 1 amount to £45.3m (2023: £49.6m). Our Balance Sheet remains strong following our refinancing in December 2022. Our facilities include a four-year £162.5m multi-currency revolving credit facility and additional £75m uncommitted accordion option. The Board is proposing a final four-month dividend of 1.5p per ordinary share (2023: 3.15p). This is equivalent to the interim dividend previously paid albeit for the final 4-month period ending 30 September 2024 rather than six-months. 4-month pro forma results for the period ending 30 September 2024 (Unaudited) The following table summarises the pro forma results of the period ending 30 September 2024 4-month period ended 30 September 2024 4-month period ended 30 September 2023 Unaudited Cyber Security £m Escode £m Central and head office £m Group £m Cyber Security £m Escode £m Central and head office £m Group £m Revenue 83.6 21.5 — 105.1 78.9 21.4 — 100.3 Cost of sales (53.9) (6.8) — (60.7) (58.4) (6.1) — (64.5) Gross profit 29.7 14.7 — 44.4 20.5 15.3 — 35.8 Gross margin % 35.5% 68.4% — 42.2% 26.0% 71.5% — 35.7% Administrative expenses (26.9) (6.6) (0.7) (34.2) (26.0) (7.2) (0.2) (33.4) Share-based payments 0.2 — (0.9) (0.7) — (0.1) (0.4) (0.5) Adjusted EBITDA 1,2 3.0 8.1 (1.6) 9.5 (5.5) 8.0 (0.6) 1.9 Depreciation and amortisation (2.4) (0.2) (1.6) (4.2) (2.3) (0.1) (1.6) (4.0) Amortisation of acquired intangibles (0.4) (1.6) (1.0) (3.0) (0.3) (1.8) (1.0) (3.1) Adjusted operating profit 1,2 0.2 6.3 (4.2) 2.3 (8.1) 6.1 (3.2) (5.2) Individually Significant Items — — — — (2.5) — — (2.5) Operating profit/(loss) 0.2 6.3 (4.2) 2.3 (10.6) 6.1 (3.2) (7.7) Operating margin % 0.2% 29.3% n/a 2.2% (13.4%) 28.5% n/a (7.7%) Finance costs (2.1) (1.9) Profit/(loss) before taxation 0.2 (9.6) Revenue increased by 6.6% on a constant currency basis (Actual rates 4.8%), with Cyber Security Revenue increasing 7.6% on a constant currency basis (Actual rates: 6.0%) and Escode growing by 2.9% on a constant currency basis (Actual rates: 0.5%). As you look at our revenue trajectory in Cyber Security for the final four months of the period compared to the similar prior period to 30 September 2023, we have experienced continued growth in our UK Managed Service performance whilst our North America rate of decline has eased to 5.7% on a constant currency basis (actual rates (8.4%)). Technical Assurance Services has declined by 3.6% on a constant currency basis 1 (Actual rates: 5.5%) with the recovery in demand still less consistent than expected against a backdrop of the current macro uncertainty within North America and UK. Gross profit increased by 24.0% to £44.4m with gross margin percentage increasing to 42.2% (2023: 35.7%). The overall 6.5% pts gross margin increase is due to improved utilisation and operational efficiencies within Cyber Security, alongside a change in the service mix whereby managed services are becoming a greater proportion of overall revenue at a higher margin. This is offset by a decline in Escode gross margin due to continued investment in the sales team for future growth. Adjusted EBITDA has improved by £7.6m when compared to the similar prior period driven by Cyber Security gross margin improvements noted above which have been slightly offset by 7.5% increase in administrative expenses (excluding share-based payments) driven by investment and inflationary pressures. Financial review continued 1 Adjusted EBITDA, Adjusted operating profit and Adjusted basic EPS are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 2 After reconsidering FRC best practice guidance around the disclosure of adjusting items and APM’s, the Group has reduced the number of adjusted measures and items. The Group now only has one adjusted item ‘Individual Significant Items’. Previous adjusted items of Amortisation of acquisition intangibles and share based payments are no longer disclosed as an adjusted item. Accordingly, comparative numbers have been restated. For further detail, please refer to the Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 42 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 12-month pro forma results for the period ending 30 September 2024 (Unaudited) The following table summarises the pro forma results for the 12-month period ending 30 September 2024: 12-month period ended 30 September 2024 12-month period ended 30 September 2023 Unaudited Cyber Security £m Escode £m Central and head office £m Group £m Cyber Security £m Escode £m Central and head office £m Group £m Revenue 263.2 66.0 — 329.2 258.4 65.4 — 323.8 Cost of sales (165.7) (20.6) — (186.3) (179.6) (18.4) — (198.0) Gross profit 97.5 45.4 — 142.9 78.8 47.0 — 125.8 Gross margin % 37.0% 68.8% — 43.4% 30.5% 71.9% — 38.9% Administrative expenses (71.3) (16.9) (3.2) (91.4) (69.6) (16.6) (6.4) (92.6) Share-based payments (0.1) (0.1) (1.6) (1.8) (1.2) (0.1) (0.7) (2.0) Adjusted EBITDA 1,2 26.1 28.4 (4.8) 49.7 8.0 30.3 (7.1) 31.2 Depreciation and amortisation (8.6) (0.5) (3.7) (12.8) (8.4) (0.5) (3.6) (12.5) Amortisation of acquired intangibles (1.1) (5.3) (3.0) (9.4) (1.1) (5.6) (2.9) (9.6) Adjusted operating profit 1,2 16.4 22.6 (11.5) 27.5 (1.5) 24.2 (13.6) 9.1 Individually Significant Items (38.9) (0.1) — (39.0) (15.6) (2.4) — (18.0) Operating (loss)/profit (22.5) 22.5 (11.5) (11.5) (17.1) 21.8 (13.6) (8.9) Operating margin % (8.5%) 34.1% n/a (3.5%) (6.6%) 33.3% n/a (2.7%) Finance costs (6.3) (6.9) Loss before taxation (17.8) (15.8) Taxation (7.3) 0.4 Loss after taxation (25.1) (15.4) EPS Basic EPS (8.1p) (5.0p) Adjusted basic EPS 1,2 5.2p 0.6p Revenue increased by 3.5% on a constant currency basis (Actual rates +1.7%), with Cyber Security Revenue increasing 3.7% on a constant currency basis (Actual rates: 1.9%) and Escode growing by 2.8% on a constant currency basis (Actual rates: 0.9%). Turning to Cyber Security revenue trajectory during this 12-month pro forma period, UK & APAC grew by +15.1% at constant currency (Actual rates: +14.6%) driven by the TikTok contract, North America declined by 18.1% (Actual rates (21.0%)) whereas Europe grew by 11.8% (Actual rates: +9.6%). We have experienced continued growth in our UK Managed Service performance whilst North America’s rate of decline has eased to (3.7%) on a constant currency basis (Actual rates (6.1%)) in the second half of this proforma period. Technical Assurance Services declined by (0.2%) on a constant currency basis 1 (Actual rates: (1.3%)) in the second half of this proforma period, with the recovery in demand still less consistent than expected against a backdrop of the current macro conditions within North America and UK. Gross profit increased by 13.6% to £142.9m with gross margin percentage increasing to 43.4% (Sept 2023: 38.9%). The overall 4.5% pts gross margin (%) increase is due to improved utilisation and operational efficiencies within Cyber Security, alongside a change in the service mix whereby Managed Services is becoming a greater proportion of overall revenue at a higher margin. Cyber Security gross margin now equates to 37.0% compared to 30.5% as at 30 September 2023. This is offset by a decline in Escode gross margin by 3.1% pts due to continued investment in the sales team for future growth. Adjusted Operating profit 1,2 has improved by £18.4m when compared to the similar 12-month proforma prior period driven by gross margin improvements noted above and well controlled overheads. For the 12-month period ending 30 September 2024, our cash conversion 1 was 96.6% (May 2023 restated 2 : 108.7%). Further analysis on our performance for the 12-month period ending 30 September 2024 can be found within the unaudited Appendix 1 of the financial statements. Alternative Performance Measures (APMs) Throughout this Financial Review, certain APMs are presented. The APMs used by the Group are not defined terms under IFRS and therefore may not be comparable with similarly titled measures reported by other companies. They are not intended to be a substitute for, or superior to, IFRS measures. This presentation is also consistent with the way that financial performance is measured by management and reported to the Board, and the basis of financial measures for senior management’s compensation scheme and provides supplementary information that assists the user in understanding the financial performance, position and trends of the Group. We believe these APMs provide readers with important additional information on our business and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can differ significantly from the APMs and may be assessed differently by the reader, we encourage you to consider these figures together with statutory reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related APMs may exclude recurring business transactions (e.g. acquisition related costs) that impact financial performance and cash flows. After reconsidering FRC best practice guidance around the disclosure of adjusting items and APM’s, the Group has reduced the number of adjusted measures and items within the period. The Group now only has one adjusted item ‘Individually Significant Items’. Previous adjusted items of amortisation of acquisition intangibles and share based payments are no longer disclosed as an adjusted item. Accordingly, comparative numbers have been restated. 43 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Overview of financial performance continued Alternative Performance Measures (APMs) continued The following tables reconciles how these changes have affected the historic measures of Adjusted EBITDA, Adjusted Operating profit, Adjusted profit for the period, Adjusted basic EPS and cash conversion, which includes Adjusted EBITDA: Adjusted measure 16-month period ended 30 September 2024 Year ended 31 May 2023 (restated) 2 Adjusted EBITDA – previously (£m) 53.9 41.4 Share-based payments (£m) (2.3) (2.2) Adjusted EBITDA – revised (£m) 51.6 39.2 Adjusted operating profit – previously (£m) 37.1 28.8 Share-based payments (£m) (2.3) (2.2) Amortisation of acquired intangibles (£m) (12.5) (10.0) Adjusted operating profit – revised (£m) 22.3 16.6 Adjusted profit for the period – previously (£m) 21.3 18.9 Share-based payments (£m) (2.3) (2.2) Amortisation of acquired intangibles (£m) (12.5) (10.0) Tax effect of above items (£m) 4.1 2.1 Adjusted profit for the period – revised (£m) 10.6 8.8 Adjusted basic EPS – previously (pence) 6.8 6.1 Effect of share-based payments (pence) (0.7) (0.7) Effect amortisation of acquired intangibles (pence) (4.0) (3.3) Tax effect of above items (pence) 1.3 0.7 Adjusted basic EPS – revised (pence) 3.4 2.8 Cash conversion – previously (%) 71.2% 102.9% Effect of share-based payments (%) 3.2% 5.8% Cash conversion – revised (%) 74.4% 108.7% The Group now has the following APMs/non-statutory measures: • Adjusted EBITDA (reconciled below) • Adjusted Operating profit (reconciled below) • Adjusted basic EPS (pence) (reconciled below) • Adjusted profit for the period (reconciled below) • Net debt excluding lease liabilities (reconciled below) • Net debt (reconciled below) • Cash conversion which includes Adjusted EBITDA (reconciled below) • Constant currency revenue (reconciled below) Apart from the changes noted above, the above APM’s are consistent with those reported for the year ended 31 May 2023. The Group also reports certain geographic regions and service capabilities on a constant currency basis to reflect the underlying performance considering constant foreign exchange rates period on period. This involves translating comparative numbers at current period rates for comparability to enable a growth factor to be calculated. As these measures are not statutory revenue numbers, management considers these to be APMs; see unaudited appendix 1 for further details. Adjusted EBITDA 1 and Adjusted operating profit 1 Following the changes noted above to the number of adjusting items, the revised calculation of Adjusted EBITDA 1 is set out below: 16-month period ended 30 September 2024 £m Year ended 31 May 2023 (restated) 2 £m Operating (loss)/profit (19.2) 1.9 Depreciation and amortisation 16.8 12.6 Amortisation of acquired intangibles (Note 8) 12.5 10.0 Individually Significant Items (Note 4) 41.5 14.7 Adjusted EBITDA 1 51.6 39.2 Depreciation and amortisation and amortisation of acquired intangibles (29.3) (22.6) Adjusted operating profit – revised 1,2 22.3 16.6 Financial review continued 1 Adjusted EBITDA, Adjusted operating profit and Adjusted basic EPS are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 2 After reconsidering FRC best practice guidance around the disclosure of adjusting items and APM’s, the Group has reduced the number of adjusted measures and items. The Group now only has one adjusted item ‘Individual Significant Items’. Previous adjusted items of Amortisation of acquisition intangibles and share based payments are no longer disclosed as an adjusted item. Accordingly, comparative numbers have been restated. For further detail, please refer to the Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 44 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Previously these adjusted measures would have been calculated as follows: 16-month period ended 30 September 2024 £m Year ended 31 May 2023 (restated) 2 £m Operating (loss)/profit (19.2) 1.9 Depreciation and amortisation 16.8 12.6 Amortisation of acquired intangibles 12.5 10.0 Individually Significant Items (Note 4) 41.5 14.7 Share-based payments 2.3 2.2 Adjusted EBITDA – previously 1,2 53.9 41.4 Depreciation and amortisation (excluding amortisation of acquired intangibles) (16.8) (12.6) Adjusted operating profit – previously 1,2 37.1 28.8 1 See above for an explanation of Alternative Performance Measures (APMs) and adjusting items. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 2 After reconsidering FRC best practice guidance around the disclosure of adjusting items and APMs, the Group has reduced the number of adjusted measures and items. The Group now only has one adjusted item ‘Individual Significant Items’. Previous adjusted items of amortisation of acquisition intangibles and share-based payments are no longer disclosed as an adjusted item. Accordingly, comparative numbers have been restated. For further detail, please refer to the Financial Review and above for an explanation of APMs and adjusting items, including a reconciliation to statutory information. Revenue summary 16-month period ended 30 September 2024 £m Year ended 31 May 2023 £m % change at actual rates 16-month period ended 30 September 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 Cyber Security revenue 342.1 270.8 26.3% 342.1 264.5 29.3% Escode 87.4 64.3 35.9% 87.4 62.5 39.8% Total revenue 429.5 335.1 28.2% 429.5 327.0 31.3% 12-month period ended 31 May 2024 £m Year ended 31 May 2023 £m % change at actual rates 12-month period ended 31 May 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 Cyber Security revenue 258.5 270.8 (4.5%) 258.5 264.5 (2.3%) Escode 65.9 64.3 2.5% 65.9 62.5 5.4% Total revenue 324.4 335.1 (3.2%) 324.4 327.0 (0.8%) 4-month period ended 30 September 2024 £m 4-month period ended 30 September 2023 £m % change at actual rates 4-month period ended 30 September 2024 £m Constant currency 1 4-month period ended 30 September 2023 £m % change at constant currency 1 Cyber Security revenue 83.6 78.9 6.0% 83.6 77.7 7.6% Escode 21.5 21.4 0.5% 21.5 20.9 2.9% Total revenue 105.1 100.3 4.8% 105.1 98.6 6.6% 1 Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not IFRS measures. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 45 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Divisional performance The following sections summarises the Group’s divisional performance for the 16-month period ended 30 September 2024 following our unaudited results for the 12-month period to 31 May 2024 announced on the 1 August 2024. This section also includes the unaudited results for the remaining four months to 30 September 2024 compared to the previous unaudited four-month period ending 30 September 2023 to aid comparability and importantly the current trajectory of the Group. Cyber Security The Cyber Security division accounts for 79.7% of Group revenue (2023: 80.8%) and 66.0% of Group gross profit (2023: 65.2%). Cyber Security revenue analysis – by originating region: Audited 16-month period ended 30 September 2024 £m Year ended 31 May 2023 £m % change at actual rates 16-month period ended 30 September 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 UK and APAC 173.3 118.4 46.4% 173.3 117.8 47.1% North America 90.7 99.3 (8.7%) 90.7 94.2 (3.7%) Europe 78.1 53.1 47.1% 78.1 52.5 48.8% Total Cyber Security revenue 342.1 270.8 26.3% 342.1 264.5 29.3% Unaudited 12-month period ended 31 May 2024 £m Year ended 31 May 2023 £m % change at actual rates 12-month period ended 31 May 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 UK and APAC 129.8 118.4 9.6% 129.8 117.8 10.2% North America 69.0 99.3 (30.5%) 69.0 94.2 (26.8%) Europe 59.7 53.1 12.4% 59.7 52.5 13.7% Total Cyber Security revenue 258.5 270.8 (4.5%) 258.5 264.5 (2.3%) Unaudited 4-month period ended 30 September 2024 £m 4-month period ended 30 September 2023 £m % change at actual rates 4-month period ended 30 September 2024 £m Constant currency 1 4-month period ended 30 September 2023 £m % change at constant currency 1 UK and APAC 43.5 37.7 15.4% 43.5 37.6 15.7% North America 21.7 23.7 (8.4%) 21.7 23.0 (5.7%) Europe 18.4 17.5 5.1% 18.4 17.1 7.6% Total Cyber Security revenue 83.6 78.9 6.0% 83.6 77.7 7.6% 1 Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not IFRS measures. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. Cyber Security revenue analysis – by type of service and capability: Audited 16-month period ended 30 September 2024 £m Year ended 31 May 2023 £m % change at actual rates 16-month period ended 30 September 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 Technical Assurance Services (TAS) 141.4 142.9 (1.0%) 141.4 138.7 1.9% Consulting and Implementation (C&I) 55.2 44.7 23.5% 55.2 44.0 25.5% Managed Services (MS) 91.8 50.1 83.2% 91.8 49.5 85.5% Digital Forensics and Incident Response (DFIR) 20.6 13.5 52.6% 20.6 13.5 52.6% Other services 33.1 19.6 68.9% 33.1 18.8 76.1% Total Cyber Security revenue 342.1 270.8 26.3% 342.1 264.5 29.3% Unaudited 12-month period ended 31 May 2024 £m Year ended 31 May 2023 £m % change at actual rates 12-month period ended 31 May 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 Technical Assurance Services (TAS) 107.0 142.9 (25.1%) 107.0 138.7 (22.9%) Consulting and Implementation (C&I) 42.8 44.7 (4.3%) 42.8 44.0 (2.7%) Managed Services (MS) 67.3 50.1 34.3% 67.3 49.5 36.0% Digital Forensics and Incident Response (DFIR) 16.4 13.5 21.5% 16.4 13.5 21.5% Other services 25.0 19.6 27.6% 25.0 18.8 33.0% Total Cyber Security revenue 258.5 270.8 (4.5%) 258.5 264.5 (2.3%) Financial review continued 46 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Unaudited 4-month period ended 30 September 2024 £m 4-month period ended 30 September 2023 £m % change at actual rates 4-month period ended 30 September 2024 £m Constant currency 1 4-month period ended 30 September 2023 £m % change at constant currency 1 Technical Assurance Services (TAS) 34.4 36.4 (5.5%) 34.4 35.7 (3.6%) Consulting and Implementation (C&I) 12.4 13.1 (5.3%) 12.4 13.0 (4.6%) Managed Services (MS) 24.5 17.1 43.3% 24.5 16.9 45.0% Digital Forensics and Incident Response (DFIR) 4.2 5.5 (23.6%) 4.2 5.5 (23.6%) Other services 8.1 6.8 19.1% 8.1 6.6 22.7% Total Cyber Security revenue 83.6 78.9 6.0% 83.6 77.7 7.6% Cyber Security revenue increased by +29.3% on a constant currency basis 1 and at +26.3% at actual rates when comparing the 16-month period to the year ended 31 May 2023. UK & APAC increased due to Managed Services, and North America decline has slowed since the decline in the unaudited 12 months period to 31 May 2024, while Technical Assurance Services declined with the recovery in demand still less consistent than expected within the UK and North America. In relation to the unaudited four-month period to 30 September 2024, C&I declined across all regions and the DFIR decline arose from the UK. Managed Services revenue for the 16-month period 30 September 2024, now represents 26.8% of total Cyber Security revenue as compared to the year ended 31 May 2023 of 18.5%, demonstrating the change in service mix to more annual recurring revenues. Looking at other KPIs, our TAS and C&I average utilisation has improved to 66% in the second six-month period to 30 September 2024 (from 57% in the second six-month period to 30 September 2023), while we have 178 clients with sales orders >£250k, of which 73% take multiple capabilities. The number of recurring clients over £250k amounts to 133 in the second six-month period to 30 September 2024. Cyber Security gross profit is analysed as follows: Audited 16-month period ended 30 September 2024 £m 16-month period ended 30 September 2024 % margin Year ended 31 May 2023 £m Year ended 31 May 2023 % margin % pts change UK and APAC 72.5 41.8% 40.3 34.0% 7.8% pts North America 18.4 20.3% 26.1 26.3% (6.0% pts) Europe 27.1 34.7% 19.7 37.1% (2.4% pts) Cyber Security gross profit and % margin 118.0 34.5% 86.1 31.8% 2.7% pts Gross margins increased overall by +2.7% pts, driven by UK managed services within UK & APAC, this was offset by North America. In Europe, the margin decreased by 2.4% pts due to the recognition of historic one-off project cost compensation of £1.5m in H1 of the year ended 31 May 2023. Excluding this item, the margin would have remained flat. Unaudited 12-month period ended 31 May 2024 £m 12-month period ended 31 May 2024 % margin Year ended 31 May 2023 £m Year ended 31 May 2023 % margin % pts change UK and APAC 55.4 42.7% 40.3 34.0% 8.7% pts North America 14.2 20.6% 26.1 26.3% (5.7% pts) Europe 18.7 31.3% 19.7 37.1% (5.8% pts) Cyber Security gross profit and % margin 88.3 34.2% 86.1 31.8% 2.4% pts Unaudited 4-month period ended 30 September 2024 £m 4-month period ended 30 September 2024 % margin 4-month period ended 30 September 2023 £m 4-month period ended 30 September 2023 % margin % pts change UK and APAC 17.1 39.3% 11.2 29.7% 9.6% pts North America 4.2 19.4% 3.6 15.2% 4.2% pts Europe 8.4 45.7% 5.7 32.6% 13.1% pts Cyber Security gross profit and % margin 29.7 35.5% 20.5 26.0% 9.5% pts 1 Revenue at constant currency is an unaudited Alternative Performance Measures (APM) and not an IFRS measures. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 47 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Divisional performance continued Escode The Escode division accounts for 20.3% of Group revenues (2023: 19.2%) and 34.0% of Group gross profit (2023: 34.8%). Escode revenue analysis – by originating region: Audited 16-month period ended 30 September 2024 £m Year ended 31 May 2023 £m % change at actual rates 16-month period ended 30 September 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 UK 36.5 25.8 41.5% 36.5 25.7 42.0% North America 45.5 34.5 31.9% 45.5 32.8 38.7% Europe 5.4 4.0 35.0% 5.4 4.0 35.0% Total Escode revenue 87.4 64.3 35.9% 87.4 62.5 39.8% Unaudited 12-month period to 31 May 2024 £m Year ended 31 May 2023 £m % change at actual rates 12-month period to 31 May 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 UK 27.3 25.8 5.8% 27.3 25.7 6.2% North America 34.4 34.5 (0.3%) 34.4 32.8 4.9% Europe 4.2 4.0 5.0% 4.2 4.0 5.0% Total Escode revenue 65.9 64.3 2.5% 65.9 62.5 5.4% Unaudited 4-month period ended 30 September 2024 £m 4-month period ended 30 September 2023 £m % change at actual rates 4-month period ended 30 September 2024 £m Constant currency 1 4-month period ended 30 September 2023 £m % change at constant currency 1 UK 9.2 8.5 8.2% 9.2 8.5 8.2% North America 11.1 11.5 (3.5%) 11.1 11.1 0.0% Europe 1.2 1.4 (14.3%) 1.2 1.3 (7.7%) Total Escode revenue 21.5 21.4 0.5% 21.5 20.9 2.9% Escode revenues analysed by service line: Audited 16-month period ended 30 September 2024 £m Year ended 31 May 2023 £m % change at actual rates 16-month period ended 30 September 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 Escrow contracts 57.2 42.8 33.6% 57.2 41.5 37.8% Verification services 30.2 21.5 40.5% 30.2 21.0 43.8% Total Escode revenue 87.4 64.3 35.9% 87.4 62.5 39.8% Unaudited 12-month period to 31 May 2024 £m Year ended 31 May 2023 £m % change at actual rates 12-month period to 31 May 2024 £m Constant currency 1 Year ended 31 May 2023 £m % change at constant currency 1 Escrow contracts 43.3 42.8 1.2% 43.3 41.5 4.3% Verification services 22.6 21.5 5.1% 22.6 21.0 7.6% Total Escode revenue 65.9 64.3 2.5% 65.9 62.5 5.4% Unaudited 4-month period ended 30 September 2024 £m 4-month period ended 30 September 2023 £m % change at actual rates 4-month period ended 30 September 2024 £m Constant currency 1 4-month period ended 30 September 2023 £m % change at constant currency 1 Escrow contracts 13.9 14.9 (6.7%) 13.9 14.5 (4.1%) Verification services 7.6 6.5 16.9% 7.6 6.4 18.8% Total Escode revenue 21.5 21.4 0.5% 21.5 20.9 2.9% Financial review continued 1 Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not IFRS measures. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 48 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Gross margin is analysed as follows: Audited 16-month period ended 30 September 2024 £m 16-month period ended 30 September 2024 % margin Year ended 31 May 2023 £m Year ended 31 May 2023 % margin % pts change UK 24.8 67.9% 18.2 70.5% (2.6% pts) North America 32.6 71.6% 25.0 72.5% (0.9% pts) Europe 3.3 61.1% 2.7 67.5% (6.4% pts) Escode gross profit and % margin 60.7 69.5% 45.9 71.4% (1.9% pts) Unaudited 12-month period to 31 May 2024 £m 12-month period to 31 May 2024 % margin Year ended 31 May 2023 £m Year ended 31 May 2023 % margin % pts change UK 18.6 68.1% 18.2 70.5% (2.4% pts) North America 24.8 72.1% 25.0 72.5% (0.4% pts) Europe 2.6 61.9% 2.7 67.5% (5.6% pts) Escode gross profit and % margin 46.0 69.8% 45.9 71.4% (1.6% pts) Unaudited 4-month period ended 30 September 2024 £m 4-month period ended 30 September 2024 % margin 4-month period ended 30 September 2023 £m 4-month period ended 30 September 2023 % margin % pts change UK 6.2 67.4% 5.8 68.2% (0.8% pts) North America 7.8 70.3% 8.5 73.9% (3.6% pts) Europe 0.7 58.3% 1.0 71.4% (13.1% pts) Escode gross profit and % margin 14.7 68.4% 15.3 71.5% (3.1% pts) Individually Significant Items During the period, the Group has incurred £41.5m in individually Significant Items (ISIs) (2023: £14.7m) as follows: 16-month period ended 30 September 2024 £m Year ended 31 May 2023 £m North America Cyber Security goodwill impairment 31.9 9.8 Fundamental reorganisation costs 9.4 4.2 Transaction costs associated with disposal of Fox Crypto 1.6 — Costs associated with strategic review of Escode business 0.1 3.0 NCC Group A/S goodwill impairment — 3.0 IPM Escode business deferred income adjustment — (0.6) Profit on disposal of non-core operations (1.5) (4.7) Total ISIs 41.5 14.7 Individually Significant Items incurred during the period of £41.5m are represented mainly by an impairment in Goodwill of £31.9m (2023: £9.8m) for the North America Cyber security business due to its historical performance, as the recovery in demand is less consistent than expected, and £9.4m (2023: £4.2m) in relation to fundamental reorganisation costs as we continue to reshape the Group to implement the Group’s strategy. Finance costs Finance costs for the 16-month period were £8.3m (2023: £6.2m). Finance costs include lease financing costs of £1.7m (2023: £1.1m). Taxation The Group’s effective statutory tax rate is (18.2%) (2023: (7.0)%). The change in tax rate from 2023 to 2024 is due to a number of factors including an increase in the UK corporate tax rate, the impact of non-deductible goodwill and intangible assets impairment and the derecognition of deferred tax assets in North America. The Group’s adjusted tax rate is 24.3% (2023 restated: 15.4%). The increase in the adjusted tax rate from 2023 to 2024 is due predominantly to an increase in the UK statutory tax rate and increased tax losses not recognised as deferred tax assets. (Loss)/earnings per share (EPS) 16-month period ended 30 September 2024 Year ended 31 May 2023 (restated) 2 Statutory Statutory loss for the period (32.5) (4.6) Basic loss per share (10.4p) (1.5p) Diluted loss per share (10.4p) (1.5p) Adjusted 1 Adjusted profit for the period 10.6 7.3 Basic EPS 3.4p 2.8p Diluted EPS 3.4p 2.8p Weighted average number of shares (million) Basic 311.7 310.4 Diluted 313.2 311.2 49 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Financial review continued (Loss)/earnings per share (EPS) continued Adjusted basic EPS 1 is reconciled as follows: 16-month period ended 30 September 2024 Year ended 31 May 2023 (restated) 2 Statutory loss for the period (32.5) (4.6) Individually Significant Items 41.5 14.7 Tax effect of Individually significant items (5.8) (2.8) North America deferred tax Asset derecognition (adjusting item) 7.4 — Adjusted profit for the period 10.6 7.3 1 Adjusted EPS is an Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 2 After reconsidering FRC best practice guidance around the disclosure of adjusting items and APMs, the Group has reduced the number of adjusted measures and items. The Group now only has one adjusted item ‘Individual Significant Items’. Previous adjusted items of Amortisation of acquisition intangibles and share-based payments are no longer disclosed as an adjusted item. Accordingly, comparative numbers have been restated. For further detail, please refer to the Financial Review and appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. Reconciliation of net debt 1 The table below summarises the Group’s cash flow and net debt 1 : 30 September 2024 £m 31 May 2023 £m Operating cash inflow before movements in working capital 48.5 38.7 Movement in working capital and non-payables (10.1) 3.9 Cash generated from operating activities before interest and taxation 38.4 42.6 Interest element of lease payments (1.7) (1.1) Finance interest paid (6.0) (4.0) Taxation paid (4.3) (5.4) Net cash generated from operating activities 26.4 32.1 Purchase of property, plant and equipment (6.2) (3.9) Software and development expenditure (2.6) (3.4) Acquisition of trade and assets as part of a business combination (1.0) (1.0) Sale proceeds from business disposals 12.4 2.0 Equity dividends paid (14.5) (14.5) Repayment of lease liabilities (principal amount) (10.2) (6.1) Acquisition of treasury shares (5.8) — Purchase of shares — (0.5) Proceeds from the issue of ordinary share capital 0.3 0.1 Net movement (1.2) 4.8 Opening net debt (excluding lease liabilities) 1 (49.6) (52.4) Non-cash movements (release of deferred issue costs) (0.6) (0.8) Foreign exchange movement 6.1 (1.2) Closing net debt excluding lease liabilities 1 (45.3) (49.6) Lease liabilities (27.6) (30.0) Closing net debt 1 (72.9) (79.6) Net debt 1 can be reconciled as follows: 30 September 2024 £m 31 May 2023 £m Cash and cash equivalents 29.8 34.1 Bank overdraft (13.6) (1.8) Borrowings (net of deferred issue costs) (61.5) (81.9) Net debt excluding lease liabilities 1 (45.3) (49.6) Lease liabilities (27.6) (30.0) Net debt 1 (72.9) (79.6) 50 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Reconciliation of net change in cash and cash equivalents to movement in net debt 1 : 30 September 2024 £m 31 May 2023 £m Net decrease in cash and cash equivalents (inc. bank overdraft) (18.4) (41.5) Change in net debt 1 resulting from cash flows (net of deferred issue costs) 17.2 44.8 Release of deferred issue costs (0.6) (1.0) Issue costs related to borrowings (non-cash) — 1.7 Effect of foreign currency on cash flows 2.3 0.6 Foreign currency translation differences on borrowings 3.8 (1.8) Change in net debt 1 during the period 4.3 2.8 Net debt 1 at start of period excluding lease liabilities (49.6) (52.4) Net debt 1 at end of period excluding lease liabilities (45.3) (49.6) Lease liabilities (27.6) (30.0) Net debt 1 at end of period (72.9) (79.6) 1 Net debt is an Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. The calculation of the cash conversion ratio 1 is set out below and is lower due to the summer period: 30 September 2024 £m 31 May 2023 (restated) 2 £m % change/ % pts Operating cash flow before interest and taxation 38.4 42.6 (9.9%) Adjusted EBITDA 1,2 51.6 39.2 31.6% Cash conversion ratio 1,2 (%) 74.4% 108.7% (34.3% pts) 1 See Financial Review for an explanation of Alternative Performance Measures (APMs) and adjusting items. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 2 After reconsidering FRC best practice guidance around the disclosure of adjusting items and APM’s, the Group has reduced the number of adjusted measures and items. The Group now only has one adjusted item ‘Individual Significant Items’. Previous adjusted items of Amortisation of acquisition intangibles and share based payments are no longer disclosed as an adjusted item. Accordingly, comparative numbers have been restated. For further detail, please refer to the Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information. Cash capital expenditure during the period was £8.8m (2023: £7.3m), which includes tangible asset expenditure of £6.2m (2023: £3.9m) and capitalised software and development costs of £2.6m (2023: £3.4m). The increase in tangible capital expenditure includes the opening of our new Manila office. Sale proceeds from disposals represent payment of contingent consideration in relation to the disposal of the Group’s DDI business of £3.8m, the full payment of £8.2m for the DetACT business disposed in April 2024 and £0.4m for disposal of a 3.35% shareholding in an unlisted investment. Acquisition of trade and assets as part of a business combination of £1.0m relates to the final consideration payable in relation to the Adelard acquisition. Dividends During the period total dividends of £14.5m were paid in the period (2023: £14.5m). Additionally, a dividend of £9.8m was recognised but not yet paid as of the period end. The Board is proposing a final dividend of 1.5p per ordinary share. This is equivalent to the interim dividend previously paid albeit for the final 4-month period ending 30 September 2024. The final dividend of 1.5p per ordinary share, which, together with the interim dividends of 3.15p and 1.5p per ordinary share paid on 4 October 2024 and 15 March 2024 respectively, makes a total dividend of 6.15p for the period ended 30 September 2024. The final dividend will be paid on 4 April 2025, subject to approval at the AGM on 28 January 2025, to shareholders on the register at the close of business on 21 February 2025. The ex-dividend date is 20 February 2025. Our FY25 framework Looking forward to FY25, we have set a framework to measure ourselves against as follows: • Sustainable revenue growth • Deliver underlying growth in Cyber Security • Increase Managed Services revenue as a proportion of total Cyber Security • Maintain momentum in Escode • Improved gross margin • Maintain utilisation % • Smart pricing and margin investment decision making • Globalise technical resource footprint • Efficiency for growth • Simplify operating model to generate efficiencies • Drive towards consistent profit conversion in every market • Eliminate stranded costs resulting from non-core disposals • Capital deployment supporting growth • Strong cash conversion • Ensure appropriate liquidity and debt facilities • Maintain dividend • Accretive acquisition opportunities Guy Ellis Chief Financial Officer 10 December 2024 51 Strategic report NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Dear Shareholder On behalf of the Board, I am pleased to present the Corporate Governance Report for the period ended 30 September 2024. Throughout the period the Board has worked cohesively as a team and I would like to thank each Director for their wise counsel and continued efforts during this time. The Board is composed of highly skilled and experienced Directors from a diverse range of industries and backgrounds, all of whom contribute towards the long-term success of the Company and show commitment and enthusiasm in the performance of their roles and duties. I would like to thank all of my Board colleagues for their commitment, support and flexibility over the past period. We now have returned to predominantly face-to-face Board meetings, but we still use virtual meetings for shorter update meetings or when we need to meet at short notice. This continued hybrid way of working has enabled us to maintain strong governance and robust decision making, delivering against our strategy. During the period, particular highlights were our visits as a Board to our Manchester, Cheltenham and London offices, where we enjoyed and valued spending time with colleagues. We look forward to visiting more offices and meeting more colleagues in the coming period. The Board is committed to creating and maintaining a culture where strong levels of governance thrive throughout the organisation, specifically ensuring that we send out consistent messages on our values and principles for our colleagues, our customers, our suppliers and our advisers. Governance standards The Board is committed to high standards of corporate governance and is pleased to confirm that throughout the period ended 30 September 2024, the Company complied with all relevant provisions of the UK Corporate Governance Code. A key focus of the Code is culture and ensuring it aligns with the Group’s purpose, strategy and values. Culture has been high on the Board’s agenda for a long time and the Board considers culture to be an essential ingredient in meeting our long-term, sustainable returns to all stakeholders. The Board, the Executive Committee and senior management continue to promote our culture and standards throughout the business and lead by example to provide a strong corporate governance framework. One of the most significant parts of the Code affecting NCC Group is in respect of workforce engagement. Our main stakeholder is our colleagues and we continue to maintain meaningful mechanisms to ensure that we, as a Board, have constructive and regular dialogue with our dedicated and committed workforce. This then puts us in a strong position to deliver our strategy. During the period, Julie Chakraverty, Senior Independent Director and designated Non-Executive Director for workforce engagement, has been reaching out to colleagues across the business. As a people business, insights from our colleagues are invaluable, therefore employee engagement is a crucial area for us to continue to focus on and continue to get right. We have not let distance or differing time zones be a barrier to hearing our colleagues’ opinions around the Board table. Chair’s introduction to governance Chris Stone Non-Executive Chair NCC Group plc — Annual report and accounts for the period ended 30 September 202452 Board composition and diversity With regard to our current diversity, I am satisfied that we have an appropriately diverse Board in terms of experience, skills and personal attributes among our Board members. The Directors have many years of experience gained across a variety of industries and sectors, ensuring a mix of views and providing a broad perspective. We recognise that we still have some progress to make in terms of improving the diversity of the Board and our executive team (and indeed our workforce as a whole). During the year ended 31 May 2021, we made the firm commitment that by 2024, we will have at least 33% female representation on our Board and at least one person of colour. We have now delivered on our commitment and are also on course to meet the FTSE Women Leaders Review and Listing Rules target of 40% female representation by the end of 2025. Although this is best practice for FTSE 350 companies, we have committed to this target regardless of which share index we are in. Our Board now has 43% female representation (three out of seven) and we will look to improve this further still during any future appointments to the Board. Improvements in diversity are often not a quick process but we are very mindful of the need to take positive action, and the matter remains fully on our agenda, as can be seen with the progress we have made over recent periods. Accessing the candidates we require to reach this target will involve us looking beyond the obvious pool of existing board directors within the UK and we intend to ensure that we extend our talent search to other sectors and countries to ensure we find a diverse pool of candidates from which to choose to provide us with true diversity around our Board table. To confirm, as at 30 September 2024, we complied with the following: • At least 40% of the individuals on our Board of Directors are women • At least one of the senior positions on our Board of Directors is held by a woman (our Senior Independent Director) • At least one individual on our Board of Directors is from a minority ethnic background Our approach The Directors have acted in a way they consider, in good faith, to be most likely to promote the long-term success of the Company. Our role as the Board is to set the strategy of the Group and ensure that management operates the business in accordance with our priorities. We believe this approach will promote the Group’s long-term success and our customers’ interests as well as create value for shareholders and have regard to our other key stakeholders such as our colleagues. The Board’s intention is to hand over the business to our successors in a better and more sustainable position for the future. We recognise the renewed focus on the contribution that a successful company can make to wider society in general, in addition to generating value for shareholders, and as a Board we want to ensure that we have effective engagement with, and encourage participation from, shareholders and other stakeholders. The Board acknowledges that there are competing priorities for different stakeholders but strives to balance the priorities, while ensuring decisions made are in the best interests of the Company. Board changes As announced on 22 June 2023, Guy Ellis succeeded Tim Kowalski as CFO on 30 June 2023. Prior to stepping down, Tim supported an orderly handover to Guy. The biographies of all the Board members can be found on pages 56 and 57. After over eight years’ service on the Board (along with being Senior Independent Director and Chair of the Audit Committee), Chris Batterham retired from the Board at the November 2023 AGM. I would like to pay tribute to Chris for all that he has done for the Company over his time with NCC Group, and his extremely valuable and insightful contributions to the Board. We also wish him well for the future. Board tenure as at 30 September 2024 7 years 6 months Mike Maddison Guy Ellis Chris Stone 2 years 3 months 1 year 3 months Lynn Fordham 2 years 9 months Julie Chakraverty 6 years 5 months Jennifer Duvalier 7 years 0 months Mike Ettling 2016 2017 2018 2019 2020 2021 202420232022 30 September: 2 years 1 month 53 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Effectiveness As Chair, I am responsible for providing leadership to ensure that the Board operates effectively. I have been supported in this by all the Directors, but in particular our Senior Independent Director (Julie Chakraverty). The annual reviews of Board effectiveness help the Board to consider how it operates and how its operations can be improved. This period, we undertook an internally facilitated Board and Committee evaluation and the findings of this review have provided us with ideas to further improve the manner in which the Board operates, and build on our inaugural externally facilitated evaluation in 2023, along with previous internally facilitated evaluations. The results were very useful and insightful and will be incorporated into our plans for the coming period. In particular, Board succession planning remains a priority, particularly as we look to ensure the Board and Executive Committee have the right set of skills and experience to support the Group as the business evolves. You can read more about the Board and the Committee evaluation on pages 63 and 64. Our investors We are in regular contact with our large investors through a regular scheduled programme of meetings attended by our CEO, CFO and Chair. Julie Chakraverty (Senior Independent Director), Lynn Fordham (Audit Committee Chair) and Jennifer Duvalier (Remuneration Committee Chair) are also available to meet with investors should the need arise. Our Director of Investor Relations and Sustainability (Yvonne Harley) has now been in her role for over a year and this has allowed us to make a step change in our approach to Investor Relations, notably the two Capital Markets events we hosted in April and June 2024 which were both very well received. This was an internal appointment and Yvonne continues to bring energy and rigour to the role and ensures that our engagement with shareholders is done efficiently and properly. I continue to meet with our larger investors and I feed back my findings to Board colleagues. We have been particularly active with our investor engagement during the period as we sought their views on the Directors’ Remuneration Policy for the period 2024–2027, which we will seek shareholder approval for at our AGM in early 2025. Jennifer Duvalier (our Remuneration Committee Chair) has led this process diligently and you can read more about this in the Remuneration Committee Report starting on page 79. In addition, our brokers undertook an investor survey on the back of our half-year results in January 2024 and the results of this were presented and discussed at a Board meeting. Our aim is to engage with our shareholders in an open and meaningful way. Chair’s introduction to governance continued Ensuring that the Directors’ remuneration packages align the Directors’ and senior managers’ interests with the long-term interests of NCC Group and its shareholders is always a key area of interest for investors. The 2021 Directors’ Remuneration Policy received 87.43% of votes in favour at the 2021 AGM, and it was pleasing that our 2023 Directors’ Remuneration Report received 85% of votes in favour, recognising the continued support of our shareholders for our approach to executive remuneration. As part of our 2021 Remuneration Policy, we have now aligned our Executive Directors’ pensions with our wider colleague population and introduced post-employment shareholding rules. Statement of compliance with the UK Corporate Governance Code The Company measures itself against the requirements of the UK Corporate Governance Code 2018 (the “Code”), which is available on the Financial Reporting Council website (www.frc.org.uk). I can confirm that the Board has applied the principles and complied with the provisions of the UK Corporate Governance Code 2018 throughout the financial period to 30 September 2024. Thank you We are immensely proud of our colleagues for their continuing extraordinary efforts, always acting in the best interests of our customers and our stakeholders. I would like to thank all our colleagues for their incredible contribution in stepping up and meeting the challenges that the Group has faced over the past period. Chris Stone Non-Executive Chair 10 December 2024 54 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Governance framework Provides leadership and is responsible for the overall management of NCC Group, its strategy, long-term objectives and risk management. It ensures the right Company structure is in place to deliver long-term value to shareholders and other stakeholders. Has responsibility for managing the business and overseeing the implementation of the strategy agreed by the Board. Currently comprises the Group’s most senior business and operational Executives. It is responsible for assisting the Chief Executive Officer in the performance of its duties including: • Developing the budget • Monitoring the performance of the different divisions of the Company against the plan • Carrying out a formal risk review process • Reviewing the Company’s policies and procedures • Prioritisation and allocation of resources • Overseeing the day-to-day running of the Company • Being responsible for people, talent and culture Support the Board in its work with specific areas of review and oversight objectives and risk management. They ensure the right Company structure is in place to deliver long-term value to shareholders and other stakeholders. Board (The Board has collective responsibility to promote the long-term sustainable success of the Group, ensuring due regard is paid to the interests of its stakeholders.) Board Committees (The Board oversees the Group’s operations through a unitary Board and four principal Committees, being Audit, Nomination, Remuneration, and Cyber Security. The terms of reference for these Committees can be found on our website. Further information on the work of these Committees can be found in later sections of this Annual Report and Accounts.) Executive Committee (ExCom) Chief Executive Officer (Manages the day-to-day operations of the Group, prioritising and allocating resources. The CEO is supported by the Executive Committee.) The different parts of the Company’s governance framework are shown below, with a description of how they operate and the linkages between them. Primary function is to assist the Board in fulfilling its financial and risk responsibilities. It also reviews financial reporting, the internal controls in place and the external audit process. Responsible for considering the Board’s structure, size, composition, diversity and succession planning. Responsible for overseeing and advising on the Group’s exposure to cyber risk and its future cyber risk strategy, its Cyber Security breach response and its crisis management plan and the review of reports on any Cyber Security incidents. Responsible for determining the overall remuneration of the Executive Directors and the remuneration of senior managers (ExCom) within the broader institutional context of remuneration practice. Audit Committee Nomination Committee Cyber Security Committee Remuneration Committee Read more on pages 67 to 73 Read more on pages 74 to 76 Read more on pages 77 and 78 Read more on pages 79 to 100 For further details on Board composition and division of responsibilities, see pages 58 to 65 55 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Chris Stone Non-Executive Chair Appointment to the Board: 6 April 2017 Career experience Chris has held various Non-Executive Director and Chief Executive roles at listed and private equity backed technology companies. He was CEO of Northgate Information Solutions plc from 1999 to 2008, until its sale, and stayed as CEO until 2011. From 2013 to 2016, he was CEO of Radius Worldwide. Chris was also a Non-Executive Director of CSR plc, and Chair of the Remuneration Committee, from 2012 until its sale in 2015. Chris was also Chair of AIM listed CityFibre plc from January 2017 until June 2018, when it was sold to private equity buyers. Chris has also been Chair of Everynet BV, a privately owned Internet of Things infrastructure business. External appointments Chris is currently Chair of AIM listed Idox plc. Appointment to the Board: 7 July 2022 Career experience Mike was formerly head of EY’s Cyber Security, privacy and trusted technology practice for EMEA, a role he has held since 2017. During that time Mike has successfully delivered strong growth across the 97 countries in the region and reinforced EY’s position as a leading Cyber Security adviser. Previously he led PwC’s risk services practice across the Middle East and before that was head of Deloitte’s Cyber Security consultancy in EMEA for ten years where he also drove significant growth. External appointments Mike does not currently have any external appointments. Appointment to the Board: 30 June 2023 Career experience Guy joined NCC Group in 2021, as Director of Commercial Finance as well as serving as Interim Managing Director of our Software Resilience business, and most recently as Interim Managing Director of our UK Cyber Security business. Guy has over 25 years’ experience in finance and commercial roles in the retail sector for brands including Asda and Specsavers. This experience and the recent interim roles in NCC Group have given him a breadth of understanding of the commercial drivers and operations across the whole business. External appointments Guy does not currently have any external appointments. Our business is led by our Board of Directors. Biographical and other details of the Directors are as follows: N Mike Maddison Chief Executive Officer Guy Ellis Chief Financial Officer Board of Directors C View our Executive Committee: nccgroupplc.com/our-board-executive-committee/ During the period a number of Directors took on additional appointments outside of their role with NCC Group. The Board considered these appointments and concluded that these appointments did not conflict with NCC Group, and the Director would have sufficient time to devote to NCC Group following the additional appointments, and that the appointments did not result in the Directors concerned being “overboarded”. 56 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 A Member of Audit Committee C Member of Cyber Security Committee N Member of Nomination Committee R Member of Remuneration Committee Committee Chair Committee key: Jennifer Duvalier Independent Non-Executive Director Julie Chakraverty Senior Independent Non-Executive Director (and designated Non-Executive Director for Colleague Engagement) Appointment to the Board: 1 January 2022 Career experience Julie has a wealth of PLC board experience, recently serving as a Non-Executive Director on the boards of Santander UK and Abrdn plc (formerly Standard Life Aberdeen plc, having been Senior Independent Director and Chair of the Risk and Innovation Committees for Aberdeen Asset Management plc prior to merging). She has also been Chair of the Remuneration Committee for the global insurer MS Amlin plc, a Non-Executive Director for Spirit Pub Company Limited and a Trustee for The Girls’ Day School Trust. During her executive career, Julie was a board member of UBS Investment Bank where she held a number of global leadership positions and won industry awards for innovation every year from 2001–2009 for her “CreditDelta” technology product. Julie was a Director and founder of Rungway Limited, a colleague engagement platform that empowers people to seek and share advice at work, used by leading global firms. External appointments Julie is currently an Independent Non-Executive Director of AJ Bell plc, and also at Starling Bank Limited (where she chairs the Ethics and Sustainability Committee and is the Board’s Consumer Duty Champion). Appointment to the Board: 25 April 2018 Career experience Jennifer was Executive Vice President of People at ARM Holdings plc, with responsibility for all people and internal communications activity globally, from September 2013 to March 2017. External appointments Jennifer is currently the Senior Independent Director of Trainline plc (where she is also a member of the Audit and Risk, Nomination and Remuneration Committees) and an Independent Non- Executive Director and Chair of the Remuneration Committee of Mitie Group plc (as well as being a member of its Nomination Committee) (she is also the designated Non-Executive Director for colleague engagement at both companies). She is a Trustee of Somerset House (a UK-based charity) and also an adviser to the New York Presbyterian hospitals in the US, along with being Senior Advisor to the Board of M Squared Lasers Limited. Jennifer is also a Non-Executive Director of The Cranemere Group Ltd, and (until recently) was a member of The Council of the Royal College of Art and Chair of the Remuneration Committee. R NC Appointment to the Board: 22 September 2017 Career experience Mike has strong sector and non-executive experience. He has had an extensive career in global technology businesses including SAP-Sucessfactors, NorthgateArinso, Unisys, Synstar and EDS and was formerly a Non-Executive Director of Backoffice Associates LLC, a US PE backed data business, and also formerly a Non-Executive Director of Telkom BCX Ltd, a South African IT and telecommunications business. Mike has also served as a Non-Executive Director with Topia Inc, a Silicon Valley cloud relocation software business. He has also served as a Non-Executive Director of Impellam PLC, an AIM listed recruitment business. External appointments Mike is currently CEO of Unit4, a world leader in enterprise applications for services and people organisations. Mike Ettling Independent Non-Executive Director NCA R A Other Directors during the period Tim Kowalski Served as Chief Financial Officer for the period 1 June to 30 June 2023. Chris Batterham Served as an Independent Non-Executive Director for the period 1 June to 30 November 2023. Lynn Fordham Independent Non-Executive Director (and lead Non-Executive Director for Sustainability) Appointment to the Board: 1 September 2022 Career experience Lynn, a Chartered Accountant, was most recently Managing Partner of private investment firm Larchpoint Capital LLP, a position she held from 2017 to 2021. Prior to joining Larchpoint, Lynn was CEO of SVG Capital for eight years, having previously served as CFO. Before that she held senior finance, risk and strategy positions at Barratt Developments, BAA, Boots, ED&F Man, BAT and Mobil Oil. She also served as a Non- Executive Director on the board of Fuller, Smith & Turner for seven years until 2018, chairing its Audit Committee. Lynn was also a supervisory board member of VARO Energy B.V. External appointments Lynn is currently a Non-Executive Director and Chair of the Finance, Risk and Audit Committees of Caledonia Investments plc, Domino’s Pizza Group and Enfinium Limited. Lynn also serves as Chair and a member of the Nomination Committee of NewRiver REIT plc. Lynn is also Chair of RMA – The Royal Marines Charity. NCA R 57 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Board composition and division of responsibilities The Board has agreed a clear division of responsibilities with the responsibilities of the Chair, Chief Executive Officer, Chief Financial Officer, Senior Independent Director and other Directors clearly defined so that no individual has unrestricted powers of decision and no small group of Directors can dominate the Board’s decision making. Role Responsibilities Chair of the Board (Chris Stone) Is responsible for the running and leadership of the Board, setting its agenda and ensuring its effectiveness in all aspects of its role, and promoting a culture of openness, debate and the highest standards of corporate governance. The Chair, in conjunction with the CEO and other Board members, plans the agendas, which are issued with the supporting Board papers in advance of the Board meetings. These supporting papers provide appropriate information to enable the Board to discharge its duties, which include monitoring, assessing and challenging the executive management of the Group. Chief Executive Officer (Mike Maddison) Together with the senior management team (ExCom), is responsible for the day-to-day running of the Group’s business, implementing the strategy and policies approved by the Board, and regularly providing performance reports to the Board. The role of CEO is separate from that of the Chair to ensure that no one individual has unfettered powers of decision. Chief Financial Officer (Guy Ellis) Works closely with the CEO with specific responsibility for all financial matters, including Group accounting policies, financial control, tax and treasury management, risk management and financial probity. The CFO is also accountable for the transparency and appropriateness of management information and key performance indicators, internally and externally. Senior Independent Director (Julie Chakraverty) Provides a sounding board for the Chair and serves as an intermediary for other Directors, colleagues and shareholders when necessary. The main responsibility is to be available to the shareholders should they have concerns that they have been unable to resolve through normal channels or when such channels would be inappropriate. Non-Executive Directors (Jennifer Duvalier, Mike Ettling and Lynn Fordham) Bring experience and independent judgement to the Board. Maintain an ongoing dialogue with the Executive Directors, which includes constructive challenge of performance and the Group’s strategy. Designated Non-Executive Director for engagement with the workforce (Julie Chakraverty) Leads on Board engagement with the workforce (please see separate section on page 14). Company Secretary (Jonathan Williams) Ensures good information flows within the Board and its Committees and between senior management and Non-Executive Directors. The Company Secretary is responsible for facilitating the induction of new Directors and assisting with their professional development as required. All Directors have access to the advice and services of the Company Secretary to enable them to discharge their duties as Directors. The Company Secretary is responsible for ensuring that Board procedures are complied with and for advising the Board via the Chair on governance matters. The appointment and removal of the Company Secretary is a matter for the Board as a whole. Gender identity or sex as at 30 September 2024 No. of Board members % of the Board No. of senior positions on the Board (CEO, CFO, SID, Chair) No. in executive management (ExCom) % of executive management Men 4 57% 3 3 43% Women 3 43% 1 4 57% Not specified/prefer not to say — — — — — Ethnic background as at 30 September 2024 No. of Board members % of the Board No. of senior positions on the Board (CEO, CFO, SID, Chair) No. in executive management (ExCom) % of executive management White British or other White (including minority-white groups) 5 72% 3 7 100% Mixed/multiple ethnic groups — — — — — Asian/Asian British 1 14% 1 — — Black/African/Caribbean/Black British — — — — — Other ethnic group, including Arab — — — — — Not specified/prefer not to say 1 14% — — — 58 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Meetings and attendance The Board considers that each Director is able to allocate sufficient time to the Company to discharge their responsibilities effectively. The Non-Executive Directors are contracted to spend a minimum of 24 days per annum on the Group’s affairs, and the Chair 60 days. A summary of each current Director’s attendance at meetings that they were eligible to attend of the Board and its Committees during the financial period ended 30 September 2024 is shown below. Unless otherwise indicated, all Directors held office throughout the period. More meetings were held within the financial period owing to the fact that this was a 16 month as opposed to a 12 month financial period. For the avoidance of doubt, no concerns have been raised about the attendance record of any Directors, nor their continued commitment to their work and NCC Group. Board Audit Nomination Cyber Security Remuneration Chris Stone 14 14 n/a 2 2 * 4 4 n/a Mike Maddison 14 14 n/a n/a n/a n/a Guy Ellis 13 13 1 n/a n/a n/a n/a Tim Kowalski 1 1 2 n/a n/a n/a n/a Chris Batterham 5 5 3 3 3 1 1 1 1 2 2 Lynn Fordham 14 14 7 7 * 2 2 4 4 8 8 Julie Chakraverty 14 14 6 7 5 2 2 4 4 * 7 8 5 Jennifer Duvalier 14 14 n/a 2 2 4 4 8 8 * Mike Ettling 13 14 4 6 7 6 n/a n/a n/a At all times, all of the Board and Committee meetings remained quorate. Meetings attended Possible meetings * Committee Chair n/a Director is not required to attend the meeting, but may have attended by invitation. 1 Appointed to the Board on 30 June 2023. 2 Stepped down from the Board on 30 June 2023. 3 Stepped down from the Board on 30 November 2023. 4 Unable to make one Board meeting because of a pre-existing business commitment (scheduled before NCC Group set its Board meeting dates) that could not be rearranged. 5 Was unable to make one meeting due to an important personal matter that could not be rearranged. 6 Was unable to make one meeting due to illness. What principal decisions have been made and what have we looked at as a Board during 2023/24? Section 172 statement Section 172 of the Companies Act 2006 requires a director of a company to act in the way they consider, in good faith, would most likely promote the success of the company for the benefit of its members as a whole, but having regard to a range of factors set out in section 172(1)(a)–(f) of the Companies Act 2006. In discharging our section 172 duty, we have regard for these factors, taking them into consideration when decisions are made. The Board understands the importance of stakeholder engagement and, through regular updates from the Executive Directors and other senior managers, it has provided challenge and oversight throughout the period. The Company’s stakeholders are set out on pages 14 and 15, with an overview of how we engage with them, how they relate to our strategy and highlights from the previous year. Principal decisions made during the period Throughout this Annual Report, we have provided examples of how we have thought about the likely consequences of long-term decisions and detailed below is how the Board considered stakeholders, and the information we received through engagement, in a number of its key decisions in 2023/24. When making each decision, the Board carefully considered how it impacted on the success of the Group and its long-term (financial and non-financial) impact and had due regard to the others matters set out in section 172(1)(a)–(f) of the Companies Act 2006. The below should be read in conjunction with our Stakeholder Engagement section on pages 14 and 15, along with other sections of the Annual Report where appropriate. 59 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 What principal decisions have been made and what have we looked at as a Board during 2023/24? continued Principal decisions made during the period continued The below should be read in conjunction with our Stakeholder Engagement section on pages 14 and 15, along with other sections of the Annual Report where appropriate. Topic Stakeholder group Decision taken Engagement process Reference Strategic disposals Colleagues, shareholders During the financial period, a decision was taken to dispose of DetACT (an advanced preventive fraud detection solution for banks in Europe), and Fox Crypto B.V. (part of NCC Group’s European Cyber division in the Netherlands). These disposals represent a continuation of the Group’s transformation strategy to simplify the business and create a more focused Cyber Security business, and these non-core disposals will not impact the Group’s continuing cyber capabilities. We endeavoured to communicate with affected colleagues as soon as we could and ensured that any questions they had were answered in a timely manner. We were also mindful of the feelings of remaining colleagues unaffected by the disposal process who could be potentially losing long-term colleagues and friends. Shareholder engagement over the past one to two years and since announcing our new strategy has indicated that they were supportive of us disposing of non-core assets, further simplifying the business and creating a more focused Cyber Security business. Strategic Report on pages 4 and 32 Change in financial year end Shareholders, colleagues To drive greater efficiency in our corporate reporting and audit process, it was decided to change the year end from 31 May to 30 September. Shareholders were first informed of this on 25 January 2024. Shareholders were kept up to date on Group performance during the transition period (i.e. the period 1 June 2024 to 30 September 2024) with updates on 20 June, 1 August and 12 September 2024. In addition, two Capital Markets events were also held in April and June. Colleagues were kept regularly updated on the matter, particularly around issues concerning payment of bonuses and how the additional four months would be dealt with, along with the timing for future pay reviews. An internal steering group was formed to ensure that the Group complied with all stakeholder and regulatory reporting requirements. Colleague engagement section on page 14 Board composition and division of responsibilities continued 60 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 What have we looked at as a Board during 2023/24? At every meeting the Board reviews the minutes from the previous meeting and the status of any outstanding actions. Colleague engagement is a standing agenda item presented by Julie Chakraverty as our designated Non-Executive Director for workforce engagement. The CEO and CFO present their monthly performance update reports, which are also circulated to Board members in months where there is no scheduled Board meeting. The Board has also reviewed the following during 2023/24: Leadership and colleagues • Received an update on colleague engagement and the results of the annual colleague engagement survey, and any questions colleagues have raised on executive remuneration and how this aligns with the wider Company pay policy • Continued with the colleague engagement programme, led by an appointed designated Non-Executive Director, with an update to the Board at every Board meeting • Been updated on senior management changes to the Executive Committee • Spent informal time with wider colleagues during Board meetings held at our UK offices Strategy • Continued to be kept informed of progress with the Group’s strategy • Held a dedicated one day strategy session (see page 61) • Discussed the strategy day and the key points arising out of it, along with regular check-ins on progress against strategy • Had a number of post-acquisition reviews of acquisitions that the Group had made over the past few years • Considered and approved two non-core disposals in the Netherlands (the Fox Crypto business and the DetACT business) Governance • Continued with the colleague engagement programme, with an appointed designated NED leading the Board’s engagement activities • Completed the internally facilitated Board, Committee and Chair effectiveness reviews • Had a number of presentations on the Group’s ESG work and progress (labelled as “sustainability” internally) • Considered and approved a number of amendments to the Group’s delegated authority matrix • Discussed and approved the Group’s Modern Slavery Statement • Approved a change in external auditor, after recommendation from the Audit Committee, following a tender process (resulting in PwC replacing KPMG) • Received reports on any material litigation and colleague litigation issues affecting the Group • Reviewed and approved a number of country risk assessments for work in certain countries • Held a dedicated Enterprise Risk Management (ERM) Board workshop facilitated by the Director of Global Governance and Global Head of Risk and Assurance • Kept up to date on the Remuneration Committee’s progress with engaging with shareholders on the 2024–2027 Directors’ Remuneration Policy Financial • Reviewed and approved the Annual Report and Accounts, ensuring that it is fair, balanced and understandable • Discussed and approved the full-year and half-year results and associated presentations to investors • Approved the interim and final dividends and discussed the dividend policy • Noted and approved the Group insurance cover renewal • Discussed and approved the 2024/25 budget, along with approving a four month budget (i.e. 1 June 2024 to 30 September 2024) to take into account the year end change • Considered and approved the market purchase of shares to fund future discretionary share plan maturities • Was kept informed in the run up to two Capital Markets events which NCC Group hosted and noted the feedback from these sessions • Received external presentations on shareholder perspectives on the Company, including receiving regular updates from investor meetings and noting circular investor letters • Considered and approved a change to the year end Other Group business • Had a number of updates on the progress of the Company’s operations in the Philippines • Kept updated on a number of strategic projects • Had a number of sales and marketing presentations • Approved a number of major customer contracts and bids Board strategy review With a year having passed since the launch of the new Group strategy to the market and the completion of substantial transformation activity since that time, the Board met in March 2024 to hold a detailed review of the strategic plans for the business (with a focus on the coming stub period and FY25). The objective of the session was to review the vision, strategy and plans proposed to drive success in each of the strategic pillars that compose of the strategy. The session began with a senior analyst from Forrester offering an outside-in view of the evolving cyber market, covering the threats and trends that they were seeing, together with an assessment of how NCC Group’s service compare to that of its peers’. After this, an in-depth discussion was held on the Group’s vision, long-term financial and strategic goals and the strategic roadmap up to the end of FY25. The rest of the session was structured around the four pillars and associated enablers of the strategy, with senior executives and programme leads each presenting their workstream plans with objectives, roadmaps, timelines and deliverables. This was an opportunity for Board members to give valuable input and feedback on the emerging plans and it also enabled the Board to get a sense of the implementation risks and the mitigations being put in place to underpin the programme delivery. Specific topics addressed as part of the pillar programmes included continued global commercial strategy, development of each of our four capabilities, optimising NCC Group to take advantage of our global operating model and continuing to grow Escode and putting in place the building blocks that will steer NCC Group to becoming an employer of choice in cyber and escrow. Senior executives took the collective feedback, ideas and direction to help shape the strategy implementation plans and agreed it was a useful insight at a more detailed level than is usually possible during update and review sessions. 61 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Independent advice All Directors have access to the advice and services of the Company Secretary and Directors are entitled to take independent professional advice if necessary, at the expense of the Company. Conflicts of interest The Companies Act 2006 requires Directors to avoid situations where they have, or could have, a direct or indirect interest that conflicts or potentially conflicts with the interests of the Company. The Company’s Articles of Association require any Director with a conflict or potential conflict to declare this to the Board. That Director will not then be involved in the discussions relating to the proposal, transaction, contract or arrangement in which they have an interest, unless agreed otherwise by the Directors of the Company in the limited circumstance specified in the Articles of Association, nor will they be counted in the quorum or be permitted to vote on any issue in which they have an interest. Directors are required to inform the Board without delay should they be aware of any actual or potential conflicts of interest and a check on conflicts is undertaken each year with a report to the Board. Colleague engagement Julie Chakraverty is the Board’s designated Non-Executive Director to lead the Board’s colleague engagement programme and is committed to understanding the views of our colleagues and ensuring they are incorporated into the Board’s decision- making process. In addition, there is also opportunity for colleagues to ask any questions they have on executive remuneration and how this aligns with the wider Company pay policy. Prior to meeting with Julie at one of the engagement sessions, colleagues are introduced to Julie via our internal social channels where she explains her role through a video and written communications. Julie has access to these channels to enable her to engage fully outside of the formal events. We were keen to build on the momentum generated in previous years and Julie is sometimes joined by our Chair, Chris Stone, or other Non-Executives, to meet colleagues, all of whom are invited from below the mid-management level and all parts of the business to ensure diversity of thought. We ensure that no one has their line manager in either the physical or the virtual room to ensure they can speak freely and tell Julie what is on their mind. Feedback from each session’s participants is shared anonymously to the Board and to our CEO. This enables action to be taken, further strengthening the value of listening. Colleagues attending are invited to give their feedback and, so far, results have been positive and valued. Board independence As required by the Code, at least 50% of the Board, excluding the Chair, are Independent Non-Executive Directors. The Board comprises two Executive Directors, four independent Non-Executive Directors and the Non-Executive Chair. The Board has debated and considers that all of the current Non-Executive Directors are independent, and in so doing considered the profile of all of the individuals, concluding that none of them: • Have ever been a colleague of the Group • Have ever had a material business relationship with the Group or receive any remuneration other than their salary or fees • Have close family ties with the advisers, other Directors or senior management of the Group that could reasonably be expected to cause a conflict • Hold cross-directorships or have significant links with other Directors through involvement with other companies or bodies • Represent a significant shareholder • Have, at the point of this report, served on the Board for more than nine years from the date of their first election The Non-Executive Directors provide a strong independent element on the Board and are well placed to constructively challenge and help develop proposals on strategy and succession planning. Between them, they bring an extensive and broad range of experience to the Group. Details of the Directors’ respective experience are set out in their biographical profiles on pages 56 and 57. The terms and conditions of appointment of Non-Executive Directors are available for inspection at the Company’s registered office during normal business hours. Diversity The principle of Board diversity (and indeed diversity across the Group) is strongly supported by the Board. It is the Board’s policy that appointments to the Board will always be based on merit so that the Board has the right balance of individuals in place. The Board recognises that diversity of thought, approach and experience is an important consideration and it is therefore one of the selection criteria used to assess candidates prior to any Board appointments. Read more about diversity in the Nomination Committee Report on pages 74 to 76. The Company’s policy is to find, develop and maintain a diverse workforce at all levels with an initial focus on developing a culture where women can achieve and retain senior positions. Board composition and division of responsibilities continued 62 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Annual re-election In accordance with the Code, any Directors appointed in the financial year are subject to election by shareholders at the AGM and, in line with best practice, all the other Directors are subject to re-election annually. Director induction, training and development New Directors are provided with an induction on appointment, which would include visits to the Group’s operations and meetings with operational and executive management. Each Director’s induction is tailored to their experience and background with the aim of enhancing their understanding of the Group’s strategy, business, operating divisions, colleagues, customers, suppliers and advisers, and the role of the Board in setting the tone of our culture and governance standards. The Company acknowledges the importance of developing the skills of the Directors to run an effective Board. To assist in this, Directors are given the opportunity to attend relevant courses and seminars to acquire additional skills and experience to enhance their contribution to the ongoing progress of the Group. All of the Directors attend sessions which are aimed at updating the Board on trends and developments in corporate governance. During the financial period, our new CFO (Guy Ellis) was provided with a formal, comprehensive and tailored induction programme. Board and Committee effectiveness review The performance of the Board and its Committees is appraised annually and during the financial period an internally facilitated Board effectiveness review was undertaken by the Company Secretary, building on the externally facilitated review undertaken by Manchester Square Partners (MSP) in March and April 2023, which was the Board’s first ever externally facilitated effectiveness review. Outline of Board, Committee and Chair evaluation process The Company Secretary reviews previous year’s questionnaires and evaluation exercise results and, based on this, proposed questionnaires for the forthcoming evaluation exercise. The proposed questionnaires are reviewed and approved by the Chair and Committee Chairs and (for the Chair’s review) the Senior Independent Director. The Senior Independent Director meets with the Chair to feed back and discuss the Chair evaluation results. Questionnaires are added to an online survey website, which ensures the anonymous and efficient collection of answers. Board members, the Company Secretary and regular Committee attendees are then invited to complete the questionnaires. The responses are collated and analysed by the Company Secretary who then shares these with the Chair and Committee Chairs and (for the Chair’s review) the Senior Independent Director. Summary reports together with the results and comments received are prepared for the Board and Committee meetings where the results are discussed and key actions for the coming year agreed. The Chair holds one-to-one meetings with Board members where areas of interest could be discussed in more detail. The Senior Independent Director meets with the other Non-Executive Directors (without the Chair being present) to discuss the Chair’s performance during the period. 63 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Outcomes The results were presented at a Board meeting. The overall rating of the Board performance was positive. The Board and its Committees continue to function well, but a number of observations and recommendations were noted, which are detailed below. Area Recommendation/observation Board composition • Considering the next NED appointment and the skills and experience required to complement those already around the Board table Board agendas/ papers • Although it was felt that the Board papers had improved significantly, it was agreed that hearing further client feedback in a more systematic manner, including information on sales pipelines and the external perspective, was important • A suggestion that more colleagues from NCC Group’s global operations could join Board meetings virtually and present updates • A suggestion of a “reflections” session at the end of each Board meeting to play back what had been discussed at the meeting, and suggest topics for future Board meetings • More briefings and training on AI and cyber developments/emerging threats Board meetings • Consideration should be given to the frequency and number of Board meetings, i.e. was there an opportunity to have a fewer meetings • Spend more time visiting other NCC Group offices Strategy • Consider and discuss strategy and risks together • Build on the excellent progress of the last few annual strategy days and continue to hold dedicated Board strategy sessions, as well as check in on progress regularly Succession planning • Continue to focus on talent and ensuring the Board gets opportunities to meet colleagues within the business, both within Board meetings and in more informal settings such as Board dinners Stakeholder management • An appreciation that Investor Relations had improved significantly over the previous 18 months and that it was important to maintain this level of momentum and trajectory • Receive more external perspectives on how NCC Group is viewed, particularly by clients/prospective clients Information flows • Keep focusing on timeliness of papers; although this had improved, it was important to maintain discipline around this Committees • Audit Committee – ensure the Committee is briefed on key changes to accounting policies and Corporate Governance Code developments • Remuneration Committee – spend time discussing remuneration perspectives beyond the UK, i.e. internationally in the areas NCC Group competes for talent, along with new remuneration ideas that the Committee might consider in the future • Remuneration Committee – spend time considering from a Committee perspective how effectively the wider pay and benefits policy aligns with NCC Group’s strategy and talent agenda, and the implications of this for pay at the top of the organisation • Nomination Committee – spend more time over the annual cycle exploring the development actions that are in progress to actualise the potential of those on the succession plan to CEO/CFO and ExCom roles • Cyber Security Committee – make sure the education content on emerging trends, threats and opportunities is a focus for the Committee Board composition and division of responsibilities continued 64 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Operation of governance framework Role of the Board The Board is responsible for reviewing, challenging and approving the strategic direction of the Group, while providing strong values-based leadership of the Company, within a framework of prudent and effective controls which enable risk to be assessed and appropriately managed. The Board reviews the Group’s business model and strategic objectives to ensure that the necessary financial and human resources are in place to achieve these objectives, to sustain them over the long term and to review management’s performance in their delivery. The Board sets the tone of the Company’s values and ethical standards and manages the business in a manner to meet its obligations to shareholders and other stakeholders. The Board receives information on at least a monthly basis to enable it to review trading performance, forecasts and strategy and it has a schedule of matters specifically reserved for its decision. The most significant of these are: • Approval of strategic plans, the annual budget and any material changes to them • Oversight of the Group’s operations, ensuring competent and prudent management, sound planning and an adequate system of internal control and governance • Through the Audit Committee, oversight of financial reporting systems and information and adherence to appropriate accounting policies • Changes to the structure, size and composition of the Board and Executive Committee, and oversight of the Company culture and the ethical standards of the leadership and the independence of Non-Executive Directors, taking into consideration prudent succession planning • Approval of the acquisition or disposal of subsidiaries and major investments and capital projects • Approval of the dividend, treasury and banking policies, including the Group’s capital structure • Through the Remuneration Committee, the delivery of an effective executive and senior management Remuneration Policy • Receiving reports on the views of shareholders and approval of all documents put to shareholders at a general meeting or circulated to shareholders • Approval of the appointment of key advisers The Board has a schedule of specific matters reserved for its decision where it feels they are critical to the ongoing success of the business and are of a significant nature to merit the Board having such a decision reserved to it. The Group also has a Group authority matrix (which documents the levels of authority delegated from the Board to various role holders within the Group). The schedule of matters reserved for decision by the Board and the Group authority matrix are complementary documents and are designed to ensure that decisions are either made by the Board or delegated to an appropriate senior colleague within the Group. As noted above, the operational management of the Group is delegated to the Executive Committee. The Board also delegates other matters to Board Committees and management as appropriate. Risk management The Board has ultimate responsibility for ensuring that business risks are effectively managed. The Board has delegated regular review of the risk management procedures to the Cyber Security Committee in relation to cyber risks, and to the Audit Committee in relation to all other risks. The Board reviews the overall risk environment on at least an annual basis. The day-to-day management of business risks is the responsibility of the Executive Committee (ExCom). Internal control The Group has a system of internal controls which aims to support the delivery of the Group’s strategy by managing the risk of failing to achieve business objectives and to protect the stewardship of the Group’s assets. As with all such systems, the goal is to manage risk within acceptable parameters, rather than to eliminate risk entirely. The Group can therefore only provide reasonable and not absolute assurance that the business objectives and asset stewardship will be delivered successfully. In addition, the Group insures against various risks, but certain risks remain difficult to insure, due to the breadth and cost of cover. In some cases, external insurance is not available at all, or at least not at an economically viable price. The Group regularly reviews both the type and amount of external insurance that it buys in conjunction with its insurance brokers. For a more detailed review of risk management processes, the principal risks faced by the Group and their mitigation, see pages 29 to 38. The Audit Committee is responsible for reviewing the effectiveness of the risk management and internal control systems. The steps it takes in relation to the review are set out on page 70. The Audit Committee makes recommendations to the Board on the effectiveness of risk management and internal controls, which the Board considers, together with reports from the Cyber Security Committee, in forming its own view on the effectiveness of the risk management and internal control systems. During the period ended 30 September 2024, the Board reviewed the effectiveness of the Group’s risk management and internal control systems together with internal control findings issued by our auditor. We confirm that the processes outlined above and on page 70 have been in place for the period under review and up to the date of this Annual Report and Accounts, and that these processes accord with the UK Corporate Governance Code and the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. While we have had a number of weaknesses identified through our internal audit reports issued throughout the period, management has agreed the required actions and is working to close these down. We report on these regularly to the Audit Committee and are working with local management to continuously improve controls and processes across the business. Executive remuneration During the period, we operated within the Remuneration Policy approved by shareholders at the 2021 AGM. Details of how the Remuneration Policy has been applied during this financial year are set out on pages 79 to 100 of the Remuneration Committee Report. 65 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Shareholder engagement Share capital structure The Company’s issued share capital at 30 September 2024 consists of 314,524,630 ordinary shares of 1p each. There are no special control rights or restrictions on share transfer or special rights pertaining to any of the shares in issue and the Company does not have preference shares. As far as is reasonably known to the Board, the Company is not directly or indirectly owned or controlled by another company or by any government. Board engagement with shareholders Communications with shareholders are given high priority. There is a regular dialogue with institutional investors including presentations after the Company’s year end and half-year results announcements. A programme of meetings takes place throughout the period with major institutional shareholders, and private shareholders have the opportunity to meet the Board face to face and ask questions at the AGM. We are in regular contact with our large investors through a regular scheduled programme of meetings attended by either our CEO or CFO or both of them. Julie Chakraverty, our Senior Independent Director, and I are also available to meet with investors should the need arise. After meeting our larger investors, I feed back my findings to Board colleagues at the next Board meeting. In addition, our brokers undertake investor surveys on the back of our half and full-year results and the results of these were presented and discussed at a Board meeting. Our aim is to engage with our shareholders in an open and meaningful way. During the financial period, the Directors held a number of meetings with shareholders as set out below. Board shareholder updates Feedback from major institutional shareholders is provided to the Board on a regular basis and, where appropriate, the Board takes steps to address their concerns and recommendations. Investor meetings One-to-one meetings 1 28 Group meetings 52 Substantial shareholdings As at 30 September 2024, the Company had been notified of the following interests of 3% or more in the issued share capital of the Company under the UK Disclosure and Transparency Rules: Shareholder Number of ordinary shares % of NCC Group’s total share capital Aberforth Partners LLP 38,305,282 12.18% Odyssean Investment Trust 19,578,896 6.22% Canaccord Genuity Wealth Management (Inst) 14,470,000 4.60% NFU Mutual 14,183,506 4.51% Vanguard Group 13,295,985 4.23% Slater Investments 12,403,914 3.94% BlackRock 11,886,968 3.78% Schroder Investment Management 11,440,000 3.64% JO Hambro Capital Management 11,382,302 3.62% Kestrel Partners 10,255,458 3.26% Montanaro Asset Management 9,660,000 3.07% The following changes to the above interests have been notified to the Company from 30 September 2024 to 10 December 2024: Shareholder Number of ordinary shares % of NCC Group’s total share capital Montanaro Asset Management 8,310,000 2.64% Directors’ shareholdings For details of Directors’ shareholdings, remuneration and interests in the Company’s shares and options, together with information on service contracts, see pages 79 to 100 of the Directors’ Remuneration Report. Annual General Meeting The AGM is an opportunity for shareholders to vote on certain aspects of Group business and provides a useful forum for one-to-one communication with private shareholders. At the AGM shareholders receive presentations on the Company’s performance and may ask questions of the Board. The Chair seeks to ensure that the Chairs of the Audit, Remuneration, Nomination and Cyber Security Committees are available at the meeting to answer questions and all Directors attend. The Company prepares separate resolutions on each substantially separate issue to be voted upon at the AGM. The result of the vote on each resolution is published on the Company’s website after the AGM and will be announced via the regulatory information service. At the 2023 AGM, shareholders representing over 76.72% of the Company’s issued share capital returned their proxy votes. On behalf of the Board Chris Stone Non-Executive Chair 10 December 2024 66 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 I am pleased to present the Audit Committee Report for the period ended 30 September 2024 to explain how we have discharged our responsibilities with an overview of our principal activities and their outcomes. Committee membership, attendees’ access and objectives I have been Chair of the Audit Committee for the past financial period and I am a Chartered Accountant with diverse sector experience across listed companies, private equity and financial services in several disciplines including risk management, internal control and financial reporting. I am also currently Chair of the Audit and Risk Committees at Caledonia Investments plc, Domino’s Pizza Group plc and Enfinium Group, all of which provide me with an additional external perspective to bring to my chairing of this Committee. The Board therefore considers that I have the recent and relevant financial experience required by the Code. Mike Ettling, Julie Chakraverty and I all served on the Committee throughout the period. All members of the Committee are considered to be independent, and the Committee as a whole continues to have competence in the technology sector. Summary biographies of each member of the Committee are included on pages 56 and 57. The purpose of the Audit Committee is to assist the Board in the discharge of its fiduciary duties of stewardship of the Group’s assets. The Committee particularly focuses on systems and processes of management control, and the reporting of internal management information and externally reported financial information. The Committee also provides a forum for reporting by the external auditor. Cyber risk and controls are also considered in the Cyber Security Committee. A full copy of the Committee’s terms of reference can be found in the Investor Relations section of the Group’s website at www.nccgroupplc.com/investor-relations/ corporate-governance/. Audit Committee report Meeting frequency and attendance The terms of reference for the Committee require at least three meetings per year. During this financial period, the Committee met seven times. As well as the members of the Committee, standing invitations are given to the Company Chair, the other Independent Non-Executive Directors, the Chief Executive Officer, the Chief Financial Officer, the Group Director of Finance and the Group Director of Global Governance, with other attendees also attending by invitation. The external auditor also attends each meeting. During the period, the Committee held meetings with the external auditor and the Group Director of Global Governance without the Executive Directors being present. Attendance during the period of individual Audit Committee members is shown in the table on page 59. Significant accounting areas and areas of significant management judgement or estimation uncertainty The table below summarises the significant accounting issues, judgements and estimates considered by the Committee during the period in relation to the Financial Statements. These are categorised as either recurring items the Committee regularly reviews or current period focus areas. The table also indicates the level of judgement or estimation applied to each item. Items with a “low” judgement level typically have extensive independent third party evidence, while those requiring “high” judgement rely more on management estimates and historical trends than third party evidence. Review items Accounting judgement? Estimation required? Impairment of goodwill – North America Cyber Security n/a High Reallocation of goodwill – Europe Cyber Security n/a High Lynn Fordham Chair, Audit Committee NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Governance 67 Principal duties delegated to the Audit Committee Areas delegated to the Audit Committee Committee responsibilities Activities during the period Financial reporting • Monitoring the integrity of the Financial Statements relating to the Group’s financial performance and their compliance with the provisions of IFRS, the Companies Act, the UK Corporate Governance Code, the Disclosure Guidance Transparency Rules and other regulations • Reviewing material information and significant accounting judgements contained in the Annual Report and Accounts • Advising the Board on the continuing appropriateness of the Group’s existing accounting policies and the application of any new or modified accounting and reporting standards • Continued focus on quality of earnings and adherence to Individually Significant Items accounting policy • Reviewed all significant accounting areas and areas of key estimation. Reviewed PwC audit conclusions in these areas with significant discussions around the Group’s annual impairment review, assumptions and resultant disclosures • Changed the year end from May to September Narrative reporting • Advising the Board on the effectiveness of the processes ensuring that the Annual Report and Accounts, when taken as a whole, is fair, balanced and understandable • Undertook an internally facilitated Committee evaluation exercise to assess where the Committee should best focus its attention • Considered recent technical updates including guidance issued by the Financial Reporting Council • Reviewed management’s going concern and Viability Statement assessment, including macro-economic considerations. Reviewed PwC audit conclusions in these areas • Reviewed a summary of why management considers the Annual Report is fair, balanced and understandable Internal controls and risk management systems • Reviewing the effectiveness of the Group’s internal control systems • Reviewing the nature and extent of significant financial risks and how they can be mitigated • Received regular briefings from the Director of Global Governance summarising risk management and control issues • Received a self-assessment of the finance controls highlighting enhancements made during the period, areas of continuous improvement and specific actions to implement minimum control standards • Planning for regulatory changes arising from the new corporate governance reform requirements, including identifying material controls • Monitoring ESG reporting, including progress on TCFD and CSRD, and embedding sustainability into the business Compliance, whistleblowing and fraud • Reporting to the Board on the procedures for responding to whistleblowing, fraud or potential breaches of anti-bribery legislation • Received a summary of regulatory updates including health and safety updates documenting new initiatives and activities • Health and safety briefings were held for the Board and Executive Committee during the period • Review of the failure to prevent fraud legislation including reviewing our policies, risk assessment and training Internal audit • Reviewing the internal audit reports discussing any major control failures or weaknesses • Reviewed the findings from the internal audit reviews and projects conducted during the period and approved the Internal Audit Plan for the forthcoming year External audit • Reviewing the audit findings with the external auditor including discussing any major issues that arise during an audit, the accounting and audit judgements made, the level of any errors identified during the audit and the effectiveness of the audit process itself • Making recommendations to the Board in relation to the appointment of the external auditor, approving its remuneration and terms of engagement • Overseeing the relationship with the external auditor including, but not limited to, assessing its independence, objectivity and effectiveness • Appointed a new external auditor for FY24 • Assessed the effectiveness of the 2023 external audit process and Audit Committee effectiveness • Reviewed the findings from the audit for the period ended 30 September 2024 Audit Committee report continued 68 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Significant issues considered during the period in relation to the Financial Statements During the period, the Committee reviewed and considered the following areas in respect of financial reporting and the preparation of the interim and annual Financial Statements: • The appropriateness of the accounting policies used • Compliance with external and internal financial reporting standards and policies • Significant areas of management judgement or estimation • Assumptions and models used to determine fair value of all key business units for the Group annual impairment review • Assessed the quality of earnings by reviewing one-off, out of period or non-trading items arising over the period • Continued focus on the adherence to the Individually Significant Items (ISIs) accounting policy and presentation of ISIs • Accounting for the disposal of non-core operations during the period • Disclosure and presentation of GAAP and Alternative Performance Measures (APMs) • The effectiveness and changes to the financial control environment (including change in financial year end) • Whether the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary to assess the Group’s financial position, performance, business model and strategy • Revenue recognition on material contracts to the Group • Going concern and Viability Statement In carrying out this review the Committee challenged the significant estimates and judgements made by the Group’s finance team and considered the external auditor’s reports setting out its views on the accounting treatments and judgements included in the Financial Statements. Goodwill carrying value (Recurring item: see Note 11 to the Financial Statements) The Group has significant balances relating to goodwill as at 30 September 2024 as a result of acquisitions of businesses in previous years. The carrying value of goodwill at 30 September 2024 is £156.5m (31 May 2023: £255.8m). Goodwill balances are tested annually for impairment. The Group allocated goodwill to cash generating units (CGUs) which represent the lowest level of asset groupings that generate separately identifiable cash inflows that are not dependent on other CGUs. An impairment review was conducted as at 31 May 2024, resulting in full impairment of the goodwill held in this North America Cyber Security CGU of £31.9m. Following the Group’s change in its year end reporting date, a further impairment review was carried out as at 30 September 2024, leading to the allocation of £51.9m of goodwill to the new Fox Crypto CGU. This new impairment testing date is expected to be consistently applied for the annual impairment review going forward. Fair value less costs to sell In accordance with IAS 36, during the period ended 30 September 2024, tests for impairment are based on the calculation of a fair value less costs to sell (FVLCTS) which has been used to establish the recoverable amount of the CGU. The FVLCTS valuation for of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA 1 , and applying a reasonable market multiple on the calculated sustainable earnings. Estimated sustainable earnings have been determined taking into account past experience and includes expectations based on a market participant view of maintainable performance of the business based on market volatility and uncertainty as at 31 May 2024 and 30 September 2024. The sustainable earnings input is a level 3 measurement; level 3 measurements are inputs which are normally unobservable to market participants. The sustainable earnings figures used in this calculation include key assumptions regarding sustainable revenues and costs for the business. If the assumptions and estimates used in this valuation prove to be incorrect, the carrying value of goodwill may be overstated. During this period, the Committee has reviewed the Group’s latest available forecasts, along with its ongoing execution of the new strategy and management’s future action plans, as part of its consideration of the utilised sustainable earnings figures. The Group incurs certain overhead costs in respect of support services provided centrally to the CGUs. Such support services include Finance, Human Resources, Legal, Information Technology and additional central management support in respect of stewardship and governance. In calculating sustainable earnings these overhead costs have been allocated to the CGUs based on the extent to which each CGU has benefited from the services provided. Commonly this is driven by time spent by the relevant central department in supporting the CGU, informed by headcount or where possible specific cost allocations have been made. This allocation methodology remains consistent with the prior year, to ensure the allocation is representative of the business operating model. The Adjusted EBITDA 1 multiple used in the calculations is based on an independent third party assessment of the implied enterprise value (from a market participant perspective as at 31 May 2024 and 30 September 2024) of each CGU based on a population of comparable companies and precedent transactions. The estimated cost to sell was based on other recent transactions that the Group has undertaken. The Committee reviewed the FVLCTS calculations including the sustainable earnings used and the multiple applied (considering the independent third party valuation as at 31 May 2024 and 30 September 2024 that takes into account a market participant view of the performance of the business based on market volatility and uncertainty as at 31 May 2024 and 30 September 2024). Impairment of goodwill – North America Cyber Security The Committee concurred with the view of management that a full goodwill impairment of £31.9m should be taken as at 31 May 2024 in relation to North America Cyber Security CGU and that no other impairments should be recognised as recoverable amount was higher than carrying value for all other CGUs. The Committee reviewed the sensitivity analysis and the disclosure included in Note 11 to the consolidated Financial Statements and concurred with management’s assessments. This assessment considered reasonable possible changes in the expected gross margin, a key assumption for sustainable earnings, and evaluated how changes in sustainable earnings could impact the potential for further impairment of North American Cyber Security other assets as at 31 May 2024. As the goodwill in the North America Cyber Security CGU was fully impaired as at 31 May 2024, no further sensitivity analysis is provided as at 30 September 2024. 1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 69 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Goodwill carrying value continued Goodwill reallocation – Europe Cyber Security During June 2024, as part of the expected disposal of the Fox Crypto B.V. entity, the Group reorganised its reporting structure to separate out the Fox Crypto B.V. entity from the Europe Cyber Security CGU. On this basis the Europe Cyber Security goodwill has been reallocated between the newly created Fox Crypto CGU and the remaining Europe Cyber Security CGU. Goodwill has been reallocated based on the relative values of the two CGUs, with adjustments made to reflect the fact that the Fox Crypto CGU is less asset-intensive than the remaining Europe Cyber Security CGU. The value of each CGU is based on FVLCTS. For the Fox Crypto CGU the FVLCTS is based on the expected consideration to be received on disposal (see Note 18 of the Financial Statements) of this business less estimated selling costs. For the remaining Europe Cyber Security CGU the fair value has been calculated using a methodology consistent with that used in the goodwill impairment review and described above. Based on this assessment, goodwill of £51.9m has been reallocated to the Fox Crypto CGU, leaving £2.2m as reallocated to the EU Cyber Security CGU. Goodwill reallocated to the Fox Crypto CGU has been reclassified to asset held for sale (see Note 18). The FVLCTS valuation for of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA 1 , and applying a reasonable market multiple on the calculated sustainable earnings. Specifically, the key assumption for the Europe Cyber Security CGU is considered to be the forecast revenue that has been used to calculate sustainable earnings. On this basis, sensitivity analysis was performed for certain scenarios where management considered that reasonably possible changes in key assumptions as at 30 September 2024 could occur, potentially leading to a change in the reallocation of goodwill. The Committee concurred that it was appropriate to separate the Europe Cyber Security CGU into two separate CGUs and that the goodwill reallocation between the Fox Crypto CGU and the remaining Europe Cyber Security CGU was appropriate. The Committee also reviewed the sensitivity analysis and the disclosure included in Note 11 to the consolidated Financial Statements and concurred with management’s assessment. This assessment considered reasonable possible changes in revenue, a key assumption for sustainable earnings, and evaluated how changes in sustainable earnings could impact the reallocation of goodwill as at 30 September 2024. The Group’s approach to materiality In considering the materiality of any individual issue or issues in aggregate, the Group looks at a range of qualitative and quantitative measures to assess whether omitting, misstating or obscuring information could reasonably be expected to influence decisions that the primary users of general-purpose Financial Statements make on the basis of those Financial Statements. The range of measures includes (but is not limited to) the primary Financial Statements themselves, the individual line item in question, and whether the issue moves the result from one side of an inflection point to another (for example, turning a profit into a loss or a net asset into a net liability). Qualitative and quantitative measures are both considered, as is any potential impact on remuneration or banking arrangements such as debt covenants. Internal audit The Internal Audit function is responsible for internal audit, and the provision of assurance in relation to financial, operational and quality systems and processes. The team is responsible for supporting the implementation of risk management across the business and monitors the implementation of related action plans. During the period, 19 internal audit reports were issued to the Audit Committee covering a range of risk areas including key financial controls, payroll processes, expenses, user access controls, use of spreadsheets, and an IR35 review. The Audit Committee maintains an ongoing review of the Internal Audit function, which reports directly into the Chair of the Committee. The Committee is responsible for approving the content and coverage of the Internal Audit Plan, which documents the links to the Group’s strategic risks, key controls and associated assurance coverage. As a result, the Committee has approved the expansion of the internal audit team with an the additional of a qualified auditor joining in during the period, increasing the volume and coverage of assurance audits. In addition, Internal Audit has a co-source arrangement as required for IT specialist audits and also utilises the cyber experts from within the business. The members of the internal audit team are all qualified in ACA, ACCA, or CIMA, and one member is completing the CIIA qualification. The Internal Audit Plan also includes time for the continual professional development of the team. The work of the Internal Audit function is a regular standing agenda item at all Committee meetings where a full update is provided including updates on audit and assurance activities, progress against on the Internal Audit Plan, and commentary and tracking of the implementation of agreed management actions where to address deficiencies are addressed in an expedited manner. All internal audit reports are provided to the PwC external audit team and discussed with it during regular catch-up meetings. The Internal Audit Plan is reviewed to ensure continued relevance or is adjusted to the current environment taking a risk-based approach. Finally, the internal audit team is reviewing the new 2024 CIIA Standards and preparing a gap analysis to ensure full compliance to expected practice. Internal controls and risk management The Board is responsible for establishing, maintaining and monitoring the Group’s system of risk management and internal control and reviewing its effectiveness. The Committee monitors the performance of management in this area. We have an ongoing process for identifying, evaluating and managing the principal risks faced by the Group, which has been in place for the period under review and is deemed effective up to the date of approval of the Annual Report and Accounts. The Group’s non-Cyber Security risks are monitored by the Audit Committee on behalf of the Board, which sets aside time for an in-depth discussion of notable or changing risks to the business. A description of the process for managing risk, together with a description of the principal risks and strategies to manage those risks, is provided on pages 29 to 38. Cyber risks are reviewed by the Cyber Security Committee; the Cyber Security Committee Report can be found on pages 77 and 78. Internal control systems are designed to meet the needs of the Group and the risks to which it is exposed. By their nature, however, internal control systems are designed to manage rather than eliminate the risk of failure and can provide only reasonable but not absolute assurance against material misstatement or loss. Key elements of the risk management and internal control system are described below. Audit Committee report continued 70 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Controls relating to financial reporting and preparation of the Annual Report and Accounts • Information provided to management covering financial performance and key performance indicators, including non-financial measures • A robust internal review process to ensure the integrity of the preparation of the Annual Report and Accounts • A detailed budgeting process where business units prepare plans for the coming year • Procedures for the approval of capital expenditure and investments and acquisitions • Monthly operational reviews to monitor and reforecast results as required against the annual operating plan, with major variances followed up and management action taken where appropriate • Introduction of the Group finance manual in FY24 Other controls • Defined management structure and delegation of authority to Committees of the Board, subsidiary boards and associated business units • Regional governance committees established • Recruitment standards and compliance training to ensure the integrity and competence of staff • Annual economic crime, ethics, data protection, information security, health and safety and export controls training for all colleagues • Clearly documented internal procedures set out in the Group’s ISO 9001-2015-accredited quality manual • Regular internal audits of key processes and procedures under the Group’s ISO 9001 and ISO 27001-accredited quality assurance process • Monitoring of any whistleblowing or fraud reports supported by recently introduced red flag reporting The external auditor regularly reports its findings on those areas of internal control which it assesses as part of the external audit to the Board and the Audit Committee. Our internal control effectiveness is assessed through the performance of regular checks, which in the period ended 30 September 2024 included: • Assessment of the identification and management of risks connected to the Group’s new strategy and management of strategic change • Reviewing and testing the Group’s financial reporting processes • Performing compliance monitoring activities • Assessment of the Group’s processes for identifying and mitigating potential conflicts of interest • Monitoring the completion of the Group’s mandatory colleague training Following these regular checks, it was deemed that the controls were effective and the internal control systems are designed to meet the needs of the Group and its risks. Whistleblowing and confidential reporting procedures The Group operates a confidential reporting and whistleblowing procedure (known as our “Whistleblowing Policy”). The policy aims to support the stewardship of the Group’s assets and the integrity of the Financial Statements as well as protecting colleague welfare. The procedure is reviewed annually by the Committee to ensure that it remains fit for purpose. The Group has appointed an independent third party reporting agent to be the first point of contact for those who do not wish to use normal internal line management channels for reporting their concerns. This is advertised both internally, via colleague noticeboards and our intranet, and externally on the website. Colleagues are asked to undertake mandatory training on an annual basis including a reminder on the Code of Ethics policy and the Whistleblowing Helpline. The Committee reviews any whistleblowing or confidential reporting of concerns raised during the period with respect to their nature, scale and any associated or consequential risks. Review of the Audit Committee’s effectiveness The Committee has reviewed and considered the effectiveness of its performance during the period via an internally facilitated Board and Committee evaluation process. The review included the views of members of the Committee and of regular attendees at the various meetings (including the Executive Directors). I am satisfied that the degree of rigour and challenge applied in performing the Committee’s responsibilities is appropriate and effective and continues to improve. Please see pages 63 and 64 for further details of the Committee evaluation process. External auditor appointment The Committee is responsible for overseeing the relationship with the external auditor, including recommending to the Board their appointment, reappointment and removal, assessing their independence on an ongoing basis and approving the statutory audit fees. The Committee notes the publication in May 2023 of the FRC’s Audit Committees and the External Audit: Minimum Standard. In making these recommendations the Committee considers: • The experience, industry knowledge and expertise of the auditor • The scope and planning of the audit and any variations from the plan • The quality of the processes adopted • The auditor’s explanations of significant risks to audit quality by reference to the Company’s specific circumstances and changes to the risks • The fees charged • Its attitude to, and handling of, key audit judgements • Its ability to challenge and communicate effectively with management • The quality of the final report • The FRC’s Audit Quality Review report relating to the auditor • The appropriate and effective use of experts and specialists As part of the Board’s responsibility to ensure the integrity of the Company’s financial reporting and audit processes, the Audit Committee undertook a comprehensive review of the effectiveness of the external audit, leading to a change in the Company’s statutory auditor. In accordance with UK corporate governance requirements, the Company initiated a formal tender process in November 2023, inviting several audit firms to participate. The process was overseen by the Audit Committee and involved a thorough assessment of each firm’s capabilities, including: • Audit approach: The Committee evaluated each firm’s approach to addressing the Company’s specific audit risks, especially considering its industry and international scope • Expertise and resources: The firm’s sector expertise, team quality and global reach were assessed, as these factors are critical for effective audit service delivery 71 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 External auditor appointment continued • Independence and ethics: The firm’s commitment to maintaining the highest levels of independence and adherence to ethical standards was also a key consideration Following this process, the Board approved the recommendation of the Audit Committee to appoint PricewaterhouseCoopers (PwC) as the Company’s statutory auditor, effective for the financial period ended 30 September 2024. The external audit PwC is engaged to express an opinion on the Financial Statements. It reviews the data contained in the Financial Statements to the extent necessary to express its opinion. It discusses with management the reporting of results and the financial position of the Company and presents findings to the Committee. Where it makes recommendations in its report to the Committee, the Committee reviews them and agrees with management the manner and extent to which they should be implemented. Each of the Directors in office at the date of this report is not aware of any relevant information that has not been made available to PwC and each Director has taken steps to be aware of all such information and to ensure it is available to PwC. PwC’s audit report is published on pages 106 to 111. Auditor’s independence and objectivity The Committee received a formal statement of independence from the external auditor. The Committee recognises the importance of ensuring that the independence and objectivity of the external auditor is not impaired through the provision of non-audit services. We have in place robust policies on the use of auditors for non-audit work. Additionally, the Audit Committee’s approval is also required for any fees for any non-audit work undertaken by the auditor. During the period, the Group paid PwC £80,000 (2023: £nil) for their review of the interim Financial Statements and £2,000 for access to a generic online accounting manual (both of which are non-audit services). These represented 4.9% of the total audit fees. No other non-audit services were provided by the external auditor. All significant pieces of non-audit work are put to informal tender to suitable parties that, if appropriate, can include the external auditor. Upon review as to suitability and price, the work will then be placed with the service provider recommended. If this is the external auditor, then Audit Committee approval is required. The external auditor was not engaged during the period to provide any services which may have given rise to a conflict of interest. The Committee is satisfied that the overall levels of audit and non-audit fees are not material relative to the income of the external auditor as a whole and therefore that the objectivity and independence of the external auditor were not compromised. During the period, our external auditor received ad hoc cyber resilience services in the ordinary course of business, totalling £151,861 (2023: £82,907). The Committee is satisfied that this work is immaterial and provided on normal commercial terms to both the external auditor and the Company and therefore the objectivity and independence of the external auditor are not compromised. External auditor’s effectiveness For the financial year ended 31 May 2023, KPMG LLP served as the Company’s statutory auditor. The Audit Committee conducted an annual assessment of KPMG’s effectiveness, taking into account factors such as: • Audit quality: The Committee evaluated the quality of the audit conducted by KPMG, including the rigour of audit procedures, its technical capabilities and its understanding of the Company’s industry and risks • Independence and objectivity: The independence of KPMG was reviewed to ensure that there were no conflicts of interest and that it adhered to the applicable ethical standards • Communication and transparency: The Committee considered the quality of communication between KPMG and both management and the Audit Committee. This included its willingness to challenge management’s judgements where appropriate and the timeliness of its feedback Following this review, the Committee concluded that while KPMG had performed adequately, it was in the Company’s long-term interest to rotate auditor in line with best practice governance. Since its appointment, PwC has been fully engaged with both management and the Audit Committee to ensure a smooth and effective transition. This has included: • Audit planning: PwC presented a detailed audit plan for the financial period ended 30 September 2024, which included its approach to significant areas of risk • Independence: PwC has confirmed its independence in accordance with applicable regulations and has established rigorous controls to ensure this is maintained throughout their engagement • Engagement with management: Initial feedback from management indicates that PwC has adopted a thorough and collaborative approach to understanding the business’ operations, processes and risk areas During the financial period, I attended regular meetings with PwC’s engagement partner without management being present. This provided the opportunity for open dialogue. The engagement partner demonstrated her understanding of the Group’s business risks and the consequential impact on the Financial Statements. The Audit Committee will continue to closely monitor PwC’s performance throughout the audit period and conduct a post-audit review to assess its effectiveness in delivering a high quality and independent audit. In line with the UK Corporate Governance Code, the Audit Committee will continue to monitor the effectiveness of the external audit process annually, ensuring that the Company’s auditor continues to meet the highest standards of independence, audit quality and service. Related party transactions and other fees approved by the Committee Refer to Note 31 for related party transactions during the period. Audit Committee report continued 72 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Fair, balanced and understandable The following process was followed by the Committee in making its assessment: 1. Financial information • Prepared by individual business units • Consolidated by Group finance team • Reviewed by Group Financial Controller and CFO 2. Narrative disclosures • Prepared by Group finance team • Reviewed by Group Financial Controller and CFO • Various reports prepared by Committee Chairs, CEO and CFO 3. Independent reviewers • Senior members of the Executive Committee or other senior colleagues • Those who have not been major contributors 4. Audit Committee Chair • Review of detailed verification documents • Review of findings and observations from independent reviewers 1 Financial information 3 Independent reviewers 2 Narrative disclosures 4 Audit Committee Chair Fair, balanced and understandable At the request of the Board, the Committee considered whether the 2024 Annual Report and Accounts, when taken as a whole, was fair, balanced and understandable (FBU) and whether it provided the necessary information for shareholders to assess NCC Group’s position and performance, business model and strategy. The reviews outlined in the diagram above include reviews of all material matters, as reported elsewhere in this Annual Report and Accounts, and reviews of the balance of good and bad news and ensure the Annual Report and Accounts correctly reflects: • The Group’s position and performance as described on pages 6 and 7 and 40 to 51 • The Group’s business model as described on pages 8 and 9 • The Group’s strategy as described on pages 12 and 13 The independent reviewers were not major contributors to the Annual Report and Accounts but, at the same time, as members of the Executive Committee or other senior colleagues, are deemed to be sufficiently well informed on the Group’s activities to be able to give appropriate feedback on the FBU criteria. They undertake a qualitative review of disclosures and a review of internal consistency throughout the Annual Report and Accounts. The Directors’ statement on a fair, balanced and understandable Annual Report and Accounts is set out on page 105. Lynn Fordham Chair, Audit Committee 10 December 2024 73 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Nomination Committee report We also assess the time commitment required. Candidates are sought by third party executive search consultants and, where appropriate, through the assessment of internal candidates and are then formally considered by the Nomination Committee. Extensive external referencing is also completed. Board succession The Committee is tasked with overseeing the succession planning process and providing recommendations to the Board. It adopts a long-term perspective on succession planning, consistently evaluating Board tenure and diversity (with an emphasis on gender, cultural background and experience), and identifying the skills necessary for the Board to effectively support the Company’s strategy both in the immediate future and over several years. The Committee’s efforts in succession planning played a crucial role in recruitment activities over the years. In the forthcoming period, the Committee will continue to prioritise the establishment of suitable succession plans for various timeframes. Diversity Our objective is to have a broad range of skills, backgrounds, experiences and personal attributes within the Board as this ensures the Board is best placed to serve the Company. All appointments are made on merit and against objective criteria with due regard for the benefits of diversity on the Board, including gender identity, nationality and educational and professional background, as well as individual characteristics which will enhance diversity of thinking on the Board. NCC Group and the Committee value the aims and objectives of the FTSE Women Leaders Review (formerly the Hampton-Alexander Review on FTSE women leaders) and the Parker Review on ethnic diversity of UK boards and support and apply the Group’s diversity policy. The Committee is also mindful of the Group’s diversity policy when making appointments to the Board Committees (Audit, Cyber Security, Nomination and Remuneration), ensuring an appropriate range of backgrounds across Committee members to enhance quality decision making. The members of the Nomination Committee are Julie Chakraverty, Jennifer Duvalier and Lynn Fordham, along with me. (Chris Batterham also served as a Committee member until 30 November 2023). The Nomination Committee’s objectives and responsibilities The Nomination Committee is responsible for reviewing the size, structure, balance, composition and progressive refreshing of the Board and its Committees and as such its duties include: • Reviewing the structure of the Board • Evaluating the balance of skills, knowledge, experience and diversity on the Board • Making recommendations for further recruitment to the Board or proposing changes to the existing structure of the Board, or individual Directors • Reviewing the leadership needs of the Company, both Executive and Non-Executive • Succession planning for Directors and other senior executives within the business • Recruiting, appointing and exiting of Directors • Overseeing membership of, and succession to, the various Board Committees • Reviewing the time commitment required from the Non-Executive Directors on NCC Group business The Chair of the Board leads the process for the appointment of new Non-Executive Directors to the Board and for the appointment of the Chief Executive Officer. The Chief Executive Officer, in conjunction with the Chair, leads the process for the Chief Financial Officer. The Senior Independent Director leads the process for a new Chair of the Board. In relation to an appointment to the Board, the Committee draws up a specification and assesses the capabilities and experience required for such a role, taking into account the Board’s existing composition, including relevant experience and understanding of our stakeholder groups. Chris Stone Chair, Nomination Committee NCC Group plc — Annual report and accounts for the period ended 30 September 202474 The Group’s gender diversity statistics are set out on page 18. At Board level, we currently have three females, one of whom is a person of colour; however, we note that diversity extends beyond the measurable statistics of gender and ethnicity. We continue to take diversity in its wider context into account, having regard to the diversity policy, and recommend only the most appropriate candidates for appointment to the Board. During the year ended 31 May 2021, we made the firm commitment that by 2024, we would have at least 33% female representation on our Board and at least one person of colour. Through our most recent Non-Executive appointments, in 2022 we delivered on our commitment and are also on course to meet the FTSE Women Leaders Review target of 40% by the end of 2025. Although this is best practice for FTSE 350 companies, we have committed to this target regardless of which share index we are in. Our Board now has 43% female representation. We remain focused on ensuring diversity within our leadership population and will continue to address this during future Board and Executive Committee appointments. Improvements in diversity are often not a quick process; however, we are very mindful of the need to continue to take positive action, and the matter remains an ongoing priority on our agenda. Accessing the candidates we require to reach this target will involve us looking beyond the obvious pool of existing board directors within the UK and we are committed to ensuring that we extend our talent search to other sectors and locations globally to ensure we find a diverse pool of candidates to provide us with true diversity of thought, culture and lived experience, around our Board table. When a new Director is appointed, they receive a full, formal and tailored induction into the Company and discuss with the Chair to identify any immediate and longer-term training requirements. During the period, we ensured that our CFO (Guy Ellis) was provided with a formal, comprehensive and tailored induction programme, supported by internal and external stakeholders, to establish himself in his statutory role. The Committee’s terms of reference can be found in the Investor Relations section of the Company’s website: www.nccgroupplc. com/investor-relations/corporate-governance. The terms of reference are reviewed annually and updated when necessary. Committee meetings During this financial year, the Committee held two scheduled meetings. The attendance of individual Committee members at Nomination Committee meetings is shown in the table on page 59. Activities during the period During the period, the Committee: • Evaluated the skills, knowledge and experience around the Board table • Reviewed the structure, size and composition of the Board • Reviewed the Directors’ length of service • Reviewed the diversity of the Board • Reviewed the memberships of all Committees • Reviewed the expected time commitment of the Chair and the Non-Executive Directors • Evaluated its own performance as a Committee During the period, the Nomination Committee has had several in-depth presentations from the Chief People Officer, focused on leadership, succession planning and talent management and development, informed by insights from our data analysis and the external environment. These presentations looked at the overall current position, and in particular senior succession, i.e. the Executive Committee and its direct reports. Presentations and updates during the period This period the Committee has had a number of presentations and updates on various colleague matters across the Group, including: • Undertook a deep dive into Board composition and succession, inclusive of Chair succession • Reviewed achievements over the previous year for the global people team and looked forward to priorities for the year ahead • Reviewed our ongoing development of capability, with a particular focus on senior succession and talent • Reviewed our approach to collecting colleague diversity data, with a focus on building colleague sentiment • Considered the generational perspectives of colleagues within the Group and their diverse needs from an organisational and leadership perspective • Received comprehensive colleague engagement briefings on survey results from the “MyVoice” survey (which utilises the Glint platform), along with the agreed next steps and future commitments in response to colleague feedback. Exit interview data and key themes were also presented to the Committee • Reviewed both present and former colleague sentiment on Glassdoor and LinkedIn • Explored our current global leadership KPIs and discussed opportunities for improvement as we launched our leadership development programme during the period 75 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Presentations and updates during the period continued To support the ambition and our commitment to improving global diversity, we are focusing on: Processes • Removing barriers to entry and making our talent attraction and acquisition experience world class, leading to a review of our selection methodology and a new framework being developed, to help to level the playing field for under-represented communities, remove bias and create a robust and valid way of identifying and selecting talent • The ongoing review of our policies, processes and documentation to ensure all bias is removed (including adverts and job descriptions), and ensuring the use of inclusive language wherever possible • Throughout the period, the people team has been working on a strategic project to introduce diversity data collection processes for both future and current talent for NCC Group. The Chief People Officer has been driving this initiative and has kept the Board regularly updated on progress with a planned go-live for this project early during the next financial year, leveraging diversity data to foster inclusion, drive equitable recruitment and provide equal opportunities for all candidates and colleagues Culture • Development of a behavioural framework which has been launched and embedded into several elements of the employee lifecycle, namely performance management reviews, hiring and, in particular, our bespoke psychometric profiling tools developed with Saville Assessment, and through our Group annual bonus plan in the assessment of behavioural indicators. Further development and embedding are planned for the coming financial year. The framework was created in partnership with diversity, equity and inclusion (DE&I) experts and talent consultancy Pearn Kandola and with input from our global colleague resource groups • Roll-out of our new leadership development programme, enabling performance to create a consistent understanding of the essential role of leadership for NCC Group • Continued support for our DE&I colleague resource groups to make positive change and build awareness, to foster inclusion, awareness and meaningful conversations while empowering colleagues to drive positive change and cultivate an inclusive work environment. Additionally, each colleague resource group now has a dedicated ExCom sponsor to provide support, and the colleague resource group leads meet quarterly with the CPO and CEO to maintain continuous dialogue and development • Shared our first Annual Inclusivity Survey to establish a baseline understanding of comfort level and how accepted colleagues feel at NCC Group, gauge familiarity with Company resources and programmes and to understand what colleagues would like to see more of • Launched moments that matter: our suite of supportive, people-focused policies designed around our colleagues and their needs. Moments that matter aligns to our people proposition, evolving and supporting family (in its many forms), flexibility and wellbeing • Our Chief People Officer, Michelle Porteus, signed the Working with Cancer Pledge to demonstrate our support in providing a more open, supportive and recovery-forward culture at work, not only for our colleagues with a diagnosis themselves, but to bolster those whose loved ones are also living with cancer Colleague voice • Committed to an ongoing open dialogue with our colleagues, through our bi-annual engagement survey (“MyVoice”), colleague forums, live leadership “Ask Me Anything” sessions, Board engagement sessions with colleagues, our colleague resource groups, listening sessions and our whistleblowing lines which all play an active role in creating a great place to work (for further information, please see the Stakeholder Engagement section on pages 14 and 15) • Our “Speak Up” Framework was launched globally to provide clear guidance and signposting to colleagues, covering the various routes to raise concerns, and the relevant policies to address these issues where required, as well as sharing colleague feedback. This activity was prioritised due to feedback that there was a lack of clarity around the routes to take, and the expectations of the process • NCC Diamonds, our annual colleague recognition programme completed its fourth cycle. NCC Diamonds provides colleagues across the organisation with the opportunity to nominate individuals or teams for the incredible work they do, recognising the brilliance and accomplishments of their peers. Nominations are linked to our NCC Group values, followed by regional and global judging periods, with each category winner receiving a “money can’t buy experience” • Continuing to develop and assess the broad range of opportunities for colleagues to ask questions, provide feedback and play an active role in creating a great place to work Long term • Developing our employer brand to broaden our attraction strategies, supported by a flexible, distinctive proposition to ensure we remain current and attractive in an extremely competitive global tech talent market • Building strategic partnerships with organisations to support our commitment to create an inclusive and diverse environment • Connecting the initiatives at every stage of colleagues’ lives and careers to create enriched career pathways and achieve the best return for investment with improved colleague retention. Initiatives include work experience, the Next Generation Talent programme, mentoring and CyberFirst bursaries and alumni programmes Committee effectiveness During the period, the Nomination Committee carried out an internally facilitated evaluation of its effectiveness. The Committee was found to be working effectively with a number of recommendations made. Further information can be found on pages 63 and 64 External search consultancies During the period, no external search agencies were engaged. Chris Stone Chair, Nomination Committee 10 December 2024 Nomination Committee report continued 76 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Cyber Security Committee report The Cyber Security Committee was formed to focus specifically on the cyber and data protection risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business and the potential damage to the business as a high value target for malicious acts. The Committee’s activities aim to challenge and support improvements to the Group’s information security and data protection policies, defences and controls, so as to comply with global data protection regulations around the world, and ensure that the Group looks after its own information, and the information that its customers entrust to it, with the proper care and attention. The Committee was formed in November 2016 and I have been Chair since July 2022. Chris Batterham (until 30 November 2023), Jennifer Duvalier, and Lynn Fordham (all Independent Non-Executive Directors) served as members of the Committee throughout the period. Chris Stone (Company Chair) is also a member of the Committee. The Group’s Director of Global Governance, the Group’s Director of Security Operations (DSO), the Group’s Chief Information Officer and the Group General Counsel (also Head of Data Governance) (GC) are standing invitees of the Committee. The Executive Directors are invited to attend Committee meetings when the Committee considers it to be appropriate. The Cyber Security Committee’s objectives and responsibilities The Cyber Security Committee is responsible for assessing the performance of the Group’s internal security and defences and as such its duties are to: • Oversee and advise the Board on the current cyber risk exposure of the Group and future cyber risk strategy Julie Chakraverty Chair, Cyber Security Committee • Review at least annually the Group’s Cyber Security breach response and crisis management plan • Review reports on any Cyber Security incidents and the adequacy of resulting actions • Receive and consider the regular update reports from the DSO and GC and ensure the DSO and GC are given the right of direct access to the Committee • Consider and recommend actions in respect of all cyber and data protection risk issues escalated to it • Keep under review the effectiveness of the Group’s controls, services and products to analyse potential vulnerabilities that could be exploited • Regularly assess what are the Group’s most valuable intangible assets and the most sensitive Group and customer information and assess whether the controls in place sufficiently protect those assets and information • Review the Group’s ability to identify and manage new cyber risks • Assess the adequacy of resources and funding for data protection and Cyber Security defence and control activities • Regularly review the cyber and data protection risk posed by third parties including outsourced IT and other partners • Oversee Cyber Security and data protection due diligence undertaken as part of an acquisition and advise the Board of the risk exposure • Annually assess the adequacy of the Group’s cyber insurance cover The Committee’s terms of reference can be found in the Investor Relations section of the Company’s website: www.nccgroupplc. com/investor-relations/corporate-governance/. The terms of reference are reviewed annually and updated when necessary. NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Governance 77 Committee effectiveness During the period, the Cyber Security Committee carried out an internally facilitated evaluation on its effectiveness, as it continues to mature since its formation in November 2016. The Committee was found to be working effectively and I am satisfied that the degree of rigour and challenge applied in performing the Committee’s responsibilities is appropriate and effective and continues to improve. As an output of both this and previous evaluations, the Committee, along with the Board, reaffirmed that Cyber Security and data protection are sufficiently important risks for the business and that the Committee should remain focused on this specific set of risks. Therefore, the current structure in which the responsibility for broader risk management remains with the Audit Committee will continue. Committee activities during the period The focus for 2024, in terms of Cyber Security, was ensuring the risks to the Group were well documented and the types of threats and attacks were well understood. To this end, a risk analysis was performed to ensure cyber risks map to the enterprise risk architecture and the work of the GTS security team was tailored to the highest value areas. Cyber incident readiness has been a key focus for 2024, with exercises and training undertaken at all levels, from operational teams to business leaders to ensure a swift and effective response in the case of cyber attack. This has involved teams from all areas of the business continuing the collaboration on Cyber Security across diverse areas. Training has been another critical area, with an increased emphasis on identifying phishing emails as this is an attack vector that is frequently observed. All colleagues now partake in monthly phishing exercises that cycle through difficulty levels to target different attacker sophistication, with educational assistance sent out post-exercise to help identify suspicious elements of an email that may indicate a phishing attack. Board training and updates on developments within Cyber Security are also provided regularly. Turning to data protection, the regulatory landscape is continually changing, particularly in light of the UK GDPR and regulatory updates in other key jurisdictions, and the team is working closely to stay abreast of such changes. The team has also experienced a notable upswing in the number of Data Subject Rights Requests it receives as individuals become more aware of their rights under GDPR. Noteworthy highlights since our previous report include: • All Rights Requests received this period have been fulfilled within legally compliant time periods • Our data protection team is now incorporated into the Legal function, reporting into the Group General Counsel, allowing better alignment and collaboration between the two teams. We have restructured the existing team with two Data Protection and Governance Officers (one focusing on Europe and one on the UK and RoW) and a Data Protection Manager to ensure support for the business globally while taking into account jurisdictional variation • Significant progress has been made to support our global delivery model, including updating the Intra-Group Agreement to strengthen cross-border transfers. Additionally, the standard terms and conditions have been updated to strengthen the Group’s data protection positions while maintaining commercial outcomes • A project to transfer our Records of Processing Activities into a unified system is in progress which allows us to better track our activities and simplify reviews • Further, our three year strategy continues to pave the way for our intended application for Binding Corporate Rules. As detailed in last year’s report, Binding Corporate Rules provide colleagues and customers alike with a sense of trust through demonstration of our commitment to protecting personal data, wherever in the world it may be processed during our business activities Committee meetings During this financial year, the Committee met four times and the attendance of individual Committee members at the Cyber Security Committee meetings is shown in the table on page 59. Julie Chakraverty Chair, Cyber Security Committee 10 December 2024 Cyber Security Committee report continued 78 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Remuneration Committee report Annual Statement The Committee closely monitors shareholder guidance and feedback on remuneration. Shareholder voting on AGM remuneration resolutions is reviewed annually, shareholders are consulted when changes to policy are being considered and major shareholders have the opportunity to provide annual feedback to the Board and Remuneration Committee on NCC Group’s remuneration approach at annual engagement meetings. There are a number of existing channels of communication with colleagues with regard to NCC Group’s remuneration policies and executive remuneration. Our engagement survey enables colleagues to provide feedback confidentially on many employment issues, including remuneration. Our designated NED for colleague engagement also holds a number of colleague engagement sessions during the period in which colleagues are invited to provide feedback and comments on any issue, including executive remuneration and broader remuneration policies. In particular, a question and answer discussion is always held on executive remuneration and how this aligns with the wider Company pay policy. Our designated NED also reminds colleagues where the information can be located and answers any questions as they arise. The Committee also receives regular feedback from the Chief People Officer and the Director of Reward and Benefits on how colleagues perceive our remuneration policies and practices in the context of recruitment, retention and motivation. This information is used by the Committee in its monitoring and development of remuneration policies. Jennifer Duvalier Chair, Remuneration Committee On behalf of your Board, I am pleased to present our Directors’ Remuneration Report (DRR) for the period ended 30 September 2024. The report is divided into three sections: this Annual Committee Chair’s Statement, the Annual Report on Remuneration for FY24, and the proposed Directors’ Remuneration Policy for the period 2025–2028. At the AGM in November 2023, 84.86% of shareholders voted in favour of the Directors’ Remuneration Report, and I would like to thank shareholders for their continuing support. Annual statement 2023/24 was another full period for the Remuneration Committee as we developed our 2025–2028 Directors’ Remuneration Policy, and also worked through a number of challenges in relation to the change of year end. The Committee comprised Julie Chakraverty, Lynn Fordham and myself as Chair. Our Board Chair, Chris Stone, also attended all meetings. Our remuneration consultants, Chief People Officer, Director of Reward and Benefits, CEO and other Executives, including the Group Director of Finance, were invited to meetings as required, although we always ensure that we have time without Executives present and no Executive was present when decisions relating to their own reward were made. NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Governance 79 Proposed Remuneration Policy and changes Throughout the 16 month period ended 30 September 2024, we operated within the Remuneration Policy that was approved by shareholders at the AGM in November 2021 with 87.43% of votes in favour. In early 2024, we commenced our engagement process with our major shareholders to shape the Directors’ Remuneration Policy for 2025–2028 (the “DR Policy”) and also to discuss our remuneration approach in relation to our change in year end. Since our last Remuneration Policy, we have seen significant change amongst our executive team, including the appointment of a new CEO and CFO who continue to drive the execution of our strategy, transforming the business at pace with the objective of creating a stronger, more resilient organisation that can truly deliver on its purpose to create a more secure digital future. Having reviewed the Policy, the Committee proposes to make relatively limited amendments to the variable incentives, as follows. Annual bonus: • The deferral provisions will be slightly adjusted; deferral will take place for 35% of any bonuses in excess of the first £50,000 earned. Awards will still be deferred for a period of two years into shares. • The performance scorecard will be simplified with fewer metrics. The intention is to focus on growth in profit, which is a key measure of success for the strategy. Long Term Incentive Plan (LTIP): • The Committee and management wish to strengthen the alignment to value creation by focusing on relative total shareholder return (TSR), earnings per share (EPS) and cash conversion, weighted 50%/30%/20% respectively. The Committee will retain flexibility to adjust these metrics and their weightings in the life of the policy, but no major changes would be made without shareholder consultation. • The Committee believes that the strategy offers a significant opportunity for NCC Group to rebuild and increase value to shareholders over the next three years. We have proposed an exceptional maximum opportunity in the Policy which provides an additional 50% of salary headroom. For the LTIPs issued in June 2024 only, the maximum opportunity was increased by 50% of salary for both the CEO and CFO. This additional opportunity is also linked to all three performance metrics proportionately. Vesting will be subject to exceptional performance and delivery of super stretch targets over and above the normal award opportunity currently available in the Policy. Similar provisions have been applied for performance share awards to other senior executives. The normal maximum will then apply for the CEO and CFO from 2025. • The additional LTIP award will help retain and incentivise the executive team over this period. The additional shares will only vest in the event that NCC Group delivers additional value to our shareholders via truly exceptional financial and share price performance. No other material changes are proposed since the DR Policy is already aligned to best practice. The Remuneration Committee felt it was important to test with our major shareholders whether our proposed changes were fit for purpose in the medium to long term. We would like to thank those investors who we met with and who provided valuable feedback in helping to shape our revised Policy, during our extensive consultation with our larger shareholders. Year end change As set out in the announcement of our interim results published on 25 January 2024, the Board has changed the year end of the Group from 31 May to 30 September, to drive greater efficiency in our corporate reporting and audit process. As a result, the Group announced H2 2024 results and the 12 months trading to 31 May 2024 on 1 August 2024. In addition, the 16 months trading to 30 September 2024 is reported within this Annual Report and Accounts and approved on 10 December 2024 in line with the new reporting timetable. The Committee deliberated on the course of action in relation to variable incentives. In general, the approaches taken are within the currently approved Remuneration Policy and are in line with the same treatment to the wider workforce and (where applicable) the rules of the 2020 Long Term Incentive Plan. However, in one area, we were required to make awards conditional upon the approval of the new DR Policy as noted below. • Annual bonus: a 12 month period operated as per normal, ended 31 May 2024. The additional four month period to 30 September 2024 was measured based on financial targets aligned to the four month period. There was a payout after 12 months following the review opinion by NCC Group’s auditor, PwC, with the four month period payouts made after publication of our final results for the 16 month period. All payments in respect of the 16 month period are disclosed within this report. This course of action is in line with the treatment to the wider workforce. • The 2021 LTIP has a measurement period that ends on 31 May 2024. Vesting was calculated based on performance to that date, subject to a review opinion by PwC. • The 2022 and 2023 LTIP awards will have a performance measurement period of 40 months to align with the publication of the 2025 and 2026 financial results. The Committee will review the EPS and cash conversion targets to ensure that the change to the financial year does not make the targets any less or more difficult to achieve. The holding period will continue to run until five years from date of grant in line with the Governance Code. • 2024 LTIP: previously, awards were granted annually in October with the performance period commencing on 1 June. In the future, awards will be granted in January with the performance period starting on 1 October. For the 2024 incentive, the Committee proposes to uplift the award opportunity for all long-term incentive participants by four months to allow for a smoother transition between grants. The performance period will begin on 1 June for the relative TSR element only with other financial metrics measured based on the October to September financial year. For the CEO and CFO, these awards are conditional on shareholder approval of the new DR Policy. Base salaries For the 16 month period ended 30 September 2024, an increase of 9% to Mike Maddison’s salary took effect from 1 December 2023 (the new base salary being £545,000). A further salary increase of 3% took place with effect from 1 June 2024, taking the new base salary to £561,350. The Committee thought it important to recognise Mike’s efforts in formulating and driving the strategy and for his significant personal contribution to business performance and the journey the Company is on. This increase should also be set against the fact that Mike had no increases to base salary during his first year of service. The Committee acknowledges that this was above the workforce average, but for the reasons explained above felt that it was appropriate. The CFO also received an increase of 4% effective 1 June 2024, (the new base salary being £312,000). The Committee recognised that his salary was somewhat below the appropriate level given the size and nature of the role, plus the strong start Guy had in Remuneration Committee report continued Annual Statement continued 80 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 the role, and his personal positive contribution to the Company and the finance teams. Last year, the Committee set Guy’s incentive opportunities slightly below the Policy limits for his first year; during the period the Committee decided to set his incentive opportunities in line with the Policy maximum – i.e. 125% of salary for the bonus and 150% for the LTIP. Performance related pay – annual bonus The annual bonus for the period ended 30 September 2024 for both the CEO and CFO was based on the satisfaction of stretching financial and strategic targets. The financial target of Group Adjusted operating profit for the 12 months to 31 May 2024 had a weighting of 60%. Group Adjusted operating profit was £31.1m and this resulted in a payout of 40% of the 60%. The strategic objectives had a weighting of 40% and covered a number of areas supporting our strategy, including strategic bonus measures around our clients, our capabilities, people and operational excellence, global delivery and differentiated brands. The Committee determined that the strategic element should pay out at maximum. Further detail on performance against strategic objectives is provided later in the report. This resulted in a total bonus for the 12 month period at 80% of maximum resulting in a bonus payout of £522,500 for the CEO and £250,000 for the CFO. Given the short time period, and recognising that setting meaningful strategic targets for such a short timeframe would be challenging, the bonus for the four month period ended 30 September 2024 was based purely on financial measures. The payout for this was 100% of maximum resulting in a bonus payout of £233,895 for the CEO and £130,000 for the CFO. For both the CEO and CFO, 35% of the aggregate bonus earned over the 16 month period to 30 September 2024 will be deferred into shares and will vest after two years. Clawback and malus provisions are also in place for the bonus. The Committee considered whether it should exercise any discretion to the bonus outcomes. The Committee concluded that the outcomes for both the financial and the strategic, non-financial elements were a fair reflection of the good performance in the relevant areas, and the Committee therefore decided not to exercise any discretion. For 2024/25, the Committee has considered the weighting of metrics in the annual bonus. The Committee concluded that the weighting on the Group Adjusted operating profit should be maintained at 60% of maximum, to continue to give appropriate emphasis to this metric. The remaining 40% will apply to key strategic metrics, with stretching targets. These will include targets linked to the pillars of the strategy, together with people and operational excellence objectives. These will be fully disclosed in the Remuneration Report for 2024/25. Performance related pay – LTIP The 2023–2026 LTIP was granted in October 2023 and the 2024–2027 LTIP was granted in June 2024. The awards will vest subject to demanding EPS, cash and relative TSR targets outlined later in this report. For the CEO and CFO the 2024–2027 awards are subject to the approval of the new DR Policy. The 2021 LTIP vested at 30% of maximum. This was based on the cash conversion element (weighting 30%) being achieved in full but with below-threshold achievement of the EPS growth and TSR metrics. The Committee considered whether any downward discretion should be applied to the overall vesting outcome. It concluded that it remained important to recognise and continue to incentivise strong levels of cash conversion and that it would not be appropriate to apply discretion to the payment outcome. The Committee also considered NCC Group’s underlying performance and the experience of both our shareholders and wider workforce. Neither of the current Executive Directors received an award under the 2021 LTIP. The Committee has reviewed targets and weightings in order to incentivise growth, maintain high levels of cash conversion and take into account market expectations. Performance will continue to be measured against stretching targets. The metrics and the targets for FY24 to FY27 are set out below: 1. Relative TSR (50% weighting): Median performance against the FTSE 250 (excluding investment trusts) will be required for any vesting. For this element to vest at 100%, upper quartile performance against the FTSE 250 (excluding investment trusts) will be required. For the stretch target to pay out (i.e. additional the 50% of salary opportunity that applies for 2024 awards only), TSR will need to be above the 90th percentile (i.e. within the top 10% when compared to the FTSE 250 (excluding investment trusts). 2. Cash conversion – new measure (20% weighting): The range will be increased to 85%–90%, with the stretch target being above 95%. 3. Adjusted basic EPS – new measure growth (30% weighting): The threshold is 6.0p, with the target being 7.0p, and the stretch being 8.5p. Non-Executive Director and Chair’s fees In accordance with our Remuneration Policy, the fees for Non-Executive Directors were thoroughly reviewed by the Company Chair, CEO and CFO. After careful consideration, it was determined that there would be no increases during the 2023/24 period. The Remuneration Committee also conducted a review of the fees for the Board Chair, utilising data provided by our remuneration consultants. Once again, it was decided that no increases would be made for the 2023/24 period. It is our intention to conduct a thorough review of both the fees for Non-Executive Directors and the Chair in the upcoming 2024/25 financial year. Details of these fees and allowances are given in the Annual Report on Remuneration on page 82 Grants of shares under a below-Board Restricted Share Plan to broaden colleague share ownership We remain committed to broadening share ownership throughout the Group, both as a reward and a retention tool. During the period, we made further grants to around 150 colleagues under our Restricted Share Plan (RSP), authorisation for which had been granted at the 2020 AGM. In addition, we also offered colleagues the opportunity to participate in our Save As You Earn/stock purchase share plans in the UK, the US, Canada, the Netherlands, Australia and Spain. Once again, these proved popular with high take-up levels. Over the course of the next year, we will explore how we can launch share plans within the Philippines for our new colleagues based there. The Group also has a new Share Incentive Plan (SIP) for UK-based colleagues, further increasing our commitment to cost effective colleague share ownership. Conclusion The 2024 Directors’ Remuneration Report will be put to the usual annual advisory vote at the AGM on 28 January 2025, along with the binding vote on the three year DR Policy covering the period 2025–2028. The Committee is committed to engagement and transparency and I welcome the opportunity for discussion of the Group’s remuneration with shareholders, at our AGM or at any other time during the period, and look forward to your continuing support. Jennifer Duvalier Chair, Remuneration Committee 10 December 2024 81 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Annual Report on Remuneration This part of the report has been prepared in accordance with Part 3 of The Large and Medium-sized Companies and Groups (Accounts and Reports) (Amendment) Regulations 2013 as amended and 9.8.8R of the Listing Rules. The following report will be subject to an advisory shareholder vote at the AGM, which is scheduled to be held on 28 January 2025. The information on pages 79 to 100 has been audited where indicated. How the Remuneration Policy has been implemented in the period ended 30 September 2024 This section sets out how the Remuneration Policy was implemented in 2023/24. The key implementation decisions during the period related to: • Review of salaries for Executive Directors • The determination of bonus outcomes for the 2023/24 performance period • The performance targets and value of awards granted under the LTIP, which will vest in 2026 and 2027 Further detail on these decisions, together with other information on payments made to Directors, is set out in the following sections. Single total figure of remuneration (audited) The detailed emoluments received by the Executive and Non-Executive Directors for the period ended 30 September 2024 are below. For ease of comparison, a 12 month period to 31 May 2024 has also been shown: Director Period ended Salary/ Non- Executive Director fees 1 £000 Benefits 2 £000 Pension benefits ³ £000 Total fixed pay £000 Bonus 12 months to 31 May 2024 ⁴ £000 Bonus 4 months to 30 Sept 2024 ⁴ £000 Long-term incentive ⁵ £000 Other 8 £000 Total variable pay £000 Total £000 Chris Stone 16 months to 30 Sept 2024 217 — — 217 — — — — — 217 31 May 2024 163 — — 163 — — — — — 163 31 May 2023 163 — — 163 — — — — — 163 Mike Maddison 16 months to 30 Sept 2024 710 14 32 756 523 234 — — 757 1,513 31 May 2024 523 11 24 558 523 — — — 523 1,081 31 May 2023 449 1 16 466 39 — — 500 539 1,005 Adam Palser 16 months to 30 Sept 2024 — — — — — — — — — — 31 May 2024 — — — — — — — — — — 31 May 2023 24 1 1 26 — — — — — 26 Guy Ellis 8 16 months to 30 Sept 2024 379 8 17 404 250 130 — — 380 784 31 May 2024 275 6 12 293 250 — — — 250 543 31 May 2023 — — — — — — — — — — Tim Kowalski 9 16 months to 30 Sept 2024 28 2 1 31 — — — — — 31 31 May 2024 28 2 1 31 — — — — — 31 31 May 2023 333 13 15 361 21 — 30 — 51 412 Chris Batterham 10 16 months to 30 Sept 2024 28 — — 28 — — — — — 28 31 May 2024 28 — — 28 — — — — — 28 31 May 2023 70 — — 70 — — — — — 70 Julie Chakraverty 6 16 months to 30 Sept 2024 114 — — 114 — — — — — 114 31 May 2024 85 — — 85 — — — — — 85 31 May 2023 78 — — 78 — — — — — 78 Jennifer Duvalier 16 months to 30 Sept 2024 90 — — 90 — — — — — 90 31 May 2024 67 — — 67 — — — — — 67 31 May 2023 67 — — 67 — — — — — 67 Lynn Fordham 7 16 months to 30 Sept 2024 90 — — 90 — — — — — 90 31 May 2024 67 — — 67 — — — — — 67 31 May 2023 46 — — 46 — — — — — 46 Mike Ettling 16 months to 30 Sept 2024 75 — — 75 — — — — — 75 31 May 2024 56 — — 56 — — — — — 56 31 May 2023 56 — — 56 — — — — — 56 Total 16 months to 30 Sept 2024 1,731 24 50 1,805 773 364 — — 1,137 2,942 31 May 2024 1,292 19 37 1,348 773 — — — 773 2,121 31 May 2023 1,286 15 32 1,333 60 — 30 500 590 1,923 Remuneration Committee report continued Annual Report on Remuneration 82 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 1 The Chair and Non-Executive Directors each receive an allowance paid as part of their base fees of £8,200 and £4,750 respectively, to cover all travel and expenses related to their roles on the Board. 2 Benefits currently include the provision to every Executive Director of private medical insurance, income protection and life assurance. Benefits also include the discount to market value (plus savings bonus) of the SAYE option granted to Mike Maddison during the financial period. 3 Executive Directors are entitled to a Company pension contribution, which is paid into the Group defined contribution personal pension scheme. They can also opt to have the same level of contribution made in the form of a cash contribution. 4 Annual bonus payments for performance in the relevant financial year; 35% of this bonus is deferred into nominal cost share options for two years. Dividend equivalents accrue on these shares. Awards are subject to service conditions but there are no further performance conditions. 5 Long-term incentive awards vesting under the LTIP. Neither Mike Maddison or Guy Ellis had any LTIP awards vesting during the 16 month period to 30 September 2024 (and indeed have not had any awards vesting to date under this scheme since they joined NCC Group). (The awards made to Tim Kowalski are covered within payments to former Directors.) 6 Julie Chakraverty joined the Board on 1 January 2022 and took over from Jennifer Duvalier as the designated Non-Executive Director for engaging with colleagues on behalf of the Board. On 1 July 2022, Julie took over from Chris Stone as Chair of the Cyber Security Committee, and on 1 February 2023 took over from Chris Batterham as the Senior Independent Director. 7 Lynn Fordham was appointed to the Board on 1 September 2022 and became Chair of the Audit Committee on 1 February 2023. 8 Guy Ellis was appointed CFO on 30 June 2023. 9 Tim Kowalski stepped down as CFO on 30 June 2023. 10 Chris Batterham stepped down as a Non-Executive Director on 30 November 2023. Additional information in respect of the single total figure of remuneration Pension and benefits The CEO’s and CFO’s pension provisions are in line with the level of the wider workforce, which is currently 4.5% of salary. These are either paid as pension contributions, or cash in lieu of pension. Annual bonus (audited) 2023/24 annual bonus (audited) For the period ended 30 September 2024, the maximum annual bonus opportunity for Mike Maddison was 125% of salary. For Guy Ellis, the maximum annual bonus opportunity was 100% of salary for the period 30 June to 30 November 2023 and 125% of salary for the period 1 December 2023 to 30 September 2024. For the 12 months ended 31 May 2024, bonuses of 80% of maximum were payable for both the CEO and CFO being £522,500 and £250,000 respectively for Mike Maddison and Guy Ellis. In accordance with the Remuneration Policy, 35% of each payment will be deferred into nominal cost share options for two years (these shares are subject to service conditions but there are no further performance conditions), with the remaining 65% paid in cash in August 2024. The performance measures and targets are set out below. Financial targets – up to 60% of the 12 month bonus to 31 May 2024 (audited) Performance targets Mike Maddison Guy Ellis Threshold (12%) Target (40%) Max. (60%) Actual Weighting Outturn Weighting Outturn Adjusted operating profit – previous measure 1,2 , target for CEO and CFO £28.8m £31.0m £34.0m £31.1m 60% 40% 60% 40% Strategic The strategic targets were set individually for the Executive Directors based on key strategic objectives for the period in their area of responsibility – see below. 40% 40% 40% 40% Total payout (% of bonus) 100% 80% 100% 80% Bonus opportunity £653,125 £312,500 Total bonus for 12 months to 31 May 2024 £522,500 £250,000 Amount paid in cash (65%) £339,625 £162,500 Amount deferred in shares (35%) £182,875 £87,50 0 (Guy Ellis was appointed as CFO on 30 June 2023.) 1 Adjusted operating profit – previous measure represents operating profit before share-based payments, amortisation of acquired intangibles and Individually Significant Items. 2 Adjusted operating profit – previous measure is an Alternative Performance Measure (APM) and not an IFRS measure. (See Note 3 for an explanation of APMs and adjusting items.) 83 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Additional information in respect of the single total figure of remuneration continued Annual bonus (audited) continued Strategic targets – up to 40% of the 12 month bonus to 31 May 2024 (audited) The table below highlights the key strategic targets and achievements for each Executive Director. Bonus target ranges have been disclosed to the extent possible, but the achievement of some areas is determined by the Committee based on its judgement of performance. Bonus award (% of maximum total bonus) 31 May 2024 Target and performance conditions Outcome Weighting Outcome CEO targets Our clients Deeper client engagement on the most pressing Cyber Security needs. 10% 10% Our capabilities Broader service portfolio addressing the full Cyber Security lifecycle. 10% 10% Global delivery Transition from an international to a global business taking into consideration actions to progress NCC Group’s journey to achieve net zero before 2050. 10% 10% Differentiated brands Clear and relevant brands for Cyber Security and Escode to support separate and distinct growth strategies. 2.5% 2.5% People and operational excellence Improvement in colleague engagement and appropriate succession planning following new executive team appointments. Ensure operational efficiency programme is executed. 7.5% 7.5% CEO outcome 40% 40% CFO targets Our clients Step change in Investor Relations engagement. 5% 5% Our capabilities Establish Global Cyber Commercial Finance function. 10% 10% Global delivery Transition from an international to a global business taking into consideration actions to progress NCC Group’s journey to achieve net zero before 2050. 10% 10% People and operational excellence Improvement in colleague engagement and appropriate succession planning following new executive team appointments. 5% 5% Ensure operational efficiency programme is executed. 10% 10% CFO outcome 40% 40% For the four months ended 30 September 2024, bonuses of 100% of maximum were payable. The actual bonus awarded for the four months to 30 September 2024 to Mike Maddison was £233,895 and to Guy Ellis was £130,000 based on the achievement of the performance conditions set out below. 35% of each payment will be deferred into nominal cost share options for two years (these shares are not subject to any further performance conditions), with the remaining 65% paid in cash in December 2024. The performance measures and targets are set out below. Financial targets – 100% of the four month bonus to 30 September 2024 (audited) Participants Threshold Potential Payout of pro rata OTE Target Potential Payout of pro rata OTE Stretch Potential Payout of pro rata OTE Executive Directors £3.0m 33% £4.0m 67% £4.5m 100% Performance Targets Potential Payout Mike Maddison Guy Ellis Adjusted operating profit – previous measure 1,2 , target for CEO and CFO Threshold £3.0m 33% Target £4.0m 67% Stretch £4.5m 100% Actual £6.0m 100% 100% 1 Adjusted operating profit – previous measure represents operating profit before share-based payments, amortisation of acquired intangibles and Individually Significant Items. 2 Adjusted operating profit – previous measure is an Alternative Performance Measure (APM) and not an IFRS measure. (See Note 3 for an explanation of APMs and adjusting items.) (Given the short time period, and recognising that setting meaningful strategic targets for such a short timeframe would be challenging, the bonus for the four month period ended 30 September 2024 was based entirely on Group Adjusted operating profit – previous measure 1,2 .) Remuneration Committee report continued Annual Report on Remuneration continued 84 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Long Term Incentive Plan (LTIP) vesting (audited) Neither Mike Maddison nor Guy Ellis had any LTIP awards vesting during the 16 month period to 30 September 2024. (The awards made to Tim Kowalski are covered within payments to former Directors.) Executive Number of LTIP awards 1 Basis Performance period Tim Kowalski 40,630 150% of base salary 1 June 2021 to 31 May 2024 The performance conditions for these awards are set out below: Weighting Component Metric Threshold (15% vesting) Maximum (100% vesting) Actual performance Actual % vested Vesting basis 60% Adjusted basic EPS – previous measure 3,4 Average growth over a three year period 9% 20% (9.9%) 0% Straight line between threshold and maximum 30% Cash conversion – previous measure 3,5 Average cash conversion 3 ratio – previous measure over a three year period 70% 80% 97.7% 30% Straight line between threshold and target, then target and maximum 10% TSR TSR over three years vs FTSE 250 comparator group (excluding investment trusts) Median Upper quartile Below median 0% Straight line between threshold and maximum Total 30% Long-term incentives granted during the 16 month period to 30 September 2024 (audited) During the 16 month period to 30 September 2024, the Executive Directors were granted awards subject to the performance conditions set out below. The awards were as follows: October 2023 awards Executive Number of shares under awards 1 Basis Face value 2 Performance period Mike Maddison 822,368 175% of base salary £875,000 1 June 2023 to 30 September 2026 Guy Ellis 281,954 100% of base salary £300,000 1 June 2023 to 30 September 2026 The performance conditions for these awards are set out below: Proportion Component Metric Threshold (15% vesting) Target (50% vesting) Maximum (100% vesting) Vesting basis 40% Adjusted basic EPS – previous measure 3,4 CAGR growth over a three year period 6% n/a 18% Straight line between threshold and maximum 20% Cash conversion – previous measure 3,5 Average cash conversion ratio over three years 80% 85% 90% Straight line between threshold and target, then target and maximum 40% TSR TSR over – previous measure three years vs FTSE 250 comparator group (excluding investment trusts) Median n/a Upper quartile Straight line between threshold and maximum 1 LTIP awards are structured as nominal cost options. 2 Based on a share price of £1.064, which was the closing mid-market price of the Company’s shares on the day before the date of grant. 3 Adjusted basic EPS – previous measure 4 , cash conversion – previous measure 5 , and cash conversion ratio – previous measure, are Alternative Performance Measures (APMs) and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. 4 Adjusted basic EPS – previous measure, is statutory basic EPS before share-based payments, amortisation of acquired intangibles and Individually Significant Items and the tax effect thereon. 5 Cash conversion – previous measure ratio percentage of net cash flow from operating activities before interest and tax divided by Adjusted EBITDA – previous measure. 85 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Long-term incentives granted during the 16 month period to 30 September 2024 (audited) continued June 2024 awards As mentioned in the introductory letter, awards have historically been granted annually in October; in future, with the change of year end, awards will be granted in January. To allow for the transition between grants, the Committee proposed that the 2024 awards should be uplifted by four months. It also proposed that the award basis be increased by 50% of salary (“stretch awards”) for each Director, as proposed in the new Policy and subject to shareholder approval at the 2025 AGM. The 50% uplift is subject to stretch performance criteria. No further awards will be made until January 2026. This period’s awards were as follows: Executive Number of shares under awards 1 Basis Face value 2 Performance period Mike Maddison 1,140,954 225% of 16 months’ salary £1,684,050 1 June 2024 to 30 September 2027 Guy Ellis 563,685 200% of 16 months’ salary £832,000 1 June 2024 to 30 September 2027 The performance conditions for these awards are set out below: Proportion Component Metric Threshold (20% vesting) Normal maximum (maximum vesting for standard awards) 6 Stretch target (maximum vesting for stretch awards) 7 Vesting basis 30% Adjusted basic EPS – new measure 3,4 Growth of Adjusted EPS over a three year period 6.0p 7.0p 8.5p Straight line between these points 20% Cash conversion – new measure 3,5 Average cash conversion ratio over three years 85% 90% 95% Straight line between these points 50% TSR TSR over three years vs FTSE 250 comparator group (excluding investment trusts) Median Upper quartile Above 90% Straight line between these points 1 LTIP awards are structured as nominal cost options. (Awards were granted on a 16/12ths basis to take account of the 40 month performance period arising from the change to the financial year end) and to allow for the ease of transition between grants. 2 Based on a share price of £1.476, which was the closing mid-market price of the Company’s shares on the day before the date of grant. 3 Adjusted basic EPS – new measure, cash conversion – new measure, and cash conversion ratio – new measure are Alternative Performance Measures (APMs) and not IFRS measures. See Note 3 for an explanation of APMs and adjusting items. 4 Adjusted basic EPS – new measure is statutory basic EPS before Individually Significant Items and the tax effect thereon. 5 Cash conversion – new measure is the ratio percentage of net cash flow from operating activities before interest and tax divided by Adjusted EBITDA – new measure. 6 Standard award relates to 887,409 shares for the CEO and 422,764 shares for the CFO. 7 Stretch award relates to 253,545 shares for the CEO and 140,921 shares for the CFO. (Subject to shareholder approval.) SAYE options granted in the period ended 30 September 2024 (audited) The Group operates an HMRC-approved SAYE scheme. All eligible colleagues, including Executive Directors, may be invited to participate on similar terms for a fixed period of three years. During the period, Mike Maddison joined the 2024 SAYE scheme (which will mature on 1 June 2027) and has options over 18,699 shares with an option price of £0.992. No awards vested this period. Payments for loss of office and to past Directors (audited) As disclosed last year, Tim Kowalski stepped down as CFO on 30 June 2023. He was not eligible for a bonus in the 16 month period ended 30 September 2024 and did not receive any further grants of long-term incentives. In June 2023, Tim Kowalski’s departure was announced and his contractual six month notice period commenced. Tim’s base salary continued to be paid during his notice period in monthly instalments (total £166,000), together with fringe benefits (total £5,000) (including pension payments in lieu of pension contributions (total £7,000)) while he remained a colleague. Annual Bonus Tim was not eligible for a bonus for the financial period beginning 1 June 2023. Deferred annual bonus awards The 2021 deferred bonus plan award vested as normal in October 2023. In accordance with the Directors’ Remuneration Policy, the Remuneration Committee exercised its discretion to allow the 2022 and 2023 awards to vest at the termination date, as performance for these awards was assessed previously in respect of the relevant bonus year. Shares vesting from the 2022 and 2023 awards are subject to the post-employment shareholding policy (see below). Long Term Incentive Plan (LTIP) awards Tim did not receive a 2023 LTIP grant. In respect of Tim’s existing LTIP awards, these were all pro-rated until the end of his notice period. The LTIP awards made in November 2021 (with a performance period of 1 June 2021–31 May 2024) will vest in December 2024. Tim Kowalski was a beneficiary of these and achieved a vesting of 30% of the award of 135,434 shares, being 40,630 shares (the original number of shares granted was 192,099 shares which was pro-rated for service). (The Committee is satisfied that the formulaic outcomes are appropriate and that they reflect performance over the performance period.) The three month average share price to 30 September 2024 was £1.56; therefore, the overall value of the shares was £63,000. The share price on the date of grant was £2.40, therefore (£0.84) was due to share price depreciation. These awards are subject to the post-employment shareholding guideline. Remuneration Committee report continued Annual Report on Remuneration continued 86 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 In the year ended 31 May 2023, 28,762 shares vested to Tim Kowalski which had a performance period ending on 31 May 2023. The share price on the date of vesting was £1.06; therefore, the award had an overall value of £30,000. The share price on the date of grant was £2.94, therefore, (£1.88) was due to share price depreciation. The two year post-vesting holding period applies to all LTIPs. Post-employment shareholding requirements The two year post-employment shareholding requirement, under the Directors’ Remuneration Policy, which came into effect from November 2021, applies to the 2021 and 2022 LTIPs and the 2022 and 2023 deferred annual bonus plan awards. Other Tim was reimbursed £6,000 (including VAT) for legal costs and £500 in respect of his non-compete agreement, and £30,000 (including VAT) for outplacement and transition support. Directors’ interests in shares (audited) The tables below set out details of the Executive Directors’ outstanding share awards, which will vest in future years subject to performance conditions and/or continued service. Summary of maximum LTIP awards outstanding Total LTIP options held at 31 May 2023 1 Granted during the period Exercised during the period Share price on date of exercise Lapsed during the period Total LTIP options held at 30 September 2024 1 Mike Maddison 436,408 1,963,322 — n/a — 2,399,730 Guy Ellis — 845,639 — n/a — 845,639 1 Includes only unvested and unexercised LTIP options. All awards granted under the LTIP are subject to continued employment and the satisfaction of the performance conditions as set out above. The awards were all nil-cost options. Share ownership (audited) The beneficial and non-beneficial interests of the current Directors in the share capital of NCC Group plc at 30 September 2024 are set out below. (Details of Executive Director shareholding requirements and achievement against these are set out on page 88.) Beneficial interests in ordinary shares 1 Nil-cost options subject to performance 2 SAYE options 3 Deferred bonus nil-cost options 4 Vested but unexercised nil-cost options Special Replacement Award 5 Total 30 Sept 2024 31 May 2023 30 Sept 2024 31 May 2023 30 Sept 2024 31 May 2023 30 Sept 2024 31 May 2023 30 Sept 2024 31 May 2023 30 Sept 2024 31 May 2023 30 Sept 2024 31 May 2023 Chris Stone 712,843 162,843 — — — — — — — — — — 712,843 162,843 Mike Maddison 148,063 — 2,399,730 436,408 18,699 14,269 130,190 — — — — 222,222 2,696,682 672,899 Guy Ellis 8 3,533 — 845,639 — — — 70,901 — — — — — 920,073 — Tim Kowalski 7 147,197 147,197 — 440,956 — 14,269 — 66,921 — 28,764 — — 147,197 698,107 Chris Batterham 6 55,000 55,000 — — — — — — — — — — 55,000 55,000 Julie Chakraverty 63,914 20,249 — — — — — — — — — — 63,914 20,249 Jennifer Duvalier 19,115 19,115 — — — — — — — — — — 19,115 19,115 Mike Ettling 50,000 50,000 — — — — — — — — — — 50,000 50,000 Lynn Fordham 50,000 25,000 — — — — — — — — — — 50,000 25,000 1 This information includes holdings of any connected persons. 2 These awards represent the outstanding LTIP interests, included in the table above, which are due to vest after 30 September 2024. 3 Representative SAYE scheme interests, which will vest after the end of the three year savings period in 2027. 4 Nominal cost share options granted under the deferred bonus plans, subject to a service condition, tax and National Insurance. (For Guy Ellis, awards made under the Restricted Share Plan of 14,450 shares made prior to his promotion to CFO are also included in this figure.) 5 Relates to the Special Replacement Award granted to replace remuneration at previous employment. The award was subject to a service condition. 6 Chris Batterham stepped down as a Director on 30 November 2023. At that time he held 55,000 shares. 7 Tim Kowalski stepped down as a Director on 30 June 2023. At that time he held 147,197 shares. 8 Guy Ellis was appointed as a Director on 30 June 2023 hence no shareholding is shown as at 31 May 2023. 87 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Share ownership (audited) continued Following the period ended 30 September 2024, the following Directors dealt shares. The number of shares traded are shown below: • On 7 October 2024, Mike Maddison purchased 521 shares at £1.688 by reinvesting his dividends • On 17 October 2024, Mike Maddison and Guy Ellis purchased 90 and 45 shares respectively at £1.6787 within the UK Share Incentive Plan • On 4 October 2024, Mike Maddison purchased 42 shares and Guy Ellis purchased 15 shares, both at £1.72 by reinvesting dividends within the UK Share Incentive Plan • On 11 October 2024, Guy Ellis sold 2,614 shares (held at 30 September 2024) at £1.656, along with 7,634 shares (again at £1.656) from the exercise of a Restricted Share Plan awards made prior to his promotion to CFO • On 18 November 2024, Mike Maddison and Guy Ellis purchased 94 and 47 shares respectively at £1.586 within the UK Share Incentive Plan Shareholding requirements (audited) The Executive Directors are expected to build and retain a shareholding in the Group equivalent to at least 200% of base salary. Executives will normally be required to retain all vested deferred bonus shares and LTIP shares released from the holding period, until they have attained the minimum shareholding requirement and, even then, only when they have held vested LTIP shares for a minimum period of two years. Executive Directors will also be required to retain all shares vesting from SAYE schemes. For the avoidance of doubt, Executive Directors are permitted to sell sufficient shares in order to meet any tax obligation arising from vesting shares. The table below sets out the Executive Directors’ shareholding requirements and achievement against these. The percentages within this table have been calculated using a three month average share price (1 July 2024 to 30 September 2024) of £1.56 and include Mike Maddison’s vested Special Award of 117,515 shares, and all unvested deferred bonus plans on a net of tax and National Insurance basis. Shareholding requirements (% of salary) Shareholding as at 30 September 2024 (% of salary) Requirement met Mike Maddison 200% 60% No Guy Ellis 200% 21% No Relative importance of the spend on pay The table below shows the percentage change in total remuneration paid to all colleagues compared to the total dividends (including those recognised but not yet paid as of 30 September 2024) in the current and previous financial periods. 30 September 2024 £m 31 May 2023 £m % change Colleague remuneration costs 1 283.6 236.9 19.7% Dividends 2 24.3 14.5 67.6% 1 Based on the figure shown in Note 6 to the consolidated Financial Statements. 2 During the period ended 30 September 2024, a total of £14.5m was paid out in dividends to shareholders, as detailed in Note 9 of the consolidated financial statements, excluding the proposed final dividend for 2024. Additionally, a dividend of £9.8m was recognised but not yet paid as at the period end, reflecting the Company’s continued commitment to returning value to its shareholders. Percentage change in the remuneration of Directors The table below shows the movement in the salary or fees, benefits and annual bonus for each Director over the last three financial years compared to the equivalent changes for all colleagues of the Company. The comparator group for salaries and benefits is all colleagues in the UK – there were no benefit policy changes in this time. There are no employees of NCC Group plc. The comparator group for the bonus is those in the senior management population who also have an annual scheme and excludes those on commission and incentive plans. Remuneration Committee report continued Annual Report on Remuneration continued 88 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 % increase in salary % increase in benefits % increase in annual bonus 2023/24 2023/24 2023/24 Director 2020/21 2021/22 2022/23 (12 months) (16 months) 2020/21 2021/22 2022/23 (12 months) (16 months) 2020/21 2021/22 2022/23 (12 months) (16 months) Chris Stone (5.0%) 14.0% 3.0% — — — — — — — — — — — — Mike Maddison (CEO) — — — 16.5% 18.6% — — — 1,000.0% 950.0% — — — 1,241.0% 1,841.0% Guy Ellis (CFO) — — — — — — — — — — — — — — — Adam Palser 3.0% 3.0% (95.0%) — — — (25.0%) (92.0%) — — 303.0% (33.0%) — — — Tim Kowalski 1.0% 8.0% 8.0% (92.0%) (94.0%) — (10.0%) (54.0%) (84.6%) (88.5%) 341.0% (17.0%) (90.0%) — — Chris Batterham (6.0%) 24.0% (4.0%) — — — — — — — — — — — — Julie Chakraverty — — 225.0% 9.0% 9.6% — — — — — — — — — — Jennifer Duvalier 2.0% 29.0% 2.0% — — — — — — — — — — — — Lynn Fordham — — — 45.7% 46.7% — — — — — — — — — — Mike Ettling (8.0%) 20.0% 2.0% — — — — — — — — — — — — All colleagues 5.1% 5.1% 7.9% 6.7% 7.4% — — — — — 1.0% (40.0%) (89.0%) 412.0% 561.0% The decrease and subsequent increase of NED fees in 2020/21 and 2021/22 are the results of the removal and reintroduction of the travel allowance and a review of NED fee levels. The travel allowance was removed in 2020/21 due to the lower levels of travel resulting from the reaction to the pandemic and then was reintroduced in 2021/22. The combination of these factors results in changes which are not reflective of changes to NED fee levels. The changes are also affected by the comparison of fees for a full year to fees for a part year when a Director joins or leaves. The increase for the CEO’s salary has been explained within the Committee Chair’s opening statement. The significant increase in CEO bonus from the previous year was caused by the 2022/23 bonus paying out at a very low level, with the 2023/24 bonus being paid out at a much higher level. For the 2023/24 16 month comparison, this has been annualised to provide a meaningful comparison to the prior year. To note that for the 2022/23 year, Mike Maddison (CEO) joined on 7 July 2022 hence the 2022/23 year is not a full year for comparison purposes. To note that for the 2023/24 year, Guy Ellis (CFO) was appointed on 30 June 2023 hence the 2023/24 period is not a full year for comparison purposes and there is no prior year comparator. Chief Executive pay compared to pay of UK colleagues The following table shows the ratio between the single total figure of remuneration (STFR) of the Chief Executive for 2023/24 and the lower quartile, median and upper quartile pay of our UK colleagues. The salary and total pay and benefits for the lower quartile, median and upper quartile colleagues are also shown. Total pay ratio Financial year Method 25th percentile pay ratio 50th percentile pay ratio 75th percentile pay ratio 2019/20 Option B 18:1 12:1 8:1 2020/21 Option B 27:1 18:1 11:1 2020/21 Option C 26:1 16:1 12:1 2021/22 Option C 23:1 14:1 10:1 2022/23 Option C 22:1 14:1 10:1 2023/24 Option C 25:1 16:1 11:1 2023/24 (16 months) Option C 26:1 17:1 11:1 12 months to 31 May 2024 Mike Maddison, CEO 25th percentile 50th percentile 75th percentile Salary (£000) 523 36 47 90 Total pay and benefits (£000) 1,081 44 68 101 16 months to 30 September 2024 Mike Maddison, CEO 25th percentile 50th percentile 75th percentile Salary (£000) 710 49 63 120 Total pay and benefits (£000) 1,513 58 90 134 89 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Chief Executive pay compared to pay of UK colleagues continued CEO pay ratio The CEO pay ratio has been calculated using Option C, which we deem the most appropriate methodology for NCC Group. Under Option C, we have used the most recent P60 information (for the 2023/24 tax year) to determine the relevant colleague at the 25th, 50th and 75th percentile. As such the data was correct as of 5 April 2024. As in prior years, we have omitted joiners and leavers from the data to ensure that the data is on a like-for-like basis. This option was chosen in preference to the other possibilities as it uses the most accurate and comprehensive data currently available and provides a fair reflection of the total pay received by colleagues. We are satisfied that the applicable colleagues chosen are a fair representation of the workforce. The CEO pay ratio has marginally increased due to the fact that the CEO had a higher than workforce average pay increase for the reasons explained within the Committee Chair’s opening statement. The pay ratio is consistent with the pay, reward and progression policies currently in place at NCC Group. Performance graph and table The following graph shows the total shareholder return, with dividends reinvested, from 1 June 2014 against the corresponding changes in a hypothetical holding in shares in both the FTSE All Share and FTSE 250 Indices. The FTSE All Share and FTSE 250 Indices represent broad equity indices. The Company is a constituent member of the FTSE 250 and FTSE All Share Index and the Committee has adopted the FTSE 250 Index for part of its LTIP performance measure. Both indices give a market capitalisation-based perspective. During the financial period ended 30 September 2024, the Company’s share price varied between £0.863 and £1.782 and ended the financial year at £1.782. Ten year historical TSR performance is the growth in the value of a hypothetical £100 holding over ten years. It has been calculated for NCC Group plc and the FTSE All Share, FTSE 250 and FTSE Small Cap Indices (excluding investment trusts) based on spot values. 200 150 100 50 0 2015 20162014 2017 2018 All years ended 31 May with exception of 2024 which was a 16 month period to 30 September 2024. 2019 2020 2021 2022 2023 2024 £100 £121 £168 £98 £129 £103 £101 £192 £62 £143 £129 NCC Group plc FTSE All Share Index FTSE 250 (excluding investment trusts) FTSE Small Cap (excluding investment trusts) Value (£) The share price was £0.913 on 1 June 2023 and £1.782 on 30 September 2024. The table below shows the total remuneration for the Chief Executive over the same ten year period, including share awards valued at the date they vested. Period ended 1,2,3,4 Incumbent Total remuneration £000 Annual bonus % of maximum 5 Long-term incentives % of maximum 6 31 May/30 September 2024 Mike Maddison 1,081/1,513 80/100 — 31 May 2023 1 Mike Maddison 1,005 7.5 — 31 May 2023 2 Adam Palser 26 — 30 31 May 2022 Adam Palser 1,081 60 59 31 May 2021 Adam Palser 1,110 92 40 31 May 2020 Adam Palser 861 23 52 31 May 2019 Adam Palser 679 48 — 31 May 2018 3 Adam Palser 292 3 32 — 31 May 2018 4 Brian Tenner 257 4 32 — 31 May 2017 Rob Cotton 610 — — 31 May 2016 Rob Cotton 1,091 70 20 31 May 2015 Rob Cotton 993 73 15 1 Mike Maddison was appointed on 7 July 2022. The amount above is in respect of the period from 7 July 2022 to 31 May 2023. Mike Maddison was not eligible for long-term incentives vesting in 2023 and 2024. However, LTIP awards vested at 30% and 30% in 2023 and 2024 respectively. 2 Adam Palser stepped down from the Board on 17 June 2022. The amount above is in respect of the period from 1 June 2022 to 17 June 2022. 3 Adam Palser was appointed on 1 December 2017. The total remuneration figure above is in respect of the period from 1 December 2017 to 31 May 2018. 4 During the year ended 31 May 2018, Brian Tenner acted as Interim Chief Executive Officer for the period 1 June 2017 to 30 November 2017. The total remuneration figure above is the total remuneration received in relation to that six month period. 5 Note that this shows the annual bonus payments as a percentage of the maximum opportunity. (For 2024, 80% relates to the 12 months to 31 May 2024, and 100% relates to the four months to 30 September 2024. Two figures are shown due to the change in financial year end and the 16 month financial period.) 6 This shows the LTIP vesting level as a percentage of the maximum opportunity. Remuneration Committee report continued Annual Report on Remuneration continued 90 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Membership and attendance The Remuneration Committee membership consists solely of Non-Executive Directors and comprises Jennifer Duvalier, Julie Chakraverty and Lynn Fordham. The Company Chair, Chief Executive Officer, Group Director of Finance, Chief People Officer, Director of Reward and Benefits and Company Secretary attend the Remuneration Committee meetings by invitation of the Chair of the Committee from time to time and assist the Committee with its considerations. No Director is involved in setting their personal remuneration. The attendance of individual Committee members at Remuneration Committee meetings is shown within the table on page 59. Committee effectiveness During the period, the Remuneration Committee carried out an internally facilitated evaluation of its effectiveness and a number of recommendations were made. The Committee was found to be working effectively with a number of recommendations made. Further information can be found on pages 63 and 64 Adviser to the Committee During the period, the Committee received advice on senior executive remuneration from Mercer and was comfortable that the advice was objective and independent. Mercer was appointed via an open tender process. Mercer is a founding member of the Remuneration Consultants Group and is a signatory to its Code of Conduct. The total fee charged in 2023/24 for providing advice in relation to executive remuneration was £98,000, with fees being determined on a time and expenses basis. At the end of FY23, the Committee made the decision to move the executive remuneration advisory relationship to Mercer, which also provides below-Board reward advice to NCC Group. This change allows the upcoming executive remuneration policy review to be linked in with other reward workstreams in the Group. Service contracts and letters of appointment The service contracts and letters of appointment of the current Directors include the following terms: Date of contract Notice period Executive Mike Maddison 28 April 2022 12 months Guy Ellis 30 June 2023 6 months Non-Executive Chris Stone 31 March 2017 3 months Julie Chakraverty 27 October 2021 3 months Jennifer Duvalier 25 April 2018 3 months Mike Ettling 21 September 2017 3 months Lynn Fordham 19 July 2022 3 months Dilution The LTIP has a dilution limit, for new and treasury shares, of 10% of the issued ordinary share capital of the Company in any ten year period for any share option scheme operated by the Company. As at 30 September 2024, the Company had utilised 22,262,996 (2023: 20,304,107) ordinary shares through LTIP, DABS, SAYE, CSOP, ISO, RSP and ESPP awards counting towards the 10% limit, which represents 7.08% (2023: 6.51%) of the issued ordinary share capital of the Company. To clarify, this figure of 7.08% includes both discretionary and all-colleague share schemes. How will the Remuneration Policy be implemented in the year ending 30 September 2025? Executive Directors’ base salaries Increases were made to the base salaries of both Executive Directors for the period ended 30 September 2024. The table below details the Executive Directors’ salaries as at 30 September 2024 and salaries which are in force on 1 October 2024, with the next review of salaries being January 2025, in line with the wider workforce. Base salary at 30 September 2024 £000 Base salary at 1 October 2024 £000 % change Chief Executive Officer – Mike Maddison 561 561 0% Chief Financial Officer – Guy Ellis 312 312 0% Pension Pensions will remain aligned with the level for other colleagues. 91 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Annual bonus The annual bonus maximum in 2024/25 will be 125% of salary for the Chief Executive Officer and 125% for the Chief Financial Officer, with 60% based on the achievement of Adjusted operating profit targets and 40% based on the achievement of strategic targets as outlined on page 84. These targets are commercially sensitive and will be disclosed in the next annual report. Awards will also be subject to the Committee’s assessment of the overall financial health of the business. In addition, to ensure that this bonus opportunity results in shareholder alignment and provides greater retention value, 35% of any bonus payment will be deferred into nominal cost share over £50,000 for a period of two years. The bonus, nominal cost share options and associated dividend equivalents are also subject to malus and clawback provisions. Long Term Incentive Plan (LTIP) LTIP awards were granted in June 2024. It is intended that no further awards will be made under the LTIP scheme for the year ending 30 September 2025, with the next round of LTIP awards expected to be made in January 2026 during the financial year ending 30 September 2026, which will be for performance period 1 October 2025 to 30 September 2028. Non-Executive Directors’ fees In line with the current Policy, Non-Executive Director fees are reviewed annually. The last increase was applied on 1 June 2022, and following the annual review in 2022, fees were increased as set out in the table below. A review was carried out of Non-Executive Directors’ fees during the period for 2023/24 and the decision was taken not to increase them and review the matter again in the financial year ending 30 September 2025: FY24/25 FY23/24 Chair fee (excluding travel allowance of £8,200) £154,500 £154,500 Non-Executive Director base fee (excluding travel allowance of £4,750) £51,500 £51,500 Supplemental fees for additional responsibilities: SID £10,000 £10,000 Audit Committee Chair £11,000 £11,000 Remuneration Committee Chair £11,000 £11,000 Cyber Security Committee Chair £8,000 £8,000 Designated NED for colleague engagement £11,000 £11,000 Statement of shareholder voting The following votes were received from the shareholders in respect of the Directors’ Remuneration Report and in respect of the Remuneration Policy: Remuneration Report (2023 AGM) Remuneration Policy (2021 AGM) Total number of votes % of votes cast Total number of votes % of votes cast For 1 206,893,530 84.86 217,981,169 87.43 Against 36,926,077 15.14 31,344,728 12.57 Total votes cast (for and against excluding withheld votes) 243,819,607 249,325,897 Votes withheld 2 5,772 3,296,572 Total votes cast (including withheld votes) 243,825,379 252,622,469 1 Includes Chair’s discretionary votes. 2 A vote withheld is not a vote in law and is not counted in the calculation of the proportion of votes cast “for” and “against” a resolution. Approved by the Board and signed on its behalf: Jennifer Duvalier Chair, Remuneration Committee 10 December 2024 Remuneration Committee report continued Annual Report on Remuneration continued 92 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Overall approach to remuneration The Remuneration Committee determines the Company’s policy on the remuneration of the Executive Directors and (from 1 June 2019) the Executive Committee (ExCom). The principles which underpin the Remuneration Policy for the Company are to: • Ensure Executive Directors’ rewards and incentives are directly aligned with the interests of the shareholders in order to reinforce the strategic priorities of the Group, optimise the performance of the Group and create long-term sustained growth in shareholder value, without encouragement to take undue risk • Provide the level of remuneration required to attract, retain and motivate Executive Directors and senior executives of an appropriate calibre • Ensure a proper balance of fixed and variable performance related components, linked to short and longer-term objectives and delivered in a mix of cash and shares • Reflect market competitiveness, taking account of the total value of all the benefit elements Our remuneration strategy has been designed to reflect the needs of a complex multinational organisation, which has grown both organically and by acquisition. Remuneration for the Executive Directors is structured so that the variable pay elements (annual bonus and long-term incentives) form a significant proportion of the overall package. This provides a strong link between the remuneration paid to Executive Directors and the performance of the Group, as well as providing a strong alignment of interest between the Executive Directors and shareholders. As a reminder, the following table summarises how our 2025–2028 shareholder-approved Remuneration Policy is aligned with the factors set out in provision 40 of the 2018 UK Corporate Governance Code. Code requirements How the Policy aligns Clarity – remuneration arrangements should be transparent and promote effective engagement with shareholders and the workforce The Committee is committed to providing transparent disclosures to shareholders and the workforce about executive remuneration arrangements and, to this end, the Directors’ Remuneration Report sets out the remuneration arrangements for the Executive Directors in a clear and transparent way. Our designated Non-Executive Director for colleague engagement engages with colleagues about our executive remuneration approach. Our AGM allows shareholders to ask any questions on the remuneration arrangements, and we welcome any queries on remuneration practices from shareholders throughout the period. Simplicity – remuneration structures should avoid complexity and their rationale and operation should be easy to understand Our remuneration arrangements for Executive Directors, as well as those throughout the Group, are simple in nature and understood by all participants, having been operated in a similar manner for a number of years. Executive Directors receive fixed pay (salary, benefits and pension) and participate in a single short-term incentive (the annual bonus) and a single long-term incentive (the Long Term Incentive Plan). Risk – remuneration arrangements should ensure reputational and other risks from excessive rewards, and behavioural risks that can arise from target-based incentive plans are identified and mitigated The Committee has designed incentive arrangements that do not encourage inappropriate risk taking. The Committee retains overarching discretion in both the annual bonus and LTIP schemes to adjust payouts where the formulaic outcomes are not considered reflective of underlying business performance and individual contributions. Robust withholding and recovery provisions apply to variable incentives. Predictability – the range of possible values of rewards to individual Directors and any other limits or discretions should be identified and explained at the time of approving the Policy Payouts under the annual bonus and LTIP schemes are dependent on the performance of the Company over the short and long term, and a significant proportion of Executive Director remuneration is performance linked. These schemes have strict maximum opportunities, with the potential value at threshold, target and maximum performance scenarios provided in the Directors’ Remuneration Report. Proportionality – the link between individual awards, the delivery of strategy and the long-term performance of the Company should be clear. Outcomes should not reward poor performance Payments from variable incentive schemes require strong performance against challenging conditions over the short and longer term. Performance conditions have been selected to support Group strategy and consist of both financial and non-financial metrics. The Committee retains discretion to override formulaic outcomes in both schemes to ensure that they are appropriate and reflective of overall performance. Alignment to culture – incentive schemes should drive behaviours consistent with Company purpose, values and strategy Performance measures used in our variable incentive schemes are selected to be consistent with the Company’s purpose, values and strategy. The use of annual bonus deferral, LTIP holding periods and our shareholding requirements provide a clear link to the ongoing performance of the Group and ensure alignment with shareholders, which continues after employment. 93 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Proposed Policy table for Executive Directors This Policy, if approved, will take effect from the date of the 2025 AGM on 28 January 2025. It will be binding for a 3 year period. Purpose and link to short and long-term strategic objectives Operation (including framework to assess performance) Maximum opportunity Changes since last Directors’ Remuneration Policy Salary To attract, retain and reward high calibre Executive Directors The Remuneration Committee reviews salaries for Executive Directors and also the Executive Committee (ExCom) annually unless responsibilities change. Pay reviews take into account Group and personal performance. Salaries are set on appointment and benchmarked periodically against market data for companies operating in IT services, management consulting and relevant high tech sectors, which, although not directly comparable, provide an indicative range. In setting appropriate salary levels the Committee takes into account pay and employment conditions of colleagues elsewhere in the Group, alongside the impact of any increase to base salaries on the total remuneration package. Any changes are normally effective from 1 January each year. Details of current Executive Director salaries are set out on page 91. Salary increases are normally in line with those for other colleagues but also take account of other factors such as changes to responsibility, development and the complexity of the role. n/a Benefits To attract, retain and reward high calibre Executive Directors Benefits in kind currently include the provision of private medical insurance, income protection and life assurance. Executive Directors may be invited to participate in the Sharesave and SIP Schemes approved by HMRC or other benefits introduced for all colleagues. Market-competitive benefits. SAYE Sharesave and SIP Schemes subject to HMRC-approved limits. n/a Pension To provide a competitive benefit, which attracts high calibre Executives and allows flexible retirement planning to suit individual needs Executive Directors are entitled to a Company pension contribution, which is paid into the Group defined contribution personal pension scheme. They can also opt to have the same level of contribution made in the form of a cash contribution. 4.5% Company pension contribution (or payment in lieu of pension) (which is line with the majority of the workforce (currently 4.5%)). Annual bonus To drive and reward sustainable business performance Based on a range of stretching targets measured over one year. This might include, but not exclusively, profit measures and other strategic objectives such as cash management, brand development, customer satisfaction and retention, business unit sales growth and colleague engagement. In normal circumstances at least 60% of the bonus will be related to financial measures. Performance below the minimum performance target results in no bonus. No more than 20% of the maximum opportunity is paid for achievement of the threshold performance targets. Payments rise from the threshold payment to 100% of the maximum opportunity for levels of performance between the threshold and maximum targets. The rate of the rise and the various payment targets are determined annually by the Committee. The Committee has discretion to reduce the formulaic bonus outcome if individual performance is determined to be unsatisfactory or if the individual is the subject of disciplinary action. 35% of any bonus payment earned in excess of £50,000 is normally deferred into shares or nominal cost share options which vest after a two year period. At the discretion of the Remuneration Committee, dividend equivalents may be included. Malus and clawback provisions are in place for both cash and deferred elements. 125% of base salary. First £50,000 of any bonus will be paid in cash before any bonus deferral. Remuneration Committee report continued Directors’ Remuneration Policy 94 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Purpose and link to short and long-term strategic objectives Operation (including framework to assess performance) Maximum opportunity Changes since last Directors’ Remuneration Policy Long Term Incentive Plan To drive long-term performance in line with Group strategy and incentivise through share ownership Awards have a performance period of at least three years and normally must be held for a further two years after vesting. The level of vesting is determined by measures appropriate to the strategic priorities of the business. At least half of any award will normally be subject to financial performance measures. Measures might include, but not exclusively, EPS, cash flow and relative TSR metrics. The Remuneration Committee has the discretion to determine the number of measures and the actual performance measures to be used. Performance below the threshold target results in no vesting. For performance between the threshold target and maximum performance target, vesting starts at 20% and rises to 100% of the shares vesting. Should a change in control of the Group occur, crystallisation of any LTIP awards is within the discretion of the Remuneration Committee. Malus and clawback provisions are in place. At the discretion of the Remuneration Committee, dividend equivalents may be included. Normally awards over shares with a face value at grant of 175% of salary per annum for the CEO and awards of 150% of salary for the CFO. In exceptional circumstances, the maximum opportunity is 225% per annum for the CEO and 200% for the CFO. It is the Committee’s intention to only allow this for the 2024 awards with the normal maximum being used from 2025. The 2024 awards have a higher opportunity with a longer performance period to ease the transition between changing of financial year-ends. The additional 50% opportunity is subject to super stretch targets over and above the normal targets for the normal maximum of annual awards. Use of an exceptional maximum with additional 50% of salary opportunity for both the CEO and CFO for the 2024 awards only. Threshold increased from 15% to 20%. Executive Director shareholding requirement To align the interests of Executive Directors with the interests of all of the Company’s shareholders The Executive Directors are expected to build and retain a shareholding in the Group at least equivalent to 200% of base salary. Executives will be required to retain all vested deferred bonus shares and LTIP shares released from the holding period until they have attained the minimum shareholding requirement and even then they may normally only sell when they have held vested LTIP shares for a minimum period of two years. For the avoidance of doubt, Executive Directors are permitted to sell sufficient shares in order to meet any tax or withholding obligation arising from vesting shares. Retention of shares post-employment: Executives will be expected to retain the lower of their holding on cessation or 200% of salary for the first year following cessation, reducing to 100% of salary for the second year. n/a n/a Choice of performance measures and target setting For both the annual bonus and LTIPs, the objective of our Policy is to choose performance measures which help drive and reward the achievement of our strategy and which also provide alignment between Executives and shareholders. The Committee reviews metrics annually to ensure they remain appropriate and reflect the future strategic direction of the Group. Targets for each performance measure are set by the Committee with reference to internal plans and external expectations. Performance is generally measured so that incentive payouts increase pro rata for levels of performance in between the threshold and maximum performance targets. With regard to the annual bonus, the Remuneration Committee believes that a simple and transparent scheme with sufficiently stretching targets and an element of bonus deferral prevents short-term decisions being made and ensures that the Executives are focused on the delivery of sustainable business performance. With regard to the LTIP, the Committee believes in setting demanding objectives, which reward steady, progressive growth, in order to incentivise and encourage long-term growth and enhance shareholder value. Where in exceptional circumstances the maximum opportunity is increased, more demanding performance objectives will normally be set. Performance measures and targets are disclosed in the Annual Report on Remuneration. In cases where targets are commercially sensitive, for example annual profit targets for the annual bonus, they will normally be disclosed retrospectively in the period in which the bonus is paid. 95 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Differences in Remuneration Policy for colleagues and Executive Directors The principles behind the Remuneration Policy for Executive Directors are cascaded down through the Group and their aims are to attract and retain the best talent and to focus their remuneration on the delivery of long-term sustainable growth by using a mix of salary, benefits, bonus and longer-term incentives. As a result, no element of the Executive Director Remuneration Policy is operated exclusively for Executive Directors other than the post-employment shareholding policy: • The annual performance related pay scheme for Executive Directors is largely the same as that of the Executive Committee and other senior managers within the business and all are aligned with similar business objectives. • Participation in the LTIP is extended to the Executive Committee and other senior managers where possible although restricted shares rather than performance shares are typically granted at levels below the Executive Committee. • The pension scheme is operated for all permanent colleagues and from 1 December 2021 the Executive Directors received the same level of contribution as the majority of other colleagues. The main difference between pay for Executive Directors and colleagues is that, for Executive Directors, the variable element of total remuneration is greater while the total remuneration opportunity is also higher to reflect the increased responsibility of the role. In addition, we have the ability to grant awards of restricted shares to Executive Committee members. This will enable us to be competitive in certain markets, most notably the US, where such plans are very much part of any executive remuneration package. Non-Executive Director Policy table Purpose and link to short and long-term strategic objectives Operation (including framework to assess performance) Maximum opportunity Changes since last Directors’ Remuneration Policy Fees To attract, reward and retain experienced Non-Executive Directors Fees for the Non-Executive Directors are determined by the Board within the limits set by the Articles of Association and are based on information on fees paid in similar companies, taking into account the experience of the individuals and the relative time commitments involved. There will be separate disclosures of fees paid for chairing the Audit, Remuneration and Cyber Security Committees, and for acting as Senior Independent Director or for other additional responsibilities. Fees for the Non-Executive Directors are reviewed annually. Additional fees may be paid in certain circumstances such as taking on extra duties, or if exceptionally the time commitment is significantly increased. An expenses allowance is paid or alternatively any reasonable business related expenses (including tax thereon) can be reimbursed if determined to be a taxable benefit. Current fee levels are set out on page 92. The overall fee limit will be within the current £750,000 limit set out in the Company’s Articles of Association, approved on 25 September 2019, which is subject to increase on 25 September each year by the same percentage increase as the percentage increase in the General Index of Retail Prices for all items (or such other comparable index as may be substituted for it from time to time before such anniversary) in the 12 months immediately preceding such date. n/a Remuneration Committee report continued Directors’ Remuneration Policy continued 96 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Approach to recruitment The principle applied in the recruitment of a new Executive Director is for the remuneration package to be set in accordance with the terms of the approved Remuneration Policy for existing Executive Directors in force at the time of appointment. Further details of this Policy for each element of remuneration are set out below. Pay element Approach Areas of flexibility Salary Set to reflect the Executive’s skills and experience, the Company’s intended pay positioning and the market rate for the applicable role. The Committee will have the discretion to allow phased salary increases over a period of time for newly appointed Directors, even though this may involve increases in excess of the rate for the wider workforce and inflation in circumstances where starting salary was below median levels. Benefits and pension Benefits will be provided in line with those offered to other Executive Directors, taking account of local market practice, with relocation expenses or arrangements provided if necessary. Tax equalisation may also be considered if an Executive Director is adversely affected by taxation due to their employment with the Company. The Company may also pay legal fees and other costs incurred by the individual. These would all be disclosed. Pension would be set in line with the workforce level. Incentive opportunity The aggregate ongoing incentive opportunity offered to new recruits will be no higher than that offered under the annual bonus plan and the LTIP to the existing Executive Directors. Different performance measures and targets may be set initially for the annual bonus plan, taking into account the responsibilities of the individual and the point in the financial year at which they join. “Buyout” awards Sign-on bonuses are not generally offered by the Group but, at Board level, the Committee may offer additional cash and/or share-based “buyout” awards when it considers these to be in the best interests of the Company and, therefore, shareholders, including awards made under Listing Rule 9.4.2R. Any such “buyout” payments would be based solely on remuneration lost when leaving the former employer and would reflect the delivery mechanism such as cash, shares, options, time horizons and performance requirements attaching to that remuneration. Transitional arrangements for internal appointments to the Board In the case of an internal appointment, any variable pay element awarded in respect of the prior role may be allowed to pay out according to its terms on grant, adjusted as relevant to take into account the appointment. In addition, any other ongoing remuneration obligations existing prior to appointment may continue, provided that they are put to shareholders for approval at the first AGM following their appointment. Approach to service contracts and letters of appointment The Committee’s policy is to offer service contracts for Executive Directors with notice periods of between six and 12 months exercisable by either party. In addition, the Executive Directors are subject to a non-compete clause from the date of termination, where enforceable. All Non-Executive Directors’ appointments are terminable on at least three months’ notice on either side. The Executive Directors and Non-Executive Directors offer themselves for re-election at the AGM every year. 97 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Policy on payment for loss of office Payments on termination for Executive Directors are restricted to the value of salary and contractual benefits for the duration of the notice period. It is the policy of the Remuneration Committee to seek to mitigate termination payments and pay what is due and fair. There are no predetermined special provisions for Executive Directors with regard to compensation in the event of loss of office. The Company may also pay an amount considered to be reasonable by the Committee where loss of office is due to redundancy or in respect of fees for legal advice for the outgoing Director or to settle or compromise any legal claims. Assistance with outplacement may also be provided. Elements of variable remuneration would be treated as follows: Pay element Approach Areas of flexibility Annual bonus Determined on a case-by-case basis. When the Committee determines that the payment of an annual bonus is appropriate, the annual bonus payment is typically: • Pro-rated for the period of time served from the start of the financial year to the date of termination and not for any period in lieu of notice or garden leave • Subject to the normal bonus targets, tested at the end of the period, and would take into account performance over the notice period • Subject to deferral of 35% of the value, in line with Policy The Committee has the discretion to pay cash bonus amounts in lieu of deferred bonuses in appropriate circumstances. Deferred bonuses will ordinarily be forfeited by leavers but for Good Leavers (defined as ill-health, injury or disability, the Participant’s employing company ceasing to be a Group Company or any other reason at the Committee’s discretion), the Committee may allow deferred bonus awards to vest on at the normal vesting date or on exit. If the Committee exercises this discretion, it can also determine if the vesting should be pro-rated to reflect time served since the beginning of the deferral date. The same discretionary principle would apply to the payment of dividend equivalents on any shares that have been deferred, but not yet vested. Long Term Incentive Plan Unvested awards will normally lapse upon cessation of employment. For Good Leavers (defined as ill-health, injury or disability, the Participant’s employing company ceasing to be a Group Company or any other reason at the Committee’s discretion), the Committee has discretion to allow awards to vest at the normal vesting date or earlier. If the Committee exercises this discretion, awards are normally pro-rated to reflect time served since the date of grant and based on the achievement of the performance criteria. The holding period detailed above will apply to such incentives. All-colleague share schemes The Executive Directors, where eligible for participation in all-colleague share schemes, participate on the same basis as for other colleagues. None. Remuneration Committee report continued Directors’ Remuneration Policy continued 98 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Illustration of remuneration scenarios The charts below detail the hypothetical composition of each Executive Director’s remuneration package and how it could vary at different levels of performance under the new Remuneration Policy set out above. Chief Executive Officer Chief Financial Officer 3,000 2,500 2,000 1,500 1,000 500 0 100% 100% 52% 31% 17% 54% 31% 15% 26% 31% 43% 28% 33% 39% 21% 25% 54% 23% 28% 49% Minimum MinimumTarget TargetMaximum MaximumMaximum + 50% share price growth Maximum + 50% share price growth £592 £332 £1,140 £621 £2,276 £1,190 £1,424 Fixed pay Long-term incentives Annual bonus £000 £2,768 Note that the charts are indicative, as actual amounts may depend on share price; in addition, charts are based on a 12 month financial period and not the 16 month financial period. Assumptions made for each scenario are as follows: • Minimum. Fixed remuneration only: salary, benefits and pension. Salary based on 1 June 2024 salary and benefits based on 2023/24 disclosed benefit amounts. • Target. Fixed remuneration plus “target” annual bonus opportunity of 50% of maximum bonus opportunity for the Chief Executive Officer and the Chief Financial Officer, plus 20% vesting of the normal maximum award under the LTIP. NCC Group does not use the concept of a “target” bonus; however, in order to be fully compliant with the regulations, an assumption of 50% of the maximum for 2024/25 has been used. • Maximum. Fixed remuneration plus maximum annual bonus opportunity equivalent to 125% of salary for both the Chief Executive Officer and the Chief Financial Officer for 2024/25, as well as 100% vesting of the normal maximum award under the LTIP, being 175% of salary for the Chief Executive Officer and 150% of salary for the Chief Financial Officer. • Effect of a 50% increase in share price. Same assumptions as for the maximum scenario, but with the additional assumption that the value of LTIP awards increases by 50% as a result of share price appreciation over the performance period. Statement of consideration of employment conditions elsewhere in the Group The Remuneration Committee does not consult directly with colleagues when determining the Remuneration Policy for Executive Directors. However, as stated above, the annual bonus and LTIP are operated for other colleagues to ensure alignment of objectives across the Group and the terms of the pension scheme are comparable with the majority of the UK workforce. In addition, the Committee compares information on general pay levels and policies across the Group when setting Executive Director pay. Until 1 January 2022, Jennifer Duvalier and, from 1 January 2022, Julie Chakraverty have undertaken regular colleague engagement sessions where colleagues are able to ask about Executive Director pay. During the period no questions or concerns on executive pay were raised to Julie (please see page 62 for further information). How shareholder views are taken into account The Remuneration Committee considers shareholder feedback received on the Directors’ Remuneration Report each year and guidance from shareholder representative bodies more generally. Shareholders’ views are key inputs when shaping remuneration policy. When any material changes are proposed to the Remuneration Policy, the Remuneration Committee Chair will inform major shareholders in advance and will generally offer a meeting to discuss these. 99 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Key areas of discretion in the Remuneration Policy The Committee operates the Group’s variable incentive plans according to their respective rules and in accordance with HMRC rules where relevant. To ensure the efficient administration of these plans, the Committee will apply certain operational discretions. These discretions are implicit in the Policy stated above, but we have listed them for clarity. These include, but are not limited to, the following: • Selecting the participants in the incentive plans on an annual basis • Determining the timing of grants of awards and/or payments • Determining the quantum of awards and/or payments (within the limits set out in the Policy table) • Reviewing performance against annual bonus and LTIP performance metrics • Determining the extent of payout or vesting based on the assessment of performance • Making the appropriate adjustments required in certain circumstances, for instance for changes in capital structure • Determining “good leaver” status for incentive plan purposes and applying the appropriate treatment • Undertaking the annual review of weighting of performance measures and setting targets for the incentive plans, where applicable, from year to year • Discretion to override formulaic outcomes of the incentive schemes if an event occurs which results in the annual bonus plan or LTIP performance conditions and/or targets being deemed no longer appropriate (e.g. material acquisition or divestment); the Committee will have the ability to adjust appropriately the measures and/or targets and alter weightings, provided that the revised conditions are not materially less challenging than the original conditions • Discretion to override formulaic vesting outcomes if they are judged by the Committee not to be an accurate reflection of Company performance Legacy arrangements For the avoidance of doubt, in approving the Remuneration Policy, authority is given to the Company to honour any commitments entered into with current or former Directors before the current legislation on remuneration policies came into force or before an individual became a Director, such as the payment of outstanding incentive awards; even where it is not consistent with the Policy prevailing at the time, such commitment is fulfilled. Details of any payments to former Directors will be set out in the Annual Report on Remuneration as they arise. External directorships for Executive Directors Executive Directors may accept one external non-executive directorship with the prior agreement of the Board, provided it does not conflict with the Group’s interests and the time commitment does not impact upon the Executive Director’s ability to perform their primary duty. The Executive Directors may retain the fee from external directorships. Neither of the Executive Directors currently undertake any external non- executive directorships. Remuneration Committee report continued Directors’ Remuneration Policy continued 100 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 The Directors present their report and the Group and Company Financial Statements of NCC Group plc (the “Company”) and its subsidiaries (together the “Group”) for the financial period ended 30 September 2024. Principal activities The Company is a public limited company incorporated in England, registered number 4627044, with its registered office at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ. The principal activity of the Group is the provision of independent advice and services to customers through the provision of Software Resilience and Cyber Security services. The principal activity of the Company is that of a holding company. Going concern At the time of approving the Financial Statements, the Board of Directors is required to formally assess that the business has adequate resources to continue in operational existence and as such can continue to adopt the ”going concern” basis of accounting. To support this assessment, the Board is required to consider the Group’s current financial position, its strategy, the market outlook, and its principal risks. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections. The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons. The Directors have prepared cash flow and covenant compliance forecasts for 12 months from the date of approval of the Financial Statements which indicate that, taking account of severe but plausible downsides on the operations of the Group and its financial resources, the Group will have sufficient funds to meet its liabilities as they fall due for that period. The going concern period is required to cover a period of at least 12 months from the date of approval of the Financial Statements and the Directors still consider this 12 month period to be an appropriate assessment period due to the Group’s financial position and trading performance and that its borrowing facilities do not expire until December 2026. The Directors have considered whether there are any significant events beyond the 12 month period which would suggest this period should be longer but have not identified any such conditions or events. The Group is financed primarily by a £162.5m multi-currency revolving credit facility maturing in December 2026. Under these banking arrangements, the Group can also request (seeking bank approval) an additional accordion facility to increase the total size of the revolving credit facility by up to £75m. This accordion facility has not been considered in the Group’s going concern assessment as it requires bank approval and is therefore uncommitted as at the date of approval of these consolidated Financial Statements. As of 30 September 2024, net debt (excluding lease liabilities) 1 amounted to £45.3m which comprised cash and cash equivalents of £29.8m, a bank overdraft of £13.6m and a drawn revolving credit facility of £61.5m, leaving £101.0m of undrawn facilities, excluding the uncommitted accordion facility of £75.0m. The Group’s day-to-day working capital requirements are met through existing cash resources, the revolving credit facility and receipts from its continuing business activities. The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA) 1 and interest cover (Adjusted EBITDA 1 to interest charge) that are tested bi-annually on 31 May and 30 November each year (following the change in the Group’s financial year end, these covenants will be tested bi-annually on 31 March and 30 September each year going forward). As of 30 September 2024, leverage amounted to 1.0x and net interest cover amounted to 8.8x compared to a maximum of 3.0x and a minimum of 3.5x respectively. The terms and ratios are specifically defined in the Group’s banking documents (in line with normal commercial practice) and are materially similar to amounts noted in these Financial Statements with the exceptions being net debt excludes IFRS 16 lease liabilities and Adjusted EBITDA 1 . The Group was in compliance with the terms of all its facilities during the period, including the financial covenants on 30 September 2024, and, based on forecasts, expects to remain in compliance over the going concern period. In addition, the Group has not sought or is not planning to seek any waivers to its financial covenants noted above. Management has prepared a base case model derived from the FY25 board-approved budget. In addition, management has produced forecasts that reflect severe yet plausible downside scenarios, taking into account the principal risks faced by the Group, including the loss of key customers and further reductions in the North America ‘TAS’ business. These forecasts, which have been reviewed by the Directors, lead them to believe that the Group can operate within its available committed banking facilities and meet its liabilities as they fall due during this period. The assumptions underpinning these forecasts (and severe yet plausible downside scenarios) are set out in more detail in the Viability Statement on page 39. Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, as well as factoring in the expected proceeds from the sale of Fox Crypto B.V. (see Note 18), the Directors are confident that the Group will have sufficient funds to meet its liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial Statements. This period is referred to as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s consolidated Financial Statements for the period ended 30 September 2024. Directors’ report The Directors present theirreport 1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 101 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Going concern continued From a Company perspective, the Company places reliance on other Group trading entities for financial support. The Company controls these Group entities and therefore has the ability to direct the financial activities of the Group. Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial Statements, which is determined as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the period ended 30 September 2024. There are no post-Balance Sheet events which the Directors believe will negatively impact the going concern assessment. Results and dividends The Group’s and Company’s audited Financial Statements for the financial period ended 30 September 2024 are set out on pages 112 to 173. The Directors propose a final dividend of 1.5p per ordinary share, which, together with the interim dividends of 3.15p and 1.5p per ordinary share paid on 4 October 2024 and 15 March 2024 respectively, makes a total dividend of 6.15p for the period ended 30 September 2024. The final dividend will be paid on 4 April 2025, subject to approval at the AGM on 28 January 2025, to shareholders on the register at the close of business on 21 February 2025. The ex-dividend date is 20 February 2025. Share capital and control At the AGM held on 30 November 2023, the Directors were granted authority to allot up to 104,042,900 ordinary shares representing approximately one-third of the Company’s issued share capital. In addition, the Directors were granted authority to allot a further 104,042,900 ordinary shares, again representing approximately one-third of the Company’s issued share capital, solely to be used in connection with a pre-emptive rights issue. As at 30 September 2024, the Company’s issued ordinary share capital comprised 314,524,630 ordinary shares with a nominal value of 1p each. During the period ended 30 September 2024, 2,395,738 shares in the Company were issued further to the exercise of options pursuant to the Company’s share option schemes. The holders of ordinary shares are entitled, among other rights, to receive the Company’s Annual Reports and Accounts, to attend and speak at general meetings of the Company, to appoint proxies and to exercise voting rights. Details of the movements of the called up share capital of the Company are set out in Note 27 to the Financial Statements and the information in this note is incorporated by reference and forms part of this Directors’ Report. All rights and obligations attaching to the Company’s ordinary shares are set out in the Company’s Articles of Association (the “Articles”), copies of which can be obtained from the Companies House website or by writing to the Company Secretary. Unless otherwise provided in the Articles, the terms of issue of any shares, any restrictions from time to time imposed by laws or regulations (for example insider trading laws) or pursuant to the UK Market Abuse Regulation whereby certain Directors, officers and colleagues of the Group require the approval of the Company to deal in ordinary shares of the Company, any shareholder may transfer any or all of their shares. The Company is not aware of any agreements between shareholders that may result in restrictions on the transfer of securities and/or voting rights. The Directors may refuse to register a transfer of shares in certificated form that are not fully paid up or otherwise in accordance with the Articles. Authority to purchase own shares At the AGM held on 30 November 2023, shareholders authorised the Company to make market purchases of up to 31,212,800 ordinary shares representing approximately 10% of the issued share capital. At the 2025 AGM, shareholders will be asked to give a similar authority. During the period, the Employee Benefit Trust purchased 4 million shares in connection with the Company’s employee share plans. Directors Biographical details of the Company’s current Directors are set out on pages 56 and 57 together with the names of Directors that have held office during the period. Subject to law and the Company’s Articles of Association, the Directors may exercise all of the powers of the Company and may delegate their power and discretion to Committees. The Company’s Articles of Association give the Directors power to appoint and replace Directors. Under the terms of reference of the Nomination Committee, any appointment to the Board of the Company must be recommended by the Nomination Committee for approval by the Board. The Articles of Association also require one-third of the Directors to retire by rotation each year end and each Director must offer themself for re-election at least every three years. However, in accordance with previous years and in accordance with best practice, all Directors will submit themselves for re-election at the AGM each year. During the period, no Director had any material interest in any contract of significance in the Group’s business. Directors’ report continued 102 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Directors’ and Officers’ insurance and indemnities The Company maintains Directors’ and Officers’ liability insurance, which provides appropriate cover for any legal action brought against its Directors (including those who served as Directors or Officers during 2023/24). This cover was in place throughout the financial period ended 31 September 2024 and up to the date of this Directors’ Report. The Directors of the Company have also entered into individual deeds of indemnity with the Company which constitute as qualifying third party indemnity provisions for the purposes of section 234 of the Companies Act 2006. The deeds were in effect during the course of the financial period ended 30 September 2024 for the benefit of the Directors and, at the date of this report, are in force for the benefit of the Directors in relation to certain losses and liabilities which they may incur (or have incurred) in connection with their duties, powers or office. Colleagues The Group uses a number of ways to engage with its colleagues on matters that impact them and the performance of the Group. These include briefings by members of the Executive Committee, regular team meetings, the Group’s intranet site, global communications and update emails which together provide, among other information, an awareness of the financial and economic factors affecting the Company’s performance. Further information on how the Directors engage with colleagues along with how colleague interests are taken into account during decision making can be found within the Corporate Governance Report on pages 52 to 66. We also conduct colleague engagement surveys to ensure all colleagues are given a voice in the organisation. We offer colleagues the opportunity to purchase ordinary shares in the Company through participation in either the Company’s Save As You Earn (SAYE) Scheme or Employee Stock Purchase Plan (ESPP). Colleagues in the UK also have the opportunity to purchases shares through a Share Incentive Plan (SIP). All these schemes help to encourage colleague interest in the performance of the Group. Business relationships with suppliers, customers and others The Directors have summarised how they have fostered the Company’s business relationships with suppliers, customers and others on pages 14 and 15. In addition, on page 59 the Directors have included the principal decisions taken by the Company during the financial year. Equal opportunities The Group is committed to providing equality of opportunity to all colleagues without discrimination and applies fair and equitable employment policies which seek to promote entry into and progression within the Group. Appointments are determined solely by application of job criteria, personal ability, behaviour and competency. In the opinion of the Directors, all colleague policies are deemed to be effective and in accordance with their intended aims. Disabled persons Disabled persons have equal opportunities when applying for vacancies, with due regard to their aptitudes and abilities. Procedures ensure that disabled colleagues are fairly treated in respect of training and career development. For those colleagues becoming disabled during the course of their employment, the Group is supportive so as to provide an opportunity for them to remain with the Group, wherever reasonably practicable. Political donations and expenditure NCC Group believes in the rights of individuals to engage in the democratic process; however, it is NCC Group’s policy not to make political donations. There were no political donations made or political expenditure incurred during the financial period ended 30 September 2024. We acknowledge the vote of “significant dissent” at the 2023 AGM, and we commented on the matter within the results of the AGM published on 30 November 2023, and we also published an update statement on our website on 5 July 2024, and also on the Investment Association’s Public Register on the same date. Although 21% of votes against were received, the Company acknowledges the 79% of shareholders who voted in favour of this resolution. To be clear, it is not the Company’s policy to make political donations, the Company has not made a political donation in the past, and the Company has no intention either now or in the future of changing its policy or making any political donation or incurring any political expenditure in respect of any political party, political organisation or independent election candidate. The resolution is put forward to allow the Company to support the community and put forward its views to wider business and government entities without running the risk of being in inadvertent breach of the law. Sustainability Report The Company’s Sustainability Report provides an update on the Group’s policies and activities in respect of its wider stakeholders, including colleagues; community, environmental, ethical and health and safety issues; and modern slavery. Overseas branches As at 30 September 2024, the Group had no overseas branches. Research and development We are committed to using innovative, cost effective and practical solutions for providing high quality services and we recognise the importance of ensuring that we focus our investment on the development of technology. The Group’s research and development expenditure is predominantly associated with computer and software systems. Change of control In the event of a change of control of the Company, the Group and each of its lenders shall enter into negotiation for a period to determine how the Group’s loan facilities may continue and if after negotiation there is no agreement the lender has the right to cancel the commitment. There are no agreements between the Company and its Directors or colleagues providing for compensation for loss of office or employment (whether through resignation, purported redundancy or otherwise) that occurs because of a takeover bid. Disclosure of information to the auditor The Directors who held office at the date of approval of this Directors’ Report confirm that, so far as they are each aware, there is no relevant audit information of which the Company’s auditor is unaware; and each Director has taken all the steps that they ought to have taken as a Director to make themselves aware of any relevant audit information and to establish that the Company’s auditor is aware of that information. Reappointment of auditor In accordance with section 489 of the Companies Act 2006, a resolution for the reappointment of PricewaterhouseCoopers LLP as auditor of the Company is to be proposed at the forthcoming AGM. 103 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Annual General Meeting The Notice of the Company’s AGM to be held at 9.00am on 28 January 2025 at the offices of DLA Piper UK LLP, 160 Aldersgate Street, London EC1A 4HT, along with details of the business to be proposed and explanatory notes, will be available on the Group’s website together with the Annual Report and Accounts. All shareholders will be notified by post or email, at their request, when the documents have been made available. The Board recognises that the AGM provides an important opportunity to engage with shareholders. Therefore, the Company will ensure that shareholders can submit any questions in writing prior to the AGM as outlined in the Notice of AGM. The result of the poll vote will be made available as soon as possible after the meeting on our website. Capitalised interest During the period, no interest was capitalised by the Group (2023: £nil). The tax benefit on this amount was £nil (2023: £nil). Reporting requirements The following sets out the location of additional information forming part of the Directors’ Report, which is incorporated by reference into this report: Reporting requirement Location Board’s assessment of the Group’s internal control systems Corporate Governance Report on pages 52 to 66 and Audit Committee Report on page 67 Details of uses of financial instruments and specific policies for managing financial risk Note 25 (Financial Instruments) on pages 151 to 155 Directors’ interests Remuneration Committee Report on page 87 Directors’ Responsibilities Statement Directors’ Responsibilities Statement on page 105 Directors’ remuneration including disclosures required by Schedule 5 and Schedule 8 of SI2008/410 – Large and Medium-sized Companies and Groups (Accounts and Reports) Regulations 2008 Remuneration Committee Report on pages 79 to 100 DTR 4.1.8.R – Management Report – the Directors’ Report and Strategic Report comprise the Management Report Directors’ Report on pages 101 to 104 and Strategic Report on pages 1 to 51 Going Concern Statement Directors’ Report on page 101 and Going Concern section within Note 1 on pages 119 and 120 Greenhouse gas emissions and energy consumption TCFD Report on pages 21 to 27 Likely future developments of the business and Group Strategic Report on pages 1 to 51 LR 9.8.4 (4) – Long-term incentive schemes Remuneration Committee Report on pages 79 to 100 LR 9.8.6 (2) – Substantial shareholders Shareholder Engagement section of Corporate Governance Report on page 66 Statement on corporate governance Corporate Governance Report, Audit Committee Report, Nomination Committee Report and Remuneration Committee Report on pages 67 to 100. Statement of compliance with the UK Corporate Governance Code is on page 54 Strategic Report – Companies Act 2006 section 414A–D Strategic Report on pages 1 to 51 The Strategic Report on pages 1 to 51 and this Directors’ Report on pages 101 to 104 have been approved and authorised for issue by the Board. They were signed on its behalf by: Mike Maddison Guy Ellis Chief Executive Officer Chief Financial Officer 10 December 2024 10 December 2024 Directors’ report continued 104 NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Directors’ responsibilities statement Statement of Directors’ responsibilities in respect of the Financial Statements The Directors are responsible for preparing the Annual Report and the Financial Statements in accordance with applicable law and regulation. Company law requires the Directors to prepare Financial Statements for each financial year. Under that law the Directors have prepared the Group Financial Statements in accordance with UK-adopted international accounting standards and the Company Financial Statements in accordance with United Kingdom Generally Accepted Accounting Practice (United Kingdom Accounting Standards, comprising FRS 101 ‘Reduced Disclosure Framework’, and applicable law). Under company law, Directors must not approve the Financial Statements unless they are satisfied that they give a true and fair view of the state of affairs of the Group and Company and of the profit or loss of the Group for that period. In preparing the Financial Statements, the Directors are required to: • Select suitable accounting policies and then apply them consistently • State whether applicable UK-adopted international accounting standards have been followed for the Group Financial Statements and United Kingdom Accounting Standards, comprising FRS 101, have been followed for the Company Financial Statements, subject to any material departures disclosed and explained in the Financial Statements • Make judgements and accounting estimates that are reasonable and prudent • Prepare the Financial Statements on the going concern basis unless it is inappropriate to presume that the Group and Company will continue in business The Directors are responsible for safeguarding the assets of the Group and Company and hence for taking reasonable steps for the prevention and detection of fraud and other irregularities. The Directors are also responsible for keeping adequate accounting records that are sufficient to show and explain the Group’s and Company’s transactions and disclose with reasonable accuracy at any time the financial position of the Group and Company and enable them to ensure that the Financial Statements and the Directors’ Remuneration Report comply with the Companies Act 2006. The Directors are responsible for the maintenance and integrity of the Company’s website. Legislation in the United Kingdom governing the preparation and dissemination of Financial Statements may differ from legislation in other jurisdictions. Directors’ confirmations The Directors consider that the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group’s and Company’s position and performance, business model and strategy. Each of the Directors, whose names and functions are listed in Board of Directors section of this report confirm that, to the best of their knowledge: • The Group Financial Statements, which have been prepared in accordance with UK-adopted international accounting standards, give a true and fair view of the assets, liabilities, financial position and profit of the Group • The Company Financial Statements, which have been prepared in accordance with United Kingdom Accounting Standards, comprising FRS 101, give a true and fair view of the assets, liabilities and financial position of the Company • The Strategic Report includes a fair review of the development and performance of the business and the position of the Group and Company, together with a description of the principal risks and uncertainties that they face In the case of each Director in office at the date the Directors’ Report is approved: • So far as the Director is aware, there is no relevant audit information of which the Group’s and Company’s auditor is unaware • They have taken all the steps that they ought to have taken as a Director in order to make themselves aware of any relevant audit information and to establish that the Group’s and Company’s auditor is aware of that information For and on behalf of the Board Mike Maddison Guy Ellis Chief Executive Officer Chief Financial Officer 10 December 2024 10 December 2024 105 Governance NCC Group plc — Annual report and accounts for the period ended 30 September 2024 Independent auditors’ report to the members of NCC Group plc Report on the audit of the financial statements Opinion In our opinion: • NCC Group plc’s group financial statements and company financial statements (the “financial statements”) give a true and fair view of the state of the group’s and of the company’s affairs as at 30 September 2024 and of the group’s loss and the group’s cash flows for the 16 month period then ended; • the group financial statements have been properly prepared in accordance with UK-adopted international accounting standards as applied in accordance with the provisions of the Companies Act 2006; • the company financial statements have been properly prepared in accordance with United Kingdom Generally Accepted Accounting Practice (United Kingdom Accounting Standards, including FRS 101 “Reduced Disclosure Framework”, and applicable law); and • the financial statements have been prepared in accordance with the requirements of the Companies Act 2006. We have audited the financial statements, included within the Annual report and accounts (the “Annual Report”), which comprise: the Consolidated and Company balance sheets as at 30 September 2024; the Consolidated income statement, the Consolidated statement of comprehensive income, the Consolidated cash flow statement and the Consolidated and Company statements of changes in equity for the period then ended; and the notes to the financial statements, comprising material accounting policy information and other explanatory information. Our opinion is consistent with our reporting to the Audit Committee. Basis for opinion We conducted our audit in accordance with International Standards on Auditing (UK) (ISAs (UK)) and applicable law. Our responsibilities under ISAs (UK) are further described in the Auditors’ responsibilities for the audit of the financial statements section of our report. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion. Independence We remained independent of the group in accordance with the ethical requirements that are relevant to our audit of the financial statements in the UK, which includes the FRC’s Ethical Standard, as applicable to listed public interest entities, and we have fulfilled our other ethical responsibilities in accordance with these requirements. To the best of our knowledge and belief, we declare that non-audit services prohibited by the FRC’s Ethical Standard were not provided. Other than those disclosed in Audit Committee report, we have provided no non-audit services to the company or its controlled undertakings in the period under audit. Our audit approach Context The group provides independent advice and services to customers through the provision of cyber security and software escrow services. The group operates globally and is headquartered in the UK. The consolidated financial statements are primarily an aggregation of legal entities from countries around the world. The period ended 30 September 2024 is our first period as external auditors of the group and the Company, and as part of our audit transition, we performed specific procedures over opening balances by reviewing the predecessor auditors’ working papers and risk assessment. We also performed process walkthroughs to understand and evaluate the key financial processes and controls across the group. As we undertook each phase of this first-period audit, we regularly reconsidered our risk assessment to reflect audit findings, including our assessment of the group’s control environment and the impact on our planned audit approach. Given the historical performance and recovery of customer demand in North America being less consistent than expected by management, we considered the recoverability of goodwill in the North American Cyber Security cash generating unit (CGU) to be of most significance in our audit of the financial statements and therefore we have included this as a key audit matter. Overview Audit scope • Our work incorporated full scope audits of three components and audit procedures on specific balances for a further six components and central consolidation adjustments. • The entities where we conducted audit work, together with audit work performed at the consolidated level, accounted for approximately 91% of the group’s revenue. Key audit matters • Recoverability of goodwill in North America Cyber Security cash generating unit (group). • Recoverability of Investments in subsidiary undertakings (parent). Materiality • Overall group materiality: £3,200,000 based on 0.75% of revenue. • Overall company materiality: £3,400,000 based on 1% of total assets. • Performance materiality: £2,400,000 (group) and £2,500,000 (company). The scope of our audit As part of designing our audit, we determined materiality and assessed the risks of material misstatement in the financial statements. Key audit matters Key audit matters are those matters that, in the auditors’ professional judgement, were of most significance in the audit of the financial statements of the current period and include the most significant assessed risks of material misstatement (whether or not due to fraud) identified by the auditors, including those which had the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team. These matters, and any comments we make on the results of our procedures thereon, were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters. This is not a complete list of all risks identified by our audit. NCC Group plc — Annual report and accounts for the period ended 30 September 2024106 Report on the audit of the financial statements continued Our audit approach continued Key audit matters continued Key audit matter How our audit addressed the key audit matter Recoverability of goodwill in North America Cyber Security cash generating unit (group) Refer to notes 2, 4 and 11 in the group financial statements. Goodwill of £nil (2023: £31.6 million) is allocated to the North America Cyber Security CGU after the recognition of a goodwill impairment charge of £31.9 million (2023: £9.8 million) against the carrying value of goodwill in the period. The group’s CGUs are assessed for impairment annually or more frequently if indicators of impairment have been identified. The performance of these impairment reviews require determining the recoverable amounts of the CGUs and comparing these calculations against the carrying values of the groups CGUs. The fair value less cost to sell (“FVLCS”) model utilised to determine the recoverable amount of the North American Cyber Security CGU required a significant level of management judgement around determining reasonable market multiples and sustainable earnings assumptions as changes in individual assumptions had a potential of significantly changing the calculated impairment charge. Given the historical performance and recovery of customer demand being less consistent than expected by management, we considered the recoverability of goodwill in the North American Cyber Security CGU to be of most significance in our audit of the financial statements and therefore we have included this as a key audit matter. In assessing the appropriateness of the impairment assessment for the North American Cyber Security CGU, we have performed the following procedures: We obtained the management impairment model and compared the actual results with previous forecasts to assess the historical accuracy of management forecasts. We held discussions and challenged directors and management to understand the reasons for the performance below management expectations over the last two years and the strategic plans in place to support the revenues and gross margin assumptions in the forward-looking sustainable earnings projections. We compared key assumptions around revenue growth rates to external market research on industry market growth rates to identify any inconsistencies. We assessed management’s assumptions for gross margin percentages by comparing to historical actual achieved margins. We considered management bias throughout the assumptions used and considered any contradictory evidence. We engaged our internal valuations experts to review the FVLCS model and assess the assumptions for the market multiple by comparing their assessment against external market data and comparable companies. We evaluated the competency, independence and objectivity of the experts engaged by management who supported management in the determination of the reasonable market multiples. We assessed the mathematical accuracy of the impairment assessment. We evaluated the appropriateness of disclosures included in the financial statements. As a result of these procedures, we were satisfied with the impairment charge recognised in the current period. Recoverability of Investments in subsidiary undertakings (parent) Refer to note 32 in the Company financial statements. The Company financial statements have investment in subsidiaries of £291.1 million (2023: £279.1 million). The investment is held in NCC Group Holdings Limited which subsequently holds an investment in other subsidiary undertakings in the group. An assessment is performed annually to identify whether there are internal or external factors that indicate the investment in subsidiary undertakings may be impaired. If indicators of impairment are identified, the Company would proceed to evaluate the recoverable amount of its investment in subsidiary undertakings. Given the magnitude of this balance, and the management judgement involved in determining whether any indicators for impairment exist, we have considered the risk of impairment of these assets as a key audit matter. In assessing the appropriateness of the investment valuation of NCC Group Holdings Limited, we performed the following procedures: We obtained a schedule of investments in subsidiary undertakings and ensured this is reconciled to the financial statements. We reviewed the assessment of the indicators of impairment and compared their assessment to external market factors and the results of the group’s annual goodwill impairment review. We compared the carrying value of the investment to the group’s market capitalisation at the reporting date. We reviewed the disclosures included within note 32 of the financial statements and consider these to be appropriate. As a result of these procedures, we were satisfied with the conclusion that no indicators of impairment were identified in the current period. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 107 Independent auditors’ report continued to the members of NCC Group plc Report on the audit of the financial statements continued Our audit approach continued How we tailored the audit scope We tailored the scope of our audit to ensure that we performed enough work to be able to give an opinion on the financial statements as a whole, taking into account the structure of the group and the company, the accounting processes and controls, and the industry in which they operate. The group provides independent advice and services to customers through the provision of cyber security and software escrow services. The group is split into two main reporting segments being Cyber Security and Escode. Each reportable segment has multiple management reporting units in a range of different geographies and is structured mainly across Europe and North America. Certain functions relevant for financial reporting are managed by the group’s head office. The financial statements are a consolidation of the group’s management reporting units and its centralised functions. As the group is headquartered and its principal finance offices are in Manchester, United Kingdom, the group engagement team is also based in Manchester. All audit work was completed by the group engagement team, with the exception of Fox-IT Holding B.V, which was audited by a component team in the Netherlands. In establishing the overall approach to the group audit, we determined the type of work that needed to be performed at the entities by us, as the group engagement team, or component auditors operating under our instruction. Where work was performed by the component auditor, we determined the level of involvement we needed to have in this work to be able to conclude that sufficient appropriate audit evidence had been obtained. Our group audit incorporated full scope audits of NCC Group Security Services Limited, Fox-IT Holding B.V. and NCC Group Security Services Inc, as well as specific audit procedures in relation to NCC Group Corporate Limited, NCC Group plc, NCC Services Limited, NCC Group (Solutions) Limited, NCC Group Accumuli Security Limited and NCC Group Software Resilience (NA) LLC. We also performed audit procedures over the consolidation adjustments for selected financial statement line items. The entities where we conducted audit work accounted for approximately 91% of the group’s revenue. The parent company is comprised of one reporting unit which was subject to a full scope audit for the purposes of the company financial statements. The impact of climate risk on our audit We made enquiries of management to understand the process they have adopted to assess the extent of the potential impact of climate risk on the group’s financial statements. The key areas of the financial statements where management evaluated that climate risk has a potential impact are set out in note 1 to the financial statements. The directors have reached the overall conclusion that there has been no material impact on the financial statements for the current period from the potential impact of climate change. We used our knowledge of the group to challenge management’s assessment. We particularly considered how climate risk would impact the assumptions made in the forecasts prepared by management used in their goodwill impairment analysis, going concern and viability. We also considered the consistency of the disclosures in relation to climate change (including the disclosures in the Non-Financial and Sustainability Information Statement) within the Annual Report with the financial statements and our knowledge obtained from our audit. Our procedures did not identify any material impact in the context of our audit of the financial statements as a whole, or on our key audit matters for the period ended 30 September 2024. Materiality The scope of our audit was influenced by our application of materiality. We set certain quantitative thresholds for materiality. These, together with qualitative considerations, helped us to determine the scope of our audit and the nature, timing and extent of our audit procedures on the individual financial statement line items and disclosures and in evaluating the effect of misstatements, both individually and in aggregate on the financial statements as a whole. Based on our professional judgement, we determined materiality for the financial statements as a whole as follows: Financial statements – group Financial statements – company Overall materiality £3,200,000. £3,400,000. How we determined it 0.75% of revenue. 1% of total assets. Rationale for benchmark applied We considered materiality in a number of different ways and used our professional judgement having applied ‘rule of thumb’ percentages to a number of potential benchmarks. On the basis of this, we concluded that 0.75% of revenue is an appropriate level of materiality considering the overall scale of the business. The company does not trade and therefore total assets is considered to be the most appropriate benchmark. For each component in the scope of our group audit, we allocated a materiality that is less than our overall group materiality. The range of materiality allocated across components was between £730,000 and £2,417,000. Certain components were audited to a local statutory audit materiality that was also less than our overall group materiality. We use performance materiality to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds overall materiality. Specifically, we use performance materiality in determining the scope of our audit and the nature and extent of our testing of account balances, classes of transactions and disclosures, for example in determining sample sizes. Our performance materiality was 75% of overall materiality, amounting to £2,400,000 for the group financial statements and £2,500,000 for the company financial statements. In determining the performance materiality, we considered a number of factors – the history of misstatements, risk assessment and aggregation risk and the effectiveness of controls – and concluded that an amount at the upper end of our normal range was appropriate. We agreed with the Audit Committee that we would report to them misstatements identified during our audit above £160,000 (group audit) and £170,000 (company audit) as well as misstatements below those amounts that, in our view, warranted reporting for qualitative reasons. NCC Group plc — Annual report and accounts for the period ended 30 September 2024108 Report on the audit of the financial statements continued Conclusions relating to going concern Our evaluation of the directors’ assessment of the group’s and the company’s ability to continue to adopt the going concern basis of accounting included: • We obtained the latest assessments supporting the directors’ conclusions with respect to the going concern basis of preparation of the financial statements and confirmed these assessments included directors’ evaluation of the downside scenarios that were considered severe but plausible. • We obtained the terms of the group’s revolving credit facility and the covenants in place in relation to this facility and determined that the directors’ forecast demonstrated compliance with all covenant conditions for at least 12 months from the date of the approval of the financial statements. • We tested the mathematical integrity of the directors’ going concern forecast model. • We evaluated and assessed the directors’ key assumptions in the going concern assessment over the period to December 2025, which included consideration of the severe by plausible downside scenarios. • We agreed the opening net debt position within the forecast to bank statements and revolving credit facility statements. • We reviewed the disclosures made in respect of going concern included in the financial statements. Based on the work we have performed, we have not identified any material uncertainties relating to events or conditions that, individually or collectively, may cast significant doubt on the group’s and the company’s ability to continue as a going concern for a period of at least twelve months from when the financial statements are authorised for issue. In auditing the financial statements, we have concluded that the directors’ use of the going concern basis of accounting in the preparation of the financial statements is appropriate. However, because not all future events or conditions can be predicted, this conclusion is not a guarantee as to the group’s and the company’s ability to continue as a going concern. In relation to the directors’ reporting on how they have applied the UK Corporate Governance Code, we have nothing material to add or draw attention to in relation to the directors’ statement in the financial statements about whether the directors considered it appropriate to adopt the going concern basis of accounting. Our responsibilities and the responsibilities of the directors with respect to going concern are described in the relevant sections of this report. Reporting on other information The other information comprises all of the information in the Annual Report other than the financial statements and our auditors’ report thereon. The directors are responsible for the other information. Our opinion on the financial statements does not cover the other information and, accordingly, we do not express an audit opinion or, except to the extent otherwise explicitly stated in this report, any form of assurance thereon. In connection with our audit of the financial statements, our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the audit, or otherwise appears to be materially misstated. If we identify an apparent material inconsistency or material misstatement, we are required to perform procedures to conclude whether there is a material misstatement of the financial statements or a material misstatement of the other information. If, based on the work we have performed, we conclude that there is a material misstatement of this other information, we are required to report that fact. We have nothing to report based on these responsibilities. With respect to the Strategic report and Directors’ report, we also considered whether the disclosures required by the UK Companies Act 2006 have been included. Based on our work undertaken in the course of the audit, the Companies Act 2006 requires us also to report certain opinions and matters as described below. Strategic report and Directors’ report In our opinion, based on the work undertaken in the course of the audit, the information given in the Strategic report and Directors’ report for the period ended 30 September 2024 is consistent with the financial statements and has been prepared in accordance with applicable legal requirements. In light of the knowledge and understanding of the group and company and their environment obtained in the course of the audit, we did not identify any material misstatements in the Strategic report and Directors’ report. Annual Report on Remuneration In our opinion, the part of the Annual Report on Remuneration to be audited has been properly prepared in accordance with the Companies Act 2006. Corporate governance statement The Listing Rules require us to review the directors’ statements in relation to going concern, longer-term viability and that part of the corporate governance statement relating to the company’s compliance with the provisions of the UK Corporate Governance Code specified for our review. Our additional responsibilities with respect to the corporate governance statement as other information are described in the Reporting on other information section of this report. Based on the work undertaken as part of our audit, we have concluded that each of the following elements of the corporate governance statement, included within the Governance section of the Annual Report is materially consistent with the financial statements and our knowledge obtained during the audit, and we have nothing material to add or draw attention to in relation to: • The directors’ confirmation that they have carried out a robust assessment of the emerging and principal risks; • The disclosures in the Annual Report that describe those principal risks, what procedures are in place to identify emerging risks and an explanation of how these are being managed or mitigated; • The directors’ statement in the financial statements about whether they considered it appropriate to adopt the going concern basis of accounting in preparing them, and their identification of any material uncertainties to the group’s and company’s ability to continue to do so over a period of at least twelve months from the date of approval of the financial statements; • The directors’ explanation as to their assessment of the group’s and company’s prospects, the period this assessment covers and why the period is appropriate; and • The directors’ statement as to whether they have a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the period of its assessment, including any related disclosures drawing attention to any necessary qualifications or assumptions. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 109 Independent auditors’ report continued to the members of NCC Group plc Report on the audit of the financial statements continued Corporate governance statement continued Our review of the directors’ statement regarding the longer-term viability of the group and company was substantially less in scope than an audit and only consisted of making inquiries and considering the directors’ process supporting their statement; checking that the statement is in alignment with the relevant provisions of the UK Corporate Governance Code; and considering whether the statement is consistent with the financial statements and our knowledge and understanding of the group and company and their environment obtained in the course of the audit. In addition, based on the work undertaken as part of our audit, we have concluded that each of the following elements of the corporate governance statement is materially consistent with the financial statements and our knowledge obtained during the audit: • The directors’ statement that they consider the Annual Report, taken as a whole, is fair, balanced and understandable, and provides the information necessary for the members to assess the group’s and company’s position, performance, business model and strategy; • The section of the Annual Report that describes the review of effectiveness of risk management and internal control systems; and • The section of the Annual Report describing the work of the Audit Committee. We have nothing to report in respect of our responsibility to report when the directors’ statement relating to the company’s compliance with the Code does not properly disclose a departure from a relevant provision of the Code specified under the Listing Rules for review by the auditors. Responsibilities for the financial statements and the audit Responsibilities of the directors for the financial statements As explained more fully in the Directors’ responsibilities statement, the directors are responsible for the preparation of the financial statements in accordance with the applicable framework and for being satisfied that they give a true and fair view. The directors are also responsible for such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error. In preparing the financial statements, the directors are responsible for assessing the group’s and the company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless the directors either intend to liquidate the group or the company or to cease operations, or have no realistic alternative but to do so. Auditors’ responsibilities for the audit of the financial statements Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditors’ report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements. Irregularities, including fraud, are instances of non-compliance with laws and regulations. We design procedures in line with our responsibilities, outlined above, to detect material misstatements in respect of irregularities, including fraud. The extent to which our procedures are capable of detecting irregularities, including fraud, is detailed below. Based on our understanding of the group and industry, we identified that the principal risks of non-compliance with laws and regulations related to employment laws in the countries where the group has more significant operations and data protection laws and regulations, and we considered the extent to which non-compliance might have a material effect on the financial statements. We also considered those laws and regulations that have a direct impact on the financial statements such as local and international tax laws and the Companies Act 2006. We evaluated management’s incentives and opportunities for fraudulent manipulation of the financial statements (including the risk of override of controls), and determined that the principal risks were related to posting inappropriate journal entries to manipulate financial performance and revenue recognition. The group engagement team shared this risk assessment with the component auditors so that they could include appropriate audit procedures in response to such risks in their work. Audit procedures performed by the group engagement team and/or component auditors included: • discussions with management, the Audit Committee and internal audit, including consideration of known or suspected instances of non-compliance with laws and regulations and fraud; • reviewing minutes of meetings of those charged with governance; • auditing the tax computations to evaluate compliance with tax legislation; • identifying and testing journal entries, in particular any journal entries posted with unusual account combinations impacting revenue recognition; and • reviewing financial statement disclosures and testing to supporting documentation where appropriate to assess compliance with applicable laws and regulations. There are inherent limitations in the audit procedures described above. We are less likely to become aware of instances of non-compliance with laws and regulations that are not closely related to events and transactions reflected in the financial statements. Also, the risk of not detecting a material misstatement due to fraud is higher than the risk of not detecting one resulting from error, as fraud may involve deliberate concealment by, for example, forgery or intentional misrepresentations, or through collusion. Our audit testing might include testing complete populations of certain transactions and balances, possibly using data auditing techniques. However, it typically involves selecting a limited number of items for testing, rather than testing complete populations. We will often seek to target particular items for testing based on their size or risk characteristics. In other cases, we will use audit sampling to enable us to draw a conclusion about the population from which the sample is selected. A further description of our responsibilities for the audit of the financial statements is located on the FRC’s website at: www.frc.org.uk/auditorsresponsibilities. This description forms part of our auditors’ report. NCC Group plc — Annual report and accounts for the period ended 30 September 2024110 Report on the audit of the financial statements continued Responsibilities for the financial statements and the audit continued Use of this report This report, including the opinions, has been prepared for and only for the company’s members as a body in accordance with Chapter 3 of Part 16 of the Companies Act 2006 and for no other purpose. We do not, in giving these opinions, accept or assume responsibility for any other purpose or to any other person to whom this report is shown or into whose hands it may come save where expressly agreed by our prior consent in writing. Other required reporting Companies Act 2006 exception reporting Under the Companies Act 2006 we are required to report to you if, in our opinion: • we have not obtained all the information and explanations we require for our audit; or • adequate accounting records have not been kept by the company, or returns adequate for our audit have not been received from branches not visited by us; or • certain disclosures of directors’ remuneration specified by law are not made; or • the company financial statements and the part of the Annual Report on Remuneration to be audited are not in agreement with the accounting records and returns. We have no exceptions to report arising from this responsibility. Appointment Following the recommendation of the Audit Committee, we were appointed by the directors on 7 March 2024 to audit the financial statements for the period ended 30 September 2024 and subsequent financial periods. This is therefore our first period of uninterrupted engagement. Other matter The company is required by the Financial Conduct Authority Disclosure Guidance and Transparency Rules to include these financial statements in an annual financial report prepared under the structured digital format required by DTR 4.1.15R – 4.1.18R and filed on the National Storage Mechanism of the Financial Conduct Authority. This auditors’ report provides no assurance over whether the structured digital format annual financial report has been prepared in accordance with those requirements. Hazel Macnamara (Senior Statutory Auditor) for and on behalf of PricewaterhouseCoopers LLP Chartered Accountants and Statutory Auditors Manchester 10 December 2024 Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 111 Consolidated income statement for the 16 month period ended 30 September 2024 16 months Year period ended ended 30 September 31 May 2024 2023 Notes £m £m Revenue 3 429. 5 3 3 5 .1 Cost of sales 3 (250. 8) (2 0 3 .1) Gross profit 3 178.7 132. 0 Administrative expenses Individually Significant Items 4 (41 .5) (14. 7) Depreciation and amortisation 5 (2 9.3) (2 2.6) Other administrative expenses (1 2 7. 1) (92.8) Total administrative expenses (1 97. 9) (1 3 0 .1) Operating (loss)/profit 3 (1 9. 2) 1.9 Finance costs 7 (8. 3) (6.2) Loss before taxation 5 (2 7. 5) (4. 3) Taxation 8 (5 .0) (0. 3) Loss for the period/year attributable to owners of the Company (32 . 5) (4 .6) Loss per ordinary share 10 Basic EPS (10.4)p (1. 5)p Diluted EPS (10.4)p (1. 5)p Consolidated statement of comprehensive income for the 16 month period ended 30 September 2024 16 months period ended Year 30 September ended 2024 2023 £m £m Loss for the period/year attributable to the owners of the Company (32 . 5) (4 .6) Other comprehensive (loss)/income Items that may be reclassified subsequently to profit or loss (net of tax) Foreign exchange translation differences (13. 0) 2.4 Total other comprehensive (loss)/income (13. 0) 2. 4 Total comprehensive loss for the period/year (net of tax) attributable to the owners of the Company (4 5. 5) (2.2) The accompanying Notes 1 to 34 are an integral part of these consolidated Financial Statements. NCC Group plc — Annual report and accounts for the period ended 30 September 2024112 Consolidated balance sheet at 30 September 2024 30 September 31 May 2024 2023 Notes £m £m Non-current assets Goodwill 11 156 .5 25 5. 8 Intangible assets 11 8 9. 2 11 0. 9 Property, plant and equipment 12 11. 6 12. 5 Right-of-use assets 13 15.7 18 .6 Investments 14 — 0.3 Deferred tax asset 17 0.6 2.9 Total non-current assets 273.6 40 1.0 Current assets Inventories 15 — 0.8 Trade and other receivables 16 32 .2 40.9 Contract assets 23 2 0 .1 1 7. 2 Contingent consideration receivable 33 — 3.8 Current tax receivable 2.9 3.6 Cash and cash equivalents 24 29. 8 3 4 .1 Assets classified as held for sale 18 61.5 — Total current assets 146 . 5 100.4 Total assets 4 2 0 .1 5 01.4 Current liabilities Trade and other payables 19 46.8 4 4.7 Bank overdraft 24 13.6 1.8 Lease liabilities 20 5.7 6. 0 Current tax payable 1.6 4.2 Derivative financial instruments 25 0.8 0.6 Contingent consideration payable — 1.0 Provisions 21 1. 4 1.2 Contract liabilities – deferred revenue 22 5 0.7 51 .6 Liabilities directly associated with assets classified as held for sale 18 5.7 — Total current liabilities 126. 3 111.1 Non-current liabilities Borrowings 24 61.5 81.9 Lease liabilities 20 21.9 24 . 0 Deferred tax liabilities 17 0.5 1.4 Provisions 21 1.9 1. 5 Contract liabilities – deferred revenue 22 2 .8 3.3 Total non-current liabilities 88.6 1 1 2 .1 Total liabilities 214 .9 223 .2 Net assets 205. 2 278 .2 Equity Share capital 27 3.1 3 .1 Share premium 27 224. 4 2 24 .1 Merger reserve 27 42 . 3 42. 3 Currency translation reserve 27 24 .5 3 7. 5 Retained earnings 27 (8 9 .1) (28.8) Total equity 205. 2 278 .2 The accompanying Notes 1 to 34 are an integral part of these consolidated Financial Statements. These Financial Statements were approved and authorised for issue by the Board of Directors on 10 December 2024. They were signed on its behalf by: Mike Maddison Guy Ellis Chief Executive Officer Chief Financial Officer 10 December 2024 10 December 2024 Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 113 Consolidated cash flow statement for the 16 month period ended 30 September 2024 16 months period Year ended ended 2024 2023 Notes £m £m Cash flows from operating activities Loss for the period/year (32 . 5) (4 .6) Adjustments for: Depreciation of property, plant and equipment 12 5.4 4.5 Depreciation of right-of-use assets 13 8 .1 5.7 Amortisation of customer contracts and relationships 11 12 .5 10.0 Amortisation of software and development costs 11 3.3 2.4 Impairment of goodwill 11 31. 9 12 . 8 Impairment of non-current assets included in ISIs 4 3.9 — Impairment of non-current assets included in administrative costs 5 0.9 1 .1 Impairment reversal of non-current assets included in ISIs 4 (0. 8) — Share-based payments 26 2.3 2. 2 Lease financing costs 7 1.7 1 .1 Other financing costs 7 6.6 5 .1 Foreign exchange loss 5 1.9 0.6 Disposal of business – transaction costs 33 — (0 .1) Non-cash impact from other Individually Significant Items 4 — 3.5 Profit on disposal of right-of-use assets 5 (0 .1) (0.7) Profit on disposal of businesses 33 (1.6) (4 .7) Profit on disposal of investment 14 (0 .1) — Loss on disposal of fixed assets 0 .1 — Income tax expense/(credit) 5.0 (0.2) Cash inflow for the year before changes in working capital 48.5 3 8.7 Decrease in trade and other receivables 1.3 15. 0 (Increase)/decrease in contract assets (5.9) 4.7 Decrease in inventories 0.2 0 .1 Decrease in trade and other payables (11.9) (7. 7) Increase/(decrease) in contract liabilities 5.5 (7. 4) Increase/(decrease) in provisions 0.7 (0.8) Cash generated from operating activities before interest and taxation 38.4 42 . 6 Interest element of lease payments 20 (1.7) (1 .1) Other interest paid (6.0) (4 .0) Taxation paid (4. 3) (5. 4) Net cash generated from operating activities 26.4 3 2 .1 Cash flows from investing activities Acquisition of trade and assets as part of business combinations (1. 0) (1. 0) Purchase of property, plant and equipment (6. 2) (3 .9) Software, development and customer contracts expenditure (2.6) (3 .4) Sale proceeds of business disposals 4,14 12. 4 2 .0 Net cash generated from/(used in) in investing activities 2.6 (6 .3) Cash flows from financing activities Proceeds from the issue of ordinary share capital 27 0.3 0 .1 Purchase of own shares — (0. 5) Acquisition of treasury shares (5. 8) — Principal element of lease payments 20 (1 0. 2) (6 .1) Drawdown of borrowings (net of deferred issue costs) 5 7. 8 70 .8 Issue costs related to borrowings — (1. 5) Repayment of borrowings (75.0) (115 .6) Equity dividends paid 9 (14 .5) (14. 5) Net cash used in financing activities (4 7. 4) (6 7. 3) Net decrease in cash and cash equivalents (inc. bank overdraft) (1 8 .4) (41 . 5) Cash and cash equivalents (inc. bank overdraft) at beginning of period 32. 3 73 .2 Effect of foreign currency exchange rate changes 2 .3 0.6 Cash and cash equivalents (inc. bank overdraft) at end of period/year 24 16. 2 32 .3 The accompanying Notes 1 to 34 are an integral part of these consolidated Financial Statements. NCC Group plc — Annual report and accounts for the period ended 30 September 2024114 Consolidated statement of changes in equity for the 16 month period ended 30 September 2024 Currency Share Share Merger translation Retained capital premium reserve reserve earnings Total Notes £m £m £m £m £m £m Balance at 1 June 2022 3 .1 2 24 . 0 42 .3 3 5 .1 (11 . 3) 2 93.2 Loss for the year — — — — (4. 6) (4. 6) Foreign currency translation differences — — — 2.4 — 2.4 Total comprehensive income/(loss) for the year — — — 2.4 (4 .6) (2.2) Transactions with owners recorded directly in equity Dividends to equity shareholders 9 — — — — (14 .5) (14 .5) Share-based payments 26 — — — — 2.2 2.2 Tax on share-based payments 8 — — — — (0 .1) (0 .1) Purchase of own shares — — — — (0 .5) (0 .5) Shares issued 27 — 0.1 — — — 0 .1 Total contributions by and distributions to owners — 0 .1 — — (12 .9) (12 . 8) Balance at 31 May 2023 3 .1 2 24 .1 42 . 3 3 7. 5 (28.8) 278. 2 Loss for the period — — — — (32 . 5) (32 . 5) Foreign currency translation differences — — — (13 . 0) — (13. 0) Total comprehensive loss for the period — — — (13.0) (32 .5) (4 5 .5) Transactions with owners recorded directly in equity Dividends to equity shareholders 9 — — — — (24. 3) (24 .3) Share-based payments 26 — — — — 2.3 2.3 Acquisition of treasury shares — — — — (5 . 8) (5 .8) Shares issued 27 — 0.3 — — — 0.3 Total contributions by and distributions to owners — 0.3 — — (2 7. 8) (2 7. 5) Balance at 30 September 2024 3 .1 2 24.4 42 .3 24.5 (8 9 .1) 205. 2 The accompanying Notes 1 to 34 are an integral part of these consolidated Financial Statements. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 115 Company balance sheet at 30 September 2024 Company no: 4627044 Notes 30 September 2024 £m 31 May 2023 £m Non-current assets Investments in subsidiary undertakings 32 291.1 279.1 Trade and other receivables 16 43.1 23.2 Total fixed assets 334.2 302.3 Current assets Cash and cash equivalents 24 9.8 15.0 Total current assets 9.8 15.0 Total assets 344.0 317.3 Current liabilities Trade and other payables 19 9.9 0.2 Total current liabilities 9.9 0.2 Total liabilities 9.9 0.2 Net assets 334.1 317.1 Equity Share capital 27 3.1 3.1 Share premium 27 224.4 224.1 Merger reserve 27 42.3 42.3 Retained earnings 27 64.3 47.6 Total equity 334.1 317.1 During the period ended 30 September 2024, the Parent Company reported a profit of £38.7m (2023: £17.5m). The accompanying Notes 1 to 34 are an integral part of these Financial Statements. These Financial Statements were approved and authorised for issue by the Board of Directors on 10 December 2024. They were signed on its behalf by: Mike Maddison Guy Ellis Chief Executive Officer Chief Financial Officer 10 December 2024 10 December 2024 NCC Group plc — Annual report and accounts for the period ended 30 September 2024116 Company statement of changes in equity for the 16 month period ended 30 September 2024 Notes Share capital £m Share premium £m Merger reserve £m Retained earnings £m Total £m Balance at 31 May 2022 and 1 June 2022 3.1 224.0 42.3 42.4 311.8 Profit for the year — — — 17.5 17.5 Total comprehensive income for the year — — — 17.5 17.5 Transactions with owners recorded directly in equity Dividends to equity shareholders 9 — — — (14.5) (14.5) Increase in subsidiary investment for share-based charges — — — 2.2 2.2 Shares issued 27 — 0.1 — — 0.1 Total contributions by and distributions to owners — 0.1 — (12.3) (12.2) Balance at 31 May 2023 and 1 June 2023 3.1 224.1 42.3 47.6 317.1 Profit for the period — — — 38.7 38.7 Total comprehensive income for the period — — — 38.7 38.7 Transactions with owners recorded directly in equity Dividends to equity shareholders 9 — — — (24.3) (24.3) Increase in subsidiary investment for share-based charges — — — 2.3 2.3 Shares issued 27 — 0.3 — — 0.3 Total contributions by and distributions to owners — 0.3 — (22.0) (21.7) Balance at 30 September 2024 3.1 224.4 42.3 64.3 334.1 The accompanying Notes 1 to 34 are an integral part of these Financial Statements. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 117 Notes to the Financial Statements for the 16 month period ended 30 September 2024 1 Accounting policies Basis of preparation NCC Group plc (the “Company”) is a public company incorporated in the UK, with its registered office at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ. The Group Financial Statements consolidate those of the Company and its subsidiaries (together referred to as the “Group”). NCC Group plc is a listed public Company, limited by shares, and the Company registration number is 04627044. The principal activity of the Group is the provision of independent advice and services to customers through the supply of Cyber Security and Escode services. The Parent Company Financial Statements present information about the Company as a separate entity and not about the Group. These Financial Statements have been approved for issue by the Board of Directors on 9 December 2024. The Group Financial Statements have been prepared and approved by the Directors in accordance with UK-adopted International Accounting Standards (UK-adopted IFRS) and with the requirements of the Companies Act 2006 as applicable to companies reporting under those standards. The Parent Company Financial Statements in the prior year were prepared in accordance with UK-adopted International Financial Reporting Standards and with the requirements of the Companies Act 2006 as applicable to companies reporting under those standards. These Parent Company Financial Statements have been prepared in accordance with FRS 101 Reduced Disclosure Framework (FRS 101), under the historical cost convention, and in accordance with the Companies Act 2006 and other applicable law. The impact on the net assets of the Parent Company as a result of the change in accounting convention has been £nil. As permitted by FRS 101, the Parent Company has taken advantage of the disclosure exemptions available under that standard in relation to standards not yet effective and presentation of a cash flow statement. The accounting policies adopted for the Parent Company are otherwise consistent with those used for the Group as set out within this note. The Company has also taken advantage of the following disclosure exemptions under FRS 101: • The requirements of paragraphs 91-99 of IFRS 13 “Fair Value Measurement” • The requirements of IFRS 7 “Financial Instruments: Disclosure” • The requirements of 45(b) and 46-52 of IFRS 2 “Share-based payments” • The requirements in IAS 24 “Related Party Disclosures” to disclose related party transactions entered into between two or more members of a group, provided that any subsidiary which is a party to the transaction is wholly owned by such a member On publishing the Parent Company Financial Statements here together with the Group Financial Statements, the Company is also taking advantage of the exemption in section 408 of the Companies Act 2006 not to present its individual Income Statement and related notes that form a part of these approved Financial Statements. The accounting policies set out below have, unless otherwise stated, been applied consistently to all periods presented in these Financial Statements. Climate change The Directors have reviewed the potential impact of climate change and the Task Force on Climate-related Financial Disclosures (TCFD) on the consolidated Financial Statements. During the period, the Group has reviewed its materiality assessment to identify what social, environmental and governance issues are most material and significant to the NCC Group business and stakeholders to aid our commitment to achieving net zero by 2050. Our overall exposure to physical and transitional climate change is considered low in the short to medium term due to the nature of the business and cyber assurance industry. The Group continues to evolve its sustainability agenda with further details on our short, medium, medium to long and long-term goals contained within the Non-Financial and Sustainability Information Statement on page 17 of the Annual Report. The Directors have considered climate change in the following areas of the consolidated Financial Statements (including critical accounting judgements and key sources of estimation uncertainty), noting no material financial impact in each area: • Going concern assessment • Property, plant and equipment – economic life and residual values • Impairment of assets (including right-of-use assets) – the impact of environmental change on growth rates and projected cash flows • Inventories – realisable value issues • Provisions – recognition of new liabilities or contingent liabilities arising from climate change and Group physical and transition risks of: • Greenhouse gas emissions – increased costs associated with more taxes and levies • Move to net zero – increased costs required to lower emissions • Margin risk – impact on delivery day rates and associated erosion of profit margin due to increased costs • Reputational risk – failure to comply with regulations resulting in negative impact on Group • Supply chain – increased supply costs and delayed deliveries impacting customer contracts/provision of services • Extreme weather or rising sea levels – reduction in revenue and increased costs • Fair value measurement – climate change variables being incorporated into market participant valuations • Financial instruments – expected credit losses and risk of default on Group borrowings (RCF and term loan) NCC Group plc — Annual report and accounts for the period ended 30 September 2024118 1 Accounting policies continued New and amended accounting standards that have been issued and are effective from 1 January 2024 At the date of authorisation of these Financial Statements, the following new accounting pronouncements have been issued and are effective from 1 January 2024: • Amendments to IFRS 16 ‘Lease Liability in a Sale and Leaseback’ issued in September 2022 and effective from 1 January 2024 • Amendments to IAS 1 ‘Presentation of Financial Statements – Classification of Liabilities as Current or Non-Current and Non-Current Liabilities with Covenants’ issued in November 2022 and effective from 1 January 2024 • Amendments to IAS 7 ‘Statement of Cash Flows’ and IFRS 7 ‘Financial Instruments: Disclosures – Supplier Finance Arrangements’ issued in May 2023 and effective from 1 January 2024 • Amendments to IAS 12 ‘International Tax Reform – Pillar Two Model Rules’ issued in May 2023; and ‘Deferred Tax related to Assets and Liabilities arising from a Single transaction’ issued in May 2021, both effective from 1 January 2024 These IFRSs are not expected to have a material impact on the Group’s consolidated or the Company’s financial position or performance. Other new accounting pronouncements In addition to the above, the following new accounting pronouncements have also been issued which are not yet effective, but the Group is not expecting them to have a significant impact on the Group’s consolidated Financial Statements: • Amendments to IAS 21 ‘The Effects of Changes in Foreign Exchange Rates’ issued in August 2023 and effective from 1 January 2025 • IFRS 19 ‘Subsidiaries without Public Accountability: Disclosures’ issued in May 2024 and effective from 1 January 2027 • Amendments to IFRS 9 ‘Financial Instruments’ and IFRS 7 ‘Financial Instruments: Disclosures’ issued in May 2024 and effective from 1 January 2026 • Annual improvements to the following IFRS Accounting Standards – amendments to: IFRS 1 ‘First-time Adoption of International Financial Reporting Standards’, IFRS 10 ‘Consolidated Financial Statements’ and IAS 7 ‘Statement of Cash flows’, issued in July 2024 and effective from 1 January 2026 In addition to the above new standards, the Group also continues to evaluate the potential impact from IFRS 18 ‘Presentation and Disclosure in Financial Statements’ issued in April 2024 and effective from 1 January 2027 . Basis of measurement The consolidated Financial Statements have been prepared on the historical cost basis except for the revaluation of certain financial instruments. Functional and presentation currency The Group and Company Financial Statements are presented in millions of Pounds Sterling (£m) because that is the currency of the principal economic environment in which the Group operates. Items included in the Financial Statements of each of the Group’s entities are measured using the currency of the primary economic environment in which the entity operates (the “functional currency”). Going concern At the time of approving the Financial Statements, the Board of Directors is required to formally assess that the business has adequate resources to continue in operational existence and as such can continue to adopt the ”going concern” basis of accounting. To support this assessment, the Board is required to consider the Group’s current financial position, its strategy, the market outlook, and its principal risks. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections. The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons. The Directors have prepared cash flow and covenant compliance forecasts for 12 months from the date of approval of the Financial Statements which indicate that, taking account of severe but plausible downsides on the operations of the Group and its financial resources, the Group will have sufficient funds to meet its liabilities as they fall due for that period. The going concern period is required to cover a period of at least 12 months from the date of approval of the Financial Statements and the Directors still consider this 12 month period to be an appropriate assessment period due to the Group’s financial position and trading performance and that its borrowing facilities do not expire until December 2026. The Directors have considered whether there are any significant events beyond the 12 month period which would suggest this period should be longer but have not identified any such conditions or events. The Group is financed primarily by a £162.5m multi-currency revolving credit facility maturing in December 2026. Under these banking arrangements, the Group can also request (seeking bank approval) an additional accordion facility to increase the total size of the revolving credit facility by up to £75m. This accordion facility has not been considered in the Group’s going concern assessment as it requires bank approval and is therefore uncommitted as at the date of approval of these consolidated Financial Statements. As of 30 September 2024, net debt (excluding lease liabilities) amounted to £45.3m which comprised cash and cash equivalents of £29.8m, a bank overdraft of £13.6m and a drawn revolving credit facility of £61.5m, leaving £101.0m of undrawn facilities, excluding the uncommitted accordion facility of £75.0m. The Group’s day-to-day working capital requirements are met through existing cash resources, the revolving credit facility and receipts from its continuing business activities. The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA) 1 and interest cover (Adjusted EBITDA 1 to interest charge) that are tested bi-annually on 31 May and 30 November each year (following the change in the Group’s financial year end, these covenants will be tested bi-annually on 31 March and 30 September each year going forward). Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 119 1 Accounting policies continued Going concern continued As of 30 September 2024, leverage amounted to 1.0x and net interest cover amounted to 8.8x compared to a maximum of 3.0x and a minimum of 3.5x respectively. The terms and ratios are specifically defined in the Group’s banking documents (in line with normal commercial practice) and are materially similar to amounts noted in these Financial Statements with the exceptions being net debt excludes IFRS 16 lease liabilities and Adjusted EBITDA 1 . The Group was in compliance with the terms of all its facilities during the period, including the financial covenants on 30 September 2024, and, based on forecasts, expects to remain in compliance over the going concern period. In addition, the Group has not sought or is not planning to seek any waivers to its financial covenants noted above. Management has prepared a base case model derived from the FY25 Board-approved budget. In addition, management has produced forecasts that reflect severe yet plausible downside scenarios, taking into account the principal risks faced by the Group, including the loss of key customers and further reductions in the North America ‘TAS’ business. These forecasts, which have been reviewed by the Directors, lead them to believe that the Group can operate within its available committed banking facilities and meet its liabilities as they fall due during this period. The assumptions underpinning these forecasts (and severe yet plausible downside scenarios) are set out in more detail in the Viability Statement on page 39. Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, as well as factoring in the expected proceeds from the sale of Fox Crypto B.V. (see Note 18), the Directors are confident that the Group will have sufficient funds to meet its liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial Statements. This period is referred to as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s consolidated Financial Statements for the period ended 30 September 2024. From a Company perspective, the Company places reliance on other Group trading entities for financial support. The Company controls these Group entities and therefore has the ability to direct the financial activities of the Group. Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial Statements, which is determined as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the period ended 30 September 2024. There are no post-Balance Sheet events which the Directors believe will negatively impact the going concern assessment. Business combinations Business combinations are accounted for by applying the acquisition method at the acquisition date, which is the date on which control is transferred to the Group. The Group controls an entity when the Group is exposed to, or has rights to, variable returns from its involvement with the entity and has the ability to affect those returns through its power over the entity. Acquisitions and disposals The Group measures goodwill at the acquisition date as: • The fair value of the consideration transferred • The recognised amount of any non-controlling interests in the acquiree • If the business combination is achieved in stages, the fair value of the existing equity interest in the acquiree • The fair value of the identifiable assets acquired, and liabilities assumed When the excess is negative, a bargain purchase gain is recognised immediately in profit or loss. The consideration transferred does not include amounts related to the settlement of pre-existing relationships. Such amounts generally are recognised in the Income Statement. Costs related to the acquisition, other than those associated with the issue of debt or equity securities, are expensed as incurred. Any deferred or contingent consideration payable is recognised at fair value at the acquisition date. If the contingent consideration is classified as equity, it is not remeasured, and settlement is accounted for within equity. Otherwise, subsequent changes to the fair value of contingent consideration are recognised in the Income Statement. On a transaction-by-transaction basis, the Group elects to measure non-controlling interests either at their fair value or at their proportionate interest in the recognised amount of the identifiable net assets of the acquiree at the acquisition date. The results of subsidiaries acquired or disposed of during the period are included in the Consolidated Income Statement from the effective date of acquisition or up to the effective date of disposal, as applicable. Comparatives are only restated if a disposed business meets the definition of a discontinued operation under IFRS 5 ‘Non-current Assets Held for Sale and Discontinued Operations’. This restatement occurs only when the disposal represents a separate major line of business or geographical area, or is part of a single co-ordinated plan to dispose of such a line or area. Subsidiaries Subsidiaries are entities controlled by the Group. The Financial Statements of subsidiaries are included in the consolidated Financial Statements from the date that control commences until the date that control ceases. Control is achieved where the Company has the power to govern the financial and operating policies of an investee entity so as to obtain benefits from its activities. Intercompany transactions and balances between subsidiaries are eliminated on consolidation. 1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. NCC Group plc — Annual report and accounts for the period ended 30 September 2024120 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 1 Accounting policies continued Intangible assets and goodwill Goodwill represents the amounts arising from the acquisition of subsidiaries, as well as from the acquisition of trade and assets. In respect of business acquisitions that have occurred since 1 June 2004, goodwill represents the difference between the cost of the acquisition and the fair value of the net identifiable assets acquired including identifiable intangible assets. Identifiable intangibles are those which can be sold separately, or which arise from legal rights regardless of whether those rights are separable. Goodwill is stated at cost less any accumulated impairment losses. Goodwill is allocated to cash generating units (CGUs) and is not amortised but is tested annually for impairment. In respect of equity accounted investees, the carrying amount of goodwill is included in the carrying amount of the investment in the investee. Research and development Expenditure on research activities is recognised in the Income Statement as an expense as incurred. Expenditure on development activities is capitalised as “development costs” if the product or process is technically and commercially feasible, if the Group has the technical ability and sufficient resources to complete development, if future economic benefits are probable and if the Group can measure reliably the expenditure attributable to the intangible asset during its development. Development activities involve a plan or design for the production of new or substantially improved products or processes. Subsequent expenditure is capitalised only when it increases the future economic benefits embodied in the specific asset to which it relates. All other expenditure, including expenditure on internally generated goodwill, is recognised in the Income Statement as an expense as incurred. Software costs The Group capitalises software costs in accordance with the criteria of IAS 38. Software costs comprise third party costs and internal colleague time costs for internal system developments. Capitalised amounts are initially measured at cost and amortised on a straight-line basis over the period for which the developed system is expected to be in use as a business platform. Software costs incurred as part of a service agreement are only capitalised when it can be evidenced that the Group has control over the resources defined in the arrangement. The expenditure capitalised includes the cost of materials, direct labour, overhead costs that are directly attributable to preparing the asset for its intended use and capitalised borrowing costs. Other development expenditure is recognised in the Consolidated Income Statement as an expense as incurred. Software costs are stated at cost less accumulated amortisation and less accumulated impairment losses. When the Group incurs customisation and configuration costs, as part of a service agreement for Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS), judgement is applied in assessing whether the Group has control over the resources defined in the arrangement. These costs are treated in accordance with the March 2019 IFRIC update with regard to the Customer’s Right to Receive Access to the Supplier’s Software Hosted on the Cloud (IAS 38 ‘Intangible Assets’) and the IFRIC interpretation ratified by the Interpretations Committee in April 2021 with regard to Configuration or Customisation Costs in a Cloud Computing Arrangement, as follows: • In specific circumstances, development costs incurred may give rise to an identifiable asset, for example where code/intellectual property hosted on third party cloud infrastructure is controlled by the Group and the cost of moving the asset to another provider or bringing on-premise is not prohibitive. • Amounts paid to the cloud vendor or third party for configuration and customisation that are not distinct from access to the cloud software are expensed over the contract term. • In all other instances, configuration and customisation costs will be expensed as the customisation and configuration services are received, for example a cloud provider’s monthly subscription. Intangible assets Expenditure on internally generated goodwill is recognised in the Income Statement as an expense as incurred. Intangible assets that are acquired by the Group are stated at cost less accumulated amortisation and less accumulated impairment losses. Amortisation Amortisation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of intangible assets unless such lives are indefinite. Intangible assets with an indefinite useful life and goodwill are systematically tested for impairment at each Balance Sheet date. Intangible assets are amortised from the date they are available for use. The estimated useful lives are as follows: Acquired customer contracts and relationships – between three and twenty years Software – between three and five years Capitalised development costs – between three and five years Impairment of non-financial assets The carrying amounts of the Group’s non-financial assets, other than deferred tax assets, are reviewed at each reporting date to determine whether there is any indication of impairment. If any such indication exists, then the asset’s recoverable amount is estimated. For goodwill, and intangible assets that have indefinite useful lives or that are not yet available for use, the recoverable amount is estimated each year at the same time. An impairment review was carried out at 31 May 2023 and 31 May 2024. Following the Group’s change in year end reporting date, the Group has carried out a further review at 30 September 2024 which is expected to be applied consistently as the date for the annual impairment review going forward. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 121 1 Accounting policies continued Impairment of non-financial assets continued The recoverable amount of an asset or cash generating unit is the greater of its value in use (VIU) and its fair value less costs to sell (FVLCTS). FVLCTS has been used for all CGUs for the period ended 30 September 2024 and the comparative period for the year ended 31 May 2023. The FVLCTS valuation for of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA 1 , and applying a reasonable market multiple on the calculated sustainable earnings. For the purpose of impairment testing, assets that cannot be tested individually are grouped together into the smallest group of assets that generates cash inflows from continuing use that are largely independent of the cash inflows of other assets or groups of assets (the “cash generating unit”). The goodwill acquired in a business combination, for the purpose of impairment testing, is allocated to cash generating units (CGUs). Subject to an operating segment ceiling test, for the purposes of goodwill impairment testing, CGUs to which goodwill has been allocated are aggregated so that the level at which impairment is tested reflects the lowest level at which goodwill is monitored for internal reporting purposes. Goodwill acquired in a business combination is allocated to groups of CGUs that are expected to benefit from the synergies of the combination. An impairment loss is recognised if the carrying amount of an asset or its CGU exceeds its estimated recoverable amount. Impairment losses are recognised in the Income Statement. Impairment losses recognised in respect of CGUs are allocated first to reduce the carrying amount of any goodwill allocated to the units, and then to reduce the carrying amounts of the other assets in the unit (group of units) on a pro rata basis. An impairment loss in respect of goodwill is not reversed. In respect of other assets, impairment losses recognised in prior periods are assessed at each reporting date for any indications that the loss has decreased or no longer exists. An impairment loss is reversed if there has been a change in the estimates used to determine the recoverable amount. An impairment loss is reversed only to the extent that the asset’s carrying amount does not exceed the carrying amount that would have been determined, net of depreciation or amortisation, if no impairment loss had been recognised. Related party transactions A related party is a person or entity that is related to the Group or Company. Related party transactions are the transfer of resources, services or obligations between parties regardless of whether a price is charged. In these circumstances, the Group or Company will disclose the nature of the related party relationship as well as information about the transactions and outstanding balances necessary for an understanding of the potential effect of the relationship on the Financial Statements in accordance with IAS 24 ‘Related Party Transactions’. Property, plant and equipment Property, plant and equipment assets are carried at cost less accumulated depreciation and any recognised impairment in value. To the extent that borrowing costs relate to the acquisition, construction or production of a qualifying asset, borrowing costs are capitalised as part of the cost of that asset. Depreciation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of each part of an item of plant and equipment as follows: Computer equipment – between three and five years Fixtures, fittings and equipment – between three and five years Motor vehicles – four years Property, plant and equipment is also tested for impairment whenever there is an indication of potential impairment. Leases At inception of a contract, the Group assesses whether a contract is, or contains, a lease. A contract is, or contains, a lease if the contract conveys the right to control the use of an identified asset for a period of time in exchange for consideration. To assess whether a contract conveys the right to control the use of an identified asset, the Group assesses whether: • The contract involves use of the identified asset; this may be specified explicitly or implicitly and should be physically distinct or represent substantially all of the capacity or a physically distinct asset. If the supplier has a substantive substitution right, then the asset is not identified • The Group has the right to obtain substantially all of the economic benefits from use of the asset and throughout the period of use The Group has the right to direct the use of the asset. The Group has this right when it has the decision-making rights that are most relevant to changing how and for what purpose the asset is used. In rare cases where all the decisions about how and for what purpose the asset is used are predetermined, the Group has the right to direct the use of the asset if either: • The Group has the right to operate the asset • The Group designed the asset in a way that predetermines how and for what purpose it will be used The Group recognises a right-of-use asset and a lease liability at the lease commencement date. The right-of-use asset is initially measured at cost, which comprises the initial amount of the lease liability adjusted for any lease payments made at or before the commencement date, and an estimate of costs to dismantle and remove the underlying asset or to restore the underlying asset or the site on which it is located, less any lease incentives received. The right-of-use asset is subsequently depreciated using the straight-line method from the commencement date to the earlier of the end of the useful life of the right-of-use asset or the end of lease term. The estimated useful lives of right-of-use assets are determined on the same basis as those of property, plant and equipment. In addition, the right-of-use asset is periodically reduced by impairment losses, if any, and adjusted for certain remeasurements of the lease liability. The lease liability is initially measured at the present value of the lease payments that are not paid at the commencement date, discounted using the interest rate implicit in the lease or, if that rate cannot be readily determined, the Group’s incremental borrowing rate. 1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. NCC Group plc — Annual report and accounts for the period ended 30 September 2024122 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 1 Accounting policies continued Leases continued The lease liability is measured at amortised cost using the effective interest method. It is remeasured when there is a change in future lease payments arising from a change in an index or rate, if there is a change in the Group’s estimate of the amount expected to be payable, or if the Group changes its assessment of whether it will exercise a purchase, extension or termination option. When the lease liability is remeasured in this way, a corresponding adjustment is made to the carrying amount of the right-of-use asset or is recorded in the Income Statement if the carrying amount of the right-of-use asset has been reduced to zero. The Group has elected not to recognise right-of-use assets and lease liabilities for short-term leases that have a lease term of 12 months or less and leases of low value assets, including certain IT equipment. The Group recognises the lease payments associated with these leases as an expense on a straight-line basis over the lease term. Lease rental costs in respect of short-term leases (less than one year) and low value assets which are exempt from being accounted for under IFRS 16 are charged to the Income Statement on a straight-line basis over the period of the lease. Investments Investments in subsidiaries are carried at cost less impairment. Investments in property and unlisted shares are carried at cost less impairment, which is based on the fair value at acquisition. Financial instruments Financial assets and financial liabilities, in respect of financial instruments, are recognised in the Group and Parent Balance Sheet when the Group or Company becomes a party to the contractual provisions of the instrument. Classification and measurement of financial assets and liabilities Classification of financial assets is generally based on the business model in which the financial asset is managed and its contractual cash flow characteristics. A financial asset is measured at amortised cost if it is held with the objective of collecting the contractual cash flows and its contractual terms give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding. All other financial assets are measured at fair value through other comprehensive income or the Income Statement. Financial assets at amortised cost Trade and other receivables Trade and other receivables are classified as financial assets at amortised cost in accordance with IFRS 9 ‘Financial Instruments’. This classification is applied to receivables such that the asset is to collect contractual cash flows. Trade and other receivables are initially recognised at their fair value, which is typically the transaction price. Subsequently, these assets are measured at amortised cost, less any provision for expected credit losses (ECLs). Under the IFRS 9 “expected credit loss” model, a credit event (or impairment “trigger”) no longer needs to occur before credit losses are recognised. The Group analyses the risk profile of trade receivables based on past experience and an analysis of the receivables’ current financial position, potential for a default event to occur, adjusted for specific factors, forward-looking general economic conditions of the industry in which the receivables operate, and assessment of both the current and the forecast direction of conditions at the reporting date. A default event is considered to occur when information is obtained that indicates that a receivable is unlikely to be paid to the Group. Credit risk is regularly reviewed by management to ensure the expected credit loss (ECL) model is being appropriately applied. The Group has performed the calculation of ECL separately for each business unit. Financial liabilities at amortised cost Trade payables Trade payables are other financial liabilities initially measured at fair value and subsequently measured at amortised cost. Borrowings Interest-bearing bank loans are initially recorded at their fair value and subsequently held at amortised cost. Transaction costs incurred are amortised over the term of the loan. Assets held for sale Assets are classified as held for sale if their carrying amount is to be recovered principally through a sale transaction rather than through continuing use. This condition is regarded as met only when the sale is highly probable within one year from the date of classification and the assets are available for sale in their present condition. Assets held for sale are stated at the lower of the carrying amount and fair value less costs to dispose. Inventories Inventories are valued at the lower of cost and new realisable value. Net realisable value is the estimated selling price in the ordinary course of the business, less applicable variable selling expenses. Items in transit where the Group has control are included in inventories. Revenue recognition Summary The Group provides independent global Cyber Security and Escode services. The revenue streams in relation to Cyber Security include: • Global Professional Services (GPS) – global Cyber Security consultancy services • Global Managed Services (GMS) – operational cyber defence, incident response, scanning, simulation and managed security operations centres (SOCs) including new Microsoft XDR (Sentinel) propositions • Product sales – sale of own manufactured and/or resale of third party products Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 123 1 Accounting policies continued Revenue recognition continued Summary continued The revenue streams in relation to Escode include: • Escrow contract services – securely maintain in “escrow” the long-term availability of business-critical software and applications • Verification services – verify source code, and provide a fully managed secure service and result validation While the detailed recognition is contract specific, and set out in the table on pages 124 to 127, in most cases: • GPS revenues are recognised on an input method over time • GMS revenues are bifurcated according to the separate performance obligations (see pages 125 and 126) • Product sales are recognised when control passes, usually on delivery • Escrow contract revenues are recognised over time • Verification services are recognised on the completion of the verification service Revenue is presented net of VAT and other sales related taxes. Revenue is measured based on the consideration specified in a contract with a customer. The Group recognises revenue when it transfers control over a good or service to a customer. The Group does not have any material obligations in respect of returns, refunds or warranties. The impact of any financing component within contracts with customers has been assessed and concluded to be immaterial. On contract inception, the probability of collectability is assessed across the Group and, unless there is a significant change in facts and circumstances, revenue is recognised. During the period, no instances have been identified where reassessment of the collectability has had to be reassessed, nor have there been any new contracts with customers for which the collection of consideration has not been assessed at inception as probable. Detailed policies The following table provides information about the nature and timing of the satisfaction of performance obligations in contracts with customers by reportable segments, including significant payment terms, and the related revenue recognition policies. Timing of satisfaction of performance Revenue recognition policies, including determination Revenue stream Nature obligations and significant payment terms of transaction price and rationale Global GPS is the Group’s core The customer simultaneously Revenue is recognised on an input basis to Professional consulting service represented receives the benefits of the measure the satisfaction of performance Services (GPS) by consultants providing Cyber consulting services provided by obligations over time. This is done according Security consultancy services the Group in the period over which to the number of days worked in comparison to a customer over time or to a the work is performed and one to the total contracted number of days of the set deliverable. promise (performance obligation) performance obligation. The work performed Some contracts may contain is identified. Work is performed occurs on a daily basis (for example security multiple services (e.g. Cyber on a daily basis. assessment of a customer’s security Security assessment and Invoices are raised monthly or environment). certified product evaluation based on an agreed invoicing It is considered that as the customer benefits services). These will be profile with the customer. over time based on consultants’ time, the identified as separate Invoices are usually payable input method faithfully depicts the Group’s performance obligations, and within 30 days. performance towards complete satisfaction the transaction price allocated of the single performance obligation. to each of these is determined No discounts or retrospective Transaction price is determined by fixed by using a fixed contract rate rebates are provided. contract rates based upon day rates and based upon day rates, being number of days. the relative standalone selling price basis. Specifically, the contract terms range from time and materials (based upon consultants’ time and expenses) to discrete statements of work, whereby the customer benefits gradually over the period over which the work is performed, unless there is a set deliverable (for example a defined security assessment report). NCC Group plc — Annual report and accounts for the period ended 30 September 2024124 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 Timing of satisfaction of performance Revenue recognition policies, including determination Revenue stream Nature obligations and significant payment terms of transaction price and rationale Global The Group in certain situations The customer simultaneously Revenue is recognised on an input basis to Professional operates on agreed customer receives and consumes the benefits measure the satisfaction of performance Services (GPS) terms, which allow the Group of the consulting services provided obligations over time. continued to recover any abortive by the Group over the period over Transaction price is determined by fixed revenue from its customer in which the work is performed by contract rates based upon day rates and the event that a customer the Group and one performance number of consultancy days. Invoices in terminates a contract before obligation is identified. This is done relation to the abortive revenue will be the contract or deliverable according to the number of days recognised when aborted. is complete. worked in comparison to the total contracted number of days of the performance obligation. Invoices are usually payable within 30 days. Global Managed These services provide The customer will benefit from The amount of revenue recognised in relation Services (GMS) operational cyber defence, the services over the period of to software licence(s) depends on whether the incident response, scanning, the contract. Group acts as an agent or as a principal. simulation and managed However, the type of contract The Group acts as principal when the Group security operations centres will depend on how the customer controls the specified software licence or (SOCs). Services are typically benefits from the software service prior to transfer (MSP model). for an extended delivery licence(s). duration, with contract lengths When the Group acts as a principal the varying up to a maximum of Where an MSP model is selected revenue recorded is the gross amount billed. five years. by the customer, the Group The transaction price is determined by a The proposition will also generally recognises three contract price (cost plus mark-up). The provide the customer with performance obligations: transaction price for the overall service is outlined within the customer contract. In software licence(s) to enable • Set-up fees certain scenarios, the contract will outline the these services to occur. • Post-go-live fees price for each performance obligation, which is On this basis, the Group • Combined monitoring cyber considered to be the standalone selling price operates two types of and licence service of the services/goods, and the transaction contracts: Where the licence and monitoring price is allocated to each performance obligation on this basis. Where the contract • A Managed Service Provider services terms are not coterminous, does not stipulate the price per performance (MSP) model whereby the they are treated as separate obligation, management determines the customer is supplied with performance obligations. relative standalone selling price for each one complete integrated The MSP model is considered to performance obligation based on the residual service including the be under a principal arrangement approach. This is assessed by reference to the software licence(s) whereby the Group controls the total transaction price less the sum of the • A reseller model whereby the service prior to transfer. observable standalone selling prices of the Group sources the software other services promised in the contract. The licence(s) on behalf of the Where a reseller model is selected contract transaction price is allocated to each customer and provides the by the customer, the Group performance obligation in proportion to those Managed Detection and recognises four performance standalone selling prices. Response services obligations: Under a reseller model, the Group’s These services will also • Sourced software licence(s) responsibility is to arrange for a third party to include set-up fees. Set-up • Set-up fees provide a specified software licence(s) to the fees represent workshops, • customer. In these cases, the Group is acting design and configuration to Post-go-live fees as an agent and the Group does not control the create a “connection” • Monitoring cyber service relevant licence(s) before it is transferred to between systems. The reseller model is considered to the customer. In particular, the Group does not Following services going live, be under an agency arrangement have inventory risk, have access to its source the Group will also provide a whereby the customer receives the code or hold the IP rights. certain level of professional benefit and control of the licence When the Group is acting as an agent, the service consultancy days on delivery. revenue is recorded at the net amount retained based on a day rate Invoices are raised monthly or (commission) at a point in time as the customer (post-go-live fees). based on an agreed invoicing receives immediate benefit from access to the profile with the customer. licence and the Group does not have any further Invoices are usually payable obligations in relation to the provision of the within 30 days. licence. The commission transaction value represents the mark-up on the licence provided. 1 Accounting policies continued Revenue recognition continued Detailed policies continued Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 125 Timing of satisfaction of performance Revenue recognition policies, including determination Revenue stream Nature obligations and significant payment terms of transaction price and rationale Global Managed The majority of set-up fees relate to the MSP model. Services (GMS) Set-up fees are recognised over time of the set-up. continued The set-up activities are completed by a separate deployment team that typically spans a period of one to two months. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group one the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or together with the other goods and services that are readily available and the promise to transfer the goods or service is distinct. The set-up fees are based on day rates incurred (defined by an in-house day rate sales pricing matrix). Accordingly, the charge out rates are recognised and allocated to these tasks when performed akin to technical professional day rate services. These rates are considered to be the standalone selling prices and are not discounted or reduced for other services. Post-go-live fees are recognised on delivery of consultancy services over time as the customer obtains incremental benefit from the hours provided. Revenue is recognised on an input basis (day rates) to measure the satisfaction of performance obligations over time. Transaction price is determined by fixed contract rates based upon day rates and number of post-go-live consultancy days. Where one performance obligation, being a combined monitoring cyber and licence service, is identified in relation to the MSP model monitoring service, revenue is recognised over the contract length as the software and monitoring process is an overall service, whereby the Group retains control of the licence and provides a complete monitoring service to the customer. If the customer cancels the contract, the Group will retain control of the licence. Where separate performance obligations are identified for monitoring services and the licence, revenue is recognised over the period the respective services are offered, in line with the underlying contract. The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily and therefore revenue is recognised on straight-line basis as the performance obligation is satisfied over time. The transaction price is determined by fixed contract rates for the services. Revenue in relation to the reseller model monitoring service is recognised over the contract length on a straight-line basis as the performance obligation is satisfied over time. The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily on straight-line basis. 1 Accounting policies continued Revenue recognition continued Detailed policies continued NCC Group plc — Annual report and accounts for the period ended 30 September 2024126 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 Timing of satisfaction of performance Revenue recognition policies, including determination Revenue stream Nature obligations and significant payment terms of transaction price and rationale Product sales This revenue represents The customer only benefits from Revenue is recognised when control of the sale of own manufactured the products on delivery. the product is transferred to the customer. and/or resale of third party Invoices are raised monthly or This occurs upon delivery under the products with no connection based on an agreed invoicing contractual terms. to other Group services. profile with the customer. On certain sales of third party products, the Invoices are usually payable control of the product is considered to pass within 30 days. from the vendor to the end customer and in these cases the Group acts as an agent, and hence only records a commission on sale as opposed to gross revenue and costs of sale. Long-term fixed This revenue represents Delivery of the product is Revenue is recognised on an input basis to price contracts the long-term development considered to represent one measure the satisfaction of the performance and/or manufacture of performance obligation. obligation over time. This is done according to specialised software and The development and/or total costs incurred in comparison to the total hardware solutions. manufacturing work carried out expected costs to be incurred to satisfy the by the Group is not considered to performance obligation. This input measure is create an asset with an alternative driven by the nature of the activities carried use to the entity. The Group is out in satisfying the performance obligation. entitled to payment as performance The transaction price is fixed within the terms of the contract is completed. On of the contractual arrangement. this basis, revenue is recognised over time. Invoices are raised based on achievements of pre-defined milestones in the contract. Invoices are usually payable within 30 days. Escode Escrow contract These services securely The customer benefits from the Revenue is recognised over time on a straight- services maintain in “escrow” the escrow service evenly over a line basis representing the service delivery long-term availability of contract period, usually at least agreement. The nature of the agreement gives business-critical software and a year and potentially up to rise to the customer having the benefit of Escode applications while protecting three years. if and when required over the contract period. the intellectual property rights The service represents one Revenue is recognised on a straight-line basis (IPR) of technology partners. performance obligation. as the pattern of benefit to the customer as well The service will include set-up as the Group’s efforts to fulfil the contract are time, which is administrative Invoices are raised based on generally even throughout the period. in nature. an agreed invoicing profile with The transaction price is determined by a the customer. contract price. Invoices are usually payable Set-up time is not considered distinct and a within 30 days. separate performance obligation due to the administrative nature and therefore is recognised over the period of the contract. Verification These services verify source The customer benefits from the Revenue is recognised on completion of the services code based upon an agreed verification service on completion verification services. scope between all parties and because the source code will only Transaction price is determined by fixed provide a fully managed secure have been fully verified/validated contract rates based upon day rates and service and result validation, at that point. number of verification days. typically delivered over a short The service represents one period of time (days). performance obligation. These include SaaS services Invoices are raised monthly or and ICANN services. based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. 1 Accounting policies continued Revenue recognition continued Detailed policies continued Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 127 1 Accounting policies continued Contract costs Contract costs comprise incremental sales commissions paid to sales agents or external third parties, which can be directly attributed to an acquired or retained contract. Capitalised commission costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services when the related revenues are recognised. In all other cases, all internal and external costs of obtaining the contract are recognised as incurred. Costs directly incurred in fulfilling a contract with a customer, which comprise labour hours on long-term contracts, are recognised as an asset to the extent they are recoverable. Such costs are amortised on a systematic basis that is consistent with the transfer to the customer of the services when the related revenues are recognised. Accrued income (contract asset) Accrued income represents the Group’s rights to consideration for work completed but not billed at the reporting date. Remaining balances are transferred to receivables when the rights become unconditional. Deferred revenue (contract liability) Deferred revenue represents advanced consideration received from customers for which revenue is recognised over time as services are rendered. Long-term loss-making contracts Long-term contracts are reviewed annually to establish if the contract is onerous in nature. In particular, the long-term contract becomes an onerous contract when the unavoidable costs (i.e. the lower of the cost of fulfilling the contract and any compensation or penalties arising from failure to fulfil it) exceed the economic benefits expected to be received under the contract. The assessment of cost to fulfil includes costs that relate directly to the contract and includes direct costs of production, direct costs of supplies/ hardware from external suppliers (materials), direct labour in relation to performance obligations and if appropriate any potential contractual fine dependent on items (performance obligations) not being delivered/performed. Any assets dedicated to the specific contract are also tested for potential impairment. Determination and presentation of operating segments The Group determines and presents operating segments based on the information that is provided to the Board, which acts as the Group’s Chief Operating Decision Maker (CODM) in order to assess performance and to allocate resources. An operating segment is a component of the Group that engages in business activities from which it may earn revenues and incur expenses, including revenues and expenses that relate to transactions with any of the Group’s other components. An operating segment’s results are reviewed regularly by the CODM to make decisions about resources to be allocated to the segment and to assess its performance. The Group reports its business in two key segments: the Cyber Security division and the Escode division. The two reporting segments provide distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. The operating segments are grouped into the reporting segments on the basis of how they are reported to the CODM. Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their relatively homogeneous commercial and strategic market environments. Both of the Group’s divisions (segments) are run by a senior executive team; those teams make all decisions on resource allocation, product development, marketing and areas for focus and investment. Allocation of central costs Some costs are collected and managed in one location but are actually incurred on behalf of multiple operating segments or reporting segments. These costs are then allocated to the reporting segments. The allocation is based on logical or activity driven cost algorithms. The allocation is necessary to give an accurate picture of the consumption of resources by each reporting segment. Individually Significant Items (ISI) Individually Significant Items are identified as those items or projects that based on their size and nature and/or incidence are assessed to warrant separate disclosure to provide supplementary information to support the understanding of the Group’s financial performance. Where a project spans a reporting period(s) the total project size and nature are considered in totality. ISIs typically comprise costs/profits/losses on material acquisitions/disposals/business exits, fundamental reorganisation/restructuring programmes and other significant one-off events (including material impairments). ISIs are considered to require separate presentation in the Notes to the Financial Statements in order to fairly present the financial performance of the Group. See Note 4 for further information. Foreign currencies Transactions in foreign currencies are recorded using the appropriate monthly exchange rate ruling at the date of the transaction. Monetary assets and liabilities denominated in foreign currencies are retranslated using the exchange rate ruling at the Balance Sheet date and the gains or losses on translation are included in the Income Statement. The assets and liabilities of overseas subsidiaries denominated in foreign currencies are retranslated at the exchange rate ruling at the Balance Sheet date. The income statements of overseas subsidiary undertakings are translated at the average exchange rates for the financial year. Gains and losses arising on the retranslation of overseas subsidiary undertakings are taken to the currency translation reserve. They are released to the Income Statement upon disposal of the subsidiary to which they relate. Derivative financial instruments and hedge accounting The Group holds derivative financial instruments to hedge its foreign currency risk exposures. Derivatives are initially measured at fair value. Subsequent to initial recognition, derivatives are measured at fair value, and changes therein are generally recognised in profit or loss. The Group designates certain derivatives as hedging instruments to hedge the variability in cash flows associated with highly probable forecast transactions arising from changes in foreign exchange rates. At inception of designated hedging relationships, the Group documents the risk management objective and strategy for undertaking the hedge. The Group also documents the economic relationship between the hedged item and the hedging instrument, including whether the changes in cash flows of the hedged item and hedging instrument are expected to offset each other. NCC Group plc — Annual report and accounts for the period ended 30 September 2024128 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 1 Accounting policies continued Cash flow hedges When a derivative is designated as a cash flow hedging instrument, the effective portion of changes in the fair value of the derivative is recognised in OCI and accumulated in the hedging reserve. The effective portion of changes in the fair value of the derivative that is recognised in OCI is limited to the cumulative change in fair value of the hedged item, determined on a present value basis, from inception of the hedge. Any ineffective portion of changes in the fair value of the derivative is recognised immediately in profit or loss. The Group designates only the change in fair value of the spot element of forward exchange contracts as the hedging instrument in cash flow hedging relationships. The change in fair value of the forward element of forward exchange contracts (forward points) is separately accounted for as a cost of hedging and recognised in a cost of hedging reserve within equity. When the hedged forecast transaction subsequently results in the recognition of a non-financial item, the amount accumulated in the hedging reserve and the cost of hedging reserve is included directly in the initial cost of the non-financial item when it is recognised. For all other hedged forecast transactions, the amount accumulated in the hedging reserve and the cost of hedging reserve is reclassified to profit or loss in the same period or periods during which the hedged expected future cash flows affect profit or loss. If the hedge no longer meets the criteria for hedge accounting or the hedging instrument is sold, expires, is terminated or is exercised, then hedge accounting is discontinued prospectively. When hedge accounting for cash flow hedges is discontinued, the amount that has been accumulated in the hedging reserve remains in equity until, for a hedge of a transaction resulting in the recognition of a non-financial item, it is included in the non-financial item’s cost on its initial recognition or, for other cash flow hedges, it is reclassified to profit or loss in the same period or periods as the hedged expected future cash flows affect profit or loss. If the hedged future cash flows are no longer expected to occur, then the amounts that have been accumulated in the hedging reserve and the cost of hedging reserve are immediately reclassified to profit or loss. Defined contribution pensions The Group operates a defined contribution pension scheme. The assets of the scheme are kept separate from those of the Group in an independently administered fund. The amount charged as an expense in the Income Statement represents the contributions payable to the scheme in respect of the accounting period. Short-term benefits Short-term colleague benefit obligations are measured on an undiscounted basis and are expensed as the related service is provided. A liability is recognised for the amount expected to be paid under short-term cash bonus or profit-sharing plans if the Group has a present legal or constructive obligation to pay this amount as a result of past service provided by the colleague and the obligation can be estimated reliably. Share-based payment transactions Share-based payments in which the Group receives goods or services as consideration for its own equity instruments are accounted for as equity settled share-based payment transactions, regardless of how the equity instruments are obtained by the Group. The grant date fair value of share-based payment awards granted to colleagues is recognised as a colleague expense, with a corresponding increase in equity, over the period that the colleagues become unconditionally entitled to the awards. The fair value of the options granted is measured using an option valuation model, taking into account the terms and conditions upon which the options were granted. The amount recognised as an expense is adjusted to reflect the actual number of awards for which the related service and non- market vesting conditions are expected to be met, such that the amount ultimately recognised as an expense is based on the number of awards that do meet the related service and non-market performance conditions at the vesting date. For share-based payment awards with non-vesting conditions, the grant date fair value of the share-based payment is measured to reflect such conditions and there is no true-up for differences between expected and actual outcomes. Share-based payment transactions in which the Group receives goods or services by incurring a liability to transfer cash or other assets that is based on the price of the Group’s equity instruments are accounted for as cash settled share-based payments. The fair value of the amount payable to colleagues is recognised as an expense, with a corresponding increase in liabilities, over the period in which the colleagues become unconditionally entitled to payment. The liability is remeasured at each Balance Sheet date and at settlement date. Any changes in the fair value of the liability are recognised as personnel expense within the Income Statement. Where the Company grants options over its own shares to the colleagues of a subsidiary it recognises in its individual Financial Statements, an increase in the cost of investment in that subsidiary equivalent to the equity settled share-based payment charge is recognised in respect of that subsidiary in its consolidated Financial Statements with the corresponding credit being recognised directly in equity. Holiday or vacation pay The Group recognises a liability in the Balance Sheet for any earned but not yet taken holiday entitlement for staff. Earned holiday is calculated on a straight-line basis over a holiday year, which can vary by business unit. Taken holiday is based on actually taken holiday. Any movement in the liability between the opening and closing balance in the period is recorded as a colleague cost or a reduction in colleague costs in the Income Statement in the period. Borrowings Borrowings are recognised initially at fair value less attributable transaction costs. Subsequent to initial recognition, borrowings are stated at amortised cost with any difference between cost and redemption value being recognised in the Income Statement over the period of the borrowings on an effective interest basis. Finance costs Finance costs are recognised within the Income Statement in the period in which they are incurred. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 129 1 Accounting policies continued Provisions Provisions are determined by discounting the expected future cash flows at a pre-tax rate that reflects current market assessments of the time value of money and the risks specific to the liability. The unwinding of the discount is recognised as finance cost. Taxation Taxation on the profit or loss for the period comprises current and deferred taxation. Taxation is recognised in the Income Statement except to the extent that it relates to items recognised directly in equity, in which case it is recognised in equity. Current tax is the expected tax payable or receivable on the taxable income or loss for the period, using tax rates enacted or substantively enacted at the Balance Sheet date, and any adjustment to tax payable in respect of previous years. Deferred tax is provided on temporary differences between the carrying amounts of assets and liabilities for financial reporting purposes and the amounts used for taxation purposes. The following temporary differences are not provided for: the initial recognition of goodwill; the initial recognition of assets or liabilities that affect neither accounting nor taxable profit other than in a business combination; and differences relating to investments in subsidiaries to the extent that they will probably not reverse in the foreseeable future. The amount of deferred tax provided is based on the expected manner of realisation or settlement of the carrying amount of assets and liabilities, using tax rates enacted or substantively enacted at the Balance Sheet date. A deferred tax asset is recognised only to the extent that it is probable that future taxable profits will be available against which the temporary difference can be utilised. Deferred tax assets and liabilities are offset where there is a legally enforceable right to offset current tax assets and liabilities and where the deferred tax balances relate to the same taxation authority. Current tax assets and tax liabilities are offset where the entity has a legally enforceable right to offset and intends either to settle on a net basis, or to realise the asset and settle the liability simultaneously. UK RDEC (Research and Development expenditure credits) tax credits are recognised for the UK tax jurisdiction within administrative expenses and R&D US tax credits within income tax for the US tax jurisdiction. Intra-group financial instrument From time to time, the Company enters into financial guarantee contracts to guarantee the indebtedness of its subsidiaries. The Company accounts for these contracts under IFRS 9. Financial guarantee contracts are initially measured at fair value and subsequently measured at the higher of fair value and the expected credit loss. Cash and cash equivalents Cash and cash equivalents comprise cash in hand and deposits repayable on demand. Bank overdrafts that are repayable on demand form part of the Group’s cash management and are included as a component of cash and cash equivalents for the purpose only of the Statement of Cash Flows. These facilities are considered to form an integral part of the treasury management of the Group and can fluctuate from positive to negative balances during the period. Treasury shares The Group operates an Employee Share Ownership Trust (ESOT), which holds shares for the benefit of employees under the Group’s share-based payment schemes. Shares held by the ESOT are classified as treasury shares in the consolidated Financial Statements and are presented as a deduction from equity. Consideration received for the sale of such shares is also recognised in equity, with any difference between the proceeds from sale and the original cost being taken to reserves. No gain or loss is recognised in the Income Statement on the purchase, sale, issue or cancellation of equity shares. To the extent the Company makes funds available to the ESOT under the terms of a formal loan arrangement, this loan arrangement is recognised as an intergroup loan receivable within current assets. The recoverability of this loan receivable is reviewed at each reporting date, and where objective evidence of impairment exists, an impairment loss is recognised in accordance with IFRS 9 ‘Financial Instruments’. 2 Critical accounting judgements and key sources of estimation uncertainty The preparation of Financial Statements requires management to exercise judgement in applying the Group’s accounting policies. Different judgements would have the potential to change the reported outcome of an accounting transaction or Balance Sheet. It also requires the use of estimates that affect the reported amounts of assets, liabilities, income and expenses. Actual results may differ from these estimates. Estimates and underlying assumptions are reviewed on an ongoing basis, with changes recognised in the period in which the estimates are revised and in any future periods affected. The table below shows the area of critical accounting judgement and estimation that the Directors consider material and that could reasonable change significantly in the next year. Accounting area Accounting judgement? Accounting estimate? Carrying value of Goodwill No Yes 2.1 Critical accounting judgements No critical accounting judgements have been made in applying accounting policies that have the most significant effects on the amounts recognised in the consolidated Financial Statements. NCC Group plc — Annual report and accounts for the period ended 30 September 2024130 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 2 Critical accounting judgements and key sources of estimation uncertainty continued 2.2 Key sources of estimation uncertainty Information about estimation uncertainties that have a significant risk of resulting in a material adjustment to the carrying values of assets and liabilities within the next financial year is addressed below. While every effort is made to ensure that such estimates and assumptions are reasonable, by their nature they are uncertain, and as such changes in estimates and assumptions may have a material impact. Estimates and assumptions used in the preparation of the Financial Statements are continually reviewed and revised as necessary as at each reporting date. The Directors have considered the impact of climate change on the following estimation uncertainties. Due to nature of the climate change impact on the Group, no material impact has been identified. Carrying value of goodwill The Group has significant balances relating to goodwill as at 30 September 2024 as a result of acquisitions of businesses in previous years. The carrying value of goodwill at 30 September 2024 is £156.5m (31 May 2023: £255.8m). Goodwill balances are tested annually for impairment. The Group allocated goodwill to cash generating units (CGUs) which represent the lowest level of asset groupings that generate separately identifiable cash inflows that are not dependent on other CGUs. Impairment of goodwill – North America Cyber Security For the period ended 30 September 2024, tests for impairment are based on the calculation of a fair value less costs to sell (FVLCTS) which has been used to establish the recoverable amount of the CGU. The FVLCTS valuation for of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA 1 , and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation include a key assumption regarding a sustainable gross margin percentage for the business. Reasonable changes in the key assumptions used to determine the sustainable earnings can materially impact the outcomes of the impairment reviews and the impairment charges recognised. An analysis of the Group’s goodwill, the methodology used to test for impairment and sensitivity analysis relating to the sustainable earnings are set out in note 11. Reallocation of goodwill – Europe Cyber Security During June 2024, as part of the expected disposal of the Fox Crypto B.V. entity, the Group reorganised its reporting structure to separate out the Fox Crypto B.V. entity from the Europe Cyber Security CGU. On this basis the Europe Cyber Security goodwill has been reallocated between the newly created Fox Crypto CGU and the remaining Europe Cyber Security CGU. Goodwill has been reallocated based on adjusted relative values of the two CGUs, whereby the value of each CGU is based on FVLCTS. Goodwill allocated to the Fox Crypto CGU has been reclassified to asset held for sale (see note 18). See note 11 for sensitivity analysis in regard to the reallocation of goodwill between Fox Crypto and Europe Cyber Security. 3 Segmental information The Group is organised into the following two (2023: two) reportable segments: Cyber Security and Escode. The two reporting segments provide distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. These operating segments are deemed to hold similar economic characteristics. The operating segments are grouped into the reporting segments on the basis of how they are reported to the Chief Operating Decision Maker (CODM) for the purposes of IFRS 8 ‘Operating Segments’, which is considered to be the Board of Directors of NCC Group plc. Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their relatively homogeneous commercial and strategic market environments. Performance is measured based on reporting segment profit, with interest and tax not allocated to business segments. There are no intra-segment sales. Cyber Central and Security Escode head office Group Segmental analysis for the period ended 30 September 2024 £m £m £m £m Revenue 342.1 87.4 — 429.5 Cost of sales (224.1) (26.7) — (250.8) Gross profit 118.0 60.7 — 178.7 Gross margin % 34.5% 69.5% — 41.6% Administrative expenses (97.3) (24.1) (3.4) (124.8) Share-based payments (0.1) (0.2) (2.0) (2.3) Depreciation and amortisation (10.9) (0.6) (5.3) (16.8) Amortisation of acquired intangibles (1.4) (7.1) (4.0) (12.5) Individually Significant Items (Note 4) (41.4) (0.1) — (41.5) Operating (loss)/profit (33.1) 28.6 (14.7) (19.2) Finance costs (8.3) Loss before taxation (27.5) Taxation (5.0) Loss for the period (32.5) 1 Revenue at constant currency, Adjusted EBITDA, and net debt excluding lease liabilities are Alternative Performance Measures (APMs) rather than IFRS measures. For an explanation of APMs and adjusting items, including a reference to the reconciliation with statutory information, please see appendix 2. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 131 3 Segmental information continued Cyber Central and Security Escode head office Group Segmental analysis for the year ended 31 May 2023 £m £m £m £m Revenue 270.8 64.3 — 335.1 Cost of sales (184.7) (18.4) — (203.1) Gross profit 86.1 45.9 — 132.0 Gross margin % 31.8% 71.4% — 39.4% Administrative expenses (70.7) (14.7) (5.2) (90.6) Share-based payments (1.6) (0.1) (0.5) (2.2) Depreciation and amortisation (8.5) (0.6) (3.5) (12.6) Amortisation of acquired intangibles (1.2) (5.8) (3.0) (10.0) Individually Significant Items (Note 4) (12.3) (2.4) — (14.7) Operating (loss)/profit (8.2) 22.3 (12.2) 1.9 Finance costs (6.2) Loss before taxation (4.3) Taxation (0.3) Loss for the year (4.6) Cyber Central and Security Escode head office Group Segmental analysis for the period ended 30 September 2024 £m £m £m £m Additions to non-current assets 12.6 1.6 4.0 18.2 Reportable segment assets 183.8 198.8 37.5 420.1 Reportable segment liabilities (77.2) (24.7) (113.0) (214.9) Cyber Central and Security Escode head office Group Segmental analysis for the year ended 31 May 2023 Restated £m £m £m £m Additions to non-current assets 7.0 0.3 4.3 11.6 Reportable segment assets 238.8 209.1 53.5 501.4 Reportable segment liabilities (131.4) (21.0) (70.8) (223.2) * The prior year figures have been restated following a review of the Group’s segmental goodwill allocation. £143.7m of goodwill previously allocated to the central and head office segment has been reallocated to the Cyber Security (£115.1m) and Escode (£28.6m) segments to better reflect the Group’s operational structure and ensure consistency with the segment disclosures in Note 11, Goodwill and Intangible Assets. In the prior presentation, the UK reportable segment assets were as follows: £197.2m for central and head office, £180.5m for Escode, and £123.7m for Cyber Security. The central and head office cost centre is not considered to be a separate operating segment nor part of any other operating segment as it does not generate any revenues. Included within central and head office are assets and liabilities not specifically allocated to the reporting segments and include investments, head office tangible and intangible assets, deferred tax assets and liabilities, right-of-use assets and associated lease liabilities, Parent Company cash balances, the RCF facility and certain provisions. Central and head office assets and liabilities are disclosed to allow a reconciliation back to the Group’s assets and liabilities. The net book value of non-current assets (excluding deferred tax assets) is analysed geographically as follows: Restated * 2024 2023 £m £m UK 85.9 96.9 APAC 5.4 2.4 North America 164.3 222.6 Europe 18.0 76.2 Total non-current assets 273.6 398.1 * The prior year figures have been restated to re-allocate £67.7m of goodwill from the UK to Europe to ensure consistency with Note 11, Goodwill and Intangible Assets. The UK previously presented £164.6m of non-current assets and Europe previously presented £8.5m of non-current assets. NCC Group plc — Annual report and accounts for the period ended 30 September 2024132 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 3 Segmental information continued Revenue is disaggregated by primary geographical market, by category and by timing of revenue recognition as follows: Cyber 2024 Cyber 2023 Security Escode Total Security Escode Total £m £m £m £m £m £m Revenue by originating country UK 158.9 36.5 195.4 106.6 25.8 132.4 APAC 14.4 — 14.4 11.8 — 11.8 North America 90.7 45.5 136.2 99.3 34.5 133.8 Europe 78.1 5.4 83.5 53.1 4.0 57.1 Total revenue 342.1 87.4 429.5 270.8 64.3 335.1 Cyber 2024 Cyber 2023 Security Escode Total Security Escode Total £m £m £m £m £m £m Revenue by category Services 337.5 87.4 424.9 267.1 64.3 331.4 Products 4.6 — 4.6 3.7 — 3.7 Total revenue 342.1 87.4 429.5 270.8 64.3 335.1 Cyber 2024 Cyber 2023 Security Escode Total Security Escode Total £m £m £m £m £m £m Timing of revenue recognition Services and products transferred over time 322.1 57.9 380.0 252.9 42.8 295.7 Services and products transferred at a point in time 20.0 29.5 49.5 17.9 21.5 39.4 Total revenue 342.1 87.4 429.5 270.8 64.3 335.1 The total future revenue from the remaining term of the Group’s contracts, for performance obligations not yet delivered as of 30 September 2024, is £251.4m (restated 2023 * : £122.7m). The Group expects this revenue to be recognised over the respective contract terms between FY25 and FY29. * The prior year figure has been restated to better align with the disclosure requirements of IFRS 15, following a review of the Group’s customer base, which identified £122.7m of unsatisfied performance obligations as at 31 May 2023. As part of the Group’s ongoing transformation and the implementation of its new strategy, Cyber Security revenue is now analysed in greater detail by service type and capability. This change in analysis enables the Group to better focus on existing customers, as well as on simplifying operations and the core services provided. The analysis is as follows: Restated * 2024 2023 £m £m Technical Assurance Services (TAS) 141.4 142.9 Consulting and Implementation (C&I) 55.2 44.7 Managed Services (MS) 91.8 50.1 Digital Forensics and Incident Response (DFIR) 20.6 13.5 Other services 33.1 19.6 Total Cyber Security revenue 342.1 270.8 * TAS, C&I and DFIR were formerly included within Global Professional Services (GPS as defined within the FY23 Annual Report) and Global Managed Services (GMS as defined within the FY23 Annual Report) is now reported as MS. Revenue is recognised on these capabilities as follows: • TAS, C&I and DFIR consulting revenues are recognised on an input method over time • MS revenues (including recurring revenue elements of DFIR) are bifurcated according to their separate performance obligations. The recognition policy is consistent with that disclosed for GMS in the FY23 Annual Report 1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 133 3 Segmental information continued Escode revenues analysed by service line: 2024 2023 £m £m Escrow contracts 57.2 42.8 Verification services 30.2 21.5 Total Escode revenue 87.4 64.3 4 Individually Significant Items (ISI) The Group separately identifies items as Individually Significant Items. Each of these is considered by the Directors to be sufficiently unusual in terms of nature or scale so as not to form part of the underlying performance of the business. They are therefore separately identified and excluded from adjusted results (as explained in appendix 2). 2024 2023 Reference £m £m North America Cyber Security goodwill impairment a 31.9 9.8 Fundamental reorganisation costs b 9.4 4.2 Transaction costs associated with disposal of Fox Crypto c 1.6 — Costs associated with strategic review of Escode business d 0.1 3.0 NCC Group A/S goodwill impairment e — 3.0 IPM Escode business deferred revenue adjustment f — (0.6) Profit on disposal of non-core operations g (1.5) (4.7) Total ISIs 41.5 14.7 (a) North America Cyber Security goodwill impairment Following the impairment review of goodwill as at 31 May 2024, an impairment of £31.9m (2023: £9.8m) has been recognised in North America Cyber Security. For further details, please refer to Note 11. (b) Fundamental reorganisation costs In order to implement the next chapter of the Group’s strategy to enhance future growth, certain strategic actions are required including reshaping the Group’s global delivery and operational model. This reshaping is considered a fundamental reorganisation and restructuring programme that will span reporting periods, and the total project size and nature are considered in totality. The programme commencement was accelerated following the Group experiencing specific market conditions that validated the rationale of the next chapter of the Group’s strategy. The programme has three planned phases as follows: • Phase 1 (March–April 2023) – initial reduction in global delivery and operational headcount; c.7% reduction of the Group’s global headcount. • Phase 2 (June–September 2023) – a further reduction in global delivery, operational and corporate functions headcount prior to opening our offshore operations and delivery centre in Manila. • Phase 3 (October 2023–December 2025) – finalisation of the Group’s operating model. Costs of £9.4m (2023: £4.2m) and a cash outflow of £6.0m (2023: £3.4m) have been incurred in relation to the implementation of this reorganisation. These cash outflows consist of severance payments, associated taxes, and professional fees for advisory and legal services. The reorganisation costs include £3.4m related to property rationalisation. This comprises £3.5m (2023: £nil) in property closure impairment charges and £0.4m (2023: £nil) in fixed asset impairment charges, both relating to non-current assets. Additionally, £0.7m (2023: £nil) relates to non-rental provision costs. Offsetting these costs are £0.8m (2023: £nil) in non-current asset impairment reversals and £0.4m (2023: £nil) in provision reversals. These costs and reversals reflect the impact of a reduction in the Group’s global headcount, leading to decreased office utilisation and a re-evaluation of the global property portfolio. It is expected that costs will also be incurred for the year ending 30 September 2025 and the Group will have to exercise judgement in assessing whether the restructuring items should be classified as ISI, this will involve taking into account the nature of the item, cause of occurrence and scale of the impact of those items on the reported performance, resultant benefits and after considering the original reorganisation programme principles and plans. (c) Transaction costs associated with the disposal of Fox Crypto On 1 August 2024, the Group announced the disposal of Fox Crypto B.V. for initial expected gross consideration of €77.3m to CR Group Nordic AB. As at 30 September 2024, the disposal was yet to be finalised, with completion expected in early FY25. As of 30 September 2024, transaction costs of £1.6m were incurred (2023: £nil), which meet the Group’s policy for ISIs as they relate to the disposal of a non-core operation. The expected gain on this disposal will be included within ISIs for the year ending 30 September 2025. NCC Group plc — Annual report and accounts for the period ended 30 September 2024134 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 4 Individually Significant Items (ISI) continued (d) Costs associated with strategic review of Escode business During February 2023, the Group announced its ongoing strategic review of Escode business and of other core and non-core assets. During the period ended 30 September 2024, a number of additional professional fees totalling £0.1m (2023: £3.0m) have been incurred, mainly in respect of advisory services. Such costs meet the Group’s policy for ISIs as they have been incurred as part of the wider restructuring/reorganisation activities that are ongoing within the Group. The Group has now stopped the strategic review of the Escode business. (e) NCC Group A/S goodwill impairment On 1 June 2022, the Group made the decision to reorganise its Danish business (NCC Group A/S) which had previously been a part of the EU Assurance CGU. Following that reorganisation, the cash inflows associated with the Danish business are separately identifiable and therefore the carrying value of the CGU assets were assessed separately for impairment at 31 May 2023. The charge of £nil (2023: £3.0) represented the impairment of goodwill associated with the Danish business following completion of that review. Such costs met the Group’s policy for ISIs as this is a significant one-off event. (f) IPM Software Resilience business deferred revenue adjustment This represents an adjustment to the opening deferred revenue balance in respect of the IPM acquisition in June 2021. During FY24, opening deferred revenue balances on verification tests totalling £nil (2023: £0.6m) have been identified for which the work has not been performed and the statute of limitations has now expired. As the period of hindsight for adjusting goodwill has now expired management has released these amounts to the Income Statement. Given the nature of this release which would typically have been adjusted to goodwill it is considered to meet the definition of an individually significant item and has been classified as such. (g) Profit on disposal of non-core operations On 30 April 2024, the Group disposed of its DetACT business for cash consideration of £8.2m. The profit of £1.6m (2023: £nil) is directly attributable to the disposal of the DetACT business. Please see Note 33 for further details. On 31 December 2022, the Group disposed of its DDI business for a total consideration of £5.8m, consisting of a cash payment of £2.0m and contingent consideration of £3.8m. This disposal resulted in a profit of £nil (2023: £4.7m), directly attributable to the DDI business sale. Further details are available in Note 33. The Group classified these proceeds under ISIs due to the material profit on disposal. During the period, the £3.8m contingent consideration identified in 2023 was received, and a £0.1m reclassification (2023: £nil) related to the final tranche payment was recorded. 5 Expenses and auditor’s remuneration 2024 2023 £m £m Loss before taxation is stated after charging/(crediting): Amounts receivable by auditor and its associates in respect of: Audit of the Parent and consolidated annual Financial Statements 1.6 1.1 Audit of Financial Statements of subsidiaries pursuant to legislation 0.1 0.2 Other assurance services (See Audit Committee Report on page 67 for further information) 0.1 — Total audit 1 1.8 1.3 Amortisation of development costs (Note 11) 1.3 1.2 Amortisation of software costs (Note 11) 2.0 1.2 Amortisation of acquired intangibles (Note 11) 12.5 10.0 Depreciation of property, plant and equipment (Note 12) 5.4 4.5 Depreciation of right-of-use assets (Note 13) 8.1 5.7 Other impairment charge of non-current assets 0.9 1.1 Individually Significant Items (ISIs) (Note 4) 41.5 14.7 Net impairment losses/(gains) on financial and contract assets (Note 16, 23) 0.4 (1.5) Cost of inventories recognised as an expense 0.8 0.6 Foreign exchange losses 1.9 0.6 Research and development UK tax credits (0.5) (0.5) Profit on disposal of right-of-use assets (0.1) (0.7) The impairment charge of non-current assets relates to impairment charges not included within Individually Significant Items. 1 The only non-audit services provided by the auditor were the interim review as of 31 May 2024, for which the fee was £80,000, and access to a generic online accounting manual, for which the fee was £2,000. No interim review was provided in the year ended 31 May 2023, nor fee charged for access to such a manual. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 135 6 Staff numbers and costs Directors’ emoluments are disclosed in the Remuneration Committee Report. Total aggregate emoluments of the Directors in respect of the 16 months period ended 30 September 2024 were £3.4m (2023: £2.3m). Employer contributions to pensions for Executive Directors for qualifying periods were £50,000 (2023: £32,000). The Company provided pension payments in lieu of pension contributions for three (2023: three) Executive Directors during the period ended 30 September 2024 amounting to £38,000 (2023: £32,000). The aggregate net value of share awards granted to the Directors in the period was £3.7m (2023: £1.9m). The net value has been calculated by reference to the closing mid-market price of the Company’s shares on the day before the date of grant. During the period, 5,000 (2023: 98,598) share options were exercised by Directors and their gain on exercise of share options was £5,000 (2023: £13,463). The average monthly number of persons employed by the Group during the period, including Executive Directors, is analysed by category as follows: Number of colleagues 2024 2023 Operational 1,733 1,955 Administration 468 478 Total 2,201 2,433 The aggregate payroll costs of these persons were as follows: 2024 2023 £m £m Wages and salaries 247.4 208.1 Share-based payments (Note 26) 2.3 2.2 Social security costs 25.9 20.3 Other pension costs (Note 30) 8.0 6.3 Total payroll costs 283.6 236.9 7 Finance costs 2024 2023 £m £m Interest payable on bank loans and overdrafts 6.6 4.5 Unamortised underwriting fees associated with old revolving credit facility — 0.6 Interest expense on lease liabilities 1.7 1.1 Finance costs 8.3 6.2 The above finance costs relate entirely to liabilities not at fair value through profit or loss. 8 Taxation Recognised in the Income Statement 2024 2023 £m £m Current tax expense Current period/year 1.6 0.1 Overseas current tax for the period/year 6.0 5.9 Impact of prior year US R&D tax credits (1.8) (1.0) Adjustments in respect of prior periods (2.6) (2.8) Total current tax 3.2 2.2 Deferred tax expense Origination and reversal of temporary differences (1.2) (3.0) Movement in tax rate — (0.2) Impact of prior year US R&D tax credits (0.2) (0.4) Adjustment to tax expense in respect of prior periods 3.2 1.7 Total deferred tax 1.8 (1.9) Total tax expense 5.0 0.3 NCC Group plc — Annual report and accounts for the period ended 30 September 2024136 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 8 Taxation continued Reconciliation of taxation 2024 2023 £m £m Loss before taxation (27.5) (4.3) Current tax using the UK effective corporation tax rate of 25% (2023: 20%) (6.9) (0.9) Effects of: Items not deductible/(taxable) for tax purposes 5.0 2.6 Adjustment to tax charge in respect of prior periods 0.6 (1.1) Impact of prior year US R&D tax credits (2.0) (1.4) Impact of current period/year US R&D tax credits 0.3 (0.3) Differences between overseas tax rates (0.6) 1.0 Movements in temporary differences not recognised 8.6 0.6 Movement in tax rate — (0.2) Total tax expense 5.0 0.3 During the period, a deferred tax asset of £7.1m was generated in North America, which has not been recognised. This reflects an assessment of the recoverability of the Group’s North American deferred tax assets, based on latest available forecasts and expectations of future taxable profits in the region. The decision not to recognise these assets was made in accordance with IAS 12 Income Taxes, which requires that deferred tax assets be recognised only to the extent it is probable that sufficient taxable profits will be available to utilise the deductible temporary differences. As of 30 September 2024, the criteria for recognition were not met. As this derecognition relates to the historical performance of our North American Cyber Security Business, where the recovery in demand has been less consistent than expected, it is directly tied to the goodwill impairment of £31.9m at 31 May 2024 (taken to ISIs, see note 4). The Group has included this adjustment as an adjusted item within the taxation line in the Income Statement. For reconciliation to statutory measures, please see page 50. The UK government introduced legislation in the Finance Bill 2021 to increase the main rate of UK corporation tax from 19% to 25% with effect from 1 April 2023. The legislation was substantively enacted on 24 May 2021 and therefore UK deferred tax balances as at balance sheet date are generally measured at a rate of 25%. Tax uncertainties The tax expense reported for the current period and prior year is affected by certain positions taken by management where there may be uncertainty. The most significant source of uncertainty arises from claims for US R&D tax credits relating to the current and previous periods. Uncertainty relates to the interpretation of US legislation applicable to periods where the statute of limitations has not expired. As at 30 September 2024, the gross cumulative amount of US R&D tax credits amounts to £9.5m (2023: £10.4m) of which a cumulative tax benefit has been recognised of £6.7m (2023: £6.2m). The unrecognised benefit is £2.8m (2023: £4.2m). Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 137 9 Dividends Dividend policy Dividends are the way the Company makes distributions from the Company’s distributable reserves to shareholders. The Board has historically determined the dividend level at each half-year reporting period (i.e. 30 November and 31 May). With the change in the year end, the Board will now decide the dividend level during the new half-year periods (i.e. 31 March and 30 September). If an interim or final dividend is declared, the Company pays the dividend approximately eight weeks after the results announcement. A dividend is paid for each share, with the amount received depending on the number of shares owned. 2024 2023 £m £m Dividends paid and recognised in the period/year 14.5 14.5 Dividends recognised but not paid in the period/year 9.8 — Dividends per share paid and recognised in the period/year 4.65p 4.65p Dividends per share recognised but not paid in the period/year 3.15p — Dividends per share proposed but not recognised in the period/year 1.5p 3.15p The interim dividend of £9.8m which was approved during the period ended 30 September 2024 was paid on 1 October 2024, and therefore included within non-trade payables (see Note 19). The proposed final dividend for the period ended 30 September 2024 of 1.5p per ordinary share was recommended by the Board on 5 December 2024 and will be paid on 4 April 2025, to shareholders on the register at the close of business on 21 February 2025. The ex-dividend date is 20 February 2025. The dividend will be recommended to shareholders at the AGM on 28 January 2025. The dividend has not been included as a liability as at 30 September 2024. The payment of this dividend will not have any tax consequences for the Group. 10 Loss per ordinary share 2024 2023 £m £m Loss for the period/year attributable to owners of the Company (32.5) (4.6) Number Number of shares of shares m m Weighted average number of shares in issue 313.3 311.1 Less: weighted average holdings by Group ESOT (1.6) (0.7) Basic weighted average number of shares in issue 311.7 310.4 Dilutive effect of share options 1.5 0.8 Diluted weighted average shares in issue 313.2 311.2 For the purposes of calculating the dilutive effect of share options, the average market value is based on quoted market prices for the period during which the options are outstanding. Given the Group reported a loss for the period, the diluted EPS does not include the dilutive effect of share options. 2024 2023 Pence Pence Loss per ordinary share Basic (10.4) (1.5) Diluted (10.4) (1.5) NCC Group plc — Annual report and accounts for the period ended 30 September 2024138 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 11 Goodwill and intangible assets Customer Development contracts and Intangibles Goodwill Software costs relationships sub-total Total £m £m £m £m £m £m Cost: At 1 June 2022 322.1 18.7 12.9 176.8 208.4 530.5 Additions — 2.5 0.9 — 3.4 3.4 Disposals (see Note 33) (1.0) — — — — (1.0) Effects of movements in exchange rates 3.5 — — 2.4 2.4 5.9 At 31 May 2023 324.6 21.2 13.8 179.2 214.2 538.8 Additions — 1.4 1.0 0.2 2.6 2.6 Disposals (see Note 33) (5.9) (0.6) (9.9) — (10.5) (16.4) Assets classified as held for sale (51.9) — (2.5) — (2.5) (54.4) Effects of movements in exchange rates (9.6) (0.2) (0.1) (9.4) (9.7) (19.3) At 30 September 2024 257.2 21.8 2.3 170.0 194.1 451.3 Accumulated amortisation and impairment: At 1 June 2022 (56.0) (12.7) (9.8) (67.3) (89.8) (145.8) Charge for year — (1.2) (1.2) (10.0) (12.4) (12.4) Impairment (12.8) (0.6) — — (0.6) (13.4) Effects of movements in exchange rates — — (0.1) (0.4) (0.5) (0.5) At 31 May 2023 (68.8) (14.5) (11.1) (7 7.7) (103.3) (172.1) Charge for year — (2.0) (1.3) (12.5) (15.8) (15.8) Impairment (31.9) — — — — (31.9) Disposals — — 8.8 — 8.8 8.8 Assets classified as held for sale — — 2.4 — 2.4 2.4 Effects of movements in exchange rates — — 0.1 2.9 3.0 3.0 At 30 September 2024 (100.7) (16.5) (1.1) (87.3) (104.9) (205.6) Net book value: At 31 May 2023 255.8 6.7 2.7 101.5 110.9 366.7 At 30 September 2024 156.5 5.3 1.2 82.7 89.2 245.7 The impairment of software of £nil (2023: £0.6m) relates to a specific asset under development which was no longer deemed to be economically viable and therefore development was ceased. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 139 11 Goodwill and intangible assets continued Cash generating units (CGUs) Goodwill and intangible assets are allocated to CGUs in order to be assessed for potential impairment. CGUs are defined by accounting standards as the lowest level of asset groupings that generate separately identifiable cash inflows that are not dependent on other CGUs. The CGUs presented are consistent with the year ended 31 May 2023, with the exception of the reorganisation of the Europe Cyber Security CGU. Please see further discussion below. The CGUs and the allocation of goodwill to those CGUs are shown below: Goodwill Goodwill 2024 2023 Cash generating units £m £m UK Escode 22.8 22.9 North America Escode 80.1 87.2 Europe Escode 7.1 7.4 Total Escode 110.0 117.5 UK and APAC Cyber Security 44.3 44.3 North America Cyber Security — 31.6 Europe Cyber Security 2.2 62.4 Total Cyber Security 46.5 138.3 Total Group 156.5 255.8 Impairment review Goodwill is tested for impairment annually at the level of the CGU to which it is allocated. An impairment review was carried out as at 31 May 2023 and 31 May 2024. Following the Group’s change in year end reporting date, the Group has carried out a further review as at 30 September 2024 which is expected to be applied consistently as the date for the annual impairment review going forward. The recoverable amount of all CGUs was measured on a fair value less costs to sell basis. Capitalised development and software costs are included in the CGU asset bases when performing the impairment review. Capitalised development projects and software intangible assets are also considered, on an asset-by-asset basis, for impairment where there are indicators of impairment. Fair value less costs to sell The methodology described below has been applied consistently for the impairment reviews carried out as at 31 May 2024 and 30 September 2024. The recoverable amount of all CGUs has been determined on a fair value less costs to sell basis for the purposes of the impairment review. The valuation under FVLCTS is expected to exceed the valuation under VIU because uncommitted restructurings and resulting operating efficiencies are not considered within in a VIU valuation in line with the requirements of IAS 36. The FVLCTS valuation for of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA 1 , and applying a reasonable market multiple on the calculated sustainable earnings. Estimated sustainable earnings has been determined taking into account a Board-approved forecast which considers past performance. The sustainable earnings used include expectations based on a market participant view of sustainable performance of the business based on market volatility and uncertainty as at the Balance Sheet date. The sustainable earnings input is a level 3 measurement; level 3 measurements are inputs which are normally unobservable to market participants. The Group incurs certain overhead costs in respect of support services provided centrally to the CGUs. Such support services include Finance, Human Resources, Legal, Information Technology and additional central management support in respect of stewardship and governance. In calculating sustainable earnings these overhead costs have been allocated to the CGUs based on the extent to which each CGU has benefited from the services provided. Commonly this is driven by time spent by the relevant central department in supporting the CGU, informed by headcount or where possible specific cost allocations have been made. The Adjusted EBITDA 1 multiple used in the calculations is based on an independent third party assessment of the implied enterprise value of each CGU based on a population of comparable companies as at the Balance Sheet date. The estimated cost to sell was based on other recent transactions that the Group has undertaken. NCC Group plc — Annual report and accounts for the period ended 30 September 2024140 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 11 Goodwill and intangible assets continued Fair value less costs to sell continued Impairment The Board has assessed the recoverable amount of the North America Cyber Security CGU based on its FVLCTS as at 31 May 2024 as described above. Based on that assessment, the carrying amount of this CGU exceeded its recoverable amount and therefore an impairment loss of £31.9m has been recognised reducing the value of goodwill allocated to this CGU to £nil. This impairment relates to our North American Cyber Security Business, as the recovery in demand is less consistent than expected. This amount has been recognised as an individually significant item (see Note 4). The impairment charge recognised has resulted in a reduction in the carrying value of goodwill only. Sensitivity analysis – impairment The FVLCTS valuation for of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA 1 , and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation include a key assumption regarding a sustainable gross margin percentage for the business. The table below shows the sensitivity of headroom to reasonably possible changes in the key assumptions, by reflecting the additional impairment that would be required from a decrease in gross margin of 0.5 percentage points. This additional impairment would be after the £31.9m impairment in the North America Cyber Security CGU during May 2024. As goodwill has been impaired to £Nil, any further impairment would be applied to other assets allocated to the CGU. Decrease in gross margin of 0.5 percentage points CGU £m North America Cyber Security 2.9 As the goodwill in the North America Cyber Security CGU was fully impaired as at 31 May 2024, no further sensitivity analysis is provided as at 30 September 2024. With the exception of the North American Cyber Security CGU, the Board has not identified reasonably possible changes in the key assumptions that would cause the carrying values of the other CGUs to exceed their respective recoverable amounts. Goodwill reallocation During June 2024, as part of the expected disposal of the Fox Crypto B.V. entity, the Group reorganised its reporting structure to separate out the Fox Crypto B.V. entity from the Europe Cyber Security CGU. On this basis the Europe Cyber Security goodwill has been reallocated between the newly created Fox Crypto CGU and the remaining Europe Cyber Security CGU. Goodwill has been reallocated based on relative values of the two CGUs, but having made adjustment to reflect that the Fox Crypto CGU is less asset-intensive than the remaining Europe Cyber Security CGU. The value of each CGU is based on FVLCTS. For the Fox Crypto CGU the FVLCTS is based on the expected consideration to be received on disposal (see note 18) of this business less estimated selling costs. For the remaining Europe Cyber Security CGU the fair value has been calculated using a methodology consistent with that used in the goodwill impairment review and described above. Based on this assessment, goodwill of £51.9m has been reallocated to the Fox Crypto CGU, leaving £2.2m as reallocated to the EU Cyber Security CGU. Goodwill reallocated to the Fox Crypto CGU has been reclassified to asset held for sale (see note 18). Sensitivity analysis – goodwill reallocation The FVLCTS valuation for of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA 1 , and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation include a key assumption regarding forecast revenue for the business. The table below shows the sensitivity of the goodwill reallocation to reasonably possible changes in the key assumptions, by reflecting the additional goodwill that would be allocated to the Europe Cyber Security CGU from an increase in revenue of 5% with no increased costs. This additional goodwill would be after the allocation of £2.2m of goodwill to the Europe Cyber Security CGU. 5% increase in revenue CGU £m Europe Cyber Security 13.3 1 Adjusted EBITDA is an Alternative Performance Measure (APM) and not an IFRS measure. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 141 12 Property, plant and equipment Fixtures, Computer fittings and Motor equipment equipment vehicles Total £m £m £m £m Cost At 1 June 2022 24.6 19.1 0.1 43.8 Additions 2.7 1.2 — 3.9 Disposals — — (0.1) (0.1) Movement in foreign exchange rates 0.2 0.1 — 0.3 At 31 May 2023 27.5 20.4 — 47.9 Additions 3.8 2.4 — 6.2 Disposals (0.1) (0.2) — (0.3) Assets classified as held for sale (1.1) (1.2) — (2.3) Movement in foreign exchange rates (0.3) (0.2) — (0.5) At 30 September 2024 29.8 21.2 — 51.0 Accumulated depreciation At 1 June 2022 (20.2) (10.6) (0.1) (30.9) Charge for year (2.7) (1.8) — (4.5) On disposals — — 0.1 0.1 Movement in foreign exchange rates (0.1) — — (0.1) At 31 May 2023 (23.0) (12.4) — (35.4) Charge for year (3.4) (2.0) — (5.4) Impairment — (0.4) — (0.4) On disposals 0.1 0.1 — 0.2 Assets classified as held for sale 0.9 0.3 — 1.2 Movement in foreign exchange rates 0.2 0.2 — 0.4 At 30 September 2024 (25.2) (14.2) — (39.4) Net book value At 31 May 2023 4.5 8.0 — 12.5 At 30 September 2024 4.6 7.0 — 11.6 NCC Group plc — Annual report and accounts for the period ended 30 September 2024142 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 13 Right-of-use assets Land and Motor buildings vehicles Total £m £m £m Cost: At 1 June 2022 35.7 4.6 40.3 Additions 2.9 1.4 4.3 Disposals (1.8) — (1.8) Impairment (0.5) — (0.5) At 31 May 2023 36.3 6.0 42.3 Additions 5.2 4.2 9.4 Disposals — (1.7) (1.7) Impairment (3.2) — (3.2) Assets classified as held for sale — (0.4) (0.4) At 30 September 2024 38.3 8.1 46.4 Accumulated depreciation: At 1 June 2022 (14.9) (3.4) (18.3) Charge for year (4.4) (1.3) (5.7) Disposals 0.3 — 0.3 At 31 May 2023 (19.0) (4.7) (23.7) Charge for year (5.6) (2.5) (8.1) Disposals — 1.1 1.1 At 30 September 2024 (24.6) (6.1) (30.7) Net book value: At 31 May 2023 17.3 1.3 18.6 At 30 September 2024 13.7 2.0 15.7 14 Investments Group Group 2024 2023 £m £m Interest in unlisted shares — 0.3 During the year, the Group disposed of its 3.35% shareholding in an unlisted company. The shares were sold for a total consideration of £0.4m. A gain of £0.1m has been recognised within the Income Statement in relation to this disposal. A further potential contingent consideration may be received after three years, subject to specific performance conditions. As this payment is not considered virtually certain at the reporting date, it has not been recognised in the current period’s Financial Statements. If achieved, the maximum additional amount receivable would be £0.2m. In the prior year, the Directors assessed the carrying value of the investment and did not identify any indicators of impairment. Prior to disposal, the Group received annual dividends from the investment; the trading performance and the net assets reported were strong and profitable. 15 Inventories Group Group 2024 2023 £m £m Goods for resale — 0.8 There have been no write-downs of inventory in the period (2023: £nil). The Directors have considered the impact of climate change on inventory, with no material impact identified. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 143 16 Trade and other receivables Group Group Company Company 2024 2023 2024 2023 £m £m £m £m Current Trade receivables 17.3 26.7 — — Prepayments 12.6 10.5 — — Contract costs (see Note 23) 1.2 1.7 — — Other receivables 1.1 2.0 — — Amounts owed by Group undertakings — — — — Non-current Amounts owed by Group undertakings — — 43.1 23.2 Total 32.2 40.9 43.1 23.2 Disclosed as follows: Current assets 32.2 40.9 — — Non-current assets — — 43.1 23.2 32.2 40.9 43.1 23.2 The carrying value of trade and other receivables classified at amortised cost approximates fair value. No credit losses have been recognised in respect of amounts owed by Group undertakings (Parent Company only) in the period (2023: £nil). Amounts owed by Group undertakings in the Parent Company Balance Sheet have been disclosed as repayable after more than one year. Although these are repayable on demand, the disclosure as non-current is based on management’s expectation of the timing of repayment. The ageing of trade receivables and other receivables at the end of the reporting period was: Expected Expected Gross credit losses Net Gross credit losses Net 2024 2024 2024 2023 2023 2023 Group £m £m £m £m £m £m Trade receivables: Not past due 7.5 — 7.5 15.6 (0.1) 15.5 Past due 0–30 days 5.6 — 5.6 6.8 — 6.8 Past due 31–90 days 2.6 — 2.6 4.1 — 4.1 Past due more than 90 days 3.2 (1.6) 1.6 2.2 (1.9) 0.3 18.9 (1.6) 17.3 28.7 (2.0) 26.7 Other receivables: Not past due 1.1 — 1.1 2.0 — 2.0 Total 20.0 (1.6) 18.4 30.7 (2.0) 28.7 The Company had no trade receivables (2023: £nil). The standard period for credit sales varies from 30 days to 60 days. The Group assesses the creditworthiness of all trade debts on an ongoing basis providing for expected credit losses in line with IFRS 9. The Group has considered credit risk rating grades; these are based on the ageing categories above. New customers are subject to stringent credit checks. The movement in the expected credit losses of trade and other receivables (being the credit losses recognised on financial assets, specifically trade receivables) is as follows: Expected credit loss provision £m Balance at 1 June 2022 (3.5) Provision utilised during the year 1.5 Balance at 31 May 2023 (2.0) Provision utilised during the period 0.4 Balance at 30 September 2024 (1.6) NCC Group plc — Annual report and accounts for the period ended 30 September 2024144 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 17 Deferred tax assets and liabilities (Group) Deferred tax assets and liabilities on the Consolidated Balance Sheet are offset in accordance with IAS 12. A summary of this, offset with significant jurisdictions, is shown below: 2024 UK US Netherlands Denmark Total Asset/(liability) £m £m £m £m £m Plant and equipment — — 0.3 — 0.3 Short-term temporary differences 0.5 3.1 — — 3.6 Intangible assets (0.8) (3.1) (0.8) — (4.7) Share-based payments 0.9 — — — 0.9 Tax losses — — — — — Deferred tax (liability)/asset 0.6 — (0.5) — 0.1 Analysed as follows: Non-current assets 0.6 — — — 0.6 Non-current liabilities — — (0.5) — (0.5) 2023 UK US Netherlands Denmark Total Asset/(liability) £m £m £m £m £m Plant and equipment 0.2 (0.3) 0.3 — 0.2 Short-term temporary differences 0.2 8.9 — — 9.1 IFRS 16 assets 0.3 0.2 — — 0.5 Intangible assets (1.4) (7.6) (1.7) — (10.7) Share-based payments 0.3 0.2 — — 0.5 Tax losses 1.7 0.2 — — 1.9 Deferred tax asset/(liability) 1.3 1.6 (1.4) — 1.5 Analysed as follows: Non-current assets 1.3 1.6 — — 2.9 Non-current liabilities — — (1.4) — (1.4) Movement in deferred tax during the period: Recognised 1 June in Income Exchange Recognised 30 September 2023 Statement differences in equity Acquisition 2024 £m £m £m £m £m £m Plant and equipment 0.2 0.1 — — — 0.3 Short-term temporary differences 9.1 (5.7) 0.2 — — 3.6 IFRS 16 assets/(liabilities) 0.5 (0.5) — — — — Intangible assets (10.7) 5.8 0.2 — — (4.7) Share-based payments 0.5 0.4 — — — 0.9 Tax losses 1.9 (1.9) — — — — Total 1.5 (1.8) 0.4 — — 0.1 Recognised 1 June in Income Exchange Recognised 31 May 2022 Statement differences in equity Acquisition 2023 £m £m £m £m £m £m Plant and equipment 0.2 — — — — 0.2 Short-term temporary differences 6.4 2.7 — — — 9.1 IFRS 16 assets/(liabilities) 0.5 — — — — 0.5 Intangible assets (8.8) (1.8) (0.1) — — (10.7) Share-based payments 1.5 (0.9) — (0.1) — 0.5 Tax losses — 1.9 — — — 1.9 Total (0.2) 1.9 (0.1) (0.1) — 1.5 Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 145 17 Deferred tax assets and liabilities (Group) continued In the year ended 31 May 2024, the Group has not recognised a deferred tax asset in relation to tax losses (and certain other North American temporary differences) as management does not consider it probable that future taxable profits will be available against which they may be offset. In the year ended 31 May 2023, the Group recognised a deferred tax asset in relation to tax losses of £1.9m. The Group has not recognised a deferred tax asset on any element of £19.9m (2023: £14.8m) of tax losses carried forward in the United Kingdom (£6.4m), Denmark (£4.2m), Australia (£3.9m), Japan (£0.1m) and United States federal and state (£5.3m) due to current uncertainties over their future recoverability (and in the case of certain United Kingdom/United States losses because of specific legislative restrictions). The Group has not recognised a potential deferred tax asset in relation to short-term temporary differences (and other minor categories) of £25.0m (2023: £nil) in relation to the United States. The unrecognised deferred tax asset on the above deductible temporary differences at 30 September 2024 is £10.9m (£3.5m at 31 May 2023): 2024 2023 £m £m Plant and equipment (0.2) — Short-term temporary differences (6.3) — Share-based payments (0.3) — Tax losses (4.1) (3.5) Total (10.9) (3.5) A deferred tax asset of £2.0m (2023: £1.4m) in respect of R&D tax claims submitted in the United States has been partially provided against due to uncertainty about recoverability; an amount of £1.2m has been provided (2023: £0.8m). No deferred tax liability is recognised on temporary differences of £8.1m (2023: £12.5m) relating to the unremitted earnings of overseas subsidiaries as the Group can control the timing of the reversal of these temporary differences and it is probable that they will not reverse in the foreseeable future. 18 Assets and liabilities held for sale On 1 August 2024, the Group announced the disposal of Fox Crypto B.V. for an initial expected gross consideration of €77.3m to CR Group Nordic AB. As at 30 September 2024, the disposal was yet to be finalised; however, the transaction is expected to complete in early 2025. On this basis, as at 30 September 2024, the sale of this business was considered highly probable and therefore the following assets and liabilities were reclassified as held for sale as at 30 September 2024: 30 September 2024 £m Assets classified as held for sale: Goodwill 51.9 Intangible fixed assets 0.1 Right-of-use assets 0.4 Property, plant and equipment 1.1 Inventories 0.6 Trade and other receivables 4.3 Contract assets 3.1 Total assets classified as held for sale 61.5 Liabilities associated with assets classified as held for sale: Trade and other payables (1.4) Deferred revenue (3.1) Lease liabilities (0.4) Provisions (0.8) Total liabilities associated with assets classified as held for sale (5.7) NCC Group plc — Annual report and accounts for the period ended 30 September 2024146 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 19 Trade and other payables Group Group Company Company 2024 2023 2024 2023 £m £m £m £m Trade payables 4.6 6.3 — — Non-trade payables 17.5 8.6 9.8 — Accruals 24.7 29.8 — — Amounts owed to Group companies — — 0.1 0.2 Total 46.8 44.7 9.9 0.2 The carrying value of trade and other payables classified as financial liabilities measured at amortised cost approximates fair value. 20 Lease liabilities Land and Motor buildings vehicles Total £m £m £m At 1 June 2022 29.1 3.5 32.6 Additions 2.2 1.4 3.6 Disposals (0.2) — (0.2) Lease payments (5.8) (1.3) (7.1) Interest expense 1.0 0.1 1.1 At 31 May 2023 26.3 3.7 30.0 Additions 4.7 4.2 8.9 Disposals — (0.7) (0.7) Lease payments (9.2) (2.7) (11.9) Interest expense 1.3 0.4 1.7 Liabilities classified as held for sale — (0.4) (0.4) At 30 September 2024 23.1 4.5 27.6 Analysed as follows: 2024 2023 £m £m Current 5.7 6.0 Non-current 21.9 24.0 The maturity of lease liabilities is as follows: 2024 2023 £m £m Less than one year 5.7 6.0 Two to five years 16.1 16.7 More than five years 5.8 7.3 Total lease liabilities 27.6 30.0 The total cash outflow for leases in the period was £11.9m (2023: £7.1m), which consists of £10.2m (2023: £6.1m) principal element of lease payments disclosed above, £1.7m (2023: £1.1m) interest element of leases payments and £nil (2023: £nil) lease payments charged to the Income Statement in respect of short-term leases. The Group has used its incremental borrowing rate of 6.35% (2023: 5.8%) as the discount rate for the calculation of the lease liabilities. Some leases contain break clauses or extension options to provide operational flexibility. Potential future undiscounted lease payments not included in the reasonably certain lease term, and hence not included in lease liabilities, total £4.6m (2023: £4.9m). Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 147 21 Provisions Onerous Loss-making property Other contracts costs provisions Total £m £m £m £m Balance as at 31 May 2022 and 1 June 2022 1.8 1.0 0.7 3.5 Provisions created in the year — 0.7 0.3 1.0 Provisions utilised during the year (0.8) (0.3) (0.7) (1.8) Balance as at 31 May 2023 and 1 June 2023 1.0 1.4 0.3 2.7 Provisions created in the period 0.3 3.0 0.1 3.4 Provisions released during the period — (0.2) — (0.2) Provisions utilised during the period (0.5) (1.0) (0.3) (1.8) Transferred to assets held for sale (0.8) — — (0.8) Balance as at 30 September 2024 — 3.2 0.1 3.3 Analysed as follows (2024): Current — 1.3 0.1 1.4 Non-current — 1.9 — 1.9 Analysed as follows (2023): Current 0.6 0.3 0.3 1.2 Non-current 0.4 1.1 — 1.5 The loss-making contracts provision represents the estimated remaining net lifetime loss on long-term development and supply contracts. It was expected in the prior year that these contracts would have been completed in 2024. However, these contracts have faced further delays during the 2024 calendar year (mainly due to ongoing supply chain sourcing) and are now expected to be fully completed in the 2025 calendar year. During the period, revenue has been recognised in relation to these long-term contracts of £0.2m (2023: £0.8m). The onerous property costs provision relates to unused and closed office spaces within the Group’s property portfolio. The onerous property provision of £3.2m (2023: £1.4m) at 30 September 2024 includes £2.0m (2023: £0.9m) of non-rental costs relating to the onerous properties including service charges and insurance and also the estimated costs of disposing or terminating these leases, which includes rent incentives and letting fees. The provision at 30 September 2024 also includes estimated dilapidations liabilities of £1.2m (2023: £0.5m) relating to the Group’s leased premises. Both of these provisions are expected to unwind over the period of the relevant leases (2025–2034). Other provisions of £0.1m (2023: £0.3m) comprise accrued redundancy costs relating to the implementation of the reorganisation detailed in Note 4, to which the Group was committed as of 30 September 2024. These costs are expected to be settled within the year ending 30 September 2025. 22 Contract liabilities – deferred revenue Deferred revenue represents advanced consideration received from customers, for which revenue is recognised over time. Deferred revenue is analysed as follows and is considered a contract liability: Group Group 2024 2023 £m £m Analysed as follows: Current 50.7 51.6 Non-current 2.8 3.3 53.5 54.9 Revenue recognised in the period ended 30 September 2024 that was included in the contract liability at 1 June 2023 amounted to £54.9m (2023: £62.4m). The non-current element is expected to unwind in the year ending 31 May 2025. NCC Group plc — Annual report and accounts for the period ended 30 September 2024148 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 23 Contract assets The following table provides information about receivables, contract assets and contract liabilities from contracts with customers. Group Group 2024 2023 Notes £m £m Receivables, which are included in trade and other receivables 16 17.3 26.7 Contract assets – accrued income 20.1 17.2 Contract costs – costs to obtain 16 1.2 1.7 Contract liabilities – deferred revenue 22 (53.5) (54.9) The Group has recognised £20.1m of contract assets (2023: £17.2m). All contract assets for the current period and the comparative year are presented within current assets. The ageing of contract assets at the end of the reporting period was: Expected Expected Gross credit losses Net Gross credit losses Net 2024 2024 2024 2023 2023 2023 Group £m £m £m £m £m £m Contract assets: Not past due 21.1 (1.0) 20.1 17.4 (0.2) 17.2 Total 21.1 (1.0) 20.1 17.4 (0.2) 17.2 The movement in the expected credit losses of contract assets (being the credit losses recognised on financial assets, specifically contract assets) is as follows: Expected credit loss provision £m Balance at 1 June 2022 (0.2) Charged to the Income Statement — Balance at 31 May 2023 (0.2) Provision created during the period (0.8) Balance at 30 September 2024 (1.0) Accrued income of £20.1m (2023: £17.2m) is the Group’s rights to consideration for work completed but not billed at the reporting date. The contract assets accrued in the prior year of £17.2m were fully recognised as trade receivables during the period ended 30 September 2024. Therefore the balances as at 30 September 2024 were fully accrued during the period and will be transferred to receivables when the rights become unconditional. Expected credit losses of £1.0m (2023: £0.2m) have been recognised in respect of contract assets. The contract assets are transferred to receivables when the rights become unconditional. This usually occurs when the Group issues an invoice to the customer. Invoices usually become payable within 30 days. The contract costs to obtain of £1.2m (2023: £1.7m) represent incremental sales commissions to obtain specific contracts and are amortised over the length of the contract. During the period, contract assets of £20.1m (2023: £17.2m) have been reclassified from trade and other receivables. The contract costs to fulfil represent recoverable costs relating to future performance obligations and economic benefits to the customer in relation to an onerous contract. Contract liabilities primarily relate to advanced consideration received from customers, for which revenue is recognised over time in line with the respective performance obligation. See note 3 for information regarding the remaining performance obligations as of 30 September 2024 and 31 May 2023. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 149 24 Cash and cash equivalents and borrowings Cash and cash equivalents Cash and cash equivalents comprise: Group Group Company Company 2024 2023 2024 2023 £m £m £m £m Cash and cash equivalents 29.8 34.1 9.8 15.0 Bank overdraft (13.6) (1.8) — — Total cash at bank and in hand 16.2 32.3 9.8 15.0 Borrowings are analysed as follows: Group Group Company Company 2024 2023 2024 2023 Maturity £m £m £m £m Non-current liabilities: Revolving credit facility 2026 61.5 81.9 — — Total borrowings 61.5 81.9 — — The maturity profile is as follows: Group Group Company Company 2024 2023 2024 2023 £m £m £m £m Two to five years 61.5 81.9 — — The RCF is drawn in short to medium-term tranches of debt that are repayable within 12 months of drawdown. These tranches can be rolled over, provided certain conditions are met, including compliance with all loan terms. As at the period end, the Group has assessed its compliance with these conditions and considers it highly likely that it will continue to meet all requirements and be able to exercise its right to roll over the debt. Therefore, the Directors believe the Group has both the ability and the intent to roll over the drawn RCF amounts when due and, consequently, has presented the RCF as a non-current liability. In December 2022, the Group entered into a four year £162.5m multi-currency revolving credit facility replacing the previous £100m multi-currency revolving credit facility and the remaining $46.7m of the original $70m term loan that was maturing in June 2024. Key terms of the facility are: • £162.5m multi-currency revolving credit facility maturing in December 2026 • Additional £75m uncommitted accordion option, subject to bank approval • Increase to leverage covenant from 2.5x to 3.0x with an additional acquisition spike to 3.5x for the first 12 months of any acquisition • The bank margin is lower and payable on a ratchet mechanism, with a margin payable above SONIA and SOFR in the range of 1.00% to 2.25% depending on the level of the Group’s leverage. The weighted average interest rate is 6.21% for the period ended 30 September 2024 (2023: 5.92%) • The new facility was considered an extinguishment of the previous RCF and Term Loan Facility Agreement and therefore remaining arrangement fees of £0.6m were charged to the Income Statement during the year ended 31 May 2023. As at 31 May 2023, new arrangement fees of £1.7m will be amortised over the new four year term to December 2026. Arrangement fees of £0.6m (2023: £0.4m) have been charged to the Income Statement in the period ended 30 September 2024 • Certain subsidiaries of the Group act as guarantors to the new facility to provide coverage based on aggregate Adjusted EBITDA 1 and gross assets As at 30 September 2024, the Group had committed bank facilities of £162.5m (2023: £162.5m), of which £62.4m (2023: £83.4m) had been drawn, leaving £100.1m (2023: £79.1m) of undrawn facilities. Unamortised arrangement fees of £0.9m (2023: £1.5m) have been offset against the amounts drawn down, resulting in a carrying value of borrowings at 30 September 2024 of £61.5m (2023: £81.9m). The fair value of borrowings is not materially different to its amortised cost. 1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. NCC Group plc — Annual report and accounts for the period ended 30 September 2024150 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 25 Financial instruments Loans and borrowings Group Group Company Company 2024 2023 2024 2023 £m £m £m £m Non-current Variable rate: Revolving credit facility (61.5) (81.9) — — Total loans and borrowings (excluding lease liabilities) (61.5) (81.9) — — Current Cash 29.8 34.1 9.8 15.0 Bank overdraft (13.6) (1.8) — — Net (debt)/cash (excluding lease liabilities) 1 (45.3) (49.6) 9.8 15.0 Non-current Lease liabilities (21.9) (24.0) — — Current Lease liabilities (5.7) (6.0) — — Net (debt)/cash 1 (72.9) (79.6) 9.8 15.0 Lease liabilities of £0.4m classified as held for sale in Note 18 have been excluded from the net debt calculation. Reconciliation of movements in liabilities to cash flows arising from financing activities 2024 2023 Group £m £m Revolving credit facility/bank term loan: Drawdown on facility 57.8 70.8 Repayment of facility (75.0) (115.6) Transaction costs — (1.7) Release of deferred arrangement fees 0.6 1.0 Foreign exchange movement (3.8) 1.8 Movement in borrowings (20.4) (43.7) IFRS 16 lease liability: New leases entered into 8.9 3.6 Disposals (0.7) (0.2) Principal element of lease payments (10.2) (6.0) Lease liabilities held for sale (see Note 18) (0.4) — Movement in lease liabilities (2.4) (2.6) Financial risk management The Group has exposure to the following risks from its use of financial instruments: • Credit risk • Liquidity risk • Currency risk • Interest rate risk The Board has overall responsibility for establishing appropriate management of exposure to risk. The Audit Committee oversees how management identifies and addresses risks to the Group. 1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 151 25 Financial instruments continued Capital management The Board’s policy is to maintain a strong capital base so as to maintain investor, creditor and market confidence and to sustain future development of the business. The Group monitors capital on the basis of the gearing ratio. This ratio is calculated as net (debt)/cash 1 divided by total capital. Net (debt)/cash 1 is calculated as total borrowings as shown in the Consolidated Balance Sheet, less cash and cash equivalents. Total capital is calculated as equity, as shown in the Consolidated Balance Sheet, plus net debt 1 . As at 30 September 2024 the Group’s gearing ratio was 17.8% (2023: 15.1%). Financial instruments policy All instruments utilised by the Company and Group are for financing purposes. The financial management and treasury activities of the Group are controlled centrally for all operations with local finance teams responsible for day-to-day banking activities. Fair value of financial instruments As at 30 September 2024, the Group and Company had no other financial instruments other than those disclosed below. In addition, no embedded derivatives have been identified. There have been no transfers between levels in the period. The following table presents the Group’s financial assets and liabilities that are measured at fair value by level of fair value hierarchy: • Quoted prices (unadjusted) in active markets for identical assets or liabilities (level 1) • Inputs other than quoted prices included within level 1 that are observable for the asset or liability, either directly (that is, as prices) or indirectly (that is, derived from prices) (level 2) • Inputs for the asset or liability that are not based on observable market data (unobservable inputs) (level 3) Borrowings are held at amortised cost, which is considered to equate to fair value. All other assets and liabilities are held at either fair value or their carrying value, which approximates to fair value. 2024 2023 Level 1 Level 2 Level 3 Level 1 Level 2 Level 3 £m £m £m £m £m £m Financial liabilities at fair value through profit or loss — 0.8 — — 0.6 — Total financial instruments — 0.8 — — 0.6 — At 30 September 2024, the Group holds derivatives with a mark to market valuation of £0.8m (2023: £0.6m) to mitigate currency risk, as described in Note 25. Credit risk Credit risk is the risk of financial loss to the Group if a customer or counterparty to a financial instrument fails to meet its contractual obligations and arises principally from the Group’s receivables from customers. The Group’s exposure to credit risk is influenced mainly by the individual characteristics of each customer. Exposure to credit risk The carrying value of financial assets represents the maximum credit exposure. The maximum exposure to credit risk at the reporting date was: Restated * Group Group Company Company 2024 2023 2024 2023 £m £m £m £m Trade receivables 17.3 26.7 — — Other receivables 1.1 2.0 — — Amounts owed by Group undertakings — — 43.1 23.2 Contract assets 20.1 17.2 — — Contingent consideration receivable — 3.8 — — Cash and cash equivalents 29.8 34.1 9.8 15.0 Total 68.3 83.8 52.9 38.2 * To better analyse the Company’s exposure to credit risk, amounts owed by Group undertakings of £43.1m (2023: £23.2m) have been included within the above table. 1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. NCC Group plc — Annual report and accounts for the period ended 30 September 2024152 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 25 Financial instruments continued Exposure to credit risk continued The maximum exposure to credit risk for trade receivables and other receivables at the reporting date by geographic region was: Group Group Company Company 2024 2023 2024 2023 Trade and other receivables by geographical segment £m £m £m £m UK 8.0 14.6 — — APAC 1.1 1.2 — — North America 4.9 6.3 — — Europe 4.4 6.6 — — Total 18.4 28.7 — — The maximum exposure to credit risk for trade and other receivables at the reporting date by business segment was: Group Group Company Company 2024 2023 2024 2023 Trade and other receivables by business segment £m £m £m £m Cyber Security 15.7 25.1 — — Escode 2.5 1.8 — — Central and head office 0.2 1.8 — — Total 18.4 28.7 — — The trade receivables of the Group typically comprise many amounts due from a large number of customers and represent a spread of industry sectors. The largest amount due from a single customer at the reporting date represented 2.5% (2023: 3.1%) of total Group receivables. All of the Group’s cash is held with financial institutions of high credit rating. The provisions in respect of trade receivables are used to record expected credit losses. The Group has dedicated credit control teams, which regularly review customer debt balances to assess the risk of recovery. Liquidity risk Liquidity risk is the risk that the Group will not be able to meet its financial obligations as they fall due. The Group manages and minimises liquidity risk by using global cash management solutions and actively monitoring both actual and projected cash outflows to ensure that it will have sufficient liquidity to meet its liabilities when due and have headroom to provide against unforeseen obligations. Longer term, the Group has assessed its liquidity forecast as part of the viability assessment and its ability to continue trading as a going concern. For further detail on the Group’s assessment of liquidity risk refer to the Viability Statement on page 39. The following are the undiscounted contractual maturities of financial liabilities, including interest payments, of the Group: Carrying Contractual 1–2 2-5 5+ amount cash flows <1 year years years years At 30 September 2024 £m £m £m £m £m £m Borrowings (61.5) (73.9) (3.8) (3.8) (66.3) — Bank overdraft (13.6) (13.6) (13.6) — — — Lease liabilities (27.6) (32.5) (8.0) (6.6) (13.6) (4.3) Trade and other payables (46.8) (46.8) (46.8) — — — Carrying Contractual 1–2 2+ 5+ amount cash flows <1 year years years years At 31 May 2023 £m £m £m £m £m £m Borrowings (81.9) (98.0) (4.9) (4.9) (88.2) — Bank overdraft (1.8) (1.8) (1.8) — — — Contingent consideration payable (1.0) (1.0) (1.0) — — — Lease liabilities (30.0) (33.6) (6.9) (6.1) (12.6) (8.0) Trade and other payables (44.7) (44.7) (44.7) — — — The contractual cash flows for borrowings disclosed above relate to the Group’s RCF facility for the period ended 30 September 2024, which expires in December 2026, and in the prior year includes the Term Loan Facility Agreement that was due to expire in June 2024. The contractual cash flows include an estimate of the interest payable based on the assumption that the borrowings remain drawn based upon 30 September 2024 levels, except that the term loan which existed at 31 May 2023, is repayable over its term. Interest is calculated based on SONIA/SOFR plus a margin based on the current leverage ratio. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 153 25 Financial instruments continued Currency risk The Group is exposed to currency risk on sales, purchases, cash and borrowings that are denominated in a currency other than the respective functional and presentational currency of the Group. The Group’s management reviews the size and probable timing of settlement of all financial assets and liabilities denominated in foreign currencies. The Group’s exposure to currency risk is as follows: 2024 2023 Sterling EUR USD Other Total Sterling EUR USD Other Total £m £m £m £m £m £m £m £m £m £m Trade receivables 7.6 2.0 7.4 0.3 17.3 11.0 7.0 7.1 1.6 26.7 Other receivables 1.1 — — — 1.1 2.0 — — — 2.0 Contract assets 7.9 3.4 6.5 2.3 20.1 5.5 3.9 6.7 1.1 17.2 Cash and cash equivalents 18.0 4.1 4.5 3.2 29.8 17.0 5.0 9.4 2.7 34.1 Bank overdraft (11.9) — (1.7) — (13.6) (1.8) — — — (1.8) Borrowings (19.0) — (42.5) — (61.5) (18.6) — (63.3) — (81.9) Lease liabilities (16.0) (3.2) (4.9) (3.5) (27.6) (19.6) (2.0) (6.7) (1.7) (30.0) Trade and other payables (32.7) (3.9) (7.6) (2.6) (46.8) (31.8) (9.2) (1.6) (2.1) (44.7) Total (45.0) 2.4 (38.3) (0.3) (81.2) (36.3) 4.7 (48.4) 1.6 (78.4) A 10% change in each of the respective exchange rates utilised during the period would impact revenue by £23.6m (2023: £20.3m) and borrowings by £4.3m (2023: £6.3m), either increasing or decreasing each by the stated amounts. The Group’s Risk Management Policy is to hedge foreign currency exposure in respect of significant material transactions that may arise from time to time. No such hedges were in place at 31 May 2023 or at 30 September 2024. In order to manage shorter-term currency risk, the Group enters into short-term derivative arrangements. The Group designates the spot element of forward foreign exchange contracts to hedge its currency risk and applies a hedge ratio of 1:1. The forward elements of forward exchange contracts are excluded from the designation of the hedging instrument and are separately accounted for as a cost of hedging, which is recognised in equity in a cost of hedging reserve. The Group’s policy is for the critical terms of the forward exchange contracts to align with the hedged item. The Group determines the existence of an economic relationship between the hedging instrument and hedged item based on the currency, amount and timing of their respective cash flows. Given the short-term nature of these hedges there is limited risk of ineffectiveness. Interest rate risk The Group and Company finance their operations through a combination of retained profits and bank borrowings. The Group borrows and invests surplus cash at floating rates of interest based upon bank base rate. The cash and cash equivalents of the Group and Company at the end of the financial year were as follows: 2024 2023 Group £m £m Sterling denominated financial assets 18.0 17.0 Euro denominated financial assets 4.1 5.0 US Dollar denominated financial assets 4.5 9.4 Other denominated financial assets 3.2 2.7 Total 29.8 34.1 The financial assets and liabilities of the Company at the end of the financial year were as follows: 2024 2023 Company £m £m Financial assets Sterling denominated financial assets 9.8 15.0 Amounts owed by Group undertakings 43.1 23.2 Total 52.9 38.2 Financial liabilities Sterling denominated financial liabilities 9.8 — Amounts owed to Group undertakings 0.1 0.2 Total 9.9 0.2 A change of 1% basis points in interest rates would result in a difference in annual pre-tax profit of £0.6m (2023: £0.9m). NCC Group plc — Annual report and accounts for the period ended 30 September 2024154 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 25 Financial instruments continued Interest rate risk continued The financial liabilities of the Group (trade and other payables, borrowings and lease liabilities) and their maturity profile are as follows: 2024 2023 Sterling EUR USD Other Total Sterling EUR USD Other Total £m £m £m £m £m £m £m £m £m £m Less than one year (34.9) (5.0) (9.1) (3.4) (52.4) (36.6) (10.3) (3.0) (2.6) (52.5) Two to five years (28.6) (2.1) (46.0) (2.8) (79.5) (28.1) (0.9) (68.4) (1.2) (98.6) More than five years (4.0) — — — (4.0) (7.2) — (0.1) — (7.3) Total (67.5) (7.1) (55.1) (6.2) (135.9) (71.9) (11.2) (71.5) (3.8) (158.4) 26 Share-based payments The Company has a number of share option schemes under which options to subscribe for the Company’s shares have been granted to Directors and colleagues, details of which are illustrated in the tables below. Expected term of options represents the period over which the fair value calculations are based. The share-based payment charge for the period was £2.3m (2023: £2.2m) of which £2.3m (2023: £2.2m) related to equity settled payments and £nil (2023: £nil) to cash settled payments. Company Share Option (CSOP) scheme – equity settled Under the CSOP scheme, options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum. Options granted in September 2019 do not have any performance criteria. 2024 Expected term Exercisable Exercise Number Date of grant of options between price outstanding August 2018 7 years August 2021–August 2028 £2.20 — September 2019 7 years September 2022–September 2029 £1.79 161,998 Sharesave schemes – equity settled The Company operates Sharesave schemes, which are available to all colleagues based in the UK, the Netherlands, Denmark, Spain and Australia, and full-time Executive Directors of the Group and its subsidiaries who have worked for a qualifying period. 2024 Expected term Exercisable Exercise Number Date of grant of options between price outstanding March 2020 3 years May 2023–October 2023 £1.84 — March 2020 3 years May 2023–October 2023 £1.84 — May 2021 3 years May 2024–October 2024 £2.15 78,406 May 2021 3 years May 2024–October 2024 £2.15 137,171 May 2022 3 years May 2025–October 2025 £1.52 219,962 May 2022 3 years May 2025–October 2025 £1.52 273,634 May 2023 3 years June 2026–November 2026 £1.26 165,320 May 2023 3 years June 2026–November 2026 £1.26 388,754 May 2024 3 years June 2027–November 2027 £0.99 348,786 May 2024 3 years June 2027–November 2027 £0.99 1,529,982 Colleague stock (ESPP) purchase plan – equity settled The Company operates a stock purchase plan, which is available to all US-based colleagues who have worked for a qualifying period. All options are to be settled by equity. Under the scheme the following options have been granted and are outstanding at period end. 2024 Expected term Exercise Number Date of grant of options Exercisable in price outstanding May 2023 1 year May 2024 £1.26 — May 2024 1 year May 2025 £1.09 360,960 Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 155 26 Share-based payments continued Incentive Stock Option (ISO) scheme – equity settled Under the ISO scheme, options granted will be subject to performance criteria. Options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum. 2024 Expected term Exercisable Exercise Number Date of grant of options between price outstanding September 2019 7 years September 2022–September 2029 £1.82 21,976 Long Term Incentive Plan (LTIP) schemes – equity settled Options granted between November 2017 to May 2021 have three separate vesting conditions as set out below: • 60% will vest based on achieving an average increase in Group EPS of 20% or more over a three year period. If growth is equal to an average of 9% (threshold), then 12% of the award will vest. If, however, growth is less than 9%, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 30% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion 1 is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. Options granted in November 2021 have three separate vesting conditions as set out below: • 60% will vest based on achieving an average increase in Group EPS of 22.5% or more over a three year period. If growth is equal to an average of 9% (threshold), then 15% of the award will vest. If, however, growth is less than 9% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 30% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion 1 is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. Options granted between October 2022 and November 2022 have three separate vesting conditions as set out below: • 60% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 20% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. Options granted between October 2023 and February 2024 have three separate vesting conditions as set out below: • 40% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 40% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. NCC Group plc — Annual report and accounts for the period ended 30 September 2024156 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 26 Share-based payments continued Long Term Investment Plan (LTIP) schemes – equity settled continued Options granted during or after June 2024 have three separate vesting conditions as set out below: • 30% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 50% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. 2024 Expected term Exercisable Exercise Number Date of grant of options between price outstanding September 2019 3 years June 2022–August 2023 £nil — March 2020 3 years June 2022–August 2024 £nil — May 2021 3 years June 2023–August 2025 £nil — November 2021 3 years June 2024–November 2031 £nil 529,259 October 2022 3 years October 2025–October 2032 £nil 683,559 November 2022 3 years November 2025–November 2032 £nil 113,521 October 2023 3 years October 2026–October 2033 £nil 1,926,725 February 2024 3 years February 2027–February 2034 £nil 98,988 June 2024 3 years October 2027–June 2034 £nil 3,659,199 Restricted State Unit (RSU) schemes – equity settled Options granted related to the RSU schemes on or after August 2018 have three separate vesting conditions as set out below: • 60% will vest based on achieving an average increase in Group EPS of 20% or more over a three year period. If growth is equal to an average of 9% (threshold), then 12% of the award will vest. If, however, growth is less than 9%, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 30% will vest based on achieving a cash conversion ratio ¹ expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion ¹ is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis. • 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis. The options are to be settled in equity. 2024 Expected term Exercisable Exercise Number Date of grant of options between price outstanding May 2021 3 years June 2023–August 2023 £0.01 — Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 157 26 Share-based payments continued Restricted Share Plan (RSP) – equity settled The vesting condition for the award of RSPs relates to colleagues remaining with the Group for a certain period of time, namely two years to receive 50% of the award, and a further year to receive the remaining 50%. There are no other performance conditions. 2024 Expected term Exercisable Exercise Number Date of grant of options between price outstanding May 2021 2/3 years 50% exercisable August 2022 to August 2031, £nil (£0.01 in the 36,500 50% exercisable August 2023 to August 2031 US and Canada) November 2021 2/3 years 50% exercisable October 2023 to August 2032, £nil (£0.01 in the 434,381 50% exercisable October 2024 to August 2032 US and Canada) October 2022 2/3 years 50% exercisable October 2024 to October 2032, £nil (£0.01 in the 546,672 50% exercisable October 2025 to October 2032 US and Canada) November 2022 2/3 years 50% exercisable November 2024 to November 2032, £nil (£0.01 in the 30,272 50% exercisable November 2025 to November 2032 US and Canada) October 2023 2/3 years 50% exercisable September 2025 to September 2033, £nil (£0.01 in the 1,571,352 50% exercisable September 2026 to September 2033 US and Canada) February 2024 2/3 years 50% exercisable February 2026 to February 2034, £nil (£0.01 in the 56,619 50% exercisable February 2027 to February 2034 US and Canada) Deferred share scheme – equity settled At least 35% of any cash bonus payment is normally deferred into shares or nominal cost share options which vest after a two year period. Dividend equivalents are paid on vesting share options. 2024 Expected term Exercise Number Date of grant of options Exercisable in price outstanding October 2021 2 years October 2023 £nil — October 2022 2 years October 2024 £nil — October 2023 2 years October 2025 £nil 12,207 August 2024 2 years August 2026 £nil 174,434 Phantom schemes – cash settled Phantom schemes are used to allow the grant of LTIPs or RSPs to members of the Executive Committee or other senior colleagues based in certain overseas locations at a time when the Group’s option scheme rules were not structured to allow overseas grants. Options granted on or after September 2019 do not have any performance criteria. 2024 Expected term Exercisable Exercise Number Date of grant of options between price outstanding September 2019 3 years September 2022–September 2023 £nil — July 2021 3 years August 2022–July 2031 £nil 1,500 November 2021 3 years October 2023–November 2031 £nil — Measurement of fair values The fair value of services received in return for share options is calculated with reference to the fair value of the award on the date of grant. The fair value is spread over the period during which the colleague becomes unconditionally entitled to the award, adjusted to reflect actual and expected levels of vesting. The assumptions used in the models are illustrated in the tables below: Expected Option Risk free Scheme Grant date volatility expected term interest rate CSOP scheme August 2018–September 2019 48.0%–52.8% 7 years 0.35%–2.00% Sharesave scheme March 2020–May 2024 37.6%–55.7% 3 years 0.13%–4.63% ESPP scheme May 2023–May 2024 53.9%–55.7% 1 year 1.15%–4.63% Special Award (CEO) September 2022 n/a 2 years n/a ISO scheme September 2019 77.0% 7 years 0.38% LTIP scheme September 2019–June 2024 37.4% 3 years 0.21% RSU scheme May 2021 42.3% 3 years 0.32% RSP scheme May 2021–February 2024 n/a 10 years n/a Deferred shares October 2023–August 2024 n/a 2 years n/a Phantom schemes September 2019–November 2021 53.8% 3 years 2.2% NCC Group plc — Annual report and accounts for the period ended 30 September 2024158 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 26 Share-based payments continued Measurement of fair values continued Weighted average Weighted average Fair value at fair value at Exercise exercise value at Scheme Grant date measurement date measurement date price measurement date CSOP scheme August 2018–September 2019 £0.55–£0.63 £0.55 £1.79–£2.09 £1.80 Sharesave scheme March 2019–May 2024 £0.39–£0.86 £0.54 £0.99–£2.15 £1.20 ESPP scheme May 2023–May 2024 £0.30–£0.37 £0.37 £1.09–£1.26 £1.09 Special Award (CEO) September 2022 £2.30 £nil £nil £nil ISO scheme September 2019 £0.54 £0.54 £1.82 £1.82 LTIP scheme September 2019–June 2024 £0.90–£2.31 £1.38 £nil £nil RSU scheme May 2021 £2.87 £2.87 £0.01 £0.01 RSP scheme May 2021–February 2024 £0.90–£2.85 £1.40 £nil £nil Deferred shares October 2021–August 2024 £1.11–£1.55 £1.52 £nil £nil Phantom schemes July 2021 £2.87 £2.87 £nil £nil The expected volatility has been based on an evaluation of the historical volatility of the Company’s share price, particularly over the historical period commensurate with the expected term. The expected term of the instruments has been based on historical experience and general option holder behaviour. For the options granted in the period ended 30 September 2024, dividend yield assumed at the time of option grant is 4.52% (2023: 1.75%). Reconciliation of outstanding share options The options outstanding at 30 September 2024 have an exercise price in the range of £nil to £2.15 (2023: £nil to £2.15) and a weighted average contractual life of seven years (2023 * : six years). * Restated based on expiry date, previously three years. The following table illustrates the number and weighted average exercise prices (WAEP) of, and movements in, outstanding share awards during the period: 2024 2023 Number 2024 Number 2023 ’000 WAEP ’000 WAEP Outstanding at beginning of period/year 11,220 £0.61 11,431 £0.68 Granted during the period/year 10,474 £0.23 5,114 £0.55 Exercised during the period/year (2,049) £0.23 (1,488) £0.10 Forfeited in the period/year (6,083) £0.70 (3,837) £0.96 Outstanding at end of period/year 13,562 £0.33 11,220 £0.61 Exercisable at end of period/year 1,690 £0.48 1,598 £1.00 Number of Number of Instruments instruments instruments granted Options as at as at during exercised in Forfeitures 30 September Scheme 1 June 2023 the period the period in the period 2024 CSOP schemes 284,898 — — (122,900) 161,998 Sharesave/SAYE schemes 3,512,804 2,058,142 — (2,428,931) 3,142,015 ESPP schemes 604,321 360,960 (363,014) (241,307) 360,960 Special Award 222,222 — (222,222) — — ISO schemes 49,446 — — (27,470) 21,976 LTIP schemes 3,239,193 5,867,593 (357,806) (1,737,729) 7,011,251 RSU schemes 138,554 — (41,565) (96,989) — RSP scheme 3,023,704 1,993,719 (942,805) (1,398,822) 2,675,796 Deferred shares 91,616 193,137 (98,112) — 186,641 Phantom schemes 53,345 — (23,250) (28,595) 1,500 11,220,103 10,473,551 (2,048,774) (6,082,743) 13,562,137 The liability for cash settled share-based payments at 30 September 2024 was £nil (2023: £nil). Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 159 27 Called up share capital and reserves 2024 2023 Number Number 2024 2023 Allotted, called up and fully paid of shares of shares £m £m Ordinary shares of 1p each at the beginning of the period/year 312,128,892 309,967,243 3.1 3.1 Ordinary shares of 1p each issued in the period/year 2,395,738 2,161,649 — — Ordinary shares of 1p each at the end of the period/year 314,524,630 312,128,892 3.1 3.1 During the period, 2,395,738 (2023: 2,161,649) new ordinary shares of 1p were issued as a result of the exercise of share options. The proceeds of £0.3m (2023: £0.1m) were credited to the share premium account. As at 30 September 2024, 5,158,090 shares were held in treasury (2023: 868,800). Share premium The share premium account records the difference between the nominal amount of shares issued and the fair value of the consideration received. The share premium account may be used for certain purposes specified by UK law, including to write off expenses incurred on any issue of shares and to pay fully paid bonus shares. The share premium account is not distributable but may be reduced by special resolution of the Company’s ordinary shareholders and with court approval. Merger reserve The merger reserve arose in 2015 from the acquisition of Accumuli plc through a share-for-share exchange in part consideration for the business. Currency translation reserve The results of overseas operations are translated at the average foreign exchange rates for the period, and their balance sheets are translated at the rates prevailing at the Balance Sheet date. Exchange differences arising on the translation of opening net assets and results of overseas operations are recognised in the currency translation reserve. All other exchange differences are included in the Income Statement. Retained earnings Retained earnings for the Group are made up of accumulated reserves. For the Company, retained earnings are made up of accumulated reserves. 28 Other financial commitments At the end of the reporting period, the Group had no other financial commitments (2023: £nil). 29 Contingencies There are no contingent liabilities not provided for at the end of the financial year (2023: £nil). Similarly, there are no contingent assets (2023: £nil). The Company and its subsidiaries are party to cross guarantees securing certain bank loans. At 30 September 2024, there was no material impact that could arise for the Company from these cross guarantees. 30 Pension scheme The Group operates a defined contribution pension scheme that is open to all eligible colleagues. The pension cost charge for the period represents contributions payable by the Group to the fund and amounted to £8.0m (2023: £6.3m). For the Company, the pension cost charge for the period represents contributions payable by the Company to the fund and amounted to £nil (2023: £nil). 31 Related party transactions Management has defined related party transactions as those involving key management personnel only. Key management personnel have been assessed to be the Group’s Board of Directors. During the period ended 30 September 2024 there were nine (2023: nine) key management personnel. Disclosures relating to remuneration of Directors are set out in the Remuneration Report on pages 81 to 100. The remuneration of the key management personnel is set out below: Group Group Company Company 2024 2023 2024 2023 £m £m £m £m Salary costs (including bonus) 2.7 1.8 — — Social security costs 0.4 0.3 — — Post-employment benefits — — — — Share-based payments 0.3 0.2 — — Total 3.4 2.3 — — There were no other related party transactions identified during the period. The amount of gains made by Directors on the exercise of share options is disclosed in the Remuneration Report on page 86. NCC Group plc — Annual report and accounts for the period ended 30 September 2024160 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 32 Investments in subsidiary undertakings Shares in Group undertakings Company £m At 1 June 2022 276.9 Increase in subsidiary investment for share-based charges 2.2 At 31 May 2023 279.1 Increase in subsidiary investment for share-based charges 2.3 Increase in subsidiary investment for below market value loan arrangement 9.7 At 30 September 2024 291.1 In accordance with IAS 36 ‘Impairment of Assets’, management annually reviews the carrying value of investments to ensure that it does not exceed the recoverable amount. The investment in subsidiary undertakings is held against the Company’s direct subsidiary NCC Group Holdings Limited. In performing this assessment, management considered external market factors, such as the Group’s market capitalisation and internal factors, such as the results of the Group’s annual goodwill impairment review. As of the reporting date, no indicators of impairment were noted. The increase in subsidiary investment for share-based charges represents IFRS 2 ‘Share-based Payments’ charges in respect of subsidiaries which will not be recharged. Fixed asset investments are recognised at cost. The undertakings in which the Company has a 100% interest at 30 September 2024 are as follows: Subsidiary undertakings Country of incorporation Principal activity Registered office NCC Group Holdings Limited England and Wales Holding company XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ (XYZ 1 ) NCC Group (Solutions) Limited England and Wales Holding company XYZ 1 NCC Group Corporate Limited England and Wales Corporate cost centre XYZ 1 NCC Group Finance Limited England and Wales Financing company XYZ 1 The National Computing Centre Limited England and Wales Dormant XYZ 1 NCC Group Software Resilience Limited England and Wales Holding company XYZ 1 NCC Group Software Resilience (UK) Limited England and Wales Holding company XYZ 1 NCC Services Limited England and Wales Escode XYZ 1 NCC Group Escrow Limited England and Wales Dormant XYZ 1 NCC Group Software Resilience (Europe) B.V. Netherlands Holding company Barbara Strozzilaan 201, 1083HN Amsterdam, Netherlands NCC Group GmbH Germany Escode c/o Deloitte Legal Rechtsanwaltsgesellschaft mbH, Rosenheimer Platz 6, 81669, Munich, Bavaria, Germany NCC Group Deutschland GmbH Germany Cyber Security Leopoldstrasse Business Centre GmbH, Konrad-Zuse-Platz 8, 81829, Munich, Germany NCC Group Escrow Europe B.V. Netherlands Escode Barbara Strozzilaan 201, 1083HN Amsterdam, Netherlands NCC Group Escrow Europe (Switzerland) AG Switzerland Escode Ibelweg 18A, 6300 Zug, Switzerland NCC Group Software Resilience England and Wales Holding company XYZ 1 (MEA-APAC) Limited NCC Group FZ-LLC United Arab Emirates Escode F01-004, Building 5, Dubai, Media City, Dubai, United Arab Emirates NCC Group Cyber Security Limited England and Wales Holding company XYZ 1 NCC Group Cyber Security (UK) Limited England and Wales Holding company XYZ 1 NCC Group Security Services Limited England and Wales Cyber Security XYZ 1 NCC Group Audit Limited England and Wales Cyber Security XYZ 1 ArmstrongAdams Limited England and Wales Cyber Security XYZ 1 NCC Group Signify Solutions Limited England and Wales Cyber Security XYZ 1 NCC Group Accumuli Security Limited England and Wales Cyber Security XYZ 1 NCC Group Cyber Security (Europe) B.V. Netherlands Holding company Fox-IT 3 Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 161 Subsidiary undertakings Country of incorporation Principal activity Registered office NCC Group A/S Denmark Cyber Security Lautruphøj 1, 2750 Ballerup, Denmark NCC Group Cyber Portuguesa, Unipessoal, LDA Portugal Cyber Security Av. António Augusto de Aguiar nº 19 – 4º, 1050-012 Lisboa, Portugal NCC Group Security Services Espana SLU Spain Cyber Security Plaza Manuel Gómez Moreno, número 2, Edificio Alfredo Mahou, planta 19ª, letra B, 28020, Madrid, Spain Cyber Assurance Sweden AB Sweden Cyber Security c/o Advokatfirman Delphi, P.O. Box 1432, 111 84 Stockholm Fox-IT Holding B.V. Netherlands Holding company Olof Palmestraat 6, 2616 LM Delft, Netherlands (Fox-IT 3 ) Fox-IT Group B.V. Netherlands Holding company Fox-IT 3 Fox-IT B.V. Netherlands Cyber Security Fox-IT 3 Fox-IT Operations B.V. Netherlands Dormant Fox-IT 3 Fox Crypto B.V. Netherlands Cyber Security Fox-IT 3 NCC Group Cyber Security (APAC) Limited England and Wales Holding company XYZ 1 NCC Group Pte Limited Singapore Cyber Security Unit #10-09 PLUS Building, 20 Cecil Street, Singapore (049705) NCC Group Pty Limited Australia Cyber Security Suite 23.01, Level 23, 45 Clarence Street, Sydney, NSW 2000 Escode Australia Pty Limited Australia Software Resilience Suite 23.01, Level 23, 45 Clarence Street, Sydney, NSW 2000 NCC Group Japan KK Japan Cyber Security Level 18, Yesibu Garden Place Tower, 4-20-3 Ebisu Shibuya-Ku, Tokyo NCC Group (Americas) Inc. USA Holding company 650 California Street, Suite 2950, San Francisco, CA 94108, USA (North America HQ 2 ) NCC Group, LLC USA Escode and central/ North America HQ 2 head office costs NCC Group Cyber Security (Americas), LLC USA Holding company North America HQ 2 NCC Group Security Services, Inc. USA Cyber Security North America HQ 2 NCC Group Secure Registrar, Inc. USA Domain services North America HQ 2 NCC Group Domain Services, Inc. USA Domain services North America HQ 2 NCC Group Security Services Corporation Canada Cyber Security Suite 270 0, The Stack, 1133 Melville St, Vancouver, BC V6E 4E5 Payment Software Company, Inc. USA Cyber Security North America HQ 2 Payment Software Company Limited England and Wales Cyber Security XYZ 1 NCC Group Software Resilience (Americas) LLC USA Holding company North America HQ 2 NCC Group Escrow Associates, LLC USA Escode North America HQ 2 NCC Group Software Resilience (NA), LLC USA Escode North America HQ 2 NCC Group Asia, Inc Philippines Cyber Security 37F Seven/NEO, 4th Avenue Bonifacio Global City, Taguig City, Metro Manila, 1634 The undertakings in which the Company holds less than a 100% interest at the period end are as follows: Undertaking % interest Country of incorporation Principal activity Deposit AB 24% Sweden Escode The Directors consider the above ownership structure to give rise to no significant influence over the undertaking. There is no Board representation, and the Group has no power to participate in the operating and financial policy decisions of the undertaking. Accordingly, the undertaking of Deposit AB has not been consolidated. 1 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ. 2 650 California Street, Suite 2950, San Francisco, CA 94108, USA. 3 Olof Palmestraat 6, 2616 LM Delft, Netherlands. 32 Investments in subsidiary undertakings continued NCC Group plc — Annual report and accounts for the period ended 30 September 2024162 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 33 Disposals Current period disposal of DetACT business On 30 April 2024, the Group completed the planned disposal of its DetACT business for a total cash consideration of £8.2m. The assets and liabilities included as part of the disposal were as follows: 2024 £m Attributable goodwill (5.9) Intangible fixed assets (1.4) Trade and other receivables (1.5) Trade and other payables 0.1 Deferred revenue 2.8 Deferred tax liability 0.3 Net assets disposed of (5.6) Consideration 8.2 Transaction costs (1.0) Gain on disposal – recognised as an individual significant item (Note 4) 1.6 Satisfied by: Cash and cash equivalents 8.2 Total consideration 8.2 Prior period disposal of DDI business On 31 December 2022, the Group completed the planned disposal of its DDI business for consideration of £5.8m. Of this amount, £3.8m, is contingent on the novation of certain customer contracts, which has now been settled in full. The assets and liabilities included as part of the disposal were as follows: 2023 £m Attributable goodwill (1.0) Trade and other receivables (1.2) Trade and other payables 1.2 Net assets disposed of (1.0) Consideration 5.8 Transaction costs (0.1) Gain on disposal 4.7 Satisfied by: Cash and cash equivalents 2.0 Contingent consideration 3.8 Consideration 5.8 34 Audit exemption The subsidiary undertakings listed below are exempt from the Companies Act 2006 requirements relating to the audit of their individual accounts by virtue of section 479A of the Act as this Company has guaranteed the subsidiary company under section 479C of the Act. Company name Company registration no. Payment Software Company Limited 10059024 NCC Group Holdings Limited 13325653 NCC Group (Solutions) Limited 03742757 NCC Group Corporate Limited 13247138 NCC Group Cyber Security (APAC) Limited 13294684 NCC Group Audit Limited 04323323 NCC Group Signify Solutions Limited 03915262 NCC Group Finance Limited 13350193 The Directors acknowledge their responsibility for complying with the requirements of the Companies Act 2006 with respect to accounting records and preparation of accounts. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 163 Appendix 1 – Unaudited 12-months pro forma results The following sections (pages 164 to 171) highlight the Group’s overall performance for the unaudited 12 month period ending 30 September 2024 (“2024”), compared to the previous unaudited 12 month period ending 30 September 2023 (“2023”). The following table summarises the Group’s unaudited overall performance by division: 2024 2023 Cyber Security £m Escode £m Central and head office £m Group – continuing £m Crypto and DetACT £m Total Group £m Cyber Security £m Escode £m Central and head office £m Group – continuing £m Crypto and DetACT £m Total Group £m Revenue 239.2 66.0 — 305.2 24.0 329.2 238.9 65.4 — 304.3 19.5 323.8 Cost of sales (150.7) (20.6) — (171.3) (15.0) (186.3) (167.1) (18.4) — (185.5) (12.5) (198.0) Gross profit 88.5 45.4 — 133.9 9.0 142.9 71.8 47.0 — 118.8 7.0 125.8 Gross margin % 37.0% 68.8% — 43.9% 37.5% 43.4% 30.1% 71.9% — 39.0% 35.9% 38.9% Administrative expenses (69.9) (16.9) (3.2) (90.0) (1.4) (91.4) (68.8) (16.6) (6.4) (91.8) (0.8) (92.6) Share-based payments (0.1) (0.1) (1.6) (1.8) — (1.8) (1.1) (0.1) (0.7) (1.9) (0.1) (2.0) Adjusted EBITDA 1,2 18.5 28.4 (4.8) 42.1 7.6 49.7 1.9 30.3 (7.1) 25.1 6.1 31.2 Depreciation and amortisation (8.5) (0.5) (3.7) (12.7) (0.1) (12.8) (8.2) (0.5) (3.6) (12.3) (0.2) (12.5) Amortisation of acquired intangibles (1.1) (5.3) (3.0) (9.4) — (9.4) (1.1) (5.6) (2.9) (9.6) — (9.6) Adjusted operating profit 1,2 8.9 22.6 (11.5) 20.0 7.5 27.5 (7.4) 24.2 (13.6) 3.2 5.9 9.1 Individually Significant Items (38.9) (0.1) — (39.0) — (39.0) (15.6) (2.4) — (18.0) — (18.0) Operating (loss)/profit (30.0) 22.5 (11.5) (19.0) 7.5 (11.5) (23.0) 21.8 (13.6) (14.8) 5.9 (8.9) Finance costs (6.1) (0.2) (6.3) (6.9) — (6.9) Loss before taxation (25.1) 7.3 (17.8) (21.7) 5.9 (15.8) Taxation (5.4) (1.9) (7.3) 1.9 (1.5) 0.4 Loss after taxation (30.5) 5.4 (25.1) (19.8) 4.4 (15.4) Earnings per share – Basic (9.8p) 1.7p (8.1p) (6.4p) 1.4p (5.0p) – Adjusted basic 3.5p 1.7p 5.2p (0.8p) 1.4p 0.6p 1 Adjusted EBITDA and Adjusted operating profit are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. 2 After reconsidering FRC best practice guidance around the disclosure of adjusting items and APMs, the Group has reduced the number of adjusted measures and items. The Group now only has one adjusted item, “Individual Significant Items”. Previous adjusted items of amortisation of acquisition intangibles and share-based payments are no longer disclosed as an adjusted item. Accordingly, comparative numbers have been restated. See unaudited appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. NCC Group plc — Annual report and accounts for the period ended 30 September 2024164 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 Appendix 1 – Unaudited 12-months pro forma results continued The following tables reconciles how these changes have affected the historic measures of Adjusted EBITDA and Adjusted operating profit: 2024 2023 Cyber Security £m Escode £m Central and head office £m Group – continuing £m Crypto and DetACT £m Total Group £m Cyber Security £m Escode £m Central and head office £m Group – continuing £m Crypto and DetACT £m Total Group £m Adjusted EBITDA – previously 18.6 28.5 (3.2) 43.9 7.6 51.5 3.0 30.4 (6.4) 27.0 6.2 33.2 Share-based payments (0.1) (0.1) (1.6) (1.8) — (1.8) (1.1) (0.1) (0.7) (1.9) (0.1) (2.0) Adjusted EBITDA – revised 18.5 28.4 (4.8) 42.1 7.6 49.7 1.9 30.3 (7.1) 25.1 6.1 31.2 Adjusted operating profit – previously 10.1 28.0 (6.9) 31.2 7.5 38.7 (5.2) 29.9 (10.0) 14.7 6.0 20.7 Share-based payments (0.1) (0.1) (1.6) (1.8) — (1.8) (1.1) (0.1) (0.7) (1.9) (0.1) (2.0) Amortisation of acquired intangibles (1.1) (5.3) (3.0) (9.4) — (9.4) (1.1) (5.6) (2.9) (9.6) — (9.6) Adjusted operating profit – revised 8.9 22.6 (11.5) 20.0 7.5 27.5 (7.4) 24.2 (13.6) 3.2 5.9 9.1 Unaudited revenue summary: 2024 £m 2023 £m % change at actual rates 2024 £m Constant currency 1 2023 £m % change at constant currency 1 Cyber Security revenue (excluding Crypto and DetACT) 239.2 238.9 0.1% 239.2 234.7 1.9% Crypto and DetACT 24.0 19.5 23.1% 24.0 19.1 25.7% Total Cyber Security revenue 263.2 258.4 1.9% 263.2 253.8 3.7% Escode 66.0 65.4 0.9% 66.0 64.2 2.8% Total revenue 329.2 323.8 1.7% 329.2 318.0 3.5% Unaudited divisional performance – Cyber Security: Cyber Security unaudited revenue analysis – by originating country: 2024 £m 2023 £m % change at actual rates 2024 £m Constant currency 1 2023 £m % change at constant currency 1 UK and APAC 135.5 118.2 14.6% 135.5 117.7 15.1% North America 67.0 84.8 (21.0%) 67.0 81.8 (18.1%) Europe 60.7 55.4 9.6% 60.7 54.3 11.8% Total Cyber Security revenue 263.2 258.4 1.9% 263.2 253.8 3.7% From a total Cyber Security revenue trajectory perspective, the following tables compare half on half (being the half-year results relating to the 12 months ending 30 September 2024 and the 12 months ending 30 September 2023) performance: H1 2024 £m H1 2023 £m % change at actual rates H1 2024 £m Constant currency 1 H1 2023 £m % change at constant currency 1 UK and APAC 69.1 62.3 10.9% 69.1 62.9 9.9% North America 33.4 49.0 (31.8%) 33.4 46.9 (28.8%) Europe 31.4 27.6 13.8% 31.4 26.2 19.8% Total Cyber Security revenue 133.9 138.9 (3.6%) 133.9 136.0 (1.5%) 1 Revenue growth at constant currency is an Alternative Performance Measure (APM) and not an IFRS measure. See unaudited appendix 2 for an explanation of APMs, including a reconciliation to statutory information. Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 165 Appendix 1 – Unaudited 12-months pro forma results continued Unaudited divisional performance – Cyber Security: continued H2 2024 £m H2 2023 £m % change at actual rates H2 2024 £m Constant currency 1 H2 2023 £m % change at constant currency 1 UK and APAC 66.4 55.9 18.8% 66.4 54.8 21.2% North America 33.6 35.8 (6.1%) 33.6 34.9 (3.7%) Europe 29.3 27.8 5.4% 29.3 28.1 4.3% Total Cyber Security revenue 129.3 119.5 8.2% 129.3 117.8 9.7% The following table shows the current trajectory of revenue during the 12 month period: H2 2024 £m H1 2024 £m % change at actual rates UK and APAC 66.4 69.1 (3.9%) North America 33.6 33.4 0.6% Europe 29.3 31.4 (6.7%) Total Cyber Security revenue 129.3 133.9 (3.4%) Following the implementation of our new strategy, Cyber Security revenue is now analysed in more detail by type of service and capability. This is summarised by the following unaudited revenue analysis: 2024 £m 2023 £m % change at actual rates 2024 £m Constant currency 1 2023 £m % change at constant currency 1 Technical Assurance Services (TAS) 105.6 126.9 (16.8%) 105.6 124.2 (15.0%) Consulting and Implementation (C&I) 42.2 44.2 (4.5%) 42.2 43.7 (3.4%) Managed Services (MS) 74.5 51.5 44.7% 74.5 50.8 46.7% Digital Forensics and Incident Response (DFIR) 15.1 15.1 — 15.1 14.9 1.3% Other services 25.8 20.7 24.6% 25.8 20.2 27.7% Total Cyber Security revenue 263.2 258.4 1.9% 263.2 253.8 3.7% From a total Cyber Security revenue trajectory perspective in relation to types of services, the following tables compare half on half (being the half-year results relating to the 12 months ended 30 September 2024 and the 12 months to 30 September 2023) performance: H1 2024 £m H1 2023 £m % change at actual rates H1 2024 £m Constant currency 1 H1 2023 £m % change at constant currency 1 Technical Assurance Services (TAS) 52.9 73.4 (27.9%) 52.9 71.5 (26.0%) Consulting and Implementation (C&I) 22.7 23.4 (3.0%) 22.7 23.0 (1.3%) Managed Services (MS) 36.9 24.7 49.4% 36.9 24.3 51.9% Digital Forensics and Incident Response (DFIR) 7.7 6.9 11.6% 7.7 6.8 13.2% Other services 13.7 10.5 30.5% 13.7 10.4 31.7% Total Cyber Security revenue 133.9 138.9 (3.6%) 133.9 136.0 (1.5%) H2 2024 £m H2 2023 £m % change at actual rates H2 2024 £m Constant currency 1 H2 2023 £m % change at constant currency 1 Technical Assurance Services (TAS) 52.8 53.5 (1.3%) 52.8 52.9 (0.2%) Consulting and Implementation (C&I) 19.5 20.8 (6.3%) 19.5 20.7 (5.8%) Managed Services (MS) 37.5 26.8 39.9% 37.5 26.5 41.5% Digital Forensics and Incident Response (DFIR) 7.4 8.2 (9.8%) 7.4 8.0 (7.5%) Other services 12.1 10.2 18.6% 12.1 9.8 23.5% Total Cyber Security revenue 129.3 119.5 8.2% 129.3 117.9 9.7% 1 Revenue growth at constant currency is an Alternative Performance Measure (APM) and not an IFRS measure. See unaudited appendix 2 for an explanation of APMs, including a reconciliation to statutory information. NCC Group plc — Annual report and accounts for the period ended 30 September 2024166 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 Appendix 1 – Unaudited 12-months pro forma results continued Unaudited divisional performance – Cyber Security: continued H2 2024 £m H1 2024 £m % change at actual rates Technical Assurance Services (TAS) 52.8 52.9 (0.2%) Consulting and Implementation (C&I) 19.5 22.7 (14.1%) Managed Services (MS) 37.5 36.9 1.6% Digital Forensics and Incident Response (DFIR) 7.4 7.7 (3.9%) Other services 12.1 13.7 (11.7%) Total Cyber Security revenue 129.3 133.9 (3.4%) Cyber Security unaudited gross profit is analysed as follows: 2024 £m 2024 % margin 2023 £m 2023 % margin % pts change UK and APAC 61.3 45.2% 40.6 34.3% 10.9% pts North America 14.8 22.1% 20.0 23.6% (1.5% pts) Europe 21.4 35.3% 18.2 32.9% 2.4% pts Cyber Security gross profit and % margin 97.5 37.0% 78.8 30.5% 6.5% pts Europe gross profit excluding Crypto and DetACT would have amounted to 33.8% compared to the prior year of 31.2%. From a total Cyber Security gross profit trajectory perspective, the following tables compare half on half (being the half-year results relating to the 12 months ended 30 September 2024 and the 12 months to 30 September 2023) performance: H1 2024 £m H1 2024 % margin H1 2023 £m H1 2023 % margin % pts change UK and APAC 31.4 45.4% 23.0 36.9% 8.5% pts North America 7.4 22.2% 12.0 24.5% (2.3% pts) Europe 10.2 32.5% 10.0 36.2% (3.7% pts) Cyber Security gross profit and % margin 49.0 36.6% 45.0 32.4% 4.2% pts H2 2024 £m H2 2024 % margin H2 2023 £m H2 2023 % margin % pts change UK and APAC 29.9 45.0% 17.6 31.5% 13.5% pts North America 7.4 22.0% 8.0 22.3% (0.3% pts) Europe 11.2 38.2% 8.2 29.5% 8.7% pts Cyber Security gross profit and % margin 48.5 37.5% 33.8 28.3% 9.2% pts H2 2024 £m H2 2024 % margin H1 2024 £m H1 2024 % margin % pts change UK and APAC 29.9 45.0% 31.4 45.4% (0.4% pts) North America 7.4 22.0% 7.4 22.2% (0.2% pts) Europe 11.2 38.2% 10.2 32.5% 5.7% pts Cyber Security gross profit and % margin 48.5 37.5% 49.0 36.6% 0.9% pts Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 167 Appendix 1 – Unaudited 12-months pro forma results continued Unaudited divisional performance – Escode: Escode unaudited revenue analysis – by originating country: 2024 £m 2023 £m % change at actual rates 2024 £m Constant currency 1 2023 £m % change at constant currency 1 UK 28.0 26.5 5.7% 28.0 26.5 5.7% North America 33.9 34.7 (2.3%) 33.9 33.5 1.2% Europe 4.1 4.2 (2.4%) 4.1 4.2 (2.4%) Total Escode revenue 66.0 65.4 0.9% 66.0 64.2 2.8% Escode unaudited revenues analysed by service line: 2024 £m 2023 £m % change at actual rates 2024 £m Constant currency 1 2023 £m % change at constant currency 1 Escrow contracts 43.0 43.6 (1.4%) 43.0 43.4 (0.9%) Verification services 23.0 21.8 5.5% 23.0 20.8 10.6% Total Escode revenue 66.0 65.4 0.9% 66.0 64.2 2.8% From a Escode revenue trajectory perspective, the following tables compare half on half (being the half-year results relating to the 12 months ended 30 September 2024 and the 12 months to 30 September 2023) performance: H1 2024 £m H1 2023 £m % change at actual rates H1 2024 £m Constant currency 1 H1 2023 £m % change at constant currency 1 UK 14.0 12.6 11.1% 14.0 12.8 9.4% North America 16.8 17.4 (3.4%) 16.8 17.3 (2.9%) Europe 2.1 2.2 (4.5%) 2.1 2.2 (4.5%) Total Escode revenue 32.9 32.2 2.2% 32.9 32.3 1.9% H2 2024 £m H2 2023 £m % change at actual rates H2 2024 £m Constant currency 1 H2 2023 £m % change at constant currency 1 UK 14.0 13.9 0.7% 14.0 13.7 2.2% North America 17.1 17.3 (1.2%) 17.1 16.3 4.9% Europe 2.0 2.0 (0.0%) 2.0 2.0 0.0% Total Escode revenue 33.1 33.2 (0.3%) 33.1 32.0 3.4% H2 2024 £m H1 2024 £m % change at actual rates H2 2024 £m Constant currency 1 H1 2024 £m % change at constant currency 1 UK 14.0 14.0 0.0% 14.0 12.6 11.1% North America 17.1 16.8 1.8% 17.1 16.6 3.0% Europe 2.0 2.1 (4.8%) 2.0 2.1 (4.8%) Total Escode revenue 33.1 32.9 0.6% 33.1 31.3 5.8% H1 2024 £m H1 2023 £m % change at actual rates H1 2024 £m Constant currency 1 H1 2023 £m % change at constant currency 1 Escrow contracts 22.0 21.7 1.4% 22.0 22.4 (1.8%) Verification services 10.9 10.5 3.8% 10.9 9.8 11.2% Total Escode revenue 32.9 32.2 2.2% 32.9 32.2 2.2% 1 Revenue growth at constant currency is an Alternative Performance Measure (APM) and not an IFRS measure. See unaudited appendix 2 for an explanation of APMs, including a reconciliation to statutory information. NCC Group plc — Annual report and accounts for the period ended 30 September 2024168 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 Appendix 1 – Unaudited 12-months pro forma results continued Unaudited divisional performance – Escode: continued H2 2024 £m H2 2023 £m % change at actual rates H2 2024 £m Constant currency 1 H2 2023 £m % change at constant currency 1 Escrow contracts 21.0 21.9 (4.1%) 21.0 21.0 0.0% Verification services 12.1 11.3 7.1% 12.1 11.0 10.0% Total Escode revenue 33.1 33.2 (0.3%) 33.1 32.0 3.4% H2 2024 £m H1 2024 £m % change at actual rates H2 2024 £m Constant currency 1 H1 2024 £m % change at constant currency 1 Escrow contracts 21.0 22.0 (4.5%) 21.0 21.1 (0.5%) Verification services 12.1 10.9 11.0% 12.1 10.3 17.5% Total Escode revenue 33.1 32.9 0.6% 33.1 31.4 5.4% Escode unaudited gross profit is analysed as follows: 2024 £m 2024 % margin 2023 £m 2023 % margin % pts change UK 19.0 67.9% 18.3 69.1% (1.2% pts) North America 24.1 71.1% 25.8 74.4% (3.3% pts) Europe 2.3 56.1% 2.9 69.0% (12.9% pts) Escode gross profit and % margin 45.4 68.8% 47.0 71.9% (3.1% pts) From a Escode gross profit trajectory perspective, the following tables compare half on half (being the half-year results relating to the 12 months ended 30 September 2024 and the 12 months to 30 September 2023) performance: H1 2024 £m H1 2024 % margin H1 2023 £m H1 2023 % margin % pts change UK 9.5 67.9% 9.2 73.0% (5.1% pts) North America 11.7 69.6% 12.8 73.6% (4.0% pts) Europe 1.2 57.1% 1.4 63.6% (6.5% pts) Escode gross profit and % margin 22.4 68.1% 23.4 72.7% (4.6% pts) H2 2024 £m H2 2024 % margin H2 2023 £m H2 2023 % margin % pts change UK 9.5 68.3% 9.1 65.5% 2.8% pts North America 12.4 72.5% 13.0 75.1% (2.6% pts) Europe 1.1 55.0% 1.5 75.0% (20.0% pts) Escode gross profit and % margin 23.0 69.5% 23.6 71.1% (1.6% pts) H2 2024 £m H2 2024 % margin H1 2024 £m H1 2024 % margin % pts change UK 9.5 68.3% 9.5 67.9% 0.4% pts North America 12.4 72.5% 11.7 69.6% 2.9% pts Europe 1.1 55.0% 1.2 57.1% (2.1% pts) Escode gross profit and % margin 23.0 69.5% 22.4 68.1% 1.4% pts Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 169 Appendix 1 – Unaudited 12-months pro forma results continued The unaudited Consolidated Balance Sheet position as at 30 September 2023 compared to the audited Balance Sheet position as at 30 September 2024: 30 September 2024 £m Unaudited 30 September 2023 £m Non-current assets Goodwill 156.5 257.9 Intangible assets 89.2 109.4 Property, plant and equipment 11.6 12.6 Right-of-use assets 15.7 18.0 Investments — 0.3 Deferred tax asset 0.6 2.9 Total non-current assets 273.6 401.1 Current assets Inventories — 0.8 Trade and other receivables 32.2 58.9 Contract assets 20.1 20.5 Contingent consideration receivable — 1.8 Current tax receivable 2.9 3.6 Cash and cash equivalents 29.8 13.6 Assets classified as held for sale 61.5 — Total current assets 146.5 99.2 Total assets 420.1 500.3 Current liabilities Trade and other payables 46.8 47.1 Bank overdraft 13.6 3.1 Lease liabilities 5.7 6.1 Current tax payable 1.6 1.5 Derivative financial instruments 0.8 0.1 Provisions 1.4 1.6 Contract liabilities – deferred revenue 50.7 62.6 Liabilities directly associated with assets classified as held for sale 5.7 — Total current liabilities 126.3 122.1 Non-current liabilities Borrowings 61.5 78.0 Lease liabilities 21.9 22.8 Deferred tax liabilities 0.5 1.4 Provisions 1.9 1.4 Contract liabilities – deferred revenue 2.8 4.2 Total non-current liabilities 88.6 107.8 Total liabilities 214.9 229.9 Net assets 205.2 270.4 Equity Share capital 3.1 3.1 Share premium 224.4 224.1 Merger reserve 42.3 42.3 Currency translation reserve 24.5 39.9 Retained earnings (89.1) (39.0) Total equity attributable to equity holders of the Parent 205.2 270.4 NCC Group plc — Annual report and accounts for the period ended 30 September 2024170 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 Appendix 1 – Unaudited 12-months pro forma results continued The unaudited Cash Flow Statement for the 12 month period ended 30 September 2024: 12 months period ended 30 September 2024 £m Cash flows from operating activities Loss for the period/year (25.1) Adjustments for: Depreciation of property, plant and equipment 4.3 Depreciation of right-of-use assets 6.6 Amortisation of customer contracts and relationships 9.4 Amortisation of software and development costs 2.6 Impairment of goodwill 31.9 Impairment of non-current assets included in ISIs 3.7 Share-based payments 1.8 Lease financing costs 1.6 Other financing costs 6.3 Foreign exchange loss 1.9 Profit on disposal of right-of-use assets (0.1) Profit on disposal of businesses (1.6) Profit on disposal of investment (0.1) Loss on disposal of fixed assets 0.1 Income tax expense 7.3 Cash inflow for the year before changes in working capital 50.6 Decrease in trade and other receivables 19.3 Increase in contract assets (3.4) Decrease in inventories 0.2 Decrease in trade and other payables (19.3) Increase in provisions 0.6 Cash generated from operating activities before interest and taxation 48.0 Interest element of lease payments (1.6) Other interest paid (5.9) Taxation paid (2.1) Net cash generated from operating activities 38.4 Cash flows from investing activities Purchase of property, plant and equipment (4.3) Software, development and customer contracts expenditure (1.3) Sale proceeds of business disposals 10.4 Net cash generated from/(used in) in investing activities 4.8 Cash flows from financing activities Proceeds from the issue of ordinary share capital 0.3 Acquisition of treasury shares (5.8) Principal element of lease payments (7.9) Drawdown of borrowings (net of deferred issue costs) 38.8 Repayment of borrowings (51.3) Equity dividends paid (14.5) Net cash used in financing activities (40.4) Net decrease in cash and cash equivalents (inc. bank overdraft) 2.8 Cash and cash equivalents (inc. bank overdraft) at beginning of period 10.5 Effect of foreign currency exchange rate changes 2.9 Cash and cash equivalents (inc. bank overdraft) at end of year 16.2 Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 171 Appendix 2 – Alternative Performance Measures (APMs) and adjusting items The consolidated Financial Statements include APMs as well as statutory measures. These APMs used by the Group are not defined terms under IFRS and may therefore not be comparable with similarly titled measures reported by other companies. They are not intended to be a substitute for, or superior to, Generally Accepted Accounting Practice (GAAP) measures. All APMs relate to the current period results and comparative periods where provided. This presentation is also consistent with the way that financial performance is measured by management and reported to the Board, and the basis of financial measures for senior management’s compensation schemes and provides supplementary information that assists the user in understanding the financial performance, position and trends of the Group. At all times, the Group aims to ensure that the Annual Report and Accounts gives a fair, balanced and understandable view of the Group’s performance, cash flows and financial position. IAS 1 ‘Presentation of Financial Statements’ requires the separate presentation of items that are material in nature or scale in order to allow the user of the Financial Statements to understand underlying business performance. We believe these APMs provide readers with important additional information on our business and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can differ significantly from the APMs and may be assessed differently by the reader we encourage you to consider these figures together with statutory reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related APMs may exclude recurring business transactions (e.g. acquisition related costs and certain share-based payment charges) that impact financial performance and cash flows. As the Group manages internally its performance at an Adjusted operating profit level (before Individually Significant Items, amortisation of acquired intangibles and share-based payments), which management believes represents the underlying trading of the business. This information is still disclosed as an APM within this Annual Report. This APM is reconciled to statutory operating profit, together with the consequently Adjusted basic EPS (before amortisation of acquisition intangibles, share-based payments and Individually Significant Items and tax effect thereon) to statutory basic EPS. Please see page 42 of the Financial Review section. The Group has the following APMs/non-statutory measures: APM Closest equivalent IFRS measure Adjustments to reconcile to IFRS measure Definition, purpose and considerations made by the Directors Income statement measures: Constant currency revenue growth rates Revenue growth rates at actual rates of currency exchange Retranslation of comparative numbers at current period exchange rates to provide constant currency The Group reports certain geographic regions and service capabilities on a constant currency basis to reflect the underlying performance considering constant foreign exchange rates year on year. This involves retranslating comparative numbers at current period rates for comparability to enable a growth factor to be calculated. Adjusted operating profit Operating profit or loss Operating profit or loss before Individually Significant Items (Previously: Operating profit or loss before amortisation of acquired intangibles, share-based payments and Individually Significant Items) Represents operating profit before Individually Significant Items (the only adjusting item). This measure is to allow the user to understand the Group’s underlying financial performance as measured by management. Individually Significant Items are items that are considered unusual by nature or scale and are of such significance that separate disclosure is relevant to understanding the Group’s financial performance and therefore requires separate presentation in the Financial Statements in order to fairly present the financial performance of the Group. Adjusted profit for the period Loss for the period Loss for the period before Individually Significant Items and associated tax effects and adjusted tax items. Represents loss for the period before Individually Significant Items and their associated tax effect and adjusted tax items. This measure is to allow the user to calculate the Group’s Adjusted earnings per share. Adjusted earnings before interest, tax, depreciation and amortisation (Adjusted EBITDA) Operating profit or loss Operating profit or loss, before adjusting item, depreciation and amortisation, finance costs and taxation (Previously: before amortisation of acquired intangibles, share-based payments, Individually Significant Items and the tax effect thereon) Represents operating profit before adjusting item, depreciation and amortisation to assist in the understanding of the Group’s performance. Adjusted EBITDA is disclosed as this is a measure widely used by various stakeholders and used by the Group to measure the cash conversion ratio. NCC Group plc — Annual report and accounts for the period ended 30 September 2024172 Notes to the Financial Statements continued for the 16 month period ended 30 September 2024 APM Closest equivalent IFRS measure Adjustments to reconcile to IFRS measure Definition, purpose and considerations made by the Directors Income statement measures: continued Adjusted basic EPS Statutory basic EPS Statutory basic EPS before Individually Significant Items and their associated tax effect and adjusted tax items. (Previously: before amortisation of acquired intangibles, share-based payments, Individually Significant Items and the tax effect thereon) Represents basic EPS before Individually Significant Items and their associated tax effect and adjusted tax items. This measure is to allow the user to understand the Group’s underlying financial performance as measured by management, reported to the Board and used as a financial measure in senior management’s compensation schemes. Balance Sheet measures: Net debt excluding lease liabilities Total borrowings (excluding lease liabilities) offset by cash and cash equivalents Represents total borrowings (excluding lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group Balance Sheet position, overall net indebtedness and gearing on a like-for-like basis. Net debt, when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions. Net debt Total borrowings (including lease liabilities) offset by cash and cash equivalents Represents total borrowings (including lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group Balance Sheet position, overall net indebtedness and gearing including lease liabilities. Net debt, when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions. Cash flow measures: Cash conversion ratio Ratio % of net cash flow from operating activities before interest and tax divided by operating profit Ratio % of net cash flow from operating activities before interest and tax divided by Adjusted EBITDA The cash conversion ratio is a measure of how effectively operating profit is converted into cash and effectively highlights both non-cash accounting items within operating profit and also movements in working capital. It is calculated as net cash flow from operating activities before interest and taxation (as disclosed on the face of the Cash Flow Statement) divided by Adjusted EBITDA. The cash conversion ratio is a measure widely used by various stakeholders and hence is disclosed to show the quality of cash generation and also to allow comparison to other similar companies. Appendix 2 – Alternative Performance Measures (APMs) and adjusting items continued Financial statements NCC Group plc — Annual report and accounts for the period ended 30 September 2024 173 Glossary of terms – other terms Other terms Definition and usage Code Guidance, issued by the Financial Reporting Council in 2016 and updated in 2018, on how companies should be governed, applicable to UK listed companies including NCC Group plc. Adjusted Any result described as adjusted excludes the impact of Individually Significant Items, and any tax on any of these items. Adjusted earnings Adjusted earnings are defined as statutory earnings before Individually Significant Items, net of the tax effect of these items. Adjusted operating profit margin 1 Calculated as Adjusted operating profit divided by revenue from continuing activities. AGM Annual General Meeting of shareholders of the Company held each year to consider ordinary and special business as provided in the Notice of AGM. Alternative Performance Measure (APM) An Alternative Performance Measure (which is denoted in each case or use thereof by a footnote) is a non-GAAP performance metric used by management either internally or externally to present management’s view of the underlying business performance. They are not superior to GAAP-based measures and are simply an alternative way of looking at performance. See appendix 2 for further information over the Group’s APMs. Board The Board of Directors of the Company (for more information see pages 56 and 57). Cash conversion ratio 1 Calculated as cash generated from operating activities before interest and taxation divided by Adjusted EBITDA 1 , expressed as a percentage. CDO Cyber Defence Operations. CEO Chief Executive Officer. CFO Chief Financial Officer. CISO Chief Information Security Officer. Company, Group, NCC, we, our or us We use these terms, depending on the context, to refer to either NCC Group plc, the individual Company, or to NCC Group plc and its subsidiaries collectively. CPO Chief People Officer. CTO Chief Technology Officer. Directors, Executive Directors and Non-Executive Directors The Directors/Executive Directors and Non-Executive Directors of the Company whose names are set out on pages 56 and 57 of this report. EBIT Earnings before interest and tax. EBIT margin % EBIT margin % is calculated as follows: Adjusted EBIT divided by revenue. EBITDA Earnings before interest, tax, depreciation and amortisation. Calculated as operating profit before Individually Significant Items and adding back depreciation and amortisation charged. EBITDA margin % EBITDA divided by revenue. EPS Earnings per share. Profit for the period attributable to equity shareholders of the Parent allocated to each ordinary share. FCA Financial Conduct Authority. Financial year For NCC Group, following the change in year end in the current period, this is an accounting period ending on 30 September (previously 31 May in prior periods). FRC Financial Reporting Council. Free cash flow Net cash from operating activities less net capital expenditure and acquisition costs. FRS A UK Financial Reporting Standard as issued by the UK Financial Reporting Council (FRC). FVLCTS Fair value less costs to sell. NCC Group plc — Annual report and accounts for the period ended 30 September 2024174 Other terms Definition and usage Gross profit Gross profit is revenue less direct costs of sale. It excludes costs considered to be overheads that are supporting the business as a whole as opposed to a specific revenue item. Gross margin %/GM % Calculated as gross profit divided by revenue from continuing activities. HMRC His Majesty’s Revenue & Customs, the tax collecting authority of the UK. IAS or IFRS An International Accounting Standard or International Financial Reporting Standard, as issued by the International Accounting Standards Board (IASB). IFRS is also used as the term to describe international generally accepted accounting principles as a whole. Individually Significant Items Items that the Directors consider to be material in nature, scale or frequency of occurrence that need to be excluded when calculating some non-statutory performance measures in order to allow users of the Financial Statements to gain a full understanding of the underlying business performance. See Note 4 for further information. PricewaterhouseCoopers (PwC) The Company’s external auditor, PwC LLP. LTIP Long Term Incentive Plan established to align the interests of senior and executive management with those of shareholders. The plan is formally known as the NCC Group Long Term Incentive Plan 2013 (approved by shareholders in 2013). MD Managing Director. MDR Managed Detection and Response. Net debt 1 Total borrowings offset by cash and cash equivalents. Ordinary shares Voting shares entitling the holder to part ownership of a company. SAYE/Sharesave Save As You Earn, being a tax efficient scheme to encourage colleague share ownership. Escode Escode represents our escrow resilience services. Subsidiary A company or other entity that is controlled by NCC Group. TSC Technical Security Consulting. TSR Total shareholder return, which is share price growth plus dividends reinvested (where applicable) over a specified period of time, divided by the share price at the start of the period. 1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See appendix 2 for an explanation of APMs and adjusting items, including a reconciliation to statutory information. NCC Group plc — Annual report and accounts for the period ended 30 September 2024 175 Additional information Other information Directors Chris Stone – Non-Executive Chair Mike Maddison – Chief Executive Officer Guy Ellis – Chief Financial Officer Julie Chakraverty – Senior Independent Non-Executive Director Jennifer Duvalier – Independent Non-Executive Director Mike Ettling – Independent Non-Executive Director Lynn Fordham – Independent Non-Executive Director Company Secretary Jonathan Williams Registered Group and Company head office XYZ Building 2 Hardman Boulevard Spinningfields Manchester M3 3AQ Registered number 4627044 Registered in England and Wales Joint brokers and corporate finance advisers Investec Bank plc 30 Gresham Street London EC2V 7QP Peel Hunt LLP Moor House 120 London Wall London EC2Y 5ET Auditor PricewaterhouseCoopers LLP 1 Hardman Square Manchester M3 3EB Solicitors DLA Piper UK LLP 1 St Peter’s Square Manchester M2 3DE Registrar Equiniti Aspect House Spencer Road Lancing West Sussex BN99 6DA Bankers HSBC UK Bank plc 2nd Floor 4 Hardman Square Spinningfields Manchester M3 3EB National Westminster Bank plc 1 Hardman Boulevard Manchester M3 3AQ ING Bank N.V. London Branch 8–10 Moorgate London EC2R 6DA Fifth Third Bank NA 38 Fountain Square Plaza Cincinnati OH 45263 NCC Group plc — Annual report and accounts for the period ended 30 September 2024176 Financial calendar AGM 28 January 2025 Ex-dividend date 20 February 2025 Record date 21 February 2025 2025 half-year end 31 March 2025 Dividend payment date 4 April 2025 2025 interim statement June 2025 2025 year end 30 September 2025 2025 preliminary year end statement December 2025 These dates are provisional and may be subject to change. CBP028356 NCC Group plc’s commitment to environmental issues is reflected in this Annual Report, which has been printed on Magno Satin, an FSC ® certified material. This document was printed by Geoff Neal using its environmental print technology, which minimises the impact of printing on the environment, with 99% of dry waste diverted from landfill. Both the printer and the paper mill are registered to ISO 14001. NCC Group plc Annual report and accounts for the period ended 30 September 2024 NCC Group plc Annual report and accounts for the period ended 30 September 2024
Building tools?
Free accounts include 100 API calls/year for testing.
Have a question? We'll get back to you promptly.