Ernst & Young Oy Korkeavuorenkatu 32-34 FI-00130 Helsinki FINLAND

Tel: +358 207 280 190 www.ey.com/fi Business ID: 2204039-6, domicile Helsinki

AUDITOR'S REPORT (Translation of the Finnish original)

To the Annual General Meeting of SSH Communications Security Corporation

Report on the Audit of Financial Statements

Opinion

We have audited the financial statements of SSH Communications Security Corporation (business identity code 1035804-9) for the year ended 31 December, 2024. The financial statements comprise the consolidated balance sheet, income statement, statement of comprehensive income, statement of changes in equity, statement of cash flows and notes, including material accounting policy information, as well as the parent company's balance sheet, income statement, statement of cash flows and notes.

In our opinion

the consolidated financial statements give a true and fair view of the group's financial position, financial performance and cash flows in accordance with IFRS Accounting Standards as adopted by the EU.
the financial statements give a true and fair view of the parent company's financial performance and financial position in accordance with the laws and regulations governing the preparation of financial statements in Finland and comply with statutory requirements.

Our opinion is consistent with the additional report submitted to the Board of Directors.

Basis for Opinion

We conducted our audit in accordance with good auditing practice in Finland. Our responsibilities under good auditing practice are further described in the Auditor's Responsibilities for the Audit of Financial Statements section of our report.

We are independent of the parent company and of the group companies in accordance with the ethical requirements that are applicable in Finland and are relevant to our audit, and we have fulfilled our other ethical responsibilities in accordance with these requirements.

In our best knowledge and understanding, the non-audit services that we have provided to the parent company and group companies are in compliance with laws and regulations applicable in Finland regarding these services, and we have not provided any prohibited non-audit services referred to in Article 5(1) of regulation (EU) 537/2014. The non-audit services that we have provided have been disclosed in note 5 to the consolidated financial statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Key Audit Matters

Key audit matters are those matters that, in our professional judgment, were of most significance in our audit of the financial statements of the current period. These matters were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters.

We have fulfilled the responsibilities described in the Auditor's responsibilities for the audit of the financial statements section of our report, including in relation to these matters. Accordingly, our audit included the performance of procedures designed to respond to our assessment of the risks of material misstatement of the financial statements. The results of our audit procedures, including the procedures performed to address the matters below, provide the basis for our audit opinion on the accompanying financial statements.

We have also addressed the risk of management override of internal controls. This includes consideration of whether there was evidence of management bias that represented a risk of material misstatement due to fraud.

Key Audit Matter	How our audit addressed the Key Audit Matter
Revenue recognition We refer to the notes 2 and 3.
The group has multiple revenue sources including maintenance and subscription sales, license sales and consulting services. The group's revenue for the financial year 2024 amounted to 22,2 million euros, which mostly comprised of maintenance and subscription sales and license sales. According to the group's accounting policies, maintenance and subscription sales are recognized evenly on an accrual basis throughout the contract period, and license sales are recognized when the right of use of the product is granted to the buyer. Consulting sales are recognized when the service has been delivered. There is a risk of incorrect timing of revenue recognition due to the various different terms and conditions included in the group's sales contracts. Revenue recognition was determined to be a key audit matter and a significant risk of material misstatement referred to in EU Regulation No 537/2014, point (c) of Article 10 (2).	Our audit procedures to address the risk of material misstatement in respect of revenue recognition included among others the following procedures: • We evaluated the revenue recognition principles applied by the group from the perspective of the applicable accounting standards. • We evaluated the revenue recognition of different sources of revenue in relation to the terms and conditions of the sales contracts. • We tested the correctness of the timing of revenue recognition. • We evaluated the appropriateness and sufficiency of the notes related to the group's revenue.
Key Audit Matter	How our audit addressed the Key Audit Matter
Valuation of goodwill and customer relationships We refer to the note 13.
As of balance sheet date 31 December 2024, the book value of goodwill amounted to 8,6 million euros and customer relationships to 5,1 million euros representing 46 % of Group's assets and 152 % of equity. Goodwill and customer relationships are tested as part of cash generating unit SSH Secure Collaboration. Valuation of goodwill and customer relationships was a key audit matter because • the annual impairment testing process involves management judgment, the assessment process is complex, and it includes estimates and assumptions,	Our audit procedures to address the risk of material misstatement in respect of valuation of goodwill and customer relationships included among others the following procedures: • We evaluated with the assistance of EY valuation specialists the underlying assumptions and methods applied by the management in the impairment testing, with regards to the following assumptions: the revenue growth rate, EBIT-% and the discount rate applied on net cash flows. • We evaluated with the assistance of EY valuation specialists the appropriateness of the
• impairment testing is based on assumptions relating to market and economic conditions, and • book value of goodwill and customer relationships is significant to the financial	sensitivity analysis, and whether a reasonably possible change in an underlying assumption could cause the book value of the unit to exceed the value in use. • We compared future estimates to the budget

The value in use of the cash generating unit is estimated based on a discounted cash flow calculation, and the outcome can vary significantly when the underlying assumptions used in the calculation change. There are number of underlying assumptions used to determine the value in use, such as revenue growth rate, EBIT and the discount rate applied on net cash flows. Any changes in these assumptions may result in an impairment of goodwill. This matter was a significant risk of material misstatement referred to in EU Regulation No 537/2014, point (c) of Article 10 (2).	available historical information, and we tested the mathematical accuracy of the impairment calculation. • We evaluated the appropriateness of the group's disclosures in respect of impairment testing.
Key Audit Matter	How our audit addressed the Key Audit Matter
Valuation of capitalized development costs We refer to the note 13. As of balance sheet date 31 December 2024, the book value of capitalized development costs amounted to 4,3 million euros representing 14 % of Group's assets and 48 % of equity. Valuation of capitalized development costs was a key audit matter because impairment testing includes forecasts. Group management exercises judgment determining the assumptions related to future market conditions and economic trends such as the general economic growth and sales and profitability trends. This matter was a significant risk of material misstatement referred to in EU Regulation No 537/2014, point (c) of Article 10 (2).	Our audit procedures to address the risk of material misstatement in respect of valuation of capitalized development costs included among others the following procedures: • We evaluated the key assumptions used by management including revenue growth rate, profitability development and discount rate. • We compared management estimates to available historical information and we tested the mathematical accuracy of the impairment calculation. • We evaluated the appropriateness of the group's disclosures in respect of impairment testing.

The value in use of the cash generating unit is
estimated based on a discounted cash flow
calculation, and the outcome can vary significantly
when the underlying assumptions used in the
calculation change. There are number of underlying
assumptions used to determine the value in use,
such as revenue growth rate, EBIT and the discount
rate applied on net cash flows. Any changes in
these assumptions may result in an impairment of
goodwill.
This matter was a significant risk of material
misstatement referred to in EU Regulation No
537/2014, point (c) of Article 10 (2).

available historical information, and we tested
the mathematical accuracy of the impairment
calculation.
•
We evaluated the appropriateness of the
group's disclosures in respect of impairment
testing.

Key Audit Matter

How our audit addressed the Key Audit Matter

Valuation of capitalized development costs
We refer to the note 13.
As of balance sheet date 31 December 2024, the
book value of capitalized development costs
amounted to 4,3 million euros representing 14 % of
Group's assets and 48 % of equity.
Valuation of capitalized development costs was a
key audit matter because impairment testing
includes forecasts. Group management exercises
judgment determining the assumptions related to
future market conditions and economic trends
such as the general economic growth and sales
and profitability trends.
This matter was a significant risk of material
misstatement referred to in EU Regulation No
537/2014, point (c) of Article 10 (2).

Our audit procedures to address the risk of material
misstatement in respect of valuation of capitalized
development costs included among others the
following procedures:
•
We evaluated the key assumptions used by
management including revenue growth rate,
profitability development and discount rate.
•
We compared management estimates to
available historical information and we tested
the mathematical accuracy of the impairment
calculation.
•
We evaluated the appropriateness of the
group's disclosures in respect of impairment
testing.

Responsibilities of the Board of Directors and the Managing Director for the Financial Statements

The Board of Directors and the Managing Director are responsible for the preparation of consolidated financial statements that give a true and fair view in accordance with IFRS Accounting Standards as adopted by the EU, and of financial statements that give a true and fair view in accordance with the laws and regulations governing the preparation of financial statements in Finland and comply with statutory requirements. The Board of Directors and the Managing Director are also responsible for such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.

In preparing the financial statements, the Board of Directors and the Managing Director are responsible for assessing the parent company's and the group's ability to continue as going concern, disclosing, as applicable, matters relating to going concern and using the going concern basis of accounting. The financial statements are prepared using the going concern basis of accounting unless there is an intention to liquidate the parent company or the group or cease operations, or there is no realistic alternative but to do so.

Auditor's Responsibilities for the Audit of Financial Statements

Our objectives are to obtain reasonable assurance on whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor's report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with good auditing practice will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.

As part of an audit in accordance with good auditing practice, we exercise professional judgment and maintain professional skepticism throughout the audit. We also:

Identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for our opinion. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.
Obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the parent company's or the group's internal control.
Evaluate the appropriateness of accounting policies used and the reasonableness of accounting estimates and related disclosures made by management.
Conclude on the appropriateness of the Board of Directors' and the Managing Director's use of the going concern basis of accounting and based on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may cast significant doubt on the parent company's or the group's ability to continue as a going concern. If we conclude that a material uncertainty exists, we are required to draw attention in our auditor's report to the related disclosures in the financial statements or, if such disclosures are inadequate, to modify our opinion. Our conclusions are based on the audit evidence obtained up to the date of our auditor's report. However, future events or conditions may cause the parent company or the group to cease to continue as a going concern.
Evaluate the overall presentation, structure and content of the financial statements, including the disclosures, and whether the financial statements represent the underlying transactions and events so that the financial statements give a true and fair view.
Plan and perform the group audit to obtain sufficient appropriate audit evidence regarding the financial information of the entities or business units within the group as a basis for forming an opinion on the group financial statements. We are responsible for the direction, supervision and review of the audit work performed for purposes of the group audit. We remain solely responsible for our audit opinion.

We communicate with those charged with governance regarding, among other matters, the planned scope and timing of the audit and significant audit findings, including any significant deficiencies in internal control that we identify during our audit.

We also provide those charged with governance with a statement that we have complied with relevant ethical requirements regarding independence, and communicate with them all relationships and other matters that may reasonably be thought to bear on our independence, and where applicable, related safeguards.

From the matters communicated with those charged with governance, we determine those matters that were of most significance in the audit of the financial statements of the current period and are therefore the key audit matters. We describe these matters in our auditor's report unless law or regulation precludes public disclosure about the matter or when, in extremely rare circumstances, we determine that a matter should not be communicated in our report because the adverse consequences of doing so would reasonably be expected to outweigh the public interest benefits of such communication.

Other Reporting Requirements

Information on our audit engagement

We were first appointed as auditors by the Annual General Meeting on 20.4.2016, and our appointment represents a total period of uninterrupted engagement of 9 years.

Other information

The Board of Directors and the Managing Director are responsible for the other information. The other information comprises the report of the Board of Directors and the information included in the Annual Report, but does not include the financial statements and our auditor's report thereon. We have obtained the report of the Board of Directors prior to the date of this auditor's report, and the Annual Report is expected to be made available to us after that date.

Our opinion on the financial statements does not cover the other information.

In connection with our audit of the financial statements, our responsibility is to read the other information identified above and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the audit, or otherwise appears to be materially misstated. With respect to report of the Board of Directors, our responsibility also includes considering whether the report of the Board of Directors has been prepared in compliance with the applicable provisions.

In our opinion, the information in the report of the Board of Directors is consistent with the information in the financial statements and the report of the Board of Directors has been prepared in compliance with the applicable provisions.

If, based on the work we have performed on the other information that we obtained prior to the date of this auditor's report, we conclude that there is a material misstatement of this other information, we are required to report that fact. We have nothing to report in this regard.

Helsinki, 13 February 2025

Ernst & Young Oy Authorized Public Accountant Firm

Maria Onniselkä Authorized Public Accountant

AI Terminal

SSH Communications Security

3344_10-k_2025-03-05_35e5b3de-b8dd-4de5-9e36-b9709e358231.pdf