Annual Report (ESEF) • Dec 23, 2025
Preview not available for this file type.
Download Source FileUnlocking ourpotential
A global delivery engine asa differentiated and scalable service for clientsaround the world
Find out more: p2
A single technology stack and the opportunity to leverage our scalable full‑circle cyber services
Find out more: p8
A network of partners andstrategic alliances tooptimise solutions forclients
Find out more: p12
NCC Group is a people‑powered, tech‑enabled global Cyber Security and software escrow business. We harness our collective insight, intelligence and innovation to power end‑to‑end cyber services that protect our clients from cyber threat.
1 Highlights for the year ended 30September 2025
2 At a glance
4 Chair’s statement
6 CEO’s review
8 Our business model
10 Market outlook
12 Our strategy
14 Stakeholder engagement
16 Sustainability
29 Risk management
38 Viability statement
40 Financial review
58 Chair’s introduction togovernance
61 Governance framework
62 Board of Directors
64 Board composition and division ofresponsibilities
70 Shareholder engagement
71 Audit Committee report
77 Nomination Committee report
79 Cyber Security Committee report
81 Remuneration Committee report
94 Directors’ report
98 Directors’ responsibilities statement
99 Independent auditors’ report
104 Consolidated income statement
104 Consolidated statement ofcomprehensive income
105 Consolidated balance sheet
106 Consolidated cash flow statement
107 Consolidated statement ofchanges inequity
108 Company balance sheet
109 Company statement ofchanges inequity
110 Notes to the Financial Statements
157 Appendix 1
159 Glossary of terms – other terms
161 Other information
162 Financial calendar
View our latest results: nccgroupplc.com
| Revenue (£m) | 305.4m |
| Profit/(loss) before taxation (£m) | 20.6m |
| Basic EPS (p) | 5.6p |
| Net cash/(debt) excluding lease liabilities 3 (£m) | 13.1m |
| Adjusted operating profit 3 (£m) | 23.7m |
| Adjusted EPS 3 (p) | 4.7p |
IFRS measures 1
Alternative Performance Measures 1
1 The statutory results for the audited year (and the audited prior period of 16 Months to 30 September 2024) present the Group’s Escode business as discontinued operations. Therefore,the tables below show the Group’s continuing operations results, with Escode added back to ensure full comparability of the Group’s performance.
2 Non-core disposals refer to the disposals of Fox-IT Crypto and Fox DetACT. The disposal of Fox-IT Crypto and Fox DetACT completed on 28 March 2025 and 30 April 2024 respectively.
3 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
| 305.4 | 429.5 | 335.1 | 23 | 25 | 24 | 23 | 25 | 24 | 20.6 | (27.5) | (4.3) | 23 | 25 | 24 | 5.6 | (10.4) | (1.5) | 23 | 25 | 24 | (49.6) | 13.1 | (45.3) | 23 | 25 | 24 | 23.7 | 16.6 | 22.3 | 4.7 | 2.8 | 3.4 | 23 | 25 | 24 | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
1
We give organisations the legal right and practical means to access, rebuild, and maintain business‑critical software and intellectual property when a supplier is no longer able tosupport it.# Our independent escrow and verification services support organisations in four key ways:
For more information visit our Escode website: escode.com
Protecting today. Shaping tomorrow. Creating a more secure digital future. NCC Group is a leading global Cyber Security and resilience company, trusted for over 25 years by leading businesses and governments. With roots in offensive security and defence, and a heritage built on research and threat intelligence, we uncover thousands of risks each year, bringing deep insight into vulnerabilities, attack patterns and adversary behaviours. With significant market presence in the UK, Europe, North America and Asia Pacific we deliver full-spectrum cyber resilience to governments and businesses to protect what matters most – the cars we drive, the energy in our homes, and the phones in our pockets, and critical infrastructures worldwide. We build resilience and deliver impactful, forward-thinking solutions that help create a safer digital future. For more information visit our Cyber Security website: nccgroup.com
We are NCC Group plc
* Leaders in regulatory and complex testing
* Managed Security including MXDR
* Digital Forensics and Incident Response
* Consultancy and Implementation
* Escrow agreements for both cloud and on-premise
* Testing and verification services
Founded in 1999, we are a global leader in cyber security and business resilience. Our colleagues are relied upon by the world’s leading companies and governments to help them manage risk, strengthen resilience and build lasting trust. Against a backdrop of continued, fast-paced technological change and increasing interconnectedness, we help companies to manage risk and face into the future with confidence. NCC Group has two main divisions: a people-powered, tech-enabled Cyber Security company (nccgroup.com), and a market-leading IP and software escrow business, Escode (escode.com). Working together with our clients, we create a more secure digital future.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
2
We operate as one global business, with in-country delivery tailored to local needs and cultures, as well as a global delivery team to respond quickly to our clients’ challenges.
Our offices
We have a significant market presence in the UK, Europe and North America, and a growing footprint in Asia Pacific, with offices in Australia and Singapore, and the Philippines.
Group revenues
| Region | Revenue (£m) | 2024 Revenue (£m) |
| :----------------- | :------------ | :---------------- |
| UK and Asia Pacific | 163.8 | 209.8 |
| North America | 89.6 | 136.2 |
| Europe | 52.0 | 83.5 |
Cyber Security revenue
| Service Area | Revenue (£m) | 2024 Revenue (£m) |
| :--------------------------------- | :----------- | :---------------- |
| Technical Assurance Services (TAS) | 88.4 | 141.4 |
| Consulting and Implementation (C&I)| 48.5 | 55.2 |
| Managed Services (MS) | 76.4 | 91.8 |
| Digital Forensics and Incident Response (DFIR) | 13.1 | 20.6 |
| Other services | 12.5 | 33.1 |
Escode revenue
| Service Area | Revenue (£m) | 2024 Revenue (£m) |
| :------------------ | :----------- | :---------------- |
| Escrow contracts | 43.0 | 57.2 |
| Verification services | 23.5 | 30.2 |
1 2024 represents the 16 month period ended 30 September 2024 (audited).
Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025
3
As a result of this decision, we announced in July 2025 that we had started to explore options for our Cyber business should the Escode sale proceed. This was about looking ahead and anticipating what our people, our clients and shareholders will need in years to come, and we believe it is right that we keep all options open.
In May we hosted a unique experience for shareholders, analysts and partners, demonstrating our ongoing commitment to transparency and engagement. Guests were invited to step into our world and experience first-hand decisions that management teams must make in response to cyber threats. It was a powerful reminder of the trust our clients place in us, and of course the expertise and dedication that runs through every part of our business. These moments of connection, where we open our doors and share our story, are vital. They build understanding, foster trust and remind us all of the critical role NCC Group plays in keeping our digital world safer and more secure. I’m proud that we’ve continued to strengthen our relationships with clients, focusing on strategic partnerships that go beyond transactions, which you’ll see from Mike’s review on pages 6 and 7. Our teams work tirelessly to understand the evolving needs of our clients, offering not just technical solutions but genuine partnership and support. In a world where digital risks are ever-present, our role as a trusted advisor has never been more important.
If there is one thing that stands out year after year, it is the extraordinary commitment and talent of our people. The pace of change has been relentless, and yet our colleagues have responded with professionalism and creativity, focused on our client’s needs. Whether adapting to new ways of working, supporting clients through complex challenges, or driving innovation from within, our teams have shown what is possible when we pull together. Our investment in people is matched by our commitment to sustainability and responsible business. As we nurture talent and foster a positive culture, we also strive to make a meaningful impact on the environment and society. Our Manila operations have gone from strength to strength, bringing new perspectives and capabilities to our global front and back-office teams. I am proud of the progress we have made, but even more excited about what lies ahead.
We continue to make bold decisions as we navigate the changing landscape all businesses are operating in. I’m proud of the way the management team and the wider Group embrace these as opportunities to continue to grow and strengthen the overall business. In March 2025, we completed the sale of the Fox-IT Crypto business for a gross consideration of £65.6m, a milestone that not only reflects our commitment to simplifying the Group’s proposition, deriving great value to our shareholders and reducing net debt, but also our willingness to evolve in a rapidly shifting digital landscape. And this commitment continued as we announced in April 2025 that we were exploring a range of strategic options for our Escode business, including a potential sale (Escode review). The decision is one that was not taken lightly by the Board. The Board will provide updates as and when it is practicable and appropriate to do so. If a sale of Escode were to be successfully concluded, the Group would become a focused, people-powered, tech-enabled global Cyber Security business. It would also enable the Board to consider a significant return of capital to shareholders over and above the recently announced initial share buy-back programme.
Chris Stone
Non-Executive Chair
When I reflect on the past year at NCC Group, I am reminded that progress is rarely linear. It is shaped by the challenges we face, the decisions we make, and – most importantly – the people who come together to move us forward. This year has been a testament to the resilience, adaptability and shared purpose that defines our Group. And I want to begin by expressing my heartfelt thanks to every colleague, client and shareholder, as well as our partners, who continue to be a part of our journey.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
4
This year, we took significant steps forward on our climate action agenda, responding to changing requirements and also client requests. We published our Carbon Reduction Plan, developed in partnership with Positive Planet, which sets out our path to net zero and commits us to ambitious, science-based targets. We are on track to achieve SBTi verification by March 2026 and will update our plan to reflect our progress. Our partnership with Positive Planet led to the creation of a bespoke Carbon Literacy Training programme, and I am delighted that my fellow Board member Lynn Fordham was among the first to achieve certification. We are now working towards verification of our science-based targets, a further demonstration of our commitment to collaborating with other businesses to reduce our impact on the environment and will update the Carbon Reduction Plan in early 2026. This holistic approach to sustainability is reflected in our governance practices. The Board remains focused on upholding the highest standards and ensuring that our values are embedded in every decision we make, and you can read more about our progress on this from page 58.
The Board has played an active and engaged role, providing challenge, support and guidance as we continue to navigate this critical time for the Group. We are committed to upholding the highest standards of governance, ensuring that our decisions are grounded in integrity, transparency and a long-term perspective. Our focus has been on supporting the management team, overseeing strategic reviews and ensuring that the interests of all stakeholders are represented. We have also continued to review and strengthen our governance practices, learning from best practice and adapting to the evolving needs of our business.# Strategic report
As we reflect on FY25, I want to begin by recognising the continued commitment and expertise of our colleagues across the globe. The work they do for clients is extraordinary and they have continued to demonstrate their resilience and adaptability navigating change and at times an uncertain economic environment. Our purpose – to create a safer digital future – remains at the heart of everything we do, and our progress this year is a testament to the strength of our people and the trust our clients place in us.
This includes ongoing engagement with our shareholders, listening to their views and incorporating their feedback into our decision making. Looking to the future With strong foundations in place – strategic clarity, stakeholder trust, empowered people and robust governance – we are well positioned to embrace the future with confidence. We are continuing to build strategic client relationships, scan the market for smart acquisition opportunities and focus on operational efficiencies that will make us stronger and more agile. Our partnerships are deepening, our Manila office is flourishing and our global teams are united by a shared sense of purpose. I am confident that we have the right people, the right strategy and the right values to succeed. Together, we are building a stronger, more resilient NCC Group – one that is ready to seize the opportunities of tomorrow.
Reflecting the Board’s continued confidence in the future prospects of the Group and the strength of the Balance Sheet, regardless of the outcome of the Escode review, we announced in October 2025 our intention to commence an initial share buy-back programme. This will be carried out utilising our current shareholder authority and in accordance with our capital allocation policy, and relevant legal and regulatory obligations. It was also noted that the initial share buy-back programme would not launch before 11 December 2025.
During the year, total dividends of £19.0m were paid (2024: £14.5m), an increase due to the change in our year end and the additional dividend we gave for the four month period to 30 September 2024. The Board is proposing an unchanged final dividend of 3.15p per ordinary share for the year ended 30 September 2025, as it remains mindful of the continued need to invest in the Group’s strategy, marking 20 consecutive years of dividend payments for shareholders. The final dividend will be paid on 10 April 2026, subject to approval at the AGM on 3 March 2026, to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026. Our existing dividend policy will remain unchanged by any share buy-back programme noted above.
In closing, I want to thank everyone who has been part of our journey this year. To our colleagues: your dedication, creativity and resilience inspire me every day. To our clients: thank you for your trust and partnership. And to our shareholders: thank you for your continued support and belief in our vision. We do not take any of these relationships for granted. As we move forward, we will continue to listen, learn and adapt – always with the goal of creating lasting value for all our stakeholders.
Chris Stone
Non-Executive Chair
11 December 2025
Poorly maintained access control processes are among the leading causes of cyber breaches and regulatory non-compliance. Up to 80% of security incidents involve compromised credentials and insufficient safeguards, giving attackers the keys to infiltrate networks, steal sensitive data, and disrupt operations. The cost? Millions in lost revenue, reputational damage, regulatory penalties, and recovery downtime. AI and autonomous agents amplify identity risks by increasing access across systems, making an already complex task even more challenging. We help our clients manage every aspect of Identity and Access Management (IDAM), ensuring human and non-human accounts are governed, monitored, secured, and maintained across the entire lifecycle. With NCC Group’s expertise and strategic partnerships, you gain resilience, confidence, and continuity so you can focus on what matters most: running your business securely.
As a B2B service provider, demand for many of our services reflects the macro-economic cycle and the confidence of our clients to invest. During the year this cycle and the geopolitical environment remained complex, particularly in the first half. We saw this reflected in cautious client behaviour, which naturally lengthen sales cycles. Despite these headwinds, demand for cyber resilience and regulatory assurance continues to grow, particularly in highly regulated sectors such as financial services, healthcare and businesses running critical infrastructure. Our clients are increasingly seeking expert-led, end-to-end solutions that address the full spectrum of cyber risk – from Identity and Access Management to Operational Technology security and Managed Detection and Response. Our differentiated capabilities, global delivery and strategic alliances with leading technology partners position us strongly to meet these needs.
As expected, we saw Group revenue for FY25 decline by 2.6% on a constant currency basis (excluding non-core disposals), with Escode delivering growth on a constant currency basis of 2.2% and Cyber Security declining on a constant currency basis by 4.0% when compared to the previous 12 months. Importantly, as I reflect on all of this, half-to-half performance was markedly stronger with revenue performance improving in the second half, a reflection of the positive impact of our strategic focus and operational discipline together with the strong order book we indicated in our December 2024 results. Gross margins (excluding non-core disposals) overall strengthened to 44.5% with Escode margin reaching 71.4% and Cyber Security broadly flat at 36.6%. Adjusted EBITDA (excluding non-core disposals) was in line with Board expectations and amounted to £40.6m when compared to the previous 12 months. Our Balance Sheet remains robust, with net cash of approximately £13m at year end, a marked improvement from the net debt of £79.6m as at 31 May 2023 and now providing a strong foundation for future investment and capital returns.
We continued to strengthen our business in FY25 with management action focused on strategic change to build the necessary technical capability in cyber and to strengthen our commercial organisation in both the Escode and Cyber Security businesses.
FY25 has been a year of disciplined execution against the strategy we originally established back in 2023 to transform and reshape the Group. We have made significant progress to simply the Group and built our two distinct businesses – Cyber Security, with Managed Services at the centre, and Escode, our software escrow service. We have improved profitability, materially reduced and eliminated net debt, and repositioned the Group’s portfolio around core, scalable activities. More timely and granular financial and operational information has strengthened decision making, however there is more work to do. A major event this year was the successful sale of our Fox-IT Crypto business in March 2025 that strengthened our Balance Sheet, providing us with the financial flexibility to invest in growth, while removing the management distraction of a non-core business. In April 2025, the Group confirmed that it was investigating several options for its Escode business, including a potential sale. The Board will provide updates as and when it is practicable and appropriate to do so. If a sale of Escode were to be successfully concluded, the Group would become a focused, people-powered, tech-enabled global Cyber Security business. It would also enable the Board to consider a significant return of capital to shareholders over and above the recently announced initial share buy-back programme. Our investments in new capabilities such as Operational Technology and Digital Identity have allowed us to win further strategic projects during the year. Our global operating model, including our expanding office in Manila with exceptional cyber and operational talent, has enabled us to scale, win more opportunities and serve clients more efficiently. We will continue to invest in our people, technology and strategic partnerships – underpinned by our leading intelligence, innovation and insight, we remain at the forefront of an evolving cyber threat landscape.
Mike Maddison
Chief Executive Officer
For decades, we’ve developed thousands of cyber experts and explored emerging technologies. Now, as a global, client‑focused business, we continue to evolve, delivering groundbreaking projects for leading companies and governments. Our collective expertise sits at the forefront of cyber resilience, shaping a more secure digital future. Read more on market outlook on pages 10 and 11
In a fast-moving and complex environment, our strategy puts clients’ needs first, with a roadmap of investments designed to develop future capabilities and a global delivery model to provide clients with thebest solution.
We are a diverse global community of talented and creative individuals, working together and united by the same goal – to create a more secure digital future.
With our roots stretching back to the 1990s we haveatrack record of being at the cutting edge of innovation. NCC Group was created in 1999 when the National Computing Centre sold its commercial divisions to its existing management; from there we continued to grow through acquisitions. And while history is important, so is the future, with innovation, insights and intelligence the drivers of differentiation and woven into the DNA of who we are.
We are active members of the global cyber community, working in collaboration and in partnership with key industry players. Many successful global partnerships have delivered integrated, seamless solutions to clients.
We’re recognised by leading analysts for excelling inour understanding of CISO needs, building strong partnerships with clients and being called to solve complex problems.
For more information visit our Cyber Security website: nccgroup.com
For more information visit our Escode website: escode.com
Read more on our strategy on pages 12 and 13
As a leading global Cyber Security services company we are trusted to protect what matters most – the cars we drive, the energy in our homes, and the phones in our pockets, and critical infrastructures worldwide. With roots in deep offensive security and defence and a heritage built on research and threat intelligence, we deliver full-spectrum cyber resilience to governments and businesses. From tracking threat actors and uncovering vulnerabilities to responding to ransomware, we don’t just defend, we are actively building a more secure digital future. Through our end-to-end cyber capabilities, we empower organisations to counter threats, manage disruption and navigate regulations with confidence.
We provide specialist escrow and verification solutions for business‑critical IP, technology and software applications. Our services help companies and government organisations manage supplier risk, sustain business continuity and give confidence that essential third party software can be accessed and redeployed when required. Our cloud services bring clarity to application management, making the transition to the cloud straightforward and controlled.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 8
Our people are leading the industry with innovative solutions protecting clients and society from growing cyber threats. As a people-powered, tech‑enabled organisation, our talent strategy builds future-ready skills, strengthens leadership and fosters an inclusive culture ofhigh performance, aligned with our business goals.
pricing tools • Have fully separated Fox DETACT and Fox Crypto These actions are already delivering results, an improved sales pipeline visibility, deeper client engagement and a positive shift in revenue mix towards higher value, recurring contracts. We remain focused on further evolving our sales model to ensure stronger linkage between sales execution and service delivery, and to drive deeper penetration in our priority sectors globally: financial services, insurance, healthcare, industrials, and the public sector.
The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. Regulatory momentum has intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act, which came into force in December 2024 and the UK’s AI Cyber Security Code of Practice will embed secure-by-design requirements up through the software supply chain, while NIS2, DORA and sector-specific requirements in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by similar requirements in the US, Australia and APAC, signalling a global consensus for higher standards. Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group’s recognised contribution to the UK government’s AI and CRA initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services.
The worldwide shortage in qualified cyber security professionals is both widening and coming more acute. This structural gap is most evident in highly specialised skills, including advanced testing, Operational Technology, and Identity and Access Management disciplines. This is expected to drive outsourcing to third party Cyber Security services. Clients need around-the-clock expert coverage without inflating their cost base as a cost of employment and our global delivery hubs meet this need. Additionally, the strong reputation that we have among cyber professionals positions us to attract the best talent using our academy/ training ability to further expand and strengthen this talent base.
The combination of hybrid working and using personal devices at work has shifted the security perimeter from the edge of the Enterprise network to the individual user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2, the EU’s updated cyber security directive and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations.
Lastly, the attack surface is expanding and becoming more complex, with cloud migrations accelerating, SaaS solution proliferation and AI adoption continuing, as well as early discussions ongoing regarding the potential implications of quantum computing. Each new platform expands the potential for malicious attacks and reinforces the need for security to be embedded earlier into development pipelines. Demand is therefore rising for secure-by-design assessments, supply chain software assurance and Managed Extended Detection and Response (MXDR) coverage that spans traditional IT, cloud and OT environments. The breadth of clients we serve across industries, geographies and IT and OT environments has allowed us to build unique IP to help clients secure this expanding attack surface.
Looking ahead, we remain confident in our strategy and the medium-term growth prospects for both businesses. While we expect the current challenging economic conditions to endure in the near term, our pipeline is building, and we anticipate a return to Cyber Security revenue growth in FY26 as our continued transformation delivers further benefits to both our competitive positioning and stakeholders.
On 28 April 2025, the Board confirmed that it was investigating a number of options for its Escode business including a potential sale (Escode review). We currently remain in that process and we will provide a further update in due course. Further to a subsequent announcement on 16 July 2025, the Board confirms that the Group remains in the early stages of a review of all strategic options for its Cyber business should the Escode business be sold, this includes a range of potential outcomes including potential offers for the entire issued and to be issued share capital of the Company, and that no decision has been made regarding which options will be pursued.
Our focus remains on operational excellence, innovation and supporting existing and new clients as they navigate an increasingly complex digital threat landscape. In closing, I would like to thank our colleagues, clients and partners for their continued trust and support. Together, we are building a stronger, more resilient NCC Group, well positioned for sustainable growth and long-term success.
Mike Maddison
Chief Executive Officer
11 December 2025# NCC Group plc — Annual report and accounts for the year ended 30 September 2025
We’re committed to helping every colleague thrive – through inclusive practices, targeted development and a focus on colleague experience – driving commercial success through empowered, engaged teams. Read more on our sustainability strategy: nccgroupplc.com/sustainability
Our cyber security and software escrow solutions enable clients to confidently innovate and embrace new technologies, and build responsible, sustainable and resilient organisations that thrive and succeed.
We’re the collaborators, the co-ordinators, the conveners, and you will find us bringing together our global community to drive our industry forward and create a more secure digital future. We invest 1,100 days of research each year and engage proactively to ensure our insights and vision deliver the best societal outcomes, bringing partners together in support of our clients as well as policymakers and regulators to help shape future cyber policy.
We have a dedicated Investor Relations programme providing shareholders and financial analysts with regular updates on our performance. Engagement activities include results presentations, roadshows with the CEO and CFO, Capital Markets events, site visits, RNS and email updates. Read more on stakeholder engagement on pages 14 and 15.
Establish legal right
Knowledge transfer
Deposit
Manage
Scenario test
Secure storage
Release
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 9
The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. We remain confident our transformation strategy will deliver growth underpinned by the range of services, geographic coverage, and breadth and depth of offering.
Cautious client behaviour and the lengthening sales and onboarding cycles reported in December 2024 have impacted our first half results. This is also against a backdrop of macro-economic uncertainty, IT and security budgets being under scrutiny and competitive pricing.
We continue to see cyber resilience elevated as a core business risk agenda item to the C-suite as opposed to a purely IT consideration. Cyber continues to be elevated as a core business risk for boards, as opposed to just an IT consideration. This pivot is most evident in highly regulated verticals – financial services, healthcare, government and critical infrastructure – where regulatory scrutiny and heightened director liability is driving materially larger, multi-year security programmes.
Within Operational Technology (OT) in particular, full risk reviews and resilience roadmaps are being commissioned as the potential business interruption cost of an OT outage becomes clearer. Our global delivery model ensures that these international operators can obtain expert support around the clock, irrespective of time zone or geography. Strategically, our global delivery engine is a differentiated and scalable service that enables us to be competitive.
Ransomware remains widespread and we have seen a marked uplift in AI-enabled phishing and double extortion campaigns, including the more recent high profile retail sector cases in the UK. This evolving threat landscape is leading organisations to favour Managed (Extended) Detection and Response (MDR/MXDR) solutions that provide continuous monitoring across endpoint, cloud, identity and OT telemetry. In addition, businesses are requesting OT-specific MDR to counter the increase in attacks against industrial control environments.
NCC Group named ‘Strong Performer’ in the 2025 Forrester assessment of European MDR providers: tinyurl.com/5n8rc9uc
Regulatory momentum intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act and UK’s software and AI security Codes of Practice will drive secure-by-design requirements up the supply chain, while NIS2, DORA and sector-specific mandates in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by comparable moves in the US and APAC, signalling a global consensus for higher standards.
Read our leading Global Cyber Policy Radar: tinyurl.com/522my5vc
Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group’s recognised contribution to the UK government’s cyber resilience initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services. The UK Government’s Industrial Strategy calls out NCC Group as a company exporting world‑leading cyber solutions: tinyurl.com/yefadasr
The worldwide shortfall in qualified cyber security professionals continues to become more acute. This structural gap is most evident in highly specialised skills, including advanced testing, OT and Identity and Access Management disciplines. This is expected to drive outsourcing to third party Cyber Security services. Clients are relying on our global delivery hubs to ensure around-the-clock expert coverage without inflating their cost base as a cost of employment. Additionally, the strong reputation that we have among cyber professionals positions us to attract talent more easily than our competitors, with our academy/training ability allowing us to further expand and strengthen this talent base.
Hybrid working and personal device policies have shifted the security perimeter from the edge of the Enterprise network to the user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2 and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 10
Between December 2024 and February 2025, NCC Group’s OT/IT Cyber Safety Webinar series explored the critical intersection of IT and OT cyber security convergence and the safety considerations in industrial environments, addressing the unique challenges and opportunities that arise when legacy operational technologies meet modern digital systems amid rising cyber threats.
Watch our YouTube video series here: tinyurl.com/4c6s96tm
Lastly, the attack surface is expanding, with cloud migrations accelerating, SaaS proliferation and AI adoption continuing, and early discussions ongoing regarding the implications of quantum computing. Each new platform expands the potential for malicious attacks and reinforces the need for security to be embedded earlier into development pipelines. Demand is therefore rising for secure-by-design assessments, supply chain software assurance and MXDR coverage that spans traditional IT, cloud and OT environments.
The breadth of clients we serve across industries, geographies and IT and OT environments has allowed us to build unique IP to help clients secure this expanding attack surface.
NCC Group’s 1000+ respondent survey reveals the critical issues driving supply chain security in 2025
Read more: www.nccgroup.com/the-state-of-supply-chain-security
| Key | 2018 | 2019 | 2020 | 2021 | 2022 | 2023 | 2024 | 2025 | 2017 |
|---|---|---|---|---|---|---|---|---|---|
| WannaCry | |||||||||
| NotPetya | |||||||||
| Political recognition of market failure in Cyber Security | |||||||||
| Period of heightened legislative and regulatory activity to “make up for lost ground” | |||||||||
| Commencement of enforcement actions | |||||||||
| Inflection point: the future trajectory is yet to be set in stone | |||||||||
| Legislative intervention | |||||||||
| Scattered Spider | |||||||||
| Synnovis | |||||||||
| EU NIS | |||||||||
| EU GDPR | |||||||||
| Australia Security of Critical Infrastructure Act | |||||||||
| Singapore Cybersecurity Act | |||||||||
| EU Cybersecurity Act | |||||||||
| UK Product Security and Telecoms Infrastructure Act | |||||||||
| US sector regulations | |||||||||
| UK Telecoms Security Act | |||||||||
| EU NIS2 | |||||||||
| EU Cyber Resilience Act | |||||||||
| Australia Cybersecurity Act | |||||||||
| UK Cyber Security and Resilience Bill | |||||||||
| Regulatory settlement or equilibrium as cyber rules reach saturation, and increased mandated baseline forms part of “cyber toolbox” in 21st century | |||||||||
| Continued increase of volume of cyber rules and regulations, e.g. ransomware payment bans, mandating Cyber Essentials, etc. | |||||||||
| Reduction in regulatory requirements in the name of growth, competitiveness and innovation |
© 2025 NCC Group. All rights reserved. Please see www.nccgroup.com for further details. No reproduction is permitted in whole or part without written permission of NCC Group. This content is for general purposes only and should not be used as a substitute for consultation with professional advisers.
The NCC Group Cyber Security regulations maturity curve
© 2025 NCC Group. All rights reserved. Please see www.nccgroup.com for further details. No reproduction is permitted in whole or part without written permission of NCC Group. This content is for general purposes only and should not be used as a substitute for consultation with professional advisers.# NCC Group plc — Annual report and accounts for the year ended 30 September 2025
Our strategy
| Strategic priority | Progress in FY25 | Future outlook | Link to risks: Read more on our risks on pages 29 to 37 |
|---|---|---|---|
| Our clients | Deeper client engagement on the most pressing Cyber Security and software escrow needs • Appointed a CCO to align the global go-to-market strategy with overall business objectives • Hired new Market Leads to drive and implement regional strategies • Redefined the global markets organisational structure to support growth and enhance sales performance • Streamlined internal processes to sharpen focus on clients and execution of the go-to-market strategy | • Drive deeper penetration in financial services, insurance, healthcare, industrials and public sector globally • If the potential sale of Escode does not occur, we will continue scaling Escode with a focus on critical infrastructure and regulated sectors • Evolve Cyber Security sales model to ensure stronger linkage between sales execution and service delivery | A Strategy B Cyber and information security D People and partners E Market and competition F Brand and reputation G Quality and delivery H Legal, regulatory compliance and governance |
| Our proposition | Offering a broader service portfolio addressing the full Cyber Security lifecycle • Strengthened our Managed Services business by expanding client adoption of our MXDR platform and adding enhanced detection and response capabilities • Built momentum in Digital Identity and Operational Technology practices, winning new client mandates • Continued to leverage technology partnerships to extend our propositions and global reach • Drove margin improvement within Technical Assurance, particularly in North America, through delivery model optimisation | • Accelerate Managed Services growth and further differentiate our MXDR proposition • Continue scaling Digital Identity and Operational Technology practices into core markets • Build repeatable propositions and intellectual property across Consulting and Implementation to improve delivery efficiency and client impact | A Strategy B Cyber and information security C Innovation and product development D People and partners E Market and competition F Brand and reputation G Quality and delivery H Legal, regulatory compliance and governance |
| Global delivery | Transitioning from an international to a fully global business • Rolled out global scheduling tool (Kantata) across all key regions, improving resource visibility and planning • Manila office scaled significantly, now an established hub for delivery and enabling functions • Introduced new ways of working within global delivery to improve efficiency and management information (MI) for decision making | • Continue embedding global delivery model to enhance utilisation and efficiency • Leverage shared service hubs for scalable and cost effective delivery • Develop global KPIs and dashboards to drive consistent performance management across regions | A Strategy B Cyber and information security D People and partners G Quality and delivery |
| Brands | Creating distinct and relevant brands for our Cyber Security and Escode businesses • Launched a distinct brand refresh for NCC Group Cyber Security business while establishing and embedding Escode • Celebrated 25 years of cutting-edge research and delivered market-leading thought leadership such as our monthly Threat Intelligence series and global Cyber Policy Radar • Recognised by leading industry analysts such as Forrester, Gartner and IDC citing our ability to solve complex security challenges with trusted CISO partnerships | • Build on increasing media share of voice (SoV) and continue to grow thought leadership, research activity and industry engagement in cyber • Become the go-to Cyber Security and business resilience advisor to C-suite and boards | A Strategy C Innovation and product development E Market and competition F Brand and reputation G Quality and delivery |
View our financial results: www.nccgroupplc.com/investor-relations/results-media
Progress in FY25
Future outlook
Link to risks: Read more on our risks on pages 29 to 37
Our clients
Deeper client engagement on the most pressing Cyber Security and software escrow needs
Streamlined internal processes to sharpen focus on clients and execution of the go-to-market strategy
Drive deeper penetration in financial services, insurance, healthcare, industrials and public sector globally
A Strategy B Cyber and information security D People and partners E Market and competition F Brand and reputation G Quality and delivery H Legal, regulatory compliance and governance
Our proposition
Offering a broader service portfolio addressing the full Cyber Security lifecycle
Drove margin improvement within Technical Assurance, particularly in North America, through delivery model optimisation
Accelerate Managed Services growth and further differentiate our MXDR proposition
A Strategy B Cyber and information security C Innovation and product development D People and partners E Market and competition F Brand and reputation G Quality and delivery H Legal, regulatory compliance and governance
Global delivery
Transitioning from an international to a fully global business
Introduced new ways of working within global delivery to improve efficiency and management information (MI) for decision making
Continue embedding global delivery model to enhance utilisation and efficiency
A Strategy B Cyber and information security D People and partners G Quality and delivery
Brands
Creating distinct and relevant brands for our Cyber Security and Escode businesses
Recognised by leading industry analysts such as Forrester, Gartner and IDC citing our ability to solve complex security challenges with trusted CISO partnerships
Build on increasing media share of voice (SoV) and continue to grow thought leadership, research activity and industry engagement in cyber
We are a people-powered, tech-enabled business. Our colleagues worldwide all play a vital role in creating a more secure digital future. Their expertise, commitment and innovation drive our success.
We’re committed to creating an environment where every colleague can thrive and contribute meaningfully. This means:
Strong engagement underpins our inclusive, high performance culture. Listening and acting on feedback is central to how we operate.
Rooted in our sector knowledge, we develop solutions tailored to the unique needs of our clients. Bringing our in-depth understanding of the threat and regulatory landscape, we assist our clients in addressing their complex cyber security challenges.
Investing in stakeholder engagement
We have a responsibility to listen to our stakeholders, understand their priorities and apply insights and learning to guide how we make important decisions.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 14
Link to strategy: Our clients
Our proposition
Global delivery
Differentiated brands
We engage with many different suppliers across our global business and value the critical role our supply chain plays in supporting responsible business operations. Our procurement operations are maturing in line with industry best practice and we proactively work with an optimised supply chain network to drive competitive advantage through accessing innovation, delivering commercial value and managing risk.
Our expertise plays a pivotal role in shaping evidence-based policy decisions and convening the cyber community. We proactively engage, contribute to public-private partnerships and harness our experience and insights to contribute meaningfully towards a more secure digital society.
We are committed to engaging with our shareholders, creating an opportunity to understand our business, the market, how we are responding and the opportunity to deliver sustainable growth.
Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 15
P e o p l e l e d , t e c h n o l o g y e n a b l e d
We strive for a resilient future through sustainable business practices, and take responsibility for identifying and managing the impact we have on people and the planet.# Sustainability
We can only lead with our purpose through our greatest asset, the exceptional people we employ. They are at the forefront of our industry, developing solutions that protect our clients and society from the growing threat of cyber crime.
Our desire to improve the world we live in is encapsulated in our purpose. Embedding responsible business into our everyday activities is central to achieving this aim.
Taking urgent action to combat climate change and its impacts supports our purpose. Decarbonising our business and embedding climate considerations into our commercial offering are crucial elements in our support for the net zero transition.
Read our Sustainability Report: nccgroupplc.com/sustainability
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
16
Sustainability is about doing the right thing in the right way, and this is reflected in our Code of Ethics and embedded into our everyday ways of working. It’s important to our clients, who trust us to help secure their digital assets; it’s important to our colleagues, who are critical to the value we bring to our clients; and it’s important to our shareholders, who entrust their investments to NCC Group, relying on us to deliver returns to their shareholders. It also matters to our political stakeholders who turn to us for trusted and independent advice and insights that improve cyber rules and regulations around the world.
We live in a rapidly evolving digital world, where the concept of sustainability extends to how we operate in totality. Not only are we supporting our clients to meet their governance requirements through our cyber security and escrow solutions, we are also helping to advance technologies that are at the forefront of fighting climate change, as well as other UN Sustainable Development Goals. This means systems, networks and infrastructures need to be resilient, secure and long lasting.
Cyber Security and sustainability are inherently intertwined, which means cyber threats pose a significant risk not only to individual businesses but to our very way of life too. The decisions we make today have far-reaching implications for the future.
As our lives become more digitally interconnected, the risk landscape broadens. From smart homes to smart cities, from online banking to telehealth services, from power grids to water supplies – they all rely on complex digital infrastructures. If these systems are compromised, the repercussions can be devastating. Hence, securing these infrastructures is an essential part of ensuring a sustainable future.
Our ability to protect against cyber threats, through the work we do for our clients, plays a pivotal role in guaranteeing that our world remains functional, reliable and consistent for generations to come. Indeed, we believe strongly that we can’t build a resilient economy without resilient cyberspace, and we can’t have a resilient cyberspace without 21st century laws and an infrastructure to tackle cyber threats, which is why we share our expertise with policymakers to improve cyber rules and regulations meaningfully.
While the primary focus of our industry has always been about security, we recognise our operations have a broader environmental and societal impact. Our sustainability framework has two core tenets focused on people and the planet, underpinned by being a responsible employer and supply chain partner. This framework is the foundation to start making tangible progress in addressing material topics for our stakeholders. We believe that this is a journey, not a race. We place sustainability at the heart of our strategy – not just securing the digital world, but securing the future for ourselves and for generations to come. We invite our stakeholders to join us, working together to build a future that is not only secure but also sustainable.
If we are to meaningfully reduce our carbon footprint we need to engage our stakeholders in the conversation. Building on our partnership with Positive Planet, and as part of developing our Carbon Reduction Plan, we designed and had certified our own Carbon Literacy Training programme. This certified, one-day programme will enable us to build knowledge around the business of what the climate crisis is, and what we can do individually and collectively to take action to reduce the impact we have. The first cohort of delegates on this course included Lynn Fordham, our Non-Executive Director responsible for Sustainability; Guy Ellis, Chief Financial Officer; and Michelle Van de Velde, Chief People Officer, along with senior members of the procurement, communications and marketing, HR and sales and technical delivery teams. Over 400 colleagues have signed up to undertake the course, and we have developed our own certified in-house training capability to do this.
VIEWPOINT
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
17
View our Sustainability Report: nccgroupplc.com
The following table provides readers with an index of where to further find relevant non-financial information within this Annual Report and Accounts, in line with the Financial Reporting Directive requirements contained in sections 414CA and 414CB of the Companies Act. Where relevant, additional information is signposted to further support the requirements.
The Group considers that it complies with the disclosure requirements under section 414CB(2A) of the Companies Act 2006 and has included climate-related financial disclosures that are partially consistent with the TCFD recommendations.
| Reporting topic | Policies and standards which govern our approach | Annual Report and Accounts section reference | Page | Website resources |
|---|---|---|---|---|
| Climate-related disclosures | • Environmental policy | 22 | 29 | • Sustainability Report • TCFD Report |
| • Sustainability Report | 14 | • Streamlined Energy and Carbon Report | ||
| Colleagues | • Whistleblowing policy | 14 | 81 | • Sustainability Report • Stakeholder Engagement • Remuneration Committee Report • Culture |
| • Code of Ethics | 19 | • Sustainability Report | ||
| • Disciplinary Policy | ||||
| • Grievance Policy | ||||
| Social and community matters | • Modern Slavery Statement | 14 | • Sustainability Report • Stakeholder Engagement | |
| • Code of Ethics | • Sustainability Report | |||
| • Supply chain Code of Conduct | ||||
| • Giving back policy | ||||
| • Matched funding policy | ||||
| Respect for human rights | • Modern Slavery Statement | 14 | 19 | • Sustainability Report • Stakeholder Engagement • Culture |
| • Data privacy policy | • Sustainability Report | |||
| • Global equal opportunities and diversity policy | ||||
| Anti-bribery and corruption | • Anti-bribery and corruption policy | 71 | • Sustainability Report • Audit Committee Report | |
| • Gifts and entertainment policy | • Sustainability Report |
For information on our business model please see pages 8 and 9. For full details of the Group’s principal risks see pages 29 to 37.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
18
At NCC Group we embrace difference and are connected by our purpose to create a more secure digital future. Across our global operations we form a phenomenal network, working together, collaborating and innovating to support our clients. We are guided by our Code of Ethics and our values, which define our behaviours – treating everyone and everything with respect. This is the foundation of our culture, and we strive to create an environment where everyone is welcome, feels safe and can be successful.
As of 30 September 2025, we have 2,073 colleagues (including contractors) across the world supporting our clients, made of three core groups – Sales, Delivery and Enabling Functions. Circa 98% of colleagues are permanent and the remainder are contractors to provide support on projects.
We want everyone here to feel safe – psychologically, emotionally and physically – so they can be themselves, share their experiences and have equal opportunities to succeed. Our team reflects the diversity of the world around us, and this is how we live our values: working together and being brilliant.
We acknowledge our opportunities to contribute to diversity in the technology sector, with inclusion and diversity principles incorporated into our hiring and talent management processes.# Strategic report
Innovation and continuous learning are central to NCC Group’s culture, supported by investments in skill development and leadership growth, fostering personal and professional development through structured programmes and new digital platforms to enhance colleague capabilities globally. We combine on-the-job learning, mentoring, self-study and formal training with personal development plans, supporting colleagues to gain certifications and advance their careers.
In England, we leverage the Modern Apprenticeship Levy, with 4.3% of our colleague population undertaking apprenticeship learning – an increase of 60% of eligible colleagues year on year. FY25 was the first year we partnered with Co-op Levy Share to donate our excess levy funds, pledging £150k over the next two to three years. Currently, we’re supporting eight UK employers and 21 learners, with donations to date totalling £27k.
We continued to invest in our leadership and management populations, and by June 2025 had delivered Enabling Performance, our Leadership programme, to 75 leaders and managers across the Group, including 73% of our senior leaders. Throughout FY26/FY27 we plan to upskill specific leaders and people team colleagues to enable us to roll out this programme across the remainder of the senior leaders and our middle manager population.
In October 2024, we launched our Skills Boost series, available to all leaders and managers globally. These 90-minute, virtual sessions focus on key leadership skill areas, e.g. effective performance management, leading cross-culturally, and leading through change. Where relevant, we replicated models from Enabling Performance, e.g. clean talk for difficult conversations and the GROW model for coaching.
In FY25, we delivered 66 sessions across six key skill areas, with 943 individual attendances, and circa 40% of leaders and managers regularly attending sessions. Across all sessions, feedback is collected via an online form, including an NPS-specific question: “Would you recommend this session to your colleagues at NCC Group?” All sessions secured an “excellent” (+70–100) NPS score.
In July 2025 we launched our Compass Management Development programme, leveraging Saville leadership profiling to offer a dedicated learning pathway focused on self-awareness through a series of virtual and face-to-face workshops building leadership capability, supplemented by group coaching and mentoring to enable colleagues to embed their learning into their day-to-day roles. Workshops are delivered in concentrated cohorts of 12–15 delegates to facilitate a semi-personalised programme and are available to colleagues in people manager roles with less than two years’ experience. Following the launch in the final quarter of FY25 we engaged 25 attendees across two cohorts.
We launched our first Learning Experience Platform, Spark, in April 2025, and while it’s still being embedded, 93% of colleagues have engaged with content on the platform to date.
In FY25 we facilitated a talent review to identify potential successors to the Executive Committee. The five leaders identified worked with our partner, Saville Assessment, completing Saville Wave and 360 Leadership Impact assessments, and creating a talent profile outlining their strengths and areas for development. They will be supported on their development, with regular one-to-one meetings with their Executive Committee member and Talent Development partner to discuss progress. To date, two of the five leaders have advanced into more senior roles, with one joining the Executive Committee.
We have several mechanisms to measure colleague engagement (see page 14), including MyVoice, our biannual engagement survey using the Viva Glint platform. In our March 2025 survey, 1,489 colleagues responded, an increase in our engagement score of two points from March 2024. In addition to the survey, Senior Non-Executive Director Julie Chakraverty hosts quarterly Colleague Listening Sessions, ensuring the Board has a direct link to colleagues and decision making takes into account their voices. In FY25, over 80 colleagues met with Julie, who in turn reported feedback to the Board.
Colleagues have a number of opportunities to speak up – sharing feedback or raising concerns. A global Speak Up framework outlines channels and resources available for doing this, guidance on who to engage with on different types of feedback, and how to ensure confidentiality. A whistleblowing helpline and policy are also available – the policy is published in multiple languages on our website. This ensures colleagues are encouraged to speak up, safe from fear of reprisals, and with the reassurance that any concerns will be listened to and acted on appropriately.
Each country we operate in has its own prevailing market conditions, and as such we align our benefit and wellbeing propositions locally, while ensuring they are competitively benchmarked, enabling us to retain and attract the best talent. Our Global Benefits Strategy focuses on four key pillars aligned with colleague feedback and global best practice:
Continually reviewing our reward offering in each country ensures we retain and attract the best talent. In FY25, we built on our reward offering to remain competitive, including:
We understand the importance of financial stability benefits to support colleagues when making choices about their and their families’ current and future financial status.
Our strategy supports colleagues in planning for the future, enabling them through different investment options to strengthen their financial wellbeing.
We’re committed to fostering a culture of wellness by offering preventative and supportive resources, programmes and initiatives that promote healthy lifestyles, family-work-life balance, and stress management.
We recognise the importance of maintaining a healthy work-life balance and offer flexible work arrangements, paid time off and family friendly policies.
To find out more about our support of colleagues, please see our sustainability strategy on page 16
We’re committed to taking proportionate climate action as a responsible employer, a trusted supply chain partner, and a business focused on long-term value creation for all stakeholders.
In addition to our support of the net zero transition (read more on our sustainability strategy at nccgroupplc.com/sustainability), our action on climate has three pillars, starting with our own operations and extending to the support we give to clients operating in the energy transition sector and the contribution we make to their endeavours:
The biggest impact occurs in our business travel, both for client and non-client related travel, and our leased office spaces and is the focus for our reporting.
Our total annual Scope 1 and 2 emissions associated with our business operations were 1,232 tCO2e for our full year 2025. See page 28 for further detail.
To further support DE&I, we’ve formed partnerships with external organisations such as Disability Confident and the Business Disability Forum in the UK to increase accessibility, not only for our current colleagues, but also a broader candidate pool. Unconscious bias training is included as part of our Global Onboarding programme via a specific session entitled “Working Across Cultures”. Furthermore, through our Manager Skills Boost sessions we reiterate the importance of awareness of unconscious bias in support of diversity, equity and inclusion. All colleagues complete the ethics module as part of our mandatory annual compliance training, which includes dignity and respect at work. We continue to support our core colleague resource groups (gender, LGBTQIA+, neurodiversity, accessibility, and race and ethnicity) to provide input on workplace practices, engagement, education and representation for under-represented communities across our global business.
As of 30 September 2025, the Board of Directors comprised four males and three females. The wider Group employed 554 females, 1,444 males and 94 individuals whose gender was not disclosed. For the purpose of this disclosure, the Group defines its senior management as the Executive Committee, which consisted of four males and three females as of 30 September 2025. These figures for the Executive Committee include colleagues who also serve as statutory directors of subsidiary companies, where relevant.We continue to review our leased office space requirements, considering client and colleague needs. Considerations are given to collaboration, health and safety, personal wellbeing and the impact emissions have on the environment. This includes taking into consideration commuting for colleagues and the accessibility of public transport networks. We review office usage monthly as part of the executive team operations review, which, alongside colleague feedback and engagement, and consideration of client needs, informs the real estate strategy. On travel, all colleagues are required to book through our travel partner, Gray Dawes. This provides us with global tracking and improves our data collection for emissions as well as improving how we respond to any social or climate-related issues that colleagues may face. Domestic flights within the UK and European countries are by exception only, with rail travel the preferred option. As a result, any train journey more than three hours in duration in total is travelled by first class to ensure the health, safety and wellbeing of colleagues.
Climategames partnership
During the financial year, we partnered with Climategames, bringing both wellbeing and climate action together to engage colleagues and give back. We chose to invest in two projects – a sea kelp forestation initiative off the coast of British Columbia, and a social enterprise in Asia, including the Philippines, that prevents plastic from entering the ocean in the first place. In the initial launch during the summer of 2025 we funded the equivalent of planting 1,020 trees and removing 16.1kg of plastic from the ocean. Financial donations are made in return for colleagues taking part in physical challenges – from Group activities to local and team-based events. This is a great way to engage colleagues in our climate action activities as well as facilitating wellbeing conversations.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 21
Strategic report
In alignment with the UK Listing Rules, which mandates climate-related disclosure for all UK listed companies, we have produced a comprehensive TCFD Report. Our report covers the four pillars recommended by TCFD: governance, strategy, risk management and metrics/targets, and the 11 disclosures recommended by TCFD except as noted below. To ensure consistency across our report, we adhered to section C of the TCFD Annex, titled “Guidance for All Sectors”. As a result the following are documented as partially consistent, with further detail available within this report:
Our assessments indicate a low risk of exposure to physical and transitional climate changes, thanks to our business model. However, we acknowledge the high importance of mitigating greenhouse gas emissions, which emerged as a priority from stakeholder feedback as part of our “ongoing assessment” of double materiality in accordance with European Sustainability Reporting Standards. In FY25 we appointed a new partner – Positive Planet – to support the design and publication of our global Carbon Reduction Plan and to calculate and verify our GHG emissions. We recognise the considerable opportunities presented by the growing climate-focused market. Our collaborations with clients in industries such as electric vehicles, renewable energy, Operational Technology and other climate-friendly technologies underscore our readiness to seize these opportunities for sustainable growth.
Task Force on Climate-related Financial Disclosures (TCFD)
| TCFD recommended disclosure | Consistency | NCC Group disclosure # Sustainability
Each identified risk is paired with corresponding mitigation measures, such as implementing energy-efficient technologies or diversifying our supply chain, aimed to reduce our vulnerability. It’s critical that we remain flexible in our approach but focused on taking responsibility for the emissions we generate and seek to reduce what we can control. While these risks apply to the Group as a whole, we do recognise that certain locations face unique challenges. For example, our operations in coastal areas are more susceptible to rising sea levels and increased frequency of extreme weather events. For a more detailed understanding of the climate-related risks and opportunities we face, please refer to the table below. It provides a snapshot of the specific challenges we’re addressing and the strategic responses we have undertaken.
| Risk | Risk impact | Short/medium/ long term | Regions impacted | Mitigating activities |
|---|---|---|---|---|
| Physical risks | ||||
| Extreme weather (acute) | Causing business disruption and loss of service delivery if colleagues or clients are impacted adversely, which would in turn potentially impact revenue | Short to medium term | All but particularly Europe (Rijswijk and Amsterdam) | • Business interruption cover • Business continuity plans • Remote working in place • Dutch flood defences in place |
| Sea level rises (chronic) | Increased likelihood of flooding in Delft and Amsterdam offices causing increased insurance premiums to mitigate against business interruption and material loss | Long term | Europe – Rijswijk and Amsterdam offices | |
| Transition risks | ||||
| Increase in taxes and levies for greenhouse gas emissions | Increased costs to implement control and monitor/measurement processes as well as actual cost of taxes and levies | Medium term | Depends on local legislation | • Implement actions identified in our Carbon Reduction Plan and monitor |
| Move to net zero | Increased costs required to lower emissions | Long term | Global | • Remote delivery of client services where possible • Green car scheme for UK colleagues • Annual calculation of Scope 1 and 2 emissions and a Carbon Reduction Plan in place • Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction |
| Margin risk | Impact on results due to extra costs incurred to lower emissions | Medium term | Global | • Accounting policies regularly reviewed • Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction |
| Reputation risk | Increased stakeholder concern and changing client behaviours | Medium term | Global | • Rolling out Carbon Literacy Training to colleagues, starting with key decision makers and senior client-facing colleagues to empower them to engage in the conversation • Ongoing dialogue with investors • Participation in reporting frameworks such as CDP, EcoVadis, FTSE4Good, etc. • ESG information publicly available |
| Supply chain risk | Substitution of existing products and services with lower emission options | Medium to long term | Global | • Building climate change reporting and activity into supplier onboarding • Business continuity plans • Continuing to review our estate provision and taking steps to move out of leases where there is no client or business benefit to being there • Implementation of our estates policy, which incorporates environment considerations alongside the health, safety and security of colleagues |
Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 23
Sustainability continued
Resource efficiency: By embracing more efficient modes of transport, promoting recycling, encouraging hybrid working models and operating within efficient buildings, we can lessen our environmental footprint, improve colleague satisfaction and reduce operational costs. For instance, removing unnecessary travel not only reduces our carbon emissions but also empowers colleagues with more control over their work-life balance, contributing to improved morale and productivity (anticipated medium to long-term benefits).
Energy source: Our transition to lower emission energy sources, underpinned by our electric/hybrid car scheme for all UK colleagues, demonstrates our commitment to sustainable practices. By giving colleagues access to green car options, we are mitigating our exposure to future fossil fuel price fluctuations and regulations. It also addresses our colleagues’ material concerns, fostering a culture of environmental responsibility and enhancing overall job satisfaction (medium to long-term impact).
Market: As industries evolve in response to climate change, we’re strategically positioned to leverage these transformations. For example, by partnering with companies transitioning to alternative energy sources or working on projects involving smart meters, electric vehicles, IoT technology for waste reduction and cloud data centres, we anticipate strengthening our market position and enhancing our reputation as a sustainable and innovative enterprise (short to medium-term outlook).
Resilience: Our sustainable business model increases our resilience to climate-related risks, demonstrating our commitment to being a responsible and ethical supply chain partner. This commitment to sustainability not only aligns us with an increasingly eco-aware market but also empowers us to lead in the space, fostering a culture of innovation and responsible business practices (short to long-term perspective).
NCC Group plc — Annual report and accounts for the year ended 30 September 202524
| Risk type | Risk | Risk impact | Scenario | Short-term risk (<1 year 2025) | Medium-term risk (1–5 years 2026 to 2031) | Long-term risk (>5 years 2031) |
|---|---|---|---|---|---|---|
| Physical risk | Rising sea levels | Risk to NCC Group offices located in high risk areas, as well as colleagues’ homes and clients’ business premises, resulting in business disruption | 1 | Low | Low | High |
| 2 | Low | High | High | |||
| Transition risk | Increase in taxes and levies | Disruption and increased costs to ensure compliance with new legislation | 1 | Low | Medium | High |
| 2 | Low | Low | Low | |||
| Margin risk | Impact on results due to extra costs incurred to lower emissions | 1 | Low | Medium | High | |
| 2 | Low | Low | Low | |||
| Reputation risk | Increased stakeholder concern and changing client behaviours | 1 | Medium | High | High | |
| 2 | Low | High | High | |||
| Supply chain risk | Substitution of existing products and services with lower emission options | 1 | Low | Medium | High | |
| 2 | Low | Low | High |
To understand the risks and opportunities our business faces considering climate change, we conducted a quantitative scenario analysis using two distinct scenarios: a “<2°C” scenario (“Scenario 1”), where global warming is limited to less than 2°C with net zero achieved by 2050, and a “4°C” scenario (“Scenario 2”), where the goal of net zero by 2050 is not reached. A summary of the scenarios selected is provided in the diagram below. These scenarios are chosen to reflect the diverse spectrum of possibilities that could unfold due to different levels of global effort to curb climate change. In the context of these scenarios, “transition risks” refer to the challenges associated with the shift towards a lower carbon economy, while “physical risks” denote the potential damage caused by climate change itself. In terms of the risks selected, these were based on physical locations and the nature of our business in key locations of North America, the UK, Europe and Asia Pacific. We are in the process of flowing this into our financial planning and will continue to do so as we mature our climate action planning and reporting.
Under Scenario 1, we anticipate higher transition risks due to rapid shifts in regulatory and market conditions, but the physical risks would be significantly reduced due to the effective global action on climate change. Conversely, Scenario 2 predicts lower transition risks but considerably higher physical risks due to the lack of substantial progress towards climate goals. We’ve further broken down these risks by timeline, classifying them as short term (less than one year), medium term (one to five years) and long term (more than five years). The table below offers a comprehensive overview of NCC Group’s potential exposure to both transition and physical risks under each scenario. While our current analysis is qualitative, we are working towards quantifying these risks and opportunities as we progress towards our net zero targets and continually improve our data collection across Scope 1, 2 and 3 emissions. At this point, we don’t foresee a significant impact on our Financial Statement disclosures based on our materiality assessment results and known near to mid-term regulatory developments. However, we will continuously monitor both transition and physical risks, adjusting our mitigation strategy as necessary.
We recognise the potential implications of climate-related risks and opportunities on our financial planning. We anticipate shifts in our future business model and strategy in response to evolving market conditions due to climate change. We foresee potential changes in client preferences towards more sustainable products and services, along with possible disruptions in our supply chain due to extreme weather events. These factors are thoroughly considered in our business strategy development. Our business strategy has been designed to be resilient to future economic and climate-related scenarios. And by running regular scenarios we can test that resilience and ensure it’s considered in future business strategy development, enabling us to adapt accordingly, without disrupting or negatively impacting current operations. The scenarios are based on industry insights, which are used in the expert input into our ongoing materiality assessment. During FY24 we prioritised drafting our Carbon Reduction Plan working with Positive Planet.# Strategic report NCC Group plc — Annual report and accounts for the year ended 30 September 2025 25
| TCFD recommended disclosure | Consistency | NCC Group disclosure | Focus area of FY26 |
| :---# NCC Group plc — Annual report and accounts for the year ended 30 September 2025
NCC Group adopts both a “top-down” and “bottom-up” approach to risk, to manage risk exposure across the Group to enable the effective pursuit of strategic objectives. The approach is summarised in the diagram on page 30. The approach is one of collaboration, which supports our comprehensive approach to risk identification, from the “top down” and “bottom up”. The Group believes that this is the most efficient and effective way to identify its business risks.
The Board, Audit Committee and Cyber Security Committee review risks on an ongoing basis and are supported by the Executive Committee and subject matter specialists (including Escode, Cyber Security, information security, data protection and health and safety). The Board considers the Group’s strategic objectives and any barriers to their achievement.
The Board and senior leadership team engage with colleagues at every level of the Group in recognition of the importance of their expertise, contribution and views.
The Board has overall responsibility for ensuring that NCC Group adopts an effective risk management model, which is aligned to our objectives and promotes good risk management practice. We have therefore adopted the model described in this section and summarised in the diagram above.
Risk management is an inherent part of doing business, and risk management is a fundamental aspect of good corporate governance. A successful risk management process balances risk and reward and is underpinned by sound judgement regarding the impact and likelihood of risks. The Board holds overall responsibility for ensuring that NCC Group has an effective risk management framework that aligns with its business objectives.
The Board has established an Enterprise Risk Management policy, which has established protocols, including:
* Roles and responsibilities for the risk management framework
* A risk scoring framework
* A definition of risk appetite
The integrated approach to risk management diagram on page 30 summarises the Group’s overall approach to risk management.
| | # Risk management
Examples of ongoing monitoring of business risks include, but are not limited to:
* Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks
* Review of the annual Internal Audit Plan to validate that it incorporates key areas of business risk
* A review of internal audit reports issued during the period, including a summary of progress against previously raised management actions at each Audit Committee meeting
* Annual review of the strategic risk register by the Enterprise Risk Management Steering Group and Board to ensure that it includes risks arising in the period
While risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation. NCC Group has established a robust internal control framework, which is made up of a number of components:
The control environment has primarily been established taking account of the Group’s values (working together, being brilliantly creative, embracing difference and taking responsibility), and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, while also maintaining integrity and transparency.
Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements and are vital in our transformational programmes.
Established policies communicate expected behaviours and are supported by procedures and guidelines that define required processes and controls. This, in turn, helps the business to adopt efficient and effective control environments.
Access to accurate and timely data is essential for supporting our colleagues in making informed decisions and effectively managing and controlling their areas of responsibility.
The minimum financial controls framework was established in FY20. Further enhancement of the framework is being designed and implemented to align with the UK Corporate Governance Reform and upcoming Directors’ attestation of internal controls. In preparation for new legislative requirements relating to failure to prevent fraud, key anti-fraud controls have been identified and these are supported by red flag reporting and ongoing trend analysis to enhance the existing control environment to ensure compliance with the Economic Crime and Transparency Act (2023). Financial accounting and reporting follow generally accepted accounting practices. Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies. The approval procedures are captured within a global delegation of authority (DoA) matrix which is disseminated across the Group. Compliance with all legislation, current and new, is closely monitored.
NCC Group has embedded the “three lines of defence” to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Security Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 31
Risk movement: Increased, Decreased, Unchanged
Viability risk: VR
New risk: NR
Risk impact: High, Medium, Low
During the period, the Board has completed a robust assessment of the Company’s emerging and principal risks. This has included the Board reassessing and rescoring the principal risks, with changes to the risks noted below. The overall number of principal risks has reduced from 24 in FY24 to 14 in FY25 primarily due to risks being combined where the operating risks overlapped or where they were considered sub-risks. The Group continues to operate in a particularly dynamic and evolving marketplace. The current risk register has been developed to reflect these factors and includes risks that could threaten the Group’s business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, along with their potential impact and the mitigating processes and controls, are set out below. The strategic risks are based on the four pillars of our strategy: our clients, our capabilities, global delivery and differentiated brands.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 32
Risk movement: Increased, Decreased, Unchanged
Viability risk: VR
New risk: NR
Risk impact: High, Medium, Low
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 33
Risk impact and movement Increased due to a lot of ongoing transformational change and the general increase in cyber attacks.
Key controls and mitigating factors Deployed an Information Security Management System (ISO 27001). All key locations are certified. IT strategy of continued cloud migration which has greater resilience and availability. Business continuity plans, including crisis management, are in place and tested regularly. A change management process is in place within IT which assists a reduction in incidents caused by human error. Backups are in place and single points of failure are identified and mitigated in the event of prolonged loss of systems. Regular vulnerability assessments (perimeter scanning) and penetration testing are undertaken. Global systems are in place.
Loss of client/colleague data
Link to strategy: Our capabilities Differentiated brands
Previous risk name Merged with intellectual property theft or exposure
Risk owner Guy Ellis, CFO
Risk impact Data breach leading to fines from regulators and reputational damage. Reputational damage from losing client data and industrial espionage, resulting in loss of revenue and loss of competitive advantage from threat of malicious actors.
Risk impact and movement Key controls and mitigating factors Deployed an Information Security Management System (ISO 27001). All key locations are certified. Regular compliance training, including data protection, is provided to all colleagues at least annually. Information classification and handling and data privacy policies are in place.
Insufficient quality, integrity and availability of management information
Viability risk: VR
Link to strategy: Our clients Our capabilities Global delivery
Previous risk name N/A
Risk owner Guy Ellis, CFO
Risk impact Suboptimal business decision making and performance as key financial performance data is not available or trusted.
Risk impact and movement Key controls and mitigating factors We are ISO 9001 accredited across key locations. Standardised business process control standards are in place and subject to regular review by the global standards and support team. Increased focus on implementing global systems to support global strategy.
Risk movement: Increased Decreased Unchanged
Viability risk: VR New risk: NR
Risk impact: High Medium Low
Risk movement: Increased Decreased Unchanged
Viability risk: VR New risk: NR
Risk impact: High Medium Low
Risk movement: Increased Decreased Unchanged
Viability risk: VR New risk: NR
Risk impact: High Medium Low
Criminal and civil corporate legal action resulting in fines and incarceration
Viability risk: VR
Link to strategy: Our clients Global delivery Differentiated brands
Previous risk name N/A
Risk owner Guy Ellis, CFO
Risk impact Reputational damage from legal action being taken and financial impact of the fines and the impact it may have on key customer accounts.
Risk impact and movement Key controls and mitigating factors The legal team reviews customer contracts. Annual compliance training is undertaken including ethics, economic crime, health and safety, information security and data protection.
Inability to identify and adopt emerging regulations in a timely manner
Link to strategy: Our clients Global delivery Differentiated brands
Previous risk name N/A
Risk owner Guy Ellis, CFO
Risk impact Non-compliance with regulations resulting in fines from regulators and reputational damage leading to loss of key customer accounts and shareholder investment.
Risk impact and movement Key controls and mitigating factors TCFD reporting in third period and working on CSRD for our Fox-IT business. Horizon scanning for new regulations.
Risk movement: Increased Decreased Unchanged
Viability risk: VR New risk: NR
Risk impact: High Medium Low
We have removed the lack of visibility in the workplace risk, within the brand and reputation risk theme, as the Board deemed this was no longer a strategic risk. In addition to identifying the Group principal risks, we continuously review and monitor emerging risks through horizon scanning; publications; assessing regulatory changes and how they may impact the Group; and ensuring adequate oversight over significant projects. Examples of identification include horizon scanning for emerging risks such as increasing energy costs, takeover risks, legislative and market changes and geopolitical risks.# Strategic report
In line with Provision 31 of the 2018 UK Corporate Governance Code, this Viability Statement outlines the Directors’ assessment of the Group’s ability to continue in operation and meet its liabilities as they fall due over the designated assessment period (factoring in the Group’s continuing operations), drawing attention to any qualifications or assumptions, as necessary. This evaluation considers our current financial position, outlook and principal risks and uncertainties, as well as the critical judgements and estimates underpinning the Financial Statements. The Directors’ assessment is grounded in the Group’s business model and strategic plan, which are reviewed and approved annually by the Board with a focus on a sustainable growth strategy derived from two distinct businesses, increasing shareholder value, and enhancing our service offering. For further details, please see the Strategic Report on pages 8 and 9. The Group’s strategic priorities, detailed on pages 12 and 13 of the Strategic Report, provide a foundation for this outlook. Additionally, the effective management of principal risks and uncertainties, as outlined on pages 29 to 37, underscores those factors that could theoretically pose a threat to the Group’s operational or financial resilience, particularly those carrying the viability risk (VR) designation.
The Directors have assessed the viability of the Group over a three year period ending in September 2028. This timeframe aligns with the Group’s strategic planning horizon and reflects a practical planning period, considering the pace of industry change and evolving customer demands.
The viability of the Group has been assessed based on its current financial position, available banking facilities, and the Board-approved FY26 budget and three year strategic plan (factoring in the Group’s continuing operations). The Group’s base case budget for FY26 incorporates recent growth trends across geographical regions and operating segments, as well as relevant growth opportunities driven by existing offerings. Management has also performed base case modelling inclusive of the potential disposal of its Escode business (incorporating any associated impact on the Group’s banking facilities and expected net cash position). This assessment also accounts for current macro-economic conditions where applicable. Additionally, the Group remains in the early stages of reviewing a number of strategic options for its Cyber business, however no decision has been made on which option will be pursued as of 11 December 2025. No material issues impacting the Group’s viability assessment as of 11 December 2025.
In April 2025, the Group refinanced its borrowing arrangements by entering into a new four year £120m multi-currency revolving credit facility, replacing the previous facility due to expire in December 2026. The new facility, which expires in April 2029, provides additional liquidity headroom and has been factored into the Group’s viability assessment. Additionally, the Directors have modelled the impact of severe, yet plausible, scenarios associated with the Group’s principal viability risks, which could have the most significant potential impact on viability over the three year period, as outlined in the table below. These sensitivities have been assessed against the Group’s projected cash flow position, available banking facilities, and compliance with financial covenants throughout the viability period. Under these scenarios, the Group has assessed and concluded that sufficient headroom exists to support its operations and meet its liabilities as they fall due. Further details on the Group’s financing arrangements can be found in Note 1 of the Financial Statements. The applied sensitivities demonstrate sufficient levels of headroom, indicating that no mitigating actions are necessary under the severe but plausible scenarios modelled by management. Nevertheless, should additional headroom be needed, available measures within the Directors’ control include reducing planned capital expenditure, adjusting headcount, freezing pay and recruitment, and suspending dividend payments to shareholders.
As outlined on page 32, the Board has undertaken a robust assessment of the Company’s principal risks, resulting in an overall reduction in the number of identified risks. This reassessment included a review of the Group’s principal risks that are also considered viability risks, and any changes identified during the year are clearly highlighted on pages 32 to 37.
Based on the severe but plausible scenarios modelled (inclusive of the planned disposal of Escode), the Directors have a reasonable expectation that the Company will be able to continue in operation and meet its liabilities as they fall due over the three year period of assessment. The Directors have considered this assumption as part of their viability assessment and believe it to be reasonable based on the Group’s financial position.
| Viability risk | Risk as applied to viability assessment | Specifics of scenario modelled
In line with Provision 31 of the 2018 UK Corporate Governance Code, this Viability Statement outlines the Directors’ assessment of the Group’s ability to continue in operation and meet its liabilities as they fall due over the designated assessment period (factoring in the Group’s continuing operations), drawing attention to any qualifications or assumptions, as necessary. This evaluation considers our current financial position, outlook and principal risks and uncertainties, as well as the critical judgements and estimates underpinning the Financial Statements. The Directors’ assessment is grounded in the Group’s business model and strategic plan, which are reviewed and approved annually by the Board with a focus on a sustainable growth strategy derived from two distinct businesses, increasing shareholder value, andenhancing our service offering. For further details, please see theStrategic Report on pages 8 and 9. The Group’s strategic priorities, detailed on pages 12 and 13 of the Strategic Report, provide a foundation for this outlook. Additionally, theeffective management of principal risks and uncertainties, as outlined on pages 29 to 37, underscores those factors that could theoretically pose a threat to the Group’s operational or financial resilience, particularly those carrying the viability risk (VR) designation.
The Directors have assessed the viability of the Group over a three year period ending in September 2028. This timeframe aligns with the Group’s strategic planning horizon and reflects a practical planning period, considering the pace of industry change and evolving customer demands.
The viability of the Group has been assessed based on its current financial position, available banking facilities, and the Board-approved FY26 budget and three year strategic plan (factoring in the Group’s continuing operations). The Group’s base case budget for FY26 incorporates recent growth trends across geographical regions and operating segments, as well as relevant growth opportunities driven byexisting offerings. Management has also performed base case modelling inclusive of the potential disposal of its Escode business (incorporating any associated impact on the Group’s banking facilities and expected netcash position). This assessment also accounts for current macro-economic conditions where applicable. Additionally, the Group remains in the early stages of reviewing anumber of strategic options for its Cyber business, however no decision has been made on which option will be pursued as of 11 December 2025. No material issues impacting the Group’s viability assessment as of 11December 2025.
In April 2025, the Group refinanced its borrowing arrangements by entering into a new four year £120m multi-currency revolving credit facility, replacing the previous facility due to expire in December 2026. The new facility, which expires in April 2029, provides additional liquidity headroom and has been factored into the Group’s viabilityassessment. Additionally, the Directors have modelled the impact of severe, yet plausible, scenarios associated with the Group’s principal viability risks, which could have the most significant potential impact on viability over the three year period, as outlined in the table below. These sensitivities have been assessed against the Group’s projected cash flow position, available banking facilities, and compliance with financial covenants throughout the viability period. Under these scenarios, the Group hasassessed and concluded that sufficient headroom exists to support its operations and meet its liabilities as they fall due. Further details onthe Group’s financing arrangements can be found in Note 1 oftheFinancial Statements. The applied sensitivities demonstrate sufficient levels of headroom, indicating that no mitigating actions are necessary under the severe butplausible scenarios modelled by management. Nevertheless, should additional headroom be needed, available measures within theDirectors’ control include reducing planned capital expenditure, adjusting headcount, freezing pay and recruitment, and suspending dividend payments to shareholders.
As outlined on page 32, the Board has undertaken a robust assessment of the Company’s principal risks, resulting in an overall reduction in the number of identified risks. This reassessment included a review of the Group’s principal risks that are also considered viability risks, and any changes identified during the year are clearly highlighted on pages 32 to37.
Based on the severe but plausible scenarios modelled (inclusive of the planned disposal of Escode), the Directors have a reasonable expectation that the Company will be able to continue in operation and meet its liabilities as they fall due over the three year period of assessment. TheDirectors have considered this assumption as part of their viability assessment and believe it to be reasonable based on the Group’s financial position.
| Viability risk | Risk as applied to viability assessment | Specifics of scenario modelled # Overview of financial performance
Throughout this Financial Review, references are made to a number of reporting periods. Any references to the year ended 30 September 2025 or the 16 month period ended 30 September 2024 relate to audited figures (unless stated otherwise). References to the year ended 30 September 2024, the six months (“H1”) to 31 March 2025 (and comparative six months to 31 March 2024), and the six months (“H2”) to 30 September 2025 (and comparative six months to 30 September 2024) relate to unaudited figures.
As we assess our performance against the FY25 financial framework published in December 2024, it is encouraging to see that we have continued to deliver throughout the year against most of the framework. The key points to note are as follows:
Guy Ellis
Chief Financial Officer
Delivering on our financial framework
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 40
This approach continues to support comparability of the Group’s new year end performance (following the year end change in FY24) and, importantly, provides visibility on the current trajectory.
The following table summarises the Group’s performance for the year ended 30 September 2025, following the results for the 16 month period ended 30 September 2024, which reflected the Group’s change in financial year end to 30 September in the prior period. The results for the year (and the prior period) present the Group’s Escode business as discontinued operations. Therefore, the table below shows the Group’s continuing operations results, with Escode added back to ensure full comparability of the Group’s performance. During the year ended 30 September 2025, the Group explored a number of options for its Escode business, including a potential sale, eventually initiating an active programme to locate a potential buyer. As at 30 September 2025, the sale was considered highly probable, so the related assets and liabilities were reclassified as held for sale. Since Escode is a separate major line of business and classified as held for sale, it is presented also presented as a discontinued operation.
| Year ended 30 September 2025 | 16 month period ended 30 September 2024 | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Cyber Security £m | Central and head office £m | Continuing operations 3 : Sub-total £m | Discontinued operations 3 : Escode £m | Group £m | Cyber Security £m | Central and head office £m | Continuing operations 3 : Sub-total £m | Discontinued operations 3 : Escode £m | |
| Revenue | 238.9 | — | 238.9 | 66.5 | 305.4 | 342.1 | — | 342.1 | 87.4 |
| Cost of sales | (150.5) | — | (150.5) | (19.0) | (169.5) | (224.1) | — | (224.1) | (26.7) |
| Gross profit | 88.4 | — | 88.4 | 47.5 | 135.9 | 118.0 | — | 118.0 | 60.7 |
| Gross margin % | 37.0% | — | 37.0% | 71.4% | 44.5% | 34.5% | — | 34.5% | 69.5% |
| Administrative expenses | (68.4) | (4.4) | (72.8) | (16.4) | (89.2) | (97.3) | (3.4) | (100.7) | (24.1) |
| Share-based payments | (0.2) | (2.6) | (2.8) | (0.2) | (3.0) | (0.1) | (2.0) | (2.1) | (0.2) |
| Adjusted EBITDA 1,2 | 19.8 | (7.0) | 12.8 | 30.9 | 43.7 | 20.6 | (5.4) | 15.2 | 36.4 |
| Depreciation and amortisation | (7.8) | (3.1) | (10.9) | (1.0) | (11.9) | (10.9) | (5.3) | (16.2) | (0.6) |
| Amortisation of acquired intangibles | (1.0) | (2.1) | (3.1) | (5.0) | (8.1) | (1.4) | (4.0) | (5.4) | (7.1) |
| Adjusted operating profit/(loss) 1,2 | 11.0 | (12.2) | (1.2) | 24.9 | 23.7 | 8.3 | (14.7) | (6.4) | 28.7 |
| Individually Significant Items | (3.9) | 5.8 | 1.9 | — | 1.9 | (41.4) | — | (41.4) | (0.1) |
| Operating profit/(loss) | 7.1 | (6.4) | 0.7 | 24.9 | 25.6 | (33.1) | (14.7) | (47.8) | 28.6 |
| Operating margin % | 3.0% | N/A | 0.3% | 37.4% | 8.4% | (9.7%) | N/A | (14.0%) | 32.7% |
| Finance costs | | | | | (5.0) | | | (8.3) | |
| Profit/(loss) before taxation | | | | | 20.6 | | (27.5) | | |
| Taxation | | | | | (3.5) | | (5.0) | | |
| Profit/(loss) after taxation | | | | | 17.1 | | (32.5) | | |
| EPS | | | | | | | | | |
| Basic EPS | 5.6p | (10.4p) | |||||||
| Adjusted basic EPS 1,2 | 4.7p | 3.4p |
On the basis we are comparing a 12 month period to a 16 month period, revenue decreased by 28.0% on a constant currency basis (actual rates: 28.9%), with total Cyber Security revenue decreasing 29.3% on a constant currency basis (actual rates: 30.2%) and Escode decreasing by 22.8% on a constant currency basis (actual rates: 23.9%). Encouragingly, when you directly compare our overall gross margins, we have improved since the 16 month period ended 30 September 2024 with gross margin percentage increasing to 44.5% (2024: 41.6%). This +2.9% pts in gross margin is driven by improved utilisation and operational efficiencies within Cyber Security, together with a continued shift in the service mix, as Managed Services accounts for a growing proportion of overall revenue at a higher margin. This has also been boosted by an improvement in Escode gross profit margin, increasing to 71.4% from 69.5% due to the continued benefits arising from previous investments within Escode. Administrative expenses (excluding share-based payments, depreciation and amortisation, and amortisation of acquired intangibles) have decreased from £124.8m in the 16 month period ended 30 September 2024 to £89.2m. This is predominantly driven by lower payroll related costs on the basis we are comparing a 12 month period to a 16 month period.
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 41
A profit before taxation of £20.6m (inclusive of Escode) for the year was recognised after incurring £1.9m (credit) of Individually Significant Items (including the profit on disposal of Fox Crypto, fundamental re-organisation costs and the strategic review of both the Escode and Cyber businesses).This profit before taxation was driven in part by the £11.4m gain on disposal of Fox Crypto, following completion during the year. This gave rise to a basic EPS of 5.6p and diluted EPS of 5.5p (2024: basic and diluted (10.4p)). Adjusted basic EPS 1 amounted to 4.7p and 4.6p (2024: basic and diluted 3.4p). Net cash excluding lease liabilities 1 amounts to £13.1m (2024: net debt excluding lease liabilities 1 of £45.3m), reflecting the repayment of the Group’s borrowings following the successful completion of the Fox Crypto disposal. The Group’s Balance Sheet remains strong following the successful refinancing completed in April 2025. At that time, the Group entered into a new four year, £120m multi-currency revolving credit facility (RCF) with a syndicate of four banks and including an uncommitted £50m accordion option. This new unsecured facility replaces the previous £162.5m RCF due to expire in December 2026.
Financial review continued
Year ended 30 September 2025 compared to pro forma 12 months to 30 September 2024
The following table summarises the results for the year ended 30 September 2025 compared to the unaudited 12 month pro forma period ended 30 September 2024.
| Year ended 30 September 2025 | 12 month pro forma period ended 30 September 2024 | |
|---|---|---|
| Cyber Security £m | Central and head office £m | |
| Revenue | 227.4 | — |
| Cost of sales | (144.1) | — |
| Gross profit | 83.3 | — |
| Gross margin % | 36.6% | — |
| Administrative expenses | (66.4) | (4.4) |
| Share-based payments | (0.2) | (2.6) |
| Adjusted EBITDA 1,2 | 16.7 | (7.0) |
| Depreciation and amortisation | (7.6) | (3.1) |
| Amortisation of acquired intangibles | (0.9) | (2.1) |
| Adjusted operating profit/(loss) 1,2 | 8.2 | (12.2) |
| Individually Significant Items | (3.9) | 5.8 |
| Operating profit/(loss) | 4.3 | (6.4) |
| Operating margin % | 1.9% | N/A |
| Finance costs | ||
| Profit/(loss) before taxation | ||
| Taxation | ||
| Profit/(loss) after taxation | ||
| EPS | ||
| Basic EPS | 5.6p | |
| Adjusted basic EPS 1,2 | 4.7p |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 42
1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
2 The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic review of Escode and strategic review of Cyber costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which include an explanation of APMs and adjusting items, along with a reconciliation to statutory information.
3 Management have allocated £6.8m of these costs to Escode which have been included within the administrative expenses above. To reconcile to Escode’s statutory operating profit, these costs are reallocated to central and head office administrative expenses in accordance with the requirements of IFRS 5 on discontinued operations. This is due to the fact that if an operation is disposed of, the relevant central overheads may not decrease in the short term.
Total revenue has decreased by 6.2% on a constant currency basis (actual rates: (7.2%)), with Cyber Security revenue (excluding non-core disposals) decreasing by 4.0% on a constant currency basis (actual rates: (4.9%)) and Escode growing by 2.2% on a constant currency basis (actual rates: 0.8%). The Escode revenue increase has predominantly been driven by favourable price increases and volume during the year within verification services Turning to Cyber Security revenue trajectory during the year, the UK and APAC declined by 0.6% at constant currency (actual rates: (0.8%)), and North America declined by 12.9% (actual rates: (15.4%)). These reductions have been driven primarily by declines in their respective TAS markets, as demand has recovered more slowly than expected year on year. Encouragingly, the UK and APAC improved by 5.5% at actual rates when comparing H2 2025 with H1 2025, driven primarily by improvements within the UK’s C&I business. Year on year we have experienced continued growth in our Managed Services performance by 2.8% at constant currency (actual rates: 2.6%) which has mainly been driven by our European MS business, with this growth continuing when comparing H2 2025 with H1 2025. Additionally, we have seen year-on-year growth in our C&I business of 16.6% at constant currency (actual rates: 14.9%) which has been driven by increased demand within our UK markets. Similarly to our MS business from a trajectory perspective we have seen continued growth within our UK C&I business when comparing H2 2025 to H1 2025.
Year-on-year gross profit has decreased by 4.9% to £135.9m; however, gross profit margin has favourably increased to 44.5% (reflecting an increase of 1.1% pts) mainly driven by an improvement in Escode of 2.6% pts (noting Cyber Security excluding non-core disposals has remained broadly flat at c.37%). Encouragingly, comparing H2 2025 with H1 2025 Cyber Security gross margin has increased by 2.0% pts to 38.0% reflecting the increased shift in mix towards the higher margin Managed Services business.
Administrative expenses (excluding share-based payments, depreciation and amortisation, and amortisation of acquired intangibles) have decreased by 2.4% from £91.4m to £89.2m, after taking into account inflationary wage increases. This movement was primarily driven by lower payroll costs (following the globalisation of certain back office functions to Manila) and savings in rent and rates during the year, offset by unfavourable exchange rate movements.
Alternative Performance Measures (APMs)
Throughout this Financial Review, certain APMs are presented. The APMs used by the Group are not defined terms under IFRS and therefore may not be comparable with similarly titled measures reported by other companies. They are not intended to be a substitute for, or superior to, IFRS measures. This presentation is also consistent with the way that financial performance is measured by management and reported to the Board, and the basis of financial measures for senior management’s compensation scheme, and provides supplementary information that assists the user in understanding the financial performance, position and trends of the Group. We believe these APMs provide readers with important additional information on our business, and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can differ significantly from the APMs and may be assessed differently by the reader, we encourage you to consider these figures together with statutory reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related APMs may exclude recurring business transactions (e.g. acquisition related costs) that impact financial performance and cash flows.
As previously reported, the Group only discloses one adjusted item: “Individually Significant Items” (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic review of Escode costs and strategic review of the Cyber business costs). As the £11.4m profit on disposal of Crypto represents a material gain, it has been disclosed separately on the face of the statutory income statement within the Group’s consolidated Income Statement.
The Group has the following APMs/non-statutory measures:
• Adjusted EBITDA (reconciled below)
• Adjusted operating profit (reconciled below)
• Adjusted profit for the year (reconciled below)
• Adjusted basic EPS (pence) (reconciled below)
• Net cash/(debt) excluding lease liabilities (reconciled below)
• Net cash/(debt) (reconciled below)
• Cash conversion which includes Adjusted EBITDA (reconciled below)
• Constant currency revenue (reconciled below)
The above APMs are consistent with those reported for the 16 month period ended 30 September 2024. The Group reports certain geographic regions and service capabilities on a constant currency basis to reflect the underlying performance considering constant foreign exchange rates period on period. This involves translating comparative numbers to current period rates for comparability to enable a growth factor to be calculated. As these measures are not statutory revenue numbers, management considers these to be APMs; see unaudited Appendix 1 for further details.# Strategic report
1 Adjusted EBITDA 1 and Adjusted operating profit 1,2 are reconciled to statutory measures below:
| Year ended 30 September 2025 £m | 16 month period ended 30 September 2024 £m | |
|---|---|---|
| Operating profit/(loss) from continuing operations 3 | 0.7 | (47.8) |
| Operating profit from discontinuing operations 3 | 24.9 | 28.6 |
| Operating profit/(loss) | 25.6 | (19.2) |
| Depreciation and amortisation | 11.9 | 16.8 |
| Amortisation of acquired intangibles | 8.1 | 12.5 |
| Individually Significant Items | (1.9) | 41.5 |
| Adjusted EBITDA 1,2 | 43.7 | 51.6 |
| Depreciation, amortisation and amortisation charge on acquired intangibles | (20.0) | (29.3) |
| Adjusted operating profit 1,2 | 23.7 | 22.3 |
| Year ended 30 September 2025 £m | 12 month period ended 30 September 2024 £m | % change | |
|---|---|---|---|
| Cyber Security (excluding Crypto and DetACT) | 16.7 | 18.5 | (9.7%) |
| Central and head office | (7.0) | (4.8) | (45.8%) |
| Escode (discontinued operations) | 30.9 | 28.4 | 8.8% |
| Total Adjusted EBITDA 1,2 (excluding Crypto and DetACT) | 40.6 | 42.1 | (3.6%) |
| Crypto and DetACT | 3.1 | 7.6 | (59.2%) |
| Total Adjusted EBITDA 1,2 | 43.7 | 49.7 | (12.1%) |
1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
2 The Group reports only one adjusted item: Individually Significant Items (includes the £11.4m profit on disposal of Fox Crypto and £9.5m of re-organisation, strategic review of Escode costs and strategic review of the Cyber business costs). For further details, please refer to unaudited Appendix 1 and the Financial Review, which includes an explanation of APMs and adjusting items, along with a reconciliation to statutory information.
3 During the year, Escode incurred £6.8m (2024: £9.6m) of allocated head office overheads, which have been included within Escode’s administrative expenses. To reconcile to Escode’s statutory operating profit, these costs are reallocated to central and head office administrative expenses in accordance with the requirements of IFRS 5 on discontinued operations.
Comparing the year ended 30 September 2025 with the prior 16 month period ended 30 September 2024, overall revenue is analysed as follows:
| Year ended 30 September 2025 £m | 16 month period ended 30 September 2024 £m | % change at actual rates | Year ended 30 September 2025 £m | Constant currency 1 16 month period ended 30 September 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Cyber Security revenue | 238.9 | 342.1 | (30.2%) | 238.9 | 338.0 | (29.3%) |
| Escode (discontinued operations) | 66.5 | 87.4 | (23.9%) | 66.5 | 86.1 | (22.8%) |
| Total revenue | 305.4 | 429.5 | (28.9%) | 305.4 | 424.1 | (28.0%) |
Comparing year on year, overall revenue is analysed as follows:
| Year ended 30 September 2025 £m | Year ended 30 September 2024 £m | % change at actual rates | Year ended 30 September 2025 £m | Constant currency 1 12 month period ended 30 September 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Cyber Security revenue (excluding Crypto and DetACT) | 227.4 | 239.2 | (4.9%) | 227.4 | 236.8 | (4.0%) |
| Crypto and DetACT | 11.5 | 24.0 | (52.1%) | 11.5 | 23.7 | (51.5%) |
| Total Cyber Security revenue | 238.9 | 263.2 | (9.2%) | 238.9 | 260.5 | (8.3%) |
| Escode (discontinued operations) | 66.5 | 66.0 | 0.8% | 66.5 | 65.1 | 2.2% |
| Total revenue | 305.4 | 329.2 | (7.2%) | 305.4 | 325.6 | (6.2%) |
| Year ended 30 September 2025 £m | Year ended 30 September 2024 £m | % change at actual rates | Year ended 30 September 2025 £m | Constant currency 1 12 month period ended 30 September 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Cyber Security revenue (excluding Crypto and DetACT) | 227.4 | 239.2 | (4.9%) | 227.4 | 236.8 | (4.0%) |
| Escode (discontinued operations) | 66.5 | 66.0 | 0.8% | 66.5 | 65.1 | 2.2% |
| Total revenue (excluding Crypto and DetACT) | 293.9 | 305.2 | (3.7%) | 293.9 | 301.9 | (2.6%) |
| Crypto and DetACT | 11.5 | 24.0 | (52.1%) | 11.5 | 23.7 | (51.5%) |
| Total revenue | 305.4 | 329.2 | (7.2%) | 305.4 | 325.6 | (6.2%) |
Comparing the two halves of the year against their respective prior period comparatives is as follows:
| 6 month period ended 31 March 2025 £m | 6 month period ended 31 March 2024 £m | % change at actual rates | 6 month period ended 31 March 2025 £m | Constant currency 1 6 month period ended 31 March 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Cyber Security revenue (excluding Crypto and DetACT) | 112.0 | 120.8 | (7.3%) | 112.0 | 119.5 | (6.3%) |
| Crypto and DetACT | 11.5 | 13.1 | (12.2%) | 11.5 | 12.7 | (9.4%) |
| Total Cyber Security revenue | 123.5 | 133.9 | (7.8%) | 123.5 | 132.2 | (6.6%) |
| Escode (discontinued operations) | 33.3 | 32.9 | 1.2% | 33.3 | 32.7 | 1.8% |
| Total revenue | 156.8 | 166.8 | (6.0%) | 156.8 | 164.9 | (4.9%) |
| 6 month period ended 30 September 2025 £m | 6 month period ended 30 September 2024 £m | % change at actual rates | 6 month period ended 30 September 2025 £m | Constant currency 1 6 month period ended 30 September 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 118.4 | (2.5%) | 115.4 | 117.3 | (1.6%) |
| Crypto and DetACT | — | 10.9 | (100.0%) | — | 11.0 | (100.0%) |
| Total Cyber Security revenue | 115.4 | 129.3 | (10.8%) | 115.4 | 128.3 | (10.1%) |
| Escode (discontinued operations) | 33.2 | 33.1 | 0.3% | 33.2 | 32.4 | 2.5% |
| Total revenue | 148.6 | 162.4 | (8.5%) | 148.6 | 160.7 | (7.5%) |
From an overall revenue trajectory perspective by originating region, the following tables compare H2 2025 performance with H1 2025:
| 6 month period ended 30 September 2025 £m | 6 month period ended 31 March 2025 £m | % change at actual rates | |
|---|---|---|---|
| Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 112.0 | 3.0% |
| Crypto and DetACT | — | 11.5 | (100.0%) |
| Total Cyber Security revenue | 115.4 | 123.5 | (6.6%) |
| Escode (discontinued operations) | 33.2 | 33.3 | (0.3%) |
| Total revenue | 148.6 | 156.8 | (5.2%) |
1 Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
| Year ended 30 September 2025 £m | Year ended 30 September 2025 % margin | 12 month period ended 30 September 2024 £m | 12 month period ended 30 September 2024 % margin | % pts change | |
|---|---|---|---|---|---|
| Cyber Security gross profit (excluding Crypto and DetACT) | 83.3 | 36.6% | 88.5 | 37.0% | (0.4%) |
| Escode (discontinued operations) | 47.5 | 71.4% | 45.4 | 68.8% | 2.6% |
| Total gross profit (excluding Crypto and DetACT) | 130.8 | 44.5% | 133.9 | 43.9% | 0.6% |
| Crypto and DetACT | 5.1 | 44.3% | 9.0 | 37.5% | 6.8% |
| Total gross profit and % margin | 135.9 | 44.5% | 142.9 | 43.4% | 1.1% |
The following sections summarise the Group’s divisional performance for the year ended 30 September 2025, following the 16 month period ended 30 September 2024. It also compares the results for the year ended 30 September 2025 with the unaudited 12 months to 30 September 2024, including an analysis of each year’s composition by reviewing the first and second halves and their respective comparative periods (unaudited).
The Cyber Security division accounts for 78.2% of Group revenue (16 month period ended 30 September 2024: 79.7%) and 65.0% of Group gross profit (16 month period ended 30 September 2024: 66.0%).
| Year ended 30 September 2025 £m | 16 month period ended 30 September 2024 £m | % change at actual rates | Year ended 30 September 2025 £m | Constant currency 1 16 month period ended 30 September 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| UK and APAC | 134.4 | 173.3 | (22.4%) | 134.4 | 172.8 | (22.2%) |
| North America | 56.7 | 90.7 | (37.5%) | 56.7 | 88.0 | (35.6%) |
| Europe | 47.8 | 78.1 | (38.8%) | 47.8 | 77.2 | (38.1%) |
| Total Cyber Security revenue | 238.9 | 342.1 | (30.2%) | 238.9 | 338.0 | (29.3%) |
| Year ended 30 September 2025 £m | 12 month period ended 30 September 2024 £m | % change at actual rates | Year ended 30 September 2025 £m | Constant currency 1 12 month period ended 30 September 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| UK and APAC | 134.4 | 135.5 | (0.8%) | 134.4 | 135.2 | (0.6%) |
| North America | 56.7 | 67.0 | (15.4%) | 56.7 | 65.1 | (12.9%) |
| Europe (excluding Crypto and DetACT) | 36.3 | 36.7 | (1.1%) | 36.3 | 36.5 | (0.5%) |
| Cyber Security revenue (excluding Crypto and DetACT) | 227.4 | 239.2 | (4.9%) | 227.4 | 236.8 | (4.0%) |
| Crypto and DetACT | 11.5 | 24.0 | (52.1%) | 11.5 | 23.7 | (51.5%) |
| Total Cyber Security revenue | 238.9 | 263.2 | (9.2%) | 238.9 | 260.5 | (8.3%) |
Comparing the two halves of the year against their respective prior period comparatives, Cyber Security revenue by originating region is analysed as follows:
| 6 month period ended 31 March 2025 £m | 6 month period ended 31 March 2024 £m | % change at actual rates | 6 month period ended 31 March 2025 £m | Constant currency 1 6 month period ended 31 March 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| UK and APAC | 65.4 | 69.1 | (5.4%) | 65.4 | 69.0 | (5.2%) |
| North America | 28.6 | 33.4 | (14.4%) | 28.6 | 32.9 | (13.1%) |
| Europe (excluding Crypto and DetACT) | 18.0 | 18.3 | (1.6%) | 18.0 | 17.6 | 2.3% |
| Cyber Security revenue (excluding Crypto and DetACT) | 112.0 | 120.8 | (7.3%) | 112.0 | 119.5 | (6.3%) |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
46
| £m | 6 month period ended 30 September 2025 | 6 month period ended 30 September 2024 | % change at actual rates | £m | 6 month period ended 30 September 2025 | 6 month period ended 30 September 2024 | % change at constant currency¹ |
|---|---|---|---|---|---|---|---|
| UK and APAC | 69.0 | 66.4 | 3.9% | UK and APAC | 69.0 | 66.2 | 4.2% |
| North America | 28.1 | 33.6 | (16.4%) | North America | 28.1 | 32.2 | (12.7%) |
| Europe (excluding Crypto and DetACT) | 18.3 | 18.4 | (0.5%) | Europe (excluding Crypto and DetACT) | 18.3 | 18.9 | (3.2%) |
| Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 118.4 | (2.5%) | Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 117.3 | (1.6%) |
| Crypto and DetACT | — | 10.9 | (100.0%) | Crypto and DetACT | — | 11.0 | (100.0%) |
| Total Cyber Security revenue | 115.4 | 129.3 | (10.8%) | Total Cyber Security revenue | 115.4 | 128.3 | (10.1%) |
From a Cyber Security revenue trajectory perspective by originating region, the following tables compare H2 2025 performance with H1 2025:
| £m | 6 month period ended 30 September 2025 | 6 month period ended 31 March 2025 | % change at actual rates | £m | 6 month period ended 30 September 2025 | 6 month period ended 31 March 2025 | % change at constant currency¹ |
|---|---|---|---|---|---|---|---|
| UK and APAC | 69.0 | 65.4 | 5.5% | UK and APAC | 69.0 | 65.2 | 5.8% |
| North America | 28.1 | 28.6 | (1.7%) | North America | 28.1 | 28.3 | (0.7%) |
| Europe (excluding Crypto and DetACT) | 18.3 | 18.0 | 1.7% | Europe (excluding Crypto and DetACT) | 18.3 | 18.6 | (1.6%) |
| Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 112.0 | 3.0% | Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 112.1 | 2.9% |
| Crypto and DetACT | — | 11.5 | (100.0%) | Crypto and DetACT | — | 11.7 | (100.0%) |
| Total Cyber Security revenue | 115.4 | 123.5 | (6.6%) | Total Cyber Security revenue | 115.4 | 123.8 | (6.8%) |
Cyber Security revenue analysis – by type of service and capability:
| £m | Year ended 30 September 2025 | 16 month period ended 30 September 2024 | % change at actual rates | £m | Year ended 30 September 2025 | 16 month period ended 30 September 2024 | % change at constant currency¹ |
|---|---|---|---|---|---|---|---|
| Technical Assurance Services (TAS) | 88.4 | 141.4 | (37.5%) | Technical Assurance Services (TAS) | 88.4 | 138.9 | (36.4%) |
| Consulting and Implementation (C&I) | 48.5 | 55.2 | (12.1%) | Consulting and Implementation (C&I) | 48.5 | 54.6 | (11.2%) |
| Managed Services (MS) | 76.4 | 91.8 | (16.8%) | Managed Services (MS) | 76.4 | 91.2 | (16.2%) |
| Digital Forensics and Incident Response (DFIR) | 13.1 | 20.6 | (36.4%) | Digital Forensics and Incident Response (DFIR) | 13.1 | 20.4 | (35.8%) |
| Other services | 12.5 | 33.1 | (62.2%) | Other services | 12.5 | 32.6 | (61.7%) |
| Total Cyber Security revenue | 238.9 | 342.1 | (30.2%) | Total Cyber Security revenue | 238.9 | 333.7 | (28.4%) |
Cyber Security revenue, analysed year on year by service and capability, is as follows:
| £m | Year ended 30 September 2025 | 12 month period ended 30 September 2024 | % change at actual rates | £m | Year ended 30 September 2025 | 12 month period ended 30 September 2024 | % change at constant currency¹ |
|---|---|---|---|---|---|---|---|
| Technical Assurance Services (TAS) | 88.4 | 105.6 | (16.3%) | Technical Assurance Services (TAS) | 88.4 | 104.0 | (15.0%) |
| Consulting and Implementation (C&I) | 48.5 | 42.2 | 14.9% | Consulting and Implementation (C&I) | 48.5 | 41.6 | 16.6% |
| Managed Services (MS) | 76.4 | 74.5 | 2.6% | Managed Services (MS) | 76.4 | 74.3 | 2.8% |
| Digital Forensics and Incident Response (DFIR) | 13.1 | 15.1 | (13.2%) | Digital Forensics and Incident Response (DFIR) | 13.1 | 15.0 | (12.7%) |
| Other services | 1.0 | 1.8 | (44.4%) | Other services | 1.0 | 1.9 | (47.4%) |
| Cyber Security revenue (excluding Crypto and DetACT) | 227.4 | 239.2 | (4.9%) | Cyber Security revenue (excluding Crypto and DetACT) | 227.4 | 236.8 | (4.0%) |
| Crypto and DetACT | 11.5 | 24.0 | (52.1%) | Crypto and DetACT | 11.5 | 23.7 | (51.5%) |
| Total Cyber Security revenue | 238.9 | 263.2 | (9.2%) | Total Cyber Security revenue | 238.9 | 260.5 | (8.3%) |
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
47
Divisional performance continued
Cyber Security continued
Comparing the two halves of the year against their respective prior period comparatives, Cyber Security revenue by service and capability is analysed as follows:
| £m | 6 month period ended 31 March 2025 | 6 month period ended 31 March 2024 | % change at actual rates | £m | 6 month period ended 31 March 2025 | 6 month period ended 31 March 2024 | % change at constant currency¹ |
|---|---|---|---|---|---|---|---|
| Technical Assurance Services (TAS) | 45.6 | 52.9 | (13.8%) | Technical Assurance Services (TAS) | 45.6 | 52.2 | (12.6%) |
| Consulting and Implementation (C&I) | 21.9 | 22.7 | (3.5%) | Consulting and Implementation (C&I) | 21.9 | 22.5 | (2.7%) |
| Managed Services (MS) | 37.7 | 36.9 | 2.2% | Managed Services (MS) | 37.7 | 36.6 | 3.0% |
| Digital Forensics and Incident Response (DFIR) | 6.3 | 7.7 | (18.2%) | Digital Forensics and Incident Response (DFIR) | 6.3 | 7.6 | (17.1%) |
| Other services | 0.5 | 0.5 | — | Other services | 0.5 | 0.6 | (16.7%) |
| Cyber Security revenue (excluding Crypto and DetACT) | 112.0 | 120.7 | (7.2%) | Cyber Security revenue (excluding Crypto and DetACT) | 112.0 | 119.5 | (6.3%) |
| Crypto and DetACT | 11.5 | 13.2 | (12.9%) | Crypto and DetACT | 11.5 | 12.7 | (9.4%) |
| Total Cyber Security revenue | 123.5 | 133.9 | (7.8%) | Total Cyber Security revenue | 123.5 | 132.2 | (6.6%) |
| £m | 6 month period ended 30 September 2025 | 6 month period ended 30 September 2024 | % change at actual rates | £m | 6 month period ended 30 September 2025 | 6 month period ended 30 September 2024 | % change at constant currency¹ |
|---|---|---|---|---|---|---|---|
| Technical Assurance Services (TAS) | 42.8 | 52.8 | (18.9%) | Technical Assurance Services (TAS) | 42.8 | 51.8 | (17.4%) |
| Consulting and Implementation (C&I) | 26.6 | 19.5 | 36.4% | Consulting and Implementation (C&I) | 26.6 | 19.1 | 39.3% |
| Managed Services (MS) | 38.7 | 37.5 | 3.2% | Managed Services (MS) | 38.7 | 37.7 | 2.7% |
| Digital Forensics and Incident Response (DFIR) | 6.8 | 7.4 | (8.1%) | Digital Forensics and Incident Response (DFIR) | 6.8 | 7.4 | (8.1%) |
| Other services | 0.5 | 1.4 | (64.3%) | Other services | 0.5 | 1.3 | (61.5%) |
| Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 118.6 | (2.7%) | Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 117.3 | (1.6%) |
| Crypto and DetACT | — | 10.7 | (100.0%) | Crypto and DetACT | — | 11.0 | (100.0%) |
| Total Cyber Security revenue | 115.4 | 129.3 | (10.8%) | Total Cyber Security revenue | 115.4 | 128.3 | (10.1%) |
From a Cyber Security revenue trajectory perspective by service and capability, the following tables compare H2 2025 performance with H1 2025:
| £m | 6 month period ended 30 September 2025 | 6 month period ended 31 March 2025 | % change at actual rates | £m | 6 month period ended 30 September 2025 | 6 month period ended 31 March 2025 | % change at constant currency¹ |
|---|---|---|---|---|---|---|---|
| Technical Assurance Services (TAS) | 42.8 | 45.6 | (6.1%) | Technical Assurance Services (TAS) | 42.8 | 45.2 | (5.3%) |
| Consulting and Implementation (C&I) | 26.6 | 21.9 | 21.5% | Consulting and Implementation (C&I) | 26.6 | 21.7 | 22.6% |
| Managed Services (MS) | 38.7 | 37.7 | 2.7% | Managed Services (MS) | 38.7 | 37.2 | 4.0% |
| Digital Forensics and Incident Response (DFIR) | 6.8 | 6.3 | 7.9% | Digital Forensics and Incident Response (DFIR) | 6.8 | 6.3 | 7.9% |
| Other services | 0.5 | 0.5 | — | Other services | 0.5 | 0.5 | — |
| Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 112.0 | 3.0% | Cyber Security revenue (excluding Crypto and DetACT) | 115.4 | 111.9 | 3.1% |
| Crypto and DetACT | — | 11.5 | (100.0%) | Crypto and DetACT | — | 11.7 | (100.0%) |
| Total Cyber Security revenue | 115.4 | 123.5 | (6.6%) | Total Cyber Security revenue | 115.4 | 123.6 | (6.7%) |
¹ Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
Financial review continued
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
48
Cyber Security gross profit is analysed as follows:
| £m | Year ended 30 September 2025 | Year ended 30 September 2025 % margin | 16 month period ended 30 September 2024 | 16 month period ended 30 September 2024 % margin | % pts change |
|---|---|---|---|---|---|
| UK and APAC | 54.2 | 40.3% | 72.5 | 41.8% | (1.5%) |
| North America | 16.1 | 28.4% | 18.4 | 20.3% | 8.1% |
| Europe | 18.1 | 37.9% | 27.1 | 34.7% | 3.2% |
| Cyber Security gross profit and % margin | 88.4 | 37.0% | 118.0 | 34.5% | 2.5% |
Cyber Security gross margins increased overall by +2.5 percentage points, driven by improvements in North American and European margins, which reflect ongoing benefits from headcount reduction cost savings/improved utilisation in these markets.
| £m | Year ended 30 September 2025 | Year ended 30 September 2025 % margin | 12 month period ended 30 September 2024 | 12 month period ended 30 September 2024 % margin | % pts change |
|---|---|---|---|---|---|
| UK and APAC | 54.2 | 40.3% | 61.3 | 45.2% | (4.9%) |
| North America | 16.1 | 28.4% | 14.8 | 22.1% | 6.3% |
| Europe | 13.0 | 35.8% | 12.4 | 33.8% | 2.0% |
| Cyber Security gross profit (excluding Crypto and DetACT) | 83.3 | 36.6% | 88.5 | 37.0% | (0.4%) |
| Crypto and DetACT | 5.1 | 44.3% | 9.0 | 37.5% | 6.8% |
| Cyber Security gross profit and % margin | 88.4 | 37.0% | 97.5 | 37.0% | — |
| £m | 6 month period ended 31 March 2025 | 6 month period ended 31 March 2025 % margin | 6 month period ended 31 March 2024 | 6 month period ended 31 March 2024 % margin | % pts change |
|---|---|---|---|---|---|
| UK and APAC | 26.6 | 40.7% | 31.4 | 45.4% | (4.7%) |
| North America | 6.4 | 22.4% | 7.4 | 22.2% | 0.2% |
| Europe | 6.4 | 35.6% | 6.4 | 35.0% | 0.6% |
| Cyber Security gross profit (excluding Crypto andDetACT) | 39.4 | 35.2% | 45.2 | 37.4% | (2.2%) |
| Crypto and DetACT | 5.1 | 44.3% | 3.8 | 29.0% | 15.3% |
| Cyber Security gross profit and % margin | 44.5 | 36.0% | 49.0 | 36.6% | (0.6%) |
| £m | 6 month period ended 30 September 2025 | 6 month period ended 30 September 2025 % margin | 6 month period ended 30 September 2024 | 6 month period ended 30 September 2024 % margin | % pts change |
|---|---|---|---|---|---|
| UK and APAC | 27.6 | 40.0% | 29.9 | 45.0% | (5.0%) |
| North America | 9.7 | 34.5% | 7.4 | 22.0% | 12.5% |
| Europe | 6.6 | 36.1% | 6.0 | 32.6% | 3.5% |
| Cyber Security gross profit (excluding Crypto and DetACT) | 43.9 | 38.0% | 43.3 | 36.6% | 1.4% |
| Crypto and DetACT | — | — | 5.2 | 47.7% | (47.7%) |
| Cyber Security gross profit and % margin | 43.9 | 38.0% | 48.5 | 37.5% | 0.5% |
| £m | 6 month period ended 30 September 2025 | 6 month period ended 30 September 2025 % margin | 6 month period ended 31 March 2025 | 6 month period ended 31 March 2025 % margin | % pts change |
|---|---|---|---|---|---|
| UK and APAC | 27.6 | 40.0% | 26.6 | 40.7% | (0.7%) |
| North America | 9.7 | 34.5% | 6.4 | 22.4% | 12.1% |
| Europe | 6.6 | 36.1% | 6.4 | 35.6% | 0.5% |
| Cyber Security (excluding Crypto and DetACT) | 43.9 | 38.0% | 39.4 | 35.2% | 2.8% |
| Crypto and DetACT | — | — | 5.1 | 44.3% | (44.3%) |
| Cyber Security gross profit and % margin | 43.9 | 38.0% | 44.5 | 36.0% | 2.0% |
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
49
Financial review continued
Divisional performance continued
Escode (discontinued operations)
During the year, the Escode division accounted for 21.8% of Group revenue (16 month period ended 30 September 2024: 20.3%) and 35.0% of Group gross profit (16 month period ended 30 September 2024: 34.0%).
Escode revenue analysis – by originating region:
| £m | Year ended 30 September 2025 | 16 month period ended 30 September 2024 | % change at actual rates | £m | Year ended 30 September 2025 | 16 month period ended 30 September 2024 | % change at constant currency¹ |
|---|---|---|---|---|---|---|---|
| UK | 29.4 | 36.5 | (19.5%) | UK | 29.4 | 36.5 | (19.5%) |
| North America | 32.9 | 45.5 | (27.7%) | North America | 32.9 | 44.3 | (25.7%) |
| Europe | 4.2 | 5.4 | (22.2%) | Europe | 4.2 | 5.3 | (20.8%) |
| Total Escode revenue | 66.5 | 87.4 | (23.9%) | Total Escode revenue | 66.5 | 86.1 | (22.8%) |
Escode revenue, analysed year on year by originating region, is as follows:
| £m | Year ended 30 September 2025 | Year ended 30 September 2024 | % change at actual rates | £m | Year ended 30 September 2025 | Year ended 30 September 2024 | % change at constant currency¹ |
|---|---|---|---|---|---|---|---|
| UK | 29.4 | 28.0 | 5.0% | UK | 29.4 | 28.0 | 5.0% |
| North America | 32.9 | 33.9 | (2.9%) | North America | 32.9 | 33.1 | (0.6%) |
| Europe | 4.2 | 4.1 | 2.4% | Europe | 4.2 | 4.0 | 5.0% |
| Total Escode revenue | 66.5 | 66.0 | 0.8% | Total Escode revenue | 66.5 | 65.1 | 2.2% |
Escode revenue has increased by 2.2% at constant currency (0.8% at actual rates), which has predominantly been driven by favourable price increases and volume during the year within verification services Escode has seen consistent growth for the same reasons when comparing each half of the year, as reflected in theThe following analysis compares the two halves of the year against their respective prior period comparatives, showing Escode revenue by originating region:
| 6 month period ended 31 March 2025 £m | 6 month period ended 31 March 2024 £m | % change at actual rates | 6 month period ended 31 March 2025 £m Constant currency 1 | 6 month period ended 31 March 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| UK | 14.9 | 14.0 | 6.4% | 14.9 | 14.0 | 6.4% |
| North America | 16.4 | 16.8 | (2.4%) | 16.4 | 16.7 | (1.8%) |
| Europe | 2.0 | 2.1 | (4.8%) | 2.0 | 2.0 | — |
| Total Escode revenue | 33.3 | 32.9 | 1.2% | 33.3 | 32.7 | 1.8% |
| 6 month period ended 30 September 2025 £m | 6 month period ended 30 September 2024 £m | % change at actual rates | 6 month period ended 30 September 2025 £m Constant currency 1 | 6 month period ended 30 September 2024 £m | % change at constant currency 1 | |
| UK | 14.5 | 14.0 | 3.6% | 14.5 | 13.9 | 4.3% |
| North America | 16.5 | 17.1 | (3.5%) | 16.5 | 16.5 | — |
| Europe | 2.2 | 2.0 | 10.0% | 2.2 | 2.0 | 10.0% |
| Total Escode revenue | 33.2 | 33.1 | 0.3% | 33.2 | 32.4 | 2.5% |
NCC Group plc — Annual report and accounts for the year ended 30 September 202550
From an Escode revenue trajectory perspective by originating region, the following tables compare H2 2025 performance with H1 2025:
| 6 month period ended 30 September 2025 £m | 6 month period ended 31 March 2025 £m | % change at actual rates | 6 month period ended 30 September 2025 £m Constant currency 1 | 6 month period ended 31 March 2025 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| UK | 14.5 | 14.9 | (2.7%) | 14.5 | 14.9 | (2.7%) |
| North America | 16.5 | 16.4 | 0.6% | 16.5 | 15.5 | 6.5% |
| Europe | 2.2 | 2.0 | 10.0% | 2.2 | 2.1 | 4.8% |
| Total Escode revenue | 33.2 | 33.3 | (0.3%) | 33.2 | 32.5 | 2.2% |
Escode revenues analysed by service line:
| Year ended 30 September 2025 £m | 16 month period ended 30 September 2024 £m | % change at actual rates | Year ended 30 September 2025 £m Constant currency 1 | 16 month period ended 30 September 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Escrow contracts | 43.0 | 57.2 | (24.8%) | 43.0 | 56.5 | (23.9%) |
| Verification services | 23.5 | 30.2 | (22.2%) | 23.5 | 29.6 | (20.6%) |
| Total Escode revenue | 66.5 | 87.4 | (23.9%) | 66.5 | 86.1 | (22.8%) |
Escode revenue, analysed year on year by service line, is as follows:
| Year ended 30 September 2025 £m | 12 month period ended 30 September 2024 £m | % change at actual rates | Year ended 30 September 2025 £m Constant currency 1 | 12 month period ended 30 September 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Escrow contracts | 43.0 | 43.0 | — | 43.0 | 42.5 | 1.2% |
| Verification services | 23.5 | 23.0 | 2.2% | 23.5 | 22.6 | 4.0% |
| Total Escode revenue | 66.5 | 66.0 | 0.8% | 66.5 | 65.1 | 2.2% |
Comparing the two halves of the year against their respective prior period comparatives, Escode revenue by service line is analysed as follows:
| 6 month period ended 31 March 2025 £m | 6 month period ended 31 March 2024 £m | % change at actual rates | 6 month period ended 31 March 2025 £m Constant currency 1 | 6 month period ended 31 March 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Escrow contracts | 22.0 | 22.0 | — | 22.0 | 21.8 | 0.9% |
| Verification services | 11.3 | 10.9 | 3.7% | 11.3 | 10.9 | 3.7% |
| Total Escode revenue | 33.3 | 32.9 | 1.2% | 33.3 | 32.7 | 1.8% |
| 6 month period ended 30 September 2025 £m | 6 month period ended 30 September 2024 £m | % change at actual rates | 6 month period ended 30 September 2025 £m Constant currency 1 | 6 month period ended 30 September 2024 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Escrow contracts | 21.0 | 21.0 | — | 21.0 | 20.7 | 1.4% |
| Verification services | 12.2 | 12.1 | 0.8% | 12.2 | 11.7 | 4.3% |
| Total Escode revenue | 33.2 | 33.1 | 0.3% | 33.2 | 32.4 | 2.5% |
From an Escode service line revenue trajectory perspective the following tables compare H2 2025 against H1 2025 performance:
Strategic report
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 51
Divisional performance continued
Escode (discontinued operations) continued
| 6 month period ended 30 September 2025 £m | 6 month period ended 31 March 2025 £m | % change at actual rates | 6 month period ended 30 September 2025 £m Constant currency 1 | 6 month period ended 31 March 2025 £m | % change at constant currency 1 | |
|---|---|---|---|---|---|---|
| Escrow contracts | 21.0 | 22.0 | (4.5%) | 21.0 | 21.4 | (1.9%) |
| Verification services | 12.2 | 11.3 | 8.0% | 12.2 | 11.1 | 9.9% |
| Total Escode revenue | 33.2 | 33.3 | (0.3%) | 33.2 | 32.5 | 2.2% |
1 Revenue at constant currency is an unaudited Alternative Performance Measures (APMs) and not an IFRS measure. See unaudited Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
Escode gross margin, by originating region, is analysed as follows:
| Year ended 30 September 2025 £m | Year ended 30 September 2025 % margin | 16 month period ended 30 September 2024 £m | 16 month period ended 30 September 2024 % margin | % pts change | |
|---|---|---|---|---|---|
| UK | 20.6 | 70.1% | 24.8 | 67.9 % | 2.2% |
| North America | 23.9 | 72.6% | 32.6 | 71.6% | 1.0% |
| Europe | 3.0 | 71.4% | 3.3 | 61.1% | 10.3% |
| Escode gross profit and % margin | 47.5 | 71.4% | 60.7 | 69.5% | 1.9% |
Escode gross margin, analysed year on year by originating region, is as follows:
| Year ended 30 September 2025 £m | Year ended 30 September 2025 % margin | 12 month period ended 30 September 2024 £m | 12 month period ended 30 September 2024 % margin | % pts change | |
|---|---|---|---|---|---|
| UK | 20.6 | 70.1% | 19.0 | 67.9% | 2.2% |
| North America | 23.9 | 72.6% | 24.1 | 71.1% | 1.5% |
| Europe | 3.0 | 71.4% | 2.3 | 56 .1% | 15.3% |
| Escode gross profit and % margin | 47.5 | 71.4% | 45.4 | 68.8% | 2.6% |
Escode gross margin has increased by +2.6% pts, with UK and North America increasing by +2.2% pts and +1.5% pts respectively and Europe increasing by +15.3%. This is due to the continued benefits arising from previous investments enabling Escode to achieve sustainable revenue growth and gross margin improvements. The improvement in gross margin was driven primarily by favourable price increases and operating efficiencies.
Comparing the two halves of the year against their respective prior period comparatives, Escode gross profit by originating region is analysed as follows:
| 6 month period ended 31 March 2025 £m | 6 month period ended 31 March 2025 % margin | 6 month period ended 31 March 2024 £m | 6 month period ended 31 March 2024 % margin | % pts change | |
|---|---|---|---|---|---|
| UK | 10.2 | 68.5% | 9.5 | 67. 9 % | 0.6% |
| North America | 11.7 | 71.3% | 11.7 | 69.6% | 1.7% |
| Europe | 1.4 | 70.0% | 1.2 | 57.1% | 12.9% |
| Escode gross profit and % margin | 23.3 | 70.0% | 22.4 | 68.1% | 1.9% |
| 6 month period ended 30 September 2025 £m | 6 month period ended 30 September 2025 % margin | 6 month period ended 30 September 2024 £m | 6 month period ended 30 September 2024 % margin | % pts change | |
|---|---|---|---|---|---|
| UK | 10.4 | 71.7% | 9.5 | 67. 9 % | 3.8% |
| North America | 12.2 | 73.9% | 12.4 | 72.5% | 1.4% |
| Europe | 1.6 | 72.7% | 1.1 | 55.0% | 17.7% |
| Escode gross profit and % margin | 24.2 | 72.9% | 23.0 | 69.5% | 3.4% |
Financial review continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202552
When comparing H2 2025 performance to H1 2025, the following table summarises the gross margin trajectory:
| 6 month period ended 30 September 2025 £m | 6 month period ended 30 September 2025 % margin | 6 month period ended 31 March 2025 £m | 6 month period ended 31 March 2025 % margin | % pts change | |
|---|---|---|---|---|---|
| UK | 10.4 | 71.7% | 10.2 | 68.5% | 3.2% |
| North America | 12.2 | 73.9% | 11.7 | 71.3% | 2.6% |
| Europe | 1.6 | 72.7% | 1.4 | 70.0% | 2.7% |
| Escode gross profit and % margin | 24.2 | 72.9% | 23.3 | 70.0% | 2.9% |
Overall Escode gross margin has increased by 2.9% in H2 2025 compared to H1 2025. This is predominantly driven by an improvement in UK and North America Escode which have increased by 3.2% and 2.6% respectively. These improvements continue to reflect an increased shift towards a more global operating model for Escode, following the change in sales team structure during the year.
Individually Significant Items
During the year, the Group has incurred a £1.9m credit in Individually Significant Items (ISIs) (2024: £41.5m) as follows:
| 2025 £m | 2024 £m | |
|---|---|---|
| Fundamental re-organisation costs | 3.9 | 9.4 |
| Costs associated with strategic review of Escode business | 3.8 | 0.1 |
| Costs associated with strategic review of Cyber business | 1.8 | — |
| Profit on disposal of DetACT/DDI | — | (1.5) |
| North America Cyber Security goodwillimpairment | — | 31.9 |
| Transaction costs of Fox Crypto | — | 1.6 |
| Total ISIs (excluding profit on disposal of Fox Crypto) | 9.5 | 41.5 |
| Profit on disposal of Fox Crypto | (11.4) | — |
| Total ISIs | (1.9) | 41.5 |
The £11.4m gain on disposal of Fox Crypto recognised in the year ended 30 September 2025 is calculated as cash consideration of £65.6m, less net assets disposed of £52.3m, and less £2.0m of transaction costs incurred during the year. The difference between the £11.4m gain recorded in the year and the £9.8m overall gain (see Note 31) reflects £1.5m of transaction costs incurred in the 16 month period ended 30September 2024, which are not included in the current year. In addition, £0.1m of TSA income has been accrued during the year. As this represents a material gain on disposal, it has been separately disclosed on the face of the Groups statutory consolidated Income Statement.
ISIs also include £3.9m (2024: £9.4m) of fundamental re-organisation costs as we continue to reshape the Group in line with its strategy, with the current intention to complete the final phase by December 2025. However, this will continue to be monitored as the transformation strategy progresses as we ensure the operating model is market aligned, and delivery is focused to support the underlying Cyber Security business strategy. £3.8m (2024: £0.1m) of professional fees in relation to the ongoing strategic review of Escode have also been incurred during the year. Regarding the strategic review of Cyber (the “Cyber Review”), professional fees of £1.8m (2024: £nil) have been incurred during the year.
Finance costs
The Group’s finance costs (including discontinued operations of £0.1m) for the year ended 30 September 2025 were £5.0m (2024: £8.3m). This annualised reduction in finance costs resulted from the Group’s repayment of external borrowings part way through the year, following the receipt of gross cash proceeds of £65.6m from the completion of the Fox Crypto disposal in March 2025. Finance costs include lease financing costs of £1.1m (2024: £1.7m), with a reduction due to the Group’s property rationalisation.# Strategic report
FY26 finance costs are expected to amount to c£1.8m, following the Group’s expected net cash position.
Taxation
The Group’s effective statutory tax rate is 17.0% (2024: 18.2%), with the Group’s adjusted tax rate is 22.5% (2024: 24.3%).
Earnings/(loss) per share (EPS)
| Year ended 30 September 2025 | 16 month period ended 30 September 2024 | |
|---|---|---|
| Statutory | ||
| Statutory profit/(loss) for the year/period from continuing operations | 17.1 | (32.5) |
| Basic earnings/(loss) per share | 5.6p | (10.4p) |
| Diluted earnings/(loss) per share | 5.5p | (10.4p) |
| Adjusted | ||
| Adjusted profit for the year/period | 14.5 | 10.6 |
| Basic EPS | 4.7p | 3.4p |
| Diluted EPS | 4.6p | 3.4p |
| Weighted average number of shares(million) | ||
| Basic | 307.1 | 311.7 |
| Diluted | 312.3 | 313.2 |
1 See Note 3 of the Consolidated Financial Statements for the composition of how the Group’s statutory profit/(loss) for the year/period is comprised between continuing operations and discontinued operations.
Adjusted basic EPS 1 is reconciled as follows:
| Year ended 30 September 2025 | 16 month period ended 30 September 2024 | |
|---|---|---|
| Statutory profit/(loss) for the year/period | 17.1 | (32.5) |
| Individually Significant Items (Note 4) | 9.5 | 39.9 |
| (Profit on disposal)/transaction costs of Fox Crypto (Note 4) | (11.4) | 1.6 |
| Tax effect of Individually Significant Items | (0.7) | (5.8) |
| North America deferred tax asset derecognition (adjusting item) | — | 7.4 |
| Adjusted profit for the year/period | 14.5 | 10.6 |
1 The table below summarises the Group’s cash flow and net debt 1 (including discontinued operations):
| Year ended 30 September 2025 £m | Year ended 30 September 2024 £m | 16 month period ended 30 September 2024 £m | |
|---|---|---|---|
| Operating cash inflow before movements in working capital | 38.7 | 50.6 | 48.5 |
| Movement in working capital and non-payables | 1.2 | (2.6) | (10.1) |
| Cash generated from operating activities before interest and taxation | 39.9 | 48.0 | 38.4 |
| Interest element of lease payments | (1.1) | (1.6) | (1.7) |
| Finance interest paid | (3.3) | (5.9) | (6.0) |
| Taxation paid | (2.0) | (2.1) | (4.3) |
| Net cash generated from operating activities | 33.5 | 38.4 | 26.4 |
| Purchase of property, plant and equipment | (4.7) | (4.3) | (6.2) |
| Software and development expenditure | (0.4) | (1.3) | (2.6) |
| Acquisition of trade and assets as part of a business combination | — | — | (1.0) |
| Sale proceeds from business disposals | 61.4 | 10.4 | 12.4 |
| Equity dividends paid | (19.0) | (14.5) | (14.5) |
| Repayment of lease liabilities (principal amount) | (6.8) | (7.9) | (10.2) |
| Acquisition of treasury shares | (5.8) | (5.8) | (5.8) |
| Proceeds from the issue of ordinary share capital | 0.3 | 0.3 | 0.3 |
| Net movement | 58.5 | 15.3 | (1.2) |
| Opening net debt (excluding lease liabilities) 1 | (45.3) | (67.5) | (49.6) |
| Non-cash movements (release of deferred issue costs) | (0.5) | (0.5) | (0.6) |
| Foreign exchange movement | 0.4 | 7.4 | 6.1 |
| Closing net cash/(debt) excluding lease liabilities 1 | 13.1 | (45.3) | (45.3) |
| Lease liabilities | (19.5) | (27.6) | (27.6) |
| Closing net debt 1 | (6.4) | (72.9) | (72.9) |
1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
2 The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic review of Escode and strategic review of Cyber costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which includes an explanation of APMs and adjusting items, along with a reconciliation to statutory information. The gain on disposal of Fox Crypto was non-taxable.
| Year ended 30 September 2025 £m | 16 month period ended 30 September 2024 £m | |
|---|---|---|
| Cash and cash equivalents | 16.4 | 29.8 |
| Bank overdraft | — | (13.6) |
| Borrowings (net of deferred issue costs) – continuing operations | (3.3) | (61.5) |
| Net cash/(debt) excluding lease liabilities 1 | 13.1 | (45.3) |
| Lease liabilities | (19.5) | (27.6) |
| Net debt 1 | (6.4) | (72.9) |
Net cash/(debt), excluding lease liabilities, for discontinued and continuing operations is presented below:
| Year ended 30 September 2025 £m | 16 month period ended 30 September 2024 £m | |
|---|---|---|
| Net cash/(debt) excluding lease liabilities 1 – continuing operations | 9.2 | (47.3) |
| Net cash excluding lease liabilities 1 – discontinuing operations | 3.9 | 2.0 |
| Net cash/(debt) excluding lease liabilities 1 | 13.1 | (45.3) |
| Net debt 1 | (6.4) | (72.9) |
Net debt 1 can be reconciled as follows:
| Year ended 30 September 2025 £m | 16 month period ended 30 September 2024 £m | |
|---|---|---|
| Net decrease in cash and cash equivalents (inc. bank overdraft) | (1.0) | (18.4) |
| Change in net debt 1 resulting from cash flows (net of deferred issue costs) | 59.2 | 17.2 |
| Release of deferred issue costs | (0.5) | (0.6) |
| Issue costs related to borrowings (non-cash) | 0.3 | — |
| Effect of foreign currency on cash flows | 1.2 | 2.3 |
| Foreign currency translation differences on borrowings | (0.8) | 3.8 |
| Change in net debt 1 during the year/period | 58.4 | 4.3 |
| Net debt 1 at start of period excluding lease liabilities | (45.3) | (49.6) |
| Net cash/(debt) 1 at end of period excluding lease liabilities | 13.1 | (45.3) |
| Lease liabilities | (19.5) | (27.6) |
| Net debt 1 at end of year/period | (6.4) | (72.9) |
1 Net cash/(debt) and Net cash/(debt) excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
The reduction in net debt is predominantly driven by the completion of the Fox Crypto disposal in March 2025, where the Group received sale proceeds (net of cash disposed of) of £61.4m. This amount has been utilised to reduce the Group’s borrowings during the year.
The calculation of the cash conversion ratio 1 is set out below:
| Year ended 30 September 2025 £m | Year ended 30 September 2024 £m | 16 month period ended 30 September 2024 £m | |
|---|---|---|---|
| Operating cash flow before interest and taxation | 39.9 | 48.0 | 38.4 |
| Adjusted EBITDA 1,2 | 43.7 | 49.7 | 51.6 |
| Cash conversion ratio 1,2 (%) | 91.3% | 96.6% | 74.4% |
1 Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
2 The Group reports only one adjusted item: Individually Significant Items (which includes the £11.4m profit on disposal of Fox Crypto and £9.5m of fundamental re-organisation, strategic review of Escode and strategic review of Cyber costs). For further details, please refer to unaudited Appendix 1 and this Financial Review, which includes an explanation of APMs and adjusting items, along with a reconciliation to statutory information.
Cash conversion has improved by 16.9% pts to 91.3% as at 30 September 2025 (when compared to the previous audited period), primarily driven by stronger performance in the second half of the year and favourable movements in the Group’s working capital, reflecting improved collectability. For reference, cash conversion was 62.3% in H1 2025 and 119.4% in H2 2025.
Cash capital expenditure during the period was £5.1m (2024: £8.8m), which includes tangible asset expenditure of £4.7m (2024: £6.2m) and capitalised software and development costs of £0.4m (2024: £2.6m). Following the opening of our new Fox-IT office in October 2025, the Group incurred £1.6m of tangible capital expenditure during the year to fit out the premises and make the office operational.
During the year, the Company acquired treasury shares (4,000,000 ordinary shares) for £5.8m, this follows shares (4,000,000 ordinary shares) purchased in the prior period 2024 for £5.8m. The shares are held in the EBT, which is a discretionary trust for the benefit of the Group’s colleagues. The shares will be used to satisfy the future vesting requirements of share plans the Company operates under the Long Term Incentive Plan, the Restricted Share Plan and other discretionary share plans. Following this purchase, and as at 30 September 2025, the EBT holds a total of 8,485,195 ordinary shares (2024: 5,158,090), equating to 2.69% of the Company’s issued share capital.
As announced on 21 October 2025, the Board will commence an initial share buy-back programme in December 2025/January 2026. This will becarried out under our existing shareholder authority and in line with our capital allocation policy, as well as all relevant legal and regulatory requirements. Our current dividend policy will remain unchanged by the share buy-back programme.
Dividends
During the year, total dividends of £9.2m were recognised and paid (2024: £14.5m). In addition, the interim dividend of £9.8m for the period ended 30 September 2024 (3.15p per share) was recognised in the prior period and paid during the year on 1 October 2024. The Board is proposing a final dividend of 3.15p per ordinary share for the year ended 30 September 2025, as it remains mindful of the continued need to invest in the Group’s strategy, marking 20 consecutive years of dividend payments for shareholders.The final dividend of 3.15p per ordinary share, which, together with the interim dividends of 1.50p and 1.50p per ordinary share paid on 4 April 2025 and 1 August 2025 respectively, makes a total dividend of 6.15p for the year ended 30 September 2025. The final dividend will be paid on 10 April 2026, subject to approval at the AGM on 3 March 2026, to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026. The dividend has not been included as a liability as at 30 September 2025. The payment of this dividend will not have any tax consequences for the Group.
Looking forward to FY26, we will measure ourselves against the following goals:
Guy Ellis
Chief Financial Officer
11 December 2025
The Board is committed to high standards of corporate governance and is pleased to confirm that throughout the year ended 30 September 2025, the Company complied with all relevant provisions of the UK Corporate Governance Code other than the fact that we have not undertaken a formal Board and Committee evaluation (the reasons why are set out below). A key focus of the Code is culture and ensuring it aligns with the Group’s purpose, strategy and values. Culture has been high on the Board’s agenda for a long time and the Board considers culture to be an essential ingredient in meeting our long-term, sustainable returns to all stakeholders. The Board, the Executive Committee and senior management continue to promote our culture and standards throughout the business and lead by example to provide a strong corporate governance framework.
One of the most significant parts of the Code affecting NCC Group is in respect of workforce engagement. Our main stakeholder is our colleagues and we continue to maintain meaningful mechanisms to ensure that we, as a Board, have constructive and regular dialogue with our dedicated and committed workforce. This then puts us in a strong position to deliver our strategy. During the year, Julie Chakraverty, Senior Independent Director and designated Non-Executive Director for workforce engagement, has been continuing to reach out to colleagues across the business. As a people business, insights from our colleagues are invaluable; therefore, colleague engagement is a crucial area for us to continue to focus on and continue to get right. We have not let distance or differing time zones be a barrier to hearing our colleagues’ opinions around the Board table.
The Directors have acted in a way they consider, in good faith, to be most likely to promote the long-term success of the Company. Our role as the Board is to set the strategy of the Group and ensure that management operates the business in accordance with our priorities. We believe this approach will promote the Group’s long-term success and our customers’ interests as well as creating value for shareholders and having regard to our other key stakeholders such as our colleagues. The Board’s intention is to hand over the business to our successors in a better and more sustainable position for the future. We recognise the continued focus on the contribution that a successful company can make to wider society in general, in addition to generating value for shareholders, and as a Board we want to ensure that we have effective engagement with, and encourage participation from, shareholders and other stakeholders. The Board acknowledges that there are competing priorities for different stakeholders but strives to balance the priorities, while ensuring decisions made are in the best interests of the Company.
The biographies of all the Board members can be found on pages 62 and 63. There have been no changes to the Board during the year. With regard to our current diversity, I am satisfied that we have an appropriately diverse Board in terms of experience, skills and personal attributes among our Board members. The Directors have many years of experience gained across a variety of industries and sectors, ensuring a mix of views and providing a broad perspective.
Dear Shareholder
On behalf of the Board, I am pleased to present the Corporate Governance Report for the year ended 30 September 2025. Throughout the year the Board has worked cohesively as a team and I would like to thank each Director for their wise counsel and continued efforts during this time. The Board is composed of highly skilled and experienced Directors from a diverse range of industries and backgrounds, all of whom contribute towards the long-term success of the Company and show commitment and enthusiasm in the performance of their roles and duties. I would like to thank all of my Board colleagues for their commitment, support and flexibility over the past year.
We now meet as a Board predominantly face to face, but we still use virtual meetings for shorter update meetings or when we need to meet at short notice. This continued hybrid way of working has enabled us to maintain strong governance and robust decision making, delivering against our strategy. We had the opportunity during the year to hold a number of Board dinners either the night before or following Board meetings. This informal time together as a Board, which often has other colleagues from across the business in attendance, allows us to talk matters through and also fosters a culture of team and togetherness away from the more formal setting of the boardroom.
The Board is committed to creating and maintaining a culture where strong levels of governance thrive throughout the organisation, specifically ensuring that we send out consistent messages on our values and principles for our colleagues, our customers, our suppliers and our advisers.
Chris Stone
Non-Executive Chair
We recognise that we still have some progress to make in terms of improving the diversity of the Board and our executive team (and indeed our workforce as a whole). During the year ended 31 May 2021, we made the firm commitment that by 2024, we will have at least 33% female representation on our Board and at least one person of colour. We have now delivered on our commitment and are also on course to meet the FTSE Women Leaders Review and Listing Rules target of 40% female representation by the end of 2025. Although this is best practice for FTSE 350 companies, we have committed to this target regardless of which share index we are in. Our Board now has 43% female representation (three out of seven) and we will look to improve this further still during any future appointments to the Board.
Improvements in diversity are often not a quick process but we are very mindful of the need to take positive action, and the matter continues to remain high on our agenda, as can be seen with the progress we have made over recent years. Accessing the candidates we require to reach this target will involve us looking beyond the obvious pool of existing board directors within the UK and we intend to ensure that we extend our talent search to other sectors and countries enabling us to find a diverse pool of candidates from which to choose to provide us with true diversity around our Board table.
To confirm, as at 30 September 2025, we complied with the following:
* At least 40% of the individuals on our Board of Directors are women.
* At least one of the senior positions on our Board of Directors is held by a woman (our Senior Independent Director).
* At least one individual on our Board of Directors is from a minority ethnic background.
As Chair, I am responsible for providing leadership to ensure that the Board operates effectively. I have been supported in this by all the Directors, but in particular our Senior Independent Director (Julie Chakraverty). The annual reviews of Board effectiveness help the Board to consider how it operates and how its operations can be improved.
This year, we have not undertaken a formal review of the Board and its Committees. Building on our inaugural externally facilitated Board evaluation in 2023, we undertook a comprehensive internally facilitated Board and Committee evaluation in 2024, where we took significant time to discuss the output and agree actions in January 2025. We felt that we wanted further time to embed the actions from previous evaluations into how we operate and work together as a Board and felt that pausing the formal review process for a year was a sensible course of action.
In addition, a significant amount of Board time and focus was taken up by a number of strategic considerations, as well as being in an “offer period” since mid-July 2025. We concluded that undertaking a Board and Committee evaluation process at this time would not be appropriate, given the significant level of activity currently underway.# Governance
In reaching this decision, the Board considered the importance of maintaining focus on critical strategic and operational priorities during a period of heightened activity. While evaluations are an integral component of good governance and support continuous improvement, the timing of such a process must ensure that it adds value rather than creating unnecessary burden or distraction. The Board remains committed to undertaking a comprehensive evaluation when circumstances allow, in line with best practice. Our intention is for our next review to be externally facilitated and we will look to undertake this during 2026. As a reminder, Board succession planning remains a priority, particularly as we look to ensure the Board and Executive Committee have the right set of skills and experience to support the Group as the business evolves.
| 2017 | 2018 | 2019 | 2020 | 2021 | 2022 | 2023 | 2024 | 2025 | |
|---|---|---|---|---|---|---|---|---|---|
| 30 September: |
We are in regular contact with our large investors through a scheduled programme of meetings attended by our CEO, CFO and Chair. Julie Chakraverty (Senior Independent Director), Lynn Fordham (Audit Committee Chair) and Jennifer Duvalier (Remuneration Committee Chair) are also available to meet with investors should the need arise. In May 2025, we hosted an immersive experience to help our shareholders and analysts, along with other industry professionals from insurance brokers and financial services, to understand how we would help clients respond to cyber incidents. Particular highlights during the year were NCC Group winning the IR Society award for “Best IR Programme 2024 (Small Cap)”, and also being shortlisted for the IR Society award for “Best Communication of Sustainability 2024 (Small Cap)”. I continue to meet with our larger investors and report my findings to Board colleagues. Investor engagement has remained a priority throughout the year and has been conducted in full compliance with Offer Period regulations. In addition, our brokers have undertaken investor surveys following the half-year results, and the findings were presented and discussed at a Board meeting. Our objective is to maintain open, transparent, and meaningful dialogue with our shareholders. Ensuring that the Directors’ remuneration packages align the Directors’ and senior managers’ interests with the long-term interests of NCC Group and its shareholders is always a key area of interest for investors. The 2024 Directors’ Remuneration Policy received 89.61% of votes in favour at the 2025 AGM, and it was pleasing that our 2024 Directors’ Remuneration Report received 80.33% of votes in favour, recognising the continued appreciated support of our shareholders for our approach to executive remuneration.
The Company measures itself against the requirements of the UK Corporate Governance Code 2018 (the “Code”), which is available on the Financial Reporting Council website (www.frc.org.uk). I can confirm that the Board has applied the principles and complied with the provisions of the UK Corporate Governance Code 2018 throughout the year to 30 September 2025 other than the fact that we have not undertaken a formal Board and Committee evaluation for the reasons explained earlier.
Thank you
We are immensely proud of our colleagues for their continuing extraordinary efforts, always acting in the best interests of our customers and our stakeholders. I would like to thank all our colleagues for their incredible contribution in stepping up and meeting the challenges that the Group has faced over the past year.
Chris Stone
Non-Executive Chair
11 December 2025
| Mike Maddison | Guy Ellis | Chris Stone | Lynn Fordham | Julie Chakraverty | Jennifer Duvalier | Mike Ettling | |
|---|---|---|---|---|---|---|---|
| 8 years 6 months | 3 years 3 months | 2 years 3 months | 3 years 9 months | 7 years 5 months | 8 years 0 months | 3 years 1 month |
NCC Group plc — Annual report and accounts for the year ended 30 September 202560
The different parts of the Company’s governance framework are shown below, with a description of how they operate and the linkages between them.
Remuneration Committee: Responsible for determining the overall remuneration of the Executive Directors and the remuneration of senior managers (ExCom) within the broader institutional context of remuneration practice. Read more on pages 81 to 93
Board (The Board has collective responsibility to promote the long-term sustainable success of the Group, ensuring due regard is paid to the interests of its stakeholders.)
For further details on Board composition and division of responsibilities, see pages 64 to 69
Governance NCC Group plc — Annual report and accounts for the year ended 30 September 2025 61
Our business is led by our Board of Directors. Biographical and other details of the Directors are as follows:
During the year a number of Directors took on additional appointments outside of their role with NCC Group. The Board considered these appointments and concluded that these appointments did not conflict with NCC Group, and the Director would have sufficient time to devote to NCC Group following the additional appointments, and that the appointments did not result in the Directors concerned being “overboarded”.
View our Executive Committee: nccgroupplc.com/our-board-executive-committee/
Other Directors during the year
No other Directors served on the Board during the year.
Non-Executive Chair
Chief Executive Officer
Chief Financial Officer
NCC Group plc — Annual report and accounts for the year ended 30 September 202562
Senior Independent Non-Executive Director (and designated Non-Executive Director for workforce engagement)
Independent Non-Executive Director
Independent Non-Executive Director
Independent Non-Executive Director (and lead Non-Executive Director for Sustainability)
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 63
The Board has agreed a clear division of responsibilities with the responsibilities of the Chair, Chief Executive Officer, Chief Financial Officer, Senior Independent Director and other Directors clearly defined so that no individual has unrestricted powers of decision and no small group of Directors can dominate the Board’s decision making.
| Role | Responsibilities |
|---|---|
| Chair of the Board (Chris Stone) | Is responsible for the running and leadership of the Board, setting its agenda and ensuring its effectiveness in all aspects of its role, and promoting a culture of openness, debate and the highest standards of corporate governance. The Chair, in conjunction with the CEO and other Board members, plans the agendas, which are issued with the supporting Board papers in advance of the Board meetings. These supporting papers provide appropriate information to enable the Board to discharge its duties, which include monitoring, assessing and challenging the executive management of the Group. |
| Chief Executive Officer (Mike Maddison) | Together with the senior management team (ExCom), is responsible for the day-to-day running of the Group’s business, implementing the strategy and policies approved by the Board, and regularly providing performance reports to the Board. The role of CEO is separate from that of the Chair to ensure that no one individual has unfettered powers of decision. |
| Chief Financial Officer (Guy Ellis) | Works closely with the CEO with specific responsibility for all financial matters, including Group accounting policies, financial control, tax and treasury management, risk management and financial probity. The CFO is also accountable for the transparency and appropriateness of management information and key performance indicators, internally and externally. |
| Senior Independent Director (Julie Chakraverty) | Provides a sounding board for the Chair and serves as an intermediary for other Directors, colleagues and shareholders when necessary. The main responsibility is to be available to the shareholders should they have concerns that they have been unable to resolve through normal channels or when such channels would be inappropriate. |
| Non-Executive Directors (Jennifer Duvalier, Mike Ettling and Lynn Fordham) | Bring experience and independent judgement to the Board. Maintain an ongoing dialogue with the Executive Directors, which includes constructive challenge of performance and the Group’s strategy. |
| Designated Non-Executive Director for engagement with the workforce (Julie Chakraverty) | Leads on Board engagement with the workforce (please see separate section on page 14). |
| Company Secretary (Jonathan Williams) | Ensures good information flows within the Board and its Committees and between senior management and Non-Executive Directors. The Company Secretary is responsible for facilitating the induction of new Directors and assisting with their professional development as required. All Directors have access to the advice and services of the Company Secretary to enable them to discharge their duties as Directors. The Company Secretary is responsible for ensuring that Board procedures are complied with and for advising the Board via the Chair on governance matters. The appointment and removal of the Company Secretary is a matter for the Board as a whole. |
| No. of Board members | % of the Board | No. of senior positions on the Board (CEO, CFO, SID, Chair) | No. in executive management (ExCom) | % of executive management | |
|---|---|---|---|---|---|
| Men | 4 | 57% | 3 | 5 | 71% |
| Women | 3 | 43% | 1 | 2 | 29% |
| Not specified/prefer not to say | — | — | — | — | — |
| No. of Board members | % of the Board | No. of senior positions on the Board (CEO, CFO, SID, Chair) | No. in executive management (ExCom) | % of executive management | |
|---|---|---|---|---|---|
| White British or other White (including minority White groups) | 5 | 72% | 3 | 6 | 86% |
| Mixed/multiple ethnic groups | — | — | — | — | — |
| Asian/Asian British | 1 | 14% | 1 | 1 | 14% |
| Black/African/Caribbean/Black British | — | — | — | — | — |
| Other ethnic group, including Arab | — | — | — | — | — |
| Not specified/prefer not to say | 1 | 14% | — | — | — |
NCC Group plc — Annual report and accounts for the year ended 30 September 202564
The Board considers that each Director is able to allocate sufficient time to the Company to discharge their responsibilities effectively. The Non-Executive Directors are contracted to spend a minimum of 24 days per annum on the Group’s affairs, and the Chair 60 days. A summary of each current Director’s attendance at meetings that they were eligible to attend of the Board and its Committees during the financial year ended 30 September 2025 is shown below. Unless otherwise indicated, all Directors held office throughout the year. For the avoidance of doubt, no concerns have been raised about the attendance record of any Directors, nor their continued commitment to their work and NCC Group.# Board Audit Nomination Cyber Security Remuneration
Chris Stone | 8 | 9 | 1 | N/A | 1 | 1 | * | 1 | 1 | N/A
Mike Maddison | 9 | 9 | N/A | N/A | N/A | N/A | | | |
Guy Ellis | 9 | 9 | N/A | N/A | N/A | N/A | | | |
Lynn Fordham | 9 | 9 | 4 | 4 | * | 1 | 1 | 1 | 1 | 5 | 5
Julie Chakraverty | 9 | 9 | 3 | 4 | 2 | 1 | 1 | 1 | 1 | * | 4 | 5 | 2
Jennifer Duvalier | 9 | 9 | N/A | 1 | 1 | 1 | 1 | 5 | 5 | * | | |
Mike Ettling | 9 | 9 | 4 | 4 | N/A | N/A | N/A | N/A | | |
At all times, all of the Board and Committee meetings remained quorate.
Meetings attended Possible meetings
* Committee Chair
N/A Director is not required to attend the meeting, but may have attended by invitation.
1 Was unable to make one meeting due to an important personal matter that could not be rearranged.
2 Unable to make one Committee meeting because of a pre-existing business commitment (scheduled before NCC Group set its Board and Committee meeting dates) that could not be rearranged.
What principal decisions have been made and what have we looked at as a Board during 2024/25?
Section 172 of the Companies Act 2006 requires a director of a company to act in the way they consider, in good faith, would most likely promote the success of the company for the benefit of its members as a whole, but having regard to a range of factors set out in section 172(1)(a)–(f) of the Companies Act 2006. In discharging our section 172 duty, we have regard for these factors, taking them into consideration when decisions are made. The Board understands the importance of stakeholder engagement and, through regular updates from the Executive Directors and other senior managers, it has provided challenge and oversight throughout the year. The Company’s stakeholders are set out on pages 14 and 15, with an overview of how we engage with them, how they relate to our strategy and highlights from the previous year.
Throughout this Annual Report, we have provided examples of how we have thought about the likely consequences of long-term decisions and detailed below is how the Board considered stakeholders, and the information we received through engagement, in a number of its key decisions in 2024/25. When making each decision, the Board carefully considered how it impacted on the success of the Group and its long-term (financial and non-financial) impact and had due regard to the other matters set out in section 172(1)(a)–(f) of the Companies Act 2006. The below should be read in conjunction with our Stakeholder Engagement section on pages 14 and 15, along with other sections of the Annual Report where appropriate.
| Topic | Stakeholder group | Decision taken | Engagement process | Reference |
|---|---|---|---|---|
| Approving a new four year £120m multi-currency revolving credit facility | Colleagues, shareholders, clients, suppliers | During the year, the decision was taken to approve a new four year £120m multi-currency revolving credit facility (RCF), with a £50m uncommitted accordion option, provided by a syndicate of four banks. The new RCF facility will expire on 28 April 2029 and replaces the Group’s previous RCF, which had an expiry date of 22 December 2026. | We communicated the new RCF via an RNS announcement. | Strategic Report on page 38 |
The new RCF will provide our stakeholders with the reassurance that NCC Group has appropriate and sufficient financial facilities through to April 2029, along with the financial flexibility and means to pursue its strategy both now and in the coming years.
Governance NCC Group plc — Annual report and accounts for the year ended 30 September 2025 65
At every meeting the Board reviews the minutes from the previous meeting and the status of any outstanding actions. Colleague engagement is a standing agenda item presented by Julie Chakraverty as our designated Non-Executive Director for workforce engagement. The CEO and CFO present their monthly performance update reports, which are also circulated to Board members in months where there is no scheduled Board meeting.
The Board has also reviewed the following during 2024/25:
All Directors have access to the advice and services of the Company Secretary and Directors are entitled to take independent professional advice if necessary, at the expense of the Company.
The Companies Act 2006 requires Directors to avoid situations where they have, or could have, a direct or indirect interest that conflicts or potentially conflicts with the interests of the Company. The Company’s Articles of Association require any Director with a conflict or potential conflict to declare this to the Board. That Director will not then be involved in the discussions relating to the proposal, transaction, contract or arrangement in which they have an interest, unless agreed otherwise by the Directors of the Company in the limited circumstance specified in the Articles of Association, nor will they be counted in the quorum or be permitted to vote on any issue in which they have an interest. Directors are required to inform the Board without delay should they be aware of any actual or potential conflicts of interest and a check on conflicts is undertaken each year with a report to the Board.
Board composition and division of responsibilities continued NCC Group plc — Annual report and accounts for the year ended 30 September 2025 66
Julie Chakraverty is the Board’s designated Non-Executive Director to lead the Board’s colleague engagement programme and is committed to understanding the views of our colleagues and ensuring they are incorporated into the Board’s decision-making process. In addition, there is also opportunity for colleagues to ask any questions they have on executive remuneration and how this aligns with the wider Company pay policy. Prior to meeting with Julie at one of the engagement sessions, colleagues are introduced to Julie via our internal social channels where she explains her role through a video and written communications. Julie has access to these channels to enable her to engage fully outside of the formal events. We were keen to build on the momentum generated in previous years and Julie is sometimes joined by our Chair, Chris Stone, or other Non-Executive Directors, to meet colleagues, all of whom are invited from below the mid-management level and all parts of the business to ensure diversity of thought. We ensure that no one has their line manager in either the physical or the virtual room to ensure they can speak freely and tell Julie what is on their mind. Feedback from each session’s participants is shared anonymously to the Board and to our CEO. This enables action to be taken, further strengthening the value of listening. Colleagues attending are invited to give their feedback and, so far, results have been positive and valued.
As required by the Code, at least 50% of the Board, excluding the Chair, are Independent Non-Executive Directors. The Board comprises two Executive Directors, four Independent Non-Executive Directors and the Non-Executive Chair.# Governance
As described earlier, this year we have not undertaken a formal review of the Board and its Committees. Building on our inaugural externally facilitated Board evaluation in 2023, we undertook a comprehensive internally facilitated Board and Committee evaluation in 2024, where we took significant time to discuss the output and agree actions in January 2025. We felt that we wanted further time to embed the actions from previous evaluations into how we operate and work together as a Board and felt that pausing the formal review process for a year was a sensible course of action. Our intention is for our next review to be externally facilitated and we will look to undertake this during the 2026 calendar year.
As a reminder, Board succession planning remains a priority, particularly as we look to ensure the Board and Executive Committee have the right set of skills and experience to support the Group as the business evolves. As a reminder, a number of observations and recommendations were noted from previous evaluations, which are detailed below.
| Area | Recommendation/observation # NCC Group plc — Annual report and accounts for the year ended 30 September 2025
The Board has ultimate responsibility for ensuring that business risks are effectively managed. The Board has delegated regular review of the risk management procedures to the Cyber Security Committee in relation to cyber risks, and to the Audit Committee in relation to all other risks. The Board reviews the overall risk environment on at least an annual basis. The day-to-day management of business risks is the responsibility of the Executive Committee (“ExCom”).
Internal control
The Group has a system of internal controls which aims to support the delivery of the Group’s strategy by managing the risk of failing to achieve business objectives and to protect the stewardship of the Group’s assets. As with all such systems, the goal is to manage risk within acceptable parameters, rather than to eliminate risk entirely. The Group can therefore only provide reasonable and not absolute assurance that the business objectives and asset stewardship will be delivered successfully. In addition, the Group insures against various risks, but certain risks remain difficult to insure, due to the breadth and cost of cover. In some cases, external insurance is not available at all, or at least not at an economically viable price. The Group regularly reviews both the type and amount of external insurance that it buys in conjunction with its insurance brokers. For a more detailed review of risk management processes, the principal risks faced by the Group and their mitigation, see pages 29 to 37.
The Audit Committee is responsible for reviewing the effectiveness of the risk management and internal control systems. The steps it takes in relation to the review are set out on page 74. The Audit Committee makes recommendations to the Board on the effectiveness of risk management and internal controls, which the Board considers, together with reports from the Cyber Security Committee, in forming its own view on the effectiveness of the risk management and internal control systems.
During the year ended 30 September 2025, the Board reviewed the effectiveness of the Group’s risk management and internal control systems together with internal control findings issued by our auditor. We confirm that the processes outlined above and on page 74 have been in place for the year under review and up to the date of this Annual Report and Accounts, and that these processes accord with the UK Corporate Governance Code and the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting.
While we have had a number of improvements identified through our internal audit reports issued throughout the year, management has agreed the required actions and is working to close these down. We report on these regularly to the Audit Committee and are working with local management to continuously improve controls and processes across the business.
Executive remuneration
During the year, we operated within the Remuneration Policy approved by shareholders. Details of how the Remuneration Policy has been applied during this financial year are set out on pages 81 to 93 of the Remuneration Committee Report.
69 NCC Group plc — Annual report and accounts for the year ended 30 September 2025
The Company’s issued share capital at 30 September 2025 consists of 315,006,079 ordinary shares of 1p each. There are no special control rights or restrictions on share transfer or special rights pertaining to any of the shares in issue and the Company does not have preference shares. As far as is reasonably known to the Board, the Company is not directly or indirectly owned or controlled by another company or by any government.
Communications with shareholders are given high priority. There is a regular dialogue with institutional investors including presentations after the Company’s year end and half-year results announcements. A programme of meetings takes place throughout the year with major institutional shareholders, and private shareholders have the opportunity to meet the Board face to face and ask questions at the AGM. We are in regular contact with our large investors through a regular scheduled programme of meetings attended by either our CEO or CFO or both of them. Julie Chakraverty, our Senior Independent Director, and I are also available to meet with investors should the need arise. After meeting our larger investors, I feed back my findings to Board colleagues at the next Board meeting. In addition, our brokers undertake investor surveys on the back of our half and full-year results and the results of these were presented and discussed at Board meetings. Our aim is to engage with our shareholders in an open and meaningful way.
During the financial year, the Directors held a number of meetings with shareholders as set out below.
| Board shareholder updates | |
|---|---|
| Feedback from major institutional shareholders is provided to the Board | on a regular basis and, where appropriate, the Board takes steps to address their concerns and recommendations. |
| Investor meetings | |
| One-to-one meetings | 157 |
| Group meetings | 40 |
As at 30 September 2025, the Company had been notified of the following interests of 3% or more in the issued share capital of the Company under the UK Disclosure and Transparency Rules:
| Shareholder | Number of ordinary shares | % of NCC Group’s total share capital |
|---|---|---|
| Aberforth Partners | 40,057,799 | 12.72% |
| Richard Griffiths | 32,671,106 | 10.37% |
| Odyssean Investment Trust | 20,000,000 | 6.35% |
| BlackRock | 18,312,987 | 5.81% |
| Vanguard Group | 15,624,408 | 4.96% |
| Harwood Capital | 15,362,500 | 4.88% |
| First Trust Advisors | 15,299,695 | 4.86% |
| NFU Mutual | 13,151,529 | 4.18% |
| Artemis Investment Management | 10,888,638 | 3.46% |
| Kestrel Partners | 9,932,261 | 3.15% |
| Canaccord Wealth (Inst) | 9,750,000 | 3.10% |
| Schroder Investment Management | 9,471,825 | 3.01% |
There were no changes to the above notified to the Company between 30 September 2025 and 11 December 2025.
For details of Directors’ shareholdings, remuneration and interests in the Company’s shares and options, together with information on service contracts, see pages 81 to 93 of the Directors’ Remuneration Report.
The AGM is an opportunity for shareholders to vote on certain aspects of Group business and provides a useful forum for one-to-one communication with private shareholders. At the AGM shareholders receive presentations on the Company’s performance and may ask questions of the Board. The Chair seeks to ensure that the Chairs of the Audit, Remuneration, Nomination and Cyber Security Committees are available at the meeting to answer questions and all Directors attend. The Company prepares separate resolutions on each substantially separate issue to be voted upon at the AGM. The result of the vote on each resolution is published on the Company’s website after the AGM and will be announced via the regulatory information service.
At the 2025 AGM, shareholders representing over 65% of the Company’s issued share capital returned their proxy votes.
On behalf of the Board
Chris Stone
Non-Executive Chair
11 December 2025
NCC Group plc — Annual report and accounts for the year ended 30 September 202570
In April 2025, the role of the Director of Global Governance was extended to include Procurement and Estates. As a result, to ensure independence from operational functions, the role of Chief Audit Executive (CAE) transferred to the Head of Risk and Assurance. Attendance during the year of individual Audit Committee members is shown in the table on page 65.
The table below summarises the significant accounting issues, judgements and estimates considered by the Committee during the year in relation to the Financial Statements. These are categorised as either recurring items the Committee regularly reviews or current year focus areas. The table also indicates the level of judgement or estimation applied to each item. Items with a “low” judgement level typically have extensive independent third party evidence, while those requiring “high” judgement rely more on management estimates and historical trends than third party evidence.# Audit Committee Report
Goodwill carrying value: N/A
Discontinued operations and held-for-sale classification: Low
Goodwill carrying value: High
Discontinued operations and held-for-sale classification: N/A
During the year, the Committee reviewed and considered the following areas in respect of financial reporting and the preparation of the interim and annual Financial Statements:
In carrying out this review the Committee challenged the significant estimates and judgements made by the Group’s finance team and considered the external auditor’s reports setting out its views on the accounting treatments and judgements included in the Financial Statements.
I am pleased to present the Audit Committee Report for the year ended 30 September 2025 to explain how we have discharged our responsibilities with an overview of our principal activities and their outcomes.
I have been Chair of the Audit Committee since 1 September 2022 and I am a Chartered Accountant with diverse sector experience across listed companies, private equity and financial services in several disciplines including risk management, internal control and financial reporting. I am also currently Chair of NewRiver REIT plc and Pollen Street Group and Non-Executive Director of Enfinium Group. From 17 September 2025, I became a Special Adviser to the Board of Domino’s Pizza Group, having stepped down from the Board as the Senior Independent Director at the same date. The Board therefore considers that I have the recent and relevant financial experience required by the Code.
Mike Ettling, Julie Chakraverty and I all served on the Committee throughout the period. All members of the Committee are considered to be independent, and the Committee as a whole continues to have competence in the technology sector. Summary biographies of each member of the Committee are included on pages 62 and 63.
The purpose of the Audit Committee is to provide oversight of an organisation’s financial reporting, internal controls and compliance with laws and regulations, ensuring transparency and accountability in financial operations on behalf of the Board. The Committee also provides a forum for reporting by the external auditor. Cyber risk and controls are considered by the Cyber Security Committee. A full copy of the Committee’s terms of reference can be found in the Investor Relations section of the Group’s website.
The terms of reference for the Committee require at least three meetings per year. During this financial year, the Committee met four times. As well as the members of the Committee, standing invitations are given to the Company Chair, the other Independent Non-Executive Directors, the Chief Executive Officer, the Chief Financial Officer, the SVP, Group Finance and the SVP, Global Governance, Procurement and Estates, with other attendees also attending by invitation. The external auditor also attends each meeting. During the year, the Committee held meetings with the external auditor and the SVP, Global Governance, Procurement and Estates and the Head of Risk and Assurance without the Executive Directors and management being present.
Lynn Fordham
Chair, Audit Committee
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 71
| Committee responsibilities | Activities during the year # Fair value less costs to sell
In accordance with IAS 36, during the year ended 30 September 2025, tests for impairment are based on the calculation of a fair value less costs to sell (FVLCTS) which has been used to establish the recoverable amount of the CGU. The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on Adjusted EBITDA¹, and applying a reasonable market multiple on the calculated sustainable earnings. Estimated sustainable earnings have been determined taking into account past experience and includes expectations based on a market participant view of maintainable performance of the business based on market volatility and uncertainty as at 30 September 2025. The sustainable earnings input is a level 3 measurement; level 3 measurements are inputs which are normally unobservable to market participants. The sustainable earnings figures used in this calculation include key assumptions regarding sustainable revenues and costs for the business. If the assumptions and estimates used in this valuation prove to be incorrect, the carrying value of goodwill may be overstated. During this year, the Committee has reviewed the Group’s latest available forecasts, along with its ongoing execution of the new strategy and management’s future action plans, as part of its consideration of the utilised sustainable earnings figures. The Group incurs certain overhead costs in respect of support services provided centrally to the CGUs. Such support services include Finance, Human Resources, Legal, Information Technology and additional central management support in respect of stewardship and governance. In calculating sustainable earnings these overhead costs have been allocated to the CGUs based on the extent to which each CGU has benefited from the services provided. This allocation is primarily based on the time spent by the relevant central department in supporting each CGU, informed by headcount or another reasonable proxy where available. Where possible, specific cost allocations have been applied. The methodology remains consistent with the prior period to ensure the allocation reflects the Group’s operating model. The Adjusted EBITDA¹ multiple used in the calculations is based on an independent third party assessment of the implied enterprise value (from a market participant perspective as at 30 September 2025) of each CGU based on a population of comparable companies and precedent transactions. The estimated cost to sell was based on other recent transactions that the Group has undertaken. The Committee reviewed the FVLCTS calculations, including the sustainable earnings assumptions and the applied multiple. This review considered independent third-party valuations as at 30 September 2025, which reflect a market participant view of business performance in light of prevailing market volatility and uncertainty.
The Committee assessed the recoverable amount of each CGU using fair value less costs to sell as at 30 September 2025, after applying the methodology described above. The Committee concurred with management’s view that, in all cases, the recoverable amount exceeded the carrying amount and, accordingly, no impairment losses were recognised for the year ended 30 September 2025. Sustainable earnings include a key assumption regarding the achievement of forecast revenue within each CGU assessment. The Committee reviewed the sensitivity analysis prepared by management, focusing on reasonably possible changes to this key revenue assumption. In particular, the Committee considered the impact of a 10% shortfall in forecast revenue (after factoring in controllable variable cost reductions and maintaining margins) and concurred with management’s view that, under this scenario, the recoverable amount of each CGU would continue to exceed its carrying amount, and no material impairment would arise.
Under IFRS 5, a disposal group is classified as held for sale when management is committed to a plan to sell, the asset is available for immediate sale in its present condition, the sale is highly probable and expected to complete within 12 months, and the disposal group is measured at the lower of its carrying amount and fair value less costs to sell. During the year, the Group committed to a plan to dispose of its Escode business, which met the above criterion and has therefore been classified as held for sale as at 30 September 2025. Management determined the sale to be highly probable and expected to complete within 12 months. Accordingly, assets of £198.0m and associated liabilities of £39.8m relating to the Group’s Escode business have been presented as held for sale as at 30 September 2025. The Committee reviewed and concurred with management’s assessment of the held-for-sale classification, including the appropriateness of the measurement basis and related disclosures.
Under IFRS 5, a disposal Group is classified as a discontinued operation when:
* It is a component of the entity
* It has either been disposed of or is classified as held for sale
* It represents a separate major line of business or geographical area of operations, or is part of a single co-ordinated plan to dispose of such a component
Escode represents a major line of business within one of the Group’s two reportable segments, contributing 21.8% of Group revenue (2024: 20.3%) and 35.0% of Group gross profit (2024: 34.0%). Given Escode also met the criteria for classification as held for sale at 30 September 2025 (as described above), the Committee reviewed and concurred with management’s assessment that the requirements for discontinued operations were satisfied as at 30 September 2025, including the adequacy of all related disclosures.
¹ Adjusted EBITDA are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and the Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
In considering the materiality of any individual issue or issues in aggregate, the Group looks at a range of qualitative and quantitative measures to assess whether omitting, misstating or obscuring information could reasonably be expected to influence decisions that the primary users of general-purpose Financial Statements make on the basis of those Financial Statements. The range of measures includes (but is not limited to) the primary Financial Statements themselves, the individual line item in question, and whether the issue moves the result from one side of an inflection point to another (for example, turning a profit into a loss or a net asset into a net liability). Qualitative and quantitative measures are both considered, as is any potential impact on remuneration or banking arrangements such as debt covenants.
The risk and assurance function is responsible for internal audit, and the provision of assurance in relation to financial, operational and quality systems and processes. The team is responsible for supporting the implementation of risk management across the business and monitors the implementation of related action plans. During the year, 19 internal audit reports were issued to the Audit Committee covering a range of risk areas including but not limited to key financial controls, backup controls, HR and payroll processes, including IR35, expenses and business cases. The Audit Committee maintains an ongoing review of the risk and assurance function, which reports directly into the Chair of the Committee. The Committee is responsible for approving the content and coverage of the Internal Audit Plan, which documents the links to the Group’s strategic risks, key controls and associated assurance coverage. In addition, the risk and assurance team has a co-source arrangement as required for IT specialist audits and also utilises the cyber experts from within the business. The members of the risk and assurance team are all qualified in ACA, ACCA, CIMA, or hold the CIIA qualification. The Internal Audit Plan also includes time for the continual professional development of the team. The work of the risk and assurance function is a regular standing agenda item at all Committee meetings where a full update is provided including updates on audit and assurance activities, progress against the Internal Audit Plan, and commentary and tracking of the implementation of agreed management actions to address deficiencies in an expedited manner. All internal audit reports are provided to the PwC external audit team and discussed during regular catch-up meetings. The Internal Audit Plan is reviewed to ensure continued relevance, or is adjusted to the current environment taking a risk-based approach. In FY25, the risk and assurance team has carried out a gap analysis against the 2024 CIIA Standards and commissioned an external quality assessment which is required once every five years. The output will be shared with the Audit Committee in early FY26.
The Board is responsible for establishing, maintaining and monitoring the Group’s system of risk management and internal control and reviewing its effectiveness. The Committee monitors the performance of management in this area. We have an ongoing process for identifying, evaluating and managing the principal risks faced by the Group, which has been in place for the year under review and is deemed effective up to the date of approval of the Annual Report and Accounts.# Audit Committee Report
The Group’s non-Cyber Security risks are monitored by the Audit Committee on behalf of the Board, which sets aside time for an in-depth discussion of notable or changing risks to the business. A description of the process for managing risk, together with a description of the principal risks and strategies to manage those risks, is provided on pages 29 to 37. Cyber risks are reviewed by the Cyber Security Committee; the Cyber Security Committee Report can be found on pages 79 and 80.
Internal control systems are designed to meet the needs of the Group and the risks to which it is exposed. By their nature, however, internal control systems are designed to manage rather than eliminate the risk of failure and can provide only reasonable but not absolute assurance against material misstatement or loss.
Key elements of the risk management and internal control system are described below.
The external auditor regularly reports its findings on those areas of internal control which it assesses as part of the external audit to the Board and the Audit Committee.
Our internal control effectiveness is assessed through the performance of regular checks, which in the year ended 30 September 2025 included:
Following these regular checks, it was deemed that the controls were effective and the internal control systems are designed to meet the needs of the Group and its risks.
Compliance with the revised Corporate Governance Code is being reviewed with a dry run planned for FY26. This will be discussed with the Audit Committee and progress updates communicated throughout FY26.
The Group operates a confidential reporting and whistleblowing procedure (known as our “whistleblowing policy”). The policy aims to support the stewardship of the Group’s assets and the integrity of the Financial Statements as well as protecting colleague welfare. The procedure is reviewed annually by the Committee to ensure that it remains fit for purpose.
The Group has appointed an independent third party reporting agent to be the first point of contact for those who do not wish to use normal internal line management channels for reporting their concerns. This is advertised both internally, via colleague noticeboards and our intranet, and externally on the website. Colleagues are asked to undertake mandatory training on an annual basis including a reminder on the Code of Ethics policy and the whistleblowing helpline. The Committee reviews any whistleblowing or confidential reporting of concerns raised during the year with respect to their nature, scale and any associated or consequential risks.
For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year.
The Committee is responsible for overseeing the relationship with the external auditor, including recommending to the Board their appointment, reappointment and removal, assessing their independence on an ongoing basis and approving the statutory audit fees.
The Committee notes the publication in May 2023 of the FRC’s Audit Committees and the External Audit: Minimum Standard. In making these recommendations the Committee considers:
PwC were appointed as the Group’s external auditors during the 16-month period ended 30 September 2024. The current audit engagement partner has now served for two periods.
As part of the Board’s responsibility to ensure the integrity of the Company’s financial reporting and audit processes, the Audit Committee undertook a review of the effectiveness of the external audit.
PwC is engaged to express an opinion on the Financial Statements. It reviews the data contained in the Financial Statements to the extent necessary to express its opinion. It discusses with management the reporting of results and the financial position of the Company and presents findings to the Committee. Where it makes recommendations in its report to the Committee, the Committee reviews them and agrees with management the manner and extent to which they should be implemented.
Each of the Directors in office at the date of this report is not aware of any relevant information that has not been made available to PwC and each Director has taken steps to be aware of all such information and to ensure it is available to PwC. PwC’s audit report is published on pages 99 to 103.
The Audit Committee confirms that the Company has complied with the provisions of the Statutory Audit Services for Large Companies Market Investigation Order 2014 during the financial year. The Committee received a formal statement of independence from the external auditor.
The Committee recognises the importance of ensuring that the independence and objectivity of the external auditor is not impaired through the provision of non-audit services. We have in place robust policies on the use of auditors for non-audit work. Additionally, the Audit Committee’s approval is also required for any fees for any non-audit work undertaken by the auditor.
During the year, the Group paid PwC £80,000 (2024: £80,000) for its review of the interim Financial Statements and £2,000 (2024: £2,000) for access to a generic online accounting manual (both of which are non-audit services). These represented 5.1% (2024: 4.9%) of the total audit fees. No other non-audit services were provided by the external auditor.
All significant pieces of non-audit work are put to informal tender to suitable parties that, if appropriate, can include the external auditor. Upon review as to suitability and price, the work will then be placed with the service provider recommended. If this is the external auditor, then Audit Committee approval is required. The external auditor was not engaged during the year to provide any services which may have given rise to a conflict of interest. The Committee is satisfied that the overall levels of audit and non-audit fees are not material relative to the income of the external auditor as a whole and therefore that the objectivity and independence of the external auditor were not compromised.
During the year, our external auditor received ad hoc Cyber Security services in the ordinary course of business, totalling £13,431 (2024: £151,861). The Committee is satisfied that this work is immaterial and provided on normal commercial terms to both the external auditor and the Company and therefore the objectivity and independence of the external auditor are not compromised.
Since its appointment, PwC has been fully engaged with both management and the Audit Committee to ensure a smooth and effective implementation of the audit. This has included:
• Engagement with management: Feedback from management indicates that PwC has adopted a thorough and collaborative approach to understanding the business’s operations, processes and risk areas. During the financial year, I attended regular meetings with PwC’s engagement partner without management being present. This provided the opportunity for open dialogue. The engagement partner demonstrated her understanding of the Group’s business risks and the consequential impact on the Financial Statements. The Audit Committee will continue to closely monitor PwC’s performance throughout the audit period and conduct a post-audit review to assess its effectiveness in delivering a high quality and independent audit. In line with the UK Corporate Governance Code, the Audit Committee will continue to monitor the effectiveness of the external audit process annually, ensuring that the Company’s auditor continues to meet the highest standards of independence, audit quality and service.
Governance NCC Group plc — Annual report and accounts for the year ended 30 September 2025 75
The following process was followed by the Committee in making its assessment:
At the request of the Board, the Committee considered whether the 2025 Annual Report and Accounts, when taken as a whole, was fair, balanced and understandable (FBU) and whether it provided the necessary information for shareholders to assess NCC Group’s position and performance, business model and strategy. The reviews outlined in the diagram below include reviews of all material matters, as reported elsewhere in this Annual Report and Accounts, and reviews of the balance of good and bad news and ensure the Annual Report and Accounts correctly reflects:
The independent reviewers were not major contributors to the Annual Report and Accounts but, at the same time, as members of the Executive Committee or other senior colleagues, are deemed to be sufficiently well informed on the Group’s activities to be able to give appropriate feedback on the FBU criteria. They undertake a qualitative review of disclosures and internal consistency throughout the Annual Report and Accounts. The Directors’ statement on an FBU Annual Report and Accounts is set out on page 98.
Lynn Fordham
Chair, Audit Committee
11 December 2025
Audit Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 76
for the Board to effectively support the Company’s strategy both in the immediate future and over several years. The Committee’s efforts in succession planning played a crucial role in recruitment activities over the years. In the forthcoming year, the Committee will continue to prioritise the establishment of suitable succession plans for various timeframes.
Our objective is to have a broad range of skills, backgrounds, experiences and personal attributes within the Board as this ensures the Board is best placed to serve the Company. All appointments are made on merit and against objective criteria with due regard for the benefits of diversity on the Board, including gender identity, nationality and educational and professional background, as well as individual characteristics which will enhance diversity of thinking on the Board.
NCC Group and the Committee value the aims and objectives of the FTSE Women Leaders Review (formerly the Hampton-Alexander Review on FTSE women leaders) and the Parker Review on ethnic diversity of UK boards and support and apply the Group’s diversity policy. The Committee is also mindful of the Group’s diversity policy when making appointments to the Board Committees (Audit, Cyber Security, Nomination and Remuneration), ensuring an appropriate range of backgrounds across Committee members to enhance quality decision making.
The Group’s gender diversity statistics are set out on page 19. At Board level, we currently have three females, one of whom is a person of colour; however, we note that diversity extends beyond the measurable statistics of gender and ethnicity. We continue to take diversity in its wider context into account, having regard to the diversity policy, and recommend only the most appropriate candidates for appointment to the Board.
During the year ended 31 May 2021, we made the firm commitment that by 2024, we would have at least 33% female representation on our Board and at least one person of colour. In 2022 we delivered on our commitment and we will also meet the FTSE Women Leaders Review target of 40% by the end of 2025. Although this is best practice for FTSE 350 companies, we have committed to this target regardless of which share index we are in. Our Board now has 43% female representation.
We remain focused on ensuring diversity within our leadership population and will continue to address this during future Board and Executive Committee appointments. Improvements in diversity are often not a quick process; however, we are very mindful of the need to continue to take positive action, and the matter remains an ongoing priority on our agenda. Accessing the candidates we require to reach this target will involve us looking beyond the obvious pool of existing board directors within the UK and we are committed to ensuring that we extend our talent search to other sectors and locations globally to ensure we find a diverse pool of candidates to provide us with true diversity of thought, culture and lived experience, around our Board table.
When a new Director is appointed, they receive a full, formal and tailored induction into the Company and discuss with the Chair to identify any immediate and longer-term training requirements. The Committee’s terms of reference can be found in the Investor Relations section of the Company’s website. The terms of reference are reviewed annually and updated when necessary.
During this financial year, the Committee held one scheduled meeting. The attendance of individual Committee members at Nomination Committee meetings is shown in the table on page 65. The members of the Nomination Committee are Julie Chakraverty, Jennifer Duvalier and Lynn Fordham, along with me.
The Nomination Committee’s objectives and responsibilities
The Nomination Committee is responsible for reviewing the size, structure, balance, composition and progressive refreshing of the Board and its Committees and as such its duties include:
The Chair of the Board leads the process for the appointment of new Non-Executive Directors to the Board and for the appointment of the Chief Executive Officer. The Chief Executive Officer, in conjunction with the Chair, leads the process for the Chief Financial Officer. The Senior Independent Director leads the process for a new Chair of the Board.
In relation to an appointment to the Board, the Committee draws up a specification and assesses the capabilities and experience required for such a role, taking into account the Board’s existing composition, including relevant experience and understanding of our stakeholder groups. We also assess the time commitment required. Candidates are sought by third party executive search consultants and, where appropriate, through the assessment of internal candidates and are then formally considered by the Nomination Committee. Extensive external referencing is also completed.
The Committee is tasked with overseeing the succession planning process and providing recommendations to the Board.# Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 77
Chris Stone
Chair, Nomination Committee
It adopts a long-term perspective on succession planning, consistently evaluating Board tenure and diversity (with an emphasis on gender, cultural background and experience), and identifying the skills necessary for the evolving needs of the Group.
During the year, the Committee:
During the year, the Nomination Committee has had an in-depth presentation from the Chief People Officer, focused on leadership, succession planning and talent management and development, informed by insights from our data analysis and the external environment. These presentations looked at the overall current position, and in particular senior succession, i.e. the Executive Committee and its direct reports.
This year the Committee has had a number of presentations and updates on various colleague matters across the Group, including:
To support the ambition and our commitment to improving global diversity, we continue to focus on:
For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year.
During the year, no external search agencies were engaged.
Chris Stone
Chair, Nomination Committee
11 December 2025
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 78
The Cyber Security Committee is responsible for assessing the performance of the Group’s internal security and defences and as such its duties are to:
The Committee’s terms of reference can be found in the Investor Relations section of the Company’s website. The terms of reference are reviewed annually and updated when necessary.
The Cyber Security Committee was formed to focus specifically on the cyber and data protection risks faced by the Group. This reflects the significant threat posed by cyber risks, the nature of our business and the potential damage to the business as a high value target for malicious acts. The Committee’s activities aim to challenge and support improvements to the Group’s information security and data protection policies, defences and controls, so as to comply with global data protection regulations around the world, and ensure that the Group looks after its own information, and the information that its customers entrust to it, with the proper care and attention.
The Committee was formed in November 2016 and I have been Chair since July 2022. Jennifer Duvalier and Lynn Fordham (both Independent Non-Executive Directors) served as members of the Committee throughout the year. Chris Stone (Company Chair) is also a member of the Committee. The Group’s SVP, Global Governance, Estates and Procurement, the Director of Internal Security (DIS), and the Group General Counsel (also Head of Data Governance) (GC) are standing invitees of the Committee. The Executive Directors are invited to attend Committee meetings when the Committee considers it to be appropriate, as are the Data Protection and Governance Officers.
Julie Chakraverty
Chair, Cyber Security Committee
Governance NCC Group plc — Annual report and accounts for the year ended 30 September 2025 79
For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year.# Cyber Security Committee report
During the year the Committee, along with the Board, reaffirmed that Cyber Security and data protection are sufficiently important risks for the business and that the Committee should remain focused on this specific set of risks. Therefore, the current structure in which the responsibility for broader risk management remains with the Audit Committee will continue.
The continuing focus, in terms of Cyber Security, was ensuring the risks to the Group remained well documented and the types of threats and attacks were well understood, building on a risk analysis which was performed during the year before to ensure cyber risks map to the enterprise risk architecture, and the work of the Global Technical Services (GTS) security team was tailored to the highest value areas.
Training has been a critical area once again this year, with an increased emphasis on identifying phishing emails as this is an attack vector that is frequently observed. All colleagues now partake in monthly phishing exercises that cycle through difficulty levels to target different attacker sophistication, with educational assistance sent out post-exercise to help identify suspicious elements of an email that may indicate a phishing attack. Board training and updates on developments within Cyber Security are also provided regularly.
Turning to data protection, the regulatory landscape is continually evolving – this past year saw regulatory updates including the Data (Use and Access) Act 2025 (UK), the phased implementation of certain aspects of the European Union Artificial Intelligence Act (EU AI Act), and changes to Australia’s Privacy Act coming into effect, to name a few. The data protection and governance team, along with colleagues in the Group legal team, is working closely to stay abreast of such changes and support the business accordingly. The team has also continued to experience a number of Data Subject Rights Requests it receives as individuals become more aware of their rights under GDPR.
Noteworthy highlights since our previous report include:
Following last year’s work on the standard terms and conditions, further work has been done to strengthen the Group’s data protection position in client contracts through updates to the data processing agreements. Additionally, appendices have been drafted for each service line. This provides clarity to clients and ensures a tailored and commercial approach.
During this financial year, although the Committee only met once, meetings were held in September 2024 and October 2025 in the weeks just preceding and following the financial year. The attendance of individual Committee members at the Cyber Security Committee meetings is shown in the table on page 65.
Julie Chakraverty
Chair, Cyber Security Committee
11 December 2025
Cyber Security Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
80
During the year ended 30 September 2025, the Committee reviewed and benchmarked both the CEO’s and CFO’s salary. The Committee increased the CEO’s base salary by 2.5% taking Mike’s salary from £561,350 to £575,384, with effect from 1 June 2025, which was slightly lower than the increase for the wider workforce (circa 2.9%).
After due deliberation, the Committee agreed to increase Guy Ellis’s base salary by 9.6% from £312,000 to £342,000 with effect from 1 June 2025. As a reminder, on appointment (in June 2023), Guy’s salary was set somewhat below the benchmark level (against similar sized peers operating in IT services and adjacent sectors). Since then, Guy has not just settled into the role but has exceeded expectations with positive engagement with shareholders and significant contribution to various initiatives. For these reasons we felt it was appropriate to award an above workforce rate increase. Alongside this increase, the Committee also increased Guy’s notice period from 6 to 12 months, recognising his contribution to the business and the need to retain him for the medium to long term.
For the forthcoming financial year, the Committee has taken the decision to increase Guy’s salary by a further 9.6% from £342,000 to £375,000, with effect from 1 October 2025. The Committee was very mindful that this increase follows shortly after the previous increase. However, since the departure of the CIO, Guy is now also responsible for the Global Technical Services (GTS) function. This is a significant change and step up in Guy’s scope of responsibilities for which the Committee wanted to ensure he was appropriately remunerated. It is anticipated at this stage that future increases for Guy will be aligned to those for the workforce.
The annual bonus targets for the year ended 30 September 2025 for both the CEO and CFO were based on the satisfaction of stretching financial and strategic targets. The financial target of Group Adjusted operating profit for the year to 30 September 2025 had a weighting of 60%. Group Adjusted operating profit was £23.7m and this resulted in a payout of 24.8% of the 60%. The strategic objectives had a weighting of 40% and covered a number of areas supporting the pillars of the strategy, together with people and operational excellence objectives. The Committee determined that the strategic element should pay out at 36.5% for the CEO, and 40% for the CFO. Further detail on performance against strategic objectives is provided later in the report. This resulted in a total bonus for the year of 61.3% for the CEO and 64.8% for the CFO of maximum resulting in a bonus payout of £433,719 for the CEO and £260,820 for the CFO.
For both the CEO and CFO, 35% of the aggregate bonus in excess of £50,000 earned over the year to 30 September 2025 will be deferred into shares and will vest after two years. Clawback and malus provisions are also in place for the bonus. The Committee considered whether it should exercise any discretion to the bonus outcomes. The Committee concluded that the aggregate outcomes from the financial and the strategic, non-financial elements were a fair reflection of the performance in the relevant areas, and the Committee therefore decided not to exercise any discretion.
For 2025/26, the Committee has considered the weighting of metrics in the annual bonus. The Committee concluded that the weighting on the Group Adjusted operating profit should be maintained at 60% of maximum, to continue to give appropriate emphasis to this metric. The remaining 40% will apply to key strategic metrics, with stretching targets. These will include targets linked to the pillars of the strategy, together with people and operational excellence objectives. These will be fully disclosed in the Remuneration Report for 2025/26.
On behalf of your Board, I am pleased to present our Directors’ Remuneration Report (DRR) for the year ended 30 September 2025. The report is divided into three sections: the Remuneration Committee Chair’s Statement, a brief summary of the shareholder approved Directors’ Remuneration Policy for the period 2025–2028, and the Annual Report on Remuneration for FY25. At the AGM in January 2025, 80.33% of shareholders voted in favour of the Directors’ Remuneration Report and 89.61% of shareholders voted in favour of the Directors’ Remuneration Policy, and I would like to thank shareholders for their continuing support on both these areas.
The Committee comprised Julie Chakraverty, Lynn Fordham and me as Chair. Our Board Chair, Chris Stone, also attended all meetings. Our remuneration consultants, Chief People Officer, Director of Reward and Benefits, CEO and other Executives, including the SVP, Group Finance, were invited to meetings as required, although we always ensure that we have time without Executives present, and no Executive was present when decisions relating to their own reward were made. The Committee closely monitors shareholder guidance and feedback on remuneration. Shareholder voting on AGM remuneration resolutions is reviewed annually, shareholders are consulted when changes to policy are being considered and major shareholders have the opportunity to provide annual feedback to the Board and Remuneration Committee on NCC Group’s remuneration approach at annual engagement meetings.
Throughout the year ended 30 September 2025, we operated both within the Remuneration Policy that was approved by shareholders at the AGM in November 2021 (until 28 January 2025), and then the Remuneration Policy that was approved by shareholders at the AGM in January 2025 (from 28 January 2025). The main changes to our Remuneration Policy were summarised within the 2024 Remuneration Report, along with information as to how we dealt with our change in year end from 31 May to 30 September, and how we dealt with a longer 16 month accounting period to 30 September 2024.
Jennifer Duvalier
Chair, Remuneration Committee
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
81
During the year ended 30 September 2025, no LTIP awards were made to either the CEO or CFO.# Remuneration Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 82
The Directors’ Remuneration Policy was approved by shareholders at the AGM on 28 January 2025 and our approach to implementing this for our Executive Directors can be found below:
| Element | Approach | Approach for FY25 | Approach for FY26 |
|---|---|---|---|
| Salary | Reviewed annually taking into account Group and personal performance. Increases are normally in line with the wider workforce but also take into account other factors such as changes to responsibility, development and complexity of the role. | Salaries from 1 October 2024: • Mike Maddison (CEO) – £561,350 • Guy Ellis (CFO) – £312,000 until 1 June 2025, £342,000 from 1 June 2025 |
Salaries from 1 October 2025: • Mike Maddison (CEO) – £575,384 • Guy Ellis (CFO) – £375,000 |
| Benefits | Benefits principally include private medical insurance, income protection and life assurance. | As per the policy. No change for FY26. | As per the policy. No change for FY26. |
| Pension | Pensions for FY25 were in line with the maximum employer contribution available to the majority of the workforce. | Pensions in line with the workforce rate of 4.5% of salary. No change for FY26. | Pensions in line with the workforce rate of 4.5% of salary. No change for FY26. |
| Annual bonus | Maximum annual bonus of 125% of salary. 35% of any bonus payment in excess of £50,000 is normally deferred into shares or nominal cost share options which vest after a two year period. Malus and clawback provisions apply. | Maximum annual bonus of 125% of salary. Performance measures: • 60% Adjusted operating profit • 40% strategic objectives |
Maximum annual bonus of 125% of salary. Performance measures: • 60% Adjusted operating profit • 40% strategic objectives No change for FY26. |
| Long Term Incentive Plan | Maximum annual award levels: • Mike Maddison (CEO) – 175% of base salary • Guy Ellis (CFO) – 150% of base salary Awards have a performance period of at least three years and are normally subject to a further holding period of two years. Malus and clawback provisions apply. |
For FY25, neither of the Executive Directors were granted awards. LTIP awards are expected to be made in December 2025/ January 2026 during the financial year ending 30 September 2026, which will be for performance period 1 October 2025 to 30 September 2028. | LTIP awards are expected to be made in December 2025/ January 2026 during the financial year ending 30 September 2026, which will be for performance period 1 October 2025 to 30 September 2028. |
| Shareholding requirement | 200% of salary. Post-cessation shareholding guidelines of 200% of salary for year one and 100% of salary for year two after stepping down as an Executive Director. | As per the policy. No change for FY26. | As per the policy. No change for FY26. |
| Performance measure | Threshold (20%) | Target (40%) | Maximum (60%) | Actual | Weighting | Outcome achieved |
|---|---|---|---|---|---|---|
| Adjusted operating profit | £23.1m | £25.6m | £29.1m | £23.7m | 60% | 24.8% |
| Strategic | Strategic | Strategic | Strategic | See page 86 | 40% | CEO – 36.5% CFO – 40.0% |
| Total | 100% | CEO – 61.3% CFO – 64.8% |
| Performance measure | Threshold (15% vesting) | Target (50% vesting) | Maximum (100% vesting) | Actual | Weighting | Outcome achieved |
|---|---|---|---|---|---|---|
| Adjusted EPS growth | 6% | N/A | 18% | (31%) | 60% | 0% |
| Cash conversion | 80% | 85% | 90% | 92% | 20% | 20% |
| TSR Median | N/A | Upper quartile | Lower quartile | 20% | 0% | |
| Total | 100% | 20% |
Governance
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 83
This part of the report has been prepared in accordance with Part 3 of The Large and Medium-sized Companies and Groups (Accounts and Reports) (Amendment) Regulations 2013 as amended and 9.8.8R of the Listing Rules. The following report will be subject to an advisory shareholder vote at the AGM, which is scheduled to be held on 3 March 2026. The information on pages 81 to 93 has been audited where indicated.
This section sets out how the Remuneration Policy was implemented in 2024/25. The key implementation decisions during the year related to:
Further detail on these decisions, together with other information on payments made to Directors, is set out in the following sections.
The detailed emoluments received by the Executive and Non-Executive Directors for the year ended 30 September 2025 are below. For ease of comparison, a 12 month period to 30 September 2024 has also been shown (these figures are, however, unaudited, with the audited figures being the 16 month period to 30 September 2024).
As reported in the 2024 Directors’ Remuneration Report, for the LTIP awards made in June 2024, the Committee proposed an uplift to the award opportunity for all long-term incentive participants of four months to allow for a smoother transition between LTIP grants given the change to the accounting reference date. In the future, awards will be granted in January with the performance period starting on 1 October. Our next cycle of LTIP awards is scheduled to take place in either December 2025 or January 2026. The performance period for these LTIP awards will be 1 October 2025 to 30 September 2028. The 2022 LTIP (in which only the CEO participated) vested at 20% of maximum. This was based on the cash conversion element (weighting 20%) being achieved in full, but with below-threshold achievement of the EPS growth and TSR metrics. The Committee considered whether any downward discretion should be applied to the overall vesting outcome. It concluded that it remained important to recognise and continue to incentivise strong levels of cash conversion and that it would not be appropriate to apply discretion to the payment outcome given the relatively low weighting on this element. The Committee also considered NCC Group’s underlying performance and the experience of both our shareholders and wider workforce.
Non-Executive Director and Chair’s fees
In accordance with our Remuneration Policy, the fees for Non-Executive Directors were reviewed by the Company Chair, CEO and CFO, based on data provided by our remuneration consultants. After careful consideration, it was determined that these would be increased by 5% during 2024/25 with the increases being effective 1 October 2024. This was against benchmarked data and the fact that Non-Executive Directors had not had any increases to base fees since 1 June 2022. The base fee was increased from £51,500 to £54,000.
The Remuneration Committee also conducted a review of the fees for the Board Chair, utilising data provided by our remuneration consultants. After careful consideration, it was determined that these would be increased by 5% during 2024/25 with the increases being effective 1 October 2024. This was against benchmarked data and the fact that the Chair fee had not had any increases since 1 June 2022. The base fee was increased from £154,500 to £162,225. In addition, in December 2025 the Committee increased the Chair’s base fee by 2.5% taking Chris’s fee from £162,225 to £166,280, with effect from 1 October 2025, which was slightly lower than the increase for the wider workforce (circa 2.9%).
Details of these fees and allowances are given in the Annual Report on Remuneration on page 92.
We remain committed to broadening share ownership throughout the Group, both as a reward and a retention tool. During the year, we made further grants to over 170 colleagues under our Restricted Share Plan (RSP) in January 2025, and in July 2025 made an inaugural grant to all colleagues, around 120, in the Philippines who had passed their probation period. In addition, we also offered colleagues the opportunity to participate in our Save As You Earn/stock purchase share plans in the UK, the US, Canada, the Netherlands, Australia, Spain and (for the first time) the Philippines. Once again, these proved popular with high take-up levels. The Group also continues to operate and actively promote the Share Incentive Plan (SIP) for UK-based colleagues, further increasing our commitment to cost effective colleague share ownership.
There are a number of existing channels of communication with colleagues with regard to NCC Group’s remuneration policies and executive remuneration. Our engagement survey enables colleagues to provide feedback confidentially on many employment issues, including remuneration. Our designated NED for workforce engagement also held a number of colleague engagement sessions during the year in which colleagues were invited to provide feedback and comments on any issue, including executive remuneration and broader remuneration policies. In particular, a question and answer discussion is always held on executive remuneration and how this aligns with the wider Company pay policy. Our designated NED also reminds colleagues where the information can be located and answers any questions as they arise. The Committee also receives regular feedback from the Chief People Officer and the Director of Reward and Benefits on how colleagues perceive our remuneration policies and practices in the context of recruitment, retention and motivation. This information is used by the Committee in its monitoring and development of remuneration policies.
The 2025 Directors’ Remuneration Report will be put to the usual annual advisory vote at the AGM on 3 March 2026. The Committee is committed to engagement and transparency and I welcome the opportunity for discussion of the Group’s remuneration with shareholders, at our AGM or at any other time during the year, and look forward to your continuing support.
Jennifer Duvalier
Chair, Remuneration Committee
11 December 2025# Remuneration Committee report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 84
| Director | Period ended | Salary/ Non-Executive Director fees £000 | Benefits £000 | Pension benefits £000 | Total fixed pay £000 | Annual bonus £000 | Long-term incentive £000 | Total variable pay £000 | Total £000 |
|---|---|---|---|---|---|---|---|---|---|
| Chris Stone | 30 Sept 2025 | 171 | — | — | 171 | — | — | — | 171 |
| 12 months to 30 Sept 2024 | 163 | — | — | 163 | — | — | — | 163 | |
| 16 months to 30 Sept 2024 | 217 | — | — | 217 | — | — | — | 217 | |
| Mike Maddison | 30 Sept 2025 | 566 | 7 | 26 | 599 | 434 | 127 | 561 | 1,160 |
| 12 months to 30 Sept 2024 | 550 | 7 | 24 | 581 | 582 | — | 582 | 1,163 | |
| 16 months to 30 Sept 2024 | 710 | 14 | 32 | 756 | 757 | — | 757 | 1,513 | |
| Guy Ellis 8 | 30 Sept 2025 | 322 | 6 | 14 | 342 | 261 | — | 261 | 603 |
| 12 months to 30 Sept 2024 | 304 | 6 | 14 | 324 | 301 | — | 301 | 625 | |
| 16 months to 30 Sept 2024 | 379 | 8 | 17 | 404 | 380 | — | 380 | 784 | |
| Julie Chakraverty 6 | 30 Sept 2025 | 88 | — | — | 88 | — | — | — | 88 |
| 12 months to 30 Sept 2024 | 85 | — | — | 85 | — | — | — | 85 | |
| 16 months to 30 Sept 2024 | 114 | — | — | 114 | — | — | — | 114 | |
| Jennifer Duvalier | 30 Sept 2025 | 70 | — | — | 70 | — | — | — | 70 |
| 12 months to 30 Sept 2024 | 67 | — | — | 67 | — | — | — | 67 | |
| 16 months to 30 Sept 2024 | 90 | — | — | 90 | — | — | — | 90 | |
| Lynn Fordham 7 | 30 Sept 2025 | 70 | — | — | 70 | — | — | — | 70 |
| 12 months to 30 Sept 2024 | 67 | — | — | 67 | — | — | — | 67 | |
| 16 months to 30 Sept 2024 | 90 | — | — | 90 | — | — | — | 90 | |
| Mike Ettling | 30 Sept 2025 | 59 | — | — | 59 | — | — | — | 59 |
| 12 months to 30 Sept 2024 | 56 | — | — | 56 | — | — | — | 56 | |
| 16 months to 30 Sept 2024 | 75 | — | — | 75 | — | — | — | 75 | |
| Tim Kowalski | 30 Sept 2025 | — | — | — | — | — | — | — | — |
| 12 months to 30 Sept 2024 | — | — | — | — | — | — | — | — | |
| 16 months to 30 Sept 2024 | 28 | 2 | 1 | 31 | — | — | — | 31 | |
| Chris Batterham | 30 Sept 2025 | — | — | — | — | — | — | — | — |
| 12 months to 30 Sept 2024 | — | — | — | — | — | — | — | — | |
| 16 months to 30 Sept 2024 | 28 | — | — | 28 | — | — | — | 28 | |
| Total | 30 Sept 2025 | 1,346 | 13 | 40 | 1,399 | 695 | 127 | 822 | 2,221 |
| 12 months to 30 Sept 2024 | 1,292 | 13 | 38 | 1,343 | 883 | — | 883 | 2,226 | |
| 16 months to 30 Sept 2024 | 1,731 | 24 | 50 | 1,805 | 1,137 | — | 1,137 | 2,942 |
The CEO’s and CFO’s pension provisions are in line with the level of the wider workforce, which is currently 4.5% of salary. These are either paid as pension contributions, or cash in lieu of pension.
For the year ended 30 September 2025, the maximum annual bonus opportunity for Mike Maddison and Guy Ellis was 125% of salary. For the 12 months ended 30 September 2025, bonuses of 61.3% for the CEO and 64.8% for the CFO of maximum were payable, being £433,719 and £260,820 respectively for Mike Maddison and Guy Ellis. In accordance with the Remuneration Policy, 35% of each payment (above £50,000) will be deferred into nominal cost share options for two years (these shares are subject to service conditions but there are no further performance conditions), with the remaining 65% paid in cash in December 2025. The performance measures and targets are set out below.
| Financial targets – up to 60% of the annual bonus for the financial year to 30 September 2025 (audited) | Performance targets | Threshold (20%) | Target (40%) | Max. (60%) | Actual Weighting |
| Mike Maddison | £23.1m | £25.6m | £29.1m | 60% | |
| Adjusted operating profit 1, target for CEO and CFO | Guy Ellis | 60% | |||
| Strategic | The strategic targets were set individually for the Executive Directors based on key strategic objectives for the year in their area of responsibility – see below. | 40% | |||
| Total payout (% of bonus) | 100% | ||||
| 100% | |||||
| Bonus opportunity | £707,535 | ||||
| Total bonus for the year to 30 September 2025 | £433,719 | ||||
| £260,820 | |||||
| Amount paid in cash (65%) | £299,417 | ||||
| £187,033 | |||||
| Amount deferred in shares (35%) | £134,302 | ||||
| £73,787 |
1 Adjusted operating profit – previous measure is an Alternative Performance Measure (APM) and not an IFRS measure. (See Note 3 for an explanation of APMs and adjusting items.)
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 85
The table below highlights the key strategic targets and achievements for each Executive Director. Bonus target ranges have been disclosed to the extent possible, but the achievement of some areas is determined by the Committee based on its judgement of performance.
| Year ended 30 September 2025 | Target and performance conditions | Outcome | Weighting | Outcome | |
|---|---|---|---|---|---|
| CEO targets | Our clients | Ensure that the organisation is better equipped to grow sales in key areas of focus. | 10% | 10% | |
| Our capabilities | Improve NCC Group’s revenue trajectory in agreed investment areas of our four cyber capabilities. | 7.5% | 6.5% | ||
| Global delivery | Ensure the successful rollout of Kantata and effective use of our global resources. | 7.5% | 7.5% | ||
| Differentiated brands | Build profile (top of the funnel) to drive greater demand within key markets. Drive demand within key markets to build pipeline. | 5% | 5% | ||
| People and operational excellence | Simplify business operations and structure, globalise processes, and reduce costs. Set up and operate during FY25 regional operating and governance/compliance boards in all regions. Demonstrate a commitment to improving engagement across the business by taking action on opportunities identified through Glint surveys. Focus on developing a client-focused culture, driving service excellence. | 5% | 5% | ||
| Insight, innovation and intelligence | Develop innovative services that capitalise on advances in AI, data sharing and/or automation, to build reputation, grow thought leadership and research activity and improve revenue growth and profitability. | 5% | 2.5% | ||
| CEO outcome | 40% | 36.5% | |||
| CFO targets | Our clients | Ensure that we are selling and delivering work that drives improved margins. | 5% | 5% | |
| Global delivery | Ensure the successful rollout of Kantata and effective use of our global resources. | 7.5% | 7.5% | ||
| People and operational excellence | Simplify business operations and structure, globalise processes, and reduce costs. Set up and operate during FY25 regional operating and governance/compliance boards in all regions. Demonstrate a commitment to improving engagement across the business by taking action on opportunities identified through Glint surveys. Focus on developing a client-focused culture, driving service excellence. | 27. 5% | 27.5% | ||
| CFO outcome | 40% | 40% |
The LTIP awards made in October 2022 (with a performance period of 1 June 2022 to 30 September 2025) will vest in December 2025. Mike Maddison was a beneficiary of these and achieved a vesting of 20% of the award of 436,408 shares, being 87,281 shares.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 86# Annual Report on Remuneration
| Basis | Performance period |
|---|---|
| Mike Maddison | 1 June 2022 to 30 September 2025 |
| 436,408 | |
| 175% of base salary |
The performance conditions for these awards are set out below:
| Weighting | Component | Metric | Threshold (15% vesting) | Maximum (100% vesting) | Actual performance | Actual % vested | Vesting basis |
|---|---|---|---|---|---|---|---|
| 60% | Adjusted basic EPS – previous measure 2,3 | CAGR growth over a three year period | 6% | 18% | (31%) | 0% | Straight line between threshold and maximum |
| 20% | Cash conversion – previous measure 2,4 | Average cash conversion ratio – previous measure over a three year period | 80% | 90% | 92% | 20% | Straight line between threshold and target, then target and maximum |
| 20% | TSR | TSR over three years vs FTSE 250 comparator group (excluding investment trusts) | Median | Upper quartile | Lower quartile | 0% | Straight line between threshold and maximum |
| Total |
During the financial year to 30 September 2025, neither of the Executive Directors were granted awards.
The Group operates an HMRC-approved SAYE scheme. All eligible colleagues, including Executive Directors, may be invited to participate on similar terms for a fixed period of three years. During the year, Guy Ellis joined the 2025 SAYE scheme (which will mature on 1 September 2028) and has options over 9,668 shares with an option price of £1.1387. No awards vested this year for either Executive Director.
No payments were made for loss of office during the year. Tim Kowalski stepped down as CFO on 30 June 2023. The LTIP awards made in October 2022 (with a performance period of 1 June 2022–30 September 2025) will vest in December 2025. Tim Kowalski was a beneficiary of these and achieved a vesting of 20% of the award of 97,951 shares, being 19,590 shares (the original number of shares granted was 248,857 shares which was pro-rated for service). These awards are subject to the post-employment shareholding guideline.
The tables below set out details of the Executive Directors’ outstanding share awards, which will vest in future years subject to performance conditions and/or continued service.
| Total LTIP options held at 30 September 2024¹ | Granted during the year | Exercised during the year | Share price on date of exercise | Lapsed during the year | Total LTIP options held at 30 September 2025¹ | |
|---|---|---|---|---|---|---|
| Mike Maddison | 2,399,730 | — | — | N/A | 349,127 | 2,050,603 |
| Guy Ellis | 845,639 | — | — | N/A | — | 845,639 |
¹ Includes only unvested and unexercised LTIP options.
² Adjusted basic EPS – previous measure
³ , cash conversion – previous measure ⁴ , and cash conversion ratio – previous measure are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 and Financial Review for an explanation of APMs and adjusting items.
³ Adjusted basic EPS – previous measure is statutory basic EPS before share-based payments, amortisation of acquired intangibles and Individually Significant Items and the tax effect thereon.
⁴ Cash conversion – previous measure ratio percentage of net cash flow from operating activities before interest and tax divided by Adjusted EBITDA – previous measure.
All awards granted under the LTIP are subject to continued employment and the satisfaction of the performance conditions as set out above. The awards were all nil-cost options.
The beneficial and non-beneficial interests of the current Directors in the share capital of NCC Group plc at 30 September 2025 are set out below. (Details of Executive Director shareholding requirements and achievement against these are set out below.)
| Total | Beneficial interests in ordinary shares | Nil-cost options subject to performance | SAYE options | Deferred bonus nil-cost options | Vested but unexercised nil-cost options | ||
|---|---|---|---|---|---|---|---|
| 30 Sept 2025 | 30 Sept 2024 | 30 Sept 2025 | 30 Sept 2024 | 30 Sept 2025 | 30 Sept 2024 | 30 Sept 2025 | |
| Chris Stone | 756,195 | 712,843 | — | — | — | — | — |
| Mike Maddison | 171,707 | 148,063 | 1,963,322 | 2,399,730 | 18,699 | 18,699 | 189,683 |
| Guy Ellis | 1,602 | 3,533 | 845,639 | 845,639 | 9,668 | — | 98,967 |
| Julie Chakraverty | 63,914 | 63,914 | — | — | — | — | — |
| Jennifer Duvalier | 19,115 | 19,115 | — | — | — | — | — |
| Mike Ettling | 50,000 | 50,000 | — | — | — | — | — |
| Lynn Fordham | 50,000 | 50,000 | — | — | — | — | — |
¹ This information includes holdings of any connected persons.
² These awards represent the outstanding LTIP interests, included in the table above, which are due to vest after 30 September 2025.
³ Representative SAYE scheme interests, which will vest after the end of the three year savings period in 2027, or 2028.
⁴ Nominal cost share options granted under the deferred bonus plans, subject to a service condition, tax and National Insurance (for Guy Ellis, awards made under the Restricted Share Plan of 9,450 shares made prior to his promotion to CFO are also included in this figure).
During the year, awards were made under the Deferred Annual Bonus Schemes to the CEO and CFO of 59,493 shares and 33,066 shares respectively, which had a face value of £81,864 and £45,500 respectively.
Following the year ended 30 September 2025, the following Directors dealt shares under the colleague HMRC approved UK Share Incentive Plan. The number of shares traded are shown below:
The Executive Directors are expected to build and retain a shareholding in the Group equivalent to at least 200% of base salary. Executives will normally be required to retain all vested deferred bonus shares and LTIP shares released from the holding period, until they have attained the minimum shareholding requirement and, even then, only when they have held vested LTIP shares for a minimum period of two years. Executive Directors will also be required to retain all shares vesting from SAYE schemes. For the avoidance of doubt, Executive Directors are permitted to sell sufficient shares in order to meet any tax obligation arising from vesting shares. The table below sets out the Executive Directors’ shareholding requirements and achievement against these. The percentages within this table have been calculated using a three month average share price (1 July 2025 to 30 September 2025) of £1.45, and include all unvested deferred bonus plans on a net of tax and National Insurance basis.
| Shareholding requirements (% of salary) | Shareholding as at 30 September 2025 (% of salary) | Requirement met | |
|---|---|---|---|
| Mike Maddison | 200% | 69% | No |
| Guy Ellis | 200% | 21% | No |
The table below presents the percentage change in total colleague remuneration relative to total dividends (interim and final) for the current and prior financial periods.
| 12 month financial year to 30 September 2025 £m | 16 month financial period to 30 September 2024 £m | % change | |
|---|---|---|---|
| Colleague remuneration costs ¹ | 203.3 | 283.6 | (28.3%) |
| Dividends for the period | 14.5 | 24.3 | (40.3%) |
¹ Based on the figure shown in Note 6 to the consolidated Financial Statements.
The table below shows the movement in the salary or fees, benefits and annual bonus for each Director over the last five financial years compared to the equivalent changes for all colleagues of the Company. The comparator group for salaries and benefits is all colleagues in the UK. During the year, UK-based colleagues were provided with a medical cash plan, along with the addition of critical illness cover. There are no employees of NCC Group plc. The comparator group for the bonus is those in the senior management population who also have an annual scheme and excludes those on commission and incentive plans.
| Year | Mike Maddison (CEO) | Guy Ellis (CFO) | All colleagues |
|---|---|---|---|
| % increase in salary | |||
| 2024/25 | 2.5% | 9.6% | 4.67% |
| 2023/24 (16 months) | 18.6% | — | 7.4% |
| 2023/24 (12 months) | 16.5% | — | 6.7% |
| 2022/23 | — | — | 7.9% |
| 2021/22 | — | — | 5.1% |
| 2020/21 | — | — | 5.1% |
| % increase in benefits | |||
| 2024/25 | — | — | 139% |
| 2023/24 (16 months) | 950.0% | — | — |
| 2023/24 (12 months) | 1,000.0% | — | — |
| 2022/23 | — | — | — |
| 2021/22 | — | — | — |
| 2020/21 | — | — | — |
| % increase in annual bonus | |||
| 2024/25 | (17.0%) | 2.0% | (19.0%) |
| 2023/24 (16 months) | 1,841.0% | — | 561.0% |
| 2023/24 (12 months) | 1,241.0% | — | 412.0% |
| 2022/23 | — | — | (89.0%) |
| 2021/22 | — | — | (40.0%) |
| 2020/21 | — | — | 1.0% |
Non-Executive Directors do not receive benefits and are not eligible to participate in the annual bonus and therefore do not have those rows in the table below.
| Year | Chris Stone | Julie Chakraverty | Jennifer Duvalier | Lynn Fordham | Mike Ettling |
|---|---|---|---|---|---|
| % increase in salary | |||||
| 2024/25 | 4.7% | 2.9% | 3.7% | 3.7% | 4.4% |
| 2023/24 (16 months) | — | 9.6% | — | 46.7% | — |
| 2023/24 (12 months) | — | 9.0% | — | 45.7% | — |
| 2022/23 | 3.0% | 225.0% | 2.0% | — | 2.0% |
| 2021/22 | 14.0% | — | 29.0% | — | 20.0% |
| 2020/21 | (5.0%) | — | 2.0% | — | (8.0%) |
The decrease and subsequent increase of NED fees in 2020/21 and 2021/22 are the results of the removal and reintroduction of the travel allowance and a review of NED fee levels. The travel allowance was removed in 2020/21 due to the lower levels of travel resulting from the reaction to the pandemic and then was reintroduced in 2021/22. The combination of these factors results in changes which are not reflective of changes to NED fee levels.# Governance
The changes are also affected by the comparison of fees for a full year to fees for a part year when a Director joins or leaves. The increase for the CEO’s / CFO’s salary has been explained within the Committee Chair’s opening statement. The significant increase in CEO bonus in 2023/24 from the previous year was caused by the 2022/23 bonus paying out at a very low level, with the 2023/24 bonus being paid out at a much higher level. For the 2023/24 16 month comparison, this has been annualised to provide a meaningful comparison to the prior year. To note that for the 2022/23 year, Mike Maddison (CEO) joined on 7 July 2022 hence the 2022/23 year is not a full year for comparison purposes. To note that for the 2023/24 year, Guy Ellis (CFO) was appointed on 30 June 2023 hence the 2023/24 period is not a full year for comparison purposes and there is no prior year comparator. The increase to the CFO’s salary above the average increase to colleagues during the year has been explained earlier in the Chair’s introductory letter.
The following table shows the ratio between the single total figure of remuneration (STFR) of the Chief Executive for 2024/25 and the lower quartile, median and upper quartile pay of our UK colleagues. The salary and total pay and benefits for the lower quartile, median and upper quartile colleagues are also shown.
| Financial year | Method | 25th percentile pay ratio | 50th percentile pay ratio | 75th percentile pay ratio |
|---|---|---|---|---|
| 2019/20 | Option B | 18:1 | 12:1 | 8:1 |
| 2020/21 | Option B | 27:1 | 18:1 | 11:1 |
| 2020/21 | Option C | 26:1 | 16:1 | 12:1 |
| 2021/22 | Option C | 23:1 | 14:1 | 10:1 |
| 2022/23 | Option C | 22:1 | 14:1 | 10:1 |
| 2023/24 | Option C | 25:1 | 16:1 | 11:1 |
| 2023/24 (16 months) | Option C | 26:1 | 17:1 | 11:1 |
| 2024/25 | Option C | 22:1 | 15:1 | 9:1 |
Financial year to 30 September 2025
| Mike Maddison, CEO | 25th percentile | 50th percentile | 75th percentile | |
|---|---|---|---|---|
| Salary (£000) | 566 | 45 | 69 | 68 |
| Total pay and benefits (£000) | 1,160 | 52 | 79 | 122 |
The CEO pay ratio has been calculated using Option C, which we deem the most appropriate methodology for NCC Group. Under Option C, we have used the most recent P60 information (for the 2024/25 tax year) to determine the relevant colleague at the 25th, 50th and 75th percentile. As such the data was correct as of 5 April 2025. As in prior years, we have omitted joiners and leavers from the data to ensure that the data is on a like-for-like basis. This option was chosen in preference to the other possibilities as it uses the most accurate and comprehensive data currently available and provides a fair reflection of the total pay received by colleagues. We are satisfied that the applicable colleagues chosen are a fair representation of the workforce. The CEO pay ratio has marginally decreased due to the following reasons: the CEO had a lower than workforce average pay increase for the reasons explained within the Committee Chair’s opening statement, the business adopted a real living wage approach, and is also considering joining the “Living Wage Foundation”, and the pay review philosophy this year was to focus on lower paid colleagues more affected by the continued cost of living pressures. The pay ratio is consistent with the pay, reward and progression policies currently in place at NCC Group.
The following graph shows the total shareholder return, with dividends reinvested, from 1 October 2015 against the corresponding changes in a hypothetical holding in shares in both the FTSE All Share and FTSE 250 Indices. The FTSE All Share and FTSE 250 Indices represent broad equity indices. The Company is a constituent member of the FTSE 250 and FTSE All Share Index and the Committee has adopted the FTSE 250 Index for part of its LTIP performance measure. Both indices give a market capitalisation-based perspective. During the financial year ended 30 September 2025, the Company’s share price varied between £1.27 and £1.73 and ended the financial year at £1.48. Ten year historical TSR performance is the growth in the value of a hypothetical £100 holding over ten years. It has been calculated for NCC Group plc and the FTSE All Share, FTSE 250 and FTSE Small Cap Indices (excluding investment trusts) based on spot values.
250
200
100
150
50
0
2016 20172015 2018 2019 2020 2021 2022 2023 2024 2025
£100 £121 £73 £63 £64 £93 £79 £65 £43 £54 £79
Value (£)
NCC Group plc
FTSE All Share Index
FTSE 250 (excluding investment trusts)
FTSE Small Cap (excluding investment trusts)
The share price was £1.73 on 1 October 2024 and £1.48 on 30 September 2025.
The table below shows the total remuneration for the Chief Executive over the same ten year period, including share awards valued at the date they vested.
| Period ended | Incumbent | Total remuneration £000 | Annual bonus % of maximum | Long-term incentives % of maximum |
|---|---|---|---|---|
| 30 September 2025 | Mike Maddison | 1,160 | 61 | 20 |
| 31 May/30 September 2024 | Mike Maddison | 1,081/1,513 | 80/100 | — |
| 31 May 2023 1 | Mike Maddison | 1,005 | 7.5 | — |
| 31 May 2023 2 | Adam Palser | 26 | — | 30 |
| 31 May 2022 | Adam Palser | 1,081 | 60 | 59 |
| 31 May 2021 | Adam Palser | 1,110 | 92 | 40 |
| 31 May 2020 | Adam Palser | 861 | 23 | 52 |
| 31 May 2019 | Adam Palser | 679 | 48 | — |
| 31 May 2018 3 | Adam Palser | 292 | 3 | 32 |
| 31 May 2018 4 | Brian Tenner | 257 | 4 | 32 |
| 31 May 2017 | Rob Cotton | 610 | — | — |
| 31 May 2016 | Rob Cotton | 1,091 | 70 | 20 |
1 Mike Maddison was appointed on 7 July 2022. The amount above is in respect of the period from 7 July 2022 to 31 May 2023. Mike Maddison was not eligible for long-term incentives vesting in 2023 and 2024. However, LTIP awards vested at 30% and 30% in 2023 and 2024 respectively.
2 Adam Palser stepped down from the Board on 17 June 2022. The amount above is in respect of the period from 1 June 2022 to 17 June 2022.
3 Adam Palser was appointed on 1 December 2017. The total remuneration figure above is in respect of the period from 1 December 2017 to 31 May 2018.
4 During the year ended 31 May 2018, Brian Tenner acted as Interim Chief Executive Officer for the period 1 June 2017 to 30 November 2017. The total remuneration figure above is the total remuneration received in relation to that six month period.
5 Note that this shows the annual bonus payments as a percentage of the maximum opportunity. (For 2024, 80% relates to the 12 months to 31 May 2024, and 100% relates to the four months to 30 September 2024. Two figures are shown due to the change in financial year end and the 16 month financial period.)
6 This shows the LTIP vesting level as a percentage of the maximum opportunity.
The Remuneration Committee membership consists solely of Non-Executive Directors and comprises Jennifer Duvalier, Julie Chakraverty and Lynn Fordham. The Company Chair, Chief Executive Officer, SVP, Group Finance, Chief People Officer, Director of Reward and Benefits and Company Secretary attend the Remuneration Committee meetings by invitation of the Chair of the Committee from time to time and assist the Committee with its considerations. No Director is involved in setting their personal remuneration. The attendance of individual Committee members at Remuneration Committee meetings is shown within the table on page 65.
For the reasons described in the Chair’s Introduction to Governance, no Board or Committee evaluation was carried out during the year. Further information can be found on page 68.
During the year, the Committee received advice on senior executive remuneration from Mercer and was comfortable that the advice was objective and independent. Mercer was appointed via an open tender process. Mercer is a founding member of the Remuneration Consultants Group and is a signatory to its Code of Conduct. The total fee charged in 2024/25 for providing advice in relation to executive remuneration was £75,364 with fees being determined on a time and expenses basis.
The service contracts and letters of appointment of the current Directors include the following terms:
| Date of contract | Notice period | |
|---|---|---|
| Executive | ||
| Mike Maddison | 28 April 2022 | 12 months |
| Guy Ellis | 30 June 2023 | 12 months |
| Non-Executive | ||
| Chris Stone | 31 March 2017 | 3 months |
| Julie Chakraverty | 27 October 2021 | 3 months |
| Jennifer Duvalier | 25 April 2018 | 3 months |
| Mike Ettling | 21 September 2017 | 3 months |
| Lynn Fordham | 19 July 2022 | 3 months |
Increases were made to the base salaries of both Executive Directors for the year ended 30 September 2025. The table below details the Executive Directors’ salaries as at 30 September 2025 and salaries which are in force on 1 October 2025, with the next review of salaries taking place during the year ending 30 September 2026, in line with the wider workforce.
| Base salary at 30 September 2025 £000 | Base salary at 1 October 2025 £000 | % change | |
|---|---|---|---|
| Chief Executive Officer – Mike Maddison | 575 | 575 | 0% |
| Chief Financial Officer – Guy Ellis | 342 | 375 | 9.6% |
Pensions will remain aligned with the level for other colleagues.
The annual bonus maximum in 2025/26 will be 125% of salary for the Chief Executive Officer and 125% for the Chief Financial Officer, with 60% based on the achievement of Adjusted operating profit targets and 40% based on the achievement of strategic targets. These targets are commercially sensitive and will be disclosed in the next Annual Report. Awards will also be subject to the Committee’s assessment of the overall financial health of the business.In addition, to ensure that this bonus opportunity results in shareholder alignment and provides greater retention value, 35% of any bonus payment will be deferred into nominal cost share options over £50,000 for a period of two years. The bonus, nominal cost share options and associated dividend equivalents are also subject to malus and clawback provisions.
LTIP awards were granted in June 2024, and no further awards were made under the LTIP scheme for the year ended 30 September 2025, with the next round of LTIP awards expected to be made in December 2025/January 2026 during the financial year ending 30 September 2026, which will be for performance period 1 October 2025 to 30 September 2028.
In line with the current policy, Non-Executive Director fees are reviewed annually. The last increase to Non-Executive Director fees was applied on 1 June 2022. During the financial year ended 30 September 2025, a review was carried out of Non-Executive Directors’ fees and the decision was taken to increase them by 5%, effective 1 October 2024. Fees will be reviewed again in the financial year ending 30 September 2026:
| FY26 | FY25 | |
|---|---|---|
| Chair fee (excluding travel allowance of £8,200) | £166,280 | £162,225 |
| Non-Executive Director base fee (excluding travel allowance of £4,750) | £54,000 | £54,000 |
| Supplemental fees for additional responsibilities: | ||
| SID | £10,000 | £10,000 |
| Audit Committee Chair | £11,000 | £11,000 |
| Remuneration Committee Chair | £11,000 | £11,000 |
| Cyber Security Committee Chair | £8,000 | £8,000 |
| Designated NED for workforce engagement | £11,000 | £11,000 |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 92
The following votes were received from the shareholders in respect of the Directors’ Remuneration Report and in respect of the Remuneration Policy:
| Remuneration Report (2025 AGM) | Remuneration Policy (2025 AGM) | |
|---|---|---|
| Total number of votes | % of votes cast | |
| For | 165,819,347 | 80.33 |
| Against | 40,605,441 | 19.67 |
| Total votes cast (for and against excluding withheld votes) | 206,424,788 | |
| Votes withheld | 43,886,409 | |
| Total votes cast (including withheld votes) | 250,311,197 |
1 Includes Chair’s discretionary votes.
2 A vote withheld is not a vote in law and is not counted in the calculation of the proportion of votes cast “for” and “against” a resolution.
Approved by the Board and signed on its behalf:
Jennifer Duvalier
Chair, Remuneration Committee
11 December 2025
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 93
The Directors present their report and the audited Group and Company Financial Statements of NCC Group plc (the “Company”) and its subsidiaries (together, the “Group”) for the financial year ended 30 September 2025.
The Company is a public limited company incorporated in England, registered number 4627044, with its registered office at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ. The principal activity of the Group is the provision of independent advice and services to customers through the provision of software resilience and Cyber Security services. The principal activity of the Company is that of a holding company.
At the time of approving the Financial Statements, the Board of Directors is required to formally assess that the business has adequate resources to continue in operational existence and as such can continue to adopt the “going concern” basis of accounting. To support this assessment, the Board is required to consider the Group’s current financial position, its strategy, the market outlook, and its principal risks. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections.
The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons. The Directors have prepared cash flow and covenant compliance forecasts for 12 months from the date of approval of the Financial Statements which indicate that, taking account of severe but plausible downsides on the operations of the Group and its financial resources, the Group will have sufficient funds to meet its liabilities as they fall due for that period. The going concern period is required to cover a period of at least 12 months from the date of approval of the Financial Statements and the Directors still consider this 12 month period to be an appropriate assessment period due to the Group’s financial position and trading performance and that its current borrowing facilities do not expire until April 2029 (following the Group successfully refinancing in April 2025 – see below and Note 22). The Directors have considered whether there are any significant events beyond the 12 month period which would suggest this period should be longer but have not identified any such conditions or events.
In April 2025, the Group refinanced its borrowing arrangements by entering into a new four year £120m multi-currency revolving credit facility (RCF), with an uncommitted £50m accordion option. This new unsecured facility replaces the previous £162.5m RCF (which was in existence as at 30 September 2024), which was due to expire in December 2026 and included an uncommitted accordion option of up to £75m. The uncommitted accordion option has not been included in the Group’s going concern assessment as it remains subject to lender approval and is therefore not guaranteed at the date of approval of these Financial Statements.
As of 30 September 2025, net cash (excluding lease liabilities) was £13.1m, comprising cash and cash equivalents of £16.4 m, a bank overdraft of £nil, and a drawn revolving credit facility of £5.2m (excluding £1.9 m of unamortised borrowing fees). The Group also had £114.8 m of undrawn committed facilities, excluding an uncommitted accordion facility of £50.0 m. The Group’s day-to-day working capital requirements are met through existing cash resources, the revolving credit facility and receipts from its continuing business activities.
The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA) 1 and interest cover (Adjusted EBITDA 1 to interest charge) that are tested biannually on 31 March and 30 September each year. As of 30 September 2025, leverage amounted to 0.0x and net interest cover amounted to 8.1x compared to a maximum of 3.0x and a minimum of 3.5x respectively. The terms and ratios are specifically defined in the Group’s banking documents (in line with normal commercial practice) and are materially similar to amounts noted in these Financial Statements with the exceptions being net debt which excludes IFRS 16 lease liabilities and Adjusted EBITDA 1 .
The Group was in compliance with the terms of all its facilities during the year, including the financial covenants on 30 September 2025, and, based on forecasts, expects to remain in compliance over the going concern period. In addition, the Group has not sought or is not planning to seek any waivers to its financial covenants noted above.
Management has performed base case modelling derived from the FY26 Board-approved budget and forecasts beyond this budgeted period, reflecting scenarios both with and without the potential disposal of its Escode business (incorporating any associated impact on the Group’s banking facilities and expected net cash position). In addition, management has prepared forecasts reflecting severe but plausible downside scenarios, considering the principal risks faced by the Group, such as the loss of key customers and further reductions in the Group’s Technical Assurance Services (‘TAS’) Cyber business. These forecasts, including all scenarios modelled, have been reviewed by the Directors, support their expectation that the Group will operate within its available committed banking facilities and meet its liabilities as they fall due throughout the assessment period. The assumptions underpinning these forecasts (and severe yet plausible downside scenarios) are set out in more detail in the Viability Statement on pages 38 and 39.
Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Group will have sufficient funds to meet its liabilities as they fall due for a period of at least 12 months from the date of approval of Financial Statements. This period is referred to as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 30 September 2025.
Directors’ report
1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 94
Additionally, the Group remains in the early stages of reviewing a number of strategic options for its Cyber business, however no decision has been made on which option will be pursued as of 11 December 2025. Accordingly, no material uncertainties have been identified that would cast significant doubt on the Group’s ability to continue as a going concern in relation to this ongoing process.
From a Company perspective, the Company places reliance on other Group trading entities for financial support.The Company controls these Group entities and therefore has the ability to direct the financial activities of the Group. Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial Statements, which is determined as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 30 September 2025. There are no post-Balance Sheet events which the Directors believe will negatively impact the going concern assessment.
The Group’s and Company’s audited Financial Statements for the financial year ended 30 September 2025 are set out on pages 104 to 158. The Directors propose a final dividend of 3.15p per ordinary share, which, together with the interim dividend of 1.5p per ordinary share paid on 1 August 2025, makes a total dividend of 4.65p for the year ended 30 September 2025. The final dividend will be paid on 10 April 2026, subject to approval at the AGM on 3 March 2026, to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026.
At the AGM held on 28 January 2025, the Directors were granted authority to allot up to 104,913,324 ordinary shares representing approximately one-third of the Company’s issued share capital. In addition, the Directors were granted authority to allot a further 104,913,324 ordinary shares, again representing approximately one-third of the Company’s issued share capital, solely to be used in connection with a pre-emptive rights issue.
As at 30 September 2025, the Company’s issued ordinary share capital comprised 315,006,079 ordinary shares with a nominal value of 1p each. During the financial year ended 30 September 2025, 481,449 shares in the Company were issued further to the exercise of options pursuant to the Company’s share option schemes.
The holders of ordinary shares are entitled, among other rights, to receive the Company’s Annual Reports and Accounts, to attend and speak at general meetings of the Company, to appoint proxies and to exercise voting rights. Details of the movements of the called up share capital of the Company are set out in Note 25 to the Financial Statements and the information in this note is incorporated by reference and forms part of this Directors’ Report.
All rights and obligations attaching to the Company’s ordinary shares are set out in the Company’s Articles of Association (the “Articles”), copies of which can be obtained from the Companies House website or by writing to the Company Secretary. Unless otherwise provided in the Articles, the terms of issue of any shares, any restrictions from time to time imposed by laws or regulations (for example insider trading laws) or pursuant to the UK Market Abuse Regulation whereby certain Directors, officers and colleagues of the Group require the approval of the Company to deal in ordinary shares of the Company, any shareholder may transfer any or all of their shares. The Company is not aware of any agreements between shareholders that may result in restrictions on the transfer of securities and/or voting rights. The Directors may refuse to register a transfer of shares in certificated form that are not fully paid up or otherwise in accordance with the Articles.
At the AGM held on 28 January 2025, shareholders authorised the Company to make market purchases of up to 31,473,997 ordinary shares representing approximately 10% of the issued share capital. At the 2026 AGM, shareholders will be asked to give a similar authority. During the year, the Employee Benefit Trust purchased 4m shares in connection with the Company’s employee share plans.
Biographical details of the Company’s current Directors are set out on pages 62 and 63 together with the names of Directors that have held office during the year. Subject to law and the Company’s Articles of Association, the Directors may exercise all of the powers of the Company and may delegate their power and discretion to Committees. The Company’s Articles of Association give the Directors power to appoint and replace Directors. Under the terms of reference of the Nomination Committee, any appointment to the Board of the Company must be recommended by the Nomination Committee for approval by the Board. The Articles of Association also require one-third of the Directors to retire by rotation each year end and each Director must offer themselves for re-election at least every three years. However, in accordance with previous years and in accordance with best practice, all Directors will submit themselves for re-election at the AGM each year. During the year, no Director had any material interest in any contract of significance in the Group’s business.
On 16 July 2025, the Company confirmed that it is in the early stages of commencing a review of all strategic options for its Cyber business (Cyber Review) and that such Cyber Review includes a range of potential outcomes including potential offers for the entire issued and to be issued share capital of the Company (Announcement). The Company gave notice, in accordance with Rule 2.11 of the City Code on Takeovers and Mergers (Code), that it was in an ‘Offer Period’ pursuant to the Code. At the time of approval of these Accounts, the Company remains in this Offer Period.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 95
The Company maintains Directors’ and Officers’ liability insurance, which provides appropriate cover for any legal action brought against its Directors (including those who served as Directors or Officers during 2024/25). This cover was in place throughout the financial year ended 30 September 2025 and up to the date of this Directors’ Report. The Directors of the Company have also entered into individual deeds of indemnity with the Company which constitute as qualifying third-party indemnity provisions for the purposes of section 234 of the Companies Act 2006. The deeds were in effect during the course of the financial year ended 30 September 2025 for the benefit of the Directors and, at the date of this report, are in force for the benefit of the Directors in relation to certain losses and liabilities which they may incur (or have incurred) in connection with their duties, powers or office.
The Group uses a number of ways to engage with its colleagues on matters that impact them and the performance of the Group. These include briefings by members of the Executive Committee, regular team meetings, the Group’s intranet site, global communications and update emails which together provide, among other information, an awareness of the financial and economic factors affecting the Company’s performance. Further information on how the Directors engage with colleagues along with how colleague interests are taken into account during decision making can be found within the Corporate Governance Report on pages 58 to 70. We also conduct colleague engagement surveys to ensure all colleagues are given a voice in the organisation. We offer colleagues the opportunity to purchase ordinary shares in the Company through participation in either the Company’s Save As You Earn (SAYE) scheme or Employee Stock Purchase Plan (ESPP). Colleagues in the UK also have the opportunity to purchases shares through a Share Incentive Plan (SIP). All these schemes help to encourage colleague interest in the performance of the Group.
The Directors have summarised how they have fostered the Company’s business relationships with suppliers, customers and others on pages 14 and 15. In addition, on page 65 the Directors have included the principal decisions taken by the Company during the financial year.
The Group is committed to providing equality of opportunity to all colleagues without discrimination and applies fair and equitable employment policies which seek to promote entry into and progression within the Group. Appointments are determined solely by application of job criteria, personal ability, behaviour and competency. In the opinion of the Directors, all colleague policies are deemed to be effective and in accordance with their intended aims.
Disabled persons have equal opportunities when applying for vacancies, with due regard to their aptitudes and abilities. Procedures ensure that disabled colleagues are fairly treated in respect of training and career development. For those colleagues becoming disabled during the course of their employment, the Group is supportive so as to provide an opportunity for them to remain with the Group, wherever reasonably practicable.
NCC Group believes in the rights of individuals to engage in the democratic process; however, it is NCC Group’s policy not to make political donations. There were no political donations made or political expenditure incurred during the financial year ended 30 September 2025. To be clear, it is not the Company’s policy to make political donations, the Company has not made a political donation in the past, and the Company has no intention either now or in the future of changing its policy or making any political donation or incurring any political expenditure in respect of any political party, political organisation or independent election candidate.# Directors’ report continued
NCC Group plc — Annual report and accounts for the year ended 30 September 202596
The Notice of the Company’s AGM to be held at 1pm on 3 March 2026 at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ, along with details of the business to be proposed and explanatory notes, will be available on the Group’s website together with the Annual Report and Accounts. All shareholders will be notified by post or email, at their request, when the documents have been made available. The Board recognises that the AGM provides an important opportunity to engage with shareholders. Therefore, the Company will ensure that shareholders can submit any questions in writing prior to the AGM as outlined in the Notice of AGM. The result of the poll vote will be made available as soon as possible after the meeting on our website.
During the year, no interest was capitalised by the Group (2024: £nil). The tax benefit on this amount was £nil (2024: £nil).
The following sets out the location of additional information forming part of the Directors’ Report, which is incorporated by reference into this report:
| Reporting requirement | Location |
|---|---|
| Board’s assessment of the Group’s internal control systems | Corporate Governance Report on page 69 and Audit Committee Report on page 74 |
| Details of uses of financial instruments and specific policies for managing financial risk | Note 23 (Financial Instruments) on pages 144 to 147 |
| Directors’ interests | Remuneration Committee Report on page 88 |
| Directors’ Responsibilities Statement | Directors’ Responsibilities Statement on page 98 |
| Directors’ remuneration including disclosures required by Schedule 5 and Schedule 8 of SI2008/410 – Large and Medium-sized Companies and Groups (Accounts and Reports) Regulations 2008 | Remuneration Committee Report on pages 81 to 93 |
| DTR 4.1.8.R – Management Report – the Directors’ Report and Strategic Report comprise the Management Report | Directors’ Report on pages 94 to 97 and Strategic Report on pages 1 to 57 |
| Going Concern Statement | Directors’ Report on pages 94 and 95 and Going Concern section within Note 1 on pages 111 and 112 |
| Greenhouse gas emissions and energy consumption | TCFD Report on pages 22 to 27 |
| Likely future developments of the business and Group | Strategic Report on pages 1 to 57 |
| LR 9.8.4 (4) – Long-term incentive schemes | Remuneration Committee Report on pages 81 to 93 |
| LR 9.8.6 (2) – Substantial shareholders | Shareholder Engagement section of Corporate Governance Report on page 70 |
| Statement on corporate governance | Corporate Governance Report, Audit Committee Report, Nomination Committee Report and Remuneration Committee Report on pages 58 to 93. Statement of compliance with the UK Corporate Governance Code is on page 60 |
| Strategic Report – Companies Act 2006 section 414A–D | Strategic Report on pages 1 to 57 |
The Strategic Report on pages 1 to 57 and this Directors’ Report on pages 94 to 97 have been approved and authorised for issue by the Board. They were signed on its behalf by:
Mike Maddison
Chief Executive Officer
11 December 2025
Guy Ellis
Chief Financial Officer
11 December 2025
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 97
The Directors are responsible for preparing the Annual Report and the Financial Statements in accordance with applicable law and regulation. Company law requires the Directors to prepare Financial Statements for each financial year. Under that law the Directors have prepared the Group Financial Statements in accordance with UK-adopted International Accounting Standards and the Company Financial Statements in accordance with United Kingdom Generally Accepted Accounting Practice (United Kingdom Accounting Standards, comprising FRS 101 ‘Reduced Disclosure Framework’, and applicable law).
Under company law, Directors must not approve the Financial Statements unless they are satisfied that they give a true and fair view of the state of affairs of the Group and Company and of the profit or loss of the Group for that period.
In preparing the Financial Statements, the Directors are required to:
The Directors are responsible for safeguarding the assets of the Group and Company and hence for taking reasonable steps for the prevention and detection of fraud and other irregularities. The Directors are also responsible for keeping adequate accounting records that are sufficient to show and explain the Group’s and Company’s transactions and disclose with reasonable accuracy at any time the financial position of the Group and Company and enable them to ensure that the Financial Statements and the Directors’ Remuneration Report comply with the Companies Act 2006.
The Directors are responsible for the maintenance and integrity of the Company’s website. Legislation in the United Kingdom governing the preparation and dissemination of financial statements may differ from legislation in other jurisdictions.
The Directors consider that the Annual Report and Accounts, taken as a whole, is fair, balanced and understandable and provides the information necessary for shareholders to assess the Group’s and Company’s position and performance, business model and strategy.
Each of the Directors, whose names and functions are listed in the Board of Directors section of this report, confirms that, to the best of their knowledge:
In the case of each Director in office at the date the Directors’ Report is approved:
For and on behalf of the Board
Mike Maddison
Chief Executive Officer
11 December 2025
Guy Ellis
Chief Financial Officer
11 December 2025
NCC Group plc — Annual report and accounts for the year ended 30 September 202598
In our opinion:
to the members of NCC Group plc
In our opinion, the financial statements of NCC Group plc (the “Company”) and its subsidiaries (the “Group”) give a true and fair view of the state of the Company’s and the Group’s affairs as at 30 September 2025 and of the Group’s profit and the Group’s cash flows for the year then ended; the group financial statements have been properly prepared in accordance with UK-adopted international accounting standards as applied in accordance with the provisions of the Companies Act 2006; the company financial statements have been properly prepared in accordance with United Kingdom Generally Accepted Accounting Practice (United Kingdom Accounting Standards, including FRS 101 “Reduced Disclosure Framework”, and applicable law); and the financial statements have been prepared in accordance with the requirements of the Companies Act 2006.
We have audited the financial statements, included within the Annual report and accounts (the “Annual Report”), which comprise: the Consolidated and Company balance sheets as at 30 September 2025; the Consolidated income statement, the Consolidated statement of comprehensive income, the Consolidated cash flow statement and the Consolidated and Company statements of changes in equity for the year then ended; and the notes to the financial statements, comprising material accounting policy information and other explanatory information.
Our opinion is consistent with our reporting to the Audit Committee.
We conducted our audit in accordance with International Standards on Auditing (UK) (“ISAs (UK)”) and applicable law. Our responsibilities under ISAs (UK) are further described in the Auditors’ responsibilities for the audit of the financial statements section of our report. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.
We remained independent of the Group in accordance with the ethical requirements that are relevant to our audit of the financial statements in the UK, which includes the FRC’s Ethical Standard, as applicable to listed public interest entities, and we have fulfilled our other ethical responsibilities in accordance with these requirements. To the best of our knowledge and belief, we declare that non-audit services prohibited by the FRC’s Ethical Standard were not provided. Other than those disclosed in Audit Committee report, we have provided no non-audit services to the Company or its controlled undertakings in the period under audit.
The scope of our audit
As part of designing our audit, we determined materiality and assessed the risks of material misstatement in the financial statements.
Key audit matters are those matters that, in the auditors’ professional judgement, were of most significance in the audit of the financial statements of the current period and include the most significant assessed risks of material misstatement (whether or not due to fraud) identified by the auditors, including those which had the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team. These matters, and any comments we make on the results of our procedures thereon, were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters. This is not a complete list of all risks identified by our audit.
Recoverability of goodwill in UK and APAC Cyber Security cash generating unit is a new key audit matter this year. Recoverability of goodwill in North America Cyber Security cash generating unit, which was a key audit matter last year, is no longer included because of the goodwill relating to the cash generating unit was fully impaired in the previous year. Otherwise, the key audit matters below are consistent with last year.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 99
Independent auditors’ report continued to the members of NCC Group plc
| Key audit matter | How our audit addressed the key audit matter We reviewed the assessment of the indicators of impairment and compared this assessment to external market factors, the results of the group’s annual goodwill impairment review and the ongoing Cyber and Escode strategic reviews. We compared the carrying value of the investment to the group’s market capitalisation at the reporting date. We reviewed the disclosures included within note 30 of the financial statements and consider these to be appropriate. As a result of these procedures, we were satisfied with the conclusion that no indicators of impairment were identified.
We tailored the scope of our audit to ensure that we performed enough work to be able to give an opinion on the financial statements as a whole, taking into account the structure of the group and the company, the accounting processes and controls, and the industry in which they operate.
The group is split into two main reporting segments being Cyber Security and Escode. These reportable segments are organised into 52 management reporting units in a range of different geographies which are structured mainly across Europe and North America. Certain functions relevant for financial reporting are managed by the group’s head office. The financial statements are a consolidation of the group’s management reporting units and its centralised consolidation entries. As the group is headquartered and its principal finance offices are in Manchester, United Kingdom, the group engagement team is also based in Manchester. All audit work was completed by the group engagement team.
The management reporting units vary in size. We identified one reporting unit (NCC Group Security Services Limited) that required an audit of its complete financial information due to its size. We also identified a further seven management reporting units that required specific audit procedures to be performed over selected financial statement line items which included Fox-IT Holding B.V, NCC Group Security Services Inc, NCC Group Corporate Limited, NCC Group plc, NCC Services Limited, NCC Group (Solutions) Limited, and NCC Group Software Resilience (NA) LLC.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025100 Report on the audit of the financial statements continued
We also performed audit procedures over the consolidation adjustments. The entities where we conducted audit work accounted for approximately 87% (2024: 91%) of the group’s revenue. For the remaining 44 management reporting units which were not subject to further audit procedures, we performed analytical procedures over 10 of these reporting units to respond to any potential risks of material misstatement in the group financial statements. The remaining 34 reporting units were considered to be inconsequential for the group’s financial statements.
Included within above are the management reporting units relating to the group’s Escode business, which has been reclassified as held for sale and presented as a discontinued operation. Our audit scope included performing specific audit procedures relating to the presentation of the Escode business, including Escode specific consolidation adjustments. The parent company is comprised of one reporting unit which was subject to a full scope audit for the purposes of the company financial statements.
We made enquiries of management to understand the process they have adopted to assess the extent of the potential impact of climate risk on the group’s financial statements. The key areas of the financial statements where management evaluated that climate risk has a potential impact are set out in note 1 to the financial statements. The directors have reached the overall conclusion that there has been no material impact on the financial statements for the current period from the potential impact of climate change.
We used our knowledge of the group to challenge management’s assessment. We particularly considered how climate risk would impact the assumptions made in the forecasts prepared by management used in their goodwill impairment analysis, going concern and viability. We also considered the consistency of the disclosures in relation to climate change (including the disclosures in the Non-Financial and Sustainability Information Statement) within the Annual Report with the financial statements and our knowledge obtained from our audit. Our procedures did not identify any material impact in the context of our audit of the financial statements as a whole, or on our key audit matters for the year ended 30 September 2025.
The scope of our audit was influenced by our application of materiality. We set certain quantitative thresholds for materiality. These, together with qualitative considerations, helped us to determine the scope of our audit and the nature, timing and extent of our audit procedures on the individual financial statement line items and disclosures and in evaluating the effect of misstatements, both individually and in aggregate on the financial statements as a whole.
Based on our professional judgement, we determined materiality for the financial statements as a whole as follows:
| Financial statements – group | Financial statements – company | |
|---|---|---|
| Overall materiality | £3,000,000 (2024: 3,200,000) | £3,200,000 (2024: £3,400,000) |
| How we determined it | 1% of total revenue (including discontinued operations) | 1% of total assets |
| Rationale for benchmark applied | We considered materiality in a number of different ways and used our professional judgement having applied ‘rule of thumb’ percentages to a number of potential benchmarks. On the basis of this, we concluded that 1% of total revenue (including discontinued operations) is an appropriate level of materiality considering the overall scale of the business. | The company does not trade and therefore total assets is considered to be the most appropriate benchmark. |
For each component in the scope of our group audit, we allocated a materiality that is less than our overall group materiality. The range of materiality allocated across components was between £879,000 and £2,325,000. Certain components were audited to a local statutory audit materiality that was also less than our overall group materiality.
We use performance materiality to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds overall materiality. Specifically, we use performance materiality in determining the scope of our audit and the nature and extent of our testing of account balances, classes of transactions and disclosures, for example in determining sample sizes.
Our performance materiality was 75% (2024: 75%) of overall materiality, amounting to £2,250,000 (2024: 2,400,000) for the group financial statements and 2,400,0000 (2024: 2,500,000) for the company financial statements. In determining the performance materiality, we considered a number of factors - the history of misstatements, risk assessment and aggregation risk and the effectiveness of controls - and concluded that an amount in the middle of our normal range was appropriate.
We agreed with the Audit Committee that we would report to them misstatements identified during our audit above £150,000 (group audit) (2024: £160,000) and £160,000 (company audit) (2024: £170,000) as well as misstatements below those amounts that, in our view, warranted reporting for qualitative reasons.
Our evaluation of the directors’ assessment of the group’s and the company’s ability to continue to adopt the going concern basis of accounting included:
Based on the work we have performed, we have not identified any material uncertainties relating to events or conditions that, individually or collectively, may cast significant doubt on the group’s and the company’s ability to continue as a going concern for a period of at least twelve months from when the financial statements are authorised for issue. In auditing the financial statements, we have concluded that the directors’ use of the going concern basis of accounting in the preparation of the financial statements is appropriate. However, because not all future events or conditions can be predicted, this conclusion is not a guarantee as to the group’s and the company’s ability to continue as a going concern. In relation to the directors’ reporting on how they have applied the UK Corporate Governance Code, we have nothing material to add or draw attention to in relation to the directors’ statement in the financial statements about whether the directors considered it appropriate to adopt the going concern basis of accounting. Our responsibilities and the responsibilities of the directors with respect to going concern are described in the relevant sections of this report.
The other information comprises all of the information in the Annual Report other than the financial statements and our auditors’ report thereon. The directors are responsible for the other information. Our opinion on the financial statements does not cover the other information and, accordingly, we do not express an audit opinion or, except to the extent otherwise explicitly stated in this report, any form of assurance thereon. In connection with our audit of the financial statements, our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the audit, or otherwise appears to be materially misstated. If we identify an apparent material inconsistency or material misstatement, we are required to perform procedures to conclude whether there is a material misstatement of the financial statements or a material misstatement of the other information. If, based on the work we have performed, we conclude that there is a material misstatement of this other information, we are required to report that fact. We have nothing to report based on these responsibilities. With respect to the Strategic report and Directors’ report, we also considered whether the disclosures required by the UK Companies Act 2006 have been included. Based on our work undertaken in the course of the audit, the Companies Act 2006 requires us also to report certain opinions and matters as described below.
In our opinion, based on the work undertaken in the course of the audit, the information given in the Strategic report and Directors’ report for the year ended 30 September 2025 is consistent with the financial statements and has been prepared in accordance with applicable legal requirements. In light of the knowledge and understanding of the group and company and their environment obtained in the course of the audit, we did not identify any material misstatements in the Strategic report and Directors’ report.
In our opinion, the part of the Annual Report on Remuneration to be audited has been properly prepared in accordance with the Companies Act 2006.
The Listing Rules require us to review the directors’ statements in relation to going concern, longer-term viability and that part of the corporate governance statement relating to the company’s compliance with the provisions of the UK Corporate Governance Code specified for our review. Our additional responsibilities with respect to the corporate governance statement as other information are described in the Reporting on other information section of this report. Based on the work undertaken as part of our audit, we have concluded that each of the following elements of the corporate governance statement, included within the Governance section of the Annual Report is materially consistent with the financial statements and our knowledge obtained during the audit, and we have nothing material to add or draw attention to in relation to:
Our review of the directors’ statement regarding the longer-term viability of the group and company was substantially less in scope than an audit and only consisted of making inquiries and considering the directors’ process supporting their statement; checking that the statement is in alignment with the relevant provisions of the UK Corporate Governance Code; and considering whether the statement is consistent with the financial statements and our knowledge and understanding of the group and company and their environment obtained in the course of the audit. In addition, based on the work undertaken as part of our audit, we have concluded that each of the following elements of the corporate governance statement is materially consistent with the financial statements and our knowledge obtained during the audit:
We have nothing to report in respect of our responsibility to report when the directors’ statement relating to the company’s compliance with the Code does not properly disclose a departure from a relevant provision of the Code specified under the Listing Rules for review by the auditors.
As explained more fully in the Directors’ responsibilities statement, the directors are responsible for the preparation of the financial statements in accordance with the applicable framework and for being satisfied that they give a true and fair view. The directors are also responsible for such internal control as they determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error. In preparing the financial statements, the directors are responsible for assessing the group’s and the company’s ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless the directors either intend to liquidate the group or the company or to cease operations, or have no realistic alternative but to do so.
Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditors’ report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements. Irregularities, including fraud, are instances of non-compliance with laws and regulations. We design procedures in line with our responsibilities, outlined above, to detect material misstatements in respect of irregularities, including fraud. The extent to which our procedures are capable of detecting irregularities, including fraud, is detailed below. Based on our understanding of the group and industry, we identified that the principal risks of non-compliance with laws and regulations related to employment laws in the countries where the group has more significant operations and data protection laws and regulations, and we considered the extent to which non-compliance might have a material effect on the financial statements.We also considered those laws and regulations that have a direct impact on the financial statements such as local and international tax laws and the Companies Act 2006. We evaluated management’s incentives and opportunities for fraudulent manipulation of the financial statements (including the risk of override of controls), and determined that the principal risks were related to posting inappropriate journal entries to overstate financial performance and revenue recognition and management bias within accounting estimates.
Audit procedures performed by the engagement team included:
• discussions with management, the Audit Committee and internal audit, including consideration of known or suspected instances of non-compliance with laws and regulations and fraud;
• reviewing minutes of meetings of those charged with governance;
• auditing the tax computations to evaluate compliance with tax legislation;
• identifying and testing journal entries, in particular any journal entries posted with unusual account combinations impacting revenue recognition;
• challenging assumptions and judgements made by management in their critical accounting estimates and presentation of individually significant items; and
• reviewing financial statement disclosures and testing to supporting documentation where appropriate to assess compliance with applicable laws and regulations.
There are inherent limitations in the audit procedures described above. We are less likely to become aware of instances of non-compliance with laws and regulations that are not closely related to events and transactions reflected in the financial statements. Also, the risk of not detecting a material misstatement due to fraud is higher than the risk of not detecting one resulting from error, as fraud may involve deliberate concealment by, for example, forgery or intentional misrepresentations, or through collusion. Our audit testing might include testing complete populations of certain transactions and balances, possibly using data auditing techniques. However, it typically involves selecting a limited number of items for testing, rather than testing complete populations. We will often seek to target particular items for testing based on their size or risk characteristics. In other cases, we will use audit sampling to enable us to draw a conclusion about the population from which the sample is selected.
A further description of our responsibilities for the audit of the financial statements is located on the FRC’s website at: www.frc.org.uk/auditorsresponsibilities. This description forms part of our auditors’ report.
This report, including the opinions, has been prepared for and only for the company’s members as a body in accordance with Chapter 3 of Part 16 of the Companies Act 2006 and for no other purpose. We do not, in giving these opinions, accept or assume responsibility for any other purpose or to any other person to whom this report is shown or into whose hands it may come save where expressly agreed by our prior consent in writing.
Under the Companies Act 2006 we are required to report to you if, in our opinion:
• we have not obtained all the information and explanations we require for our audit; or
• adequate accounting records have not been kept by the company, or returns adequate for our audit have not been received from branches not visited by us; or
• certain disclosures of directors’ remuneration specified by law are not made; or
• the company financial statements and the part of the Annual Report on Remuneration to be audited are not in agreement with the accounting records and returns.
We have no exceptions to report arising from this responsibility.
Following the recommendation of the Audit Committee, we were appointed by the directors on 7 March 2024 to audit the financial statements for the 16-month period ended 30 September 2024 and subsequent financial periods. The period of total uninterrupted engagement is two periods, covering the period ended 30 September 2024 and the year ended 30 September 2025.
The company is required by the Financial Conduct Authority Disclosure Guidance and Transparency Rules to include these financial statements in an annual financial report prepared under the structured digital format required by DTR 4.1.15R - 4.1.18R and filed on the National Storage Mechanism of the Financial Conduct Authority. This auditors’ report provides no assurance over whether the structured digital format annual financial report has been prepared in accordance with those requirements.
Hazel Macnamara (Senior Statutory Auditor)
for and on behalf of
PricewaterhouseCoopers LLP
Chartered Accountants and Statutory Auditors
Manchester
11 December 2025
| 16 month period ended 30 September 2024 | Year ended 30 September 2025 | ||
|---|---|---|---|
| Note | £m | £m | |
| Revenue | 3 | 238.9 | 342.1 |
| Cost of sales | 3 | (150.5) | (224.1) |
| Gross profit | 3 | 88.4 | 118.0 |
| Administrative expenses | |||
| Individually Significant Items | 4 | (9.5) | (41.4) |
| Depreciation and amortisation | 5 | (14.0) | (21.6) |
| Other administrative expenses | 3 | (82.4) | (112.4) |
| Total administrative expenses | (105.9) | (175.4) | |
| Profit on disposal of Fox Crypto | 4 | 11.4 | — |
| Operating loss | 3 | (6.1) | (57.4) |
| Finance costs | 7 | (4.9) | (8.2) |
| Loss before taxation | 5 | (11.0) | (65.6) |
| Taxation | 8 | 1.9 | (1.6) |
| Loss from continuing operations | (9.1) | (67.2) | |
| Profit from discontinued operations | 16 | 26.2 | 34.7 |
| Profit/(loss) for the year/period attributable to owners of the Company | 17 | 17.1 | (32.5) |
| Loss per ordinary share from continuing operations | |||
| Basic EPS | 10 | (3.0p) | (21.6p) |
| Diluted EPS | 10 | (3.0p) | (21.6p) |
| 16 month period ended 30 September 2024 | Year ended 30 September 2025 | |
|---|---|---|
| Restated * £m | Restated * £m | |
| Profit/(loss) for the year/period attributable to the owners of the Company | 17.1 | (32.5) |
| Other comprehensive loss | ||
| Items that may be reclassified subsequently to profit or loss (net of tax) | ||
| Reclassification of currency translation reserve on disposal of foreign operations | (7.9) | — |
| Foreign exchange translation differences from continuing operations | 4.9 | (2.8) |
| Exchange differences on translation of discontinued operations (Note 16) | (0.1) | (10.2) |
| Total other comprehensive loss | (3.1) | (13.0) |
| Total comprehensive income/(loss) for the year/period (net of tax) attributable to the owners of the Company | 14.0 | (45.5) |
| Total comprehensive income/(loss) for the year/period attributable to owners of the Company arises from: | ||
| Continuing operations | (12.1) | (70.0) |
| Discontinued operations | 26.1 | 24.5 |
| 14.0 | (45.5) |
The accompanying Notes 1 to 32 are an integral part of these Consolidated Financial Statements.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025104
| 30 September 2025 | 30 September 2024 | ||
|---|---|---|---|
| Note | £m | £m | |
| Non-current assets | |||
| Goodwill | 11 | 46.3 | 156.5 |
| Intangible assets | 11 | 3.6 | 89.2 |
| Property, plant and equipment | 12 | 10.5 | 11.6 |
| Right-of-use assets | 13 | 13.8 | 15.7 |
| Deferred tax asset | 15 | 1.0 | 0.6 |
| Total non-current assets | 75.2 | 273.6 | |
| Current assets | |||
| Trade and other receivables | 14 | 31.8 | 32.2 |
| Contract assets | 21 | 19.4 | 20.1 |
| Current tax receivable | 5.5 | 2.9 | |
| Cash and cash equivalents | 22 | 12.5 | 29.8 |
| Derivative financial instruments | 23 | 0.9 | — |
| Assets classified as held for sale | 16 | 198.0 | 61.5 |
| Total current assets | 268.1 | 146.5 | |
| Total assets | 343.3 | 420.1 | |
| Current liabilities | |||
| Trade and other payables | 17 | 43.1 | 46.8 |
| Bank overdraft | 22 | — | 13.6 |
| Lease liabilities | 18 | 4.1 | 5.7 |
| Current tax payable | 0.8 | 1.6 | |
| Derivative financial instruments | 23 | — | 0.8 |
| Provisions | 19 | 0.3 | 1.4 |
| Contract liabilities – deferred revenue | 20 | 25.7 | 50.7 |
| Liabilities directly associated with assets classified as held for sale | 16 | 39.8 | 5.7 |
| Total current liabilities | 113.8 | 126.3 | |
| Non-current liabilities | |||
| Borrowings | 22 | 3.3 | 61.5 |
| Lease liabilities | 18 | 15.4 | 21.9 |
| Deferred tax liabilities | 15 | 0.2 | 0.5 |
| Provisions | 19 | 1.9 | 1.9 |
| Contract liabilities – deferred revenue | 20 | 2.2 | 2.8 |
| Total non-current liabilities | 23.0 | 88.6 | |
| Total liabilities | 136.8 | 214.9 | |
| 206.5 | 205.2 | ||
| Equity | |||
| Share capital | 25 | 3.1 | 3.1 |
| Share premium | 25 | 224.7 | 224.4 |
| Merger reserve | 25 | 42.3 | 42.3 |
| Currency translation reserve | 25 | 21.4 | 24.5 |
| Retained earnings | 25 | (85.0) | (89.1) |
| Total equity | 206.5 | 205.2 |
The accompanying Notes 1 to 32 are an integral part of these consolidated Financial Statements.
These Financial Statements were approved and authorised for issue by the Board of Directors on 11 December 2025. They were signed on its behalf by:
Mike Maddison Guy Ellis
Chief Executive Officer Chief Financial Officer
11 December 2025 11 December 2025
Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 105
| 16 month period ended 30 September 2024 | Year ended 30 September 2025 | ||
|---|---|---|---|
| Note | £m | £m | |
| Cash flows from operating activities | |||
| Loss for the year/period of continuing operations | (9.1) | (67.2) | |
| Profit for the year/period from discontinued operations | 16 | 26.2 | 34.7 |
| Profit/(loss) for year/period including discontinued operations | 17 | 17.1 | (32.5) |
| Adjustments for: | |||
| Depreciation of property, plant and equipment | 12 | 4.3 | 5.4 |
| Depreciation of right-of-use assets | 13 | 5.5 | 8.1 |
| Amortisation of customer contracts and relationships | 11 | 8.1 | 12.5 |
| Amortisation of software and development costs | 11 | 2.1 | 3.3 |
| Impairment of goodwill | 11 | — | 31.1 |
| Currency £m | Share capital £m | Share premium £m | Merger reserve £m | Retained earnings £m | Total £m |
|---|---|---|---|---|---|
| Balance at 1 June 2023 | 3.1 | 224.1 | 42.3 | (28.8) | 278.2 |
| Loss for the period | — | — | — | (32.5) | (32.5) |
| Foreign currency translation differences | — | — | — | (13.0) | (13.0) |
| Total comprehensive loss for the period | — | — | — | (13.0) | (32.5) |
| Transactions with owners recorded directly in equity | |||||
| Dividends to equity shareholders | 9 | — | — | — | (24.3) |
| Share-based payments | 24 | — | — | — | 2.3 |
| Acquisition of treasury shares | — | — | — | (5.8) | |
| Shares issued | 25 | — | 0.3 | — | — |
| Total contributions by and distributions to owners | — | 0.3 | — | (27.8) | |
| Balance at 30 September 2024 | 3.1 | 224.4 | 42.3 | (89.1) | 205.2 |
| Profit for the year | — | — | — | 17.1 | 17.1 |
| Reclassification of currency translation reserve on disposal of foreign operations | 31 | — | — | (7.9) | — |
| Foreign currency translation differences | — | — | — | 4.8 | — |
| Total comprehensive (loss)/income for the year | — | — | — | (3.1) | 17.1 |
| Transactions with owners recorded directly in equity | |||||
| Dividends to equity shareholders | 9 | — | — | — | (9.2) |
| Share-based payments | 24 | — | — | — | 2.1 |
| Current and deferred tax on share-based payments | — | — | — | (0.1) | |
| Acquisition of treasury shares | — | — | — | (5.8) | |
| Shares issued | 25 | — | 0.3 | — | — |
| Total contributions by and distributions to owners | — | 0.3 | — | (13.0) | |
| Balance at 30 September 2025 | 3.1 | 224.7 | 42.3 | 21.4 | (85.0) |
The accompanying Notes 1 to 32 are an integral part of these consolidated Financial Statements.
| Company no: 04627044 | Note | 30 September 2025 £m | 30 September 2024 £m |
|---|---|---|---|
| Non-current assets | |||
| Investments in subsidiary undertakings | 30 | 293.2 | 291.1 |
| Trade and other receivables | 14 | 34.2 | 43.1 |
| Total non-current assets | 327.4 | 334.2 | |
| Current assets | |||
| Cash and cash equivalents | 22 | — | 9.8 |
| Total current assets | — | 9.8 | |
| Total assets | 327.4 | 344.0 | |
| Current liabilities | |||
| Trade and other payables | 17 | — | 9.9 |
| Total current liabilities | — | 9.9 | |
| Total liabilities | — | 9.9 | |
| Net assets | 327.4 | 334.1 | |
| Equity | |||
| Share capital | 25 | 3.1 | 3.1 |
| Share premium | 25 | 224.7 | 224.4 |
| Merger reserve | 25 | 42.3 | 42.3 |
| Retained earnings | 25 | 57.3 | 64.3 |
| Total equity | 327.4 | 334.1 |
During the year ended 30 September 2025, the Parent Company reported a profit of £0.1m (2024: £38.7m). The accompanying Notes 1 to 32 are an integral part of these Financial Statements.
These Financial Statements were approved and authorised for issue by the Board of Directors on 11 December 2025. They were signed on its behalf by:
Mike Maddison
Chief Executive Officer
11 December 2025
Guy Ellis
Chief Financial Officer
11 December 2025
| Note | Share capital £m | Share premium £m | Merger reserve £m | Retained earnings £m | Total £m |
|---|---|---|---|---|---|
| Balance at 1 June 2023 | 3.1 | 224.1 | 42.3 | 47.6 | 317.1 |
| Profit for the period | — | — | — | 38.7 | 38.7 |
| Total comprehensive income for the period | — | — | — | 38.7 | 38.7 |
| Transactions with owners recorded directly in equity | |||||
| Dividends to equity shareholders | 9 | — | — | (24.3) | (24.3) |
| Increase in subsidiary investment for share-based charges | — | — | 2.3 | 2.3 | |
| Shares issued | 25 | — | 0.3 | — | 0.3 |
| Total contributions by and distributions to owners | — | 0.3 | — | (22.0) | |
| Balance at 30 September 2024 | 3.1 | 224.4 | 42.3 | 64.3 | 334.1 |
| Profit for the year | — | — | — | 0.1 | 0.1 |
| Total comprehensive income for the year | — | — | — | 0.1 | 0.1 |
| Transactions with owners recorded directly in equity | |||||
| Dividends to equity shareholders | 9 | — | — | (9.2) | (9.2) |
| Increase in subsidiary investment for share-based charges | — | — | 2.1 | 2.1 | |
| Shares issued | 25 | — | 0.3 | — | 0.3 |
| Total contributions by and distributions to owners | — | 0.3 | — | (7.1) | |
| Balance at 30 September 2025 | 3.1 | 224.7 | 42.3 | 57.3 | 327.4 |
The accompanying Notes 1 to 32 are an integral part of these Financial Statements.
NCC Group plc (the “Company”) is a public company incorporated in the UK, with its registered office at XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester M3 3AQ. The Group Financial Statements consolidate those of the Company and its subsidiaries (together referred to as the “Group”). NCC Group plc is a listed public company, limited by shares, and the Company registration number is 04627044. The principal activity of the Group is the provision of independent advice and services to customers through the supply of Cyber Security and Escode services. The Parent Company Financial Statements present information about the Company as a separate entity and not about the Group. These Financial Statements have been approved for issue by the Board of Directors on 11 December 2025. The Group Financial Statements have been prepared and approved by the Directors in accordance with UK-adopted International Accounting Standards (UK-adopted IFRS) and with the requirements of the Companies Act 2006 as applicable to companies reporting under those standards. The Parent Company Financial Statements have been prepared in accordance with FRS 101 ‘Reduced Disclosure Framework’ (FRS 101), under the historical cost convention, and in accordance with the Companies Act 2006 and other applicable law. The Company transitioned from UK-adopted International Financial Reporting Standards to FRS 101 in the prior period. The impact of this transition on the net assets of the Parent Company was £nil, as disclosed in the prior period Financial Statements. As permitted by FRS 101, the Parent Company has taken advantage of the disclosure exemptions available under that standard in relation to standards not yet effective and presentation of a cash flow statement. The accounting policies adopted for the Parent Company are otherwise consistent with those used for the Group as set out within this note.# Material accounting policies
The Company has also taken advantage of the following disclosure exemptions under FRS 101:
* The requirements of paragraphs 91–99 of IFRS 13 ‘Fair Value Measurement’
* The requirements of IFRS 7 ‘Financial Instruments: Disclosure’
* The requirements of 45(b) and 46–52 of IFRS 2 ‘Share-based Payment’
* The requirements in IAS 24 ‘Related Party Disclosures’ to disclose related party transactions entered into between two or more members of a group, provided that any subsidiary which is a party to the transaction is wholly owned by such a member
On publishing the Parent Company Financial Statements here together with the Group Financial Statements, the Company is also taking advantage of the exemption in section 408 of the Companies Act 2006 not to present its individual Income Statement and related notes that form a part of these approved Financial Statements.
The accounting policies set out below have, unless otherwise stated, been applied consistently to all periods presented in these Financial Statements.
The Directors have reviewed the potential impact of climate change and the Task Force on Climate-related Financial Disclosures (TCFD) on the consolidated Financial Statements. During the year, the Group has reviewed its materiality assessment to identify which environmental, social and governance issues are most material and significant to the NCC Group business and stakeholders to aid our commitment to achieving net zero by 2050. Our overall exposure to physical and transitional climate change is considered low in the short to medium term due to the nature of the business and cyber assurance industry. The Group continues to evolve its sustainability agenda with further details on its short, medium, medium to long and long-term goals contained within the Non-Financial and Sustainability Information Statement on page 18 of the Annual Report.
The Directors have considered climate change in the following areas of the consolidated Financial Statements (including critical accounting judgements and key sources of estimation uncertainty), noting no material financial impact in each area:
* Going concern assessment
* Property, plant and equipment – economic life and residual values
* Impairment of assets (including right-of-use assets) – the impact of environmental change on growth rates and projected cash flows
* Provisions – recognition of new liabilities or contingent liabilities arising from climate change and the Group physical and transition risks of:
* Greenhouse gas emissions – increased costs associated with more taxes and levies
* Move to net zero – increased costs required to lower emissions
* Margin risk – impact on delivery day rates and associated erosion of profit margin due to increased costs
* Reputational risk – failure to comply with regulations resulting in negative impact on the Group
* Supply chain – increased supply costs and delayed deliveries impacting customer contracts/provision of services
* Extreme weather or rising sea levels – reduction in revenue and increased costs
* Fair value measurement – climate change variables being incorporated into market participant valuations
* Financial instruments – expected credit losses and risk of default on Group borrowings (RCF and term loan)
At the date of authorisation of these Financial Statements, the following new accounting pronouncements have been issued and are effective from 1 January 2025:
* Amendments to IAS 21 ‘The Effects of Changes in Foreign Exchange Rates’, issued in August 2023 and effective from 1 January 2025
These IFRSs are not expected to have a material impact on the Group’s consolidated or the Company’s financial position or performance.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025110
1 Material accounting policies continued
In addition to the above, the following new accounting pronouncements have also been issued which are not yet effective, but the Group is not expecting them to have a significant impact on the Group’s consolidated Financial Statements:
* IFRS 19 ‘Subsidiaries without Public Accountability: Disclosures’, issued in May 2024 and effective from 1 January 2027
* Amendments to IFRS 9 ‘Financial Instruments’ and IFRS 7 ‘Financial Instruments: Disclosures’, issued in May 2024 and effective from 1 January 2026
* Annual improvements to the following IFRS Accounting Standards – amendments to: IFRS 1 ‘First-time Adoption of International Financial Reporting Standards’, IFRS 10 ‘Consolidated Financial Statements’ and IAS 7 ‘Statement of Cash Flows’, issued in July 2024 and effective from 1 January 2026
In addition to the above new standards, the Group also continues to evaluate the potential impact from IFRS 18 ‘Presentation and Disclosure in Financial Statements’, issued in April 2024 and effective from 1 January 2027.
The consolidated Financial Statements have been prepared on the historical cost basis except for the revaluation of certain financial instruments.
The Group and Company Financial Statements are presented in millions of Pounds Sterling (£m) because that is the currency of the principal economic environment in which the Group operates. Items included in the Financial Statements of each of the Group’s entities are measured using the currency of the primary economic environment in which the entity operates (the “functional currency”).
At the time of approving the Financial Statements, the Board of Directors is required to formally assess that the business has adequate resources to continue in operational existence and as such can continue to adopt the “going concern” basis of accounting. To support this assessment, the Board is required to consider the Group’s current financial position, its strategy, the market outlook, and its principal risks. The Group’s business activities, together with the factors likely to affect its future development, performance and position, are set out in the Business Review and Financial Review. The Group’s financial position, cash and borrowing facilities are also described within these sections.
The Financial Statements have been prepared on a going concern basis which the Directors consider to be appropriate for the following reasons. The Directors have prepared cash flow and covenant compliance forecasts for 12 months from the date of approval of the Financial Statements which indicate that, taking account of severe but plausible downsides on the operations of the Group and its financial resources, the Group will have sufficient funds to meet its liabilities as they fall due for that period. The going concern period is required to cover a period of at least 12 months from the date of approval of the Financial Statements and the Directors still consider this 12 month period to be an appropriate assessment period due to the Group’s financial position and trading performance and that its current borrowing facilities do not expire until April 2029 (following the Group successfully refinancing in April 2025 – see below and Note 22). The Directors have considered whether there are any significant events beyond the 12 month period which would suggest this period should be longer but have not identified any such conditions or events.
In April 2025, the Group refinanced its borrowing arrangements by entering into a new four year £120m multi-currency revolving credit facility (RCF), with an uncommitted £50m accordion option. This new unsecured facility replaces the previous £162.5m RCF (which was in existence as at 30 September 2024), which was due to expire in December 2026 and included an uncommitted accordion option of up to £75m. The uncommitted accordion option has not been included in the Group’s going concern assessment as it remains subject to lender approval and is therefore not guaranteed at the date of approval of these Financial Statements.
As of 30 September 2025, net cash (excluding lease liabilities) was £13.1m, comprising cash and cash equivalents of £16.4 m, a bank overdraft of £nil, and a drawn revolving credit facility of £5.2m (excluding £1.9 m of unamortised borrowing fees). The Group also had £114.8 m of undrawn committed facilities, excluding an uncommitted accordion facility of £50.0 m. The Group’s day-to-day working capital requirements are met through existing cash resources, the revolving credit facility and receipts from its continuing business activities.
The Group is required to comply with financial covenants for leverage (net debt to Adjusted EBITDA)¹ and interest cover (Adjusted EBITDA¹ to interest charge) that are tested bi-annually on 31 March and 30 September each year. As of 30 September 2025, leverage amounted to 0.0x and net interest cover amounted to 8.1x compared to a maximum of 3.0x and a minimum of 3.5x respectively. The terms and ratios are specifically defined in the Group’s banking documents (in line with normal commercial practice) and are materially similar to amounts noted in these Financial Statements with the exceptions being net debt which excludes IFRS 16 lease liabilities and Adjusted EBITDA¹. The Group was in compliance with the terms of all its facilities during the year, including the financial covenants on 30 September 2025, and, based on forecasts, expects to remain in compliance over the going concern period. In addition, the Group has not sought or is not planning to seek any waivers to its financial covenants noted above.
Management has performed base case modelling derived from the FY26 Board-approved budget and forecasts beyond this budgeted period, reflecting scenarios both with and without the potential disposal of its Escode business (incorporating any associated impact on the Group’s banking facilities and expected net cash position).# NCC Group plc — Annual report and accounts for the year ended 30 September 2025
In addition, management has prepared forecasts reflecting severe but plausible downside scenarios, considering the principal risks faced by the Group, such as the loss of key customers and further reductions in the Group’s Technical Assurance Services (‘TAS’) Cyber business. These forecasts, including all scenarios modelled, have been reviewed by the Directors, support their expectation that the Group will operate within its available committed banking facilities and meet its liabilities as they fall due throughout the assessment period. The assumptions underpinning these forecasts (and severe yet plausible downside scenarios) are set out in more detail in the Viability Statement on pages 38 and 39.
Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Group will have sufficient funds to meet its liabilities as they fall due for a period of at least 12 months from the date of approval of Financial Statements. This period is referred to as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 30 September 2025.
Additionally, the Group remains in the early stages of reviewing a number of strategic options for its Cyber business, however no decision has been made on which option will be pursued as of 11 December 2025. Accordingly, no material uncertainties have been identified that would cast significant doubt on the Group’s ability to continue as a going concern in relation to this ongoing process.
From a Company perspective, the Company places reliance on other Group trading entities for financial support. The Company controls these Group entities and therefore has the ability to direct the financial activities of the Group. Having reviewed the current trading performance, forecasts, debt servicing requirements, total facilities and risks, the Directors are confident that the Company and the Group will have sufficient funds to continue to meet their liabilities as they fall due for a period of at least 12 months from the date of approval of these consolidated Financial Statements, which is determined as the going concern period. Accordingly, the Directors continue to adopt the going concern basis of accounting in preparing the Group’s Financial Statements for the year ended 30 September 2025.
There are no post-Balance Sheet events which the Directors believe will negatively impact the going concern assessment.
1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
Business combinations are accounted for by applying the acquisition method at the acquisition date, which is the date on which control is transferred to the Group. The Group controls an entity when the Group is exposed to, or has rights to, variable returns from its involvement with the entity and has the ability to affect those returns through its power over the entity.
The Group measures goodwill at the acquisition date as:
When the excess is negative, a bargain purchase gain is recognised immediately in profit or loss. The consideration transferred does not include amounts related to the settlement of pre-existing relationships. Such amounts are generally recognised in the Income Statement. Costs related to the acquisition, other than those associated with the issue of debt or equity securities, are expensed as incurred.
Any deferred or contingent consideration payable is recognised at fair value at the acquisition date. If the contingent consideration is classified as equity, it is not remeasured, and settlement is accounted for within equity. Otherwise, subsequent changes to the fair value of contingent consideration are recognised in the Income Statement.
On a transaction-by-transaction basis, the Group elects to measure non-controlling interests either at their fair value or at their proportionate interest in the recognised amount of the identifiable net assets of the acquiree at the acquisition date.
The results of subsidiaries acquired or disposed of during the period are included in the Consolidated Income Statement from the effective date of acquisition or up to the effective date of disposal, as applicable. Comparatives are only restated if a disposed business meets the definition of a discontinued operation under IFRS 5 ‘Non-current Assets Held for Sale and Discontinued Operations’. This restatement occurs only when the disposal represents a separate major line of business or geographical area, or is part of a single co-ordinated plan to dispose of such a line or area.
Subsidiaries are entities controlled by the Group. The Financial Statements of subsidiaries are included in the consolidated Financial Statements from the date that control commences until the date that control ceases. Control is achieved where the Company has the power to govern the financial and operating policies of an investee entity so as to obtain benefits from its activities. Intercompany transactions and balances between subsidiaries are eliminated on consolidation.
Goodwill represents the amounts arising from the acquisition of subsidiaries, as well as from the acquisition of trade and assets. In respect of business acquisitions that have occurred since 1 June 2004, goodwill represents the difference between the cost of the acquisition and the fair value of the net identifiable assets acquired including identifiable intangible assets. Identifiable intangibles are those which can be sold separately, or which arise from legal rights regardless of whether those rights are separable.
Goodwill is stated at cost less any accumulated impairment losses. Goodwill is allocated to cash generating units (CGUs) and is not amortised but is tested annually for impairment. In respect of equity accounted investees, the carrying amount of goodwill is included in the carrying amount of the investment in the investee.
Expenditure on research activities is recognised in the Income Statement as an expense as incurred. Expenditure on development activities is capitalised as “development costs” if the product or process is technically and commercially feasible, if the Group has the technical ability and sufficient resources to complete development, if future economic benefits are probable and if the Group can measure reliably the expenditure attributable to the intangible asset during its development. Development activities involve a plan or design for the production of new or substantially improved products or processes. Subsequent expenditure is capitalised only when it increases the future economic benefits embodied in the specific asset to which it relates. All other expenditure, including expenditure on internally generated goodwill, is recognised in the Income Statement as an expense as incurred.
The Group capitalises software costs in accordance with the criteria of IAS 38. Software costs comprise third party costs and internal colleague time costs for internal system developments. Capitalised amounts are initially measured at cost and amortised on a straight-line basis over the period for which the developed system is expected to be in use as a business platform.
Software costs incurred as part of a service agreement are only capitalised when it can be evidenced that the Group has control over the resources defined in the arrangement. The expenditure capitalised includes the cost of materials, direct labour, overhead costs that are directly attributable to preparing the asset for its intended use and capitalised borrowing costs. Other development expenditure is recognised in the Consolidated Income Statement as an expense as incurred. Software costs are stated at cost less accumulated amortisation and less accumulated impairment losses.
When the Group incurs customisation and configuration costs, as part of a service agreement for Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS), judgement is applied in assessing whether the Group has control over the resources defined in the arrangement. These costs are treated in accordance with the March 2019 IFRIC update with regard to the Customer’s Right to Receive Access to the Supplier’s Software Hosted on the Cloud (IAS 38 ‘Intangible Assets’) and the IFRIC interpretation ratified by the Interpretations Committee in April 2021 with regard to Configuration or Customisation Costs in a Cloud Computing Arrangement, as follows:
NCC Group plc — Annual report and accounts for the year ended 30 September 2025112
Notes to the Financial Statements continued
for the year ended 30 September 2025
1 Material accounting policies continued
Software costs continued# Material accounting policies
Expenditure on internally generated goodwill is recognised in the Income Statement as an expense as incurred. Intangible assets that are acquired by the Group are stated at cost less accumulated amortisation and less accumulated impairment losses.
Amortisation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of intangible assets unless such lives are indefinite. Intangible assets with an indefinite useful life and goodwill are systematically tested for impairment at each Balance Sheet date. Intangible assets are amortised from the date they are available for use. The estimated useful lives are as follows:
The carrying amounts of the Group’s non-financial assets, other than deferred tax assets, are reviewed at each reporting date to determine whether there is any indication of impairment. If any such indication exists, then the asset’s recoverable amount is estimated. For goodwill, and intangible assets that have indefinite useful lives or that are not yet available for use, the recoverable amount is estimated each year at the same time. The Group performed its annual impairment review at 30 September 2025.
The recoverable amount of an asset or cash generating unit is the greater of its value in use (VIU) and its fair value less costs to sell (FVLCTS). FVLCTS has been used for all CGUs for the year ended 30 September 2025 and the comparative period for the period ended 30 September 2024. The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA ¹, and applying a reasonable market multiple on the calculated sustainable earnings.
For the purpose of impairment testing, assets that cannot be tested individually are grouped together into the smallest group of assets that generates cash inflows from continuing use that are largely independent of the cash inflows of other assets or groups of assets (the “cash generating unit”). The goodwill acquired in a business combination, for the purpose of impairment testing, is allocated to cash generating units (CGUs). Subject to an operating segment ceiling test, for the purposes of goodwill impairment testing, CGUs to which goodwill has been allocated are aggregated so that the level at which impairment is tested reflects the lowest level at which goodwill is monitored for internal reporting purposes. Goodwill acquired in a business combination is allocated to groups of CGUs that are expected to benefit from the synergies of the combination.
An impairment loss is recognised if the carrying amount of an asset or its CGU exceeds its estimated recoverable amount. Impairment losses are recognised in the Income Statement. Impairment losses recognised in respect of CGUs are allocated first to reduce the carrying amount of any goodwill allocated to the units, and then to reduce the carrying amounts of the other assets in the unit (group of units) on a pro rata basis. An impairment loss in respect of goodwill is not reversed.
In respect of other assets, impairment losses recognised in prior periods are assessed at each reporting date for any indications that the loss has decreased or no longer exists. An impairment loss is reversed if there has been a change in the estimates used to determine the recoverable amount. An impairment loss is reversed only to the extent that the asset’s carrying amount does not exceed the carrying amount that would have been determined, net of depreciation or amortisation, if no impairment loss had been recognised.
¹ Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
A related party is a person or entity that is related to the Group or Company. Related party transactions are the transfer of resources, services or obligations between parties regardless of whether a price is charged. In these circumstances, the Group or Company will disclose the nature of the related party relationship as well as information about the transactions and outstanding balances necessary for an understanding of the potential effect of the relationship on the Financial Statements in accordance with IAS 24 ‘Related Party Transactions’.
Property, plant and equipment assets are carried at cost less accumulated depreciation and any recognised impairment in value. To the extent that borrowing costs relate to the acquisition, construction or production of a qualifying asset, borrowing costs are capitalised as part of the cost of that asset.
Depreciation is charged to the Income Statement on a straight-line basis over the estimated useful economic lives of each part of an item of plant and equipment as follows:
Property, plant and equipment is also tested for impairment whenever there is an indication of potential impairment.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 113
1 Material accounting policies continued
At inception of a contract, the Group assesses whether a contract is, or contains, a lease. A contract is, or contains, a lease if the contract conveys the right to control the use of an identified asset for a period of time in exchange for consideration. To assess whether a contract conveys the right to control the use of an identified asset, the Group assesses whether:
The Group recognises a right-of-use asset and a lease liability at the lease commencement date. The right-of-use asset is initially measured at cost, which comprises the initial amount of the lease liability adjusted for any lease payments made at or before the commencement date, and an estimate of costs to dismantle and remove the underlying asset or to restore the underlying asset or the site on which it is located, less any lease incentives received. The right-of-use asset is subsequently depreciated using the straight-line method from the commencement date to the earlier of the end of the useful life of the right-of-use asset or the end of the lease term. The estimated useful lives of right-of-use assets are determined on the same basis as those of property, plant and equipment. In addition, the right-of-use asset is periodically reduced by impairment losses, if any, and adjusted for certain remeasurements of the lease liability.
The lease liability is initially measured at the present value of the lease payments that are not paid at the commencement date, discounted using the interest rate implicit in the lease or, if that rate cannot be readily determined, the Group’s incremental borrowing rate. The lease liability is measured at amortised cost using the effective interest method. It is remeasured when there is a change in future lease payments arising from a change in an index or rate, if there is a change in the Group’s estimate of the amount expected to be payable, or if the Group changes its assessment of whether it will exercise a purchase, extension or termination option. When the lease liability is remeasured in this way, a corresponding adjustment is made to the carrying amount of the right-of-use asset or is recorded in the Income Statement if the carrying amount of the right-of-use asset has been reduced to zero.
The Group has elected not to recognise right-of-use assets and lease liabilities for short-term leases that have a lease term of 12 months or less and leases of low value assets, including certain IT equipment. The Group recognises the lease payments associated with these leases as an expense on a straight-line basis over the lease term. Lease rental costs in respect of short-term leases (less than one year) and low value assets which are exempt from being accounted for under IFRS 16 are charged to the Income Statement on a straight-line basis over the period of the lease.
Investments in subsidiaries are carried at cost less impairment. Investments in property and unlisted shares are carried at cost less impairment, which is based on the fair value at acquisition.# Financial instruments
Financial assets and financial liabilities, in respect of financial instruments, are recognised in the Group and Parent Company Balance Sheet when the Group or Company becomes a party to the contractual provisions of the instrument.
Classification of financial assets is generally based on the business model in which the financial asset is managed and its contractual cash flow characteristics. A financial asset is measured at amortised cost if it is held with the objective of collecting the contractual cash flows and its contractual terms give rise on specified dates to cash flows that are solely payments of principal and interest on the principal amount outstanding. All other financial assets are measured at fair value through other comprehensive income or the Income Statement.
Trade and other receivables are classified as financial assets at amortised cost in accordance with IFRS 9 ‘Financial Instruments’. This classification is applied to receivables such that the asset is to collect contractual cash flows. Trade and other receivables are initially recognised at their fair value, which is typically the transaction price. Subsequently, these assets are measured at amortised cost, less any provision for expected credit losses (ECLs). Under the IFRS 9 “expected credit loss” model, a credit event (or impairment “trigger”) no longer needs to occur before credit losses are recognised. The Group analyses the risk profile of trade receivables based on past experience and an analysis of the receivables’ current financial position, potential for a default event to occur, adjusted for specific factors, forward-looking general economic conditions of the industry in which the receivables operate, and assessment of both the current and the forecast direction of conditions at the reporting date. A default event is considered to occur when information is obtained that indicates that a receivable is unlikely to be paid to the Group. Credit risk is regularly reviewed by management to ensure the expected credit loss (ECL) model is being appropriately applied. The Group has performed the calculation of ECL separately for each business unit.
Trade payables are other financial liabilities initially measured at fair value and subsequently measured at amortised cost.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
114
Notes to the Financial Statements continued
for the year ended 30 September 2025
1 Material accounting policies continued
Interest-bearing bank loans are initially recorded at their fair value and subsequently held at amortised cost. Transaction costs incurred are amortised over the term of the loan.
Assets are classified as held for sale if their carrying amount is to be recovered principally through a sale transaction rather than through continuing use. This condition is regarded as met only when the sale is highly probable within one year from the date of classification and the assets are available for sale in their present condition. Assets held for sale are stated at the lower of the carrying amount and fair value less costs to dispose.
A discontinued operation is a component of the Group that has been disposed of or is classified as held for sale and represents a separate major line of business or geographical area of operation. In accordance with IFRS 5, the post-tax results of discontinued operations and any post-tax gain or loss on disposal or remeasurement to fair value less costs to sell are presented as a single amount in the Consolidated Income Statement. When classified as held for sale, the assets and liabilities of discontinued operations are presented separately in the Consolidated Balance Sheet. Cash flows relating to discontinued operations are disclosed separately in Note 16, including operating, investing and financing activities. Further disclosures, including a breakdown of the Income Statement components and earnings per share from discontinued operations, are provided in the Notes to the Financial Statements.
The Group provides independent global Cyber Security and Escode services.
During the 16 month period ended 30 September 2024, as part of the Group’s ongoing transformation and the implementation of its new strategy, the Group began to analyse Cyber Security revenue in greater detail by service type and capability, which replaced the previous revenue streams of Global Managed Services (GMS) and Global Professional Services (GPS), as reflected within the prior year segmental information note (Note 3). This change in analysis enables the Group to better focus on existing customers, as well as on simplifying operations and the core services it provides. During the year ended 30 September 2025, the Group has updated its revenue recognition policy to better align with the revenue streams disclosed in Note 3 (segmental information). This update has no impact on the timing or recognition of revenue under IFRS 15 for the current year or prior period. The revenue streams in relation to Cyber Security include:
The revenue streams in relation to Escode include:
While the detailed recognition is contract specific, and set out in the table on pages 116 to 119, in most cases:
Revenue is presented net of VAT and other sales related taxes. Revenue is measured based on the consideration specified in a contract with a customer. The Group recognises revenue when it transfers control over a good or service to a customer. The Group does not have any material obligations in respect of returns, refunds or warranties. The impact of any financing component within contracts with customers has been assessed and concluded to be immaterial. On contract inception, the probability of collectability is assessed across the Group and, unless there is a significant change in facts and circumstances, revenue is recognised. During the year or prior period, no instances have been identified where the collectability has had to be reassessed, nor have there been any new contracts with customers for which the collection of consideration has not been assessed at inception as probable.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
115
1 Material accounting policies continued
The following table provides information about the nature and timing of the satisfaction of performance obligations in contracts with customers by reportable segment, including significant payment terms, and the related revenue recognition policies.
| Revenue stream | Nature | Timing of satisfaction of performance obligations and significant payment terms | Revenue recognition policies, including determination of transaction price and rationale |
|---|---|---|---|
| Cyber Security | |||
| Managed Services (MS) | These services provide operational cyber defence, scanning, simulation and managed security operations centres (SOCs). | The customer will benefit from the services over the period of the contract. Services are typically for an extended delivery duration, with contract lengths varying up to a maximum of five years. | The amount of revenue recognised in relation to the software licence(s) depends on whether the Group acts as an agent or as a principal. The Group acts as principal when the Group controls the specified software licence or service prior to transfer (MSP model). Where an MSP model is selected by the customer, the transaction price is determined by a contract price (cost plus mark-up). When the Group acts as a principal the revenue recorded is the gross amount billed. The transaction price is determined by a contract price (cost plus mark-up). |
| Digital Forensics and | Incident response including rapid global support during and after cyber attacks. | ||
| Incident Response | |||
| (DFIR) | |||
| Technical Assurance | Global Cyber Security consultancy services. | ||
| Services (TAS) and | |||
| Consulting and | |||
| Implementation (C&I) | |||
| Other services | Sale of own manufactured and/or resale of third party products. | ||
| Escode | |||
| Escrow contract | Securely maintain in “escrow” the long-term availability of business-critical software and applications. | ||
| services | |||
| Verification services | Verify source code, and provide a fully managed secure service and result validation. |
Revenue recognition policies, including determination of transaction price and rationale
| Revenue stream | Nature | Terms |
|---|---|---|
| Cyber Security continued | ||
| Managed Services (MS) continued | ||
| The set-up fees are based on day rates incurred (defined by an in-house day rate sales pricing matrix). Accordingly, the charge out rates are recognised and allocated to these tasks when performed akin to technical professional day rate services. These rates are considered to be the standalone selling prices and are not discounted or reduced for other services. | ||
| Post-go-live fees are recognised on delivery of consultancy services over time as the customer obtains incremental benefit from the hours provided. Revenue is recognised on an input basis (day rates) to measure the satisfaction of performance obligations over time. Transaction price is determined by fixed contract rates based upon day rates and number of post-go-live consultancy days. | ||
| Where one performance obligation, being a combined monitoring cyber and licence service, is identified in relation to the MSP model monitoring service, revenue is recognised over the contract length as the software and monitoring process is an overall service, whereby the Group retains control of the licence and provides a complete monitoring service to the customer. If the customer cancels the contract, the Group will retain control of the licence. | ||
| Where separate performance obligations are identified for monitoring services and the licence, revenue is recognised over the period the respective services are offered, in line with the underlying contract. The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily and therefore revenue is recognised on straight-line basis as the performance obligation is satisfied over time. The transaction price is determined by fixed contract rates for the services. | ||
| Revenue in relation to the reseller model monitoring service is recognised over the contract length on a straight-line basis as the performance obligation is satisfied over time. The customer benefits from a 24/7 monitoring service whereby benefit is obtained daily on straight-line basis. | ||
| Where the Group provides professional services, the revenue recognition (including the determination of transaction prices) is the same as described within the TAS and C&I revenue recognition policy. | ||
| Digital Forensics and Incident Response (DFIR) | DFIR services provide rapid global support during and after cyber attacks, minimising disruption, containing threats, protecting data and enabling swift recovery. DFIR contracts are generally structured on a retainer basis, providing customers with access to DFIR services over a defined contractual period. | The provision of DFIR services on a retainer basis constitutes a series of distinct services that are substantially the same and have the same pattern of transfer to the customer. One performance obligation is identified. Accordingly, revenue is recognised on a straight-line basis over the contractual period. The customer will benefit from the services over the period of the contract. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. |
| Cyber Security continued | ||
| Technical Assurance Services (TAS) and Consulting and Implementation (C&I) | These revenue streams represent the Group’s core consulting services, delivered by consultants providing Cyber Security services to customers either over time or based on specific deliverables. Namely: • TAS provides proactive defence of digital assets through vulnerability assessments, penetration testing, adversary simulation, training, third party | For annuities, the customer simultaneously receives the benefits of the services provided by the Group over the contract term and one promise (performance obligation) is identified. The performance obligation is satisfied evenly over the length of the contract. For fixed price contracts, the customer simultaneously receives and consumes the benefits over time as services |
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are based on the residual approach. This is assessed by customer is supplied with treated as separate reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is customer and provides the acting as an agent, and the Group does not control the Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from access to the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the available and the promise to transfer the goods or service timing of satisfaction of is distinct. performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
The proposition often provides Group generally recognises transaction price for the overall service is outlined within the customer with the software three performance obligations: the customer contract. In certain scenarios, the contract licence(s) to enable these • Set-up fees will outline the price for each performance obligation, services to occur. which is considered to be the standalone selling price of • Combined monitoring cyber the services/goods, and the transaction price is allocated On this basis, the Group and licence service to each performance obligation on this basis. Where the operates two types of contracts: • Post-go-live fees contract does not stipulate the price per performance Where the licence and obligation, management determines the relative • A Managed Service Provider monitoring services terms are standalone selling price for each performance obligation (MSP) model whereby the not coterminous, they are considered to be separate based on the residual approach. This is assessed by customer is supplied with treated as separate performance obligations. reference to the total transaction price less the sum of the one complete integrated performance obligations. observable standalone selling prices of the other services service including the promised in the contract. The contract transaction price is software licence(s) The MSP model is considered allocated to each performance obligation in proportion to • A reseller model whereby the to be under a principal those standalone selling prices. Group sources the software arrangements whereby the Under a reseller model, the Group’s responsibility is to arrange for a third party to provide a specified software licence(s) on behalf of the Group controls the service prior to transfer. licence(s) to the customer. In these cases, the Group is Managed Detection and relevant licence(s) before it is transferred to the customer. These services will also include Response services selected by the Group recognises four In particular, the Group does not have inventory risk, have set-up fees. Set-up fees performance obligations: access to its source code or hold the IP rights. represent workshops, design • Sourced software licence(s) When the Group is acting as an agent, the revenue is and configuration to create a • Set-up fees recorded at the net amount retained (commission) at a “connection” between systems. • Monitoring cyber point in time as the customer receives immediate benefit The Group also provides a service from the licence and the Group does not have from the licence and the Group does not have any further obligations in relation to the provision of the service. • Post-go-live fees certain level of professional The commission transaction value represents the consultancy days (including post-go-live fees) The reseller model is considered to be under an mark-up on the licence provided. based on day rates. agency arrangement whereby the customer receives the The majority of set-up fees relate to the MSP model. benefit and control of the licence on delivery. Set-up fees are recognised over time of the set-up. The set-up activities are completed by a separate deployment team that typically spans a period of one to four months. Invoices are raised based on an agreed invoicing profile with the customer. Invoices are usually payable within 30 days. The set-up activities do not customise the licence provided by the third party but only allow a link between the client’s infrastructure and the software to allow monitoring services to be provided by the Group once the set-up process is completed. On this basis, the client can benefit from each of the goods and services either on their own or Where the Group provides together with the other goods and services that are readily professional services, the timing of satisfaction of performance obligations (including payment terms) is the same as described within the TAS and C&I revenue recognition policy. available and the promise to transfer the goods or service is distinct.
Revenue recognition policies, including determination of transaction price and rationale
| Revenue stream | Nature # NCC Group plc — Annual report and accounts for the year ended 30 September 2025
Timing of satisfaction of performance obligations and significant payment
| Revenue stream | Nature | Terms # Material accounting policies
Where a project spans a reporting period(s) the total project size and nature are considered in totality. ISIs typically comprise costs/profits/losses on material acquisitions/disposals/business exits, fundamental reorganisation/restructuring programmes and other significant one-off events (including material impairments). ISIs are considered to require separate presentation in the Notes to the Financial Statements in order to fairly present the financial performance of the Group. See Note 4 for further information.
Transactions in foreign currencies are recorded using the appropriate monthly exchange rate ruling at the date of the transaction. Monetary assets and liabilities denominated in foreign currencies are retranslated using the exchange rate ruling at the Balance Sheet date and the gains or losses on translation are included in the Income Statement. The assets and liabilities of overseas subsidiaries denominated in foreign currencies are retranslated at the exchange rate ruling at the Balance Sheet date. The income statements of overseas subsidiary undertakings are translated at the average exchange rates for the financial year. Gains and losses arising on the retranslation of overseas subsidiary undertakings are taken to the currency translation reserve. They are released to the Income Statement upon disposal of the subsidiary to which they relate.
The Group holds derivative financial instruments to hedge its foreign currency risk exposures. Derivatives are initially measured at fair value. Subsequent to initial recognition, derivatives are measured at fair value, and changes therein are generally recognised in profit or loss. The Group designates certain derivatives as hedging instruments to hedge the variability in cash flows associated with highly probable forecast transactions arising from changes in foreign exchange rates. At inception of designated hedging relationships, the Group documents the risk management objective and strategy for undertaking the hedge. The Group also documents the economic relationship between the hedged item and the hedging instrument, including whether the changes in cash flows of the hedged item and hedging instrument are expected to offset each other.
When a derivative is designated as a cash flow hedging instrument, the effective portion of changes in the fair value of the derivative is recognised in OCI and accumulated in the hedging reserve. The effective portion of changes in the fair value of the derivative that is recognised in OCI is limited to the cumulative change in fair value of the hedged item, determined on a present value basis, from inception of the hedge. Any ineffective portion of changes in the fair value of the derivative is recognised immediately in profit or loss.
The Group designates only the change in fair value of the spot element of forward exchange contracts as the hedging instrument in cash flow hedging relationships. The change in fair value of the forward element of forward exchange contracts (forward points) is separately accounted for as a cost of hedging and recognised in a cost of hedging reserve within equity.
When the hedged forecast transaction subsequently results in the recognition of a non-financial item, the amount accumulated in the hedging reserve and the cost of hedging reserve is included directly in the initial cost of the non-financial item when it is recognised. For all other hedged forecast transactions, the amount accumulated in the hedging reserve and the cost of hedging reserve is reclassified to profit or loss in the same period or periods during which the hedged expected future cash flows affect profit or loss.
If the hedge no longer meets the criteria for hedge accounting or the hedging instrument is sold, expires, is terminated or is exercised, then hedge accounting is discontinued prospectively. When hedge accounting for cash flow hedges is discontinued, the amount that has been accumulated in the hedging reserve remains in equity until, for a hedge of a transaction resulting in the recognition of a non-financial item, it is included in the non-financial item’s cost on its initial recognition or, for other cash flow hedges, it is reclassified to profit or loss in the same period or periods as the hedged expected future cash flows affect profit or loss. If the hedged future cash flows are no longer expected to occur, then the amounts that have been accumulated in the hedging reserve and the cost of hedging reserve are immediately reclassified to profit or loss.
The Group operates a defined contribution pension scheme. The assets of the scheme are kept separate from those of the Group in an independently administered fund. The amount charged as an expense in the Income Statement represents the contributions payable to the scheme in respect of the accounting period.
Short-term colleague benefit obligations are measured on an undiscounted basis and are expensed as the related service is provided. A liability is recognised for the amount expected to be paid under short-term cash bonus or profit-sharing plans if the Group has a present legal or constructive obligation to pay this amount as a result of past service provided by the colleague and the obligation can be estimated reliably.
Share-based payments in which the Group receives goods or services as consideration for its own equity instruments are accounted for as equity settled share-based payment transactions, regardless of how the equity instruments are obtained by the Group. The grant date fair value of share-based payment awards granted to colleagues is recognised as a colleague expense, with a corresponding increase in equity, over the period that the colleagues become unconditionally entitled to the awards. The fair value of the options granted is measured using an option valuation model, taking into account the terms and conditions upon which the options were granted.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025120 Notes to the Financial Statements continued for the year ended 30 September 2025
The amount recognised as an expense is adjusted to reflect the actual number of awards for which the related service and non-market vesting conditions are expected to be met, such that the amount ultimately recognised as an expense is based on the number of awards that do meet the related service and non-market performance conditions at the vesting date. For share-based payment awards with non-vesting conditions and market conditions, the grant date fair value of the share-based payment is measured to reflect such conditions and there is no true-up for differences between expected and actual outcomes.
Share-based payment transactions in which the Group receives goods or services by incurring a liability to transfer cash or other assets that is based on the price of the Group’s equity instruments are accounted for as cash settled share-based payments. The fair value of the amount payable to colleagues is recognised as an expense, with a corresponding increase in liabilities, over the period in which the colleagues become unconditionally entitled to payment. The liability is remeasured at each Balance Sheet date and at settlement date. Any changes in the fair value of the liability are recognised as personnel expense within the Income Statement.
Where the Company grants options over its own shares to the colleagues of a subsidiary it recognises in its individual Financial Statements, an increase in the cost of investment in that subsidiary equivalent to the equity settled share-based payment charge is recognised in respect of that subsidiary in its consolidated Financial Statements with the corresponding credit being recognised directly in equity.
The Group recognises a liability in the Balance Sheet for any earned but not yet taken holiday entitlement for staff. Earned holiday is calculated on a straight-line basis over a holiday year, which can vary by business unit. Taken holiday is based on actually taken holiday. Any movement in the liability between the opening and closing balance in the period is recorded as a colleague cost or a reduction in colleague costs in the Income Statement in the period.
Borrowings are recognised initially at fair value less attributable transaction costs. Subsequent to initial recognition, borrowings are stated at amortised cost with any difference between cost and redemption value being recognised in the Income Statement over the period of the borrowings on an effective interest basis.
Finance costs are recognised within the Income Statement in the period in which they are incurred.
Provisions are determined by discounting the expected future cash flows at a pre-tax rate that reflects current market assessments of the time value of money and the risks specific to the liability. The unwinding of the discount is recognised as finance cost.
Taxation on the profit or loss for the year/period comprises current and deferred taxation. Taxation is recognised in the Income Statement except to the extent that it relates to items recognised directly in equity, in which case it is recognised in equity. Current tax is the expected tax payable or receivable on the taxable income or loss for the period, using tax rates enacted or substantively enacted at the Balance Sheet date, and any adjustment to tax payable in respect of previous years. Deferred tax is provided on temporary differences between the carrying amounts of assets and liabilities for financial reporting purposes and the amounts used for taxation purposes.# Notes to the Financial Statements
The following temporary differences are not provided for: the initial recognition of goodwill; the initial recognition of assets or liabilities that affect neither accounting nor taxable profit other than in a business combination; and differences relating to investments in subsidiaries to the extent that they will probably not reverse in the foreseeable future. The amount of deferred tax provided is based on the expected manner of realisation or settlement of the carrying amount of assets and liabilities, using tax rates enacted or substantively enacted at the Balance Sheet date. A deferred tax asset is recognised only to the extent that it is probable that future taxable profits will be available against which the temporary difference can be utilised. Deferred tax assets and liabilities are offset where there is a legally enforceable right to offset current tax assets and liabilities and where the deferred tax balances relate to the same taxation authority. Current tax assets and tax liabilities are offset where the entity has a legally enforceable right to offset and intends either to settle on a net basis, or to realise the asset and settle the liability simultaneously. UK research and development expenditure credits (RDECs) are recognised for the UK tax jurisdiction within administrative expenses and R&D US tax credits within income tax for the US tax jurisdiction.
From time to time, the Company enters into financial guarantee contracts to guarantee the indebtedness of its subsidiaries. The Company accounts for these contracts under IFRS 9. Financial guarantee contracts are initially measured at fair value and subsequently measured at the higher of fair value and the expected credit loss. Intercompany loans within the Company are repayable on demand and are classified as financial assets. Interest income is recognised using the effective interest method in accordance with IFRS 9.
Cash and cash equivalents comprise cash in hand and deposits repayable on demand. Bank overdrafts that are repayable on demand form part of the Group’s cash management and are included as a component of cash and cash equivalents for the purpose only of the Statement of Cash Flows. These facilities are considered to form an integral part of the treasury management of the Group and can fluctuate from positive to negative balances during the period.
The Group operates an Employee Share Ownership Trust (ESOT), which holds shares for the benefit of employees under the Group’s share-based payment schemes. Shares held by the ESOT are classified as treasury shares in the consolidated Financial Statements and are presented as a deduction from equity. Consideration received for the sale of such shares is also recognised in equity, with any difference between the proceeds from sale and the original cost being taken to reserves. No gain or loss is recognised in the Income Statement on the purchase, sale, issue or cancellation of equity shares. To the extent the Company makes funds available to the ESOT under the terms of a formal loan arrangement, this loan arrangement is recognised as an intergroup loan receivable within current assets. The recoverability of this loan receivable is reviewed at each reporting date, and where objective evidence of impairment exists, an impairment loss is recognised in accordance with IFRS 9 ‘Financial Instruments’.
The preparation of Financial Statements requires management to exercise judgement in applying the Group’s accounting policies. Different judgements would have the potential to change the reported outcome of an accounting transaction or Balance Sheet. It also requires the use of estimates that affect the reported amounts of assets, liabilities, income and expenses. Actual results may differ from these estimates. Estimates and underlying assumptions are reviewed on an ongoing basis, with changes recognised in the period in which the estimates are revised and in any future periods affected. The table below shows the area of critical accounting judgement and estimation that the Directors consider material and that could reasonably change significantly in the next year.
| Accounting area | Accounting judgement? | Accounting estimate? |
|---|---|---|
| Carrying value of goodwill | No | Yes |
No critical accounting judgements have been made in applying accounting policies that have the most significant effects on the amounts recognised in the consolidated Financial Statements.
Information about estimation uncertainties that have a significant risk of resulting in a material adjustment to the carrying values of assets and liabilities within the next financial year is addressed below. While every effort is made to ensure that such estimates and assumptions are reasonable, by their nature they are uncertain, and as such changes in estimates and assumptions may have a material impact. Estimates and assumptions used in the preparation of the Financial Statements are continually reviewed and revised as necessary as at each reporting date. The Directors have considered the impact of climate change on the following estimation uncertainties. Due to nature of the climate change impact on the Group, no material impact has been identified. The key sources of estimation uncertainty disclosed in the Group’s consolidated Financial Statements for the 16 month period ended 30 September 2024 remain applicable for the year ended 30 September 2025. These primarily relate to the carrying value of goodwill.
The Group has significant goodwill balances as at 30 September 2025, arising from acquisitions in previous years. The carrying value of goodwill at 30 September 2025 is £46.3m (30 September 2024: £156.5m). Goodwill is tested for impairment annually on 30 September. The Group allocates goodwill to cash generating units (CGUs), representing the lowest level of asset groupings that generate independent cash inflows. For the year ended 30 September 2025, tests for impairment are based on the calculation of a fair value less costs to sell (FVLCTS) which has been used to establish the recoverable amount of each CGU. The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA ¹, and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation include a key assumption regarding achievable forecast revenue. Reasonable changes in the key assumptions used to determine the sustainable earnings can materially impact the outcomes of the impairment reviews and the impairment charges recognised. An analysis of the Group’s goodwill, the methodology used to test for impairment and sensitivity analysis relating to the sustainable earnings are set out in Note 11.
Regarding the prior period, the two principal areas of estimation uncertainty (whereby reasonable changes in their assumptions could materially impact their respective outcomes) related to:
* The impairment of goodwill within the North America Cyber Security CGU
* The reallocation of goodwill within the Europe Cyber Security CGU
This estimate involved a calculation of sustainable earnings, within which the gross margin used was a key assumption, which had the potential to result in material adjustments to the carrying amounts of goodwill. No impact was noted in the current year, given the full goodwill balance was impaired in the prior period.
This estimate involved an allocation of goodwill between the Fox Crypto CGU and the remaining Europe Cyber Security CGU. This was based on a calculation of adjusted relative fair values, within which the revenue used was a key assumption. The goodwill allocated to the Fox Crypto CGU was reclassified as an asset held for sale at 30 September 2024 and was derecognised on 28 March 2025 following the completion of the disposal of Fox Crypto (see Note 31). No further impairments or changes to goodwill allocations have occurred in the year ended 30 September 2025. For further information on the Group’s impairment methodology and sensitivity analyses, refer to Note 11.
¹ Revenue at constant currency, Adjusted EBITDA, and net debt excluding lease liabilities are Alternative Performance Measures (APMs) rather than IFRS measures. For an explanation of APMs and adjusting items, including a reference to the reconciliation with statutory information, please see Appendix 1.
The Group is organised into the following two (2024: two) reportable segments: Cyber Security and Escode. The two reporting segments provide distinct types of service. Within each of the reporting segments the operating segments provide a homogeneous group of services. These operating segments are deemed to hold similar economic characteristics. The operating segments are grouped into the reporting segments on the basis of how they are reported to the Chief Operating Decision Maker (CODM) for the purposes of IFRS 8 ‘Operating Segments’, which is considered to be the Board of Directors of NCC Group plc. Operating segments are aggregated into the two reportable segments based on the types and delivery methods of services they provide, common management structures, and their relatively homogeneous commercial and strategic market environments.# 3 Segmental information
Performance is measured based on reporting segment profit, with interest and tax not allocated to business segments. There are no intra-segment sales. During the year, the Group’s Escode business has been classified as a discontinued operation as described in Note 16. As the CODM continues to assess the performance of this operation, its results are included in the segmental information presented below. The central and head office cost centre is not considered to be a separate operating segment nor part of any other operating segment as it does not generate any revenues. Included within central and head office are assets and liabilities not specifically allocated to the reporting segments and include investments, head office tangible and intangible assets, deferred tax assets and liabilities, right-of-use assets and associated lease liabilities, Parent Company cash balances, the RCF and certain provisions. Central and head office assets and liabilities are disclosed to allow a reconciliation back to the Group’s assets and liabilities.
| Continuing operations - Central and head office (£m) | Continuing operations - Cyber Security (£m) | Continuing operations - Sub-total (£m) | Discontinued operations - Escode (£m) | Group Total (£m) | |
|---|---|---|---|---|---|
| Revenue | — | 238.9 | 238.9 | 66.5 | 305.4 |
| Cost of sales | — | (150.5) | (150.5) | (19.0) | (169.5) |
| Gross profit | — | 88.4 | 88.4 | 47.5 | 135.9 |
| Gross margin % | — | 37.0% | 37.0% | 71.4% | 44.5% |
| Administrative expenses* | (11.2) | (68.4) | (79.6) | (9.6) | (89.2) |
| Share-based payments | (2.6) | (0.2) | (2.8) | (0.2) | (3.0) |
| Depreciation | (2.5) | (6.6) | (9.1) | (0.7) | (9.8) |
| Amortisation of software and development costs | (0.6) | (1.2) | (1.8) | (0.3) | (2.1) |
| Amortisation of acquired intangibles | (2.1) | (1.0) | (3.1) | (5.0) | (8.1) |
| Individually Significant Items (Note 4) | (5.6) | (3.9) | (9.5) | — | (9.5) |
| Total administrative expenses | (24.6) | (81.3) | (105.9) | (15.8) | (121.7) |
| Profit on disposal of Fox Crypto | 11.4 | — | 11.4 | — | 11.4 |
| Operating (loss)/profit | (13.2) | 7.1 | (6.1) | 31.7 | 25.6 |
| Finance costs | (5.0) | ||||
| Profit before taxation | 20.6 | ||||
| Taxation | (3.5) | ||||
| Profit for the year attributable to owners of the Company | 17.1 |
*In accordance with IFRS 5, £6.8m of head office overheads incurred by the discontinued Escode division during the year have been reallocated to central and head office within continuing operations. This is due to the fact that if an operation is disposed of, the relevant central overheads may not decrease in the short term.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 123
3 Segmental information continued
| Continuing operations - Central and head office (£m) | Continuing operations - Cyber Security (£m) | Continuing operations - Sub-total (£m) | Discontinued operations - Escode (£m) | Group Total (£m) | |
|---|---|---|---|---|---|
| Revenue | — | 342.1 | 342.1 | 87.4 | 429.5 |
| Cost of sales | — | (224.1) | (224.1) | (26.7) | (250.8) |
| Gross profit | — | 118.0 | 118.0 | 60.7 | 178.7 |
| Gross margin % | — | 34.5% | 34.5% | 69.5% | 41.6% |
| Administrative expenses* | (13.0) | (97.3) | (110.3) | (14.5) | (124.8) |
| Share-based payments | (2.0) | (0.1) | (2.1) | (0.2) | (2.3) |
| Depreciation | (3.5) | (9.4) | (12.9) | (0.6) | (13.5) |
| Amortisation of software and development costs | (1.8) | (1.5) | (3.3) | — | (3.3) |
| Amortisation of acquired intangibles | (4.0) | (1.4) | (5.4) | (7.1) | (12.5) |
| Individually Significant Items (Note 4) | — | (41.4) | (41.4) | (0.1) | (41.5) |
| Total administrative expenses | (24.3) | (151.1) | (175.4) | (22.5) | (197.9) |
| Operating (loss)/profit | (24.3) | (33.1) | (57.4) | 38.2 | (19.2) |
| Finance costs | (8.3) | ||||
| Loss before taxation | (27.5) | ||||
| Taxation | (5.0) | ||||
| Loss for the period attributable to owners of the Company | (32.5) |
*In accordance with IFRS 5, £9.6m of head office overheads incurred by the discontinued Escode division during the prior period have been reallocated to central and head office within continuing operations, restating the prior period Escode and central and head office administrative expenses. This is due to the fact that if an operation is disposed of, the relevant central overheads may not decrease in the short term. See Note 16 for further details.
| Continuing operations - Central and head office (£m) | Continuing operations - Cyber Security (£m) | Continuing operations - Sub-total (£m) | Discontinued operations - Escode (£m) | Group Total (£m) | |
|---|---|---|---|---|---|
| Additions to non-current assets | 3.5 | 7.8 | 11.3 | 0.3 | 11.6 |
| Reportable segment assets | 28.9 | 116.4 | 145.3 | 198.0 | 343.3 |
| Reportable segment liabilities | (32.0) | (65.0) | (97.0) | (39.8) | (136.8) |
| Continuing operations - Central and head office (£m) | Continuing operations - Cyber Security (£m) | Continuing operations - Sub-total (£m) | Discontinued operations - Escode (£m) | Group Total (£m) | |
|---|---|---|---|---|---|
| Additions to non-current assets | 4.0 | 12.6 | 16.6 | 1.6 | 18.2 |
| Reportable segment assets | 37.5 | 183.8 | 221.3 | 198.8 | 420.1 |
| Reportable segment liabilities | (113.0) | (77.2) | (190.2) | (24.7) | (214.9) |
The net book value of non-current assets is analysed geographically as follows:
| 30 September 2025 (£m) | 30 September 2024 (£m) | |
|---|---|---|
| Continuing operations | ||
| UK | 57.5 | 57.5 |
| APAC | 4.8 | 5.4 |
| North America | 1.6 | 2.0 |
| Europe | 11.3 | 8.6 |
| Total non-current assets | 75.2 | 73.5 |
| 30 September 2025 (£m) | 30 September 2024 (£m) | |
|---|---|---|
| Discontinued operations | ||
| UK | 24.5 | 28.4 |
| APAC | — | — |
| North America | 156.4 | 162.3 |
| Europe | 7.6 | 9.4 |
| Total non-current assets* | 188.5 | 200.1 |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025124
Notes to the Financial Statements continued for the year ended 30 September 2025
3 Segmental information continued
Revenue is disaggregated by primary geographical market, by category and by timing of revenue recognition as follows:
| Revenue by originating country | Continuing operations - Cyber Security 2025 (£m) | Continuing operations - Cyber Security 2024 (£m) | Discontinued operations - Escode 2025 (£m) | Discontinued operations - Escode 2024 (£m) | Total 2025 (£m) | Total 2024 (£m) |
|---|---|---|---|---|---|---|
| UK | 125.8 | 158.9 | 29.3 | 36.5 | 155.1 | 195.4 |
| APAC | 8.6 | 14.4 | 0.1 | — | 8.7 | 14.4 |
| North America | 56.7 | 90.7 | 32.9 | 45.5 | 89.6 | 136.2 |
| Europe | 47.8 | 78.1 | 4.2 | 5.4 | 52.0 | 83.5 |
| Total revenue | 238.9 | 342.1 | 66.5 | 87.4 | 305.4 | 429.5 |
| Revenue by category | Continuing operations - Cyber Security 2025 (£m) | Continuing operations - Cyber Security 2024 (£m) | Discontinued operations - Escode 2025 (£m) | Discontinued operations - Escode 2024 (£m) | Total 2025 (£m) | Total 2024 (£m) |
|---|---|---|---|---|---|---|
| Services | 236.0 | 337.5 | 66.5 | 87.4 | 302.5 | 424.9 |
| Products | 2.9 | 4.6 | — | — | 2.9 | 4.6 |
| Total revenue | 238.9 | 342.1 | 66.5 | 87.4 | 305.4 | 429.5 |
| Timing of revenue recognition | Continuing operations - Cyber Security 2025 (£m) | Continuing operations - Cyber Security 2024 (£m) | Discontinued operations - Escode 2025 (£m) | Discontinued operations - Escode 2024 (£m) | Total 2025 (£m) | Total 2024 (£m) |
|---|---|---|---|---|---|---|
| Services and products transferred over time | 219.6 | 322.1 | 42.9 | 57.9 | 262.5 | 380.0 |
| Services and products transferred at a point in time | 19.3 | 20.0 | 23.6 | 29.5 | 42.9 | 49.5 |
| Total revenue | 238.9 | 342.1 | 66.5 | 87.4 | 305.4 | 429.5 |
The total future revenue from the remaining term of the Group’s continuing operations contracts, for performance obligations not yet delivered as of 30 September 2025, is £232.8m (2024 restated*: £224.2m). The equivalent from discontinued operations is £24.7m (2024: £22.4m). The Group expects this revenue to be recognised over the respective contract terms between FY26 and FY30. The prior period amounts have been restated following the Escode division being classed as a discontinued operation in 2025.
As part of the Group’s ongoing transformation and the implementation of its new strategy, Cyber Security revenue continues to be analysed in greater detail by service type and capability. This change in analysis enables the Group to better focus on existing customers, as well as on simplifying operations and the core services provided. The analysis is as follows:
| Continuing operations | 2025 (£m) | 2024 (£m) |
|---|---|---|
| Technical Assurance Services (TAS) | 88.4 | 141.4 |
| Consulting and Implementation (C&I) | 48.5 | 55.2 |
| Managed Services (MS) | 76.4 | 91.8 |
| Digital Forensics and Incident Response (DFIR) | 13.1 | 20.6 |
| Other services | 12.5 | 33.1 |
| Total Cyber Security revenue | 238.9 | 342.1 |
In compliance with IFRS 8, the Group had one external customer contributing £33.7m of revenue for the year ended 30 September 2025, Financial statements representing more than 10% of the Group’s total revenue. This revenue is attributable to the Cyber Security reportable segment. There were no individual external customers contributing more than 10% of revenue in the prior period.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 125
3 Segmental information continued
Revenues from the Escode business, classified as a discontinued operation for the year ended 30 September 2025, have been analysed by service line:
| Discontinued operations | 2025 (£m) | 2024 (£m) |
|---|---|---|
| Escrow contracts | 43.0 | 57.2 |
| Verification services | 23.5 | 30.2 |
| Total Escode revenue | 66.5 | 87.4 |
The Group separately identifies items as Individually Significant Items. Each of these is considered by the Directors to be sufficiently unusual in terms of nature or scale so as not to form part of the underlying performance of the business. They are therefore separately identified and excluded from adjusted results (as explained in Appendix 1).
| Reference | Description | 2025 (£m) | 2024 (£m) |
|---|---|---|---|
| a | Fundamental reorganisation costs | 3.9 | 9.4 |
| b | Costs associated with strategic review of Escode business | 3.8 | 0.1 |
| c | Costs associated with strategic review of Cyber business | 1.8 | — |
| d | Profit on disposal of DetACT/DDI | — | (1.5) |
| e | North America Cyber Security goodwill impairment | — | 31.9 |
| f | Transaction costs of Fox Crypto | — | 1.6 |
| Total ISIs (excluding profit on disposal of Fox Crypto) | 9.5 | 41.5 | |
| f | Profit on disposal of Fox Crypto | (11.4) | — |
| Total ISIs | (1.9) | 41.5 |
(a) Fundamental reorganisation costs
In order to implement the next chapter of the Group’s strategy to enhance future growth, certain strategic actions are required including reshaping the Group’s global delivery and operational model. This reshaping is considered a fundamental reorganisation and restructuring programme that will span reporting periods, and the total project size and nature are considered in totality.The programme commencement was accelerated following the Group experiencing specific market conditions that validated the rationale of the next chapter of the Group’s strategy. The programme included three planned phases (with phase 3 remaining in progress as at 30 September 2025) as follows: • Phase 1 (March–April 2023) – initial reduction in global delivery and operational headcount, and c.7% reduction of the Group’s global headcount. • Phase 2 (June–September 2023) – a further reduction in the global delivery, operational and corporate functions’ headcount prior to opening our offshore operations and delivery centre in Manila. • Phase 3 (October 2023–December 2025) – the Group’s intention remains for phase 3 of the reorganisation to complete by December 2025; however, this will continue to be monitored as the transformation strategy progresses as we ensure the operating model is market aligned, and delivery is focused to support the underlying Cyber Security business strategy. Costs of £3.9m (2024: £9.4m) and a cash outflow of £3.8m (2024: £6.0m) have been incurred in relation to the implementation of this reorganisation. These costs primarily consist of severance payments, associated taxes, and professional fees for advisory and legal services. The reorganisation costs include £0.3m (2024: £3.4m) related to property rationalisation. This comprises £0.1m (2024: £3.5m) in property closure impairment charges and £nil (2024: £0.4m) in fixed asset impairment charges, both relating to non-current assets. Additionally, £nil (2024: £0.7m) relates to non-rental provision costs. Offsetting these costs are £0.2m (2024: £0.8m) in non-current asset impairment reversals and £nil (2024: £0.4m) in provision reversals. These costs and reversals reflect the impact of a reduction in the Group’s global headcount, leading to decreased office utilisation and a re-evaluation of the global property portfolio. It is expected that costs will continue to be incurred into FY26. The Group will need to exercise judgement in assessing whether restructuring items should be classified as ISIs. This assessment will consider the nature of the item, its cause, the scale of its impact on reported performance, the resulting benefits, and alignment with the original reorganisation programme’s principles and plans. (b) Costs associated with strategic review of Escode business In February 2023, the Group announced the commencement of a strategic review of its Escode business and other core and non-core assets. The review of the Escode business was subsequently stopped in June 2023, which was reinforced within the Group’s 2024 Annual Report and Accounts. However, during the year ended 30 September 2025, the Group confirmed that it was exploring a number of options for its Escode business, including a potential sale. This was subsequently reinforced by the Group’s trading update issued on 21 October 2025. Professional fees of £3.8m (2024: £0.1m) have been incurred during the year, primarily relating to advisory support services. These costs meet the Group’s policy for inclusion as ISIs, having been incurred as part of the wider restructuring and reorganisation activities ongoing within the Group. Costs of £3.8m (2024: £0.1m) and a cash outflow of £1.8m (2024: £0.1m) have been incurred. (c) Costs associated with strategic review of Cyber business On 28 April 2025, the Group confirmed that it was investigating a number of options for its Escode business including a potential sale. On 16 July 2025 the Company confirmed that it was in the early stages of commencing a review of all strategic options for its Cyber business in the event the sale of the Escode business is agreed (the "Cyber Review"). This was subsequently reinforced by the Group’s trading update issued on 21 October 2025. This process remains at a very early stage, and as at 30 September 2025, no decisions had been made regarding which option will be pursued. NCC Group plc — Annual report and accounts for the year ended 30 September 2025126 Notes to the Financial Statements continued for the year ended 30 September 2025 4 Individually Significant Items (ISIs) continued (c) Costs associated with strategic review of Cyber business continued During the year the Group has incurred professional fees of £1.8m (2024: £nil) in relation to the Cyber review, primarily relating to advisory support services. Costs of £1.8m (2024: £nil) and a cash outflow of £0.9m (2024: £nil) have been incurred. (d) Profit on disposal of DetACT/DDI In the prior period, on 30 April 2024, the Group disposed of its DetACT business for cash consideration of £8.2m. A profit of £1.6m was recognised in relation to this disposal. There has been no impact in the current year. On 31 December 2022, the Group disposed of its DDI business for a total consideration of £5.8m, consisting of a cash payment of £2.0m and contingent consideration of £3.8m. This disposal resulted in a profit of £nil (2024: £nil) directly attributable to the DDI business sale. Further details are available in the 2024 Annual Report. The Group classified these proceeds under ISIs due to the material profit on disposal. During the period ended 30 September 2024 the £3.8m contingent consideration identified in 2023 was received, and a £0.1m reclassification related to the final tranche payment was recorded. No additional contingent consideration payments were received in the year ended 30 September 2025. (e) North America Cyber Security goodwill impairment Following the impairment review of goodwill as at 31 May 2024, an impairment of £31.9m was recognised in North America Cyber Security for the period ended 30 September 2024. No further impairment has been recognised in the year ended 30 September 2025. For further details, please refer to Note 11. (f) Profit on disposal/transaction costs of Fox Crypto B.V. On 28 March 2025, the Group completed the disposal of Fox Crypto B.V. to CR Group Nordic AB for a gross cash consideration of £65.6m. A gain on disposal of £11.3m has been recognised within ISIs in the year ended 30 September 2025, calculated as cash consideration of £65.6m, less net assets disposed of £52.3m and transaction costs of £2.0m incurred in the year. An additional £1.5m of related transaction costs were recognised in ISIs in the 16 month period ended 30 September 2024. After accounting for these, the total gain on disposal amounts to £9.8m. Refer to Note 31 for further details, including a reconciliation of the gain on disposal. A further £0.1m of other transaction costs was included in the prior period that did not relate to Fox Crypto. As this represents a material gain on disposal, this has been classified as a separate line item within the Income Statement. Since completion of the deal, £0.1m (2024: £nil) of income has been earned under a six month transactional services agreement (TSA), bringing the overall impact relating to Fox Crypto to £11.4m. 5 Expenses and auditor’s remuneration Group 2025 Auditor’s remuneration £m Profit/(loss) before taxation is stated after charging: Amounts receivable by auditor and its associates in respect of: Audit of the Parent and consolidated annual Financial Statements 1.5 Audit of Financial Statements of subsidiaries pursuant to legislation 0.1 Other assurance services (see Audit Committee Report on page 71 for further information) 0.1 Total audit 1 1.7 Continuing Discontinued operations operations Group 2025 2025 2025 £m £m £m Profit/(loss) before taxation is stated after charging/(crediting): Amortisation of software costs (Note 11) 1.4 — 1.4 Amortisation of acquired intangibles (Note 11) 3.1 5.0 8.1 Amortisation of development costs (Note 11) 0.4 0.3 0.7 Depreciation of property, plant and equipment (Note 12) 4.1 0.2 4.3 Depreciation of right-of-use assets (Note 13) 5.0 0.5 5.5 Loss on disposal of non-current assets (Note 12) 1.2 — 1.2 Other impairment charge of non-current assets (Note 13) 0.3 — 0.3 Impairment reversal of non-current assets (Note 13) (0.2) — (0.2) Profit on disposal of Fox Crypto B.V. (Note 4) (11.4) — (11.4) Individually Significant Items (ISIs) (Note 4) 9.5 — 9.5 Net impairment gains on financial and contract assets (Note 21) (0.3) — (0.3) Foreign exchange losses 2.7 — 2.7 Research and development UK tax credits 0.4 — 0.4 Gain on disposal following derecognition of lease liabilities (1.9) — (1.9) Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 127 5 Expenses and auditor’s remuneration continued Auditor’s remuneration Group 2024 £m Profit/(loss) before taxation is stated after charging: Amounts receivable by auditor and its associates in respect of: Audit of the Parent and consolidated annual Financial Statements 1.6 Audit of Financial Statements of subsidiaries pursuant to legislation 0.1 Other assurance services (see Audit Committee Report on page 71 for further information) 0.1 Total audit 1 1.8 Continuing operations 2024 £m Discontinued operations 2024 £m Group 2024 £m Profit/(loss) before taxation is stated after charging/(crediting): Amortisation of development costs (Note 11) 1.3 — 1.3 Amortisation of software costs (Note 11) 2.0 — 2.0 Amortisation of acquired intangibles (Note 11) 5.4 7.1 12.5 Depreciation of property, plant and equipment (Note 12) 5.1 0.3 5.4 Depreciation of right-of-use assets (Note 13) 7.8 0.3 8 .1 Other impairment charge of non-current assets 0.5 0.4 0.9 Individually Significant Items (ISIs) (Note 4) 41.4 0.1 41.5 Net impairment losses on financial and contract assets (Notes 14 and 21) 0.4 — 0.4 Cost of inventories recognised as an expense 0.8 — 0.8 Foreign exchange losses 1.9 — 1.9 Research and development UK tax credits (0.3) (0.2) (0.5) Profit on disposal of right-of-use assets (0.1) — (0.1) 1 The only non-audit services provided by the auditor were the interim review for the half year ended 31 March 2025, for which the fee was £80,000 (31 May 2024 interim review: £80,000), and access to a generic
The programme commencement was accelerated following the Group experiencing specific market conditions that validated the rationale of the next chapter of the Group’s strategy. The programme included three planned phases (with phase 3 remaining in progress as at 30 September 2025) as follows:
* Phase 1 (March–April 2023) – initial reduction in global delivery and operational headcount, and c.7% reduction of the Group’s global headcount.
* Phase 2 (June–September 2023) – a further reduction in the global delivery, operational and corporate functions’ headcount prior to opening our offshore operations and delivery centre in Manila.
* Phase 3 (October 2023–December 2025) – the Group’s intention remains for phase 3 of the reorganisation to complete by December 2025; however, this will continue to be monitored as the transformation strategy progresses as we ensure the operating model is market aligned, and delivery is focused to support the underlying Cyber Security business strategy.
Costs of £3.9m (2024: £9.4m) and a cash outflow of £3.8m (2024: £6.0m) have been incurred in relation to the implementation of this reorganisation. These costs primarily consist of severance payments, associated taxes, and professional fees for advisory and legal services.
The reorganisation costs include £0.3m (2024: £3.4m) related to property rationalisation. This comprises £0.1m (2024: £3.5m) in property closure impairment charges and £nil (2024: £0.4m) in fixed asset impairment charges, both relating to non-current assets. Additionally, £nil (2024: £0.7m) relates to non-rental provision costs. Offsetting these costs are £0.2m (2024: £0.8m) in non-current asset impairment reversals and £nil (2024: £0.4m) in provision reversals. These costs and reversals reflect the impact of a reduction in the Group’s global headcount, leading to decreased office utilisation and a re-evaluation of the global property portfolio. It is expected that costs will continue to be incurred into FY26.
The Group will need to exercise judgement in assessing whether restructuring items should be classified as ISIs. This assessment will consider the nature of the item, its cause, the scale of its impact on reported performance, the resulting benefits, and alignment with the original reorganisation programme’s principles and plans.
In February 2023, the Group announced the commencement of a strategic review of its Escode business and other core and non-core assets. The review of the Escode business was subsequently stopped in June 2023, which was reinforced within the Group’s 2024 Annual Report and Accounts. However, during the year ended 30 September 2025, the Group confirmed that it was exploring a number of options for its Escode business, including a potential sale. This was subsequently reinforced by the Group’s trading update issued on 21 October 2025.
Professional fees of £3.8m (2024: £0.1m) have been incurred during the year, primarily relating to advisory support services. These costs meet the Group’s policy for inclusion as ISIs, having been incurred as part of the wider restructuring and reorganisation activities ongoing within the Group. Costs of £3.8m (2024: £0.1m) and a cash outflow of £1.8m (2024: £0.1m) have been incurred.
On 28 April 2025, the Group confirmed that it was investigating a number of options for its Escode business including a potential sale. On 16 July 2025 the Company confirmed that it was in the early stages of commencing a review of all strategic options for its Cyber business in the event the sale of the Escode business is agreed (the "Cyber Review"). This was subsequently reinforced by the Group’s trading update issued on 21 October 2025. This process remains at a very early stage, and as at 30 September 2025, no decisions had been made regarding which option will be pursued.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025126
Notes to the Financial Statements continued for the year ended 30 September 2025
During the year the Group has incurred professional fees of £1.8m (2024: £nil) in relation to the Cyber review, primarily relating to advisory support services. Costs of £1.8m (2024: £nil) and a cash outflow of £0.9m (2024: £nil) have been incurred.
In the prior period, on 30 April 2024, the Group disposed of its DetACT business for cash consideration of £8.2m. A profit of £1.6m was recognised in relation to this disposal. There has been no impact in the current year. On 31 December 2022, the Group disposed of its DDI business for a total consideration of £5.8m, consisting of a cash payment of £2.0m and contingent consideration of £3.8m. This disposal resulted in a profit of £nil (2024: £nil) directly attributable to the DDI business sale. Further details are available in the 2024 Annual Report. The Group classified these proceeds under ISIs due to the material profit on disposal. During the period ended 30 September 2024 the £3.8m contingent consideration identified in 2023 was received, and a £0.1m reclassification related to the final tranche payment was recorded. No additional contingent consideration payments were received in the year ended 30 September 2025.
Following the impairment review of goodwill as at 31 May 2024, an impairment of £31.9m was recognised in North America Cyber Security for the period ended 30 September 2024. No further impairment has been recognised in the year ended 30 September 2025. For further details, please refer to Note 11.
On 28 March 2025, the Group completed the disposal of Fox Crypto B.V. to CR Group Nordic AB for a gross cash consideration of £65.6m. A gain on disposal of £11.3m has been recognised within ISIs in the year ended 30 September 2025, calculated as cash consideration of £65.6m, less net assets disposed of £52.3m and transaction costs of £2.0m incurred in the year. An additional £1.5m of related transaction costs were recognised in ISIs in the 16 month period ended 30 September 2024. After accounting for these, the total gain on disposal amounts to £9.8m. Refer to Note 31 for further details, including a reconciliation of the gain on disposal. A further £0.1m of other transaction costs was included in the prior period that did not relate to Fox Crypto. As this represents a material gain on disposal, this has been classified as a separate line item within the Income Statement. Since completion of the deal, £0.1m (2024: £nil) of income has been earned under a six month transactional services agreement (TSA), bringing the overall impact relating to Fox Crypto to £11.4m.
| Auditor’s remuneration £m | |
|---|---|
| Profit/(loss) before taxation is stated after charging: | |
| Amounts receivable by auditor and its associates in respect of: | |
| Audit of the Parent and consolidated annual Financial Statements | 1.5 |
| Audit of Financial Statements of subsidiaries pursuant to legislation | 0.1 |
| Other assurance services (see Audit Committee Report on page 71 for further information) | 0.1 |
| Total audit | 1.7 |
| Continuing operations 2025 £m | Discontinued operations 2025 £m | Group 2025 £m | |
|---|---|---|---|
| Profit/(loss) before taxation is stated after charging/(crediting): | |||
| Amortisation of software costs (Note 11) | 1.4 | — | 1.4 |
| Amortisation of acquired intangibles (Note 11) | 3.1 | 5.0 | 8.1 |
| Amortisation of development costs (Note 11) | 0.4 | 0.3 | 0.7 |
| Depreciation of property, plant and equipment (Note 12) | 4.1 | 0.2 | 4.3 |
| Depreciation of right-of-use assets (Note 13) | 5.0 | 0.5 | 5.5 |
| Loss on disposal of non-current assets (Note 12) | 1.2 | — | 1.2 |
| Other impairment charge of non-current assets (Note 13) | 0.3 | — | 0.3 |
| Impairment reversal of non-current assets (Note 13) | (0.2) | — | (0.2) |
| Profit on disposal of Fox Crypto B.V. (Note 4) | (11.4) | — | (11.4) |
| Individually Significant Items (ISIs) (Note 4) | 9.5 | — | 9.5 |
| Net impairment gains on financial and contract assets (Note 21) | (0.3) | — | (0.3) |
| Foreign exchange losses | 2.7 | — | 2.7 |
| Research and development UK tax credits | 0.4 | — | 0.4 |
| Gain on disposal following derecognition of lease liabilities | (1.9) | — | (1.9) |
Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 127
| Group 2024 £m | |
|---|---|
| Profit/(loss) before taxation is stated after charging: | |
| Amounts receivable by auditor and its associates in respect of: | |
| Audit of the Parent and consolidated annual Financial Statements | 1.6 |
| Audit of Financial Statements of subsidiaries pursuant to legislation | 0.1 |
| Other assurance services (see Audit Committee Report on page 71 for further information) | 0.1 |
| Total audit | 1.8 |
| Continuing operations 2024 £m | Discontinued operations 2024 £m | Group 2024 £m | |
|---|---|---|---|
| Profit/(loss) before taxation is stated after charging/(crediting): | |||
| Amortisation of development costs (Note 11) | 1.3 | — | 1.3 |
| Amortisation of software costs (Note 11) | 2.0 | — | 2.0 |
| Amortisation of acquired intangibles (Note 11) | 5.4 | 7.1 | 12.5 |
| Depreciation of property, plant and equipment (Note 12) | 5.1 | 0.3 | 5.4 |
| Depreciation of right-of-use assets (Note 13) | 7.8 | 0.3 | 8.1 |
| Other impairment charge of non-current assets | 0.5 | 0.4 | 0.9 |
| Individually Significant Items (ISIs) (Note 4) | 41.4 | 0.1 | 41.5 |
| Net impairment losses on financial and contract assets (Notes 14 and 21) | 0.4 | — | 0.4 |
| Cost of inventories recognised as an expense | 0.8 | — | 0.8 |
| Foreign exchange losses | 1.9 | — | 1.9 |
| Research and development UK tax credits | (0.3) | (0.2) | (0.5) |
| Profit on disposal of right-of-use assets | (0.1) | — | (0.1) |
1 The only non-audit services provided by the auditor were the interim review for the half year ended 31 March 2025, for which the fee was £80,000 (31 May 2024 interim review: £80,000), and access to a genericonline accounting manual, for which the fee was £2,000 (2024: £2,000).
Directors’ emoluments are disclosed in the Remuneration Committee Report. Total aggregate emoluments of the Directors in respect of the year ended 30 September 2025 were £2.5m (2024: £3.4m). Employer contributions to pensions for Executive Directors for qualifying periods were £40,000 (2024: £50,000). The Company provided pension payments in lieu of pension contributions for two (2024: three) Executive Directors during the year ended 30 September 2025. The aggregate net value of share awards granted to the Directors in the year was £nil (2024: £3.7m). The net value has been calculated by reference to the closing mid-market price of the Company’s shares on the day before the date of grant. During the year, no (2024: 5,000) share options were exercised by Directors and their gain on exercise of share options was £nil (2024: £5,000).
The average monthly number of persons employed by the Group during the year, including Executive Directors and discontinued operations, is analysed by category as follows:
| Number of colleagues | 2025 | 2024 |
|---|---|---|
| Operational | 1,642 | 1,733 |
| Administration | 498 | 468 |
| Total | 2,140 | 2,201 |
The aggregate payroll costs (inclusive of Executive Directors and discontinued operations) of these persons were as follows:
| 2025 | 2024 | |
|---|---|---|
| £m | £m | |
| Wages and salaries | 177.2 | 247.4 |
| Share-based payments (Note 24) | 2.1 | 2.3 |
| Social security costs | 16.6 | 25.9 |
| Other pension costs (Note 28) | 7.4 | 8.0 |
| Total payroll costs | 203.3 | 283.6 |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
128
Notes to the Financial Statements continued for the year ended 30 September 2025
| 2025 * | 2024 * | |
|---|---|---|
| £m | £m | |
| Interest payable on bank loans and overdrafts | 6.6 | 3.8 |
| Interest expense on lease liabilities * | 1.6 | 1.1 |
| Total Finance costs | 8.2 | 4.9 |
The above finance costs relate entirely to liabilities not at fair value through profit or loss.
| 2025 Restated * | 2024 Restated * | |
|---|---|---|
| £m | £m | |
| Current tax expense | ||
| Current year/period | 1.6 | 1.7 |
| Overseas current tax for the year/period | 6.0 | 2.5 |
| Impact of prior period US R&D tax credits | (1.8) | (1.0) |
| Adjustments in respect of prior periods | (2.6) | 1.0 |
| Total current tax | 3.2 | 4.2 |
| Deferred tax expense | ||
| Origination and reversal of temporary differences | (1.2) | (0.9) |
| Impact of prior period US R&D tax credits | (0.2) | 0.3 |
| Adjustment to tax expense in respect of prior periods | 3.2 | (0.1) |
| Total deferred tax | 1.8 | (0.7) |
| Total tax expense | 5.0 | 3.5 |
Tax (credit)/expense is attributable to:
| 2025 | 2024 | |
|---|---|---|
| £m | £m | |
| Loss from continuing operations | 1.6 | (1.9) |
| Profit from discontinued operations | 3.4 | 5.4 |
| 5.0 | 3.5 |
| 2024 Restated * | 2025 Restated * | |
|---|---|---|
| £m | £m | |
| Loss before taxation from continuing operations | (11.0) | (65.6) |
| Profit before taxation from discontinued operations | 31.6 | 38.1 |
| 20.6 | (27.5) | |
| Current tax using the UK effective corporation tax rate of 25% (2024: 25%) | 5.2 | (6.9) |
| Effects of: | ||
| Items not deductible for tax purposes | 1.7 | 5.0 |
| Adjustment to tax charge in respect of prior periods | 0.9 | 0.6 |
| Impact of prior period US R&D tax credits | (0.7) | (2.0) |
| Impact of current year/period US R&D tax credits | (0.1) | 0.3 |
| Differences between overseas tax rates | 0.2 | (0.6) |
| Movements in temporary differences not recognised | (0.9) | 8.6 |
| Profit on disposal of Fox Crypto | (2.8) | — |
| Total tax expense | 3.5 | 5.0 |
During the prior period, a deferred tax asset of £7.1m was generated in North America, which was derecognised. This reflected an assessment of the recoverability of the Group’s North American deferred tax assets, based on latest available forecasts and expectations of future taxable profits in the region. The decision not to recognise these assets was made in accordance with IAS 12 ‘Income Taxes’, which required that deferred tax assets be recognised only to the extent it is probable that sufficient taxable profits will be available to utilise the deductible temporary differences. As of 30 September 2024, the criteria for recognition were not met. This recognition criterion continued not to be met as at 30 September 2025, with no changes identified from the prior-period assessment during the year. The unrecognised deferred tax asset as at 30 September 2025 is £6.1m.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
129
8 Taxation continued
As this prior period derecognition related to the historical performance of our North America Cyber Security business, where the recovery in demand was less consistent than expected, it was directly tied to the prior period goodwill impairment of £31.9m at 31 May 2024 (taken to ISIs; see Note 4). The Group included this adjustment as an adjusted item within the taxation line in the Income Statement. For reconciliation to statutory measures, please see page 53. No current year impact has been noted.
The UK government introduced legislation in the Finance Bill 2021 to increase the main rate of UK corporation tax from 19% to 25% with effect from 1 April 2023. The legislation was substantively enacted on 24 May 2021 and therefore UK deferred tax balances as at the Balance Sheet date are generally measured at a rate of 25%.
The tax expense reported for the current year and prior period is affected by certain positions taken by management where there may be uncertainty. The most significant source of uncertainty arises from claims for US R&D tax credits relating to the current and previous periods. Uncertainty relates to the interpretation of US legislation applicable to periods where the statute of limitations has not expired. As at 30 September 2025, the gross cumulative amount of US R&D tax credits amounts to £9.0m (2024: £9.5m), of which a cumulative tax benefit has been recognised of £7.6m (2024: £6.7m). The unrecognised benefit is £1.4m (2024: £2.8m).
Dividends are the way the Company makes distributions from the Company’s distributable reserves to shareholders. The Board determines the dividend level at each half-year reporting period (i.e. 31 March and 30 September). If an interim or final dividend is declared, the Company pays the dividend approximately eight weeks after the results announcement. A dividend is paid for each share, with the amount received depending on the number of shares owned.
| 2025 | 2024 | |
|---|---|---|
| £m | £m | |
| Dividends paid and recognised in the year/period | 9.2 | 14.5 |
| Dividends recognised but not paid in the year/period | — | 9.8 |
| Dividends per share paid and recognised in the year/period | 3.0p | 4.65p |
| Dividends per share recognised but not paid in the year/period | — | 3.15p |
| Dividends per share proposed but not recognised in the year/period | 3.15p | 1.50p |
An interim dividend of £9.8m for the period ended 30 September 2024 of 3.15p per ordinary share was paid on 1 October 2024. It was recognised in the prior period but not paid until the current financial year and was therefore included within non-trade payables as at 30 September 2024 (see Note 17). The final dividend of £4.6m for the period ended 30 September 2024 of 1.50p per ordinary share was recommended by the Board on 5 December 2024 and was subsequently paid on 4 April 2025. The interim dividend of £4.6m for the year ended 30 September 2025 of 1.50p per ordinary share was recommended by the Board on 19 June 2025 and was subsequently paid on 1 August 2025. The proposed final dividend for the year ended 30 September 2025 of 3.15p per ordinary share was recommended by the Board on 8 December 2025 and will be paid on 10 April 2026 to shareholders on the register at the close of business on 13 March 2026. The ex-dividend date is 12 March 2026. The dividend will be recommended to shareholders at the AGM on 3 March 2026. The dividend has not been included as a liability as at 30 September 2025.
| 2025 | 2024 | |
|---|---|---|
| £m | £m | |
| Loss for the year/period from continuing operations | (9.1) | (67.2) |
| Profit for the year/period from discontinued operations | 26.2 | 34.7 |
| Profit/(loss) for the year/period attributable to owners of the Company | 17.1 | (32.5) |
| Number of shares m | Number of shares m | |
|---|---|---|
| 2025 | 2024 | |
| Weighted average number of shares in issue | 314.8 | 313.3 |
| Less: weighted average holdings by Group ESOT | (7.7) | (1.6) |
| Basic weighted average number of shares in issue | 307.1 | 311.7 |
| Dilutive effect of share options | 5.2 | 1.5 |
| Diluted weighted average shares in issue | 312.3 | 313.2 |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025
130
Notes to the Financial Statements continued for the year ended 30 September 2025
10 (Loss)/earnings per ordinary share continued
For the purposes of calculating the dilutive effect of share options, the average market value is based on quoted market prices for the period during which the options are outstanding. Where losses have been reported in the current year or prior period, the diluted EPS does not include the dilutive effect of share options.# 11 Goodwill and intangible assets
| Cost | £m | £m | £m | £m | £m | £m |
|---|---|---|---|---|---|---|
| At 1 June 2023 | 324.6 | 21.2 | 13.8 | 179.2 | 214.2 | 538.8 |
| Additions | — | 1.4 | 1.0 | 0.2 | 2.6 | 2.6 |
| Disposals (see Note 31) | (5.9) | (0.6) | (9.9) | — | (10.5) | (16.4) |
| Assets classified as held for sale (Note 16) | (52.1) | — | (2.5) | — | (2.5) | (54.6) |
| Effects of movements in exchange rates | (9.4) | (0.2) | (0.1) | (9.4) | (9.7) | (19.1) |
| At 30 September 2024 | 257.2 | 21.8 | 2.3 | 170.0 | 194.1 | 451.3 |
| Additions | — | 0.4 | — | — | 0.4 | 0.4 |
| Reclassification | — | (0.8) | 0.2 | 0.6 | — | — |
| Assets classified as held for sale (Note 16) | (110.2) | (3.8) | — | (95.1) | (98.9) | (209.1) |
| Effects of movements in exchange rates | — | — | 0.6 | 1.0 | 1.6 | 1.6 |
| At 30 September 2025 | 147.0 | 17.6 | 3.1 | 76.5 | 97.2 | 244.2 |
| Accumulated amortisation and impairment | £m | £m | £m | £m | £m | £m |
|---|---|---|---|---|---|---|
| At 1 June 2023 | (68.8) | (14.5) | (11.1) | (77.7) | (103.3) | (172.1) |
| Charge for period | — | (2.0) | (1.3) | (12.5) | (15.8) | (15.8) |
| Impairment | (31.9) | — | — | — | — | (31.9) |
| Disposals | — | — | 8.8 | — | 8.8 | 8.8 |
| Assets classified as held for sale (Note 16) | — | — | 2.4 | — | 2.4 | 2.4 |
| Effects of movements in exchange rates | — | — | 0.1 | 2.9 | 3.0 | 3.0 |
| At 30 September 2024 | (100.7) | (16.5) | (1.1) | (87.3) | (104.9) | (205.6) |
| Charge for year | — | (1.4) | (0.7) | (8.1) | (10.2) | (10.2) |
| Assets classified as held for sale (Note 16) | — | 1.8 | — | 21.0 | 22.8 | 22.8 |
| Effects of movements in exchange rates | — | — | (0.4) | (0.9) | (1.3) | (1.3) |
| At 30 September 2025 | (100.7) | (16.1) | (2.2) | (75.3) | (93.6) | (194.3) |
| Net book value | ||||||
|---|---|---|---|---|---|---|
| At 30 September 2024 | 156.5 | 5.3 | 1.2 | 82.7 | 89.2 | 245.7 |
| At 30 September 2025 | 46.3 | 1.5 | 0.9 | 1.2 | 3.6 | 49.9 |
Cash generating units (CGUs)
Goodwill and intangible assets are allocated to CGUs in order to be assessed for potential impairment. CGUs are defined by accounting standards as the lowest level of asset groupings that generate separately identifiable cash inflows that are not dependent on other CGUs. The CGUs presented are consistent with the year ended 30 September 2024, with the exception of the Fox Crypto CGU, which was disposed of during the year (with associated goodwill of £52.1m classified as held for sale as at 30 September 2024). The CGUs and the allocation of goodwill to those CGUs are shown below:
| Goodwill | Goodwill | Goodwill |
|---|---|---|
| Cash generating units – continuing operations | 2025 £m | 2024 £m |
| UK and APAC Cyber Security | 44.3 | 44.3 |
| North America Cyber Security | — | — |
| Europe Cyber Security | 2.0 | 2.2 |
| Total Cyber Security | 46.3 | 46.5 |
The Escode division, which was classified as a discontinued operation during the year, includes the following CGUs and associated allocated goodwill:
| Goodwill | Goodwill | Goodwill |
|---|---|---|
| Cash generating units – discontinued operations | 2025 £m | 2024 £m |
| UK Escode | 22.8 | 22.8 |
| North America Escode | 80.0 | 80.1 |
| Europe Escode | 7.4 | 7.1 |
| Total Escode | 110.2 | 110.0 |
Impairment review
Goodwill is tested for impairment annually at the level of the CGU to which it is allocated. An impairment review was carried out at 30 September 2025. The recoverable amount of all CGUs was measured on a fair value less costs to sell basis. Capitalised development and software costs are included in the CGU asset bases when performing the impairment review. Capitalised development projects and software intangible assets are also considered, on an asset-by-asset basis, for impairment where there are indicators of impairment.
Fair value less costs to sell
The methodology described below has been applied consistently for the impairment reviews carried out as at 30 September 2024 and 30 September 2025. The recoverable amount of all CGUs has been determined on a fair value less costs to sell basis for the purposes of the impairment review. The valuation under FVLCTS is expected to exceed the valuation under VIU because uncommitted restructurings and resulting operating efficiencies are not considered within a VIU valuation in line with the requirements of IAS 36. The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA¹, and applying a reasonable market multiple on the calculated sustainable earnings. Estimated sustainable earnings have been determined taking into account a Board-approved forecast which considers past performance. The sustainable earnings used include expectations based on a market participant view of sustainable performance of the business based on market volatility and uncertainty as at the Balance Sheet date. The sustainable earnings input is a level 3 measurement; level 3 measurements are inputs which are normally unobservable to market participants. The Group incurs certain overhead costs in respect of support services provided centrally to the CGUs. Such support services include Finance, Human Resources, Legal, Information Technology and additional central management support in respect of stewardship and governance. In calculating sustainable earnings these overhead costs have been allocated to the CGUs based on the extent to which each CGU has benefited from the services provided. Commonly this is driven by time spent by the relevant central department in supporting the CGU, informed by headcount or where possible specific cost allocations have been made. The Adjusted EBITDA¹ multiple used in the calculations is based on an independent third party assessment of the implied enterprise value of each CGU based on a population of comparable companies as at the Balance Sheet date. The estimated cost to sell was based on other recent transactions that the Group has undertaken.
Current year impairment
The Board assessed the recoverable amount of each CGU using fair value less costs to sell as at 30 September 2025, applying the methodology described above. In all cases, the recoverable amount exceeded the carrying amount, and no impairment losses have been recognised for the year ended 30 September 2025.
Current year sensitivity analysis – impairment
The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, based on Adjusted EBITDA¹, and applying a reasonable market multiple. The sustainable earnings figures include a key assumption regarding achieving forecast revenue within each CGU assessment. The Board has reviewed sensitivity analysis on the FVLCTS calculations for each CGU, considering reasonably possible changes in the key assumption of revenue. Assuming a 10% shortfall in forecast revenue (after factoring in controllable variable cost reductions and maintaining margins), no material impairment would arise.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 132
Notes to the Financial Statements continued for the year ended 30 September 2025
11 Goodwill and intangible assets continued
Fair value less costs to sell continued
Prior period impairment
In the prior period the Board assessed the recoverable amount of the North America Cyber Security CGU based on its FVLCTS as at 31 May 2024 as described above. Based on that assessment, the carrying amount of this CGU exceeded its recoverable amount and therefore an impairment loss of £31.9m was recognised, reducing the value of goodwill allocated to this CGU to £nil. This impairment relates to our North America Cyber Security business, as the recovery in demand was less consistent than expected. This amount was recognised as an Individually Significant Item (see Note 4). The impairment charge recognised resulted in a reduction in the carrying value of goodwill only.
Prior period sensitivity analysis – impairment
The FVLCTS valuation of each standalone CGU has been calculated by determining sustainable earnings, which are based on the Adjusted EBITDA¹, and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation include a key assumption regarding a sustainable gross margin percentage for the business. The table below shows the sensitivity of headroom to reasonably possible changes in the key assumptions, by reflecting the additional impairment that would have been required from a decrease in gross margin of 0.5 percentage points. This additional impairment would have been after the £31.9m impairment in the North America Cyber Security CGU during May 2024. As goodwill has been impaired to £nil, any further impairment would be applied to other assets allocated to the CGU.
| Decrease in gross margin of 0.5 percentage points | £m |
|---|---|
| CGU | |
| North America Cyber Security | 2.9 |
As the goodwill in the North America Cyber Security CGU was fully impaired as at 31 May 2024, no further sensitivity analysis was provided as at 30 September 2024. With the exception of the North America Cyber Security CGU, the Board did not identify any reasonably possible changes in the key assumptions that would cause the carrying values of the other CGUs to exceed their respective recoverable amounts at 30 September 2024.
Prior period goodwill reallocation
During June 2024, as part of the expected disposal of the Fox Crypto B.V. entity, the Group reorganised its reporting structure to separate out the Fox Crypto entity from the Europe Cyber Security CGU. On this basis the Europe Cyber Security goodwill was reallocated between the newly created Fox Crypto CGU and the remaining Europe Cyber Security CGU.Goodwill was reallocated based on relative values of the two CGUs, but having made adjustment to reflect that the Fox Crypto CGU is less asset intensive than the remaining Europe Cyber Security CGU. The value of each CGU was based on FVLCTS. For the Fox Crypto CGU, the FVLCTS was based on the expected consideration to be received on disposal (see Note 18 of the 2024 Annual Report and Accounts) of this business less estimated selling costs. For the remaining Europe Cyber Security CGU the fair value was calculated using a methodology consistent with that used in the goodwill impairment review and described above. Based on this assessment, goodwill of £51.9m was reallocated to the Fox Crypto CGU, leaving £2.2m as reallocated to the EU Cyber Security CGU. Goodwill reallocated to the Fox Crypto CGU was reclassified to assets held for sale (see Note 16). There was no change in the allocated goodwill following completion of the disposal in the current year.
Prior period sensitivity analysis – goodwill reallocation
The FVLCTS valuation of each standalone CGU was calculated by determining sustainable earnings, which were based on the Adjusted EBITDA 1 , and applying a reasonable market multiple on the calculated sustainable earnings. The sustainable earnings figures used in this calculation included a key assumption regarding forecast revenue for the business. The table below shows the sensitivity of the goodwill reallocation to reasonably possible changes in the key assumptions, by reflecting the additional goodwill that would have been allocated to the Europe Cyber Security CGU from an increase in revenue of 5% with no increased costs. This additional goodwill would be after the allocation of £2.2m of goodwill to the Europe Cyber Security CGU.
| CGU | 5% increase in revenue |
|---|---|
| £m | £m |
| Europe Cyber Security | 13.3 |
1 Adjusted EBITDA is an Alternative Performance Measure (APM) and not an IFRS measure. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 133
12 Property, plant and equipment
| £m | Fixtures, fittings and equipment | Assets under construction | Computer equipment | Total |
|---|---|---|---|---|
| Cost | ||||
| At 1 June 2023 | 27.5 | 20.4 | — | 47.9 |
| Additions | 3.8 | 2.4 | — | 6.2 |
| Disposals | (0.1) | (0.2) | — | (0.3) |
| Assets classified as held for sale (Note 16) | (1.1) | (1.2) | — | (2.3) |
| Movement in foreign exchange rates | (0.3) | (0.2) | — | (0.5) |
| At 30 September 2024 | 29.8 | 21.2 | — | 51.0 |
| Additions | 2.6 | 0.5 | 1.6 | 4.7 |
| Disposals | — | (1.8) | — | (1.8) |
| Assets classified as held for sale (Note 16) | (1.1) | (0.2) | — | (1.3) |
| Movement in foreign exchange rates | (0.8) | — | — | (0.8) |
| At 30 September 2025 | 30.5 | 19.7 | 1.6 | 51.8 |
| Accumulated depreciation | ||||
| At 1 June 2023 | (23.0) | (12.4) | — | (35.4) |
| Charge for period | (3.4) | (2.0) | — | (5.4) |
| Impairment | — | (0.4) | — | (0.4) |
| On disposals | 0.1 | 0.1 | — | 0.2 |
| Assets classified as held for sale (Note 16) | 0.9 | 0.3 | — | 1.2 |
| Movement in foreign exchange rates | 0.2 | 0.2 | — | 0.4 |
| At 30 September 2024 | (25.2) | (14.2) | — | (39.4) |
| Charge for year | (2.7) | (1.6) | — | (4.3) |
| On disposals | — | 0.6 | — | 0.6 |
| Assets classified as held for sale (Note 16) | 1.0 | 0.1 | — | 1.1 |
| Movement in foreign exchange rates | 0.6 | 0.1 | — | 0.7 |
| At 30 September 2025 | (26.3) | (15.0) | — | (41.3) |
| Net book value | ||||
| At 30 September 2024 | 4.6 | 7.0 | — | 11.6 |
| At 30 September 2025 | 4.2 | 4.7 | 1.6 | 10.5 |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 134
Notes to the Financial Statements continued for the year ended 30 September 2025
13 Right-of-use assets
| £m | Land and buildings | Motor vehicles | Total |
|---|---|---|---|
| Cost | |||
| At 1 June 2023 | 36.3 | 6.0 | 42.3 |
| Additions | 5.2 | 4.2 | 9.4 |
| Disposals | — | (1.7) | (1.7) |
| Impairment | (3.2) | — | (3.2) |
| Assets classified as held for sale | — | (0.4) | (0.4) |
| At 30 September 2024 | 38.3 | 8.1 | 46.4 |
| Additions | 4.7 | 1.8 | 6.5 |
| Disposals | (1.4) | (2.0) | (3.4) |
| Impairment | (0.3) | — | (0.3) |
| Reversal of impairment | 0.2 | — | 0.2 |
| Assets classified as held for sale | (5.9) | (0.2) | (6.1) |
| At 30 September 2025 | 35.6 | 7.7 | 43.3 |
| Accumulated depreciation | |||
| At 1 June 2023 | (19.0) | (4.7) | (23.7) |
| Charge for period | (5.6) | (2.5) | (8.1) |
| Disposals | — | 1.1 | 1.1 |
| At 30 September 2024 | (24.6) | (6.1) | (30.7) |
| Charge for year | (3.8) | (1.7) | (5.5) |
| Disposals | 1.3 | 1.3 | 2.6 |
| Assets classified as held for sale | 3.9 | 0.2 | 4.1 |
| At 30 September 2025 | (23.2) | (6.3) | (29.5) |
| Net book value | |||
| At 30 September 2024 | 13.7 | 2.0 | 15.7 |
| At 30 September 2025 | 12.4 | 1.4 | 13.8 |
14 Trade and other receivables
| Group 2025 | Group 2024 | Company 2025 | Company 2024 | |
|---|---|---|---|---|
| £m | £m | £m | £m | £m |
| Current | ||||
| Trade receivables | 14.1 | 17.3 | — | — |
| Prepayments | 9.7 | 12.6 | — | — |
| Contract costs – costs to obtain (see Note 21) | 3.5 | 1.2 | — | — |
| Contract costs – costs to fulfil (see Note 21) | 3.5 | — | — | — |
| Other receivables | 1.0 | 1.1 | — | — |
| Non-current | ||||
| Amounts owed by Group undertakings | — | — | 34.2 | 43.1 |
| Total | 31.8 | 32.2 | 34.2 | 43.1 |
| Disclosed as follows: | ||||
| Current assets | 31.8 | 32.2 | — | — |
| Non-current assets | — | — | 34.2 | 43.1 |
| 31.8 | 32.2 | 34.2 | 43.1 |
The carrying value of trade and other receivables classified at amortised cost approximates fair value. No material credit losses have been recognised in respect of amounts owed by Group undertakings (Parent Company only) in the period (2024: £nil). Amounts owed by Group undertakings in the Parent Company Balance Sheet have been disclosed as repayable after more than one year. Although these are repayable on demand, the disclosure as non-current is based on management’s expectation of the timing of repayment.
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 135
14 Trade and other receivables continued
The ageing of trade receivables and other receivables at the end of the reporting year was:
| Expected credit losses 2025 | Gross 2025 | Net 2025 | Expected credit losses 2024 Restated * | Gross 2024 Restated * | Net 2024 Restated * | |
|---|---|---|---|---|---|---|
| Group £m | £m | £m | £m | £m | £m | £m |
| Trade receivables: | ||||||
| Not past due | 10.5 | — | 10.5 | 13.8 | — | 13.8 |
| Past due 0–30 days | 2.1 | — | 2.1 | 2.1 | — | 2.1 |
| Past due 31–90 days | 0.9 | — | 0.9 | 0.7 | — | 0.7 |
| Past due more than 90 days | 1.3 | (0.7) | 0.6 | 2.3 | (1.6) | 0.7 |
| 14.8 | (0.7) | 14.1 | 18.9 | (1.6) | 17.3 | |
| Other receivables: | ||||||
| Not past due | 1.0 | — | 1.0 | 1.1 | — | 1.1 |
| Total | 15.8 | (0.7) | 15.1 | 20.0 | (1.6) | 18.4 |
The movement in the expected credit losses of trade and other receivables (being the credit losses recognised on financial assets, specifically trade receivables) is as follows:
| Expected credit loss provision £m | |
|---|---|
| Balance at 1 June 2023 | (2.0) |
| Provision utilised during the period | 0.4 |
| Balance at 30 September 2024 | (1.6) |
| Transferred to assets held for sale | 0.9 |
| Balance at 30 September 2025 | (0.7) |
15 Deferred tax assets and liabilities (Group)
Deferred tax assets and liabilities on the Consolidated Balance Sheet are offset in accordance with IAS 12. A summary of this, offset with significant jurisdictions, is shown for the Group (including discontinued operations) below:
| UK £m | US £m | Netherlands £m | Total £m | |
|---|---|---|---|---|
| 2025 Asset/(liability) | ||||
| Plant and equipment | — | — | 0.2 | 0.2 |
| Short-term temporary differences | 0.4 | 6.3 | — | 6.7 |
| IFRS 16 assets | — | — | 0.1 | 0.1 |
| Intangible assets | (0.6) | (6.3) | (0.5) | (7.4) |
| Share-based payments | 1.2 | — | — | 1.2 |
| Tax losses | — | — | — | — |
| Deferred tax asset/(liability) | 1.0 | — | (0.2) | 0.8 |
| Analysed as follows: | ||||
| Non-current assets | 1.0 | — | — | 1.0 |
| Non-current liabilities | — | — | (0.2) | (0.2) |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 136
Notes to the Financial Statements continued for the year ended 30 September 2025
15 Deferred tax assets and liabilities (Group) continued
| UK £m | US £m | Netherlands £m | Total £m | |
|---|---|---|---|---|
| 2024 Asset/(liability) | ||||
| Plant and equipment | — | — | 0.3 | 0.3 |
| Short-term temporary differences | 0.5 | 3.1 | — | 3.6 |
| Intangible assets | (0.8) | (3.1) | (0.8) | (4.7) |
| Share-based payments | 0.9 | — | — | 0.9 |
| Tax losses | — | — | — | — |
| Deferred tax asset/(liability) | 0.6 | — | (0.5) | 0.1 |
| Analysed as follows: | ||||
| Non-current assets | 0.6 | — | — | 0.6 |
| Non-current liabilities | — | — | (0.5) | (0.5) |
Movement in deferred tax during the year:
| Recognised 30 September 2024 £m | In Income Statement £m | Exchange differences £m | Recognised in equity £m | 30 September 2025 £m | |
|---|---|---|---|---|---|
| Plant and equipment | 0.3 | (0.1) | — | — | 0.2 |
| Short-term temporary differences | 3.6 | 3.1 | — | — | 6.7 |
| IFRS 16 assets | — | 0.1 | — | — | 0.1 |
| Intangible assets | (4.7) | (2.6) | (0.1) | — | (7.4) |
| Share-based payments | 0.9 | 0.2 | — | 0.1 | 1.2 |
| Total | 0.1 | 0.7 | (0.1) | 0.1 | 0.8 |
| Recognised 1 June 2023 £m | In Income Statement £m | Exchange differences £m | Recognised in equity £m | Acquisition £m | 30 September 2024 £m | |
|---|---|---|---|---|---|---|
| Plant and equipment | 0.2 | 0.1 | — | — | — | 0.3 |
| Short-term temporary differences | 9.1 | (5.7) | 0.2 | — | — | 3.6 |
| IFRS 16 assets/(liabilities) | 0.5 | (0.5) | — | — | — | — |
| Intangible assets | (10.7) | 5.8 | 0.2 | — | — | (4.7) |
| Share-based payments | 0.5 | 0.4 | — | — | — | 0.9 |
| Tax losses | 1.9 | (1.9) | — | — | — | — |
| Total | 1.5 | (1.8) | 0.4 | — | — | 0.1 |
In the year ended 30 September 2025 (as in the period ended 30 September 2024), the Group (including the Escode division) has not recognised a deferred tax asset in relation to tax losses (and certain other North American temporary differences) as management does not consider it probable that future taxable profits will be available against which they may be offset. The Group has not recognised a deferred tax asset on any element of £43.4m (2024: £19.9m) of tax losses carried forward in the United Kingdom (£8.2m), Denmark (£4.2m), Australia (£5.4m), Japan (£0.2m) and United States state taxes (£25.4m) due to current uncertainties over their future recoverability (and in the case of certain United Kingdom/United States losses because of specific legislative restrictions).# Financial Statements
In February 2023, the Group announced the commencement of a strategic review of its Escode business and other core and non-core assets. The review of the Escode business was subsequently stopped in June 2023. During the year ended 30 September 2025, the Group confirmed that it was exploring a number of options for its Escode business, including a potential sale. The Group initiated an active programme to locate a buyer for Escode during the year. On this basis, as at 30 September 2025, the sale of Escode was considered highly probable and therefore the associated assets and liabilities were reclassified as held for sale as at 30 September 2025. As the conditions for classification as “held for sale” were met, and given that Escode represents a separate major line of business within the Group, it is presented as a discontinued operation. The financial performance and cash flow information relating to discontinued operations for the year ended 30 September 2025, including comparative figures, is presented below.
| Year ended 30 September 2025 | 16 month period ended 30 September 2024 | |
|---|---|---|
| £m | £m | |
| Discontinued operations | ||
| Revenue (Note 3) | 66.5 | 87.4 |
| Cost of sales | (19.0) | (26.7) |
| Gross profit | 47.5 | 60.7 |
| Administrative expenses | ||
| Individually Significant Items | — | (0.1) |
| Depreciation and amortisation | (6.0) | (7.7 ) |
| Other administrative expenses | (9.8) | (14.7) |
| Total administrative expenses | (15.8) | (22.5) |
| Operating profit | 31.7 | 38.2 |
| Finance costs | (0.1) | (0.1) |
| Profit before taxation | 31.6 | 3 8 .1 |
| Tax expense (Note 8) | (5.4) | (3.4) |
| Profit for the year/period from discontinued operations | 26.2 | 34.7 |
| Exchange differences on translation of discontinued | (0.1) | (10.2) |
| operations | ||
| Other comprehensive income from discontinued operations | 26.1 | 24.5 |
| Net cash inflow from operating activities | 39.6 | 37.0 |
| Net cash outflow from investing activities | (0.3) | (1.6) |
| Net cash outflow from financing activities | (37.4) | (37. 0) |
| Net increase/(decrease) in cash generated by the | 1.9 | (1.6) |
| discontinued operations |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 138
Notes to the Financial Statements continued for the year ended 30 September 2025
The following assets and liabilities were reclassified as held for sale in relation to discontinued operations as at 30 September 2025:
| 30 September 2025 | |
|---|---|
| £m | |
| Assets classified as held for sale: | |
| Goodwill | 110. |
| Intangible fixed assets | 76.1 |
| Tangible fixed assets | 0.2 |
| Right-of-use assets | 2.0 |
| Trade and other receivables | 5.1 |
| Cash and cash equivalents | 3.9 |
| Contract assets | 0.5 |
| Total assets classified as held for sale | 198.0 |
| Liabilities associated with assets classified as held for sale: | |
| Lease liabilities | (3.0) |
| Trade and other payables | (6.2) |
| Provisions | (0.3) |
| Deferred revenue | (24.7) |
| Current tax liability | (5.6) |
| Total liabilities associated with assets classified as held for sale | (39.8) |
On 1 August 2024, the Group announced the disposal of Fox Crypto B.V. for an initial expected gross consideration of €77.3m to CR Group Nordic AB. As at 30 September 2024, the disposal was yet to be finalised; however, the sale of this business was considered highly probable and, accordingly, Fox Crypto’s assets and liabilities were reclassified as held for sale as at 30 September 2024. Fox Crypto B.V. did not meet the definition of discontinued operations. On 28 March 2025, the Group completed the disposal of its entire 100% interest in Fox Crypto, a foreign operation, for total cash consideration of £65.6m. Following completion, all assets and liabilities held for sale were derecognised. The Group did not retain any interest in Fox Crypto, and no contingent consideration was recognised. For further details on the disposal see Note 31. The table below sets out the assets held for sale balances as at 30 September 2024:
| 30 September 2024 | |
|---|---|
| £m | |
| Assets classified as held for sale: | |
| Goodwill | 51.9 |
| Intangible fixed assets | 0.1 |
| Right-of-use assets | 0.4 |
| Property, plant and equipment | 1.1 |
| Inventories | 0.6 |
| Trade and other receivables | 4.3 |
| Contract assets | 3.1 |
| Total assets classified as held for sale | 61.5 |
| Liabilities associated with assets classified as held for sale: | |
| Trade and other payables | (1.4) |
| Deferred revenue | (3 .1) |
| Lease liabilities | (0.4) |
| Provisions | (0.8) |
| Total liabilities associated with assets classified as held for sale | (5.7) |
Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 139
| Group 2025 | Group 2024 | Company 2025 | Company 2024 | |
|---|---|---|---|---|
| £m | £m | £m | £m | |
| Trade payables | 4.6 | 4.6 | — | — |
| Non-trade payables | 5.5 | 17.5 | — | 9.8 |
| Accruals | 33.0 | 24.7 | — | — |
| Amounts owed to | — | — | — | 0.1 |
| Group companies | ||||
| Total | 43.1 | 46.8 | — | 9.9 |
The carrying value of trade and other payables classified as financial liabilities measured at amortised cost approximates fair value.
| Land and buildings £m | Motor vehicles £m | Total £m | |
|---|---|---|---|
| At 1 June 2023 | 26.3 | 3.7 | 30.0 |
| Additions | 4.7 | 4.2 | 8.9 |
| Disposals | — | (0.7) | (0.7) |
| Lease payments | (9.2) | (2.7) | (11.9) |
| Interest expense | 1.3 | 0.4 | 1.7 |
| Liabilities classified as held for | — | (0.4) | (0.4) |
| sale | |||
| At 30 September 2024 | 23 .1 | 4.5 | 27.6 |
| Additions | 2.9 | 1.6 | 4.5 |
| Disposals | (2.3) | (0.5) | (2.8) |
| Lease payments | (5.8) | (2.1) | (7.9) |
| Interest expense | 0.9 | 0.2 | 1.1 |
| Liabilities classified as held for | (3.0) | — | (3.0) |
| sale | |||
| At 30 September 2025 | 15.8 | 3.7 | 19.5 |
Analysed as follows:
| 2025 | 2024 | |
|---|---|---|
| £m | £m | |
| Current | 4.1 | 5.7 |
| Non-current | 15.4 | 21.9 |
The maturity of lease liabilities is as follows:
| 2025 | 2024 | |
|---|---|---|
| £m | £m | |
| Less than one year | 4.1 | 5.7 |
| Two to five years | 11.0 | 16 .1 |
| More than five years | 4.4 | 5.8 |
| Total lease liabilities | 19.5 | 27.6 |
The total cash outflow for leases in the year was £7.9m (2024: £11.9m), which consists of £6.8m (2024: £10.2m) principal element of lease payments disclosed above, £1.1m (2024: £1.7m) interest element of lease payments and £nil (2024: £nil) lease payments charged to the Income Statement in respect of short-term leases. The Group has used its incremental borrowing rate of 6.53% (2024: 6.35%) as the discount rate for the calculation of the lease liabilities. Some leases contain break clauses or extension options to provide operational flexibility. Potential future undiscounted lease payments not included in the reasonably certain lease term, and hence not included in lease liabilities, total £1.2m (2024: £4.6m).
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 140
Notes to the Financial Statements continued for the year ended 30 September 2025
| Onerous property costs £m | Loss-making contracts £m | Other provisions £m | Total £m | |
|---|---|---|---|---|
| Balance at 1 June 2023 | 1.0 | 1.4 | 0.3 | 2.7 |
| Provisions created in the period | 0.3 | 3.0 | 0.1 | 3.4 |
| Provisions released during the | — | (0.2) | — | (0.2) |
| period | ||||
| Provisions utilised during the | (0.5) | (1.0) | (0.3) | (1.8) |
| period | ||||
| Transferred to assets held for | (0.8) | — | — | (0.8) |
| sale | ||||
| Balance at 30 September 2024 | — | 3.2 | 0.1 | 3.3 |
| Provisions created in the year | — | 1.3 | — | 1.3 |
| Provisions released during the | — | (1.2) | — | (1.2) |
| year | ||||
| Provisions utilised during the | — | (0.8) | (0.1) | (0.9) |
| year | ||||
| Transferred to assets held for | — | (0.3) | — | (0.3) |
| sale | ||||
| Balance at 30 September 2025 | — | 2.2 | — | 2.2 |
Analysed as follows (2025):
| Current | — 0.3 |
| Non-current | — 1.9 |
Analysed as follows (2024):
| Current | — 1.3 |
| Non-current | — 1.9 |
The onerous property costs provision relates to unused and closed office spaces within the Group’s property portfolio. The onerous property provision of £2.2m (2024: £3.2m) at 30 September 2025 includes £0.5m (2024: £2.0m) of non-rental costs relating to the onerous properties including service charges and insurance, as well as the estimated costs of disposing of or terminating these leases, which includes rent incentives and letting fees. The provision at 30 September 2025 also includes estimated dilapidations liabilities of £1.7m (2024: £1.2m) relating to the Group’s leased premises. Both of these provisions are expected to unwind over the period of the relevant leases (2026–2035). Other provisions are £nil in the year ended 30 September 2025 (2024: £0.1m). These comprised accrued redundancy costs relating to the implementation of the reorganisation to which the Group was committed as of 30 September 2024. These costs were settled within the year ended 30 September 2025.
Deferred revenue represents advanced consideration received from customers, for which revenue is recognised over time.# Notes to the Financial Statements
The following table provides information about receivables and contract assets from contracts with customers.
| Group | Group | ||||
|---|---|---|---|---|---|
| 2025 | 2024 | Note | £m | £m | |
| Receivables, which are included in trade and other receivables | 14 | 14.1 | 17. | 3 | |
| Contract assets – accrued income | 19.4 | 2 | 0.1 | ||
| Contract costs – costs to fulfil | 14 | 3.5 | — | ||
| Contract costs – costs to obtain | 14 | 3.5 | 1.2 |
The Group has recognised £19.4m of contract assets (2024: £20.1m). All contract assets for the current year and the comparative period are presented within current assets.
The ageing of contract assets at the end of the reporting year was:
| Expected Gross credit losses | Net | Expected Gross credit losses | Net | ||
|---|---|---|---|---|---|
| 2025 | 2025 | 2025 | 2024 | 2024 | 2024 |
| Group | £m | £m | £m | £m | £m |
| Contract assets: | |||||
| Not past due | 20.1 | (0.7) | 19.4 | 21.1 | (1.0) |
| Total | 20.1 | (0.7) | 19.4 | 21.1 | (1.0) |
The movement in the expected credit losses of contract assets (being the credit losses recognised on financial assets, specifically contract assets) is as follows:
| Expected credit loss provision | £m |
|---|---|
| Balance at 1 June 2023 | (0.2) |
| Charged to the Income Statement | (0.8) |
| Balance at 30 September 2024 | (1.0) |
| Provision utilised during the year | 0.3 |
| Balance at 30 September 2025 | (0.7) |
Accrued income of £19.4m (2024: £20.1m) is the Group’s rights to consideration for work completed but not billed at the reporting date. The contract assets accrued in the prior year of £20.1m were fully recognised as trade receivables during the year ended 30 September 2025. Therefore, the balances as at 30 September 2025 were fully accrued during the year and will be transferred to receivables when the rights become unconditional.
Expected credit losses of £0.7m (2024: £1.0m) have been recognised in respect of contract assets. The contract assets are transferred to receivables when the rights become unconditional. This usually occurs when the Group issues an invoice to the customer. Invoices usually become payable within 30 days.
The contract costs to obtain of £3.5m (2024: £1.2m) represent incremental sales commissions to obtain specific contracts and are amortised over the length of the contract. Contract costs comprise (i) incremental costs of obtaining contracts of £3.5m (2024: £1.2m), which are expected to be recovered through future revenue, and (ii) costs to fulfil contracts of £3.5m (2024: £nil), which relate directly to future performance obligations and are expected to be recovered.
| Group | Group | Company | Company | |
|---|---|---|---|---|
| 2025 | 2024 | 2025 | 2024 | |
| £m | £m | £m | £m | |
| Cash and cash equivalents | 12.5 | 29.8 | — | 9.8 |
| Bank overdraft | — | (13.6) | — | — |
| Total cash at bank and in hand | 12.5 | 16.2 | — | 9.8 |
| Group | Group | Company | Company | |
|---|---|---|---|---|
| 2025 | 2024 | 2025 | 2024 | |
| Maturity | £m | £m | £m | £m |
| Non-current liabilities | ||||
| Revolving credit facility | 2029 | 3.3 | 61.5 | — |
| Total borrowings | 3.3 | 61.5 | — |
| Group | Group | Company | Company | |
|---|---|---|---|---|
| 2025 | 2024 | 2025 | 2024 | |
| £m | £m | £m | £m | |
| Two to five years | 3.3 | 61.5 | — | — |
The RCF is drawn in short to medium-term tranches of debt that are repayable within 12 months of drawdown. These tranches can be rolled over, provided certain conditions are met, including compliance with all loan terms. As at the year end, the Group has assessed its compliance with these conditions and considers it highly likely that it will continue to meet all requirements and be able to exercise its right to roll over the debt. The Directors believe the Group has both the ability and intent to roll over the drawn RCF amounts when due and, accordingly, have presented the RCF as a non-current liability in line with applicable IFRIC guidance.
In April 2025, the Group entered into a four year £120m multi-currency revolving credit facility replacing the previous £162.5m multi-currency revolving credit facility. Key terms of the facility are:
• A £120m multi-currency revolving credit facility maturing in April 2029.
• An additional £50m uncommitted accordion option, subject to bank approval.
• In line with the previous facility, a net leverage covenant of 3.0x with an additional acquisition spike to 3.5x for up to 12 months of the date of any acquisition.
• The bank margin is payable on a ratchet mechanism, with a margin payable above SONIA and SOFR in the range of 1.35% to 2.35% (previously 1.00% to 2.25%) depending on the level of the Group’s leverage. The weighted average interest rate is 6.16% for the year ended 30 September 2025 (2024: 6.21%).
• At the date of refinancing, unamortised arrangement fees relating to the previous RCF remained outstanding as the facility was refinanced before the end of its original term. The refinancing did not result in a substantial modification under IFRS 9. Accordingly, arrangement fees from the previous refinancing in December 2022 have been carried forward and are being amortised over the life of the new RCF term (four years to April 2029), together with new arrangement fees of £1.1m incurred directly with the lenders on refinancing.
• Certain subsidiaries of the Group act as guarantors to the new facility to provide coverage based on aggregate Adjusted EBITDA¹ and gross assets.
As at 30 September 2025, the Group had committed bank facilities of £120m (2024: £162.5m), of which £5.2m (2024: £62.4m) had been drawn, leaving £114.8m (2024: £100.1m) of undrawn facilities. Unamortised arrangement fees of £1.9m (2024: £0.9m) have been offset against the amounts drawn down, resulting in a carrying value of borrowings at 30 September 2025 of £3.3m (2024: £61.5m). The fair value of borrowings is not materially different to its amortised cost.
¹ Adjusted EBITDA is an Alternative Performance Measure (APM) and not an IFRS measure. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
| Group | Group | Company | Company | |
|---|---|---|---|---|
| 2025 | 2024 | 2025 | 2024 | |
| £m | £m | £m | £m | |
| Non-current | ||||
| Variable rate: | ||||
| Revolving credit facility | (3.3) | (61.5) | — | — |
| Total loans and borrowings (excluding lease liabilities) | (3.3) | (61.5) | — | — |
| Current | ||||
| Cash | 12.5 | 29.8 | — | 9.8 |
| Bank overdraft | — | (13.6) | — | — |
| Net cash/(debt) | 9.2 | (45.3) | — | 9.8 |
| (excluding lease liabilities) ¹ | ||||
| Non-current | ||||
| Lease liabilities | (15.4) | (21.9) | — | — |
| Current | ||||
| Lease liabilities | (4.1) | (5.7) | — | — |
| Net (debt)/cash ¹ | (10.3) | (72.9) | — | 9.8 |
Lease liabilities of £3.0m classified as held for sale in Note 16 have been excluded from the net debt calculation.
¹ Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
| 2025 | 2024 | |
|---|---|---|
| Group | £m | £m |
| Revolving credit facility/bank term loan: | ||
| Drawdown on facility | 21.1 | 57.8 |
| Repayment of facility | (80.3) | (75.0) |
| Release of deferred arrangement fees | 0.2 | 0.6 |
| Foreign exchange movement | 0.8 | (3.8) |
| Movement in borrowings | (58.2) | (20.4) |
| IFRS 16 lease liability: | ||
| New leases entered into | 4.5 | 8.9 |
| Disposals | (2.8) | (0.7) |
| Principal element of lease payments | (6.8) | (10.2) |
| Lease liabilities held for sale (see Note 16) | (3.0) | (0.4) |
| Movement in lease liabilities | (8.1) | (2.4) |
The Group has exposure to the following risks from its use of financial instruments:
• Credit risk
• Liquidity risk
• Currency risk
• Interest rate risk
The Board has overall responsibility for establishing appropriate management of exposure to risk. The Audit Committee oversees how management identifies and addresses risks to the Group.
The Board’s policy is to maintain a strong capital base so as to maintain investor, creditor and market confidence and to sustain future development of the business. The Group monitors capital on the basis of the gearing ratio. This ratio is calculated as net cash/(debt)² divided by total capital. Net cash/(debt)¹ is calculated as total borrowings as shown in the Consolidated Balance Sheet, less cash and cash equivalents. Total capital is calculated as equity, as shown in the Consolidated Balance Sheet, plus net debt¹.
As at 30 September 2025 the Group’s gearing ratio was nil (2024: 17.8%).
¹ Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
All instruments utilised by the Company and Group are for financing purposes.# 23 Financial instruments
The financial management and treasury activities of the Group are controlled centrally for all operations with local finance teams responsible for day-to-day banking activities.
As at 30 September 2025, the Group and Company had no other financial instruments other than those disclosed below. In addition, no embedded derivatives have been identified. There have been no transfers between levels in the year. The following table presents the Group’s financial assets and liabilities that are measured at fair value by level of fair value hierarchy:
Borrowings are held at amortised cost, which is considered to equate to fair value. All other assets and liabilities are held at either fair value or their carrying value, which approximates to fair value.
| Level 1 | Level 2 | Level 3 | Level 1 | Level 2 | Level 3 | |
|---|---|---|---|---|---|---|
| £m | £m | £m | £m | £m | £m | |
| Financial liabilities at fair value through profit or loss | — | — | — | — | 0.8 | — |
| Financial assets at fair value through profit or loss | — | 0.9 | — | — | — | — |
| Total financial asset/liabilities | — | 0.9 | — | — | 0.8 | — |
At 30 September 2025, the Group holds derivatives (financial assets) with a mark to market valuation of £0.9m (2024 financial liabilities: £0.8m) to mitigate currency risk, as described in Note 23.
Credit risk is the risk of financial loss to the Group if a customer or counterparty to a financial instrument fails to meet its contractual obligations and arises principally from the Group’s receivables from customers. The Group’s exposure to credit risk is influenced mainly by the individual characteristics of each customer.
The carrying value of financial assets represents the maximum credit exposure. The maximum exposure to credit risk at the reporting date was:
| Group | Group | Company | Company | |
|---|---|---|---|---|
| 2025 | 2024 | 2025 | 2024 | |
| £m | £m | £m | £m | |
| Trade receivables | 14.1 | 17.3 | — | — |
| Other receivables | 1.0 | 1.1 | — | — |
| Amounts owed by Group undertakings | — | — | 34.2 | 43.1 |
| Contract assets | 19.4 | 20.1 | — | — |
| Cash and cash equivalents | 12.5 | 29.8 | — | 9.8 |
| Total | 47.0 | 68.3 | 34.2 | 52.9 |
The maximum exposure to credit risk for trade receivables and other receivables at the reporting date by geographic region was:
| Group | Group | Company | Company | |
|---|---|---|---|---|
| 2025 | 2024 | 2025 | 2024 | |
| £m | £m | £m | £m | |
| Trade and other receivables by geographical segment | 6.8 | 8.0 | — | — |
| UK | 0.7 | 1.1 | — | — |
| APAC | 5.1 | 4.9 | — | — |
| North America | 2.5 | 4.4 | — | — |
| Europe | 15.1 | 18.4 | — | — |
| Total |
Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 145
23 Financial instruments continued
The maximum exposure to credit risk for trade and other receivables at the reporting date by business segment was:
| Group | Group | Company | Company | |
|---|---|---|---|---|
| 2025 | 2024 | 2025 | 2024 | |
| £m | £m | £m | £m | |
| Trade and other receivables by business segment | 14.8 | 15.7 | — | — |
| Cyber Security | — | 2.5 | — | — |
| Escode | 0.3 | 0.2 | — | — |
| Central and head office | 15.1 | 18.4 | — | — |
| Total |
The trade receivables of the Group typically comprise many amounts due from a large number of customers and represent a spread of industry sectors. The largest amount due from a single customer at the reporting date represented 3.0% (2024: 2.5%) of total Group receivables. All of the Group’s cash is held with financial institutions of high credit rating. The provisions in respect of trade receivables are used to record expected credit losses. The Group has dedicated credit control teams, which regularly review customer debt balances to assess the risk of recovery.
Liquidity risk is the risk that the Group will not be able to meet its financial obligations as they fall due. The Group manages and minimises liquidity risk by using global cash management solutions and actively monitoring both actual and projected cash outflows to ensure that it will have sufficient liquidity to meet its liabilities when due and have headroom to provide against unforeseen obligations. Longer term, the Group has assessed its liquidity forecast as part of the viability assessment and its ability to continue trading as a going concern. For further detail on the Group’s assessment of liquidity risk refer to the Viability Statement on pages 38 and 39.
The following are the undiscounted contractual maturities of financial liabilities, including interest payments, of the Group:
At 30 September 2025
| Carrying amount | Contractual cash flows | <1 year | 1–2 years | 2–5 years | 5+ years |
|---|---|---|---|---|---|
| £m | £m | £m | £m | £m | £m |
| Borrowings | (3.3) | (6.1) | (0.3) | (0.3) | (5.5) |
| Lease liabilities | (19.5) | (16.7) | (3.3) | (3.7) | (5.7) |
| Trade and other payables | (43.1) | (43.1) | (43.1) | — | — |
At 30 September 2024
| Carrying amount | Contractual cash flows | <1 year | 1–2 years | 2–5 years | 5+ years |
|---|---|---|---|---|---|
| £m | £m | £m | £m | £m | £m |
| Borrowings | (61.5) | (73.9) | (3.8) | (3.8) | (66.3) |
| Bank overdraft | (13.6) | (13.6) | (13.6) | — | — |
| Lease liabilities | (27.6) | (32.5) | (8.0) | (6.6) | (13.6) |
| Trade and other payables | (46.8) | (46.8) | (46.8) | — | — |
The contractual cash flows for borrowings disclosed above relate to the Group’s RCF for the year ended 30 September 2025, which expires in April 2029, and in the prior year includes the Term Loan Facility Agreement that was due to expire in December 2026. The contractual cash flows include an estimate of the interest payable based on the assumption that the borrowings remain drawn based upon 30 September 2025 levels, except that the term loan which existed at 30 September 2024 is repayable over its term. Interest is calculated based on SONIA/SOFR plus a margin based on the current leverage ratio.
The Group is exposed to currency risk on sales, purchases, cash and borrowings that are denominated in a currency other than the respective functional and presentational currency of the Group. The Group’s management reviews the size and probable timing of settlement of all financial assets and liabilities denominated in foreign currencies.
The Group’s exposure to currency risk is as follows:
| Sterling | EUR | USD | Other | Total | Sterling | EUR | USD | Other | Total | |
|---|---|---|---|---|---|---|---|---|---|---|
| 2025 | 2025 | 2025 | 2025 | 2025 | 2024 | 2024 | 2024 | 2024 | 2024 | |
| £m | £m | £m | £m | £m | £m | £m | £m | £m | £m | |
| Trade receivables | 8.4 | 2.9 | 1.9 | 0.9 | 14.1 | 7.6 | 2.0 | 7.4 | 0.3 | 17.3 |
| Other receivables | 1.0 | — | — | — | 1.0 | 1.1 | — | — | — | 1.1 |
| Contract assets | 7.8 | 3.8 | 6.1 | 1.7 | 19.4 | 7.9 | 3.4 | 6.5 | 2.3 | 20.1 |
| Cash and cash equivalents | 2.7 | 3.5 | 4.3 | 2.0 | 12.5 | 18.0 | 4.1 | 4.5 | 3.2 | 29.8 |
| Bank overdraft | — | — | — | — | — | (11.9) | — | (1.7) | — | (13.6) |
| Borrowings | 1.9 | — | (5.2) | — | (3.3) | (19.0) | — | (42.5) | — | (61.5) |
| Lease liabilities | (9.7) | (3.8) | (3.0) | (3.0) | (19.5) | (16.0) | (3.2) | (4.9) | (3.5) | (27.6) |
| Trade and other payables | (28.7) | (5.6) | (6.2) | (2.6) | (43.1) | (32.7) | (3.9) | (7.6) | (2.6) | (46.8) |
| Total | (16.6) | 0.8 | (2.1) | (1.0) | (18.9) | (45.0) | 2.4 | (38.3) | (0.3) | (81.2) |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 146 Notes to the Financial Statements continued for the year ended 30 September 2025
23 Financial instruments continued
The £1.9m of borrowings denominated in sterling relates to unamortised arrangement fees. A 10% change in each of the respective exchange rates utilised during the year would impact revenue by £17.0m (2024: £23.6m) and borrowings by £0.5m (2024: £4.3m), either increasing or decreasing each by the stated amounts. The Group’s risk management policy is to hedge foreign currency exposure in respect of significant material transactions that may arise from time to time. No material hedges were in place at 30 September 2025 or at 30 September 2024.
In order to manage shorter-term currency risk, the Group enters into short-term derivative arrangements. The Group designates the spot element of forward foreign exchange contracts to hedge its currency risk and applies a hedge ratio of 1:1. The forward elements of forward exchange contracts are excluded from the designation of the hedging instrument and are separately accounted for as a cost of hedging, which is recognised in equity in a cost of hedging reserve. The Group’s policy is for the critical terms of the forward exchange contracts to align with the hedged item. The Group determines the existence of an economic relationship between the hedging instrument and hedged item based on the currency, amount and timing of their respective cash flows. Given the short-term nature of these hedges there is limited risk of ineffectiveness.
The Group and Company finance their operations through a combination of retained profits and bank borrowings. The Group borrows and invests surplus cash at floating rates of interest based upon bank base rate.
The cash and cash equivalents of the Group and Company at the end of the financial year were as follows:
| 2025 | 2024 | |
|---|---|---|
| £m | £m | |
| Group | ||
| Sterling denominated financial assets | 2.7 | 18.0 |
| Euro denominated financial assets | 3.5 | 4.1 |
| US Dollar denominated financial assets | 4.3 | 4.5 |
| Other denominated financial assets | 2.0 | 3.2 |
| Total | 12.5 | 29.8 |
The financial assets and liabilities of the Company at the end of the financial year were as follows:
| 2025 | 2024 | |
|---|---|---|
| £m | £m | |
| Company | ||
| Financial assets | ||
| Sterling denominated financial assets | — | 9.8 |
| Amounts owed by Group undertakings | 34.2 | 43.1 |
| Total | 34.2 | 52.9 |
| Financial liabilities | ||
| Sterling denominated financial liabilities | — | 9.8 |
| Amounts owed to Group undertakings | — | 0.1 |
| Total | — | 9.9 |
A change of 100 basis points in interest rates would result in a difference in annual pre-tax profit of £nil (2024: £0.6m).
The financial liabilities of the Group (trade and other payables, borrowings and lease liabilities) and their maturity profile are as follows:
| Sterling | EUR | USD | Other | Total | Sterling | EUR | USD | Other | Total | |
|---|---|---|---|---|---|---|---|---|---|---|
| 2025 | 2025 | 2025 | 2025 | 2025 | 2024 | 2024 | 2024 | 2024 | 2024 | |
| £m | £m | £m | £m | £m | £m | £m | £m | £m | £m | |
| Less than one year | (30.4) | (6.3) | (7.3) | (3.2) | (47.2) | # Financial statements |
The Company has a number of share option schemes under which options to subscribe for the Company’s shares have been granted to Directors and colleagues, details of which are illustrated in the tables below. Expected term of options represents the period over which the fair value calculations are based. The share-based payment charge for the year was £2.1m (2024: £2.3m), of which £2.1m (2024: £2.3m) related to equity settled payments and £nil (2024: £nil) to cash settled payments.
Under the CSOP scheme, options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum. Options granted in September 2019 do not have any performance criteria.
| 2025 | Expected term of options | Exercisable between | Exercise price | Number outstanding |
|---|---|---|---|---|
| Date of grant | ||||
| August 2018 | 7 years | August 2021–August 2028 | £2.20 | — |
| September 2019 | 7 years | September 2022–September 2029 | £1.79 | 10,6136 |
The Company operates Sharesave schemes, which are available to all colleagues based in the UK, the Netherlands, Denmark, the Philippines, Spain and Australia, and full-time Executive Directors of the Group and its subsidiaries who have worked for a qualifying period.
| 2025 | Expected term of options | Exercisable between | Exercise price | Number outstanding |
|---|---|---|---|---|
| Date of grant | ||||
| May 2021 | 3 years | May 2024–October 2024 | £2.15 | — |
| May 2021 | 3 years | May 2024–October 2024 | £2.15 | — |
| May 2022 | 3 years | May 2025–October 2025 | £1.52 | 98,445 |
| May 2022 | 3 years | May 2025–October 2025 | £1.52 | 227,288 |
| May 2023 | 3 years | June 2026–November 2026 | £1.26 | 99,093 |
| May 2023 | 3 years | June 2026–November 2026 | £1.26 | 273,269 |
| May 2024 | 3 years | June 2027–November 2027 | £0.99 | 264,400 |
| May 2024 | 3 years | June 2027–November 2027 | £0.99 | 1,306,128 |
| July 2025 | 3 years | August 2028–January 2029 | £1.14 | 168,854 |
| July 2025 | 3 years | August 2028–January 2029 | £1.14 | 623,723 |
The Company operates a stock purchase plan, which is available to all North American-based colleagues who have worked for a qualifying period. All options are to be settled by equity. Under the scheme the following options have been granted and are outstanding at the year end.
| 2025 | Expected term of options | Exercisable in | Exercise price | Number outstanding |
|---|---|---|---|---|
| Date of grant | ||||
| May 2024 | 1 year | May 2025 | £1.09 | — |
| July 2025 | 1 year | July 2026 | £1.23 | 61,478 |
Under the ISO scheme, options granted will be subject to performance criteria. Options will vest if the average EPS growth for the three years following their grant is greater than 10% per annum. Options granted in September 2019 do not have any performance criteria.
| 2025 | Expected term of options | Exercisable between | Exercise price | Number outstanding |
|---|---|---|---|---|
| Date of grant | ||||
| September 2019 | 7 years | September 2022–September 2029 | £1.82 | 16,482 |
Options granted between November 2017 and May 2021 have three separate vesting conditions as set out below:
* 60% will vest based on achieving an average increase in Group EPS of 20% or more over a three year period. If growth is equal to an average of 9% (threshold), then 12% of the award will vest. If, however, growth is less than 9%, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 30% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion 1 is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.
Options granted in November 2021 have three separate vesting conditions as set out below:
* 60% will vest based on achieving an average increase in Group EPS of 22.5% or more over a three year period. If growth is equal to an average of 9% (threshold), then 15% of the award will vest. If, however, growth is less than 9% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 30% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 70% per annum on average. If cash conversion 1 is greater than or equal to 80% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 70% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 10% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 20% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.
Options granted between October 2022 and November 2022 have three separate vesting conditions as set out below:
* 60% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 20% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.
Options granted between October 2023 and February 2024 have three separate vesting conditions as set out below:
* 40% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 40% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts). If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.
Options granted during or after June 2024 have three separate vesting conditions as set out below:
* 30% will vest based on achieving an average increase in Group EPS of 18% or more over a three year period. If growth is equal to an average of 6% (threshold), then 15% of the award will vest. If, however, growth is less than 6% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 20% will vest based on achieving a cash conversion ratio 1 expressed as a percentage over the measurement period of greater than 80% per annum on average. If cash conversion 1 is greater than or equal to 90% per annum, then 100% of the award element will vest. If, however, cash conversion is less than 80% per annum, none of the award element will vest. Between these two points, vesting is determined on a straight-line basis.
* 50% will vest based on the Group’s total shareholder return (TSR) ranking when measured against the FTSE 250 (excluding investment trusts).If the Group’s TSR is consistent with the median group, 15% of the award will vest; below this level, none of the award element will vest. If the TSR is within the upper quartile or above, 100% of the award element will vest; between the median and upper quartile, vesting is determined on a straight-line basis.
March 2020 | 3 years | June 2022–August 2024 | £nil | —
May 2021 | 3 years | June 2023–August 2025 | £nil | —
November 2021 | 3 years | June 2024–November 2031 | £nil | —
October 2022 | 3 years | October 2025–October 2032 | £nil | 677,916
November 2022 | 3 years | November 2025–November 2032 | £nil | —
October 2023 | 3 years | October 2026–October 2033 | £nil | 1,606,795
February 2024 | 3 years | February 2027–February 2034 | £nil | 65,412
June 2024 | 3 years | October 2027–June 2034 | £nil | 2,839,374
January 2025 | 3 years | January 2028–January 2035 | £nil | 78,185
1 Cash conversion is an Alternative Performance Measure (APM) and not an IFRS measure. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 149
The vesting condition for the award of RSPs relates to colleagues remaining with the Group for a certain period of time, namely two years to receive 50% of the award, and a further year to receive the remaining 50%. There are no other performance conditions.
| 2025 Expected term | Exercisable | Exercise | Number | Date of grant | of options | outstanding | Price |
|---|---|---|---|---|---|---|---|
| May 2021 | 2/3 years | 50% exercisable August 2022 to August 2031, 50% exercisable August 2023 to August 2031 | £nil (£0.01 in the US and Canada) | 16,500 | |||
| November 2021 | 2/3 years | 50% exercisable October 2023 to August 2032, 50% exercisable October 2024 to August 2032 | £nil (£0.01 in the US and Canada) | 52,950 | |||
| October 2022 | 2/3 years | 50% exercisable October 2024 to October 2032, 50% exercisable October 2025 to October 2032 | £nil (£0.01 in the US and Canada) | 197,776 | |||
| November 2022 | 2/3 years | 50% exercisable November 2024 to November 2032, 50% exercisable November 2025 to November 2032 | £nil (£0.01 in the US and Canada) | — | |||
| October 2023 | 2/3 years | 50% exercisable September 2025 to September 2033, 50% exercisable September 2026 to September 2033 | £nil (£0.01 in the US and Canada) | 1,128,278 | |||
| February 2024 | 2/3 years | 50% exercisable February 2026 to February 2034, 50% exercisable February 2027 to February 2034 | £nil (£0.01 in the US and Canada) | 42,636 | |||
| January 2025 | 2/3 years | 50% exercisable January 2027 to February 2035, 50% exercisable January 2028 to February 2035 | £nil (£0.01 in the US and Canada) | 1,647,182 | |||
| July 2025 | 2/3 years | 50% exercisable July 2027 to July 2035, 50% exercisable July 2028 to July 2035 | £nil (£0.01 in the US and Canada) | 145,132 |
At least 35% of any cash bonus payment is normally deferred into shares or nominal cost share options which vest after a two year period. Dividend equivalents are paid on vesting share options. From January 2025, 35% of any bonus payment earned in excess of £50,000 (the first £50,000 of any bonus will be paid in cash before any bonus deferral) is normally deferred into shares or nominal cost share options which vest after a two year period.
| 2025 Expected term | Exercise | Number | Date of grant | of options | Exercisable | in price | outstanding |
|---|---|---|---|---|---|---|---|
| October 2022 | 2 years | October 2024 | £nil | — | |||
| October 2023 | 2 years | October 2025 | £nil | 12,207 | |||
| August 2024 | 2 years | August 2026 | £nil | 174,434 | |||
| December 2024 | 2 years | December 2026 | £nil | 92,559 |
Phantom schemes are used to allow the grant of LTIPs or RSPs to members of the Executive Committee or other senior colleagues based in certain overseas locations at a time when the Group’s option scheme rules are not structured to allow overseas grants. Options granted on or after September 2019 do not have any performance criteria.
| 2025 Expected term | Exercisable | Exercise | Number | Date of grant | of options | between price | outstanding |
|---|---|---|---|---|---|---|---|
| July 2021 | 3 years | August 2022–July 2031 | £nil | — | |||
| November 2021 | 3 years | October 2023–November 2031 | £nil | — | |||
| January 2025 | 3 years | February 2026–November 2035 | £nil | 9,776 |
The fair value of services received in return for share options is calculated with reference to the fair value of the award on the date of grant. The fair value is spread over the period during which the colleague becomes unconditionally entitled to the award, adjusted to reflect actual and expected levels of vesting. The assumptions used in the models are illustrated in the tables below:
| Option Scheme | Grant date | expected term | Risk free interest rate |
|---|---|---|---|
| CSOP scheme | August 2018–September 2019 | 7 years | 0.35%–2.00% |
| Sharesave scheme | May 2021–July 2025 | 3 years | 0.13%–5.53% |
| ESPP scheme | May 2024–July 2025 | 1 year | 4.63%–5.53% |
| ISO scheme | September 2019 | 7 years | 0.38% |
| LTIP scheme | March 2020–January 2025 | 3 years | 0.21% |
| RSP scheme | May 2021–July 2025 | 10 years | N/A |
| Deferred shares | October 2022–December 2024 | 2 years | N/A |
| Phantom schemes | July 2021–January 2025 | 3 years | 5.53% |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 150
Notes to the Financial Statements continued for the year ended 30 September 2025
| Scheme | Grant date | Weighted average fair value of options granted during the year | Fair value at measurement date | Weighted average Exercise price at measurement date | Weighted average fair value at measurement date |
|---|---|---|---|---|---|
| CSOP scheme | August 2018–September 2019 | £0.55–£0.63 | £0.55 | £1.79 – £2.09 | £1.79 |
| Sharesave scheme | May 2021–July 2025 | £0.39–£0.86 | £0.51 | £0.9 9 – £2.15 | £1.12 |
| ESPP scheme | May 2024–July 2025 | £0.34–£0.37 | £0.34 | £1.09–£1.23 | £1.23 |
| ISO scheme | September 2019 | £0.54 | £0.54 | £1.82 | £1.82 |
| LTIP scheme | March 2020–January 2025 | £0.90–£2.31 | £1.30 | £nil | £nil |
| RSP scheme | May 2021–July 2025 | £0.90–£2.85 | £1.22 | £nil | £nil |
| Deferred shares | October 2022–December 2024 | £1.11– £1.55 | £1.46 | £nil | £nil |
| Phantom schemes | July 2021–January 2025 | £1.36 –£2.87 | £1.36 | £nil | £nil |
LTIP schemes that include market conditions have been valued using a Monte Carlo simulation. All other schemes without market conditions have been valued using the Black-Scholes model. The expected volatility has been based on an evaluation of the historical volatility of the Company’s share price, particularly over the historical period commensurate with the expected term. The expected term of the instruments has been based on historical experience and general option holder behaviour. For the options granted in the year ended 30 September 2025, dividend yield assumed at the time of option grant is 3.62% (2024: 4.52%).
The options outstanding at 30 September 2025 have an exercise price in the range of £nil to £2.15 (2024: £nil to £2.15) and a weighted average contractual life of seven years (2024: seven years). The following table illustrates the number and weighted average exercise prices (WAEP) of, and movements in, outstanding share awards during the year:
| 2025 | 2024 | |
|---|---|---|
| Number ’000 | WAEP | |
| Outstanding at beginning of year/period | 13,562 | £0.33 |
| Granted during the year/period | 2,997 | £0.34 |
| Exercised during the year/period | (1,156) | £0.28 |
| Forfeited in the year/period | (3,371) | £0.44 |
| Outstanding at end of year/period | 12,032 | £0.31 |
| Exercisable at end of year/period | 1,356 | £0.53 |
| Scheme | Number of instruments as at 1 October 2024 | Number of Options granted during the year | Instruments exercised in the year | Forfeitures in the year | Instruments as at 30 September 2025 |
|---|---|---|---|---|---|
| CSOP schemes | 161,998 | — | — | (55,862) | 106,136 |
| Sharesave/SAYE schemes | 3,142,015 | 824,011 | (75,537) | (829,289) | 3,061,200 |
| ESPP schemes | 360,960 | 70,413 | (204,492) | (165,403) | 61,478 |
| ISO schemes | 21,976 | — | — | (5,494) | 16,482 |
| LTIP schemes | 7,011,251 | 78,185 | (158,772) | (1,662,982) | 5,267,682 |
| RSP scheme | 2,675,796 | 1,922,037 | (715,543) | (651,838) | 3,230,452 |
| Deferred shares | 186,641 | 92,559 | — | — | 279,200 |
| Phantom schemes | 1,500 | 9,776 | (1,500) | — | 9,776 |
| 13,562,137 | 2,996,981 | (1,155,844) | (3,370,868) | 12,032,406 |
The liability for cash settled share-based payments at 30 September 2025 was £nil (2024: £nil).
Financial statements NCC Group plc — Annual report and accounts for the year ended 30 September 2025 151
| 2025 | 2024 | |
|---|---|---|
| Number of shares | Number of shares | |
| Ordinary shares of 1p each at the beginning of the year/period | 314,524,630 | 312,128,892 |
| Ordinary shares of 1p each issued in the year/period | 481,449 | 2,395,738 |
| Ordinary shares of 1p each at the end of the year/period | 315,006,079 | 314,524,630 |
| 2025 | 2024 | |
|---|---|---|
| £m | £m | |
| Allotted, called up and fully paid | 3.1 | 3.1 |
| Ordinary shares of 1p each at the beginning of the year/period | — | — |
| Ordinary shares of 1p each issued in the year/period | 3.1 | 3.1 |
| Ordinary shares of 1p each at the end of the year/period |
During the year, 481,449 (2024: 2,395,738) new ordinary shares of 1p were issued as a result of the exercise of share options. The proceeds of £0.3m (2024: £0.3m) were credited to the share premium account. As at 30 September 2025, 8,485,195 shares were held in treasury (2024: 5,158,090).
The share premium account records the difference between the nominal amount of shares issued and the fair value of the consideration received. The share premium account may be used for certain purposes specified by UK law, including to write off expenses incurred on any issue of shares and to pay fully paid bonus shares. The share premium account is not distributable but may be reduced by special resolution of the Company’s ordinary shareholders and with court approval.
The merger reserve arose in 2015 from the acquisition of Accumuli plc through a share-for-share exchange in part consideration for the business.# Currency translation reserve
The results of overseas operations are translated at the average foreign exchange rates for the year, and their balance sheets are translated at the rates prevailing at the Balance Sheet date. Exchange differences arising on the translation of opening net assets and results of overseas operations are recognised in the currency translation reserve. All other exchange differences are included in the Income Statement. On disposal of a foreign operation, the cumulative amount of exchange differences previously recognised in other comprehensive income and accumulated in equity is reclassified to the Income Statement. See Note 31 for further details.
Retained earnings for the Group are made up of accumulated reserves. For the Company, retained earnings are made up of accumulated reserves.
At the end of the reporting year, the Group had no other financial commitments (2024: £nil).
There are no contingent liabilities not provided for at the end of the financial year (2024: £nil). Similarly, there are no contingent assets (2024: £nil). The Company and its subsidiaries are party to cross guarantees securing certain bank loans. At 30 September 2025, there was no material impact that could arise for the Company from these cross guarantees.
The Group operates a defined contribution pension scheme that is open to all eligible colleagues. The pension cost charge for the year represents contributions payable by the Group to the fund and amounted to £7.4m (2024: £8.0m). For the Company, the pension cost charge for the year represents contributions payable by the Company to the fund and amounted to £nil (2024: £nil).
Management has defined related party transactions as those involving key management personnel only. Key management personnel have been assessed to be the Group’s Board of Directors. During the year ended 30 September 2025 there were seven (2024: nine) key management personnel. Disclosures relating to remuneration of Directors are set out in the Remuneration Report on pages 81 to 93. The remuneration of the key management personnel is set out below:
| Group 2025 £m | Group 2024 £m | Company 2025 £m | Company 2024 £m | |
|---|---|---|---|---|
| Salary costs (including bonus) | 2.2 | 2.7 | — | — |
| Social security costs | 0.3 | 0.4 | — | — |
| Share-based payments | — | 0.3 | — | — |
| Total | 2.5 | 3.4 | — | — |
There were no other related party transactions identified during the year. The amount of gains made by Directors on the exercise of share options is disclosed in the Remuneration Report on page 87.
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 152
Notes to the Financial Statements continued for the year ended 30 September 2025
| Company £m | |
|---|---|
| At 1 June 2023 | 279.1 |
| Increase in subsidiary investment for share-based charges | 2.3 |
| Increase in subsidiary investment for below market value loan arrangement | 9.7 |
| At 30 September 2024 | 291.1 |
| Increase in subsidiary investment for share-based charges | 2.1 |
| At 30 September 2025 | 293.2 |
In accordance with IAS 36 ‘Impairment of Assets’, management annually reviews the carrying value of investments to ensure that it does not exceed the recoverable amount. The investment in subsidiary undertakings is held against the Company’s direct subsidiary NCC Group Holdings Limited. In performing this assessment, management considered external market factors, such as the Group’s market capitalisation, and internal factors, such as the results of the Group’s annual goodwill impairment review. As of the reporting date, no indicators of impairment were noted. The increase in subsidiary investment for share-based charges represents IFRS 2 ‘Share-based Payment’ charges in respect of subsidiaries which will not be recharged. Fixed asset investments are recognised at cost.
The undertakings in which the Company has a 100% interest at 30 September 2025 are as follows:
| Subsidiary undertakings | Country of incorporation | Principal activity | Registered office |
|---|---|---|---|
| NCC Group Holdings Limited | England and Wales | Holding company | XYZ Building, 2 Hardman Boulevard, Spinningfields, Manchester, England M3 3AQ (XYZ 1 ) |
| NCC Group (Solutions) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Corporate Limited | England and Wales | Corporate cost centre | XYZ 1 |
| NCC Group Finance Limited | England and Wales | Financing company | XYZ 1 |
| The National Computing Centre Limited | England and Wales | Dormant | XYZ 1 |
| NCC Group Software Resilience Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Software Resilience (UK) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Services Limited | England and Wales | Escode | XYZ 1 |
| NCC Group Escrow Limited | England and Wales | Dormant | XYZ 1 |
| NCC Group Software Resilience (Europe) B.V. | Netherlands | Holding company | Barbara Strozzilaan 201, 1083HN Amsterdam, Netherlands |
| NCC Group GmbH | Germany | Escode | c/o Deloitte Legal Rechtsanwaltsgesellschaft mbH, Rosenheimer Platz 6, 81669, Munich, Bavaria, Germany |
| NCC Group Deutschland GmbH | Germany | Cyber Security | Leopoldstrasse Business Centre GmbH, Konrad-Zuse-Platz 8, 81829, Munich, Germany |
| NCC Group Escrow Europe B.V. | Netherlands | Escode | Barbara Strozzilaan 201, 1083HN Amsterdam, Netherlands |
| NCC Group Escrow Europe (Switzerland) AG | Switzerland | Escode | Ibelweg 18A, 6300 Zug, Switzerland |
| NCC Group Software Resilience (MEA-APAC) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group FZ-LLC | United Arab Emirates | Escode | F01-004, Building 5, Dubai, Media City, Dubai, United Arab Emirates |
| NCC Group Cyber Security Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Cyber Security (UK) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Security Services Limited | England and Wales | Cyber Security | XYZ 1 |
| NCC Group Audit Limited | England and Wales | Cyber Security | XYZ 1 |
| ArmstrongAdams Limited | England and Wales | Cyber Security | XYZ 1 |
| NCC Group Signify Solutions Limited | England and Wales | Cyber Security | XYZ 1 |
| NCC Group Accumuli Security Limited | England and Wales | Cyber Security | XYZ 1 |
| NCC Group Cyber Security (Europe) B.V. | Netherlands | Holding company | Olof Palmestraat 6, 2616 LM Delft, Netherlands (Fox-IT 3 ) |
| NCC Group A/S | Denmark | Cyber Security | Lautruphøj 1, 2750 Ballerup, Denmark |
| NCC Group Cyber Portuguesa, Unipessoal, LDA | Portugal | Cyber Security | Av. António Augusto de Aguiar nº 19 – 4º, 1050-012 Lisboa, Portugal |
| NCC Group Security Services Espana SLU | Spain | Cyber Security | Plaza Manuel Gómez Moreno, número 2, Edificio Alfredo Mahou, planta 19ª, letra B, 28020, Madrid, Spain |
Financial statements
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 153
The undertakings in which the Company holds less than a 100% interest at the year end are as follows:
| Undertaking | % interest | Country of incorporation | Principal activity |
|---|---|---|---|
| Deposit AB | 24% | Sweden | Escode |
The Directors consider the above ownership structure to give rise to no significant influence over the undertaking. There is no Board representation, and the Group has no power to participate in the operating and financial policy decisions of the undertaking. Accordingly, the undertaking of Deposit AB has not been consolidated.
1 2 Hardman Boulevard, Spinningfields, Manchester, England M3 3AQ.
2 11 East Adams Street, Suite 400, Chicago, IL 60603, USA.
3 Olof Palmestraat 6, 2616 LM Delft, Netherlands.
During the prior period, the Group disposed of its 3.35% shareholding in an unlisted company. The shares were sold for a total consideration of £0.4m. A gain of £0.1m was recognised within the Income Statement in relation to this disposal. There has been no impact in the current year. A further potential contingent consideration may be received after two years, subject to specific performance conditions. As this payment is not considered virtually certain at the reporting date, it has not been recognised in the current year’s Financial Statements. If achieved, the maximum additional amount receivable would be £0.2m.
| Subsidiary undertakings | Country of incorporation | Principal activity | Registered office |
|---|---|---|---|
| Cyber Assurance Sweden AB | Sweden | Cyber Security | c/o Advokatfirman Delphi, P.O. Box 143 2, 111 84 Stockholm |
| Fox-IT Holding B.V. | Netherlands | Holding company | Olof Palmestraat 6, 2616 LM Delft, Netherlands (Fox-IT 3 ) |
| Fox-IT Group B.V. | Netherlands | Holding company | Fox-IT 3 |
| Fox-IT B.V. | Netherlands | Cyber Security | Fox-IT 3 |
| NCC Group Cyber Security (APAC) Limited | England and Wales | Holding company | XYZ 1 |
| NCC Group Pte Limited | Singapore | Cyber Security | Unit #10-09 PLUS Building, 20 Cecil Street, Singapore (049705) |
| NCC Group Pty Limited | Australia | Cyber Security | Suite 23.01, Level 23, 45 Clarence Street, Sydney, NSW 2000, Australia |
| Escode Australia Pty Limited | Australia | Software Resilience | Suite 23.01, Level 23, 45 Clarence Street, Sydney, NSW 2000, Australia |
| NCC Group Japan KK | Japan | Cyber Security | Level 18, Yesibu Garden Place Tower, 4-20-3 Ebisu Shibuya-Ku, Tokyo, Japan |
| NCC Group (Americas) Inc. | USA | Holding company | 11 East Adams Street, Suite 400 Chicago IL 6 0 603, USA (North America HQ 2 ) |
| NCC Group, LLC | USA | Escode and central/head office costs | North America HQ 2 |
| NCC Group Cyber Security (Americas), LLC | USA | Holding company | North America HQ 2 |
| NCC Group Security Services, Inc. | USA | Cyber Security | North America HQ 2 |
| NCC Group Secure Registrar, Inc. | USA | Domain services | North America HQ 2 |
| NCC Group Domain Services, Inc. | USA | Domain services | North America HQ 2 |
| NCC Group Security Services Corporation | Canada | Cyber Security | Suite 2700, The Stack, 1133 Melville St, Vancouver, BC V6E 4E5, Canada |
| Payment Software Company, Inc. |
At 30 September 2024, the assets and liabilities associated with the planned disposal of Fox Crypto were classified as held for sale (for further details please refer to Note 16). On 28 March 2025, the Group completed the disposal of its entire 100% interest in Fox Crypto, a foreign operation, for total cash consideration of £65.6m. Following completion, no interest was retained in the entity, and no contingent consideration was recognised. The disposal resulted in an overall gain of £9.8m, recognised within Individually Significant Items (see Note 4 for further details).
The assets and liabilities included as part of the disposal were as follows:
| 2025 £m | |
|---|---|
| Attributable goodwill | (52.1) |
| Intangible fixed assets | (0.1) |
| Tangible fixed assets | (1.0) |
| Right-of-use assets | (0.6) |
| Inventories | (0.5) |
| Trade and other receivables | (6.2) |
| Contract assets | (2.2) |
| Cash and cash equivalents | (4.2) |
| Trade and other payables | 2.7 |
| Deferred revenue | 2.8 |
| Lease liabilities | 0.6 |
| Provisions | 0.6 |
| Cumulative currency translation adjustment | 7.9 |
| Net assets disposed of | (52.3) |
| Total consideration | 65.6 |
| Transaction costs incurred in the year ended 30 September 2025 | (2.0) |
| Gain on disposal – recognised as an Individually Significant Item (Note 4) | 11.3 |
| Transaction costs incurred during the 16 month period ended 30 September 2024 | (1.5) |
| Total transaction costs | (3.5) |
| Overall gain on disposal (Note 4) | 9.8 |
| Satisfied by: | |
|---|---|
| Cash and cash equivalents | 65.6 |
| Total consideration | 65.6 |
As part of the disposal, £7.9m of foreign currency translation reserve relating to Fox Crypto was reclassified from equity to the Income Statement and recognised within the gain on disposal. The net cash inflow on disposal was £61.4m, comprising gross consideration of £65.6m less £4.2m of cash disposed of on completion. A gain on disposal of £11.3m has been recognised within ISIs in the year ended 30 September 2025. An additional £1.5m of related transaction costs were recognised in ISIs in the 16 month period ended 30 September 2024, bringing the total gain on disposal to £9.8m. Overall, total transaction costs total £3.5m, including the £2.0m incurred in the year ended 30 September 2025. Since completion of the deal, £0.1m of income has been earned under a six month transactional services agreement (TSA); this brings the overall gain on disposal recognised in relation to the disposal of Fox Crypto within FY25’s ISIs to £11.4m. Please refer to Note 4.
On 30 April 2024, the Group completed the disposal of its DetACT business for a total cash consideration of £8.2m. The assets and liabilities included as part of the disposal were as follows:
| 2024 £m | |
|---|---|
| Attributable goodwill | (5.9) |
| Intangible fixed assets | (1.4) |
| Trade and other receivables | (1.5) |
| Trade and other payables | 0.1 |
| Deferred revenue | 2.8 |
| Deferred tax liability | 0.3 |
| Net assets disposed of | (5.6) |
| Consideration | 8.2 |
| Transaction costs | (1.0) |
| Gain on disposal – recognised as an Individually Significant Item (Note 4) | 1.6 |
| Satisfied by: | |
|---|---|
| Cash and cash equivalents | 8.2 |
| Total consideration | 8.2 |
The subsidiary undertakings listed below are exempt from the Companies Act 2006 requirements relating to the audit of their individual accounts by virtue of section 479A of the Act as this Company has guaranteed the subsidiary company under section 479C of the Act.
| Company name | Company registration no. |
|---|---|
| NCC Group Software Resilience (MEA-APAC) Limited | 13295784 |
| ArmstrongAdams Limited | 04270584 |
| NCC Group Software Resilience Limited | 13247183 |
| NCC Group Software Resilience (UK) Limited | 13298310 |
| NCC Group Accumuli Security Limited | 03203561 |
| NCC Group Audit Limited | 04323323 |
| NCC Group Corporate Limited | 13247138 |
| NCC Group Cyber Security limited | 13287219 |
| NCC Group Cyber Security (APAC) Limited | 13294684 |
| NCC Group Holdings Limited | 13325653 |
| NCC Group Signify Solutions Limited | 03915262 |
| NCC Group (Solutions) Limited | 03742757 |
| Payment Software Company Limited | 10059024 |
| NCC Group Finance Limited | 13350193 |
| NCC Group Escrow Limited | 03081952 |
| The National Computing Centre Limited | 04225835 |
| NCC Group Cyber Security (UK) Limited | 13294277 |
The Directors acknowledge their responsibility for complying with the requirements of the Companies Act 2006 with respect to accounting records and preparation of accounts.
The consolidated Financial Statements include Alternative Performance Measures (APMs) alongside statutory measures. APMs used by the Group are not defined under IFRS and may not be comparable to similarly titled measures reported by other companies. They are not intended to replace or be superior to Generally Accepted Accounting Practice (GAAP) measures. All APMs relate to the current year’s results and, where provided, comparative periods. This presentation is consistent with how management measures financial performance and reports to the Board. It also forms the basis for financial measures used in senior management’s compensation schemes and provides supplementary information to help users understand the Group’s financial performance, position and trends. At all times, the Group aims to ensure that the Annual Report and Accounts gives a fair, balanced and understandable view of the Group’s performance, cash flows and financial position. IAS 1 ‘Presentation of Financial Statements’ requires the separate presentation of items that are material in nature or scale in order to allow the user of the Financial Statements to understand underlying business performance. We believe these APMs provide readers with important additional information on our business, and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can differ significantly from the APMs and may be assessed differently by the reader we encourage you to consider these figures together with statutory reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related APMs may exclude recurring business transactions (e.g. acquisition related costs) that impact financial performance and cash flows.
The Group continues to internally manage its performance at an Adjusted operating profit level (before Individually Significant Items), which management believes represents the underlying trading of the business. This information is still disclosed as an APM within this Annual Report. This APM is reconciled to statutory operating profit, together with the consequently Adjusted basic EPS (before Individually Significant Items and the tax effect thereon) to statutory basic EPS. Please see page 54 of the Financial Review section.
The Group has the following APMs/non-statutory measures:
| APM | Closest equivalent IFRS measure | Adjustments to reconcile to IFRS measure | Definition, purpose and considerations made by the Directors ### Satisfied by:
| Cash and cash equivalents | 65.6 |
|---|---|
| Total consideration | 65.6 |
As part of the disposal, £7.9m of foreign currency translation reserve relating to Fox Crypto was reclassified from equity to the Income Statement and recognised within the gain on disposal. The net cash inflow on disposal was £61.4m, comprising gross consideration of £65.6m less £4.2m of cash disposed of on completion. A gain on disposal of £11.3m has been recognised within ISIs in the year ended 30 September 2025. An additional £1.5m of related transaction costs were recognised in ISIs in the 16 month period ended 30 September 2024, bringing the total gain on disposal to £9.8m. Overall, total transaction costs total £3.5m, including the £2.0m incurred in the year ended 30 September 2025. Since completion of the deal, £0.1m of income has been earned under a six month transactional services agreement (TSA); this brings the overall gain on disposal recognised in relation to the disposal of Fox Crypto within FY25’s ISIs to £11.4m. Please refer to Note 4.
On 30 April 2024, the Group completed the disposal of its DetACT business for a total cash consideration of £8.2m. The assets and liabilities included as part of the disposal were as follows:
| 2024 £m | |
|---|---|
| Attributable goodwill | (5.9) |
| Intangible fixed assets | (1.4) |
| Trade and other receivables | (1.5) |
| Trade and other payables | 0.1 |
| Deferred revenue | 2.8 |
| Deferred tax liability | 0.3 |
| Net assets disposed of | (5.6) |
| Consideration | 8.2 |
| Transaction costs | (1.0) |
| Gain on disposal – recognised as an Individually Significant Item (Note 4) | 1.6 |
| Satisfied by: | |
|---|---|
| Cash and cash equivalents | 8.2 |
| Total consideration | 8.2 |
The subsidiary undertakings listed below are exempt from the Companies Act 2006 requirements relating to the audit of their individual accounts by virtue of section 479A of the Act as this Company has guaranteed the subsidiary company under section 479C of the Act.
| Company name | Company registration no. |
|---|---|
| NCC Group Software Resilience (MEA-APAC) Limited | 13295784 |
| ArmstrongAdams Limited | 04270584 |
| NCC Group Software Resilience Limited | 13247183 |
| NCC Group Software Resilience (UK) Limited | 13298310 |
| NCC Group Accumuli Security Limited | 03203561 |
| NCC Group Audit Limited | 04323323 |
| NCC Group Corporate Limited | 13247138 |
| NCC Group Cyber Security limited | 13287219 |
| NCC Group Cyber Security (APAC) Limited | 13294684 |
| NCC Group Holdings Limited | 13325653 |
| NCC Group Signify Solutions Limited | 03915262 |
| NCC Group (Solutions) Limited | 03742757 |
| Payment Software Company Limited | 10059024 |
| NCC Group Finance Limited | 13350193 |
| NCC Group Escrow Limited | 03081952 |
| The National Computing Centre Limited | 04225835 |
| NCC Group Cyber Security (UK) Limited | 13294277 |
The Directors acknowledge their responsibility for complying with the requirements of the Companies Act 2006 with respect to accounting records and preparation of accounts.
The consolidated Financial Statements include Alternative Performance Measures (APMs) alongside statutory measures. APMs used by the Group are not defined under IFRS and may not be comparable to similarly titled measures reported by other companies. They are not intended to replace or be superior to Generally Accepted Accounting Practice (GAAP) measures. All APMs relate to the current year’s results and, where provided, comparative periods. This presentation is consistent with how management measures financial performance and reports to the Board. It also forms the basis for financial measures used in senior management’s compensation schemes and provides supplementary information to help users understand the Group’s financial performance, position and trends. At all times, the Group aims to ensure that the Annual Report and Accounts gives a fair, balanced and understandable view of the Group’s performance, cash flows and financial position. IAS 1 ‘Presentation of Financial Statements’ requires the separate presentation of items that are material in nature or scale in order to allow the user of the Financial Statements to understand underlying business performance. We believe these APMs provide readers with important additional information on our business, and this information is relevant for use by investors, securities analysts and other interested parties as supplemental measures of future potential performance. However, since statutory measures can differ significantly from the APMs and may be assessed differently by the reader we encourage you to consider these figures together with statutory reporting measures noted. Specifically, we would note that APMs may not be comparable across different companies and that certain profit related APMs may exclude recurring business transactions (e.g. acquisition related costs) that impact financial performance and cash flows.
The Group continues to internally manage its performance at an Adjusted operating profit level (before Individually Significant Items), which management believes represents the underlying trading of the business. This information is still disclosed as an APM within this Annual Report. This APM is reconciled to statutory operating profit, together with the consequently Adjusted basic EPS (before Individually Significant Items and the tax effect thereon) to statutory basic EPS. Please see page 54 of the Financial Review section.
The Group has the following APMs/non-statutory measures:
| APM | Closest equivalent IFRS measure | Adjustments to reconcile to IFRS measure | Definition, purpose and considerations made by the Directors
| Income Statement measures: Constant currency revenue growth rates | Revenue growth rates at actual rates of currency exchange | Retranslation of comparative numbers at current period exchange rates to provide constant currency | The Group reports certain geographic regions and service capabilities on a constant currency basis to reflect the underlying performance considering constant foreign exchange rates year on year. This involves retranslating comparative numbers at current period rates for comparability to enable a growth factor to be calculated. |
| Adjusted operating profit | Operating profit or loss | Operating profit or loss before Individually Significant Items | Represents operating profit before Individually Significant Items. This measure is to allow the user to understand the Group’s underlying financial performance as measured by management. Individually Significant Items are items that are considered unusual by nature or scale and are of such significance that separate disclosure is relevant to understanding the Group’s financial performance and therefore requires separate presentation in the Financial Statements in order to fairly present the financial performance of the Group. |
| Adjusted profit for the period | Profit or loss for the period | Profit or loss for the period before Individually Significant Items and associated tax effects and adjusted tax items | Represents profit or loss for the period before Individually Significant Items and their associated tax effect and adjusted taxitems. This measure is to allow the user to calculate the Group’s Adjusted earnings per share. |
| Adjusted earnings before interest, tax, depreciation and amortisation (Adjusted EBITDA) | Operating profit or loss | Operating profit or loss before ISIs, depreciation and amortisation, finance costs and taxation | Represents operating profit before the Group’s one adjusting item (ISIs), depreciation and amortisation to assist in the understanding of the Group’s performance. |# Appendix 1 – Alternative Performance Measures (APMs) and adjusting items continued
| Other terms | Definition and usage |
|---|---|
| Code | Guidance, issued by the Financial Reporting Council in 2016 and updated in 2018, on how companies should be governed, applicable to UK listed companies including NCC Group plc. |
| Adjusted | Any result described as adjusted excludes the impact of Individually Significant Items, and any tax on any of these items. |
| Adjusted profit for the period | Adjusted earnings are defined as statutory earnings before Individually Significant Items, net of the tax effect of these items. |
| Adjusted operating profit margin 1 | Calculated as Adjusted operating profit divided by revenue. |
| AGM | Annual General Meeting of shareholders of the Company held each year to consider ordinary and special business as provided in the Notice of AGM. |
| Alternative Performance Measure (APM) | An Alternative Performance Measure (which is denoted in each case or use thereof by a footnote) is a non-GAAP performance metric used by management either internally or externally to present management’s view of the underlying business performance. They are not superior to GAAP-based measures and are simply an alternative way of looking at performance. See Appendix 1 for further information over the Group’s APMs. |
| Board | The Board of Directors of the Company (for more information see pages 62 and 63). |
| Cash conversion ratio 1 | Calculated as cash generated from operating activities before interest and taxation divided by Adjusted EBITDA 1 , expressed as a percentage. |
| CDO | Cyber Defence Operations. |
| CEO | Chief Executive Officer. |
| CFO | Chief Financial Officer. |
| CISO | Chief Information Security Officer. |
| Company, Group, NCC, we, our or us | We use these terms, depending on the context, to refer to either NCC Group plc, the individual Company, or to NCC Group plc and its subsidiaries collectively. |
| CPO | Chief People Officer. |
| CTO | Chief Technology Officer. |
| Directors, Executive Directors and Non-Executive Directors | The Directors/Executive Directors and Non-Executive Directors of the Company whose names are set out on pages 62 and 63 of this report. |
| EBIT | Earnings before interest and tax. |
| EBIT margin % | EBIT margin % is calculated as follows: Adjusted EBIT divided by revenue. |
| EBITDA | Earnings before interest, tax, depreciation and amortisation. Calculated as operating profit before Individually Significant Items and adding back depreciation and amortisation charged. |
| EBITDA margin % | EBITDA divided by revenue. |
| EPS | Earnings per share. Profit for the period attributable to equity shareholders of the Parent allocated to each ordinary share. |
| FCA | Financial Conduct Authority. |
| Financial year | For NCC Group, following the change in year end in the prior period, this is an accounting period ending on 30 September. |
| FRC | Financial Reporting Council. |
| Free cash flow | Net cash from operating activities less net capital expenditure and acquisition costs. |
| FRS | A UK Financial Reporting Standard as issued by the UK Financial Reporting Council (FRC). |
| FVLCTS | Fair value less costs to sell. |
| Gross profit | Gross profit is revenue less direct costs of sale. It excludes costs considered to be overheads that are supporting the business as a whole as opposed to a specific revenue item. |
| Gross margin % (GM %) | Calculated as gross profit divided by revenue from continuing activities. |
| HMRC | His Majesty’s Revenue & Customs, the tax collecting authority of the UK. |
| IAS or IFRS | An International Accounting Standard or International Financial Reporting Standard, as issued by the International Accounting Standards Board (IASB). IFRS is also used as the term to describe international generally accepted accounting principles as a whole. |
| Individually Significant Items | Items that the Directors consider to be material in nature, scale or frequency of occurrence that need to be excluded when calculating some non-statutory performance measures in order to allow users of the Financial Statements to gain a full understanding of the underlying business performance. See Note 4 for further information. |
| PricewaterhouseCoopers (PwC) | The Company’s external auditor, PwC LLP. |
| LTIP | Long Term Incentive Plan established to align the interests of senior and executive management with those of shareholders. The plan is formally known as the NCC Group Long Term Incentive Plan 2013 (approved by shareholders in 2013). |
| MD | Managing Director. |
| MDR | Managed Detection and Response. |
| Net debt 1 | Total borrowings offset by cash and cash equivalents. |
| Ordinary shares | Voting shares entitling the holder to part ownership of a company. |
| SAYE/Sharesave | Save As You Earn, being a tax efficient scheme to encourage colleague share ownership. |
| Escode | Escode represents our escrow resilience services. |
| Subsidiary | A company or other entity that is controlled by NCC Group. |
| TSC | Technical Security Consulting. |
| TSR | Total shareholder return, which is share price growth plus dividends reinvested (where applicable) over a specified period of time, divided by the share price at the start of the period. |
1 Revenue at constant currency, Adjusted EBITDA and net debt excluding lease liabilities are Alternative Performance Measures (APMs) and not IFRS measures. See Appendix 1 for an explanation of APMs and adjusting items, including a reconciliation to statutory information.
| Other terms | Definition and usage |
|---|---|
| Adjusted EBITDA | Is disclosed as this is a measure widely used by various stakeholders and used by the Group to measure the cash conversion ratio. |
| Adjusted basic EPS | Statutory basic EPS before Individually Significant Items and their associated tax effect and adjusted tax items Represents basic EPS before Individually Significant Items and their associated tax effect and adjusted tax items. This measure is to allow the user to understand the Group’s underlying financial performance as measured by management, reported to the Board and used as a financial measure in senior management’s compensation schemes. |
| Balance Sheet measures: Net cash/debt excluding lease liabilities | Total borrowings (excluding lease liabilities) offset by cash and cash equivalents Represents total borrowings (excluding lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group Balance Sheet position, overall net indebtedness and gearing on a like-for-like basis. Net cash/debt, when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions. |
| Net cash/debt | Total borrowings (including lease liabilities) offset by cash and cash equivalents Represents total borrowings (including lease liabilities) offset by cash and cash equivalents. It is a useful measure of the progress in generating cash, strengthening of the Group’s Balance Sheet position, overall net indebtedness and gearing including lease liabilities. Net cash/debt, when compared to available borrowing facilities, also gives an indication of available financial resources to fund potential future business investment decisions and/or potential acquisitions. |
| Cash flow measures: Cash conversion ratio | Ratio % of net cash flow from operating activities before interest and tax divided by operating profit Ratio % of net cash flow from operating activities before interest and tax divided by Adjusted EBITDA The cash conversion ratio is a measure of how effectively operating profit is converted into cash and effectively highlights both non-cash accounting items within operating profit and also movements in working capital. It is calculated as net cash flow from operating activities before interest and taxation (as disclosed on the face of the Cash Flow Statement) divided by Adjusted EBITDA. The cash conversion ratio is a measure widely used by various stakeholders and hence is disclosed to show the quality of cash generation and also to allow comparison to other similar companies. |
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 157
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 158
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 159
Chris Stone – Non-Executive Chair
Mike Maddison – Chief Executive Officer
Guy Ellis – Chief Financial Officer
Julie Chakraverty – Senior Independent Non-Executive Director
Jennifer Duvalier – Independent Non-Executive Director
Mike Ettling – Independent Non-Executive Director
Lynn Fordham – Independent Non-Executive Director
Jonathan Williams
XYZ Building
2 Hardman Boulevard
Spinningfields
Manchester
England
M3 3AQ
04627044
Registered in England and Wales
Investec Bank plc
30 Gresham Street
London
EC2V 7QP
Peel Hunt LLP
Moor House
120 London Wall
London
EC2Y 5ET
PricewaterhouseCoopers LLP
1 Hardman Square
Manchester
M3 3EB
DLA Piper UK LLP
1 St Peter’s Square
Manchester
M2 3DE
Equiniti
Aspect House
Spencer Road
Lancing
West Sussex
BN99 6DA
HSBC UK Bank plc
2nd Floor
4 Hardman Square
Spinningfields
Manchester
M3 3EB
National Westminster Bank plc
1 Hardman Boulevard
Manchester
M3 3AQ
Barclays Bank plc
1 Churchill Place
London
E14 5HP
Santander UK plc
2 Triton Square
Regent’s Place
London
NW1 3AN
NCC Group plc — Annual report and accounts for the year ended 30 September 2025 161
AGM
3# NCC Group plc — Annual report and accounts for the year ended 30 September 2025
162 Produced by Design Portfolio www.design-portfolio.co.uk
NCC Group plc’s commitment to environmental issues is reflected in this Annual Report, which has been printed on Amadeus, an FSC ® certified material. This document was printed by Pureprint Group using its environmental print technology, with 99% of dry waste diverted from landfill, minimising the impact of printing on the environment. The printer is a CarbonNeutral ® company. Both the printer and the paper mill are registered to ISO 14001.
March 2026 Ex-dividend date
12 March 2026 Record date
13 March 2026 2026 half-year end
31 March 2026 Dividend payment date
10 April 2026 2026 interim statement
June 2026 2026 year end
30 September 2026 2026 preliminary year end statement
December 2026
These dates are provisional and may be subject to change.
Building tools?
Free accounts include 100 API calls/year for testing.
Have a question? We'll get back to you promptly.