Unlocking our potential

NCC Group is a people-powered, tech‑enabled global Cyber Security and software escrow business.

We harness our collective insight, intelligence and innovation to power end-to-end cyber services that protect our clients from cyber threat.

A global delivery engine as a differentiated and scalable service for clients around the world

Find out more:

A single technology stack and the opportunity to leverage our scalable full‑circle cyber services

Find out more:

A network of partners and strategic alliances to optimise solutions for clients

Find out more:

p12

In this report

Strategic report

1 Highlights for the year ended 30 September 2025
2 At a glance
4 Chair's statement
6 CEO's review
8 Our business model
10 Market outlook
12 Our strategy
14 Stakeholder engagement
16 Sustainability
29 Risk management
38 Viability statement
40 Financial review

Governance

58 Chair's introduction to governance
61 Governance framework
62 Board of Directors
64 Board composition and division of responsibilities
70 Shareholder engagement
71 Audit Committee report
77 Nomination Committee report
79 Cyber Security Committee report
81 Remuneration Committee report
94 Directors' report
98 Directors' responsibilities statement

Audited consolidated financial statements

99 Independent auditors' report
104 Consolidated income statement
104 Consolidated statement of comprehensive income
105 Consolidated balance sheet
106 Consolidated cash flow statement
107 Consolidated statement of changes in equity
108 Company balance sheet
109 Company statement of changes in equity
110 Notes to the Financial Statements

Additional information

157 Appendix 1
159 Glossary of terms other terms
161 Other information
162 Financial calendar

Highlights for the year ended 30 September 2025

IFRS measures1

Revenue (£m)

£305.4m

Profit/(loss) before taxation (£m)

£20.6m

Basic EPS (p)

5.6p

Alternative Performance Measures

Net cash/(debt) excluding lease liabilities³ (£m)

£13.1m

Adjusted operating profit (£m)

£23.7m

Adjusted EPS3 (p)

4.7p

Highlights

Group revenue on a constant currency basis³ (excluding non-core disposals² ) has declined by 2.6% to £293.9m with Escode experiencing growth of 2.2% to £66.5m, offset by a Cyber Security decline of 4.0% to £227.4m.
Revenue performance in H2 2025 on a constant currency basis¹ (excluding non-core disposals2 ) for both Escode and Cyber Security improved from the position in H1 2025, with Escode H2 2025 growth of 2.5% vs H2 2024 compared to H1 2025 growth of 1.8% vs H1 2024, and Cyber Security H2 2025 decline of 1.6% vs H2 2024 compared to H1 2025 6.3% decline vs H1 2024. Escode has now delivered 12 consecutive quarters of year-on-year revenue growth and Cyber Security has returned to growth in Q4 FY25 providing momentum into FY26.
Gross margins (excluding non-core disposals2 ) year on year have improved to 44.5% from 43.9% as the Group maintained operational discipline, with Escode gross margin improving by 2.6% pts at 71.4% and Cyber Security declining slightly by 0.4% pts to 36.6%.
The Group reported Adjusted EBITDA³ (excluding non-core disposals² ) of £40.6m, down from £42.1m in the 12 months to 30 September 2024, in line with Board's expectations (down from £51.6m for the 16 month period ending 30 September 2024 (including non-core disposals2 )).
Profit before taxation grew to £20.6m from a loss of £17.8m in the year ended 30 September 2024, as a result of a reduction in non-core disposals² trading (£4.7m), underlying reduction in Adjusted EBITDA trading performance (£1.5m), a one-off profit (£11.4m in H1 2025) from the sale of our Fox Crypto business for a total consideration of £65.6m completed in March 2025, a reduction in other Individually Significant Items (£29.5m), excluding the £11.4m profit on disposal of Fox Crypto, reduction in depreciation and amortisation (£2.2m) and finance costs (£1.3m).
The disposal of Fox Crypto in March 2025 was part of the strategic plan to simplify our business and focus on creating a pure play cyber service proposition for clients. It has also helped us transform our Balance Sheet to eliminate Group borrowings, with net cash of £13.1m at 30 September 2025 compared to net debt of £45.3m on 30 September 2024. In conjunction with our successful refinancing in April 2025 to a new four year, £120m multi-currency revolving credit facility (RCF) and an uncommitted £50m accordion option, this supports strategic options for a recently announced share buy-back programme and value enhancing M&A opportunities.
As announced on 28 April 2025, the Group confirmed that it was investigating several options for its Escode business, including a potential sale ('Escode review'). If a transaction were to be successfully concluded it would enable the Group to consider a significant return of capital to shareholders over and above the recently announced share buy-back programme. The Board will provide updates as and when appropriate.
Further to the announcement on 16 July 2025, the Board confirms the process to review all options for the Group's Cyber Security business also continues and is independent from both the process and outcome of the Escode review. Our focus remains on operational excellence and continuing our transformation journey as we ensure the operating model is aligned to support our clients and the underlying Cyber Security strategy.
The Board is proposing an unchanged final dividend of 3.15p per ordinary share, marking 20 consecutive years of dividend payments for shareholders.
The Board anticipates that revenue (including recent non-core disposals2 ) for the year ended 30 September 2026 is expected to grow marginally, with Escode and Cyber Security experiencing low single-digit growth as pipeline continues to build. FY26 Group Adjusted EBITDA¹ (after the adjustment for non-core disposals2 ) is expected to be in line with Board expectations – growing faster than revenue and the Board remains confident in delivering the Group's medium-term financial goals as it continues to improve operational discipline and transform our cyber security engine.

¹ The statutory results for the audited year (and the audited prior period of 16 Months to 30 September 2024) present the Group's Escode business as discontinued operations. Therefore, the tables below show the Group's continuing operations results, with Escode added back to ensure full comparability of the Group's performance.

² Non-core disposals refer to the disposals of Fox-IT Crypto and Fox DetACT. The disposal of Fox-IT Crypto and Fox DetACT completed on 28 March 2025 and 30 April 2024 respectively.

³ Revenue at constant currency, Adjusted EBITDA, Adjusted operating profit, Adjusted basic EPS, net cash/(debt) excluding lease liabilities and cash conversion are Alternative Performance Measures (APMs) and not IFRS measures. See unaudited Appendix 1 and this Financial Review for an explanation of APMs and adjusting items, including a reconciliation to statutory information.

We are NCC Group plc

What we do

Founded in 1999, we are a global leader in cyber security and business resilience. Our colleagues are relied upon by the world's leading companies and governments to help them manage risk, strengthen resilience and build lasting trust.

Against a backdrop of continued, fast-paced technological change and increasing interconnectedness, we help companies to manage risk and face into the future with confidence.

NCC Group has two main divisions: a people-powered, tech-enabled Cyber Security company (nccgroup.com), and a market-leading IP and software escrow business, Escode (escode.com). Working together with our clients, we create a more secure digital future.

Cyber Security

Protecting today. Shaping tomorrow. Creating a more secure digital future.

NCC Group is a leading global Cyber Security and resilience company, trusted for over 25 years by leading businesses and governments.

With roots in offensive security and defence, and a heritage built on research and threat intelligence, we uncover thousands of risks each year, bringing deep insight into vulnerabilities, attack patterns and adversary behaviours.

With significant market presence in the UK, Europe, North America and Asia Pacific we deliver full-spectrum cyber resilience to governments and businesses to protect what matters most – the cars we drive, the energy in our homes, and the phones in our pockets, and critical infrastructures worldwide. We build resilience and deliver impactful, forward‑thinking solutions that help create a safer digital future.

For more information visit our Cyber Security website: nccgroup.com

Leaders in regulatory and complex testing

Digital Forensics and Incident Response

Managed Security including MXDR

Consultancy and Implementation

Escode

We give organisations the legal right and practical means to access, rebuild, and maintain business-critical software and intellectual property when a supplier is no longer able to support it.

Our independent escrow and verification services support organisations in four key ways:

Resilience for organisations when software suppliers falter, code shows weaknesses or disruption strikes
Confidence that continuity and compliance are built into both on-premise and cloud solutions
Secure storage and long-term access to essential software and data
Technical assurance that the materials held in escrow can be successfully rebuilt and function as intended when it matters most
For more information visit our Escode website: escode.com

Escrow agreements for both cloud and on-premise

Testing and verification services

Where we operate

We operate as one global business, with in-country delivery tailored to local needs and cultures, as well as a global delivery team to respond quickly to our clients' challenges.

Group revenues

UK and Asia Pacific

£163.8m

(20241: £209.8m)

North America

£89.6m

(20241: £136.2m)

Europe

£52.0m

(20241: £83.5m)

Cyber Security revenue

£238.9m

(20241: £342.1m)

Technical Assurance Services (TAS): £88.4m (2024¹: £141.4m)
Consulting and Implementation (C&I): £48.5m (20241: £55.2m)
Managed Services (MS): £76.4m (20241: £91.8m)
Digital Forensics and Incident Response (DFIR): £13.1m (2024¹: £20.6m)
Other services: £12.5m (2024¹: £33.1m)

Escode revenue

£66.5m

(20241: £87.4m)

Escrow contracts: £43.0m (20241: £57.2m)
Verification services: £23.5m (20241: £30.2m)

^{1 2024} represents the 16 month period ended 30 September 2024 (audited)

Unlocking our potential

When I reflect on the past year at NCC Group, I am reminded that progress is rarely linear. It is shaped by the challenges we face, the decisions we make, and – most importantly – the people who come together to move us forward. This year has been a testament to the resilience, adaptability and shared purpose that defines our Group. And I want to begin by expressing my heartfelt thanks to every colleague, client and shareholder, as well as our partners, who continue to be a part of our journey.

Chris Stone Non-Executive Chair

Navigating change with purpose

We continue to make bold decisions as we navigate the changing landscape all businesses are operating in. I'm proud of the way the management team and the wider Group embrace these as opportunities to continue to grow and strengthen the overall business.

In March 2025, we completed the sale of the Fox-IT Crypto business for a gross consideration of £65.6m, a milestone that not only reflects our commitment to simplifying the Group's proposition, deriving great value to our shareholders and reducing net debt, but also our willingness to evolve in a rapidly shifting digital landscape.

And this commitment continued as we announced in April 2025 that we were exploring a range of strategic options for our Escode business, including a potential sale (Escode review). The decision is one that was not taken lightly by the Board. The Board will provide updates as and when it is practicable and appropriate to do so.

If a sale of Escode were to be successfully concluded, the Group would become a focused, people-powered, tech-enabled global Cyber Security business. It would also enable the Board to consider a significant return of capital to shareholders over and above the recently announced initial share buy-back programme.

As a result of this decision, we announced in July 2025 that we had started to explore options for our Cyber business should the Escode sale proceed. This was about looking ahead and anticipating what our people, our clients and shareholders will need in years to come, and we believe it is right that we keep all options open.

Deepening relationships and building trust

In May we hosted a unique experience for shareholders, analysts and partners, demonstrating our ongoing commitment to transparency and engagement. Guests were invited to step into our world and experience first-hand decisions that management teams must make in response to cyber threats. It was a powerful reminder of the trust our clients place in us, and of course the expertise and dedication that runs through every part of our business.

These moments of connection, where we open our doors and share our story, are vital. They build understanding, foster trust and remind us all of the critical role NCC Group plays in keeping our digital world safer and more secure.

I'm proud that we've continued to strengthen our relationships with clients, focusing on strategic partnerships that go beyond transactions, which you'll see from Mike's review on pages 6 and 7. Our teams work tirelessly to understand the evolving needs of our clients, offering not just technical solutions but genuine partnership and support. In a world where digital risks are ever-present, our role as a trusted advisor has never been more important.

Our people: the heart of NCC Group

If there is one thing that stands out year after year, it is the extraordinary commitment and talent of our people. The pace of change has been relentless, and yet our colleagues have responded with professionalism and creativity, focused on our client's needs. Whether adapting to new ways of working, supporting clients through complex challenges, or driving innovation from within, our teams have shown what is possible when we pull together.

Our investment in people is matched by our commitment to sustainability and responsible business. As we nurture talent and foster a positive culture, we also strive to make a meaningful impact on the environment and society. Our Manila operations have gone from strength to strength, bringing new perspectives and capabilities to our global front and back-office teams. I am proud of the progress we have made, but even more excited about what lies ahead.

Identity at the core: Strengthening cyber resilience with end-to-end access governance and expertise

Poorly maintained access control processes are among the leading causes of cyber breaches and regulatory non-compliance. Up to 80% of security incidents involve compromised credentials and insufficient safeguards, giving attackers the keys to infiltrate networks, steal sensitive data, and disrupt operations. The cost? Millions in lost revenue, reputational damage, regulatory penalties, and recovery downtime.

AI and autonomous agents amplify identity risks by increasing access across systems, making an already complex task even more challenging. We help our clients manage every aspect of Identity and Access Management (IDAM), ensuring human and non-human accounts are governed, monitored, secured, and maintained across the entire lifecycle. With NCC Group's expertise and strategic partnerships, you gain resilience, confidence, and continuity so you can focus on what matters most: running your business securely.

Commitment to sustainability and responsible business

This year, we took significant steps forward on our climate action agenda, responding to changing requirements and also client requests. We published our Carbon Reduction Plan, developed in partnership with Positive Planet, which sets out our path to net zero and commits us to ambitious, science-based targets. We are on track to achieve SBTi verification by March 2026 and will update our plan to reflect our progress. Our partnership with Positive Planet led to the creation of a bespoke Carbon Literacy Training programme, and I am delighted that my fellow Board member Lynn Fordham was among the first to achieve certification.

We are now working towards verification of our science-based targets, a further demonstration of our commitment to collaborating with other businesses to reduce our impact on the environment and will update the Carbon Reduction Plan in early 2026.

This holistic approach to sustainability is reflected in our governance practices. The Board remains focused on upholding the highest standards and ensuring that our values are embedded in every decision we make, and you can read more about our progress on this from page 58.

Governance and Board Leadership

The Board has played an active and engaged role, providing challenge, support and guidance as we continue to navigate this critical time for the Group. We are committed to upholding the highest standards of governance, ensuring that our decisions are grounded in integrity, transparency and a long-term perspective. Our focus has been on supporting the management team, overseeing strategic reviews and ensuring that the interests of all stakeholders are represented.

We have also continued to review and strengthen our governance practices, learning from best practice and adapting to the evolving needs of our business. This includes ongoing engagement with our shareholders, listening to their views and incorporating their feedback into our decision making.

Looking to the future

With strong foundations in place – strategic clarity, stakeholder trust, empowered people and robust governance – we are well positioned to embrace the future with confidence. We are continuing to build strategic client relationships, scan the market for smart acquisition opportunities and focus on operational efficiencies that will make us stronger and more agile. Our partnerships are deepening, our Manila office is flourishing and our global teams are united by a shared sense of purpose.

I am confident that we have the right people, the right strategy and the right values to succeed. Together, we are building a stronger, more resilient NCC Group – one that is ready to seize the opportunities of tomorrow.

Share buy-back programme

Reflecting the Board's continued confidence in the future prospects of the Group and the strength of the Balance Sheet, regardless of the outcome of the Escode review, we announced in October 2025 our intention to commence an initial share buy-back programme. This will be carried out utilising our current shareholder authority and in accordance with our capital allocation policy, and relevant legal and regulatory obligations. It was also noted that the initial share buy-back programme would not launch before 11 December 2025.

Dividends

During the year, total dividends of £19.0m were paid (2024: £14.5m), an increase due to the change in our year end and the additional dividend we gave for the four month period to 30 September 2024.

The Board is proposing an unchanged final dividend of 3.15p per ordinary share for the year ended 30 September 2025, as it remains mindful of the continued need to invest in the Group's strategy, marking 20 consecutive years of dividend payments for shareholders.

Our existing dividend policy will remain unchanged by any share buy-back programme noted above.

Closing thoughts

In closing, I want to thank everyone who has been part of our journey this year. To our colleagues: your dedication, creativity and resilience inspire me every day. To our clients: thank you for your trust and partnership. And to our shareholders: thank you for your continued support and belief in our vision.

We do not take any of these relationships for granted. As we move forward, we will continue to listen, learn and adapt – always with the goal of creating lasting value for all our stakeholders.

Chris Stone

Non-Executive Chair 11 December 2025

Strategic progress positions the Group for return to profitable growth

As we reflect on FY25, I want to begin by recognising the continued commitment and expertise of our colleagues across the globe. The work they do for clients is extraordinary and they have continued to demonstrate their resilience and adaptability navigating change and at times an uncertain economic environment. Our purpose – to create a safer digital future – remains at the heart of everything we do, and our progress this year is a testament to the strength of our people and the trust our clients place in us.

Mike Maddison Chief Executive Officer

Strategic progress and transformation

FY25 has been a year of disciplined execution against the strategy we originally established back in 2023 to transform and reshape the Group. We have made significant progress to simply the Group and built our two distinct businesses – Cyber Security, with Managed Services at the centre, and Escode, our software escrow service.

We have improved profitability, materially reduced and eliminated net debt, and repositioned the Group's portfolio around core, scalable activities. More timely and granular financial and operational information has strengthened decision making, however there is more work to do.

A major event this year was the successful sale of our Fox-IT Crypto business in March 2025 that strengthened our Balance Sheet, providing us with the financial flexibility to invest in growth, while removing the management distraction of a non-core business.

In April 2025, the Group confirmed that it was investigating several options for its Escode business, including a potential sale. The Board will provide updates as and when it is practicable and appropriate to do so.

Our investments in new capabilities such as Operational Technology and Digital Identity have allowed us to win further strategic projects during the year. Our global operating model, including our expanding office in Manila with exceptional cyber and operational talent, has

enabled us to scale, win more opportunities and serve clients more efficiently. We will continue to invest in our people, technology and strategic partnerships – underpinned by our leading intelligence, innovation and insight, we remain at the forefront of an evolving cyber threat landscape.

Market environment and client needs

As a B2B service provider, demand for many of our services reflects the macro-economic cycle and the confidence of our clients to invest. During the year this cycle and the geopolitical environment remained complex, particularly in the first half. We saw this reflected in cautious client behaviour, which naturally lengthen sales cycles. Despite these headwinds, demand for cyber resilience and regulatory assurance continues to grow, particularly in highly regulated sectors such as financial services, healthcare and businesses running critical infrastructure.

Our clients are increasingly seeking expert-led, end-to-end solutions that address the full spectrum of cyber risk – from Identity and Access Management to Operational Technology security and Managed Detection and Response. Our differentiated capabilities, global delivery and strategic alliances with leading technology partners position us strongly to meet these needs.

Financial performance

As expected, we saw Group revenue for FY25 decline by 2.6% on a constant currency basis (excluding non-core disposals), with Escode delivering growth on a constant currency basis of 2.2% and Cyber Security declining on a constant currency basis by 4.0% when compared to the previous 12 months. Importantly, as I reflect on all of this, half-to-half performance was markedly stronger with revenue performance improving in the second half, a reflection of the positive impact of our strategic focus and operational discipline together with the strong order book we indicated in our December 2024 results.

Gross margins (excluding non-core disposals) overall strengthened to 44.5% with Escode margin reaching 71.4% and Cyber Security broadly flat at 36.6%. Adjusted EBITDA (excluding non-core disposals) was in line with Board expectations and amounted to £40.6m when compared to the previous 12 months. Our Balance Sheet remains robust, with net cash of approximately £13m at year end, a marked improvement from the net debt of £79.6m as at 31 May 2023 and now providing a strong foundation for future investment and capital returns.

Sales and commercial execution

We continued to strengthen our business in FY25 with management action focused on strategic change to build the necessary technical capability in cyber and to strengthen our commercial organisation in both the Escode and Cyber Security businesses.

In Escode, we:

Reorganised our sales structure by industry verticals to deliver deeper sector expertise and create greater value for customers in finance, critical infrastructure, and commercial markets
Established a dedicated new customer acquisition team focused on ideal customer profiles within our priority growth sectors in the UK and US
Expanded our software verification offering to include fully independent builds of cloud-hosted solutions, ensuring greater reliability and trust
Broadened our regional presence with an extended market focus into the Middle East

In Cyber Security, we:

Invested in strategic sales capability
Enhanced client propositions with embedded technology
Put foundations in place for global account management to deepen relationships and unlock revenue opportunities
Have improved Management Information with our global sales operation
Have fully implemented global scheduling, timesheets and pricing tools
Have fully separated Fox DetACT and Fox Crypto

These actions are already delivering results, an improved sales pipeline visibility, deeper client engagement and a positive shift in revenue mix towards higher value, recurring contracts. We remain focused on further evolving our sales model to ensure stronger linkage between sales execution and service delivery, and to drive deeper penetration in our priority sectors globally: financial services, insurance, healthcare, industrials, and the public sector.

Operational highlights

Transformation: Continued progress in repositioning the Cyber Security business towards higher value, recurring revenue streams, supported by a single technology stack and scalable global delivery
Strategic partnerships: Recognition from key partners, including Splunk and Microsoft, underscores our reputation as a trusted advisor and innovator
Talent: Our ability to attract and develop top cyber talent remains a competitive advantage, supported by our academy and training programmes
Escode: The business continues to deliver consistent growth and profitability, with discussions regarding its future strategic direction ongoing
Public Research: Our leading technical expertise including Cryptography, Hardware and AI/ML Security was engaged by leading companies including Meta, Whatsapp and Google, to review and publish public reports into their emerging technology

Market trends and regulatory landscape

The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. Regulatory momentum has intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act, which came into force in December 2024 and the UK's AI Cyber Security Code of Practice will embed secure-by-design requirements up through the software supply chain, while NIS2, DORA and sector-specific requirements in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by similar requirements in the US, Australia and APAC, signalling a global consensus for higher standards.

Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group's recognised contribution to the UK government's AI and CRA initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services.

The worldwide shortage in qualified cyber security professionals is both widening and coming more acute. This structural gap is most evident in highly specialised skills, including advanced testing, Operational Technology, and Identity and Access Management disciplines. This is expected to drive outsourcing to third party Cyber Security services. Clients need around-the-clock expert coverage without inflating their cost base as a cost of employment and our global delivery hubs meet this need. Additionally, the strong reputation that we have among cyber professionals positions us to attract the best talent using our academy/ training ability to further expand and strengthen this talent base.

The combination of hybrid working and using personal devices at work has shifted the security perimeter from the edge of the Enterprise network to the individual user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2, the EU's updated cyber security directive and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations.

Lastly, the attack surface is expanding and becoming more complex, with cloud migrations accelerating, SaaS solution proliferation and AI adoption continuing, as well as early discussions ongoing regarding the potential implications of quantum computing. Each new platform expands the potential for malicious attacks and reinforces the need for security to be embedded earlier into development pipelines. Demand is therefore rising for secure-by-design assessments, supply chain software assurance and Managed Extended Detection and Response (MXDR) coverage that spans traditional IT, cloud and OT environments. The breadth of clients we serve across industries, geographies and IT and OT environments has allowed us to build unique IP to help clients secure this expanding attack surface.

Outlook

Looking ahead, we remain confident in our strategy and the mediumterm growth prospects for both businesses. While we expect the current challenging economic conditions to endure in the near term, our pipeline is building, and we anticipate a return to Cyber Security revenue growth in FY26 as our continued transformation delivers further benefits to both our competitive positioning and stakeholders.

On 28 April 2025, the Board confirmed that it was investigating a number of options for its Escode business including a potential sale (Escode review). We currently remain in that process and we will provide a further update in due course.

Further to a subsequent announcement on 16 July 2025, the Board confirms that the Group remains in the early stages of a review of all strategic options for its Cyber business should the Escode business be sold, this includes a range of potential outcomes including potential offers for the entire issued and to be issued share capital of the Company, and that no decision has been made regarding which options will be pursued. Our focus remains on operational excellence, innovation and supporting existing and new clients as they navigate an increasingly complex digital threat landscape.

In closing, I would like to thank our colleagues, clients and partners for their continued trust and support. Together, we are building a stronger, more resilient NCC Group, well positioned for sustainable growth and long-term success.

Mike Maddison Chief Executive Officer

11 December 2025

Transforming for global growth

For decades, we've developed thousands of cyber experts and explored emerging technologies. Now, as a global, client-focused business, we continue to evolve, delivering groundbreaking projects for leading companies and governments. Our collective expertise sits at the forefront of cyber resilience, shaping a more secure digital future.

Read more on market outlook on pages 10 and 11

Inputs

Sustainable growth strategy

In a fast-moving and complex environment, our strategy puts clients' needs first, with a roadmap of investments designed to develop future capabilities and a global delivery model to provide clients with the best solution.

People-powered, tech-enabled

We are a diverse global community of talented and creative individuals, working together and united by the same goal – to create a more secure digital future.

Culture of innovation

With our roots stretching back to the 1990s we have a track record of being at the cutting edge of innovation. NCC Group was created in 1999 when the National Computing Centre sold its commercial divisions to its existing management; from there we continued to grow through acquisitions. And while history is important, so is the future, with innovation, insights and intelligence the drivers of differentiation and woven into the DNA of who we are.

Stronger partner relationships

We are active members of the global cyber community, working in collaboration and in partnership with key industry players. Many successful global partnerships have delivered integrated, seamless solutions to clients.

Market-leading reputation

We're recognised by leading analysts for excelling in our understanding of CISO needs, building strong partnerships with clients and being called to solve complex problems.

Read more on our strategy on pages 12 and 13

Two distinct businesses

Cyber Security

As a leading global Cyber Security services company we are trusted to protect what matters most – the cars we drive, the energy in our homes, and the phones in our pockets, and critical infrastructures worldwide.

With roots in deep offensive security and defence and a heritage built on research and threat intelligence, we deliver full-spectrum cyber resilience to governments and businesses.

From tracking threat actors and uncovering vulnerabilities to responding to ransomware, we don't just defend, we are actively building a more secure digital future. Through our end-to-end cyber capabilities, we empower organisations to counter threats, manage disruption and navigate regulations with confidence.

Escode

We provide specialist escrow and verification solutions for business-critical IP, technology and software applications.

Our services help companies and government organisations manage supplier risk, sustain business continuity and give confidence that essential third party software can be accessed and redeployed when required. Our cloud services bring clarity to application management, making the transition to the cloud straightforward and controlled.

INSIGHT INTELLIGENCE INNOVATION

Value creation

Colleagues

Our people are leading the industry with innovative solutions protecting clients and society from growing cyber threats. As a people-powered, tech-enabled organisation, our talent strategy builds future-ready skills, strengthens leadership and fosters an inclusive culture of high performance, aligned with our business goals.

We're committed to helping every colleague thrive – through inclusive practices, targeted development and a focus on colleague experience – driving commercial success through empowered, engaged teams.

Read more on our sustainability strategy: nccgroupplc.com/sustainability

Clients

Our cyber security and software escrow solutions enable clients to confidently innovate and embrace new technologies, and build responsible, sustainable and resilient organisations that thrive and succeed.

Our network

We're the collaborators, the co‑ordinators, the conveners, and you will find us bringing together our global community to drive our industry forward and create a more secure digital future. We invest 1,100 days of research each year and engage proactively to ensure our insights and vision deliver the best societal outcomes, bringing partners together in support of our clients as well as policymakers and regulators to help shape future cyber policy.

Shareholders

We have a dedicated Investor Relations programme providing shareholders and financial analysts with regular updates on our performance. Engagement activities include results presentations, roadshows with the CEO and CFO, Capital Markets events, site visits, RNS and email updates.

Read more on stakeholder engagement on pages 14 and 15

Intensifying regulatory momentum versus a worldwide shortage of qualified talent

Global market trends, threats and opportunities

The environment in which NCC Group operates is shaped by a complex interplay of macro-economic, geopolitical and technological forces. We remain confident our transformation strategy will deliver growth underpinned by the range of services, geographic coverage, and breadth and depth of offering. Cautious client behaviour and the lengthening sales and onboarding cycles reported in December 2024 have impacted our first half results. This is also against a backdrop of macro-economic uncertainty, IT and security budgets being under scrutiny and competitive pricing.

We continue to see cyber resilience elevated as a core business risk agenda item to the C-suite as opposed to a purely IT consideration. Cyber continues to be elevated as a core business risk for boards, as opposed to just an IT consideration. This pivot is most evident in highly regulated verticals – financial services, healthcare, government and critical infrastructure – where regulatory scrutiny and heightened director liability is driving materially larger, multi-year security programmes. Within Operational Technology (OT) in particular, full risk reviews and resilience roadmaps are being commissioned as the potential business interruption cost of an OT outage becomes clearer. Our global delivery model ensures that these international operators can obtain expert support around the clock, irrespective of time zone or geography. Strategically, our global delivery engine is a differentiated and scalable service that enables us to be competitive.

Ransomware remains widespread and we have seen a marked uplift in AI-enabled phishing and double extortion campaigns, including the more recent high profile retail sector cases in the UK. This evolving threat landscape is leading organisations to favour Managed (Extended) Detection and Response (MDR/MXDR) solutions that provide continuous monitoring across endpoint, cloud, identity and OT telemetry. In addition, businesses are requesting OT-specific MDR to counter the increase in attacks against industrial control environments.

NCC Group named 'Strong Performer' in the 2025 Forrester assessment of European MDR providers: tinyurl.com/5n8rc9uc

Regulatory momentum intensified across all our core territories and key customer verticals. The EU Cyber Resilience Act and UK's software and AI security Codes of Practice will drive secure-by-design requirements up the supply chain, while NIS2, DORA and sector‑specific mandates in energy and transport expand the range of organisations that must evidence robust cyber controls and incident-reporting disciplines. These developments are complemented by comparable moves in the US and APAC, signalling a global consensus for higher standards.

Read our leading Global Cyber Policy Radar: tinyurl.com/522my5vc

Demand for strategic advisory and independent validation against these emerging frameworks is fuelling growth in our consulting and assurance work across OT environments and heavily regulated industries. NCC Group's recognised contribution to the UK government's cyber resilience initiatives underpins our reputation as a leading provider of regulatory advisory and assurance services.

The UK Government's Industrial Strategy calls out NCC Group as a company exporting world-leading cyber solutions: tinyurl.com/yefadasr

The worldwide shortfall in qualified cyber security professionals continues to become more acute. This structural gap is most evident in highly specialised skills, including advanced testing, OT and Identity and Access Management disciplines. This is expected to drive outsourcing to third party Cyber Security services. Clients are relying on our global delivery hubs to ensure around-the-clock expert coverage without inflating their cost base as a cost of employment. Additionally, the strong reputation that we have among cyber professionals positions us to attract talent more easily than our competitors, with our academy/training ability allowing us to further expand and strengthen this talent base.

Hybrid working and personal device policies have shifted the security perimeter from the edge of the Enterprise network to the user and their devices. Identity and Access Management and Zero-Trust architectures are consequently commanding a growing share of security budgets. This is further driven by requirements to demonstrate granular access controls under NIS2 and other critical infrastructure regulations. Our dedicated Digital Identity service is supporting clients through this transition, covering strategy, implementation and day-to-day identity operations.

OT/IT Cyber Safety Webinar series

Between December 2024 and February 2025, NCC Group's OT/IT Cyber Safety Webinar series explored the critical intersection of IT and OT cyber security convergence and the safety considerations in industrial environments, addressing the unique challenges and opportunities that arise when legacy operational technologies meet modern digital systems amid rising cyber threats.

Watch our YouTube video series here: tinyurl.com/4c6s96tm

Lastly, the attack surface is expanding, with cloud migrations accelerating, SaaS proliferation and AI adoption continuing, and early discussions ongoing regarding the implications of quantum computing. Each new platform expands the potential for malicious attacks and reinforces the need for security to be embedded earlier into development pipelines. Demand is therefore rising for secure-by-design assessments, supply chain software assurance and MXDR coverage that spans traditional IT, cloud and OT environments. The breadth of clients we serve across industries, geographies and IT and OT environments has allowed us to build unique IP to help clients secure this expanding attack surface.

NCC Group's

respondent survey reveals the critical issues driving supply chain security in 2025

of organisations expect the severity and scale of supply chain attacks to escalate further

experienced a cyber security breach in the prior 12 months

were concerned about visibility over their supply chain

Read more: www.nccgroup.com/the-state-of-supply-chain-security

A range of services and geographies

and breadth of offering Strategic priority Progress in FY25 Future outlook Link to risks:

Our clients

Deeper client engagement on the most pressing Cyber Security and software escrow needs

Appointed a CCO to align the global go-to-market strategy with overall business objectives
Hired new Market Leads to drive and implement regional strategies
Redefined the global markets organisational structure to support growth and enhance sales performance
Streamlined internal processes to sharpen focus on clients and execution of the go-to-market strategy

Our proposition

Offering a broader service portfolio addressing the full Cyber Security lifecycle

Strengthened our Managed Services business by expanding client adoption of our MXDR platform and adding enhanced detection and response capabilities
Built momentum in Digital Identity and Operational Technology practices, winning new client mandates
Continued to leverage technology partnerships to extend our propositions and global reach
Drove margin improvement within Technical Assurance, particularly in North America, through delivery model optimisation

Global delivery

Transitioning from an international to a fully global business

Rolled out global scheduling tool (Kantata) across all key regions, improving resource visibility and planning
Manila office scaled significantly, now an established hub for delivery and enabling functions
Introduced new ways of working within global delivery to improve efficiency and management information (MI) for decision making

Brands

Creating distinct and relevant brands for our Cyber Security and Escode businesses

Launched a distinct brand refresh for NCC Group Cyber Security business while establishing and embedding Escode
Celebrated 25 years of cutting-edge research and delivered market-leading thought leadership such as our monthly Threat Intelligence series and global Cyber Policy Radar
Recognised by leading industry analysts such as Forrester, Gartner and IDC citing our ability to solve complex security challenges with trusted CISO partnerships

FY25 financial framework goals

Sustainable revenue growth Improved gross margin Efficiency for growth Capital deployment supporting growth

• Deliver underlying growth in Cyber Security

Increase Managed Services revenue as a proportion of total Cyber Security
Maintain momentum in Escode
Maintain utilisation %
Smart pricing and margin investment decision making
Globalise technical resource footprint
• Drive deeper penetration in financial services, insurance, healthcare, industrials and public sector globally
If the potential sale of Escode does not occur, we will continue scaling Escode with a focus on critical infrastructure and regulated sectors
Evolve Cyber Security sales model to ensure stronger linkage between sales execution and service delivery
Accelerate Managed Services growth and further differentiate our MXDR proposition
Continue scaling Digital Identity and Operational Technology practices into core markets
Build repeatable propositions and intellectual property across Consulting and Implementation to improve delivery efficiency and client impact
Continue embedding global delivery model to enhance utilisation and efficiency
Leverage shared service hubs for scalable and cost effective delivery
Develop global KPIs and dashboards to drive consistent performance management across regions
Build on increasing media share of voice (SoV) and continue to grow thought leadership, research activity and industry engagement in cyber
Become the go-to Cyber Security and business resilience advisor to C-suite and boards

Simplify operating model to generate efficiencies
Drive towards consistent profit conversion in every market
Eliminate stranded costs resulting from non-core disposals

Strategic priority Progress in FY25 Future outlook Link to risks:

Read more on our risks on pages 29 to 37
A Strategy
B Cyber and information security
D People and partners
E Market and competition
F Brand and reputation
G Quality and delivery
H Legal, regulatory compliance and governance
A Strategy
B Cyber and information security
C Innovation and product development
D People and partners
E Market and competition
F Brand and reputation
G Quality and delivery
H Legal, regulatory compliance and governance
A Strategy
B Cyber and information security
D People and partners
G Quality and delivery
A Strategy
C Innovation and product development
E Market and competition
F Brand and reputation
G Quality and delivery

Sustainable revenue growth Improved gross margin Efficiency for growth Capital deployment supporting growth

Strong cash conversion
Ensure appropriate liquidity and debt facilities
Maintain dividend
Accretive acquisition opportunities

View our financial results: www.nccgroupplc.com/ investor-relations/ results‑media

Investing in stakeholder engagement

We have a responsibility to listen to our stakeholders, understand their priorities and apply insights and learning to guide how we make important decisions.

Colleagues

We are a people-powered, tech-enabled business. Our colleagues worldwide all play a vital role in creating a more secure digital future. Their expertise, commitment and innovation drive our success.

The opportunity

We're committed to creating an environment where every colleague can thrive and contribute meaningfully. This means:

Every colleague understands their impact and is connected to our commercial success
Managers invest time in their people, offering tailored support, coaching and feedback to further unlock potential
Colleagues have resources and opportunities to succeed and grow
Expectations are clear and fair, supported by structured performance management

How we listen and engage

Strong engagement underpins our inclusive, high performance culture. Listening and acting on feedback is central to how we operate.

• We enable regular, structured dialogue at all levels, from team huddles to global townhalls

Managers play a pivotal role in engagement, dedicating time to understand strengths, support growth and drive performance
Internal news platforms and collaboration tools keep colleagues informed, connected and able to contribute in real time
We gather feedback through pulse surveys, listening sessions and feedback loops to shape policies and programmes

Highlights in 2024/25

Made people operations seamless: Unified global processes and automated over 220 workflows to make it easier and faster for colleagues to get support
Accelerated leadership growth: Equipped senior and people leaders with targeted development to boost performance and leadership maturity
Built talent foundations: Rolled out consistent job levels with enhanced clarity around expectations for each level of role, and designed new frameworks to support internal mobility

Clients

Rooted in our sector knowledge, we develop solutions tailored to the unique needs of our clients. Bringing our in-depth understanding of the threat and regulatory landscape, we assist our clients in addressing their complex cyber security challenges.

The opportunity

Shift the transactional business to a subscription model, enabling sales teams to prioritise long-term client value and deeper engagement over short-term outcomes
Refresh the go-to-market portfolio to better meet customer needs, enhance solution relevance and drive stronger business impact
Leverage our expertise in AI and language models to support customers in their integration journeys
Utilise our world-class Managed Services capabilities to enhance customers' visibility and control over their assets and data

How we listen and engage

Through an integrated account management strategy and value-driven quarterly business reviews
Client satisfaction surveys and a formal global process are used to capture client feedback, ensuring a closed-loop response

Highlights in 2024/25

Established a new global and regional leadership team to drive effective strategy implementation
Launched new Cyber Security business branding, strengthening market recognition and reinforcing our position as a trusted partner in Cyber Security
Introduced new Managed Services branding (iMXDR) and refreshed proposition, with an updated go-to-market strategy that differentiates us in the market
Reviewed and redesigned data, processes and tools to improve internal insight, streamline operations and enable faster mobilisation at enhanced margins

Link to strategy:

Suppliers

We engage with many different suppliers across our global business and value the critical role our supply chain plays in supporting responsible business operations. Our procurement operations are maturing in line with industry best practice and we proactively work with an optimised supply chain network to drive competitive advantage through accessing innovation, delivering commercial value and managing risk.

The opportunity

Long-term trusted partnerships, facilitating sustainable operating cost reduction and cost of sale margin improvement
Fit for purpose contracts and payment terms, ensuring a safe, compliant and responsible supply chain with suppliers delivering to required service levels and protecting NCC Group from long-term commercial inflation

How we listen and engage

Regular joint business reviews held with key suppliers to mutually understand strategy and future forecasting
Supplier due diligence completed at onboarding

Highlights in 2024/25

Implemented Workday Strategic Sourcing to centralise investment requests
Introduced Investment Control Board (ICB) weekly review to understand and challenge investment requests to ensure either enabling revenue or reducing cost
New global procurement strategy launched to enable revenue, control costs and manage risk
Launch of new travel supplier to improve colleague experience and safety, reduce costs and accommodate diverse requirements
Investment in a transactional team based in Manila to develop into Purchase to Pay (P2P) specialists, collaborating with finance to drive supplier payments on time and improve the supplier experience, releasing working capital down the supply chain

Shareholders

We are committed to engaging with our shareholders, creating an opportunity to understand our business, the market, how we are responding

The opportunity

Financial performance
Dividend
Responsible long-term sustainable strategy
Sound corporate governance and stewardship

and the opportunity to deliver sustainable growth.

How we listen and engage

Strategic and financial updates issued via RNS Reach and RNS respectively
Regular meetings with investor relations, management and Board members
Investor roadshows after the full and half-year results
Open-door policy with investors and analysts (taking into account "offer period" restrictions and protocols)
AGM

Highlights in 2024/25

Hosted a live in-person Capital Market event to help investors and financial analysts understand what happens in a cyber attack and how to respond
Completed the disposal of Fox Crypto B.V. for total gross consideration of £65.6m to CR Group Nordic AB
Marked 20 consecutive years of dividend payments for shareholders
Announced a share buy-back programme

Network

Our expertise plays a pivotal role in shaping evidence-based policy decisions and convening the cyber community. We proactively engage, contribute to public-private partnerships and harness our experience and insights to contribute meaningfully towards a more secure digital society.

The opportunity

Building on our technology heritage and our role as a trusted advisor to governments and regulators we provide independent, technical expertise to improve cyber resilience policies
By understanding and shaping new and emerging regulations and policy proposals we can develop the right solutions to prepare for our clients' future needs and requirements

How we listen and engage

Building alliances with global think tanks and foundations, publicprivate partnerships, trade associations and campaign groups to pool resources, amplify our messages and maximise impact
Strategic relationships with national technical authorities, and support for government initiatives across all our regions through direct engagement

• Representation on senior government and parliamentary advisory panels

Highlights in 2024/25

Cited in the UK government's Industrial Strategy for cyber industry growth and chosen for cyber resilience at the 2025 NATO Summit
Recognised as a key convener of the UK cyber community through collaboration with the National Cyber Security Centre and contributing to Project Melissa – a leading public-private partnership in the Netherlands to combat ransomware threats in Europe
Published the Global Cyber Policy Radar Report, providing insights on global cyber regulations
Influenced global cyber policy by speaking at top conferences and briefing EU leaders and providing evidence to UK parliament on public-private partnerships

A resilient future

We strive for a resilient future through sustainable business practices, and take responsibility for identifying and managing the impact we have on people and the planet.

Read our Sustainability Report: nccgroupplc.com/sustainability

Our sustainability strategy

People-led, technology-enabled

We can only lead with our purpose through our greatest asset, the exceptional people we employ. They are at the forefront of our industry, developing solutions that protect our clients and society from the growing threat of cyber crime.

Responsible business

Our desire to improve the world we live in is encapsulated in our purpose. Embedding responsible business into our everyday activities is central to achieving this aim.

Action on climate

Taking urgent action to combat climate change and its impacts supports our purpose. Decarbonising our business and embedding climate considerations into our commercial offering are crucial elements in our support for the net zero transition.

2024/25 highlights

Enhanced our colleague benefits, including the launch of an improved Employee Assistance Programme in Europe.
Published our draft Carbon Reduction Plan and launched our verified Carbon Literacy Training programme.
Successful migration of Fox-IT onto the NCC Group certification for ISO 9001:2015 and ISO 27001:2022, resulting in a reduction of overall costs and consistent ways of working.

Why sustainability matters

Sustainability is about doing the right thing in the right way, and this is reflected in our Code of Ethics and embedded into our everyday ways of working. It's important to our clients, who trust us to help secure their digital assets; it's important to our colleagues, who are critical to the value we bring to our clients; and it's important to our shareholders, who entrust their investments to NCC Group, relying on us to deliver returns to their shareholders. It also matters to our political stakeholders who turn to us for trusted and independent advice and insights that improve cyber rules and regulations around the world.

We live in a rapidly evolving digital world, where the concept of sustainability extends to how we operate in totality. Not only are we supporting our clients to meet their governance requirements through our cyber security and escrow solutions, we are also helping to advance technologies that are at the forefront of fighting climate change, as well as other UN Sustainable Development Goals.

This means systems, networks and infrastructures need to be resilient, secure and long lasting. Cyber Security and sustainability are inherently intertwined, which means cyber threats pose a significant risk not only to individual businesses but to our very way of life too. The decisions we make today have far-reaching implications for the future.

Securing our future

As our lives become more digitally interconnected, the risk landscape broadens. From smart homes to smart cities, from online banking to telehealth services, from power grids to water supplies – they all rely on complex digital infrastructures. If these systems are compromised, the repercussions can be devastating. Hence, securing these infrastructures is an essential part of ensuring a sustainable future.

Our ability to protect against cyber threats, through the work we do for our clients, plays a pivotal role in guaranteeing that our world remains functional, reliable and consistent for generations to come. Indeed, we believe strongly that we can't build a resilient economy without resilient cyberspace, and we can't have a resilient cyberspace without 21st century laws and an infrastructure to tackle cyber threats, which is why we share our expertise with policymakers to improve cyber rules and regulations meaningfully.

Our sustainability framework

While the primary focus of our industry has always been about security, we recognise our operations have a broader environmental and societal impact. Our sustainability framework has two core tenets focused on people and the planet, underpinned by being a responsible employer and supply chain partner.

This framework is the foundation to start making tangible progress in addressing material topics for our stakeholders. We believe that this is a journey, not a race. We place sustainability at the heart of our strategy – not just securing the digital world, but securing the future for ourselves and for generations to come.

We invite our stakeholders to join us, working together to build a future that is not only secure but also sustainable.

VIEWPOINT

If we are to meaningfully reduce our carbon footprint we need to engage our stakeholders in the conversation

Building on our partnership with Positive Planet, and as part of developing our Carbon Reduction Plan, we designed and had certified our own Carbon Literacy Training programme. This certified, one-day programme will enable us to build knowledge around the business of what the climate crisis is, and what we can do individually and collectively to take action to reduce the impact we have.

The first cohort of delegates on this course included Lynn Fordham, our Non-Executive Director responsible for Sustainability; Guy Ellis, Chief Financial Officer; and Michelle Van de Velde, Chief People Officer, along with senior members of the procurement, communications and marketing, HR and sales and technical delivery teams.

Over 400 colleagues have signed up to undertake the course, and we have developed our own certified in-house training capability to do this.

Non-financial and sustainability information statement

The following table provides readers with an index of where to further find relevant non‑financial information within this Annual Report and Accounts, in line with the Financial Reporting Directive requirements contained in sections 414CA and 414CB of the Companies Act. Where relevant, additional information is signposted to further support the requirements.

The Group considers that it complies with the disclosure requirements under section 414CB(2A) of the Companies Act 2006 and has included climate-related financial disclosures that are partially consistent with the TCFD recommendations.

Reporting topic	Policies and standards which govern our approach	Annual Report and Accounts section reference	Page	Website resources
Climate-related disclosures	• Environmental policy	• Sustainability Report • TCFD Report • Risk Management • Stakeholder Engagement	22 29 14	• Sustainability Report • Streamlined Energy and Carbon Report
Colleagues Social and community matters	• Whistleblowing policy • Code of Ethics • Disciplinary Policy • Grievance Policy • Modern Slavery Statement • Code of Ethics • Supply chain Code of Conduct • Giving back policy • Matched funding policy	• Sustainability Report • Stakeholder Engagement • Remuneration Committee Report • Culture • Sustainability Report • Stakeholder Engagement	14 81 19 14	• Sustainability Report • Sustainability Report
Respect for human rights	• Modern Slavery Statement • Data privacy policy • Global equal opportunities and diversity policy	• Sustainability Report • Stakeholder Engagement • Culture	14 19	• Sustainability Report
Anti-bribery and corruption	• Anti-bribery and corruption policy • Gifts and entertainment policy	• Sustainability Report • Audit Committee Report	71	• Sustainability Report

Our people

At NCC Group we embrace difference and are connected by our purpose to create a more secure digital future. Across our global operations we form a phenomenal network, working together, collaborating and innovating to support our clients.

We are guided by our Code of Ethics and our values, which define our behaviours – treating everyone and everything with respect. This is the foundation of our culture, and we strive to create an environment where everyone is welcome, feels safe and can be successful.

Progress in 2024/25

Continued investment in leadership and management development with leadership development rolled out across the organisation, and additional manager-focused development sessions
Enhanced our colleague benefits, including the launch of an improved Employee Assistance Programme in Europe
Enhanced focus on actions resulting from colleague engagement survey feedback

A global team

As of 30 September 2025, we have 2,073 colleagues (including contractors) across the world supporting our clients, made of three core groups – Sales, Delivery and Enabling Functions. Circa 98% of colleagues are permanent and the remainder are contractors to provide support on projects.

People-powered, technology-enabled

We want everyone here to feel safe – psychologically, emotionally and physically – so they can be themselves, share their experiences and have equal opportunities to succeed. Our team reflects the diversity of the world around us, and this is how we live our values: working together and being brilliant.

Our approach to diversity, equity and inclusion (DE&I)

We acknowledge our opportunities to contribute to diversity in the technology sector, with inclusion and diversity principles incorporated into our hiring and talent management processes. To further support DE&I, we've formed partnerships with external organisations such as Disability Confident and the Business Disability Forum in the UK to increase accessibility, not only for our current colleagues, but also a broader candidate pool.

Unconscious bias training is included as part of our Global Onboarding programme via a specific session entitled "Working Across Cultures". Furthermore, through our Manager Skills Boost sessions we reiterate the importance of awareness of unconscious bias in support of diversity, equity and inclusion. All colleagues complete the ethics module as part of our mandatory annual compliance training, which includes dignity and respect at work. We continue to support our core

colleague resource groups (gender, LGBTQIA+, neurodiversity, accessibility, and race and ethnicity) to provide input on workplace practices, engagement, education and representation for under‑represented communities across our global business.

As of 30 September 2025, the Board of Directors comprised four males and three females. The wider Group employed 554 females, 1,444 males and 94 individuals whose gender was not disclosed. For the purpose of this disclosure, the Group defines its senior management as the Executive Committee, which consisted of four males and three females as of 30 September 2025. These figures for the Executive Committee include colleagues who also serve as statutory directors of subsidiary companies, where relevant.

Talent development

Innovation and continuous learning are central to NCC Group's culture, supported by investments in skill development and leadership growth, fostering personal and professional development through structured programmes and new digital platforms to enhance colleague capabilities globally.

We combine on-the-job learning, mentoring, self-study and formal training with personal development plans, supporting colleagues to gain certifications and advance their careers. In England, we leverage the Modern Apprenticeship Levy, with 4.3% of our colleague population undertaking apprenticeship learning – an increase of 60% of eligible colleagues year on year. FY25 was the first year we partnered with Co-op Levy Share to donate our excess levy funds, pledging £150k over the next two to three years. Currently, we're supporting eight UK employers and 21 learners, with donations to date totalling £27k.

We continued to invest in our leadership and management populations, and by June 2025 had delivered Enabling Performance, our Leadership programme, to 75 leaders and managers across the Group, including 73% of our senior leaders. Throughout FY26/FY27 we plan to upskill specific leaders and people team colleagues to enable us to roll out this programme across the remainder of the senior leaders and our middle manager population.

Sustainability continued

Talent development continued

In October 2024, we launched our Skills Boost series, available to all leaders and managers globally. These 90-minute, virtual sessions focus on key leadership skill areas, e.g. effective performance management, leading cross-culturally, and leading through change. Where relevant, we replicated models from Enabling Performance, e.g. clean talk for difficult conversations and the GROW model for coaching. In FY25, we delivered 66 sessions across six key skill areas, with 943 individual attendances, and circa 40% of leaders and managers regularly attending sessions. Across all sessions, feedback is collected via an online form, including an NPS-specific question: "Would you recommend this session to your colleagues at NCC Group?" All sessions secured an "excellent" (+70–100) NPS score.

In July 2025 we launched our Compass Management Development programme, leveraging Saville leadership profiling to offer a dedicated learning pathway focused on self-awareness through a series of virtual and face-to-face workshops building leadership capability, supplemented by group coaching and mentoring to enable colleagues to embed their learning into their day-to-day roles. Workshops are delivered in concentrated cohorts of 12–15 delegates to facilitate a semi‑personalised programme and are available to colleagues in people manager roles with less than two years' experience. Following the launch in the final quarter of FY25 we engaged 25 attendees across two cohorts.

We launched our first Learning Experience Platform, Spark, in April 2025, and while it's still being embedded, 93% of colleagues have engaged with content on the platform to date.

In FY25 we facilitated a talent review to identify potential successors to the Executive Committee. The five leaders identified worked with our partner, Saville Assessment, completing Saville Wave and 360 Leadership Impact

assessments, and creating a talent profile outlining their strengths and areas for development. They will be supported on their development, with regular one-to-one meetings with their Executive Committee member and Talent Development partner to discuss progress. To date, two of the five leaders have advanced into more senior roles, with one joining the Executive Committee.

Engagement

We have several mechanisms to measure colleague engagement (see page 14), including MyVoice, our biannual engagement survey using the Viva Glint platform. In our March 2025 survey, 1,489 colleagues responded, an increase in our engagement score of two points from March 2024.

In addition to the survey, Senior Non-Executive Director Julie Chakraverty hosts quarterly Colleague Listening Sessions, ensuring the Board has a direct link to colleagues and decision making takes into account their voices. In FY25, over 80 colleagues met with Julie, who in turn reported feedback to the Board.

Speaking up

Colleagues have a number of opportunities to speak up – sharing feedback or raising concerns. A global Speak Up framework outlines channels and resources available for doing this, guidance on who to engage with on different types of feedback, and how to ensure confidentiality. A whistleblowing helpline and policy are also available – the policy is published in multiple languages on our website.

This ensures colleagues are encouraged to speak up, safe from fear of reprisals, and with the reassurance that any concerns will be listened to and acted on appropriately.

Enhancing the colleague experience through competitive reward and wellbeing propositions

Each country we operate in has its own prevailing market conditions, and as such we align our benefit and wellbeing propositions locally, while ensuring they are competitively benchmarked, enabling us to retain and attract the best talent. Our Global Benefits Strategy focuses on four key pillars aligned with colleague feedback and global best practice:

Finance and protection

We understand the importance of financial stability benefits to support colleagues when making choices about their and their families' current and future financial status.

Health and wellbeing

We're committed to fostering a culture of wellness by offering preventative and supportive resources, programmes and initiatives that promote healthy lifestyles, family-work-life balance, and stress management.

Investment and savings

Our strategy supports colleagues in planning for the future, enabling them through different investment options to strengthen their financial wellbeing.

Lifestyle and flexibility

We recognise the importance of maintaining a healthy work-life balance and offer flexible work arrangements, paid time off and family friendly policies.

Continually reviewing our reward offering in each country ensures we retain and attract the best talent. In FY25, we built on our reward offering to remain competitive, including:

In Canada we changed the pension provider, with lower management fees, which means greater levels of investment for colleagues.
In Manila, we launched our Philippines Share Plan to all colleagues post-probation and expanded our medical offering to dependants,

helping to retain and attract colleagues in a competitive marketplace.

Across Europe, we enhanced our Employee Assistance Programmes, providing enhanced health and wellbeing support to all.
In the UK we rolled out our health cash plan, providing all colleagues with financial support to access dental, optical and medical treatments.

To find out more about our support of colleagues, please see our sustainability strategy on page 16

Action on climate

We're committed to taking proportionate climate action as a responsible employer, a trusted supply chain partner, and a business focused on long-term value creation for all stakeholders.

Progress in 2024/25

Published our draft Carbon Reduction Plan
Working with Positive Planet, designed and launched NCC Group's own certified Carbon Literacy Training programme and launched annual and onboarding mandatory climate action training for all colleagues
Partnered with Climategames to fund climate action projects through our wellbeing initiatives

In addition to our support of the net zero transition (read more on our sustainability strategy at nccgroupplc.com/sustainability), our action on climate has three pillars, starting with our own operations and extending to the support we give to clients operating in the energy transition sector and the contribution we make to their endeavours:

Supporting the net zero transition
Decarbonising energy use
Developing sustainable solutions

The biggest impact occurs in our business travel, both for client and non-client related travel, and our leased office spaces and is the focus for our reporting.

Decarbonising energy use

Our total annual Scope 1 and 2 emissions associated with our business operations were 1,232 tCO2 e for our full year 2025. See page 28 for further detail.

We continue to review our leased office space requirements, considering client and colleague needs. Considerations are given to collaboration, health and safety, personal wellbeing and the impact emissions have on the environment. This includes taking into consideration commuting for colleagues and the accessibility of public transport networks.

We review office usage monthly as part of the executive team operations review, which, alongside colleague feedback and engagement, and consideration of client needs, informs the real estate strategy.

On travel, all colleagues are required to book through our travel partner, Gray Dawes. This provides us with global tracking and improves our data collection for emissions as well as improving how we respond to any social or climate-related issues that colleagues may face.

Domestic flights within the UK and European countries are by exception only, with rail travel the preferred option. As a result, any train journey more than three hours in duration in total is travelled by first class to ensure the health, safety and wellbeing of colleagues.

Climategames partnership

During the financial year, we partnered with Climategames, bringing both wellbeing and climate action together to engage colleagues and give back.

We chose to invest in two projects – a sea kelp forestation initiative off the coast of British Columbia, and a social enterprise in Asia, including the Philippines, that prevents plastic from entering the ocean in the first place.

In the initial launch during the summer of 2025 we funded the equivalent of planting 1,020 trees and removing 16.1kg of plastic from the ocean.

Financial donations are made in return for colleagues taking part in physical challenges – from Group activities to local and team‑based events. This is a great way to engage colleagues in our climate action activities as well as facilitating wellbeing conversations.

Task Force on Climate-related Financial Disclosures (TCFD)

In alignment with the UK Listing Rules, which mandates climate-related disclosure for all UK listed companies, we have produced a comprehensive TCFD Report. Our report covers the four pillars recommended by TCFD: governance, strategy, risk management and metrics/targets, and the 11 disclosures recommended by TCFD except as noted below.

To ensure consistency across our report, we adhered to section C of the TCFD Annex, titled "Guidance for All Sectors".

As a result the following are documented as partially consistent, with further detail available within this report:

• Strategy B and C – these disclosures have not been fully met due to prioritising drafting our Carbon Reduction Plan, which will use FY25 as our baseline year to enable reduction targets aligned to science-based targets.

Our assessments indicate a low risk of exposure to physical and transitional climate changes, thanks to our business model. However, we acknowledge the high importance of mitigating greenhouse gas emissions, which emerged as a priority from stakeholder feedback as part of our "ongoing assessment" of double materiality in accordance with European Sustainability Reporting Standards.

In FY25 we appointed a new partner – Positive Planet – to support the design and publication of our global Carbon Reduction Plan and to calculate and verify our GHG emissions.

We recognise the considerable opportunities presented by the growing climate-focused market. Our collaborations with clients in industries such as electric vehicles, renewable energy, Operational Technology and other climate-friendly technologies underscore our readiness to seize these opportunities for sustainable growth.

Governance TCFD recommended disclosure Consistency NCC Group disclosure Focus area of FY26

Governance A. Describe the Board's oversight of climaterelated risk and opportunities Consistent • The Board's Head of the Audit Committee is the lead Non-Executive Director responsible for sustainability. Monthly updates are provided via the CFO report to the Board as well as directly from quarterly meetings with the VP, Investor Relations and Sustainability and the lead NED, including an update on progress against the Group's goals and targets where appropriate • The Board takes overall accountability for the management of climate-related risks and opportunities and considers them as part of its overall risk review processes • Introduce reporting aligned to the Carbon Reduction Plan targets to reflect, discuss and ensure actions are being taken B. Describe the management's role in assessing and managing climate-related risks and opportunities Consistent • The VP, Investor Relations and Sustainability reports to the Chief Financial Officer, providing advice and updates to the Executive Committee on climaterelated issues as and when relevant • An Executive Risk Management (ERM) Committee meets quarterly and addresses any climate risks as part of that process where appropriate • Roll out Climate Literacy Training to all ExCom members and senior leaders during FY26 • Continue to embed climate action into key business decisions • Assign accountabilities and

Lynn Fordham, the lead Non-Executive Director for Sustainability, was appointed by the NCC Group Board Chair. In addition to her position as the Head of the Audit Committee, Lynn's role is to oversee the Company's sustainability strategy, ensure its integration with the overall business strategy and provide regular sustainability updates to the Board.

While there is no specific Board committee for environmental issues, an Executive Risk Management (ERM) Committee chaired by the SVP, Global Governance, Procurement and Estates addresses these issues. The ERM meets bi-monthly and is attended by our CEO and CFO. It discusses, among other risks, sustainability and environmental challenges where relevant, which are then reported to the Board.

The results from our ongoing double-materiality assessment continue to inform our sustainability framework. With the changes in requirements for CSRD and the fact our business operations are not in scope for the foreseeable future, we do not intend to report voluntarily against the standards. We will continue to review and assess to ensure we can bid competitively for work within Europe.

track progress resulting from the Carbon Reduction Plan

The Board is committed to communicating its dedication to addressing climate change. By way of example Lynn Fordham along with Guy Ellis, CFO, attended NCC Group's inaugural Carbon Literacy Training and received their certification in August 2025. They continue to champion training and action in their respective roles.

Strategy

TCFD recommended disclosure	Consistency	NCC Group disclosure	Focus area of FY26
Strategy
A. Describe the climate-related risks and opportunities the organisation has identified over the short, medium and long term	Consistent	• See the tables below and on page 24 describing risks and opportunities, which were selected based on the location of our existing business and known climate change risks affecting the broader region we operate in	• Monitor actions arising from the risk register
B. Describe the impact of climate‑related risks and opportunities on the organisation's business strategy and financial planning	Partially consistent	• Climate-related taxes, or fines for non-compliance, could impact the business if we fail to take action • Our ability to raise capital to invest in growth may be restricted if we fail to make progress on climate related action, if this is a requirement of any future sustainable lending requirements	• Assess financial implications of climate scenarios in our financial planning
C. Describe the resilience of the organisation's strategy, taking into consideration different climate-related scenarios, including a 2°C or lower scenario	Partially consistent	• We have conducted an initial quantitative analysis against two scenarios of 1.5°C and 4°C	• Develop initial scenario analysis and integrate into NCC Group's strategy development through implementation of the Carbon Reduction Plan

Our focus is not limited to risk mitigation but extends to exploring opportunities where we can make a positive impact. This includes improving the energy efficiency of our operations, collaborating with our landlords and requesting renewable energy sources, and identifying ways our technology solutions can contribute to our clients' sustainability efforts. As we continue our climate change journey, we are committed to regularly reporting our progress against these objectives, showing transparency in our endeavours, and constantly seeking ways to better our efforts.

Climate-related risks

Our comprehensive risk management framework (summarised in the Risk Management section of the Annual Report on pages 29 to 37) is instrumental in identifying and assessing climate-related risks. We categorise these risks into:

Short term (less than one year) based on short-term regulatory or policy changes impacting climate-related risks and opportunities as well as existing forecasting processes considered by management which are reviewed and evaluated on an annual basis
Medium term (one to five years) based on regulatory changes that may affect climate-related risks and opportunities
Long term (more than five years) based on the likely timeline of international agreements and commitments, technological trends and changes to policy or carbon pricing and their impact on our operations, client services and supply chain

For instance, short-term risks might include immediate regulatory changes or extreme weather events, while long-term risks could be major shifts in our industry driven by the transition to a low carbon economy. Each identified risk is paired with corresponding mitigation measures, such as implementing energy-efficient technologies or diversifying our supply chain, aimed to reduce our vulnerability.

It's critical that we remain flexible in our approach but focused on taking responsibility for the emissions we generate and seek to reduce what we can control.

While these risks apply to the Group as a whole, we do recognise that certain locations face unique challenges. For example, our operations in coastal areas are more susceptible to rising sea levels and increased frequency of extreme weather events.

For a more detailed understanding of the climate-related risks and opportunities we face, please refer to the table below. It provides a snapshot of the specific challenges we're addressing and the strategic responses we have undertaken.

Risk	Risk impact	Short/medium/ long term	Regions impacted	Mitigating activities
Physical risks
Extreme weather (acute)	Causing business disruption and loss of service delivery if colleagues or clients are impacted adversely, which would in turn potentially impact revenue	Short to medium term	All but particularly Europe (Rijswijk and Amsterdam)	• Business interruption cover • Business continuity plans • Remote working in place • Dutch flood defences in place
Sea level rises (chronic)	Increased likelihood of flooding in Delft and Amsterdam offices causing increased insurance premiums to mitigate against business interruption and material loss	Long term	Europe – Rijswijk and Amsterdam offices

<-- PDF CHUNK SEPARATOR -->

Sustainability continued

TCFD continued

Climate-related risks continued

Risk	Risk impact	Short/medium/ long term	Regions impacted	Mitigating activities
Transition risks
Increase in taxes and levies for greenhouse gas emissions	Increased costs to implement control and monitor/measurement processes as well as actual cost of taxes and levies	Medium term	Depends on local legislation	• Implement actions identified in our Carbon Reduction Plan and monitor
Move to net zero	Increased costs required to lower emissions	Long term	Global	• Remote delivery of client services where possible • Green car scheme for UK colleagues • Annual calculation of Scope 1 and 2 emissions and a Carbon Reduction Plan in place • Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction
Margin risk	Impact on results due to extra costs incurred to lower emissions	Medium term	Global	• Accounting policies regularly reviewed • Rigorous and transparent budget setting will identify increasing costs associated with carbon emissions reduction
Reputation risk	Increased stakeholder concern and changing client behaviours	Medium term	Global	• Rolling out Carbon Literacy Training to colleagues, starting with key decision makers and senior client-facing colleagues to empower them to engage in the conversation • Ongoing dialogue with investors • Participation in reporting frameworks such as CDP, EcoVadis, FTSE4Good, etc. • ESG information publicly available
Supply chain risk	Substitution of existing products and services with lower emission options	Medium to long term	Global	• Building climate change reporting and activity into supplier onboarding • Business continuity plans • Continuing to review our estate provision and taking steps to move out of leases where there is no client or business benefit to being there • Implementation of our estates policy, which incorporates environment considerations alongside the health, safety and security of colleagues

Resource efficiency: By embracing more efficient modes of transport, promoting recycling, encouraging hybrid working models and operating within efficient buildings, we can lessen our environmental footprint, improve colleague satisfaction and reduce operational costs. For instance, removing unnecessary travel not only reduces our carbon emissions but also empowers colleagues with more control over their work-life balance, contributing to improved morale and productivity (anticipated medium to long-term benefits).

Energy source: Our transition to lower emission energy sources, underpinned by our electric/hybrid car scheme for all UK colleagues, demonstrates our commitment to sustainable practices. By giving colleagues access to green car options, we are mitigating our exposure to future fossil fuel price fluctuations and regulations. It also addresses our colleagues' material concerns, fostering a culture of environmental responsibility and enhancing overall job satisfaction (medium to long-term impact).

Market: As industries evolve in response to climate change, we're strategically positioned to leverage these transformations. For example, by partnering with companies transitioning to alternative energy sources or working on projects involving smart meters, electric vehicles, IoT technology for waste reduction and cloud data centres, we anticipate strengthening our market position and enhancing our reputation as a sustainable and innovative enterprise (short to medium-term outlook).

Resilience: Our sustainable business model increases our resilience to climate-related risks, demonstrating our commitment to being a responsible and ethical supply chain partner. This commitment to sustainability not only aligns us with an increasingly eco-aware market but also empowers us to lead in the space, fostering a culture of innovation and responsible business practices (short to long‑term perspective).

Scenario analysis

To understand the risks and opportunities our business faces considering climate change, we conducted a quantitative scenario analysis using two distinct scenarios: a "<2°C" scenario ("Scenario 1"), where global warming is limited to less than 2°C with net zero achieved by 2050, and a "4°C" scenario ("Scenario 2"), where the goal of net zero by 2050 is not reached. A summary of the scenarios selected is provided in the diagram below.

These scenarios are chosen to reflect the diverse spectrum of possibilities that could unfold due to different levels of global effort to curb climate change. In the context of these scenarios, "transition risks" refer to the challenges associated with the shift towards a lower carbon economy, while "physical risks" denote the potential damage caused by climate change itself.

In terms of the risks selected, these were based on physical locations and the nature of our business in key locations of North America, the UK, Europe and Asia Pacific. We are in the process of flowing this into our financial planning and will continue to do so as we mature our climate action planning and reporting.

Under Scenario 1, we anticipate higher transition risks due to rapid shifts in regulatory and market conditions, but the physical risks would be significantly reduced due to the effective global action on climate change. Conversely, Scenario 2 predicts lower transition risks but considerably higher physical risks due to the lack of substantial progress towards climate goals.

We've further broken down these risks by timeline, classifying them as short term (less than one year), medium term (one to five years) and long term (more than five years). The table below offers a comprehensive overview of NCC Group's potential exposure to both transition and physical risks under each scenario.

While our current analysis is qualitative, we are working towards quantifying these risks and opportunities as we progress towards our net zero targets and continually improve our data collection across Scope 1, 2 and 3 emissions. At this point, we don't foresee a significant impact on our Financial Statement disclosures based on our materiality assessment results and known near to mid-term regulatory developments. However, we will continuously monitor both transition and physical risks, adjusting our mitigation strategy as necessary.

Risk type	Risk	Risk impact	Scenario	Short-term risk (<1 year 2025)	Medium-term risk (1–5 years 2026 to 2031)	Long-term risk (>5 years 2031)
Physical risk	Rising sea levels	Risk to NCC Group offices located in high risk areas, as well	1	Low	Low	High
	as colleagues' homes and clients' business premises, resulting in business disruption	2	Low	High	High
Transition	Increase in	Disruption and increased costs to ensure compliance	1	Low	Medium	High
	risk taxes and levies	with new legislation	2	Low	Low	Low
	Margin risk	Impact on results due to extra costs incurred to lower emissions		Low	Medium	High
			2	Low	Low	Low
	Reputation risk	Increased stakeholder concern	1	Medium	High	High
		and changing client behaviours	2	Low	High	High
	Supply chain risk	Substitution of existing		Low	Medium	High
		products and services with lower emission options	2	Low	Low	High

Financial planning

We recognise the potential implications of climate-related risks and opportunities on our financial planning. We anticipate shifts in our future business model and strategy in response to evolving market conditions due to climate change. We foresee potential changes in client preferences towards more sustainable products and services, along with possible disruptions in our supply chain due to extreme weather events. These factors are thoroughly considered in our business strategy development.

Our business strategy has been designed to be resilient to future economic and climate-related scenarios. And by running regular scenarios we can test that resilience and ensure it's considered in future business strategy development, enabling us to adapt accordingly, without disrupting or negatively impacting current operations.

The scenarios are based on industry insights, which are used in the expert input into our ongoing materiality assessment.

During FY24 we prioritised drafting our Carbon Reduction Plan working with Positive Planet. We set interim reduction targets based on FY24 GHG emissions, with the final base being set by our FY25 GHG emissions. Targets are aligned to science-based targets and at this stage we have chosen not to verify these.

The publication of our Carbon Reduction Plan will enable us to begin work on integrating climate considerations into our financial planning process when appropriate. Our aim continues to be to incorporate climate considerations to influence future investment decisions by the Group, reducing our carbon footprint, and gradually divesting areas that carry high climate-related risks.

For now though, we are actively working to improve our operational efficiency and addressing things we can directly influence to reduce our impact on the environment and realise cost savings.

Sustainability continued

TCFD continued

Risk management

TCFD recommended disclosure	Consistency	NCC Group disclosure	Focus area of FY26
Risk management
A. Describe the organisation's processes for identifying and assessing climate-related risks	Consistent	• Climate-related risks are managed through our Enterprise Risk Management framework	• Monitor actions arising from the risk register
B. Describe the organisation's processes for managing climate-related risks	Consistent	• Climate-related risks are documented, mitigating actions are considered, a risk rating is assigned and associated actions are documented and followed up	• Monitor actions arising from the risk register
C. Describe how processes for identifying, assessing and managing climate-related risks are integrated into the organisation's overall risk management	Consistent	• Climate-related risks are managed through our Enterprise Risk Management framework	• Monitor actions arising from the risk register

Climate-related risks are managed through our NCC Group Enterprise Risk Management (ERM) framework. This framework, which is detailed in the Risk Management section of the Annual Report on page 30, uses a sophisticated risk model to assess and score each risk based on likelihood and impact. Risks are re-evaluated consistently to ensure we're responsive to evolving circumstances.

Our risk management approach combines "top-down strategic" and "bottom-up operational" perspectives, fostering collaboration and promoting efficient risk identification. With respect to climate-related risks, we have outlined our strategies and targets for GHG emissions reduction and biodiversity preservation.

These climate-related risks are integrated into our Principal Risks section (pages 29 to 37). The Executive Risk Management Committee plays an active role in the ongoing review of these risks and their mitigations, controls and associated actions. This Committee meets on a regular basis and follows a stringent process for identifying, assessing, responding to and escalating serious concerns related to these risks.

We firmly believe that this integrated and transparent approach will ensure effective risk management aligned with the principles of TCFD, while driving our strategic objectives for sustainability.

Metrics and targets

To achieve net zero, we will be aiming to reduce emissions in line with the latest guidance from the Science Based Targets initiative (SBTi). Targets are defined as "science based" when they align with the scale of reductions required to limit global temperature increases to 1.5°C compared to pre-industrial temperatures. Adopting the SBTi framework ensures our decarbonisation efforts are aligned with the latest climate science and global best practices. The SBTi provides a clear, credible pathway for reducing emissions at a pace and scale consistent with limiting global warming to 1.5°C.

For the time being our targets will be aligned with SBTi guidance, although we will not be seeking validation at this time.

We anticipate reducing our Scope 1, 2 and 3 emissions by 63% by 2035, which will be validated using FY25 as our base year. We will also consider setting an intensity‑based Scope 3 target depending on growth targets. An intensity-based target is a commitment to reduce emissions per economic unit or physical unit.

We are committed to reach net zero by 2045. Please see our Carbon Reduction Plan for more information www.nccgroupplc.com/sustainability

TCFD recommended disclosure	Consistency	NCC Group disclosure	Focus areas for FY26
Metrics and targets
A. Disclose the metrics used by the organisation to assess climate-related risks and opportunities in line with its strategy and risk management process	Partially consistent	• Reporting of Scope 1, Scope 2 and Scope 3 greenhouse gas emissions for FY25 compared to prior years while taking into account improvements in our methodology	• Prioritisation and ownership of Carbon Reduction Plan actions
B. Disclose Scope 1, Scope 2 and, if appropriate, Scope 3 greenhouse gas emissions and the related risks	Partially consistent	• Publication of Scope 1 and 2 GHG emissions for FY25 vs FY24 • Full Scope 3 emissions relevant to our business operations	• Review of our data collection in line with the new action areas identified within the Carbon Reduction Plan
C. Describe the targets used by the organisation to manage climate related risks and opportunities and performance against target	Partially consistent	• Draft Carbon Reduction Plan target to reduce Scope 1 by 63%, Scope 2 by 63% and Scope 3 by 63% by 2035	• Publish the final Carbon Reduction plan using FY25 GHG emissions as the baseline • Validate targets with SBTi

VIEWPOINT

The state of supply chain security NCC Group thought leadership shows 68% of organisations expect supply chain attacks to grow more severe

Global supply chains are under mounting pressure, suffering a series of high profile breaches in 2025. As the attack surface and threat increases, organisations are complacent and over reliant on compliance frameworks.

NCC Group's 'State of supply chain security' report investigated this overlooked area of risk and found deeply concerning evidence of overconfidence, a gap in responsibility and the rising threat posed by artificial intelligence.

At NCC Group, we help clients tackle these challenges through expert-led assessments, robust third party risk management, and tailored strategies that embed security across the supply chain, ensuring organisations can operate confidently in an increasingly hostile digital landscape.

The full report is available at: www.nccgroup.com/the-state-of‑ supply-chain-security

Streamlined Energy and Carbon Reporting (SECR)

The period under review is from 1 October 2024 to 30 September 2025 and the reporting boundary includes the full Group. Emissions are calculated in line with the GHG Protocol, as detailed in our SECR report on the Sustainability section of our website. Emissions are reported as CO₂, using 100-year Global Warming Potential values. For FY25, NCC Group's report covers SECR-relevant categories only. Data sources used include meter readings, supplier invoices, and transport mileage records.

	Total GHG	G tCO ₂ e	tCO ₂ e	%
Source	2024	2025	change from previous year	change from previous year
Scope 1
Gas	344.4	109.5	(234.9)	(68%)
Company vehicles
Diesel ^A	0.8	_	N/A	N/A
Petrol ^A	11.3	_	N/A	N/A
Diesel/petrol	12.1	349.3 ^B	337.2	2,787%
Hybrid	-	_	_	_
Fleet fuel – petrol		_
Total Scope 1	356.5	458.8	102.3	29%
Scope 2
Electricity ^A	1,280.5	_	N/A	N/A
Company vehicles – electric ^A	8.9	_	N/A	N/A
Purchased electricity	1,289.40	727.30	(562.1)	(44%)
Heat and steam	40.9	45.9	5	12%
Total Scope 2	1,330.3	773.2	(557.1)	(42%)
Total Scope 1 and 2	1,686.8	1,232.0	(454.8)	(27%)
Scope 3
Business travel ^A	1,257.5	_	N/A	N/A
Transmission and distribution losses ^A	82.3	_	N/A	N/A
Heat and steam transmission and distribution losses ^A	2.8	_	N/A	N/A
Fleet transmission and distribution losses ^A	0.8	_	N/A	N/A
Transport	1,343.40	88.7	(1,254.7)	(93%)
Commuting ^A	225.4	_	N/A	N/A
Data centre electricity ^A	71.7	_	N/A	N/A
Purchased goods and services ^A	5,713.7	_	N/A	N/A
Total Scope 3	7,354.2	88.7	(7,265.5)	(99%)
Total Scope 1, 2 and 3	9,041.0	1,320.7	(7,720.3)	(85%)

Underlying energy use

The table below shows the proportion of energy use that occurs in the UK and non-UK countries alongside the total carbon emissions. In FY25, 27% of the Group's energy consumption and 21% of carbon emissions arose from the UK.

	FY25 energy u	se	FY25 carbon emissions
Area	kWh	% of global energy use	Total emissions tCO ₂ e	% of global emissions
UK	1,340,628.6	27%	279.1	21%
Non-UK	3,587,490.3	73%	1,041.6	79%
Global purchased goods and services		_		_
Total ^A	4.928.118.9	100%	1,320.7	100%

Intensity metric

Total per £m turnover – location based

_		- Islander zin tamerer i seation zacea
	Amount kWh	Turnover £m	Total emissions tCO ₂ e	Intensity per turnover $tCO_2e$
1 October 2023–30 September 2024	6,326,920.9	329.2	9,041.0	27.5
1 October 2024–30 September 2025 ^A	4,928,118.9	305.4	1,320.7	4.3
Comparison	(22.1%)	(7.2%)	(85.4%)	(84.3)

A In accordance with SECR requirements and on the professional advice of NCC Group's newly appointed sustainability consultancy, Positive Planet, the FY25 data disclosure includes only the mandatory information prescribed by legislation. This disclosure provides a concise summary of NCC Group's energy consumption, carbon emissions and related performance metrics. A more comprehensive view, including supplementary information and analysis, will be provided in the 2025 Carbon Reduction Plan and Sustainability Report. This approach ensures transparency and accessibility while maintaining compliance with regulatory obligations.

B Reflecting NCC Group's ongoing commitment to strengthen transparency and completeness in emissions reporting, fleet emissions data for the Netherlands has been sourced and included in the FY25 SECR disclosure for the first time.

Risk management

Risk is an inherent part of doing business, and risk management is a fundamental aspect of good corporate governance. A successful risk management process balances risk and reward and is underpinned by sound judgement regarding the impact and likelihood of risks. The Board holds overall responsibility for ensuring that NCC Group has an effective risk management framework that aligns with its business objectives.

The Board has established an Enterprise Risk Management policy, which has established protocols, including:

• Roles and responsibilities for the risk management framework
• A risk scoring framework
• A definition of risk appetite
The integrated approach to risk management diagram on page 30 summarises the Group's overall approach to risk management

NCC Group's approach to risk management

NCC Group adopts both a "top-down" and "bottom-up" approach to risk, to manage risk exposure across the Group to enable the effective pursuit of strategic objectives. The approach is summarised in the diagram on page 30.

The approach is one of collaboration, which supports our comprehensive approach to risk identification, from the "top down" and "bottom up". The Group believes that this is the most efficient and effective way to identify its business risks.

Top down

The Board, Audit Committee and Cyber Security Committee review risks on an ongoing basis and are supported by the Executive Committee and subject matter specialists (including Escode, Cyber

Security, information security, data protection and health and safety). The Board considers the Group's strategic objectives and any barriers to their achievement.

Bottom up

The Board and senior leadership team engage with colleagues at every level of the Group in recognition of the importance of their expertise, contribution and views.

Risk management model

The Board has overall responsibility for ensuring that NCC Group adopts an effective risk management model, which is aligned to our objectives and promotes good risk management practice. We have therefore adopted the model described in this section and summarised in the diagram above.

Managing risk from the top down

Top down Strategic risk management

Bottom up Operational risk management

• Establishing guidance on the Group's approach to risk management and establishing the parameters for risk appetite and associated decision making

Identification, review and management of identified Group strategic risks and associated actions
Ongoing consideration of:
IT and cyber-centric risk
Environmental risk

• Implementing and embedding the Group's Enterprise Risk Management policy and approach

Directing the delivery of the Group's identified actions associated with managing/ mitigating risk
Identification of key risk indicators, monitoring and taking timely action where appropriate

Board Audit Committee Cyber Security Committee

Periodically assessing the effectiveness of the embedded Group risk management process
Challenging the content of the strategic risk register to support a comprehensive and balanced assessment of risk
Reporting on the principal risks and uncertainties of the Group

Executive Committee Leadership team

Responsible for reviewing the operational risks across the business units and Group
Challenging the appropriateness and adequacy of proposed action plans to mitigate risk
Giving due consideration to the aggregation of risk across the Group
Provisioning suitable cross-functional/ business unit resource to effectively manage risk where appropriate

Managing risk from the bottom up

• Instrumental in developing the risk management framework adopted by the Board

Conduit between the Board and the business units – providing training and support where appropriate
Developing and executing a risk-based Internal Audit Plan to assess the management of risks

Global Governance function

Ongoing monitoring and reporting to the Board in relation to the progress being made by the business units in implementing agreed action plans to mitigate strategic risk
Close cross-functional relationships with the Global Technical Services (GTS) security operations team to facilitate the identification, management, monitoring and reporting of data security risks

• Execution of the delivery of the Group's identified actions associated with managing risk

Timely reporting on the implementation and progress of agreed action plans
Provision of key risk indicator updates

Business units

Identification and reporting of strategic risk to the Board
Provision of reports and data relating to significant emerging risks to the Group (internal and external)
Implementation of risk management approach which promotes the ongoing identification, evaluation, prioritisation, mitigation and monitoring of operational risk

Effective pursuit of strategic objectives

Risk management model continued

The Board, Audit Committee, Cyber Security Committee and Executive Committee review risks on an ongoing basis throughout the period. The appropriateness and relevance of the risks are monitored by the Global Governance function to ensure they continue to be updated, meet the needs of the Group and remain in line with good risk management practice. In addition, there is a robust process in place for monitoring and reporting the implementation of agreed actions.

We are satisfied that the Enterprise Risk Management policy, framework and model currently in place are sufficient to manage risk across the Group.

The key areas of identifying, assessing, addressing and monitoring risks are explained in more detail overleaf.

Identify

Risks exist within all areas of our business, and it is important for us to identify and understand the degree to which their impact and likelihood of occurrence will affect the delivery of our key objectives. This is achieved through day-to-day working practices and incorporates risks in both the internal and external environment.

All identified risks are initially assessed for their "inherent" risk (risk with no controls in place), using a scoring mechanism that accounts for the

likelihood of an event occurring and the impact that it may have on the Group. The scoring mechanism adopted takes account of high impact, low likelihood events and these risks are managed in a timely manner.

In addition to ongoing risk identification, an annual exercise is undertaken to review the Group's strategic risk universe by the Board. This exercise is reliant on the "top-down", "bottom-up" approach discussed earlier.

Assess

Post-identification of the Group's inherent risk exposure, a comprehensive assessment of the effectiveness of current mitigating controls is undertaken. This exercise takes account of the design of the current control environment and the application of these controls prior to assessing the Group's current exposure to risk – the mitigated risk score. The Board uses a number of sources of information to support the scoring of risk and these include, but are not limited to:

Management updates
Action tracking and reporting
Control environment policies and procedures
Independent audit activity
Project monitoring reports

Address

Having identified and assessed the risks faced by the Group, the risks are scored according to likelihood of occurring and impact to the business should they occur.

An assessment of whether additional actions are required to reduce our risk exposure is undertaken, with actions falling into one of four categories:

Treat develop an action plan (applying responsibility, deadlines and prioritisation) that may include the implementation of additional controls, or increase the requirement for additional assurance over the adequacy and effectiveness of the existing controls
Transfer use a third party specialist to undertake the activity, thus mitigating the risk
Tolerate determine the risk is within appetite
Terminate exit the activity

The output from the evaluation of strategic risks has resulted in milestone plans owned by senior business leaders or has been used in the development of the Group's transformation programme.

Monitor

Ongoing monitoring of risks and related actions is key to the implementation of our risk management model and, therefore, NCC Group is committed to making enterprise-wide risk management part of business as usual. Examples of ongoing monitoring of business risks include, but are not limited to:

Annual review of the external audit strategy and plan by the Audit Committee and Chief Financial Officer to ensure inclusion of key financial risks
Review of the annual Internal Audit Plan to validate that it incorporates key areas of business risk
A review of internal audit reports issued during the period, including a summary of progress against previously raised management actions at each Audit Committee meeting
Annual review of the strategic risk register by the Enterprise Risk Management Steering Group and Board to ensure that it includes risks arising in the period

Internal control

While risk management identifies threats to the Group achieving its strategic objectives, internal controls are designed to provide assurance that these objectives are being achieved, such as the effectiveness and efficiency of operations and delivery, accurate and reliable financial reporting, and compliance with applicable laws and regulation.

NCC Group has established a robust internal control framework, which is made up of a number of components:

Control environment

The control environment has primarily been established taking account of the Group's values (working together, being brilliantly creative, embracing difference and taking responsibility), and its Code of Ethics, which sets the foundations for the expected behaviours, values and competencies for all colleagues across the Group. The Board, Executive Committee and extended leadership team lead by example and strive to maintain effective control environments, while also maintaining integrity and transparency.

Risk assessments

Risk assessments are conducted at both a strategic and operational level of the Group and support the Group in understanding the risks that it faces and the controls in place to mitigate them. Importantly, they provide a mechanism to identify operational improvements and are vital in our transformational programmes.

Policies and procedures

Established policies communicate expected behaviours and are supported by procedures and guidelines that define required processes and controls. This, in turn, helps the business to adopt efficient and effective control environments.

Information and communications

Access to accurate and timely data is essential for supporting our colleagues in making informed decisions and effectively managing and controlling their areas of responsibility.

Activity monitoring

The minimum financial controls framework was established in FY20. Further enhancement of the framework is being designed and implemented to align with the UK Corporate Governance Reform and upcoming Directors' attestation of internal controls.

In preparation for new legislative requirements relating to failure to prevent fraud, key anti-fraud controls have been identified and these are supported by red flag reporting and ongoing trend analysis to enhance the existing control environment to ensure compliance with the Economic Crime and Transparency Act (2023).

Financial accounting and reporting follow generally accepted accounting practices.

Group review and approval procedures exist in relation to major areas of risk and require Executive Committee/Board approval, including mergers and acquisitions, major contracts, capital expenditure, litigation, treasury management and taxation policies. The approval procedures are captured within a global delegation of authority (DoA) matrix which is disseminated across the Group.

Compliance with all legislation, current and new, is closely monitored.

Risk and control reporting structure

NCC Group has embedded the "three lines of defence" to provide a robust internal controls structure that will support the Board, Audit Committee, Cyber Security Committee, Executive Committee and extended leadership team with accurate and reliable information in relation to the systems of internal control.

Three lines of defence:

First line Group policies and procedures
Second line information security, data protection, health and safety, and legal
Third line risk and assurance, incorporating internal audit, standards and support, assessing compliance with standards and external audit, both financial and operational, providing independent challenge and assessment

Risk management continued

Principal risks and uncertainties

During the period, the Board has completed a robust assessment of the Company's emerging and principal risks. This has included the Board reassessing and rescoring the principal risks, with changes to the risks noted below. The overall number of principal risks has reduced from 24 in FY24 to 14 in FY25 primarily due to risks being combined where the operating risks overlapped or where they were considered sub-risks.

The Group continues to operate in a particularly dynamic and evolving marketplace. The current risk register has been developed to reflect

these factors and includes risks that could threaten the Group's business model, future performance, solvency or liquidity. Detailed descriptions of the current principal risks and uncertainties faced by the Group, along with their potential impact and the mitigating processes and controls, are set out below.

The strategic risks are based on the four pillars of our strategy: our clients, our capabilities, global delivery and differentiated brands.

Extraordinary risk during the period

A. Strategy

1. Inability to execute the Group's strategy including the diversification of market sector, region, product/service or client VR

Link to strategy: Our clients Our capabilities Global delivery Differentiated brands

Previous risk names

Inability to execute the Group strategy and over-reliance on market sector, product/service or client

Risk owner

Mike Maddison, CEO

Risk impact

Ineffective execution of a strategy could have a material negative impact on the Group's financial performance and value.

It would potentially weaken the Group compared to its competitors and risk the Group's established position in the marketplace.

Key controls and mitigating factors

Strategic transformation plans are in place.

Disposal of Crypto and DetACT.

The Manila office is fully operational.

Risk impact and movement

2. Inability of the Group to absorb the people, process and technological transformation change

Link to strategy: Our clients Our capabilities Global delivery Differentiated brands

Previous risk name

Poor adoption of change management mechanisms

Risk owner

Mike Maddison, CEO

Risk impact

Failure to successfully deliver strategic outcomes caused by projects failing because they deliver late, don't deliver, fail to deliver the right things or fail to achieve the expected benefits.

Risk impact and movement

Key controls and mitigating factors

Transformation delivery centre is in place.

Business cases linked to principal risks underpinned by robust financial and legal due diligence which clearly articulates project objectives including delivery metrics.

Programme sponsors are accountable for delivery of outcomes.

Project SteerCo's in place.

Risk movement:

Increased Decreased Unchanged

Risk impact:

High Medium Low

Viability risk: VR

New risk: NR

A. Strategy continued

3. Commercial models (contractual and pricing) do not reflect the flexibility required by clients or drive the optimal commercial outcome for NCC Group VR

Link to strategy: Our clients Our capabilities Global delivery

Previous risk name

N/A

Risk owner

Peter Vorley, CCO

Risk impact

Inability to transact, operate and deliver profitable services resulting in loss of revenue and negative impact on share price.

Risk impact and movement NR

Key controls and mitigating factors

Finance review of margins.

Legal review of contracts.

Approval is required for low margin jobs.

Regular review of services is offered.

Client engagement and feedback to enhance the portfolio of product and services.

B. Cyber and information security

Increased Decreased Unchanged

4. Cyber attack VR

Link to strategy: Our capabilities Global delivery Differentiated brands

Previous risk name

N/A

Risk owner

Guy Ellis, CFO

Risk impact

Data breach leading to fines from regulators and reputational damage.

Lack of availability in systems.

Inability to operate services resulting in loss of customer trust, resulting in loss of revenue and negative impact on share price.

Impact on national security due to our work with government clients.

Risk impact and movement

Increased due to increase in high profile cyber attacks and change to geopolitical landscape.

Key controls and mitigating factors

The Board operates a Cyber Security Committee chaired by a NED.

All colleagues globally are required to undertake annual and ongoing security training to alert them to potential methods of security breach and to their responsibilities in safeguarding information and reporting potential issues.

Security testing is regularly carried out on the Group's infrastructure and there are extensive response plans, which are tested.

Comprehensive plans are in place and being delivered associated with discharging our data protection obligations.

Deployed an Information Security Management System (ISO 27001). All key locations are certified.

Risk movement:

Risk impact:

High Medium Low

Viability risk: VR